[selinux-policy] - gpg_t needs to talk to gnome-keyring - nscd wants to read /usr/tmp->/var/tmp to generate randomzia
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Mar 1 16:09:15 UTC 2011
commit 781f349e054be2f5eac63672f07ef6235eb604ad
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Mar 1 17:08:45 2011 +0000
- gpg_t needs to talk to gnome-keyring
- nscd wants to read /usr/tmp->/var/tmp to generate randomization in unixchkpwd
- enforce MCS labeling on nodes
- Allow arpwatch to read meminfo
- Allow gnomeclock to send itself signals
- init relabels /dev/.udev files on boot
- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_
- nautilus checks access on /media directory before mounting usb sticks, dontaudit acc
- dnsmasq can run as a dbus service, needs acquire service
- mysql_admin should be allowed to connect to mysql service
- virt creates monitor sockets in the users home dir
policy-F15.patch | 1211 ++++++++++++++++++++++++++++++++-------------------
selinux-policy.spec | 15 +-
2 files changed, 785 insertions(+), 441 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index b84e047..e59db95 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -208,7 +208,7 @@ index 4705ab6..262b5ba 100644
+gen_tunable(allow_console_login,false)
+
diff --git a/policy/mcs b/policy/mcs
-index 358ce7c..60afbfe 100644
+index 358ce7c..0f1d444 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto }
@@ -234,10 +234,13 @@ index 358ce7c..60afbfe 100644
#
# MCS policy for SELinux-enabled databases
#
-@@ -144,4 +147,7 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -144,4 +147,10 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
++mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
++ (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
++
+mlsconstrain packet { send recv }
+ (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
+
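Review bot: The new `mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind` constraint lands directly under the `# MCS policy for SELinux-enabled databases` heading, after the db_blob constraint, so a reader of policy/mcs will file it with the database rules. A heading such as `# MCS policy for network nodes and packets` placed before it would also cover the existing packet constraint that follows. The `( t1 == mcsnetwrite )` disjunct exempts every domain carrying that attribute from the dominance check on bind, consistent with the packet rule, and the comment should say so.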
@@ -1883,7 +1886,7 @@ index d0604cf..679d61c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
-index 8966ec9..01cf407 100644
+index 8966ec9..a54882c 100644
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
@@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
@@ -1918,7 +1921,16 @@ index 8966ec9..01cf407 100644
init_stream_connect(shutdown_t)
init_telinit(shutdown_t)
-@@ -59,5 +63,11 @@ optional_policy(`
+@@ -54,10 +58,20 @@ logging_send_audit_msgs(shutdown_t)
+ miscfiles_read_localization(shutdown_t)
+
+ optional_policy(`
++ cron_system_entry(shutdown_t, shutdown_exec_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(shutdown_t)
+ dbus_connect_system_bus(shutdown_t)
')
optional_policy(`
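Review bot: `cron_system_entry(shutdown_t, shutdown_exec_t)` lets system cron jobs enter the shutdown_t domain, and this entrypoint grant is not mentioned anywhere in the commit description. A comment above the new optional_policy block naming the scheduled job that needs it, for example `# scheduled (cron) jobs may run shutdown`, would keep the grant reviewable later. The enclosing shutdown.te rules continue outside the hunk.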
@@ -1973,7 +1985,7 @@ index 7bddc02..2b59ed0 100644
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..30a7f38 100644
+index 975af1a..bae65ee 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -2023,7 +2035,7 @@ index 975af1a..30a7f38 100644
userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
-+ userdom_signal_unpriv_users($1_sudo_t)
++ userdom_signal_all_users($1_sudo_t)
# for some PAM modules and for cwd
- userdom_dontaudit_search_user_home_content($1_sudo_t)
+ userdom_search_user_home_content($1_sudo_t)
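Review bot: Replacing `userdom_signal_unpriv_users($1_sudo_t)` with `userdom_signal_all_users($1_sudo_t)` widens the set of processes a sudo session may signal from unprivileged user domains to every user domain, including administrative ones, and the commit description does not say which denial motivated it. A comment naming the domain that needed the signal, e.g. `# sudo signals its parent shell, which may be a privileged user domain`, would document the widening. The enclosing sudo_role_template starts outside the hunk.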
@@ -2962,10 +2974,10 @@ index 00a19e3..1354800 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..bb2528e 100644
+index f5afe78..c9d74ee 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,43 +1,507 @@
+@@ -1,43 +1,519 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -3031,6 +3043,7 @@ index f5afe78..bb2528e 100644
+ attribute gnome_domain;
+ type gnome_home_t;
+ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
++ class dbus send_msg;
+ ')
+
+ type gkeyringd_$1_t, gnome_domain, gkeyringd_domain;
@@ -3047,6 +3060,12 @@ index f5afe78..bb2528e 100644
+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+
++ corecmd_bin_domtrans(gkeyringd_$1_t, $1_t)
++ corecmd_shell_domtrans(gkeyringd_$1_t, $1_t)
++ allow gkeyringd_$1_t $3:process sigkill;
++ allow $3 gkeyringd_$1_t:fd use;
++ allow $3 gkeyringd_$1_t:fifo_file rw_fifo_file_perms;
++
+ ps_process_pattern(gkeyringd_$1_t, $3)
+
+ ps_process_pattern($3, gkeyringd_$1_t)
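Review bot: `allow gkeyringd_$1_t $3:process sigkill;` lets the keyring daemon SIGKILL any process in $3, which from `ps_process_pattern($3, gkeyringd_$1_t)` appears to be the user's own domain, so the grant covers all of that user's processes and not only the helpers that now run there after the new `corecmd_bin_domtrans`/`corecmd_shell_domtrans` transitions. If reaping those children is the only need, a comment such as `# gkeyringd kills helper commands it started; they run in the user domain after domtrans` would make the intended scope explicit, and `signal` may suffice. The template's parameter list is outside the hunk, so the meaning of $3 is inferred here.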
@@ -3054,15 +3073,18 @@ index f5afe78..bb2528e 100644
+
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
++ allow gkeyringd_$1_t $3:dbus send_msg;
++ allow $3 gkeyringd_$1_t:dbus send_msg;
++
+ optional_policy(`
-+ dbus_session_domain(gkeyringd_$1_t, gkeyringd_exec_t)
-+ dbus_session_bus_client(gkeyringd_$1_t)
-+ gnome_home_dir_filetrans(gkeyringd_$1_t)
-+ gnome_manage_generic_home_dirs(gkeyringd_$1_t)
++ dbus_session_domain(gkeyringd_$1_t, gkeyringd_exec_t)
++ dbus_session_bus_client(gkeyringd_$1_t)
++ gnome_home_dir_filetrans(gkeyringd_$1_t)
++ gnome_manage_generic_home_dirs(gkeyringd_$1_t)
+
-+ optional_policy(`
++ optional_policy(`
+ telepathy_mission_control_read_state(gkeyringd_$1_t)
-+ ')
++ ')
+ ')
+')
+
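Review bot: The two raw `allow ... :dbus send_msg;` rules are added at template top level while the rest of the D-Bus wiring for gkeyringd_$1_t sits inside the `optional_policy(` block that calls `dbus_session_bus_client` a few lines below; keeping them together would make the D-Bus policy for this domain readable in one place. The remainder of the hunk only re-indents the nested optional_policy block, which is whitespace churn mixed into a functional change and enlarges the diff without altering policy.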
@@ -3102,11 +3124,13 @@ index f5afe78..bb2528e 100644
+#
+interface(`gnome_stream_connect_gkeyringd',`
+ gen_require(`
-+ type gkeyringd_t, gkeyringd_tmp_t;
++ attribute gkeyringd_domain;
++ type gkeyringd_tmp_t;
++ type gconf_tmp_t;
+ ')
+
-+ stream_connect_pattern($2, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_t)
-+ gnome_search_gconf_tmp_dirs($2)
++ allow $1 gconf_tmp_t:dir search_dir_perms;
++ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+')
+
+########################################
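Review bot: `stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)` names the attribute as the peer, so a caller such as gpg_t may connect to every user's gkeyringd instance rather than only the one belonging to its own user; per-user separation of keyring sockets is then left to DAC and MCS on the socket file. That may be unavoidable for a generic interface, but it deserves a comment above the rule, e.g. `# any gkeyringd instance; per-user isolation relies on DAC/MCS on the socket`. The interface's XML doc block starts above the hunk.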
@@ -3490,7 +3514,7 @@ index f5afe78..bb2528e 100644
## in the caller domain.
## </summary>
## <param name="domain">
-@@ -56,27 +520,26 @@ interface(`gnome_exec_gconf',`
+@@ -56,27 +532,26 @@ interface(`gnome_exec_gconf',`
########################################
## <summary>
@@ -3526,7 +3550,7 @@ index f5afe78..bb2528e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +547,41 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +559,41 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -3579,7 +3603,7 @@ index f5afe78..bb2528e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,12 +589,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +601,13 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -3596,7 +3620,7 @@ index f5afe78..bb2528e 100644
')
########################################
-@@ -151,40 +619,258 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +631,258 @@ interface(`gnome_setattr_config_dirs',`
########################################
## <summary>
@@ -3866,7 +3890,7 @@ index f5afe78..bb2528e 100644
userdom_search_user_home_dirs($1)
')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..78e50a6 100644
+index 2505654..fd62ccc 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0)
@@ -3937,7 +3961,7 @@ index 2505654..78e50a6 100644
##############################
#
# Local Policy
-@@ -75,3 +106,147 @@ optional_policy(`
+@@ -75,3 +106,149 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -4066,6 +4090,8 @@ index 2505654..78e50a6 100644
+
+selinux_getattr_fs(gkeyringd_domain)
+
++auth_use_nsswitch(gkeyringd_domain)
++
+logging_send_syslog_msg(gkeyringd_domain)
+
+miscfiles_read_localization(gkeyringd_domain)
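Review bot: `auth_use_nsswitch(gkeyringd_domain)` grants the keyring daemon the full nsswitch client bundle, which in refpolicy includes name resolution and the LDAP/NIS/SSSD client paths as far as I recall, and the commit description does not say why a local keyring daemon needs it. A comment such as `# gkeyringd resolves user/group names via nsswitch` would record the reason; if only local passwd lookups are needed, a narrower auth interface may do.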
@@ -4158,7 +4184,7 @@ index 40e0a2a..f4a103c 100644
## <summary>
## Send generic signals to user gpg processes.
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..504280f 100644
+index 9050e8c..1407f21 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -4223,18 +4249,19 @@ index 9050e8c..504280f 100644
mta_write_config(gpg_t)
-@@ -142,6 +158,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -142,6 +158,11 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ gnome_read_config(gpg_t)
++ gnome_stream_connect_gkeyringd(gpg_t)
+')
+
+optional_policy(`
mozilla_read_user_home_files(gpg_t)
mozilla_write_user_home_files(gpg_t)
')
-@@ -151,10 +171,10 @@ optional_policy(`
+@@ -151,10 +172,10 @@ optional_policy(`
xserver_rw_xdm_pipes(gpg_t)
')
@@ -4249,7 +4276,7 @@ index 9050e8c..504280f 100644
########################################
#
-@@ -205,6 +225,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -205,6 +226,7 @@ tunable_policy(`use_samba_home_dirs',`
#
# GPG agent local policy
#
@@ -4257,7 +4284,7 @@ index 9050e8c..504280f 100644
# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
-@@ -245,6 +266,7 @@ userdom_search_user_home_dirs(gpg_agent_t)
+@@ -245,6 +267,7 @@ userdom_search_user_home_dirs(gpg_agent_t)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -4265,7 +4292,7 @@ index 9050e8c..504280f 100644
')
tunable_policy(`gpg_agent_env_file',`
-@@ -332,6 +354,9 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -332,6 +355,9 @@ miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
@@ -4275,7 +4302,7 @@ index 9050e8c..504280f 100644
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
-@@ -342,11 +367,21 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -342,11 +368,21 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -4297,7 +4324,7 @@ index 9050e8c..504280f 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +391,28 @@ optional_policy(`
+@@ -356,4 +392,28 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -6937,10 +6964,10 @@ index 0000000..6caef63
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
new file mode 100644
-index 0000000..5f09eb9
+index 0000000..0fedd57
--- /dev/null
+++ b/policy/modules/apps/sandbox.if
-@@ -0,0 +1,335 @@
+@@ -0,0 +1,305 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -6963,9 +6990,9 @@ index 0000000..5f09eb9
+interface(`sandbox_transition',`
+ gen_require(`
+ type sandbox_xserver_t;
++ type sandbox_file_t;
+ attribute sandbox_domain;
+ attribute sandbox_x_domain;
-+ attribute sandbox_file_type;
+ attribute sandbox_tmpfs_type;
+ ')
+
@@ -6997,17 +7024,18 @@ index 0000000..5f09eb9
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
+
-+ can_exec($1, sandbox_file_type)
-+ manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
-+ manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
-+ manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type);
-+ manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type);
-+ manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type);
-+ relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
-+ relabel_files_pattern($1, sandbox_file_type, sandbox_file_type)
-+ relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type)
-+ relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type)
-+ relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
++ can_exec($1, sandbox_file_t)
++ allow $1 sandbox_file_t:filesystem getattr;
++ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
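Review bot: The five `manage_*_pattern(...)` calls in sandbox_transition carry trailing semicolons (`manage_files_pattern($1, sandbox_file_t, sandbox_file_t);` and the four that follow); the pattern macros already expand to terminated rules, so the extra `;` is not refpolicy style and leaves a stray empty statement after each expansion. The same trailing semicolons appear in the sandbox.te hunk that grants sandbox_domain access to sandbox_file_t. Dropping the `;` on those lines matches the `relabel_*_pattern` calls directly below them.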
@@ -7025,7 +7053,7 @@ index 0000000..5f09eb9
+
+ gen_require(`
+ attribute sandbox_domain;
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
+ attribute sandbox_type;
+ ')
+ type $1_t, sandbox_domain, sandbox_type;
@@ -7034,16 +7062,6 @@ index 0000000..5f09eb9
+
+ mls_rangetrans_target($1_t)
+ mcs_untrusted_proc($1_t)
-+
-+ type $1_file_t, sandbox_file_type;
-+ files_type($1_file_t)
-+
-+ can_exec($1_t, $1_file_t)
-+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+')
+
+########################################
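Review bot: Removing the per-template `$1_file_t` type here, in the two following sandbox.if hunks, and in the sandbox.te hunk that declares a single `sandbox_file_t` with aliases for sandbox_x_file_t/sandbox_web_file_t/sandbox_net_file_t/sandbox_min_file_t collapses the file types of all sandbox flavours into one, so type enforcement no longer separates one sandbox's files from another's; with `can_exec(sandbox_domain, sandbox_file_t)` and the manage rules added in sandbox.te, separation between concurrent sandboxes rests on MCS (`mcs_untrusted_proc`) and DAC. This is a material change to the sandbox isolation model and is not mentioned in the commit description. A comment at the `sandbox_file_t` declaration stating that cross-sandbox file isolation is provided by MCS categories, not by type, would record the intended design.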
@@ -7063,7 +7081,7 @@ index 0000000..5f09eb9
+ type sandbox_xserver_t;
+ type sandbox_exec_t;
+ attribute sandbox_domain, sandbox_x_domain;
-+ attribute sandbox_file_type, sandbox_tmpfs_type;
++ attribute sandbox_tmpfs_type;
+ attribute sandbox_type;
+ ')
+
@@ -7071,16 +7089,6 @@ index 0000000..5f09eb9
+ application_type($1_t)
+ mcs_untrusted_proc($1_t)
+
-+ type $1_file_t, sandbox_file_type;
-+ files_type($1_file_t)
-+
-+ can_exec($1_t, $1_file_t)
-+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
-+
+ # window manager
+ miscfiles_setattr_fonts_cache_dirs($1_t)
+ allow $1_t self:capability setuid;
@@ -7110,23 +7118,12 @@ index 0000000..5f09eb9
+ # Random tmpfs_t that gets created when you run X.
+ fs_rw_tmpfs_files($1_t)
+
-+ manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
-+ manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
-+ manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
-+ allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
+ ps_process_pattern(sandbox_xserver_t, $1_client_t)
+ ps_process_pattern(sandbox_xserver_t, $1_t)
+ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+ allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+ allow $1_client_t $1_t:unix_stream_socket connectto;
+ allow $1_t $1_client_t:unix_stream_socket connectto;
-+
-+ can_exec($1_client_t, $1_file_t)
-+ manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
-+ manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
-+ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
-+ manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
-+ manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
+')
+
+########################################
@@ -7198,10 +7195,10 @@ index 0000000..5f09eb9
+#
+interface(`sandbox_delete_files',`
+ gen_require(`
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
+ ')
+
-+ delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
++ delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
@@ -7216,10 +7213,10 @@ index 0000000..5f09eb9
+#
+interface(`sandbox_delete_sock_files',`
+ gen_require(`
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
+ ')
+
-+ delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
++ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
@@ -7235,10 +7232,10 @@ index 0000000..5f09eb9
+#
+interface(`sandbox_setattr_dirs',`
+ gen_require(`
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
+ ')
+
-+ allow $1 sandbox_file_type:dir setattr;
++ allow $1 sandbox_file_t:dir setattr;
+')
+
+########################################
@@ -7253,10 +7250,10 @@ index 0000000..5f09eb9
+#
+interface(`sandbox_delete_dirs',`
+ gen_require(`
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
+ ')
+
-+ delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
++ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
@@ -7271,29 +7268,33 @@ index 0000000..5f09eb9
+#
+interface(`sandbox_list',`
+ gen_require(`
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
+ ')
+
-+ allow $1 sandbox_file_type:dir list_dir_perms;
++ allow $1 sandbox_file_t:dir list_dir_perms;
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..fc8db7d
+index 0000000..e6e9f42
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,449 @@
+@@ -0,0 +1,465 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
-+attribute sandbox_file_type;
+attribute sandbox_web_type;
++attribute sandbox_file_type;
+attribute sandbox_tmpfs_type;
+attribute sandbox_type;
+
+type sandbox_exec_t;
+files_type(sandbox_exec_t)
+
++type sandbox_file_t, sandbox_file_type;
++files_type(sandbox_file_t)
++typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };
++
+########################################
+#
+# Declarations
@@ -7325,6 +7326,11 @@ index 0000000..fc8db7d
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
+
++manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
++manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
++manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
++allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms;
++
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
@@ -7402,6 +7408,14 @@ index 0000000..fc8db7d
+dev_rw_all_inherited_chr_files(sandbox_domain)
+dev_rw_all_inherited_blk_files(sandbox_domain)
+
++can_exec(sandbox_domain, sandbox_file_t)
++allow sandbox_domain sandbox_file_t:filesystem getattr;
++manage_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_dirs_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++
+gen_require(`
+ type usr_t, lib_t, locale_t;
+ type var_t, var_run_t, rpm_log_t, locale_t;
@@ -7730,7 +7744,6 @@ index 0000000..fc8db7d
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
-+
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
index 1f2cde4..7227631 100644
--- a/policy/modules/apps/screen.fc
@@ -8868,7 +8881,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..75c0fdf 100644
+index 34c9d01..5574b5c 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -8901,7 +8914,16 @@ index 34c9d01..75c0fdf 100644
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -232,6 +232,9 @@ ifdef(`distro_gentoo',`
+@@ -177,6 +177,8 @@ ifdef(`distro_gentoo',`
+ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+
++/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ #
+ # /usr
+ #
+@@ -232,6 +234,9 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
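Review bot: `/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels a directory inside root's home as bin_t, so every domain allowed to execute or transition on bin_t (the gkeyringd `corecmd_bin_domtrans` added earlier in this commit, for instance) will treat whatever is placed there as a trusted system binary, and the change is not mentioned in the commit description. If the intent is to let administrators keep scripts there, a comment naming that use, e.g. `# administrator scripts under /root/bin are treated as system binaries`, would help, and the entry should be weighed against the rest of /root keeping its home-content labeling.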
@@ -8911,7 +8933,7 @@ index 34c9d01..75c0fdf 100644
/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -247,6 +250,8 @@ ifdef(`distro_gentoo',`
+@@ -247,6 +252,8 @@ ifdef(`distro_gentoo',`
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -8920,7 +8942,7 @@ index 34c9d01..75c0fdf 100644
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -307,6 +312,7 @@ ifdef(`distro_redhat', `
+@@ -307,6 +314,7 @@ ifdef(`distro_redhat', `
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -8928,7 +8950,7 @@ index 34c9d01..75c0fdf 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -316,9 +322,11 @@ ifdef(`distro_redhat', `
+@@ -316,9 +324,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -9309,10 +9331,10 @@ index 8ac94e4..c02f095 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index efaf808..321f9ad 100644
+index efaf808..d1ceca8 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
-@@ -146,8 +146,8 @@ interface(`dev_relabel_all_dev_nodes',`
+@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
relabelfrom_dirs_pattern($1, device_t, device_node)
relabelfrom_files_pattern($1, device_t, device_node)
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
@@ -9323,7 +9345,32 @@ index efaf808..321f9ad 100644
relabel_blk_files_pattern($1, device_t, { device_t device_node })
relabel_chr_files_pattern($1, device_t, { device_t device_node })
')
-@@ -209,6 +209,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
+
+ ########################################
+ ## <summary>
++## Allow full relabeling (to and from) of all device files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`dev_relabel_all_dev_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ relabel_files_pattern($1, device_t, device_t)
++')
++
++########################################
++## <summary>
+ ## List all of the device nodes in a device directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
########################################
## <summary>
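Review bot: The new `dev_relabel_all_dev_files` summary promises "full relabeling (to and from) of all device files", but `relabel_files_pattern($1, device_t, device_t)` only covers regular files labeled device_t in device_t directories; nodes carrying other device_node types are not included, unlike `dev_relabel_all_dev_nodes` above it, which targets `device_node`. Either narrow the summary to `## Relabel generic files in /dev (device_t) to and from device_t.` or change the pattern to target `{ device_t device_node }` as the sibling interface does. Which is intended is not clear from the hunk.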
@@ -9348,7 +9395,7 @@ index efaf808..321f9ad 100644
## Add entries to directories in /dev.
## </summary>
## <param name="domain">
-@@ -336,6 +354,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
+@@ -336,6 +373,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
########################################
## <summary>
@@ -9373,7 +9420,7 @@ index efaf808..321f9ad 100644
## Read and write generic files in /dev.
## </summary>
## <param name="domain">
-@@ -516,6 +552,24 @@ interface(`dev_getattr_generic_chr_files',`
+@@ -516,6 +571,24 @@ interface(`dev_getattr_generic_chr_files',`
########################################
## <summary>
@@ -9398,7 +9445,7 @@ index efaf808..321f9ad 100644
## Dontaudit getattr for generic character device files.
## </summary>
## <param name="domain">
-@@ -552,6 +606,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
+@@ -552,6 +625,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
########################################
## <summary>
@@ -9423,7 +9470,7 @@ index efaf808..321f9ad 100644
## Read and write generic character device files.
## </summary>
## <param name="domain">
-@@ -570,6 +642,24 @@ interface(`dev_rw_generic_chr_files',`
+@@ -570,6 +661,24 @@ interface(`dev_rw_generic_chr_files',`
########################################
## <summary>
@@ -9448,7 +9495,7 @@ index efaf808..321f9ad 100644
## Dontaudit attempts to read/write generic character device files.
## </summary>
## <param name="domain">
-@@ -679,6 +769,24 @@ interface(`dev_delete_generic_symlinks',`
+@@ -679,6 +788,24 @@ interface(`dev_delete_generic_symlinks',`
########################################
## <summary>
@@ -9473,7 +9520,7 @@ index efaf808..321f9ad 100644
## Create, delete, read, and write symbolic links in device directories.
## </summary>
## <param name="domain">
-@@ -1088,6 +1196,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1088,6 +1215,42 @@ interface(`dev_create_all_chr_files',`
########################################
## <summary>
@@ -9516,7 +9563,7 @@ index efaf808..321f9ad 100644
## Delete all block device files.
## </summary>
## <param name="domain">
-@@ -1350,6 +1494,24 @@ interface(`dev_getattr_autofs_dev',`
+@@ -1350,6 +1513,24 @@ interface(`dev_getattr_autofs_dev',`
########################################
## <summary>
@@ -9541,7 +9588,7 @@ index efaf808..321f9ad 100644
## Do not audit attempts to get the attributes of
## the autofs device node.
## </summary>
-@@ -1597,6 +1759,24 @@ interface(`dev_rw_cpu_microcode',`
+@@ -1597,6 +1778,24 @@ interface(`dev_rw_cpu_microcode',`
########################################
## <summary>
@@ -9566,7 +9613,7 @@ index efaf808..321f9ad 100644
## Read and write the the hardware SSL accelerator.
## </summary>
## <param name="domain">
-@@ -1979,6 +2159,24 @@ interface(`dev_read_kmsg',`
+@@ -1979,6 +2178,24 @@ interface(`dev_read_kmsg',`
########################################
## <summary>
@@ -9591,7 +9638,7 @@ index efaf808..321f9ad 100644
## Write to the kernel messages device
## </summary>
## <param name="domain">
-@@ -3048,24 +3246,6 @@ interface(`dev_rw_printer',`
+@@ -3048,24 +3265,6 @@ interface(`dev_rw_printer',`
########################################
## <summary>
@@ -9616,7 +9663,7 @@ index efaf808..321f9ad 100644
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
-@@ -3613,6 +3793,24 @@ interface(`dev_manage_smartcard',`
+@@ -3613,6 +3812,24 @@ interface(`dev_manage_smartcard',`
########################################
## <summary>
@@ -9641,7 +9688,7 @@ index efaf808..321f9ad 100644
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
-@@ -3773,6 +3971,24 @@ interface(`dev_rw_sysfs',`
+@@ -3773,6 +3990,24 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@@ -9666,7 +9713,7 @@ index efaf808..321f9ad 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
-@@ -3960,6 +4176,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3960,6 +4195,24 @@ interface(`dev_read_usbmon_dev',`
########################################
## <summary>
@@ -9691,7 +9738,7 @@ index efaf808..321f9ad 100644
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -4270,11 +4504,10 @@ interface(`dev_write_video_dev',`
+@@ -4270,11 +4523,10 @@ interface(`dev_write_video_dev',`
#
interface(`dev_rw_vhost',`
gen_require(`
@@ -10121,7 +10168,7 @@ index 3517db2..f798a69 100644
+
+/usr/lib/debug(/.*)? <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ed203b2..45fe4f9 100644
+index ed203b2..0a4f89a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -10223,7 +10270,32 @@ index ed203b2..45fe4f9 100644
## List the contents of the root directory.
## </summary>
## <param name="domain">
-@@ -1854,6 +1924,25 @@ interface(`files_relabelfrom_boot_files',`
+@@ -1731,6 +1801,24 @@ interface(`files_list_boot',`
+ allow $1 boot_t:dir list_dir_perms;
+ ')
+
++#######################################
++## <summary>
++## Dontaudit List the /boot directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_list_boot',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ dontaudit $1 boot_t:dir list_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Create directories in /boot
+@@ -1854,6 +1942,25 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
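Review bot: In `files_dontaudit_list_boot` the `<param name="domain">` summary reads `Domain allowed access.`, but this is a dontaudit interface; the convention used elsewhere in this commit (`files_dontaudit_access_check_mnt`) is `Domain to not audit.`. The interface summary `Dontaudit List the /boot directory.` would also read better as `Do not audit attempts to list the /boot directory.`, matching the wording of `files_dontaudit_list_mnt` in the same file.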
@@ -10249,7 +10321,7 @@ index ed203b2..45fe4f9 100644
########################################
## <summary>
## Read and write symbolic links
-@@ -2453,6 +2542,24 @@ interface(`files_delete_etc_files',`
+@@ -2453,6 +2560,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -10274,7 +10346,7 @@ index ed203b2..45fe4f9 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2583,6 +2690,31 @@ interface(`files_create_boot_flag',`
+@@ -2583,6 +2708,31 @@ interface(`files_create_boot_flag',`
########################################
## <summary>
@@ -10306,7 +10378,7 @@ index ed203b2..45fe4f9 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -2623,6 +2755,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2623,6 +2773,24 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -10331,7 +10403,7 @@ index ed203b2..45fe4f9 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -3104,6 +3254,7 @@ interface(`files_getattr_home_dir',`
+@@ -3104,6 +3272,7 @@ interface(`files_getattr_home_dir',`
')
allow $1 home_root_t:dir getattr;
@@ -10339,7 +10411,7 @@ index ed203b2..45fe4f9 100644
')
########################################
-@@ -3124,6 +3275,7 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3124,6 +3293,7 @@ interface(`files_dontaudit_getattr_home_dir',`
')
dontaudit $1 home_root_t:dir getattr;
@@ -10347,7 +10419,7 @@ index ed203b2..45fe4f9 100644
')
########################################
-@@ -3287,6 +3439,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
+@@ -3287,6 +3457,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
dontaudit $1 lost_found_t:dir getattr;
')
@@ -10372,7 +10444,7 @@ index ed203b2..45fe4f9 100644
########################################
## <summary>
## Create, read, write, and delete objects in
-@@ -3365,6 +3535,24 @@ interface(`files_list_mnt',`
+@@ -3365,6 +3553,43 @@ interface(`files_list_mnt',`
allow $1 mnt_t:dir list_dir_perms;
')
@@ -10394,10 +10466,29 @@ index ed203b2..45fe4f9 100644
+ dontaudit $1 mnt_t:dir list_dir_perms;
+')
+
++########################################
++## <summary>
++## Do not audit attempts to check the
++## write access on mnt files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_access_check_mnt',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ dontaudit $1 mnt_t:file_class_set audit_access;
++')
++
########################################
## <summary>
## Mount a filesystem on /mnt.
-@@ -3438,6 +3626,24 @@ interface(`files_read_mnt_files',`
+@@ -3438,6 +3663,24 @@ interface(`files_read_mnt_files',`
read_files_pattern($1, mnt_t, mnt_t)
')
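Review bot: The summary of `files_dontaudit_access_check_mnt` says "check the write access on mnt files", but the rule `dontaudit $1 mnt_t:file_class_set audit_access;` silences access(2)-style permission probes for every access mode and for every object class in file_class_set, not only write checks on plain files. Suggest `## Do not audit access(2) checks (any mode) on objects in /mnt.` so callers see the real scope. Nothing is granted by this rule since audit_access only covers the probe, but a dontaudit that is wider than its description is exactly the kind of thing that hides a later denial.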
@@ -10422,7 +10513,7 @@ index ed203b2..45fe4f9 100644
########################################
## <summary>
## Create, read, write, and delete symbolic links in /mnt.
-@@ -3729,6 +3935,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3729,6 +3972,99 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -10522,7 +10613,7 @@ index ed203b2..45fe4f9 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -3914,6 +4213,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3914,6 +4250,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -10555,7 +10646,7 @@ index ed203b2..45fe4f9 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3968,7 +4293,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3968,7 +4330,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -10564,7 +10655,7 @@ index ed203b2..45fe4f9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3976,17 +4301,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3976,17 +4338,17 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@@ -10586,7 +10677,7 @@ index ed203b2..45fe4f9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3994,74 +4319,77 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -3994,45 +4356,123 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
@@ -10642,87 +10733,18 @@ index ed203b2..45fe4f9 100644
#
-interface(`files_getattr_all_tmp_files',`
+interface(`files_relabel_all_tmp_files',`
- gen_require(`
- attribute tmpfile;
-+ type var_t;
- ')
-
-- allow $1 tmpfile:file getattr;
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to get the attributes
--## of all tmp sock_file.
-+## Set the attributes of all tmp directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain not to audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- dontaudit $1 tmpfile:sock_file getattr;
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
-
- ########################################
- ## <summary>
--## Read all tmp files.
-+## List all tmp directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -4069,25 +4397,100 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
- ## </summary>
- ## </param>
- #
--interface(`files_read_all_tmp_files',`
-+interface(`files_list_all_tmp',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- read_files_pattern($1, tmpfile, tmpfile)
-+ allow $1 tmpfile:dir list_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Create an object in the tmp directories, with a private
--## type using a type transition.
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain not to audit.
- ## </summary>
- ## </param>
--## <param name="private type">
-+#
-+interface(`files_dontaudit_getattr_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
++ type var_t;
+ ')
+
-+ dontaudit $1 tmpfile:file getattr;
++ allow $1 var_t:dir search_dir_perms;
++ relabel_files_pattern($1, tmpfile, tmpfile)
+')
+
+########################################
+## <summary>
-+## Allow attempts to get the attributes
-+## of all tmp files.
++## Set the attributes of all tmp directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -10730,66 +10752,67 @@ index ed203b2..45fe4f9 100644
+## </summary>
+## </param>
+#
-+interface(`files_getattr_all_tmp_files',`
++interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:file getattr;
++ allow $1 tmpfile:dir { search_dir_perms setattr };
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
++## List all tmp directories.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain not to audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_list_all_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ dontaudit $1 tmpfile:sock_file getattr;
++ allow $1 tmpfile:dir list_dir_perms;
+')
+
+########################################
+## <summary>
-+## Read all tmp files.
++## Do not audit attempts to get the attributes
++## of all tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain not to audit.
+## </summary>
+## </param>
+#
-+interface(`files_read_all_tmp_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ read_files_pattern($1, tmpfile, tmpfile)
++ dontaudit $1 tmpfile:file getattr;
+')
+
+########################################
+## <summary>
-+## Create an object in the tmp directories, with a private
-+## type using a type transition.
++## Allow attempts to get the attributes
++## of all tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="private type">
- ## <summary>
- ## The type of the object to be created.
- ## </summary>
-@@ -4127,6 +4530,13 @@ interface(`files_purge_tmp',`
++#
++interface(`files_getattr_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+@@ -4127,6 +4567,13 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
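Review bot: `files_relabel_all_tmp_files` (new side, the `relabel_files_pattern($1, tmpfile, tmpfile)` line) grants relabelfrom and relabelto across every type carrying the `tmpfile` attribute, so a caller can move a file from any confined domain's private tmp type to any other tmp type; the interface's summary sits before this hunk and should spell out that breadth, e.g. `## Relabel files between any two tmp types (all types with the tmpfile attribute).` The added `allow $1 var_t:dir search_dir_perms;` is presumably there to reach /var/tmp; a `# /var/tmp` comment on that line would save the next reader the guess. The remainder of the hunk re-orders the same interface bodies within the patch and does not change what the inner files.if ends up containing.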
@@ -10803,7 +10826,7 @@ index ed203b2..45fe4f9 100644
')
########################################
-@@ -4736,6 +5146,24 @@ interface(`files_read_var_files',`
+@@ -4736,6 +5183,24 @@ interface(`files_read_var_files',`
########################################
## <summary>
@@ -10828,7 +10851,7 @@ index ed203b2..45fe4f9 100644
## Read and write files in the /var directory.
## </summary>
## <param name="domain">
-@@ -5071,6 +5499,24 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5536,24 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -10853,7 +10876,7 @@ index ed203b2..45fe4f9 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5156,12 +5602,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5639,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -10870,7 +10893,7 @@ index ed203b2..45fe4f9 100644
')
########################################
-@@ -5207,6 +5653,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5690,27 @@ interface(`files_delete_all_locks',`
########################################
## <summary>
@@ -10898,7 +10921,7 @@ index ed203b2..45fe4f9 100644
## Read all lock files.
## </summary>
## <param name="domain">
-@@ -5335,6 +5802,43 @@ interface(`files_search_pids',`
+@@ -5335,6 +5839,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -10942,7 +10965,7 @@ index ed203b2..45fe4f9 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5542,6 +6046,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6083,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -11005,7 +11028,7 @@ index ed203b2..45fe4f9 100644
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5559,6 +6119,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6156,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -11050,7 +11073,7 @@ index ed203b2..45fe4f9 100644
')
########################################
-@@ -5844,3 +6442,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6479,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -12771,10 +12794,10 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..f9735b5 100644
+index 2be17d2..62c9b17 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,52 @@ policy_module(staff, 2.2.0)
+@@ -8,12 +8,56 @@ policy_module(staff, 2.2.0)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -12824,10 +12847,14 @@ index 2be17d2..f9735b5 100644
+ selinux_read_policy(staff_t)
+')
+
++optional_policy(`
++ abrt_cache_read(staff_t)
++')
++
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,25 +67,118 @@ optional_policy(`
+@@ -27,25 +71,118 @@ optional_policy(`
')
optional_policy(`
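Review bot: `abrt_cache_read(staff_t)` is applied to the base login domain only, whereas the unprivuser hunk later in this file (`abrt_cache_read(user_t)`) sits next to a rule written against the `user_usertype` attribute; if derived user domains are meant to read crash reports too, both calls should use the `*_usertype` form, and if not, a one-line comment such as `# login domain only; derived user domains do not get crash-report access` would record that the narrower scope is deliberate. Which of the two is intended cannot be told from the hunk.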
@@ -12948,7 +12975,7 @@ index 2be17d2..f9735b5 100644
optional_policy(`
vlock_run(staff_t, staff_r)
-@@ -89,10 +222,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +226,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -12959,7 +12986,7 @@ index 2be17d2..f9735b5 100644
gpg_role(staff_r, staff_t)
')
-@@ -137,10 +266,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +270,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -12970,7 +12997,7 @@ index 2be17d2..f9735b5 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +297,8 @@ ifndef(`distro_redhat',`
+@@ -172,3 +301,8 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -12980,7 +13007,7 @@ index 2be17d2..f9735b5 100644
+')
+
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..a0a91fe 100644
+index 4a8d146..8839731 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
@@ -13061,7 +13088,18 @@ index 4a8d146..a0a91fe 100644
')
optional_policy(`
-@@ -163,6 +188,13 @@ optional_policy(`
+@@ -124,6 +149,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dbus_role_template(sysadm, sysadm_r, sysadm_t)
++')
++
++optional_policy(`
+ ddcprobe_run(sysadm_t, sysadm_r)
+ ')
+
+@@ -163,6 +192,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -13075,7 +13113,7 @@ index 4a8d146..a0a91fe 100644
')
optional_policy(`
-@@ -170,15 +202,15 @@ optional_policy(`
+@@ -170,15 +206,15 @@ optional_policy(`
')
optional_policy(`
@@ -13094,7 +13132,7 @@ index 4a8d146..a0a91fe 100644
')
optional_policy(`
-@@ -202,14 +234,7 @@ optional_policy(`
+@@ -202,14 +238,7 @@ optional_policy(`
optional_policy(`
mount_run(sysadm_t, sysadm_r)
@@ -13110,7 +13148,7 @@ index 4a8d146..a0a91fe 100644
')
optional_policy(`
-@@ -225,6 +250,10 @@ optional_policy(`
+@@ -225,6 +254,10 @@ optional_policy(`
')
optional_policy(`
@@ -13121,7 +13159,7 @@ index 4a8d146..a0a91fe 100644
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -253,7 +282,7 @@ optional_policy(`
+@@ -253,7 +286,7 @@ optional_policy(`
')
optional_policy(`
@@ -13130,7 +13168,7 @@ index 4a8d146..a0a91fe 100644
')
optional_policy(`
-@@ -265,20 +294,14 @@ optional_policy(`
+@@ -265,20 +298,14 @@ optional_policy(`
')
optional_policy(`
@@ -13152,7 +13190,7 @@ index 4a8d146..a0a91fe 100644
optional_policy(`
rsync_exec(sysadm_t)
-@@ -307,7 +330,7 @@ optional_policy(`
+@@ -307,7 +334,7 @@ optional_policy(`
')
optional_policy(`
@@ -13161,7 +13199,7 @@ index 4a8d146..a0a91fe 100644
')
optional_policy(`
-@@ -332,10 +355,6 @@ optional_policy(`
+@@ -332,10 +359,6 @@ optional_policy(`
')
optional_policy(`
@@ -13172,7 +13210,7 @@ index 4a8d146..a0a91fe 100644
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -343,18 +362,10 @@ optional_policy(`
+@@ -343,19 +366,15 @@ optional_policy(`
')
optional_policy(`
@@ -13185,13 +13223,16 @@ index 4a8d146..a0a91fe 100644
optional_policy(`
- uml_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- unconfined_domtrans(sysadm_t)
++ unconfined_domtrans(sysadm_t)
+ ')
+
+ optional_policy(`
+- unconfined_domtrans(sysadm_t)
++ udev_run(sysadm_t, sysadm_r)
')
-@@ -367,17 +378,14 @@ optional_policy(`
+ optional_policy(`
+@@ -367,17 +386,14 @@ optional_policy(`
')
optional_policy(`
@@ -13211,7 +13252,7 @@ index 4a8d146..a0a91fe 100644
')
optional_policy(`
-@@ -389,7 +397,7 @@ optional_policy(`
+@@ -389,7 +405,7 @@ optional_policy(`
')
optional_policy(`
@@ -13220,7 +13261,7 @@ index 4a8d146..a0a91fe 100644
')
optional_policy(`
-@@ -404,8 +412,15 @@ optional_policy(`
+@@ -404,8 +420,15 @@ optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
@@ -13236,7 +13277,7 @@ index 4a8d146..a0a91fe 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -452,5 +467,60 @@ ifndef(`distro_redhat',`
+@@ -452,5 +475,60 @@ ifndef(`distro_redhat',`
optional_policy(`
java_role(sysadm_r, sysadm_t)
')
@@ -14509,10 +14550,10 @@ index 0000000..daf56b2
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..0c84965 100644
+index e5bfdd4..54ea4f5 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,59 @@ role user_r;
+@@ -12,15 +12,63 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -14522,6 +14563,10 @@ index e5bfdd4..0c84965 100644
+ userdom_execmod_user_home_files(user_usertype)
+')
+
++optional_policy(`
++ abrt_cache_read(user_t)
++')
++
optional_policy(`
apache_role(user_r, user_t)
')
@@ -14572,7 +14617,7 @@ index e5bfdd4..0c84965 100644
vlock_run(user_t, user_r)
')
-@@ -62,10 +106,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +110,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -14583,7 +14628,7 @@ index e5bfdd4..0c84965 100644
gpg_role(user_r, user_t)
')
-@@ -118,7 +158,7 @@ ifndef(`distro_redhat',`
+@@ -118,7 +162,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -14592,7 +14637,7 @@ index e5bfdd4..0c84965 100644
')
optional_policy(`
-@@ -157,3 +197,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +201,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -14797,7 +14842,7 @@ index 1bd5812..3b3ba64 100644
/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..8961dba 100644
+index 0b827c5..9a82e8d 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -14819,12 +14864,31 @@ index 0b827c5..8961dba 100644
')
########################################
-@@ -160,8 +165,25 @@ interface(`abrt_run_helper',`
+@@ -160,8 +165,44 @@ interface(`abrt_run_helper',`
########################################
## <summary>
-## Send and receive messages from
-## abrt over dbus.
++## Read abrt cache
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`abrt_cache_read',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++')
++
++########################################
++## <summary>
+## Append abrt cache
+## </summary>
+## <param name="domain">
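Review bot: `abrt_cache_read` gives the caller read on files and symlinks labelled abrt_var_cache_t, which the abrt.fc context line shown above this hunk maps to /var/spool/abrt, i.e. the crash reports themselves, and the staff and unprivuser hunks hand it to every login domain. SELinux rules are additive, so DAC on /var/spool/abrt still decides which reports a user can actually open, but the one-line summary `## Read abrt cache` hides what is being exposed; suggest `## Read abrt crash reports in the abrt cache (/var/spool/abrt); DAC on the spool still applies.` Note also that read_files_pattern grants search only on abrt_var_cache_t directories, so reaching the cache assumes the caller can already search /var/spool (the login domains presumably can, but a caller from elsewhere may not).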
@@ -14847,7 +14911,7 @@ index 0b827c5..8961dba 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -253,6 +275,24 @@ interface(`abrt_manage_pid_files',`
+@@ -253,6 +294,24 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -14872,7 +14936,7 @@ index 0b827c5..8961dba 100644
#####################################
## <summary>
## All of the rules required to administrate
-@@ -286,18 +326,18 @@ interface(`abrt_admin',`
+@@ -286,18 +345,18 @@ interface(`abrt_admin',`
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
@@ -15440,10 +15504,10 @@ index 0000000..aeb1888
+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if
new file mode 100644
-index 0000000..8e6e2c3
+index 0000000..0f3fc36
--- /dev/null
+++ b/policy/modules/services/ajaxterm.if
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,86 @@
+## <summary>policy for ajaxterm</summary>
+
+########################################
@@ -15482,6 +15546,24 @@ index 0000000..8e6e2c3
+ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
+')
+
++#######################################
++## <summary>
++## Read and write the ajaxterm pty type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ajaxterm_rw_ptys',`
++ gen_require(`
++ type ajaxterm_devpts_t;
++ ')
++
++ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
++')
++
+########################################
+## <summary>
+## All of the rules required to administrate
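Review bot: The summary of `ajaxterm_rw_ptys` says "Read and write the ajaxterm pty type", but the rule uses `rw_inherited_term_perms`, which by its name covers use of an already-open descriptor and presumably does not include `open` (confirm against the perm set definition). Suggest `## Read and write inherited (already open) ajaxterm ptys; does not permit opening them.` The distinction matters because an interface that sounds like full pty access will otherwise be handed to a domain that expects to open the pty and then fails with an unexplained denial.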
@@ -15514,10 +15596,10 @@ index 0000000..8e6e2c3
+')
diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
new file mode 100644
-index 0000000..ffdcad1
+index 0000000..3d0fd88
--- /dev/null
+++ b/policy/modules/services/ajaxterm.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,64 @@
+policy_module(ajaxterm, 1.0.0)
+
+########################################
@@ -15573,8 +15655,13 @@ index 0000000..ffdcad1
+
+sysnet_dns_name_resolve(ajaxterm_t)
+
++#######################################
++#
++# SSH component local policy
++#
++
+optional_policy(`
-+ ssh_domtrans(ajaxterm_t)
++ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
+')
+
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
@@ -15591,9 +15678,18 @@ index ceb2142..e31d92a 100644
')
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index c3a1903..a65e930 100644
+index c3a1903..0140399 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
+@@ -47,7 +47,7 @@ files_type(amavis_spool_t)
+
+ allow amavis_t self:capability { kill chown dac_override setgid setuid };
+ dontaudit amavis_t self:capability sys_tty_config;
+-allow amavis_t self:process { signal sigchld signull };
++allow amavis_t self:process { signal sigchld sigkill signull };
+ allow amavis_t self:fifo_file rw_fifo_file_perms;
+ allow amavis_t self:unix_stream_socket create_stream_socket_perms;
+ allow amavis_t self:unix_dgram_socket create_socket_perms;
@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
# tmp files
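Review bot: The new inner hunk adding `sigkill` to `allow amavis_t self:process { ... }` is not listed in the commit description, and neither are the certmonger keytab read, the sssd UDP bind, the winbind network-state read or the puppetmaster changes further down; one description line per behavioural change (even `- Allow amavis to sigkill processes in its own domain`) keeps the spec changelog and the patch in step. The permission itself is self-scoped, so the concern is traceability rather than risk.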
@@ -17292,6 +17388,21 @@ index c804110..bdefbe1 100644
ps_process_pattern($1, arpwatch_t)
arpwatch_initrc_domtrans($1)
+diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
+index 804135f..af04567 100644
+--- a/policy/modules/services/arpwatch.te
++++ b/policy/modules/services/arpwatch.te
+@@ -47,8 +47,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+ files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+
+ kernel_read_network_state(arpwatch_t)
++# meminfo
++kernel_read_system_state(arpwatch_t)
+ kernel_read_kernel_sysctls(arpwatch_t)
+-kernel_list_proc(arpwatch_t)
+ kernel_read_proc_symlinks(arpwatch_t)
+ kernel_request_load_module(arpwatch_t)
+
diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
index 8b8143e..c1a2b96 100644
--- a/policy/modules/services/asterisk.if
@@ -18680,7 +18791,7 @@ index 7a6e5ba..d664be8 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index c3e3f79..23c4087 100644
+index c3e3f79..3e78d4e 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -23,7 +23,8 @@ files_type(certmonger_var_lib_t)
@@ -18723,7 +18834,7 @@ index c3e3f79..23c4087 100644
logging_send_syslog_msg(certmonger_t)
miscfiles_read_localization(certmonger_t)
-@@ -58,15 +64,31 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -58,15 +64,32 @@ miscfiles_manage_generic_cert_files(certmonger_t)
sysnet_dns_name_resolve(certmonger_t)
@@ -18748,6 +18859,7 @@ index c3e3f79..23c4087 100644
+
+optional_policy(`
kerberos_use(certmonger_t)
++ kerberos_read_keytab(certmonger_t)
')
optional_policy(`
@@ -23005,7 +23117,7 @@ index 9bd812b..c808b31 100644
')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..dc4eb3d 100644
+index fdaeeba..df87ba8 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@@ -23028,7 +23140,7 @@ index fdaeeba..dc4eb3d 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,10 +99,18 @@ optional_policy(`
+@@ -96,7 +99,16 @@ optional_policy(`
')
optional_policy(`
@@ -23037,17 +23149,15 @@ index fdaeeba..dc4eb3d 100644
+
+optional_policy(`
dbus_system_bus_client(dnsmasq_t)
- ')
-
- optional_policy(`
-+ ppp_read_pid_files(dnsmasq_t)
++ dbus_connect_system_bus(dnsmasq_t)
+')
+
+optional_policy(`
- seutil_sigchld_newrole(dnsmasq_t)
++ ppp_read_pid_files(dnsmasq_t)
')
-@@ -114,4 +125,5 @@ optional_policy(`
+ optional_policy(`
+@@ -114,4 +126,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
@@ -25059,10 +25169,15 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..9507bbb 100644
+index 4fde46b..74db53c 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -19,7 +19,10 @@ allow gnomeclock_t self:process { getattr getsched };
+@@ -15,11 +15,14 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+ #
+
+ allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+-allow gnomeclock_t self:process { getattr getsched };
++allow gnomeclock_t self:process { getattr getsched signal };
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
@@ -27170,10 +27285,10 @@ index 0000000..68ad33f
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
new file mode 100644
-index 0000000..6395ec8
+index 0000000..f60483e
--- /dev/null
+++ b/policy/modules/services/mock.if
-@@ -0,0 +1,254 @@
+@@ -0,0 +1,272 @@
+## <summary>policy for mock</summary>
+
+########################################
@@ -27327,6 +27442,24 @@ index 0000000..6395ec8
+ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
++#######################################
++## <summary>
++## Dontaudit read and write an leaked file descriptors
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mock_dontaudit_leaks',`
++ gen_require(`
++ type mock_tmp_t;
++ ')
++
++ dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
++')
++
+########################################
+## <summary>
+## Execute mock in the mock domain, and
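Review bot: The summary of `mock_dontaudit_leaks` is ungrammatical ("Dontaudit read and write an leaked file descriptors") and its parameter summary reads "Domain allowed access." although the rule is a dontaudit; the other dontaudit interface in this patch (`files_dontaudit_access_check_mnt`) uses "Domain to not audit." Suggest `## Do not audit reads and writes on leaked mock tmp file descriptors.` for the summary and `## Domain to not audit.` for the parameter.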
@@ -27430,12 +27563,19 @@ index 0000000..6395ec8
+')
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
new file mode 100644
-index 0000000..5576314
+index 0000000..b7d8f2f
--- /dev/null
+++ b/policy/modules/services/mock.te
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,123 @@
+policy_module(mock,1.0.0)
+
++## <desc>
++## <p>
++## Allow mock to read files in home directories.
++## </p>
++## </desc>
++gen_tunable(mock_enable_homedirs, false)
++
+########################################
+#
+# Declarations
@@ -27486,10 +27626,14 @@ index 0000000..5576314
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
+can_exec(mock_t, mock_var_lib_t)
+allow mock_t mock_var_lib_t:dir mounton;
++allow mock_t mock_var_lib_t:dir relabel_dir_perms;
++allow mock_t mock_var_lib_t:file relabel_file_perms;
++
+
+kernel_list_proc(mock_t)
+kernel_read_irq_sysctls(mock_t)
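Review bot: The new side ends up with two consecutive blank lines after `allow mock_t mock_var_lib_t:file relabel_file_perms;` (the added `+` blank followed by the existing one); drop one. More substantively, `manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)` and the two relabel rules carry no comment; mock presumably populates build chroots with device nodes, and a line such as `# chroot population: device nodes and relabelling under /var/lib/mock` would record why a build tool needs block-device creation in its lib directory. The relabel rules are same-type (mock_var_lib_t to mock_var_lib_t), so they do not widen the label set.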
@@ -27503,20 +27647,24 @@ index 0000000..5576314
+corenet_tcp_connect_http_port(mock_t)
+
+dev_read_urand(mock_t)
++dev_read_sysfs(mock_t)
+
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_files(mock_t)
+files_read_usr_files(mock_t)
++files_dontaudit_list_boot(mock_t)
+
+fs_getattr_all_fs(mock_t)
++fs_manage_cgroup_dirs(mock_t)
+
+selinux_get_enforce_mode(mock_t)
+
+auth_use_nsswitch(mock_t)
+
+init_exec(mock_t)
++init_dontaudit_stream_connect(mock_t)
+
+libs_domtrans_ldconfig(mock_t)
+
@@ -27527,6 +27675,12 @@ index 0000000..5576314
+
+mount_domtrans(mock_t)
+
++userdom_use_user_ptys(mock_t)
++
++tunable_policy(`mock_enable_homedirs',`
++ userdom_read_user_home_content_files(mock_t)
++')
++
+optional_policy(`
+ rpm_exec(mock_t)
+ rpm_manage_db(mock_t)
@@ -28355,7 +28509,7 @@ index 343cee3..2f948ad 100644
+ ')
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..8974c28 100644
+index 64268e4..0d7da33 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@@ -28519,7 +28673,18 @@ index 64268e4..8974c28 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -249,11 +250,16 @@ optional_policy(`
+@@ -242,6 +243,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ logwatch_search_cache_dir(mailserver_delivery)
++')
++
++optional_policy(`
+ # so MTA can access /var/lib/mailman/mail/wrapper
+ files_search_var_lib(mailserver_delivery)
+
+@@ -249,11 +254,16 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -28536,7 +28701,7 @@ index 64268e4..8974c28 100644
domain_use_interactive_fds(user_mail_t)
userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +298,44 @@ optional_policy(`
+@@ -292,3 +302,44 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -28891,7 +29056,7 @@ index f17583b..8f01394 100644
+
+miscfiles_read_localization(munin_plugin_domain)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..a12d5ea 100644
+index e9c0982..f11e4f2 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@@ -28975,7 +29140,7 @@ index e9c0982..a12d5ea 100644
')
allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +379,17 @@ interface(`mysql_admin',`
+@@ -343,13 +379,19 @@ interface(`mysql_admin',`
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
@@ -28992,6 +29157,8 @@ index e9c0982..a12d5ea 100644
+ files_list_tmp($1)
admin_pattern($1, mysqld_tmp_t)
++
++ mysql_stream_connect($1)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 0a0d63c..579f237 100644
@@ -33452,7 +33619,7 @@ index 2855a44..0456b11 100644
type puppet_tmp_t;
')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..1a07760 100644
+index 64c5f95..69fa687 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -33528,8 +33695,14 @@ index 64c5f95..1a07760 100644
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -214,13 +226,32 @@ domain_read_all_domains_state(puppetmaster_t)
+@@ -210,17 +222,38 @@ dev_read_rand(puppetmaster_t)
+ dev_read_urand(puppetmaster_t)
+
+ domain_read_all_domains_state(puppetmaster_t)
++domain_obj_id_change_exemption(puppetmaster_t)
+
files_read_etc_files(puppetmaster_t)
++files_read_usr_files(puppetmaster_t)
files_search_var_lib(puppetmaster_t)
+selinux_validate_context(puppetmaster_t)
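Review bot: `domain_obj_id_change_exemption(puppetmaster_t)` is added without a comment; it exempts the domain from the object identity-change constraints, letting it create or relabel objects whose SELinux user or role differ from its own, which is a constraint bypass and the kind of rule the next reviewer will question. Pair it with the `selinux_validate_context(puppetmaster_t)` line and a short why, e.g. `# puppetmaster sets caller-specified contexts on managed files, so it needs the obj id change exemption`, if that is indeed the trigger (inferred here). The commit description does not mention puppet at all.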
@@ -33561,7 +33734,7 @@ index 64c5f95..1a07760 100644
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +262,8 @@ optional_policy(`
+@@ -231,3 +264,8 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -36503,7 +36676,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..395fafb 100644
+index e30bb63..00a9125 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -36681,7 +36854,7 @@ index e30bb63..395fafb 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,14 +809,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +809,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -36699,9 +36872,11 @@ index e30bb63..395fafb 100644
-files_pid_filetrans(winbind_t, winbind_var_run_t, file)
+files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir })
++kernel_read_network_state(winbind_t)
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +836,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+
+@@ -833,6 +837,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -36709,7 +36884,7 @@ index e30bb63..395fafb 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -922,6 +926,18 @@ optional_policy(`
+@@ -922,6 +927,18 @@ optional_policy(`
#
optional_policy(`
@@ -36728,7 +36903,7 @@ index e30bb63..395fafb 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +948,12 @@ optional_policy(`
+@@ -932,9 +949,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -38868,7 +39043,7 @@ index 941380a..6dbfc01 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..12d37a2 100644
+index 8ffa257..44cbef4 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -38894,15 +39069,20 @@ index 8ffa257..12d37a2 100644
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,6 +50,7 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,8 +50,12 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+kernel_read_network_state(sssd_t)
kernel_read_system_state(sssd_t)
++corenet_udp_bind_generic_port(sssd_t)
++corenet_dontaudit_udp_bind_all_ports(sssd_t)
++
corecmd_exec_bin(sssd_t)
-@@ -60,6 +63,7 @@ domain_obj_id_change_exemption(sssd_t)
+
+ dev_read_urand(sssd_t)
+@@ -60,6 +66,7 @@ domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
@@ -38910,17 +39090,16 @@ index 8ffa257..12d37a2 100644
fs_list_inotifyfs(sssd_t)
-@@ -69,7 +73,8 @@ seutil_read_file_contexts(sssd_t)
+@@ -69,7 +76,7 @@ seutil_read_file_contexts(sssd_t)
mls_file_read_to_clearance(sssd_t)
-auth_use_nsswitch(sssd_t)
-+
+# auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
-@@ -79,6 +84,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +86,12 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_localization(sssd_t)
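Review bot: `# auth_use_nsswitch(sssd_t)` leaves commented-out policy where the call was removed; either drop the line or replace it with a why-comment, because the `auth_domtrans_chk_passwd`/`auth_domtrans_upd_passwd` lines directly beneath it show sssd still drives the auth helpers and a later reader will otherwise assume the nsswitch call fell out by accident. Something like `# sssd is itself an nsswitch backend; the generic client rules are not wanted here` would record the reason, if that is indeed the reason.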
@@ -38933,7 +39112,7 @@ index 8ffa257..12d37a2 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -88,3 +99,11 @@ optional_policy(`
+@@ -88,3 +101,11 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
')
@@ -40225,7 +40404,7 @@ index 7c5d8d8..5e2f264 100644
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..48fc96d 100644
+index 3eca020..3e3dc01 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
@@ -40377,15 +40556,16 @@ index 3eca020..48fc96d 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -133,6 +152,7 @@ dev_list_sysfs(svirt_t)
+@@ -133,6 +152,8 @@ dev_list_sysfs(svirt_t)
userdom_search_user_home_content(svirt_t)
userdom_read_user_home_content_symlinks(svirt_t)
userdom_read_all_users_state(svirt_t)
+append_files_pattern(svirt_t, virt_home_t, virt_home_t)
++stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t)
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +167,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +168,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
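Review bot: `stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t)` grants the guest domain `connectto` on every `virtd_t` unix stream socket, not only the monitor socket under the user's home, because the pattern's last argument names a peer domain rather than a socket object; combined with `sock_file write` on `virt_home_t` that is a guest-to-libvirtd channel and deserves a deliberate decision. The commit message says virt *creates* monitor sockets in the home directory; if qemu is the side that binds and libvirtd the side that connects, the arguments are reversed and the rule belongs on `virtd_t` (the `manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)` added further down already covers creation). A why-comment such as `# qemu monitor socket under ~/.libvirt; libvirtd connects to it` above the line would let the next reviewer confirm the direction.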
@@ -40401,7 +40581,7 @@ index 3eca020..48fc96d 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +184,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +185,22 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -40424,7 +40604,7 @@ index 3eca020..48fc96d 100644
xen_rw_image_files(svirt_t)
')
-@@ -174,21 +209,28 @@ optional_policy(`
+@@ -174,21 +210,28 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -40458,7 +40638,7 @@ index 3eca020..48fc96d 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +242,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +243,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -40475,7 +40655,7 @@ index 3eca020..48fc96d 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +268,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +269,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -40483,7 +40663,7 @@ index 3eca020..48fc96d 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +288,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +289,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -40516,7 +40696,7 @@ index 3eca020..48fc96d 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +320,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +321,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -40535,7 +40715,7 @@ index 3eca020..48fc96d 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +355,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +356,31 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -40559,6 +40739,7 @@ index 3eca020..48fc96d 100644
+userdom_setattr_user_home_content_files(virtd_t)
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
++manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
+
@@ -40566,7 +40747,7 @@ index 3eca020..48fc96d 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -329,6 +413,10 @@ optional_policy(`
+@@ -329,6 +415,10 @@ optional_policy(`
')
optional_policy(`
@@ -40577,7 +40758,7 @@ index 3eca020..48fc96d 100644
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
-@@ -365,6 +453,8 @@ optional_policy(`
+@@ -365,6 +455,8 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -40586,7 +40767,7 @@ index 3eca020..48fc96d 100644
')
optional_policy(`
-@@ -396,12 +486,25 @@ optional_policy(`
+@@ -396,12 +488,25 @@ optional_policy(`
allow virt_domain self:capability { dac_read_search dac_override kill };
allow virt_domain self:process { execmem execstack signal getsched signull };
@@ -40613,7 +40794,7 @@ index 3eca020..48fc96d 100644
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +525,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +527,7 @@ corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -40621,7 +40802,7 @@ index 3eca020..48fc96d 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +533,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +535,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -40634,7 +40815,7 @@ index 3eca020..48fc96d 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,6 +546,11 @@ files_search_all(virt_domain)
+@@ -440,6 +548,11 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -40646,7 +40827,7 @@ index 3eca020..48fc96d 100644
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -457,8 +568,117 @@ optional_policy(`
+@@ -457,8 +570,117 @@ optional_policy(`
')
optional_policy(`
@@ -44292,7 +44473,7 @@ index bea0ade..a0feb45 100644
optional_policy(`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 54d122b..46929ca 100644
+index 54d122b..b86897f 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
@@ -44338,7 +44519,16 @@ index 54d122b..46929ca 100644
allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)
-@@ -394,3 +409,13 @@ optional_policy(`
+@@ -99,6 +114,8 @@ dev_read_urand(chkpwd_t)
+ files_read_etc_files(chkpwd_t)
+ # for nscd
+ files_dontaudit_search_var(chkpwd_t)
++files_read_usr_symlinks(chkpwd_t)
++files_list_tmp(chkpwd_t)
+
+ fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+
+@@ -394,3 +411,13 @@ optional_policy(`
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
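Review bot: `files_list_tmp(chkpwd_t)` gives the setuid password helper `read` on `/tmp`, which is more than following the `/usr/tmp -> /var/tmp` symlink named in the commit message requires; if the denial was only `search`, `files_search_tmp(chkpwd_t)` is the least-privilege form. The two new lines also sit directly under the existing `# for nscd` comment, so a reader cannot tell whether they share that cause; a line such as `# nscd client code in unix_chkpwd follows /usr/tmp -> /var/tmp` above them would make it explicit. `chkpwd_t` already has `dev_read_urand`, so whatever "randomization" walks /tmp is presumably a fallback rather than the entropy source — worth confirming before widening the rule.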
@@ -44702,7 +44892,7 @@ index 6fed22c..06e5395 100644
#
# /var
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..341c578 100644
+index cc83689..2657c0b 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,40 @@ interface(`init_script_domain',`
@@ -44907,7 +45097,32 @@ index cc83689..341c578 100644
mls_rangetrans_target($1)
')
')
-@@ -688,19 +796,24 @@ interface(`init_telinit',`
+@@ -525,6 +633,24 @@ interface(`init_stream_connect',`
+ allow $1 init_t:unix_stream_socket connectto;
+ ')
+
++#######################################
++## <summary>
++## Dontaudit Connect to init with a unix socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_dontaudit_stream_connect',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dontaudit $1 init_t:unix_stream_socket connectto;
++')
++
+ ########################################
+ ## <summary>
+ ## Inherit and use file descriptors from init.
+@@ -688,19 +814,24 @@ interface(`init_telinit',`
type initctl_t;
')
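Review bot: The new `init_dontaudit_stream_connect` summary, `Dontaudit Connect to init with a unix socket.`, mixes the m4 verb into the prose and does not follow the wording of the other dontaudit interfaces in this file; `Do not audit attempts to connect to init over a unix stream socket.` reads consistently. The parameter summary should also say what the rule does with the domain, e.g. `Domain to not audit.`, since nothing is allowed here.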
@@ -44933,7 +45148,7 @@ index cc83689..341c578 100644
')
')
-@@ -773,18 +886,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +904,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -44957,7 +45172,7 @@ index cc83689..341c578 100644
')
')
-@@ -800,19 +914,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +932,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -45003,7 +45218,7 @@ index cc83689..341c578 100644
')
########################################
-@@ -868,9 +1004,14 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1022,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -45018,7 +45233,7 @@ index cc83689..341c578 100644
files_search_etc($1)
')
-@@ -1079,6 +1220,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1238,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -45043,7 +45258,7 @@ index cc83689..341c578 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1130,12 +1289,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1307,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -45057,7 +45272,7 @@ index cc83689..341c578 100644
')
########################################
-@@ -1375,6 +1529,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1547,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -45085,7 +45300,7 @@ index cc83689..341c578 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1461,6 +1636,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1654,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -45111,7 +45326,7 @@ index cc83689..341c578 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1674,7 +1868,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1886,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -45120,7 +45335,7 @@ index cc83689..341c578 100644
')
########################################
-@@ -1749,3 +1943,93 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +1961,93 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -45215,7 +45430,7 @@ index cc83689..341c578 100644
+ allow $1 init_t:unix_dgram_socket sendto;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 77e8ca8..c50cbb7 100644
+index 77e8ca8..2abb81b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -45360,7 +45575,7 @@ index 77e8ca8..c50cbb7 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +229,96 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +229,100 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -45385,6 +45600,7 @@ index 77e8ca8..c50cbb7 100644
+ kernel_read_all_sysctls(init_t)
+ kernel_read_software_raid_state(init_t)
+ kernel_unmount_debugfs(init_t)
++ kernel_setsched(init_t)
+
+ dev_write_kmsg(init_t)
+ dev_write_urand(init_t)
@@ -45393,11 +45609,13 @@ index 77e8ca8..c50cbb7 100644
+ dev_manage_generic_dirs(init_t)
+ dev_manage_generic_files(init_t)
+ dev_read_generic_chr_files(init_t)
-+ dev_relabelfrom_generic_chr_files(init_t)
-+ dev_relabel_autofs_dev(init_t)
++ dev_relabel_generic_dev_dirs(init_t)
++ dev_relabel_all_dev_nodes(init_t)
++ dev_relabel_all_dev_files(init_t)
+ dev_manage_sysfs_dirs(init_t)
+
+ files_mounton_all_mountpoints(init_t)
++ files_unmount_all_file_type_fs(init_t)
+ files_manage_all_pid_dirs(init_t)
+ files_unlink_all_pid_sockets(init_t)
+ files_manage_urandom_seed(init_t)
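Review bot: `dev_relabel_all_dev_nodes(init_t)` and `dev_relabel_all_dev_files(init_t)` replace the narrower `dev_relabelfrom_generic_chr_files`/`dev_relabel_autofs_dev` pair with, going by their names, relabelfrom/relabelto across every device type, which would let init move a node between any two device labels rather than only fix up generic ones; the commit message names only the `/dev/.udev` files. If the systemd boot path only touches generic nodes and the udev database, `dev_relabel_generic_dev_dirs` plus the `udev_relabelto_db(init_t)` this patch adds elsewhere may be enough, and the all-nodes variants deserve at least a why-comment naming the denial that motivated them, e.g. `# systemd relabels /dev on boot before udev runs`. On a build where the `unconfined_domain(init_t)` block lower in this file is active this is moot, but the confined build is the one these rules exist for.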
@@ -45407,6 +45625,7 @@ index 77e8ca8..c50cbb7 100644
+ fs_manage_tmpfs_dirs(init_t)
+ fs_relabelfrom_tmpfs_dir(init_t)
+ fs_mount_all_fs(init_t)
++ fs_remount_autofs(init_t)
+ fs_list_auto_mountpoints(init_t)
+ fs_read_cgroup_files(init_t)
+ fs_write_cgroup_files(init_t)
@@ -45457,7 +45676,7 @@ index 77e8ca8..c50cbb7 100644
')
optional_policy(`
-@@ -199,10 +326,24 @@ optional_policy(`
+@@ -199,10 +330,25 @@ optional_policy(`
')
optional_policy(`
@@ -45471,6 +45690,7 @@ index 77e8ca8..c50cbb7 100644
optional_policy(`
+ udev_read_db(init_t)
++ udev_relabelto_db(init_t)
+')
+
+optional_policy(`
@@ -45482,7 +45702,7 @@ index 77e8ca8..c50cbb7 100644
unconfined_domain(init_t)
')
-@@ -212,7 +353,7 @@ optional_policy(`
+@@ -212,7 +358,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -45491,7 +45711,7 @@ index 77e8ca8..c50cbb7 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +382,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +387,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -45506,7 +45726,7 @@ index 77e8ca8..c50cbb7 100644
init_write_initctl(initrc_t)
-@@ -258,11 +401,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +406,23 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -45530,7 +45750,7 @@ index 77e8ca8..c50cbb7 100644
corecmd_exec_all_executables(initrc_t)
-@@ -279,6 +434,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +439,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -45538,7 +45758,7 @@ index 77e8ca8..c50cbb7 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -291,6 +447,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +452,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -45546,7 +45766,7 @@ index 77e8ca8..c50cbb7 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +455,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +460,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -45562,7 +45782,7 @@ index 77e8ca8..c50cbb7 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -323,8 +480,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +485,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -45574,7 +45794,7 @@ index 77e8ca8..c50cbb7 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +499,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +504,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -45588,7 +45808,7 @@ index 77e8ca8..c50cbb7 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +514,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +519,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -45597,7 +45817,7 @@ index 77e8ca8..c50cbb7 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +528,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +533,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -45605,7 +45825,7 @@ index 77e8ca8..c50cbb7 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +540,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +545,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -45613,7 +45833,7 @@ index 77e8ca8..c50cbb7 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,13 +561,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +566,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -45629,7 +45849,7 @@ index 77e8ca8..c50cbb7 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -478,7 +646,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +651,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -45638,7 +45858,7 @@ index 77e8ca8..c50cbb7 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -524,6 +692,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +697,23 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -45662,7 +45882,7 @@ index 77e8ca8..c50cbb7 100644
')
optional_policy(`
-@@ -531,10 +716,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +721,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -45680,7 +45900,7 @@ index 77e8ca8..c50cbb7 100644
')
optional_policy(`
-@@ -549,6 +741,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +746,39 @@ ifdef(`distro_suse',`
')
')
@@ -45720,7 +45940,7 @@ index 77e8ca8..c50cbb7 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +786,8 @@ optional_policy(`
+@@ -561,6 +791,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -45729,7 +45949,7 @@ index 77e8ca8..c50cbb7 100644
')
optional_policy(`
-@@ -577,6 +804,7 @@ optional_policy(`
+@@ -577,6 +809,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -45737,7 +45957,7 @@ index 77e8ca8..c50cbb7 100644
')
optional_policy(`
-@@ -589,6 +817,11 @@ optional_policy(`
+@@ -589,6 +822,11 @@ optional_policy(`
')
optional_policy(`
@@ -45749,7 +45969,7 @@ index 77e8ca8..c50cbb7 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +838,13 @@ optional_policy(`
+@@ -605,9 +843,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -45763,7 +45983,7 @@ index 77e8ca8..c50cbb7 100644
')
optional_policy(`
-@@ -706,7 +943,13 @@ optional_policy(`
+@@ -706,7 +948,13 @@ optional_policy(`
')
optional_policy(`
@@ -45777,7 +45997,7 @@ index 77e8ca8..c50cbb7 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +972,10 @@ optional_policy(`
+@@ -729,6 +977,10 @@ optional_policy(`
')
optional_policy(`
@@ -45788,7 +46008,7 @@ index 77e8ca8..c50cbb7 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +985,20 @@ optional_policy(`
+@@ -738,10 +990,20 @@ optional_policy(`
')
optional_policy(`
@@ -45809,7 +46029,7 @@ index 77e8ca8..c50cbb7 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1007,10 @@ optional_policy(`
+@@ -750,6 +1012,10 @@ optional_policy(`
')
optional_policy(`
@@ -45820,7 +46040,7 @@ index 77e8ca8..c50cbb7 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1032,6 @@ optional_policy(`
+@@ -771,8 +1037,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -45829,7 +46049,7 @@ index 77e8ca8..c50cbb7 100644
')
optional_policy(`
-@@ -781,14 +1040,21 @@ optional_policy(`
+@@ -781,14 +1045,21 @@ optional_policy(`
')
optional_policy(`
@@ -45851,7 +46071,7 @@ index 77e8ca8..c50cbb7 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -810,11 +1076,19 @@ optional_policy(`
+@@ -810,11 +1081,19 @@ optional_policy(`
')
optional_policy(`
@@ -45872,7 +46092,7 @@ index 77e8ca8..c50cbb7 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1098,25 @@ optional_policy(`
+@@ -824,6 +1103,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -45898,7 +46118,7 @@ index 77e8ca8..c50cbb7 100644
')
optional_policy(`
-@@ -849,3 +1142,59 @@ optional_policy(`
+@@ -849,3 +1147,59 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -46971,21 +47191,22 @@ index 2b7e5f3..76b4ce1 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 571599b..b323b73 100644
+index 571599b..7e33883 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
-@@ -17,6 +17,10 @@
+@@ -17,6 +17,11 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-@@ -25,6 +29,7 @@
+@@ -25,6 +30,7 @@
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
@@ -46993,7 +47214,7 @@ index 571599b..b323b73 100644
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
ifdef(`distro_suse', `
-@@ -54,18 +59,24 @@ ifdef(`distro_redhat',`
+@@ -54,18 +60,24 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
@@ -47383,7 +47604,7 @@ index 58bc27f..b95f0c0 100644
+ allow $1 clvmd_tmpfs_t:file unlink;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..402f69e 100644
+index a0a0ebf..1440818 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -47524,6 +47745,17 @@ index a0a0ebf..402f69e 100644
modutils_domtrans_insmod(lvm_t)
')
+@@ -339,6 +367,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_passwd_agent_dev_template(lvm)
++')
++
++optional_policy(`
+ udev_read_db(lvm_t)
+ ')
+
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 172287e..2683ce9 100644
--- a/policy/modules/system/miscfiles.fc
@@ -49791,10 +50023,10 @@ index 0000000..64fc1a5
+
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..5f0352b
+index 0000000..eed77d0
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,122 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -49887,12 +50119,42 @@ index 0000000..5f0352b
+ allow $2 systemd_passwd_agent_t:process signal;
+')
+
++
++######################################
++## <summary>
++## Template for temporary sockets and files in /dev/.systemd/ask-password
++## which are used by systemd-passwd-agent
++## </summary>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++#
++interface(`systemd_passwd_agent_dev_template',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ ')
++
++ type systemd_$1_device_t;
++ files_type(systemd_$1_device_t)
++ dev_associate(systemd_$1_device_t)
++
++ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
++ allow $1_t systemd_$1_device_t:file manage_file_perms;
++ allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
++
++ allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto;
++ allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
++ allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
++')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..4d7a07a
+index 0000000..d09b523
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,108 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -49930,6 +50192,7 @@ index 0000000..4d7a07a
+#
+allow systemd_passwd_agent_t self:capability chown;
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
++allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+allow systemd_passwd_agent_t systemd_device_t:fifo_file manage_fifo_file_perms;
+dev_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)
@@ -49954,11 +50217,11 @@ index 0000000..4d7a07a
+
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
-+files_read_etc_files(systemd_tmpfiles_t)
++kernel_read_network_state(systemd_tmpfiles_t)
+
++files_read_etc_files(systemd_tmpfiles_t)
+files_getattr_all_dirs(systemd_tmpfiles_t)
+files_getattr_all_files(systemd_tmpfiles_t)
-+
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_files(systemd_tmpfiles_t)
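Review bot: `kernel_read_network_state(systemd_tmpfiles_t)` is surprising for a tool that creates and cleans temporary files; nothing in the visible rules suggests tmpfiles opens anything under `/proc/net`. If this came from a denial while it walked `/proc` or from a library probing `/proc/net`, a dontaudit rule or a narrower read would be the least-privilege choice; at minimum a why-comment naming the denial, e.g. `# tmpfiles reads /proc/net/<file> because ...`, belongs above the line.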
@@ -50016,7 +50279,7 @@ index d1c22f3..44fe366 100644
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..cea695c 100644
+index 025348a..ad5bfd8 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -50052,11 +50315,62 @@ index 025348a..cea695c 100644
')
########################################
-@@ -231,3 +233,36 @@ interface(`udev_manage_pid_files',`
+@@ -214,6 +216,24 @@ interface(`udev_rw_db',`
+
+ ########################################
+ ## <summary>
++## Allow process to modify relabelto udev database
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`udev_relabelto_db',`
++ gen_require(`
++ type udev_tbl_t;
++ ')
++
++ allow $1 udev_tbl_t:file relabelto_file_perms;
++')
++
++########################################
++## <summary>
+ ## Create, read, write, and delete
+ ## udev pid files.
+ ## </summary>
+@@ -231,3 +251,62 @@ interface(`udev_manage_pid_files',`
files_search_var_lib($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
+
++#######################################
++## <summary>
++## Execute udev in the udev domain, and
++## allow the specified role the udev domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the iptables domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`udev_run',`
++ gen_require(`
++ type iptables_t;
++ ')
++
++ udev_domtrans($1)
++ role $2 types udev_t;
++')
++
+########################################
+## <summary>
+## Create a domain for processes
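Review bot: `udev_run` requires the wrong type: its `gen_require` pulls in `type iptables_t;` while the body uses `udev_t`, so the interface carries an unrelated dependency and, unless the iptables module is present, will not link; it should be `gen_require(` / `type udev_t;` / `')`, and the role parameter's summary should read `The role to be allowed the udev domain.` instead of the iptables wording. The `udev_relabelto_db` summary in the same hunk, `Allow process to modify relabelto udev database`, also reads as a paste; `Allow the domain to relabel files to the udev database type.` matches the neighbouring interfaces.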
@@ -50996,7 +51310,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..b22960c 100644
+index 28b88de..296513f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -51010,7 +51324,7 @@ index 28b88de..b22960c 100644
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
-@@ -43,69 +44,100 @@ template(`userdom_base_user_template',`
+@@ -43,69 +44,101 @@ template(`userdom_base_user_template',`
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
@@ -51103,6 +51417,7 @@ index 28b88de..b22960c 100644
+ files_read_etc_files($1_usertype)
+ files_list_mnt($1_usertype)
+ files_read_mnt_files($1_usertype)
++ files_dontaudit_access_check_mnt($1_usertype)
+ files_read_etc_runtime_files($1_usertype)
+ files_read_usr_files($1_usertype)
+ files_read_usr_src_files($1_usertype)
@@ -51160,7 +51475,7 @@ index 28b88de..b22960c 100644
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -116,6 +148,16 @@ template(`userdom_base_user_template',`
+@@ -116,6 +149,16 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -51177,7 +51492,7 @@ index 28b88de..b22960c 100644
')
#######################################
-@@ -149,6 +191,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +192,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -51186,7 +51501,7 @@ index 28b88de..b22960c 100644
##############################
#
# Domain access to home dir
-@@ -166,27 +210,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +211,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -51214,7 +51529,7 @@ index 28b88de..b22960c 100644
')
#######################################
-@@ -218,8 +241,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +242,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -51226,7 +51541,7 @@ index 28b88de..b22960c 100644
##############################
#
# Domain access to home dir
-@@ -228,17 +254,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +255,21 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -51258,7 +51573,7 @@ index 28b88de..b22960c 100644
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
-@@ -246,25 +276,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +277,23 @@ interface(`userdom_manage_home_role',`
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
@@ -51288,7 +51603,7 @@ index 28b88de..b22960c 100644
')
')
-@@ -289,6 +317,8 @@ interface(`userdom_manage_tmp_role',`
+@@ -289,6 +318,8 @@ interface(`userdom_manage_tmp_role',`
type user_tmp_t;
')
@@ -51297,7 +51612,7 @@ index 28b88de..b22960c 100644
files_poly_member_tmp($2, user_tmp_t)
manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-@@ -297,6 +327,45 @@ interface(`userdom_manage_tmp_role',`
+@@ -297,6 +328,45 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -51343,7 +51658,7 @@ index 28b88de..b22960c 100644
')
#######################################
-@@ -316,6 +385,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +386,7 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -51351,7 +51666,7 @@ index 28b88de..b22960c 100644
files_search_tmp($1)
')
-@@ -350,6 +420,8 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -350,6 +421,8 @@ interface(`userdom_manage_tmpfs_role',`
type user_tmpfs_t;
')
@@ -51360,7 +51675,7 @@ index 28b88de..b22960c 100644
manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-@@ -360,46 +432,41 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -360,46 +433,41 @@ interface(`userdom_manage_tmpfs_role',`
#######################################
## <summary>
@@ -51429,7 +51744,7 @@ index 28b88de..b22960c 100644
')
#######################################
-@@ -430,6 +497,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +498,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -51437,7 +51752,7 @@ index 28b88de..b22960c 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -490,7 +558,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +559,7 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -51446,7 +51761,7 @@ index 28b88de..b22960c 100644
##############################
#
-@@ -500,73 +568,79 @@ template(`userdom_common_user_template',`
+@@ -500,73 +569,79 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -51565,7 +51880,7 @@ index 28b88de..b22960c 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +648,114 @@ template(`userdom_common_user_template',`
+@@ -574,67 +649,114 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -51698,7 +52013,7 @@ index 28b88de..b22960c 100644
')
optional_policy(`
-@@ -650,41 +771,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +772,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -51760,7 +52075,7 @@ index 28b88de..b22960c 100644
')
#######################################
-@@ -712,13 +842,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +843,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
@@ -51792,7 +52107,7 @@ index 28b88de..b22960c 100644
userdom_change_password_template($1)
-@@ -736,72 +879,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +880,71 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -51901,7 +52216,7 @@ index 28b88de..b22960c 100644
')
')
-@@ -833,6 +975,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +976,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -51911,7 +52226,7 @@ index 28b88de..b22960c 100644
##############################
#
# Local policy
-@@ -874,45 +1019,107 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1020,107 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -52030,7 +52345,7 @@ index 28b88de..b22960c 100644
')
')
-@@ -947,7 +1154,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1155,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -52039,7 +52354,7 @@ index 28b88de..b22960c 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1163,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1164,77 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -52147,7 +52462,7 @@ index 28b88de..b22960c 100644
')
')
-@@ -1039,7 +1269,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1270,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -52156,7 +52471,7 @@ index 28b88de..b22960c 100644
')
##############################
-@@ -1066,6 +1296,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1297,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -52164,7 +52479,7 @@ index 28b88de..b22960c 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1305,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1306,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -52174,7 +52489,7 @@ index 28b88de..b22960c 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1322,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1323,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -52182,7 +52497,16 @@ index 28b88de..b22960c 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1119,10 +1354,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,6 +1341,8 @@ template(`userdom_admin_user_template',`
+ dev_rename_all_blk_files($1_t)
+ dev_rename_all_chr_files($1_t)
+ dev_create_generic_symlinks($1_t)
++ dev_rw_generic_usb_dev($1_t)
++ dev_rw_usbfs($1_t)
+
+ domain_setpriority_all_domains($1_t)
+ domain_read_all_domains_state($1_t)
+@@ -1119,15 +1357,19 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
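Review bot: The two added rules `++ dev_rw_generic_usb_dev($1_t)` and `++ dev_rw_usbfs($1_t)` give every admin domain built from userdom_admin_user_template read/write access to generic USB device nodes and usbfs, yet neither the hunk nor the commit message names the tool that needs it, and write access is broader than the getattr/read-only interfaces that would cover plain device enumeration. Since raw USB write lets a compromised admin process drive or reprogram any attached device, the need for rw (rather than read) should be stated next to the rule, e.g. `# raw USB device access for admin tools -- confirm rw, not just getattr/read, is required`. The enclosing template starts and ends outside this hunk.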
@@ -52196,7 +52520,13 @@ index 28b88de..b22960c 100644
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1142,6 +1380,7 @@ template(`userdom_admin_user_template',`
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
++ storage_dontaudit_read_fixed_disk($1_t)
+
+ term_use_all_terms($1_t)
+
+@@ -1142,6 +1384,7 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
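Review bot: `++ storage_dontaudit_read_fixed_disk($1_t)` silences AVC denials for raw reads of fixed-disk device nodes by the admin domain, so a process in that domain probing the system disk without permission will no longer leave an audit record; for an administrative domain that is exactly the denial an auditor would want to see. The adjacent lines grant `storage_raw_read_removable_device` and `storage_raw_write_removable_device`, so it is not obvious from the hunk whether the fixed-disk read is a deliberate exclusion being quieted or a noisy probe from a specific tool; if the domain is also given `storage_raw_read_fixed_disk` elsewhere (not visible here) the dontaudit is redundant. A comment above the new line naming the tool, such as `# TODO(review): name the tool that probes fixed disks; the denial is hidden here, not granted`, would keep that decision reviewable. The enclosing template starts and ends outside this hunk.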
@@ -52204,7 +52534,7 @@ index 28b88de..b22960c 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1449,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1453,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -52213,7 +52543,7 @@ index 28b88de..b22960c 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1463,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1467,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -52221,7 +52551,7 @@ index 28b88de..b22960c 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1237,6 +1479,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1483,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -52229,7 +52559,7 @@ index 28b88de..b22960c 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1522,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1526,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -52267,7 +52597,7 @@ index 28b88de..b22960c 100644
ubac_constrained($1)
')
-@@ -1395,6 +1664,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1668,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -52275,7 +52605,7 @@ index 28b88de..b22960c 100644
files_search_home($1)
')
-@@ -1441,6 +1711,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1715,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -52290,7 +52620,7 @@ index 28b88de..b22960c 100644
')
########################################
-@@ -1456,9 +1734,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1738,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -52302,7 +52632,7 @@ index 28b88de..b22960c 100644
')
########################################
-@@ -1515,10 +1795,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1799,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -52315,7 +52645,7 @@ index 28b88de..b22960c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1526,35 +1806,71 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,35 +1810,71 @@ interface(`userdom_relabelto_user_home_dirs',`
## </summary>
## </param>
#
@@ -52408,7 +52738,7 @@ index 28b88de..b22960c 100644
## </summary>
## </param>
## <param name="target_domain">
-@@ -1589,6 +1905,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1909,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -52417,7 +52747,7 @@ index 28b88de..b22960c 100644
')
########################################
-@@ -1603,10 +1921,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1925,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -52432,7 +52762,7 @@ index 28b88de..b22960c 100644
')
########################################
-@@ -1649,6 +1969,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1973,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -52458,7 +52788,7 @@ index 28b88de..b22960c 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1700,12 +2039,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2043,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -52491,7 +52821,7 @@ index 28b88de..b22960c 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2075,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2079,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -52509,7 +52839,7 @@ index 28b88de..b22960c 100644
')
########################################
-@@ -1810,8 +2172,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2176,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -52519,7 +52849,7 @@ index 28b88de..b22960c 100644
')
########################################
-@@ -1827,20 +2188,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2192,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -52533,18 +52863,19 @@ index 28b88de..b22960c 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
## <summary>
-@@ -2182,7 +2537,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ ## Do not audit attempts to execute user home files.
+@@ -2182,7 +2541,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
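Review bot: The refreshed hunk closes `userdom_exec_user_home_content_files` with the `')` kept as context right after `dontaudit $1 user_home_type:sock_file execute;` -- apparently the indented close of the removed use_nfs_home_dirs tunable_policy block -- while `+-')` and `+-` delete the interface's own closing line and the blank separator before the `########` banner; m4 accepts either, but the result reads as an unterminated tunable_policy and runs the interface straight into the next summary block. Keeping the original `')` and the blank line as context and removing the indented `')` instead would make the generated .if read correctly. Separately, both the old and the new form of this patch drop the `fs_exec_nfs_files`/`fs_exec_cifs_files` tunables from this interface, so callers only retain exec on NFS/CIFS-hosted home content if that is granted elsewhere, which is not visible here. The interface's gen_require block starts before this hunk.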
@@ -52553,7 +52884,7 @@ index 28b88de..b22960c 100644
')
########################################
-@@ -2435,13 +2790,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2794,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -52569,7 +52900,7 @@ index 28b88de..b22960c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +2818,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2822,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -52596,7 +52927,7 @@ index 28b88de..b22960c 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2815,7 +3151,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3155,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -52605,7 +52936,7 @@ index 28b88de..b22960c 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3167,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3171,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -52621,7 +52952,7 @@ index 28b88de..b22960c 100644
')
########################################
-@@ -2917,7 +3255,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3259,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -52630,7 +52961,7 @@ index 28b88de..b22960c 100644
')
########################################
-@@ -2972,7 +3310,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3314,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -52677,7 +53008,7 @@ index 28b88de..b22960c 100644
')
########################################
-@@ -3009,6 +3385,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3389,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -52685,7 +53016,7 @@ index 28b88de..b22960c 100644
kernel_search_proc($1)
')
-@@ -3139,3 +3516,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3520,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 241ae91..76bb25a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.15
-Release: 2%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,19 @@ exit 0
%endif
%changelog
+* Tue Mar 1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.15-5
+- gpg_t needs to talk to gnome-keyring
+- nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd
+- enforce MCS labeling on nodes
+- Allow arpwatch to read meminfo
+- Allow gnomeclock to send itself signals
+- init relabels /dev/.udev files on boot
+- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t
+- nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t
+- dnsmasq can run as a dbus service, needs acquire service
+- mysql_admin should be allowed to connect to mysql service
+- virt creates monitor sockets in the users home dir
+
* Mon Feb 21 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.15-2
- Allow usbhid-ups to read hardware state information
- systemd-tmpfiles has moved