[selinux-policy] Update to upstream

Miroslav Grepl mgrepl at fedoraproject.org
Tue Mar 8 17:29:05 UTC 2011


commit 6726024e43be9e195c563f4e67c764e031114373
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Mar 8 18:28:56 2011 +0000

    Update to upstream

 policy-F15.patch    | 3918 +++++++++++++++++++++++++++++++++------------------
 selinux-policy.spec |   17 +-
 sources             |    2 +-
 3 files changed, 2573 insertions(+), 1364 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index e59db95..d97462d 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1,13 +1,3 @@
-diff --git a/Changelog b/Changelog
-index 6f31b1e..e2cd6fb 100644
---- a/Changelog
-+++ b/Changelog
-@@ -1,3 +1,5 @@
-+- Cron pam_namespace and pam_loginuid support from Harry Ciao.
-+- Xserver update for startx from Sven Vermeulen.
- - Fix MLS constraint for contains permission from Harry Ciao.
- - Apache user webpages fix from Dominick Grift.
- - Change default build.conf to modular policy from Stephen Smalley.
 diff --git a/Makefile b/Makefile
 index b8486a0..bec48d7 100644
 --- a/Makefile
@@ -271,86 +261,56 @@ index e66c296..61f738b 100644
 +
 +	dontaudit $1 acct_data_t:dir list_dir_perms;	
 +')
-diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 90d5203..1392679 100644
---- a/policy/modules/admin/alsa.if
-+++ b/policy/modules/admin/alsa.if
-@@ -21,6 +21,32 @@ interface(`alsa_domtrans',`
+diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
+index 46d467c..d841424 100644
+--- a/policy/modules/admin/amanda.te
++++ b/policy/modules/admin/amanda.te
+@@ -200,12 +200,14 @@ files_search_pids(amanda_recover_t)
  
- ########################################
- ## <summary>
-+##	Execute a domain transition to run
-+##	Alsa, and allow the specified role
-+##	the Alsa domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`alsa_run',`
-+	gen_require(`
-+		type alsa_t;
-+	')
-+
-+	alsa_domtrans($1)
-+	role $2 types alsa_t;
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write Alsa semaphores.
- ## </summary>
- ## <param name="domain">
-diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
-index a7c7971..d073f49 100644
---- a/policy/modules/admin/alsa.te
-+++ b/policy/modules/admin/alsa.te
-@@ -11,7 +11,10 @@ init_system_domain(alsa_t, alsa_exec_t)
- role system_r types alsa_t;
- 
- type alsa_etc_rw_t;
--files_type(alsa_etc_rw_t)
-+files_config_file(alsa_etc_rw_t)
-+
-+type alsa_tmp_t;
-+files_tmp_file(alsa_tmp_t)
+ auth_use_nsswitch(amanda_recover_t)
  
- type alsa_var_lib_t;
- files_type(alsa_var_lib_t)
-@@ -39,6 +42,13 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+-fstools_domtrans(amanda_t)
+-fstools_signal(amanda_t)
+-
+ logging_search_logs(amanda_recover_t)
  
- can_exec(alsa_t, alsa_exec_t)
+ miscfiles_read_localization(amanda_recover_t)
  
-+manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
-+manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
-+files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
-+userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
-+userdom_dontaudit_setattr_user_tmp(alsa_t)
+ userdom_use_user_terminals(amanda_recover_t)
+ userdom_search_user_home_content(amanda_recover_t)
 +
-+
- manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
- manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
- files_search_var_lib(alsa_t)
++optional_policy(`
++	fstools_domtrans(amanda_t)
++	fstools_signal(amanda_t)
++')
 diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
-index e81bdbd..63ab279 100644
+index e81bdbd..dd1522d 100644
 --- a/policy/modules/admin/anaconda.te
 +++ b/policy/modules/admin/anaconda.te
-@@ -30,6 +30,7 @@ modutils_domtrans_insmod(anaconda_t)
- modutils_domtrans_depmod(anaconda_t)
+@@ -26,10 +26,8 @@ libs_domtrans_ldconfig(anaconda_t)
+ 
+ logging_send_syslog_msg(anaconda_t)
  
+-modutils_domtrans_insmod(anaconda_t)
+-modutils_domtrans_depmod(anaconda_t)
+-
  seutil_domtrans_semanage(anaconda_t)
 +seutil_domtrans_setsebool(anaconda_t)
  
  userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
  
-@@ -51,7 +52,7 @@ optional_policy(`
+@@ -38,6 +36,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	modutils_domtrans_insmod(anaconda_t)
++	modutils_domtrans_depmod(anaconda_t)
++')
++optional_policy(`
+ 	rpm_domtrans(anaconda_t)
+ 	rpm_domtrans_script(anaconda_t)
+ ')
+@@ -51,7 +53,7 @@ optional_policy(`
  ')
  
  optional_policy(`
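Review bot: The new optional_policy block for `fstools_domtrans(amanda_t)` / `fstools_signal(amanda_t)` lands among the amanda_recover_t rules (every context line around it targets amanda_recover_t), so amanda_t rules now sit in the wrong domain's section of amanda.te. The unconditional lines being removed were already misplaced, but since the commit moves them anyway, move the block up into the amanda_t local policy section, whose start is above this hunk. The anaconda part of the same hunk is fine; its last inner hunk continues past the end of this outer hunk.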
@@ -389,7 +349,7 @@ index 63eb96b..17a9f6d 100644
  ## <summary>
  ##	Execute bootloader interactively and do
 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index d3da8f2..9799904 100644
+index d3da8f2..a9c9ff2 100644
 --- a/policy/modules/admin/bootloader.te
 +++ b/policy/modules/admin/bootloader.te
 @@ -23,7 +23,7 @@ role system_r types bootloader_t;
@@ -401,6 +361,28 @@ index d3da8f2..9799904 100644
  
  #
  # The temp file is used for initrd creation;
+@@ -121,8 +121,6 @@ logging_rw_generic_logs(bootloader_t)
+ 
+ miscfiles_read_localization(bootloader_t)
+ 
+-modutils_domtrans_insmod_uncond(bootloader_t)
+-
+ seutil_read_bin_policy(bootloader_t)
+ seutil_read_loadpolicy(bootloader_t)
+ seutil_dontaudit_search_config(bootloader_t)
+@@ -162,8 +160,10 @@ ifdef(`distro_redhat',`
+ 	files_manage_isid_type_blk_files(bootloader_t)
+ 	files_manage_isid_type_chr_files(bootloader_t)
+ 
+-	# for mke2fs
+-	mount_domtrans(bootloader_t)
++	optional_policy(`
++		# for mke2fs
++		mount_domtrans(bootloader_t)
++	')
+ 
+ 	optional_policy(`
+ 		unconfined_domain(bootloader_t)
 @@ -171,6 +171,10 @@ ifdef(`distro_redhat',`
  ')
  
@@ -412,6 +394,14 @@ index d3da8f2..9799904 100644
  	fstools_exec(bootloader_t)
  ')
  
+@@ -197,6 +201,7 @@ optional_policy(`
+ 	modutils_exec_insmod(bootloader_t)
+ 	modutils_exec_depmod(bootloader_t)
+ 	modutils_exec_update_mods(bootloader_t)
++	modutils_domtrans_insmod_uncond(bootloader_t)
+ ')
+ 
+ optional_policy(`
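Review bot: `modutils_domtrans_insmod_uncond(bootloader_t)` keeps its unconditional form while every other domain touched in this commit uses the plain `modutils_domtrans_insmod`, and nothing on the new side says why. If `_uncond` is the variant that ignores the `secure_mode_insmod` boolean (its definition is not in this diff), a one-line comment above it, e.g. `# initrd generation must be able to load modules even with secure_mode_insmod on`, would keep a later cleanup from "fixing" it to the conditional form. It now also sits next to `modutils_exec_insmod(bootloader_t)`, so a reader may wonder which of the two is meant to take effect by default; the comment should say that too.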
 diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
 index 2c2cdb6..73b3814 100644
 --- a/policy/modules/admin/brctl.if
@@ -506,6 +496,29 @@ index cd5e005..24f73ca 100644
  ')
  
  optional_policy(`
+diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te
+index 5e062bc..8854858 100644
+--- a/policy/modules/admin/ddcprobe.te
++++ b/policy/modules/admin/ddcprobe.te
+@@ -42,10 +42,14 @@ libs_read_lib_files(ddcprobe_t)
+ 
+ miscfiles_read_localization(ddcprobe_t)
+ 
+-modutils_read_module_deps(ddcprobe_t)
+-
+ userdom_use_user_terminals(ddcprobe_t)
+ userdom_use_all_users_fds(ddcprobe_t)
+ 
+-#reh why? this does not seem even necessary to function properly
+-kudzu_getattr_exec_files(ddcprobe_t)
++optional_policy(`
++	#reh why? this does not seem even necessary to function properly
++	kudzu_getattr_exec_files(ddcprobe_t)
++')
++
++optional_policy(`
++	modutils_read_module_deps(ddcprobe_t)
++')
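Review bot: The `#reh why? this does not seem even necessary to function properly` comment survives the move into optional_policy, so the refactor carries forward a rule whose own annotation calls it unnecessary. Either drop `kudzu_getattr_exec_files(ddcprobe_t)` together with the comment, or replace the open question with the observed denial or use case that motivates keeping it, so the next person does not have to re-ask. The new modutils block below it is fine.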
 diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
 index 72bc6d8..ed02103 100644
 --- a/policy/modules/admin/dmesg.te
@@ -532,7 +545,7 @@ index 72bc6d8..ed02103 100644
  ')
  
 diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
-index 6776b69..86cff15 100644
+index 6776b69..a1482b0 100644
 --- a/policy/modules/admin/dpkg.te
 +++ b/policy/modules/admin/dpkg.te
 @@ -18,7 +18,7 @@ role system_r types dpkg_t;
@@ -544,6 +557,50 @@ index 6776b69..86cff15 100644
  
  type dpkg_tmp_t;
  files_tmp_file(dpkg_tmp_t)
+@@ -193,14 +193,19 @@ domain_signull_all_domains(dpkg_t)
+ files_read_etc_runtime_files(dpkg_t)
+ files_exec_usr_files(dpkg_t)
+ miscfiles_read_localization(dpkg_t)
+-modutils_domtrans_depmod(dpkg_t)
+-modutils_domtrans_insmod(dpkg_t)
+ seutil_domtrans_loadpolicy(dpkg_t)
+ seutil_domtrans_setfiles(dpkg_t)
+ userdom_use_all_users_fds(dpkg_t)
++
+ optional_policy(`
+ 	mta_send_mail(dpkg_t)
+ ')
++
++optional_policy(`
++	modutils_domtrans_depmod(dpkg_t)
++	modutils_domtrans_insmod(dpkg_t)
++')
++
+ optional_policy(`
+ 	usermanage_domtrans_groupadd(dpkg_t)
+ 	usermanage_domtrans_useradd(dpkg_t)
+@@ -299,9 +304,6 @@ logging_send_syslog_msg(dpkg_script_t)
+ 
+ miscfiles_read_localization(dpkg_script_t)
+ 
+-modutils_domtrans_depmod(dpkg_script_t)
+-modutils_domtrans_insmod(dpkg_script_t)
+-
+ seutil_domtrans_loadpolicy(dpkg_script_t)
+ seutil_domtrans_setfiles(dpkg_script_t)
+ 
+@@ -321,6 +323,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	modutils_domtrans_depmod(dpkg_script_t)
++	modutils_domtrans_insmod(dpkg_script_t)
++')
++
++optional_policy(`
+ 	mta_send_mail(dpkg_script_t)
+ ')
+ 
 diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
 index 8fa451c..bc5bfc4 100644
 --- a/policy/modules/admin/firstboot.if
@@ -575,10 +632,22 @@ index 8fa451c..bc5bfc4 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
-index c4d8998..6f193f8 100644
+index c4d8998..dbdc14c 100644
 --- a/policy/modules/admin/firstboot.te
 +++ b/policy/modules/admin/firstboot.te
-@@ -103,6 +103,10 @@ optional_policy(`
+@@ -75,11 +75,6 @@ logging_send_syslog_msg(firstboot_t)
+ 
+ miscfiles_read_localization(firstboot_t)
+ 
+-modutils_domtrans_insmod(firstboot_t)
+-modutils_domtrans_depmod(firstboot_t)
+-modutils_read_module_config(firstboot_t)
+-modutils_read_module_deps(firstboot_t)
+-
+ userdom_use_user_terminals(firstboot_t)
+ # Add/remove user home directories
+ userdom_manage_user_home_content_dirs(firstboot_t)
+@@ -103,8 +98,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -588,8 +657,16 @@ index c4d8998..6f193f8 100644
 +optional_policy(`
  	nis_use_ypbind(firstboot_t)
  ')
++optional_policy(`
++	modutils_domtrans_insmod(firstboot_t)
++	modutils_domtrans_depmod(firstboot_t)
++	modutils_read_module_config(firstboot_t)
++	modutils_read_module_deps(firstboot_t)
++')
  
-@@ -125,6 +129,7 @@ optional_policy(`
+ optional_policy(`
+ 	samba_rw_config(firstboot_t)
+@@ -125,6 +130,7 @@ optional_policy(`
  ')
  
  optional_policy(`
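Review bot: The new modutils optional_policy block for firstboot_t is inserted between the nis block and the samba block, which breaks the alphabetical ordering of optional blocks that refpolicy convention and the neighbouring files in this commit follow, and it is glued to the preceding block with no blank line between `')` and `optional_policy(`. Move the block above the nis one and separate it with a blank line, matching the spacing used before the samba block.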
@@ -626,26 +703,51 @@ index 4198ff5..df3f4d6 100644
  ####################################
  ## <summary>
  ##	Manage kdump configuration file.
+diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
+index 4f7bd3c..3405a10 100644
+--- a/policy/modules/admin/kudzu.te
++++ b/policy/modules/admin/kudzu.te
+@@ -111,11 +111,6 @@ logging_send_syslog_msg(kudzu_t)
+ miscfiles_read_hwdata(kudzu_t)
+ miscfiles_read_localization(kudzu_t)
+ 
+-modutils_read_module_config(kudzu_t)
+-modutils_read_module_deps(kudzu_t)
+-modutils_rename_module_config(kudzu_t)
+-modutils_delete_module_config(kudzu_t)
+-modutils_domtrans_insmod(kudzu_t)
+ 
+ sysnet_read_config(kudzu_t)
+ 
+@@ -128,6 +123,14 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	modutils_read_module_config(kudzu_t)
++	modutils_read_module_deps(kudzu_t)
++	modutils_rename_module_config(kudzu_t)
++	modutils_delete_module_config(kudzu_t)
++	modutils_domtrans_insmod(kudzu_t)
++')
++
++optional_policy(`
+ 	nscd_socket_use(kudzu_t)
+ ')
+ 
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..a874b65 100644
+index 7090dae..ce5af6e 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
-@@ -119,14 +119,20 @@ seutil_dontaudit_read_config(logrotate_t)
+@@ -119,14 +119,10 @@ seutil_dontaudit_read_config(logrotate_t)
  userdom_use_user_terminals(logrotate_t)
  userdom_list_user_home_dirs(logrotate_t)
  userdom_use_unpriv_users_fds(logrotate_t)
-+userdom_dontaudit_list_admin_dir(logrotate_t)
- 
- cron_system_entry(logrotate_t, logrotate_exec_t)
- cron_search_spool(logrotate_t)
- 
+-
+-cron_system_entry(logrotate_t, logrotate_exec_t)
+-cron_search_spool(logrotate_t)
+-
 -mta_send_mail(logrotate_t)
-+#mta_send_mail(logrotate_t)
-+mta_base_mail_template(logrotate)
-+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
-+role system_r types logrotate_mail_t;
-+logging_read_all_logs(logrotate_mail_t)
-+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
++userdom_dontaudit_list_admin_dir(logrotate_t)
  
  ifdef(`distro_debian', `
 -	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
@@ -653,6 +755,41 @@ index 7090dae..a874b65 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
+@@ -166,6 +162,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	cron_system_entry(logrotate_t, logrotate_exec_t)
++	cron_search_spool(logrotate_t)
++')
++
++optional_policy(`
+ 	cups_domtrans(logrotate_t)
+ ')
+ 
+@@ -203,7 +204,6 @@ optional_policy(`
+ 	psad_domtrans(logrotate_t)
+ ')
+ 
+-
+ optional_policy(`
+ 	samba_exec_log(logrotate_t)
+ ')
+@@ -228,3 +228,14 @@ optional_policy(`
+ optional_policy(`
+ 	varnishd_manage_log(logrotate_t)
+ ')
++
++#######################################
++#
++# logrotate_mail local policy
++#
++
++mta_base_mail_template(logrotate)
++mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
++role system_r types logrotate_mail_t;
++logging_read_all_logs(logrotate_mail_t)
++manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
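Review bot: `logging_read_all_logs(logrotate_mail_t)` grants the new helper domain read access to every log type, and nothing in the new section explains why the mail child needs more than the `logrotate_tmp_t` files it is also given. If the reason is that logrotate hands the rotated log to sendmail as an inherited open descriptor, say so above the line, e.g. `# sendmail inherits the rotated log on stdin, so it must be able to read any log type`, so the grant is not narrowed later by someone who only sees the tmp-file rule. Separately, `mta_base_mail_template(logrotate)` appears to be what declares logrotate_mail_t (no `type` line is visible), and refpolicy keeps declarations in the Declarations section at the top of the .te file rather than after the last optional_policy block; only the allow rules belong in this trailing section.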
 diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc
 index 3c7b1e8..1e155f5 100644
 --- a/policy/modules/admin/logwatch.fc
@@ -736,24 +873,23 @@ index 56c43c0..de535e4 100644
 +/var/run/mcelog-client  -s 	gen_context(system_u:object_r:mcelog_var_run_t,s0)
 +
 diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..8498ed1 100644
+index 5671977..24a6ad6 100644
 --- a/policy/modules/admin/mcelog.te
 +++ b/policy/modules/admin/mcelog.te
-@@ -7,9 +7,13 @@ policy_module(mcelog, 1.1.0)
+@@ -7,8 +7,11 @@ policy_module(mcelog, 1.1.0)
  
  type mcelog_t;
  type mcelog_exec_t;
 +init_system_domain(mcelog_t, mcelog_exec_t)
  application_domain(mcelog_t, mcelog_exec_t)
- cron_system_entry(mcelog_t, mcelog_exec_t)
- 
+-cron_system_entry(mcelog_t, mcelog_exec_t)
++
 +type mcelog_var_run_t;
 +files_pid_file(mcelog_var_run_t)
-+
+ 
  ########################################
  #
- # mcelog local policy
-@@ -17,10 +21,18 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
+@@ -17,10 +20,18 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
  
  allow mcelog_t self:capability sys_admin;
  
@@ -772,6 +908,14 @@ index 5671977..8498ed1 100644
  
  files_read_etc_files(mcelog_t)
  
+@@ -30,3 +41,7 @@ mls_file_read_all_levels(mcelog_t)
+ logging_send_syslog_msg(mcelog_t)
+ 
+ miscfiles_read_localization(mcelog_t)
++
++optional_policy(`
++	cron_system_entry(mcelog_t, mcelog_exec_t)
++')
 diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
 index 0e19d80..9d58abe 100644
 --- a/policy/modules/admin/mrtg.te
@@ -878,10 +1022,10 @@ index 0000000..8c2e044
 +
 diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
 new file mode 100644
-index 0000000..67296b9
+index 0000000..104253d
 --- /dev/null
 +++ b/policy/modules/admin/ncftool.te
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,87 @@
 +policy_module(ncftool, 1.0.0)
 +
 +########################################
@@ -935,10 +1079,6 @@ index 0000000..67296b9
 +
 +miscfiles_read_localization(ncftool_t)
 +
-+modutils_list_module_config(ncftool_t)
-+modutils_read_module_config(ncftool_t)
-+modutils_domtrans_insmod(ncftool_t)
-+
 +sysnet_delete_dhcpc_pid(ncftool_t)
 +sysnet_domtrans_dhcpc(ncftool_t)
 +sysnet_domtrans_ifconfig(ncftool_t)
@@ -957,7 +1097,7 @@ index 0000000..67296b9
 +')
 +
 +optional_policy(`
-+        dbus_system_bus_client(ncftool_t)
++	dbus_system_bus_client(ncftool_t)
 +')
 +
 +optional_policy(`
@@ -965,11 +1105,13 @@ index 0000000..67296b9
 +')
 +
 +optional_policy(`
-+	iptables_initrc_domtrans(ncftool_t)
++	netutils_domtrans(ncftool_t)
 +')
 +
 +optional_policy(`
-+	netutils_domtrans(ncftool_t)
++	modutils_list_module_config(ncftool_t)
++	modutils_read_module_config(ncftool_t)
++	modutils_domtrans_insmod(ncftool_t)
 +')
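Review bot: `iptables_initrc_domtrans(ncftool_t)` disappears from ncftool.te: the old side had it in its own optional_policy block, the new side replaces that block with `netutils_domtrans(ncftool_t)` and the three modutils rules, and the file-header hunk earlier in this diff (89 to 87 lines) matches removing five lines and adding three, leaving no room for it elsewhere in the file. A silent privilege removal inside a commit titled "Update to upstream" is hard to audit later; either restore it in its own optional_policy block or state the deliberate drop in the commit message. The modutils rules are otherwise just moved, not changed.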
 diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
 index c6ca761..46e0767 100644
@@ -1111,7 +1253,7 @@ index e0791b9..c083ea8 100644
 +	term_dontaudit_use_all_ptys(traceroute_t)
 +')
 diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
-index c633aea..b773bc3 100644
+index c633aea..c489eec 100644
 --- a/policy/modules/admin/portage.te
 +++ b/policy/modules/admin/portage.te
 @@ -43,7 +43,7 @@ type portage_db_t;
@@ -1123,6 +1265,17 @@ index c633aea..b773bc3 100644
  
  type portage_cache_t;
  files_type(portage_cache_t)
+@@ -107,7 +107,9 @@ miscfiles_read_localization(gcc_config_t)
+ 
+ userdom_use_user_terminals(gcc_config_t)
+ 
+-consoletype_exec(gcc_config_t)
++optional_policy(`
++	consoletype_exec(gcc_config_t)
++')
+ 
+ optional_policy(`
+ 	seutil_use_newrole_fds(gcc_config_t)
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
 index af55369..f77e897 100644
 --- a/policy/modules/admin/prelink.te
@@ -1234,10 +1387,10 @@ index 7077413..56d1ecb 100644
 +
 +/dev/\.systemd/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_run_t,s0)
 diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
-index 47c4723..4866a08 100644
+index 47c4723..ca58272 100644
 --- a/policy/modules/admin/readahead.if
 +++ b/policy/modules/admin/readahead.if
-@@ -1 +1,20 @@
+@@ -1 +1,40 @@
  ## <summary>Readahead, read files into page cache for improved performance</summary>
 +
 +########################################
@@ -1258,6 +1411,26 @@ index 47c4723..4866a08 100644
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, readahead_exec_t, readahead_t)
 +')
++
++########################################
++## <summary>
++##	Manage readahead var_run files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`readahead_manage_pid_files',`
++	gen_require(`
++		type readahead_var_run_t;
++	')
++
++	manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
++	files_search_pids($1)	
++')
++
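Review bot: `files_search_pids($1)` in the new `readahead_manage_pid_files` interface carries a trailing tab, and the hunk also appends an empty line after the closing quote, leaving readahead.if with a trailing blank line; both are the kind of whitespace refpolicy style checks flag. Drop the tab and the final blank line: `files_search_pids($1)`. Otherwise the interface follows the same pattern as `readahead_domtrans` above it.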
 diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
 index b4ac57e..d3b51b7 100644
 --- a/policy/modules/admin/readahead.te
@@ -1526,7 +1699,7 @@ index d33daa8..c76708e 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..31f474e 100644
+index 47a8f7d..bca3b72 100644
 --- a/policy/modules/admin/rpm.te
 +++ b/policy/modules/admin/rpm.te
 @@ -1,10 +1,11 @@
@@ -1578,7 +1751,7 @@ index 47a8f7d..31f474e 100644
  
  fs_getattr_all_dirs(rpm_t)
  fs_list_inotifyfs(rpm_t)
-@@ -173,6 +181,7 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+@@ -173,11 +181,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
  domain_dontaudit_getattr_all_raw_sockets(rpm_t)
  domain_dontaudit_getattr_all_stream_sockets(rpm_t)
  domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
@@ -1586,7 +1759,13 @@ index 47a8f7d..31f474e 100644
  
  files_exec_etc_files(rpm_t)
  
-@@ -207,6 +216,7 @@ optional_policy(`
+ init_domtrans_script(rpm_t)
+ init_use_script_ptys(rpm_t)
++init_signull_script(rpm_t)
+ 
+ libs_exec_ld_so(rpm_t)
+ libs_exec_lib_files(rpm_t)
+@@ -207,6 +217,7 @@ optional_policy(`
  	optional_policy(`
  		networkmanager_dbus_chat(rpm_t)
  	')
@@ -1594,7 +1773,7 @@ index 47a8f7d..31f474e 100644
  ')
  
  optional_policy(`
-@@ -214,7 +224,7 @@ optional_policy(`
+@@ -214,7 +225,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1603,7 +1782,7 @@ index 47a8f7d..31f474e 100644
  	# yum-updatesd requires this
  	unconfined_dbus_chat(rpm_t)
  	unconfined_dbus_chat(rpm_script_t)
-@@ -261,6 +271,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
+@@ -261,6 +272,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
  kernel_read_network_state(rpm_script_t)
@@ -1611,7 +1790,7 @@ index 47a8f7d..31f474e 100644
  kernel_read_software_raid_state(rpm_script_t)
  
  dev_list_sysfs(rpm_script_t)
-@@ -308,6 +319,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
+@@ -308,6 +320,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
  auth_relabel_shadow(rpm_script_t)
  
  corecmd_exec_all_executables(rpm_script_t)
@@ -1620,7 +1799,13 @@ index 47a8f7d..31f474e 100644
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -338,12 +351,15 @@ modutils_domtrans_insmod(rpm_script_t)
+@@ -332,18 +346,18 @@ logging_send_syslog_msg(rpm_script_t)
+ 
+ miscfiles_read_localization(rpm_script_t)
+ 
+-modutils_domtrans_depmod(rpm_script_t)
+-modutils_domtrans_insmod(rpm_script_t)
+-
  seutil_domtrans_loadpolicy(rpm_script_t)
  seutil_domtrans_setfiles(rpm_script_t)
  seutil_domtrans_semanage(rpm_script_t)
@@ -1636,7 +1821,19 @@ index 47a8f7d..31f474e 100644
  	')
  ')
  
-@@ -377,8 +393,9 @@ optional_policy(`
+@@ -368,6 +382,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	modutils_domtrans_depmod(rpm_script_t)
++	modutils_domtrans_insmod(rpm_script_t)
++')
++
++optional_policy(`
+ 	tzdata_domtrans(rpm_t)
+ 	tzdata_domtrans(rpm_script_t)
+ ')
+@@ -377,8 +396,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1648,14 +1845,37 @@ index 47a8f7d..31f474e 100644
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
 diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
-index c8ef84b..e241334 100644
+index c8ef84b..40ceffb 100644
 --- a/policy/modules/admin/sectoolm.te
 +++ b/policy/modules/admin/sectoolm.te
-@@ -84,6 +84,7 @@ logging_send_syslog_msg(sectoolm_t)
+@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t)
+ 
+ auth_use_nsswitch(sectoolm_t)
+ 
+-# tests related to network
+-hostname_exec(sectoolm_t)
+-
+-# tests related to network
+-iptables_domtrans(sectoolm_t)
+-
+ libs_exec_ld_so(sectoolm_t)
+ 
+ logging_send_syslog_msg(sectoolm_t)
+@@ -84,6 +78,17 @@ logging_send_syslog_msg(sectoolm_t)
  sysnet_domtrans_ifconfig(sectoolm_t)
  
  userdom_manage_user_tmp_sockets(sectoolm_t)
 +userdom_dgram_send(sectoolm_t)
++
++optional_policy(`
++	# tests related to network
++	hostname_exec(sectoolm_t)
++')
++
++optional_policy(`
++	# tests related to network
++	iptables_domtrans(sectoolm_t)
++')
  
  optional_policy(`
  	mount_exec(sectoolm_t)
@@ -1943,10 +2163,18 @@ index 8966ec9..a54882c 100644
 +	xserver_xdm_append_log(shutdown_t)
  ')
 diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te
-index bc00875..3c1b37b 100644
+index bc00875..b47c0f4 100644
 --- a/policy/modules/admin/smoltclient.te
 +++ b/policy/modules/admin/smoltclient.te
-@@ -46,6 +46,7 @@ fs_list_auto_mountpoints(smoltclient_t)
+@@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0)
+ type smoltclient_t;
+ type smoltclient_exec_t;
+ application_domain(smoltclient_t, smoltclient_exec_t)
+-cron_system_entry(smoltclient_t, smoltclient_exec_t)
+ 
+ type smoltclient_tmp_t;
+ files_tmp_file(smoltclient_tmp_t)
+@@ -46,6 +45,7 @@ fs_list_auto_mountpoints(smoltclient_t)
  
  files_getattr_generic_locks(smoltclient_t)
  files_read_etc_files(smoltclient_t)
@@ -1954,6 +2182,43 @@ index bc00875..3c1b37b 100644
  files_read_usr_files(smoltclient_t)
  
  auth_use_nsswitch(smoltclient_t)
+@@ -55,6 +55,10 @@ logging_send_syslog_msg(smoltclient_t)
+ miscfiles_read_localization(smoltclient_t)
+ 
+ optional_policy(`
++	cron_system_entry(smoltclient_t, smoltclient_exec_t)
++')
++
++optional_policy(`
+ 	dbus_system_bus_client(smoltclient_t)
+ ')
+ 
+diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
+index fe1c377..7660180 100644
+--- a/policy/modules/admin/sosreport.te
++++ b/policy/modules/admin/sosreport.te
+@@ -92,9 +92,6 @@ logging_send_syslog_msg(sosreport_t)
+ 
+ miscfiles_read_localization(sosreport_t)
+ 
+-# needed by modinfo
+-modutils_read_module_deps(sosreport_t)
+-
+ sysnet_read_config(sosreport_t)
+ 
+ optional_policy(`
+@@ -110,6 +107,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	# needed by modinfo
++	modutils_read_module_deps(sosreport_t)
++')
++
++optional_policy(`
+ 	fstools_domtrans(sosreport_t)
+ ')
+ 
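Review bot: The new optional_policy block for `modutils_read_module_deps(sosreport_t)` is inserted ahead of the existing `fstools_domtrans(sosreport_t)` block, breaking the alphabetical ordering of optional blocks that refpolicy convention and the other files in this commit (kudzu, smoltclient) keep. Move it below the fstools block, keeping the `# needed by modinfo` comment with it. The smoltclient part of this hunk is ordered correctly.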
 diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
 index 8c5fa3c..1a46f56 100644
 --- a/policy/modules/admin/su.if
@@ -2063,8 +2328,33 @@ index 2731fa1..3443ba2 100644
 +type sudo_db_t;
 +files_type(sudo_db_t)
 +
+diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
+index d5aaf0e..689b2fd 100644
+--- a/policy/modules/admin/sxid.te
++++ b/policy/modules/admin/sxid.te
+@@ -76,13 +76,17 @@ logging_send_syslog_msg(sxid_t)
+ 
+ miscfiles_read_localization(sxid_t)
+ 
+-mount_exec(sxid_t)
+-
+ sysnet_read_config(sxid_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(sxid_t)
+ 
+-cron_system_entry(sxid_t, sxid_exec_t)
++optional_policy(`
++	cron_system_entry(sxid_t, sxid_exec_t)
++')
++
++optional_policy(`
++	mount_exec(sxid_t)
++')
+ 
+ optional_policy(`
+ 	mta_send_mail(sxid_t)
 diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..c59c3cd 100644
+index 6a5004b..9b0f49e 100644
 --- a/policy/modules/admin/tmpreaper.te
 +++ b/policy/modules/admin/tmpreaper.te
 @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -2087,7 +2377,18 @@ index 6a5004b..c59c3cd 100644
  files_getattr_all_dirs(tmpreaper_t)
  files_getattr_all_files(tmpreaper_t)
  
-@@ -52,7 +56,9 @@ optional_policy(`
+@@ -38,7 +42,9 @@ logging_send_syslog_msg(tmpreaper_t)
+ miscfiles_read_localization(tmpreaper_t)
+ miscfiles_delete_man_pages(tmpreaper_t)
+ 
+-cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
++optional_policy(`
++	cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
++')
+ 
+ ifdef(`distro_redhat',`
+ 	userdom_list_user_home_content(tmpreaper_t)
+@@ -52,7 +58,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2097,7 +2398,7 @@ index 6a5004b..c59c3cd 100644
  	apache_delete_cache_files(tmpreaper_t)
  	apache_setattr_cache_dirs(tmpreaper_t)
  ')
-@@ -66,6 +72,14 @@ optional_policy(`
+@@ -66,6 +74,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2125,6 +2426,27 @@ index d0f2a64..7df0825 100644
  files_search_spool(tzdata_t)
  
  fs_getattr_xattr_fs(tzdata_t)
+diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te
+index 74354da..0852738 100644
+--- a/policy/modules/admin/usbmodules.te
++++ b/policy/modules/admin/usbmodules.te
+@@ -34,8 +34,6 @@ init_use_fds(usbmodules_t)
+ 
+ miscfiles_read_hwdata(usbmodules_t)
+ 
+-modutils_read_module_deps(usbmodules_t)
+-
+ userdom_use_user_terminals(usbmodules_t)
+ 
+ optional_policy(`
+@@ -45,3 +43,7 @@ optional_policy(`
+ optional_policy(`
+ 	logging_send_syslog_msg(usbmodules_t)
+ ')
++
++optional_policy(`
++	modutils_read_module_deps(usbmodules_t)
++')
 diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
 index 81fb26f..cd18ca8 100644
 --- a/policy/modules/admin/usermanage.if
@@ -2287,6 +2609,27 @@ index 1f42250..3d36ae2 100644
  ########################################
  #
  # awstats cgi script policy
+diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
+index 47d81d1..046a9de 100644
+--- a/policy/modules/apps/calamaris.te
++++ b/policy/modules/apps/calamaris.te
+@@ -66,8 +66,6 @@ miscfiles_read_localization(calamaris_t)
+ 
+ userdom_dontaudit_list_user_home_dirs(calamaris_t)
+ 
+-squid_read_log(calamaris_t)
+-
+ optional_policy(`
+ 	apache_search_sys_content(calamaris_t)
+ ')
+@@ -79,3 +77,7 @@ optional_policy(`
+ optional_policy(`
+ 	mta_send_mail(calamaris_t)
+ ')
++
++optional_policy(`
++	squid_read_log(calamaris_t)
++')
 diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
 index 1403835..2e9a72c 100644
 --- a/policy/modules/apps/cdrecord.te
@@ -2535,66 +2878,19 @@ index 0000000..0852151
 +	fs_read_inherited_cifs_files(chrome_sandbox_t)
 +	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
 +')
-diff --git a/policy/modules/apps/cpufreqselector.if b/policy/modules/apps/cpufreqselector.if
-index ed94975..e43186f 100644
---- a/policy/modules/apps/cpufreqselector.if
-+++ b/policy/modules/apps/cpufreqselector.if
-@@ -1 +1,42 @@
- ## <summary>Command-line CPU frequency settings.</summary>
-+
-+########################################
-+## <summary>
-+##      Send a dbus message to
-+##      cpufreq-selector.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`cpufreqselector_dbus_send',`
-+        gen_require(`
-+                type cpufreqselector_t;
-+                class dbus send_msg;
-+        ')
-+
-+        allow $1 cpufreqselector_t:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
-+##      Send and receive messages from
-+##      cpufreq-selector over dbus.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`cpufreqselector_dbus_chat',`
-+        gen_require(`
-+                type cpufreqselector_t;
-+                class dbus send_msg;
-+        ')
-+
-+        allow $1 cpufreqselector_t:dbus send_msg;
-+        allow cpufreqselector_t $1:dbus send_msg;
-+')
 diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
-index 0457de1..b440acb 100644
+index e51e7f5..8e0405f 100644
 --- a/policy/modules/apps/cpufreqselector.te
 +++ b/policy/modules/apps/cpufreqselector.te
-@@ -16,6 +16,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
- 
+@@ -17,6 +17,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
  allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+ allow cpufreqselector_t self:process getsched;
  allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
 +allow cpufreqselector_t self:process getsched;
  
- files_read_etc_files(cpufreqselector_t)
- files_read_usr_files(cpufreqselector_t)
-@@ -24,10 +25,12 @@ corecmd_search_bin(cpufreqselector_t)
+ kernel_read_system_state(cpufreqselector_t)
+ 
+@@ -27,10 +28,12 @@ corecmd_search_bin(cpufreqselector_t)
  
  dev_rw_sysfs(cpufreqselector_t)
  
@@ -2608,7 +2904,7 @@ index 0457de1..b440acb 100644
  
  optional_policy(`
  	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-@@ -50,3 +53,7 @@ optional_policy(`
+@@ -53,3 +56,7 @@ optional_policy(`
  	policykit_read_lib(cpufreqselector_t)
  	policykit_read_reload(cpufreqselector_t)
  ')
@@ -2862,10 +3158,10 @@ index 0000000..7fe26f3
 +')
 diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
 new file mode 100644
-index 0000000..0bbd523
+index 0000000..f4c2d3f
 --- /dev/null
 +++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,74 @@
 +policy_module(firewallgui,1.0.0)
 +
 +########################################
@@ -2900,7 +3196,6 @@ index 0000000..0bbd523
 +
 +corecmd_exec_shell(firewallgui_t)
 +corecmd_exec_bin(firewallgui_t)
-+consoletype_exec(firewallgui_t)
 +
 +dev_read_urand(firewallgui_t)
 +dev_read_sysfs(firewallgui_t)
@@ -2912,26 +3207,35 @@ index 0000000..0bbd523
 +files_search_kernel_modules(firewallgui_t)
 +files_list_kernel_modules(firewallgui_t)
 +
-+iptables_domtrans(firewallgui_t)
-+iptables_initrc_domtrans(firewallgui_t)
-+
-+modutils_getattr_module_deps(firewallgui_t)
-+
 +miscfiles_read_localization(firewallgui_t)
 +
 +userdom_dontaudit_search_user_home_dirs(firewallgui_t)
 +
-+nscd_dontaudit_search_pid(firewallgui_t)
-+nscd_socket_use(firewallgui_t)
++optional_policy(`
++	consoletype_exec(firewallgui_t)
++')
 +
 +optional_policy(`
 +	gnome_read_gconf_home_files(firewallgui_t)
 +')
 +
 +optional_policy(`
-+        policykit_dbus_chat(firewallgui_t)
++	iptables_domtrans(firewallgui_t)
++	iptables_initrc_domtrans(firewallgui_t)
++')
++
++optional_policy(`
++	modutils_getattr_module_deps(firewallgui_t)
 +')
 +
++optional_policy(`
++	nscd_dontaudit_search_pid(firewallgui_t)
++	nscd_socket_use(firewallgui_t)
++')
++
++optional_policy(`
++	policykit_dbus_chat(firewallgui_t)
++')
 diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
 index 00a19e3..1354800 100644
 --- a/policy/modules/apps/gnome.fc
@@ -2974,10 +3278,10 @@ index 00a19e3..1354800 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..c9d74ee 100644
+index f5afe78..0c61d93 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -1,43 +1,519 @@
+@@ -1,43 +1,521 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -3073,9 +3377,10 @@ index f5afe78..c9d74ee 100644
 +
 +	dontaudit $3 gkeyringd_exec_t:file entrypoint;
 +
++	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_$1_t)
++
 +	allow gkeyringd_$1_t $3:dbus send_msg;
 +	allow $3 gkeyringd_$1_t:dbus send_msg;
-+
 +	optional_policy(`
 +	       	dbus_session_domain(gkeyringd_$1_t, gkeyringd_exec_t)
 +		dbus_session_bus_client(gkeyringd_$1_t)
@@ -3152,10 +3457,11 @@ index f5afe78..c9d74ee 100644
 +	gen_require(`
 +		attribute gkeyringd_domain;
 +		type gkeyringd_tmp_t;
++		type gconf_tmp_t;
 +	')
 +
++	allow $1 gconf_tmp_t:dir search_dir_perms;
 +	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
-+	gnome_search_gconf_tmp_dirs($1)
 +')
 +
 +########################################
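Review bot: The new `allow $1 gconf_tmp_t:dir search_dir_perms;` is an unexplained grant inside an interface named for connecting to gkeyringd, and nothing in the hunk says why a gconf tmp type is involved; presumably the keyring socket is created below the gconf tmp directory, but that should be confirmed and recorded rather than left implicit. A one-line why-comment above the rule, e.g. `# search on gconf_tmp_t is needed to reach the keyring socket — confirm path`, would let the next rebase keep or drop the rule knowingly. The enclosing interface's header and summary start outside this hunk.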
@@ -3514,7 +3820,7 @@ index f5afe78..c9d74ee 100644
  ##	in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -56,27 +532,26 @@ interface(`gnome_exec_gconf',`
+@@ -56,27 +534,26 @@ interface(`gnome_exec_gconf',`
  
  ########################################
  ## <summary>
@@ -3550,7 +3856,7 @@ index f5afe78..c9d74ee 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +559,41 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +561,41 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -3603,7 +3909,7 @@ index f5afe78..c9d74ee 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,12 +601,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +603,13 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -3620,7 +3926,7 @@ index f5afe78..c9d74ee 100644
  ')
  
  ########################################
-@@ -151,40 +631,258 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +633,258 @@ interface(`gnome_setattr_config_dirs',`
  
  ########################################
  ## <summary>
@@ -3890,7 +4196,7 @@ index f5afe78..c9d74ee 100644
  	userdom_search_user_home_dirs($1)
  ')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..fd62ccc 100644
+index 2505654..2417992 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0)
@@ -3961,7 +4267,7 @@ index 2505654..fd62ccc 100644
  ##############################
  #
  # Local Policy
-@@ -75,3 +106,149 @@ optional_policy(`
+@@ -75,3 +106,151 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -4096,9 +4402,11 @@ index 2505654..fd62ccc 100644
 +
 +miscfiles_read_localization(gkeyringd_domain)
 +
-+xserver_append_xdm_home_files(gkeyringd_domain)
-+xserver_read_xdm_home_files(gkeyringd_domain)
-+xserver_use_xdm_fds(gkeyringd_domain)
++optional_policy(`
++	xserver_append_xdm_home_files(gkeyringd_domain)
++	xserver_read_xdm_home_files(gkeyringd_domain)
++	xserver_use_xdm_fds(gkeyringd_domain)
++')
 +
 +optional_policy(`
 +	gnome_read_home_config(gkeyringd_domain)
@@ -4621,7 +4929,7 @@ index 167950d..ef63b20 100644
 +    ')
  ')
 diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
-index f63c4c2..3812a46 100644
+index f63c4c2..bf59895 100644
 --- a/policy/modules/apps/kdumpgui.te
 +++ b/policy/modules/apps/kdumpgui.te
 @@ -14,6 +14,7 @@ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
@@ -4632,7 +4940,7 @@ index f63c4c2..3812a46 100644
  allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
  allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
  
-@@ -33,6 +34,7 @@ files_manage_etc_symlinks(kdumpgui_t)
+@@ -33,27 +34,38 @@ files_manage_etc_symlinks(kdumpgui_t)
  # for blkid.tab
  files_manage_etc_runtime_files(kdumpgui_t)
  files_etc_filetrans_etc_runtime(kdumpgui_t, file)
@@ -4640,12 +4948,26 @@ index f63c4c2..3812a46 100644
  
  storage_raw_read_fixed_disk(kdumpgui_t)
  storage_raw_write_fixed_disk(kdumpgui_t)
-@@ -50,10 +52,16 @@ miscfiles_read_localization(kdumpgui_t)
+ 
+ auth_use_nsswitch(kdumpgui_t)
+ 
+-consoletype_exec(kdumpgui_t)
+-
+-kdump_manage_config(kdumpgui_t)
+-kdump_initrc_domtrans(kdumpgui_t)
+-
+ logging_send_syslog_msg(kdumpgui_t)
+ 
+ miscfiles_read_localization(kdumpgui_t)
  
  init_dontaudit_read_all_script_files(kdumpgui_t)
  
 +userdom_dontaudit_search_admin_dir(kdumpgui_t)
 +
++optional_policy(`
++	consoletype_exec(kdumpgui_t)
++')
++
  optional_policy(`
  	dev_rw_lvm_control(kdumpgui_t)
  ')
@@ -4655,6 +4977,11 @@ index f63c4c2..3812a46 100644
 +')
 +
 +optional_policy(`
++	kdump_manage_config(kdumpgui_t)
++	kdump_initrc_domtrans(kdumpgui_t)
++')
++
++optional_policy(`
  	policykit_dbus_chat(kdumpgui_t)
  ')
 diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
@@ -5058,7 +5385,7 @@ index 9a6d67d..d88c02c 100644
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..26f1ff3 100644
+index 2a91fa8..9b22659 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -5140,7 +5467,7 @@ index 2a91fa8..26f1ff3 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,180 @@ optional_policy(`
+@@ -266,3 +291,183 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -5197,6 +5524,7 @@ index 2a91fa8..26f1ff3 100644
 +corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
 +corenet_tcp_connect_squid_port(mozilla_plugin_t)
 +corenet_tcp_connect_ipp_port(mozilla_plugin_t)
++corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
 +corenet_tcp_connect_speech_port(mozilla_plugin_t)
 +corenet_tcp_connect_streaming_port(mozilla_plugin_t)
 +corenet_tcp_bind_generic_node(mozilla_plugin_t)
@@ -5209,6 +5537,8 @@ index 2a91fa8..26f1ff3 100644
 +dev_read_sysfs(mozilla_plugin_t)
 +dev_read_sound(mozilla_plugin_t)
 +dev_write_sound(mozilla_plugin_t)
++# for nvidia driver
++dev_rw_xserver_misc(mozilla_plugin_t)
 +dev_dontaudit_rw_dri(mozilla_plugin_t)
 +
 +domain_use_interactive_fds(mozilla_plugin_t)
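Review bot: The comment `# for nvidia driver` above `dev_rw_xserver_misc(mozilla_plugin_t)` understates the grant: xserver_misc_device_t also labels other nodes, such as /dev/controlD64 and /dev/mvideo/.* in the devices.fc context visible elsewhere in this patch, so the plugin domain gets read/write access to all of them. Reword the comment to reflect the actual scope, e.g. `# rw on all xserver_misc_device_t nodes (nvidia, controlD64, mvideo, ...)`, or gate the rule behind a boolean if only the nvidia case is wanted.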
@@ -6920,7 +7250,7 @@ index c605046..97b3df2 100644
 +miscfiles_read_localization(rssh_chroot_helper_t)
 +
 diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index 9ec1478..ceec04a 100644
+index 9ec1478..e3734df 100644
 --- a/policy/modules/apps/sambagui.te
 +++ b/policy/modules/apps/sambagui.te
 @@ -27,9 +27,10 @@ corecmd_exec_bin(sambagui_t)
@@ -6935,25 +7265,48 @@ index 9ec1478..ceec04a 100644
  
  auth_use_nsswitch(sambagui_t)
  
-@@ -39,6 +40,8 @@ miscfiles_read_localization(sambagui_t)
+@@ -37,21 +38,32 @@ logging_send_syslog_msg(sambagui_t)
  
- nscd_dontaudit_search_pid(sambagui_t)
+ miscfiles_read_localization(sambagui_t)
  
+-nscd_dontaudit_search_pid(sambagui_t)
+ 
+-# handling with samba conf files
+-samba_append_log(sambagui_t)
+-samba_manage_config(sambagui_t)
+-samba_manage_var_files(sambagui_t)
+-samba_read_secrets(sambagui_t)
+-samba_initrc_domtrans(sambagui_t)
+-samba_domtrans_smbd(sambagui_t)
+-samba_domtrans_nmbd(sambagui_t)
 +userdom_dontaudit_search_admin_dir(sambagui_t)
-+
- # handling with samba conf files
- samba_append_log(sambagui_t)
- samba_manage_config(sambagui_t)
-@@ -53,5 +56,9 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	consoletype_exec(sambagui_t)
  ')
  
  optional_policy(`
++	nscd_dontaudit_search_pid(sambagui_t)
++')
++
++optional_policy(`
 +	gnome_dontaudit_search_config(sambagui_t)
 +') 
 +
 +optional_policy(`
  	policykit_dbus_chat(sambagui_t)
  ')
++
++optional_policy(`
++	# handling with samba conf files
++	samba_append_log(sambagui_t)
++	samba_manage_config(sambagui_t)
++	samba_manage_var_files(sambagui_t)
++	samba_read_secrets(sambagui_t)
++	samba_initrc_domtrans(sambagui_t)
++	samba_domtrans_smbd(sambagui_t)
++	samba_domtrans_nmbd(sambagui_t)
++')
 diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc
 new file mode 100644
 index 0000000..6caef63
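Review bot: The new `optional_policy(` block holding `nscd_dontaudit_search_pid(sambagui_t)` is inserted before the gnome block, which breaks the alphabetical ordering the surrounding optional_policy blocks otherwise follow (consoletype, gnome, policykit, samba). Move it between the gnome and policykit blocks so the file stays in the conventional order. Grouping the samba calls into their own block at the end, with the `# handling with samba conf files` comment kept next to the rules it describes, reads fine.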
@@ -7275,10 +7628,10 @@ index 0000000..0fedd57
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..e6e9f42
+index 0000000..2280381
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,465 @@
+@@ -0,0 +1,474 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -7465,6 +7818,14 @@ index 0000000..e6e9f42
 +allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
 +term_create_pty(sandbox_x_domain,sandbox_devpts_t)
 +
++can_exec(sandbox_x_domain, sandbox_file_t)
++allow sandbox_x_domain sandbox_file_t:filesystem getattr;
++manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++
 +domain_dontaudit_read_all_domains_state(sandbox_x_domain)
 +
 +files_search_home(sandbox_x_domain)
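Review bot: `can_exec(sandbox_x_domain, sandbox_file_t)` together with `manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t)` lets a sandboxed X domain execute any file it is itself allowed to create and modify, so the sandbox no longer separates writable from executable content on its own file type; if that is intentional (presumably to run content placed in the sandbox home), say so in a comment above the block such as `# sandboxed apps may create and execute their own sandbox_file_t content — deliberate`. The five manage_*_pattern calls also end in a stray `;`, which none of the other macro calls in this file carry (compare `term_create_pty(sandbox_x_domain,sandbox_devpts_t)` just above); drop the semicolons for consistency with the rest of the file.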
@@ -7500,6 +7861,8 @@ index 0000000..e6e9f42
 +miscfiles_read_localization(sandbox_x_domain)
 +miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
 +
++mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
++
 +selinux_get_fs_mount(sandbox_x_domain)
 +selinux_validate_context(sandbox_x_domain)
 +selinux_compute_access_vector(sandbox_x_domain)
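Review bot: `mta_dontaudit_read_spool_symlinks(sandbox_x_domain)` calls into the mta module without an `optional_policy(` wrapper, unlike the rest of this commit, which moves cross-module calls (consoletype, iptables, nscd, kdump, samba, xserver, init) into optional_policy blocks; a build without the mta module would presumably fail on the undefined interface. Wrap it in the same three-line `optional_policy(` ... `')` form used for the other calls and place it in alphabetical order among the existing optional blocks of sandbox_x_domain.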
@@ -7508,7 +7871,6 @@ index 0000000..e6e9f42
 +selinux_compute_user_contexts(sandbox_x_domain)
 +seutil_read_default_contexts(sandbox_x_domain)
 +
-+
 +term_getattr_pty_fs(sandbox_x_domain)
 +term_use_ptmx(sandbox_x_domain)
 +term_search_ptys(sandbox_x_domain)
@@ -7799,7 +8161,7 @@ index 320df26..0e4ead0 100644
  
  	files_search_tmp($1_screen_t)
 diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..7455c19 100644
+index 1dc7a85..787df80 100644
 --- a/policy/modules/apps/seunshare.if
 +++ b/policy/modules/apps/seunshare.if
 @@ -53,8 +53,14 @@ interface(`seunshare_run',`
@@ -7818,7 +8180,7 @@ index 1dc7a85..7455c19 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -66,15 +72,28 @@ interface(`seunshare_run',`
+@@ -66,15 +72,31 @@ interface(`seunshare_run',`
  ##	</summary>
  ## </param>
  #
@@ -7849,15 +8211,18 @@ index 1dc7a85..7455c19 100644
 +	allow $1_seunshare_t $3:process transition;
 +	dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
 +
++	corecmd_bin_domtrans($1_seunshare_t, $1_t)
++	corecmd_shell_domtrans($1_seunshare_t, $1_t)
++
 +	ifdef(`hide_broken_symptoms', `
 +		dontaudit $1_seunshare_t $3:socket_class_set { read write };
 +	')
  ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..63db4fd 100644
+index 7590165..44aa6d1 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,47 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,48 @@ policy_module(seunshare, 1.1.0)
  # Declarations
  #
  
@@ -7871,7 +8236,7 @@ index 7590165..63db4fd 100644
  #
  # seunshare local policy
  #
-+allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice };
 +allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
  
 -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
@@ -7894,6 +8259,7 @@ index 7590165..63db4fd 100644
 +files_read_etc_files(seunshare_domain)
 +files_mounton_all_poly_members(seunshare_domain)
 +files_manage_generic_tmp_dirs(seunshare_domain)
++files_relabelfrom_tmp_dirs(seunshare_domain)
  
 -auth_use_nsswitch(seunshare_t)
 +fs_manage_cgroup_dirs(seunshare_domain)
@@ -7907,9 +8273,9 @@ index 7590165..63db4fd 100644
  
 -userdom_use_user_terminals(seunshare_t)
 +miscfiles_read_localization(seunshare_domain)
-+
-+userdom_use_user_terminals(seunshare_domain)
  
++userdom_use_user_terminals(seunshare_domain)
++userdom_list_user_home_content(seunshare_domain)
  ifdef(`hide_broken_symptoms', `
 -	fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
 +	fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
@@ -8156,10 +8522,10 @@ index 0000000..6878d68
 +
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..d4e5e9e
+index 0000000..db7941f
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,331 @@
+@@ -0,0 +1,333 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -8227,6 +8593,7 @@ index 0000000..d4e5e9e
 +corenet_tcp_connect_mmcc_port(telepathy_msn_t)
 +corenet_tcp_connect_msnp_port(telepathy_msn_t)
 +corenet_tcp_connect_sametime_port(telepathy_msn_t)
++corenet_tcp_connect_ssdp_port(telepathy_msn_t)
 +
 +corecmd_exec_bin(telepathy_msn_t)
 +corecmd_exec_shell(telepathy_msn_t)
@@ -8323,6 +8690,7 @@ index 0000000..d4e5e9e
 +allow telepathy_idle_t self:netlink_route_socket create_netlink_socket_perms;
 +
 +corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
++corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
 +corenet_tcp_connect_ircd_port(telepathy_idle_t)
 +
 +dev_read_rand(telepathy_idle_t)
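Review bot: `corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)` has no comment explaining why this connector needs the gatekeeper port; the neighbouring rules (`corenet_sendrecv_ircd_client_packets`, `corenet_tcp_connect_ircd_port`) are self-evidently IRC, this one is not. Add a short why-comment above it, e.g. `# <reason telepathy-idle needs gatekeeper_port_t — fill in>`, or reference the report that motivated it.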
@@ -9070,7 +9438,7 @@ index 5a07a43..e97e47f 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..791a227 100644
+index 0757523..6795999 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -9224,7 +9592,7 @@ index 0757523..791a227 100644
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -177,24 +213,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -177,24 +213,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -9249,6 +9617,7 @@ index 0757523..791a227 100644
  network_port(speech, tcp,8036,s0)
 -network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
 +network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
++network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
  network_port(ssh, tcp,22,s0)
 +network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
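Review bot: The new `network_port(ssdp, tcp,1900,s0, udp, 1900, s0)` mixes two spacing styles in one declaration; the neighbouring lines use either the compact `tcp,3128,s0` form or the spaced `tcp, 554, s0` form consistently. Write it as `network_port(ssdp, tcp,1900,s0, udp,1900,s0)` to match the squid and ssh lines directly around it.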
@@ -9257,7 +9626,7 @@ index 0757523..791a227 100644
  network_port(syslogd, udp,514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
-@@ -205,16 +245,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,16 +246,17 @@ network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -9278,7 +9647,7 @@ index 0757523..791a227 100644
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
-@@ -276,5 +317,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
+@@ -276,5 +318,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
  allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
  
  # Bind to any network address.
@@ -9286,42 +9655,19 @@ index 0757523..791a227 100644
 +allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
  allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 8ac94e4..c02f095 100644
+index 6cf8784..286aec1 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
-@@ -18,6 +18,7 @@
- /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
- /dev/btrfs-control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
- /dev/controlD64		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/crash		-c	gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
- /dev/dahdi/.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -159,6 +160,7 @@ ifdef(`distro_suse', `
- 
- /dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
- 
-+/dev/mqueue(/.*)?		<<none>>
- /dev/pts(/.*)?			<<none>>
- 
- /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -178,13 +180,12 @@ ifdef(`distro_suse', `
- 
- /etc/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
- 
--/lib/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
-+/lib/udev/devices(/.*)?		gen_context(system_u:object_r:device_t,s0)
- 
--ifdef(`distro_gentoo',`
- # used by init scripts to initally populate udev /dev
-+/lib/udev/devices/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+@@ -187,8 +187,6 @@ ifdef(`distro_suse', `
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
--')
  
+-/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
+-
  ifdef(`distro_redhat',`
  # originally from named.fc
-@@ -193,3 +194,8 @@ ifdef(`distro_redhat',`
+ /var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
+@@ -196,3 +194,8 @@ ifdef(`distro_redhat',`
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
  ')
@@ -9331,7 +9677,7 @@ index 8ac94e4..c02f095 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index efaf808..d1ceca8 100644
+index e9313fb..8083a5b 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -9395,132 +9741,73 @@ index efaf808..d1ceca8 100644
  ##	Add entries to directories in /dev.
  ## </summary>
  ## <param name="domain">
-@@ -336,6 +373,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
+@@ -715,7 +752,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
  
  ########################################
  ## <summary>
-+##	read generic files in /dev.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_read_generic_files',`
-+	gen_require(`
-+		type device_t;
-+	')
-+
-+	read_files_pattern($1, device_t, device_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write generic files in /dev.
+-##	Read symbolic links in device directories.
++##	Create symbolic links in device directories.
  ## </summary>
  ## <param name="domain">
-@@ -516,6 +571,24 @@ interface(`dev_getattr_generic_chr_files',`
+ ##	<summary>
+@@ -723,17 +760,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_read_generic_symlinks',`
++interface(`dev_create_generic_symlinks',`
+ 	gen_require(`
+ 		type device_t;
+ 	')
  
- ########################################
- ## <summary>
-+##	Allow relablefrom for generic character device files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_relabelfrom_generic_chr_files',`
-+	gen_require(`
-+		type device_t;
-+	')
-+
-+	allow $1 device_t:chr_file relabelfrom;
-+')
-+
-+########################################
-+## <summary>
- ##	Dontaudit getattr for generic character device files.
- ## </summary>
- ## <param name="domain">
-@@ -552,6 +625,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
+-	allow $1 device_t:lnk_file read_lnk_file_perms;
++	create_lnk_files_pattern($1, device_t, device_t)
+ ')
  
  ########################################
  ## <summary>
-+##	Read generic character device files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_read_generic_chr_files',`
-+	gen_require(`
-+		type device_t;
-+	')
-+
-+	allow $1 device_t:chr_file read_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write generic character device files.
+-##	Create symbolic links in device directories.
++##	Delete symbolic links in device directories.
  ## </summary>
  ## <param name="domain">
-@@ -570,6 +661,24 @@ interface(`dev_rw_generic_chr_files',`
+ ##	<summary>
+@@ -741,17 +778,17 @@ interface(`dev_read_generic_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_create_generic_symlinks',`
++interface(`dev_delete_generic_symlinks',`
+ 	gen_require(`
+ 		type device_t;
+ 	')
  
- ########################################
- ## <summary>
-+##	Read and write generic block device files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_rw_generic_blk_files',`
-+	gen_require(`
-+		type device_t;
-+	')
-+
-+	allow $1 device_t:blk_file rw_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Dontaudit attempts to read/write generic character device files.
- ## </summary>
- ## <param name="domain">
-@@ -679,6 +788,24 @@ interface(`dev_delete_generic_symlinks',`
+-	create_lnk_files_pattern($1, device_t, device_t)
++	delete_lnk_files_pattern($1, device_t, device_t)
+ ')
  
  ########################################
  ## <summary>
+-##	Delete symbolic links in device directories.
 +##	Read symbolic links in device directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_read_generic_symlinks',`
-+	gen_require(`
-+		type device_t;
-+	')
-+
-+	allow $1 device_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Create, delete, read, and write symbolic links in device directories.
  ## </summary>
  ## <param name="domain">
-@@ -1088,6 +1215,42 @@ interface(`dev_create_all_chr_files',`
+ ##	<summary>
+@@ -759,12 +796,12 @@ interface(`dev_create_generic_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_delete_generic_symlinks',`
++interface(`dev_read_generic_symlinks',`
+ 	gen_require(`
+ 		type device_t;
+ 	')
+ 
+-	delete_lnk_files_pattern($1, device_t, device_t)
++	allow $1 device_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -1178,6 +1215,42 @@ interface(`dev_create_all_chr_files',`
  
  ########################################
  ## <summary>
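Review bot: The three interface changes in this hunk are a pure rotation: `dev_read_generic_symlinks` becomes `dev_create_generic_symlinks`, `dev_create_generic_symlinks` becomes `dev_delete_generic_symlinks` and `dev_delete_generic_symlinks` becomes `dev_read_generic_symlinks`, with the summaries and bodies (`create_lnk_files_pattern`, `delete_lnk_files_pattern`, `allow $1 device_t:lnk_file read_lnk_file_perms;`) swapped along with them, so the resulting file defines the same three interfaces with the same rules as upstream, only in a different order. Carrying a reorder in the downstream patch adds conflict surface on every rebase for no policy effect; consider dropping these hunks so the file keeps upstream's ordering, unless the move is needed for the rest of the patch to apply.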
@@ -9563,82 +9850,7 @@ index efaf808..d1ceca8 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -1350,6 +1513,24 @@ interface(`dev_getattr_autofs_dev',`
- 
- ########################################
- ## <summary>
-+##	Relable the autofs device node.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_relabel_autofs_dev',`
-+	gen_require(`
-+		type autofs_device_t;
-+	')
-+
-+	allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to get the attributes of
- ##	the autofs device node.
- ## </summary>
-@@ -1597,6 +1778,24 @@ interface(`dev_rw_cpu_microcode',`
- 
- ########################################
- ## <summary>
-+##	Read the kernel crash device
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_read_crash',`
-+	gen_require(`
-+		type device_t, crash_device_t;
-+	')
-+
-+	read_chr_files_pattern($1, device_t, crash_device_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write the the hardware SSL accelerator.
- ## </summary>
- ## <param name="domain">
-@@ -1979,6 +2178,24 @@ interface(`dev_read_kmsg',`
- 
- ########################################
- ## <summary>
-+##	Do not audit attempts to read the kernel messages
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_dontaudit_read_kmsg',`
-+	gen_require(`
-+		type kmsg_device_t;
-+	')
-+
-+	dontaudit $1 kmsg_device_t:chr_file read;
-+')
-+
-+########################################
-+## <summary>
- ##	Write to the kernel messages device
- ## </summary>
- ## <param name="domain">
-@@ -3048,24 +3265,6 @@ interface(`dev_rw_printer',`
+@@ -3192,24 +3265,6 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -9663,32 +9875,33 @@ index efaf808..d1ceca8 100644
  ##	Get the attributes of the QEMU
  ##	microcode and id interfaces.
  ## </summary>
-@@ -3613,6 +3812,24 @@ interface(`dev_manage_smartcard',`
+@@ -3884,25 +3939,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
-+##	Associate a file to a sysfs filesystem.
-+## </summary>
-+## <param name="file_type">
-+##	<summary>
-+##	The type of the file to be associated to sysfs.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_associate_sysfs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
-+	allow $1 sysfs_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
- ##	Get the attributes of sysfs directories.
+-##	Create, read, write, and delete sysfs
+-##	directories.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`dev_manage_sysfs_dirs',`
+-	gen_require(`
+-		type sysfs_t;
+-	')
+-
+-	manage_dirs_pattern($1, sysfs_t, sysfs_t)
+-')
+-
+-########################################
+-## <summary>
+ ##	Read hardware state information.
  ## </summary>
- ## <param name="domain">
-@@ -3773,6 +3990,24 @@ interface(`dev_rw_sysfs',`
+ ## <desc>
+@@ -3954,6 +3990,24 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -9713,63 +9926,11 @@ index efaf808..d1ceca8 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -3960,6 +4195,24 @@ interface(`dev_read_usbmon_dev',`
- 
- ########################################
- ## <summary>
-+##	Write USB monitor devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_write_usbmon_dev',`
-+	gen_require(`
-+		type device_t, usbmon_device_t;
-+	')
-+
-+	write_chr_files_pattern($1, device_t, usbmon_device_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Mount a usbfs filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -4270,11 +4523,10 @@ interface(`dev_write_video_dev',`
- #
- interface(`dev_rw_vhost',`
- 	gen_require(`
--		type vhost_device_t;
-+		type device_t, vhost_device_t;
- 	')
- 
--	list_dirs_pattern($1, vhost_device_t, vhost_device_t)
--	rw_files_pattern($1, vhost_device_t, vhost_device_t)
-+	rw_chr_files_pattern($1, device_t, vhost_device_t)
- ')
- 
- ########################################
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index c03e21b..2942d8d 100644
+index 3ff4f60..89ffda6 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
-@@ -56,6 +56,12 @@ dev_node(clock_device_t)
- type cpu_device_t;
- dev_node(cpu_device_t)
- 
-+#
-+# Type for /dev/crash
-+#
-+type crash_device_t;
-+dev_node(crash_device_t)
-+
- # for the IBM zSeries z90crypt hardware ssl accelorator
- type crypt_device_t;
- dev_node(crypt_device_t)
-@@ -102,6 +108,7 @@ dev_node(ksm_device_t)
+@@ -108,6 +108,7 @@ dev_node(ksm_device_t)
  #
  type kvm_device_t;
  dev_node(kvm_device_t)
@@ -9777,7 +9938,7 @@ index c03e21b..2942d8d 100644
  
  #
  # Type for /dev/lirc
-@@ -304,5 +311,5 @@ files_associate_tmp(device_node)
+@@ -310,5 +311,5 @@ files_associate_tmp(device_node)
  #
  
  allow devices_unconfined_type self:capability sys_rawio;
@@ -9881,7 +10042,7 @@ index aad8c52..6ac24b0 100644
 +	dontaudit $1 domain:socket_class_set { read write };
 +')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index bc534c1..2a6b5e1 100644
+index bc534c1..b70ea07 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.0)
@@ -9974,7 +10135,7 @@ index bc534c1..2a6b5e1 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -160,3 +197,85 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,89 @@ allow unconfined_domain_type domain:key *;
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -9983,10 +10144,14 @@ index bc534c1..2a6b5e1 100644
 +selinux_search_fs(domain)
 +selinux_dontaudit_read_fs(domain)
 +
-+seutil_dontaudit_read_config(domain)
++optional_policy(`
++	seutil_dontaudit_read_config(domain)
++')
 +
-+init_sigchld(domain)
-+init_signull(domain)
++optional_policy(`
++	init_sigchld(domain)
++	init_signull(domain)
++')
 +
 +ifdef(`distro_redhat',`
 +	files_search_mnt(domain)
@@ -10061,7 +10226,7 @@ index bc534c1..2a6b5e1 100644
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 3517db2..f798a69 100644
+index 16108f6..2abd3eb 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -10072,9 +10237,9 @@ index 3517db2..f798a69 100644
  ')
  
  ifdef(`distro_suse',`
-@@ -64,6 +65,13 @@ ifdef(`distro_suse',`
- /etc/reader\.conf	-- 	gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/smartd\.conf.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -58,6 +59,13 @@ ifdef(`distro_suse',`
+ /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  
 +/etc/sysctl\.conf(\.old)?               --      gen_context(system_u:object_r:system_conf_t,s0)
 +/etc/sysconfig/ebtables.*				--      gen_context(system_u:object_r:system_conf_t,s0)
@@ -10086,7 +10251,7 @@ index 3517db2..f798a69 100644
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
  /etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
-@@ -74,7 +82,10 @@ ifdef(`distro_suse',`
+@@ -68,7 +76,10 @@ ifdef(`distro_suse',`
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -10098,7 +10263,7 @@ index 3517db2..f798a69 100644
  
  ifdef(`distro_gentoo', `
  /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -95,7 +106,7 @@ ifdef(`distro_suse',`
+@@ -89,7 +100,7 @@ ifdef(`distro_suse',`
  # HOME_ROOT
  # expanded by genhomedircon
  #
@@ -10107,7 +10272,7 @@ index 3517db2..f798a69 100644
  HOME_ROOT/\.journal		<<none>>
  HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  HOME_ROOT/lost\+found/.*		<<none>>
-@@ -159,6 +170,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -153,6 +164,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -10120,7 +10285,7 @@ index 3517db2..f798a69 100644
  #
  # /selinux
  #
-@@ -172,12 +189,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -166,12 +183,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /srv/.*				gen_context(system_u:object_r:var_t,s0)
  
  #
@@ -10133,7 +10298,7 @@ index 3517db2..f798a69 100644
  # /tmp
  #
  /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-@@ -217,7 +228,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -211,7 +222,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  
  ifndef(`distro_redhat',`
  /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
@@ -10141,7 +10306,7 @@ index 3517db2..f798a69 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -233,6 +243,8 @@ ifndef(`distro_redhat',`
+@@ -227,6 +237,8 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -10150,7 +10315,7 @@ index 3517db2..f798a69 100644
  /var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
  
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-@@ -249,7 +261,7 @@ ifndef(`distro_redhat',`
+@@ -243,7 +255,7 @@ ifndef(`distro_redhat',`
  /var/spool(/.*)?			gen_context(system_u:object_r:var_spool_t,s0)
  /var/spool/postfix/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
  
@@ -10159,7 +10324,7 @@ index 3517db2..f798a69 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -258,3 +270,7 @@ ifndef(`distro_redhat',`
+@@ -252,3 +264,7 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
@@ -10168,7 +10333,7 @@ index 3517db2..f798a69 100644
 +
 +/usr/lib/debug(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ed203b2..0a4f89a 100644
+index 958ca84..d451c3f 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -11359,7 +11524,7 @@ index ed203b2..0a4f89a 100644
 +	dontaudit $1 file_type:file_class_set write;
 +')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index e8a6b1d..fd53860 100644
+index 6e01635..212a736 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
 @@ -11,6 +11,7 @@ attribute lockfile;
@@ -11415,7 +11580,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..c19e896 100644
+index dfe361a..fbbd1ce 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -11531,10 +11696,28 @@ index dfe361a..c19e896 100644
  ##	Create, read, write, and delete all noxattrfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -1088,6 +1133,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1088,6 +1133,42 @@ interface(`fs_read_noxattr_fs_files',`
  
  ########################################
  ## <summary>
++##	Read/Write all inherited noxattrfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_rw_inherited_noxattr_fs_files',`
++	gen_require(`
++		attribute noxattrfs;
++	')
++
++	allow $1 noxattrfs:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
 +##	Do not audit read all noxattrfs files.
 +## </summary>
 +## <param name="domain">
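Review bot: The summary of the new `fs_rw_inherited_noxattr_fs_files` interface (`Read/Write all inherited noxattrfs files.`) does not say what distinguishes it from the existing read/write interfaces on the same type: `rw_inherited_file_perms` is conventionally the read/write set without `open`, so the caller can only use descriptors another domain opened and passed to it — confirm against this policy's permission-set definitions. Suggest `##	Read and write noxattrfs files that were opened by another domain and passed as inherited file descriptors (no open permission).` The same clarification applies to `fs_rw_inherited_cifs_files` and `fs_rw_inherited_nfs_files` added further down in this file section.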
@@ -11556,7 +11739,7 @@ index dfe361a..c19e896 100644
  ##	Dont audit attempts to write to noxattrfs files.
  ## </summary>
  ## <param name="domain">
-@@ -1227,6 +1290,24 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1227,6 +1308,42 @@ interface(`fs_dontaudit_append_cifs_files',`
  
  ########################################
  ## <summary>
@@ -11564,7 +11747,7 @@ index dfe361a..c19e896 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
@@ -11578,10 +11761,28 @@ index dfe361a..c19e896 100644
 +
 +########################################
 +## <summary>
++##	Read/Write inherited files on a CIFS or SMB filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_rw_inherited_cifs_files',`
++	gen_require(`
++		type cifs_t;
++	')
++
++	allow $1 cifs_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
  ##	Do not audit attempts to read or
  ##	write files on a CIFS or SMB filesystem.
  ## </summary>
-@@ -1241,7 +1322,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1241,7 +1358,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
  		type cifs_t;
  	')
  
@@ -11590,7 +11791,7 @@ index dfe361a..c19e896 100644
  ')
  
  ########################################
-@@ -1504,6 +1585,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1504,6 +1621,25 @@ interface(`fs_cifs_domtrans',`
  	domain_auto_transition_pattern($1, cifs_t, $2)
  ')
  
@@ -11616,7 +11817,7 @@ index dfe361a..c19e896 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -1659,6 +1759,25 @@ interface(`fs_search_dos',`
+@@ -1659,6 +1795,25 @@ interface(`fs_search_dos',`
  
  ########################################
  ## <summary>
@@ -11642,7 +11843,7 @@ index dfe361a..c19e896 100644
  ##	Create, read, write, and delete dirs
  ##	on a DOS filesystem.
  ## </summary>
-@@ -1892,6 +2011,26 @@ interface(`fs_manage_fusefs_files',`
+@@ -1892,6 +2047,26 @@ interface(`fs_manage_fusefs_files',`
  
  ########################################
  ## <summary>
@@ -11669,7 +11870,7 @@ index dfe361a..c19e896 100644
  ##	Do not audit attempts to create,
  ##	read, write, and delete files
  ##	on a FUSEFS filesystem.
-@@ -1931,7 +2070,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1931,7 +2106,26 @@ interface(`fs_read_fusefs_symlinks',`
  
  ########################################
  ## <summary>
@@ -11697,7 +11898,7 @@ index dfe361a..c19e896 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,6 +2104,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +2140,41 @@ interface(`fs_rw_hugetlbfs_files',`
  
  	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
  ')
@@ -11739,7 +11940,7 @@ index dfe361a..c19e896 100644
  
  ########################################
  ## <summary>
-@@ -1999,6 +2192,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2228,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -11747,7 +11948,7 @@ index dfe361a..c19e896 100644
  ')
  
  ########################################
-@@ -2331,6 +2525,7 @@ interface(`fs_read_nfs_files',`
+@@ -2331,6 +2561,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -11755,7 +11956,7 @@ index dfe361a..c19e896 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2369,6 +2564,7 @@ interface(`fs_write_nfs_files',`
+@@ -2369,6 +2600,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -11763,7 +11964,7 @@ index dfe361a..c19e896 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2395,6 +2591,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2627,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -11789,7 +11990,7 @@ index dfe361a..c19e896 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2435,6 +2650,24 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2435,6 +2686,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -11797,7 +11998,7 @@ index dfe361a..c19e896 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
@@ -11811,10 +12012,28 @@ index dfe361a..c19e896 100644
 +
 +########################################
 +## <summary>
++##	Read/write inherited files on a NFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_rw_inherited_nfs_files',`
++	gen_require(`
++		type nfs_t;
++	')
++
++	allow $1 nfs_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2449,7 +2682,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2736,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -11823,7 +12042,7 @@ index dfe361a..c19e896 100644
  ')
  
  ########################################
-@@ -2637,6 +2870,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2924,24 @@ interface(`fs_dontaudit_read_removable_files',`
  
  ########################################
  ## <summary>
@@ -11848,7 +12067,7 @@ index dfe361a..c19e896 100644
  ##	Read removable storage symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2653,6 +2904,25 @@ interface(`fs_read_removable_symlinks',`
+@@ -2653,6 +2958,25 @@ interface(`fs_read_removable_symlinks',`
  	read_lnk_files_pattern($1, removable_t, removable_t)
  ')
  
@@ -11874,7 +12093,7 @@ index dfe361a..c19e896 100644
  ########################################
  ## <summary>
  ##	Read and write block nodes on removable filesystems.
-@@ -2779,6 +3049,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2779,6 +3103,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -11882,7 +12101,7 @@ index dfe361a..c19e896 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -2819,6 +3090,7 @@ interface(`fs_manage_nfs_files',`
+@@ -2819,6 +3144,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -11890,7 +12109,7 @@ index dfe361a..c19e896 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -2845,7 +3117,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +3171,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
  #########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links
@@ -11899,7 +12118,7 @@ index dfe361a..c19e896 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,6 +3131,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -2859,6 +3185,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -11907,7 +12126,7 @@ index dfe361a..c19e896 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3989,6 +4262,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3989,6 +4316,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -11950,7 +12169,7 @@ index dfe361a..c19e896 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4271,6 +4580,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4634,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -11959,7 +12178,7 @@ index dfe361a..c19e896 100644
  ')
  
  ########################################
-@@ -4681,3 +4992,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +5046,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -12228,7 +12447,7 @@ index 069d36c..adaabf4 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 5001b89..d513268 100644
+index 5001b89..160976e 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -12258,7 +12477,7 @@ index 5001b89..d513268 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -268,19 +272,31 @@ files_list_root(kernel_t)
+@@ -268,19 +272,28 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -12277,20 +12496,29 @@ index 5001b89..d513268 100644
  mls_file_read_all_levels(kernel_t)
 +mls_socket_write_all_levels(kernel_t) 
 +mls_fd_share_all_levels(kernel_t) 
-+
-+logging_manage_generic_logs(kernel_t)
  
  ifdef(`distro_redhat',`
  	# Bugzilla 222337
  	fs_rw_tmpfs_chr_files(kernel_t)
  ')
  
-+userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
 +
  optional_policy(`
  	hotplug_search_config(kernel_t)
  ')
-@@ -357,6 +373,10 @@ optional_policy(`
+@@ -296,6 +309,11 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	logging_send_syslog_msg(kernel_t)
++	logging_manage_generic_logs(kernel_t)
++')
++
++optional_policy(`
++	userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
+ ')
+ 
+ optional_policy(`
+@@ -357,6 +375,10 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
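Review bot: The two new optional_policy blocks around `logging_manage_generic_logs(kernel_t)` and `userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })` carry no rationale, while the neighbouring distro_redhat block documents its grant with `# Bugzilla 222337`. `logging_manage_generic_logs` gives the kernel domain create, rename and delete rights over every generic log file, which matters for log integrity, and the filetrans lets kernel_t create files and directories labelled as user home content; both are unusual for kernel_t, so a one-line comment above each block naming the triggering use case or bug id (e.g. `# <bug-id>: kernel thread writes to /var/log`) would let the next maintainer judge whether the grant is still needed. If only writing existing logs is required, a narrower interface such as `logging_rw_generic_logs` is presumably sufficient — confirm against the denials that motivated the change.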
@@ -12794,10 +13022,10 @@ index be4de58..cce681a 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..62c9b17 100644
+index 2be17d2..6898bd0 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,56 @@ policy_module(staff, 2.2.0)
+@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
@@ -12835,14 +13063,6 @@ index 2be17d2..62c9b17 100644
 +
 +miscfiles_read_hwdata(staff_usertype)
 +
-+modutils_read_module_config(staff_usertype)
-+modutils_read_module_deps(staff_usertype)
-+
-+netutils_run_ping(staff_t, staff_r)
-+netutils_run_traceroute(staff_t, staff_r)
-+netutils_signal_ping(staff_t)
-+netutils_kill_ping(staff_t)
-+
 +ifndef(`enable_mls',`
 +	selinux_read_policy(staff_t)
 +')
@@ -12854,7 +13074,7 @@ index 2be17d2..62c9b17 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,25 +71,118 @@ optional_policy(`
+@@ -27,25 +63,138 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12863,6 +13083,10 @@ index 2be17d2..62c9b17 100644
 +')
 +
 +optional_policy(`
++	colord_dbus_chat(staff_t)
++')
++
++optional_policy(`
 +	gnomeclock_dbus_chat(staff_t)
 +')
 +
@@ -12897,6 +13121,18 @@ index 2be17d2..62c9b17 100644
 +')
 +
 +optional_policy(`
++	modutils_read_module_config(staff_usertype)
++	modutils_read_module_deps(staff_usertype)
++')
++
++optional_policy(`
++	netutils_run_ping(staff_t, staff_r)
++	netutils_run_traceroute(staff_t, staff_r)
++	netutils_signal_ping(staff_t)
++	netutils_kill_ping(staff_t)
++')
++
++optional_policy(`
 +	oident_manage_user_content(staff_t)
 +	oident_relabel_user_content(staff_t)
 +')
@@ -12910,6 +13146,10 @@ index 2be17d2..62c9b17 100644
  ')
  
  optional_policy(`
++	qemu_role(staff_r, staff_t)
++')
++
++optional_policy(`
 +	rtkit_scheduled(staff_t)
 +')
 +
@@ -12975,7 +13215,7 @@ index 2be17d2..62c9b17 100644
  
  optional_policy(`
  	vlock_run(staff_t, staff_r)
-@@ -89,10 +226,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +238,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -12986,7 +13226,7 @@ index 2be17d2..62c9b17 100644
  		gpg_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +270,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +282,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -12997,7 +13237,7 @@ index 2be17d2..62c9b17 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +301,8 @@ ifndef(`distro_redhat',`
+@@ -172,3 +313,8 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -13007,10 +13247,10 @@ index 2be17d2..62c9b17 100644
 +')
 +
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..8839731 100644
+index 4a8d146..d721e34 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,40 @@ ifndef(`enable_mls',`
  #
  # Local policy
  #
@@ -13037,7 +13277,6 @@ index 4a8d146..8839731 100644
 +init_dbus_chat(sysadm_t)
 +init_script_role_transition(sysadm_r)
 +
-+modutils_read_module_deps(sysadm_t)
 +
 +miscfiles_read_hwdata(sysadm_t)
  
@@ -13052,7 +13291,7 @@ index 4a8d146..8839731 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,6 +76,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +75,7 @@ ifndef(`enable_mls',`
  	logging_manage_audit_log(sysadm_t)
  	logging_manage_audit_config(sysadm_t)
  	logging_run_auditctl(sysadm_t, sysadm_r)
@@ -13060,7 +13299,7 @@ index 4a8d146..8839731 100644
  ')
  
  tunable_policy(`allow_ptrace',`
-@@ -69,7 +91,6 @@ optional_policy(`
+@@ -69,7 +90,6 @@ optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
  	#apache_run_all_scripts(sysadm_t, sysadm_r)
  	#apache_domtrans_sys_script(sysadm_t)
@@ -13068,7 +13307,7 @@ index 4a8d146..8839731 100644
  ')
  
  optional_policy(`
-@@ -98,6 +119,10 @@ optional_policy(`
+@@ -98,6 +118,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13079,7 +13318,7 @@ index 4a8d146..8839731 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -114,7 +139,7 @@ optional_policy(`
+@@ -114,7 +138,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13088,7 +13327,7 @@ index 4a8d146..8839731 100644
  ')
  
  optional_policy(`
-@@ -124,6 +149,10 @@ optional_policy(`
+@@ -124,6 +148,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13099,7 +13338,7 @@ index 4a8d146..8839731 100644
  	ddcprobe_run(sysadm_t, sysadm_r)
  ')
  
-@@ -163,6 +192,13 @@ optional_policy(`
+@@ -163,6 +191,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -13113,7 +13352,7 @@ index 4a8d146..8839731 100644
  ')
  
  optional_policy(`
-@@ -170,15 +206,15 @@ optional_policy(`
+@@ -170,15 +205,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13132,7 +13371,12 @@ index 4a8d146..8839731 100644
  ')
  
  optional_policy(`
-@@ -202,14 +238,7 @@ optional_policy(`
+@@ -198,18 +233,12 @@ optional_policy(`
+ 	modutils_run_depmod(sysadm_t, sysadm_r)
+ 	modutils_run_insmod(sysadm_t, sysadm_r)
+ 	modutils_run_update_mods(sysadm_t, sysadm_r)
++	modutils_read_module_deps(sysadm_t)
+ ')
  
  optional_policy(`
  	mount_run(sysadm_t, sysadm_r)
@@ -14048,10 +14292,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..daf56b2
+index 0000000..77c513d
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,497 @@
+@@ -0,0 +1,499 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -14153,9 +14397,11 @@ index 0000000..daf56b2
 +logging_send_syslog_msg(unconfined_t)
 +logging_run_auditctl(unconfined_t, unconfined_r)
 +
-+mount_run_unconfined(unconfined_t, unconfined_r)
-+# Unconfined running as system_r
-+mount_domtrans_unconfined(unconfined_t)
++optional_policy(`
++	mount_run_unconfined(unconfined_t, unconfined_r)
++	# Unconfined running as system_r
++	mount_domtrans_unconfined(unconfined_t)
++')
 +
 +seutil_run_setsebool(unconfined_t, unconfined_r)
 +seutil_run_setfiles(unconfined_t, unconfined_r)
@@ -14550,10 +14796,10 @@ index 0000000..daf56b2
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..54ea4f5 100644
+index e5bfdd4..10d03a3 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,63 @@ role user_r;
+@@ -12,15 +12,67 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -14572,6 +14818,10 @@ index e5bfdd4..54ea4f5 100644
  ')
  
  optional_policy(`
++	colord_dbus_chat(user_t)
++')
++
++optional_policy(`
 +	gnome_role(user_r, user_t)
 +')
 +
@@ -14617,7 +14867,7 @@ index e5bfdd4..54ea4f5 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -62,10 +110,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +114,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -14628,7 +14878,7 @@ index e5bfdd4..54ea4f5 100644
  		gpg_role(user_r, user_t)
  	')
  
-@@ -118,7 +162,7 @@ ifndef(`distro_redhat',`
+@@ -118,7 +166,7 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -14637,7 +14887,7 @@ index e5bfdd4..54ea4f5 100644
  	')
  
  	optional_policy(`
-@@ -157,3 +201,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +205,4 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
@@ -14655,7 +14905,7 @@ index 0ecc786..dbf2710 100644
  userdom_dontaudit_search_user_home_dirs(webadm_t)
  
 diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..06b0e48 100644
+index e88b95f..9d37855 100644
 --- a/policy/modules/roles/xguest.te
 +++ b/policy/modules/roles/xguest.te
 @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -14689,12 +14939,14 @@ index e88b95f..06b0e48 100644
  ifndef(`enable_mls',`
  	fs_exec_noxattr(xguest_t)
  
-@@ -48,12 +48,21 @@ ifndef(`enable_mls',`
- 		storage_raw_read_removable_device(xguest_t)
+@@ -49,11 +49,23 @@ ifndef(`enable_mls',`
  	')
  ')
-+# Dontaudit fusermount
-+mount_dontaudit_exec_fusermount(xguest_t)
+ 
++optional_policy(`
++	# Dontaudit fusermount
++	mount_dontaudit_exec_fusermount(xguest_t)
++')
 +
 +allow xguest_t self:process execmem;
 +kernel_dontaudit_request_load_module(xguest_t)
@@ -14702,7 +14954,7 @@ index e88b95f..06b0e48 100644
 +tunable_policy(`allow_execstack',`
 +	allow xguest_t self:process execstack;
 +')
- 
++
  # Allow mounting of file systems
  optional_policy(`
  	tunable_policy(`xguest_mount_media',`
@@ -14712,7 +14964,7 @@ index e88b95f..06b0e48 100644
  		files_dontaudit_getattr_boot_dirs(xguest_t)
  		files_search_mnt(xguest_t)
  
-@@ -62,10 +71,9 @@ optional_policy(`
+@@ -62,10 +74,9 @@ optional_policy(`
  		fs_manage_noxattr_fs_dirs(xguest_t)
  		fs_getattr_noxattr_fs(xguest_t)
  		fs_read_noxattr_fs_symlinks(xguest_t)
@@ -14724,14 +14976,13 @@ index e88b95f..06b0e48 100644
  	')
  ')
  
-@@ -76,23 +84,99 @@ optional_policy(`
+@@ -76,23 +87,98 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	chrome_role(xguest_r, xguest_usertype)
 +')
 +
-+
 +optional_policy(`
  	hal_dbus_chat(xguest_t)
  ')
@@ -14755,18 +15006,18 @@ index e88b95f..06b0e48 100644
 +
 +optional_policy(`
 +	mono_role_template(xguest, xguest_r, xguest_t)
+ ')
+ 
+ optional_policy(`
+-	mozilla_role(xguest_r, xguest_t)
++	mozilla_run_plugin(xguest_t, xguest_r)
 +')
 +
 +optional_policy(`
-+	mozilla_run_plugin(xguest_t, xguest_r)
++	nsplugin_role(xguest_r, xguest_t)
 +')
 +
 +optional_policy(`
-+	nsplugin_role(xguest_r, xguest_t)
- ')
- 
- optional_policy(`
--	mozilla_role(xguest_r, xguest_t)
 +	pcscd_read_pub_files(xguest_usertype)
 +	pcscd_stream_connect(xguest_usertype)
  ')
@@ -15364,10 +15615,10 @@ index 0000000..6bf0ad6
 +')
 diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
 new file mode 100644
-index 0000000..4b9dc88
+index 0000000..dda9c93
 --- /dev/null
 +++ b/policy/modules/services/aiccu.te
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,75 @@
 +policy_module(aiccu, 1.0.0)
 +
 +########################################
@@ -15435,10 +15686,14 @@ index 0000000..4b9dc88
 +
 +miscfiles_read_localization(aiccu_t)
 +
-+modutils_domtrans_insmod(aiccu_t)
++optional_policy(`
++	modutils_domtrans_insmod(aiccu_t)
++')
 +
-+sysnet_domtrans_ifconfig(aiccu_t)
-+sysnet_dns_name_resolve(aiccu_t)
++optional_policy(`
++	sysnet_domtrans_ifconfig(aiccu_t)
++	sysnet_dns_name_resolve(aiccu_t)
++')
 diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
 index 838d25b..0b0db39 100644
 --- a/policy/modules/services/aide.if
@@ -15678,7 +15933,7 @@ index ceb2142..e31d92a 100644
  ')
  
 diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index c3a1903..0140399 100644
+index c3a1903..19fb14a 100644
 --- a/policy/modules/services/amavis.te
 +++ b/policy/modules/services/amavis.te
 @@ -47,7 +47,7 @@ files_type(amavis_spool_t)
@@ -15716,10 +15971,39 @@ index c3a1903..0140399 100644
  
  corenet_all_recvfrom_unlabeled(amavis_t)
  corenet_all_recvfrom_netlabel(amavis_t)
-@@ -170,6 +171,10 @@ optional_policy(`
+@@ -152,24 +153,32 @@ sysnet_use_ldap(amavis_t)
+ 
+ userdom_dontaudit_search_user_home_dirs(amavis_t)
+ 
+-# Cron handling
+-cron_use_fds(amavis_t)
+-cron_use_system_job_fds(amavis_t)
+-cron_rw_pipes(amavis_t)
+-
+-mta_read_config(amavis_t)
+-
+ optional_policy(`
+ 	clamav_stream_connect(amavis_t)
+ 	clamav_domtrans_clamscan(amavis_t)
+ ')
+ 
+ optional_policy(`
++	#Cron handling
++	cron_use_fds(amavis_t)
++	cron_use_system_job_fds(amavis_t)
++	cron_rw_pipes(amavis_t)
++')
++
++optional_policy(`
+ 	dcc_domtrans_client(amavis_t)
+ 	dcc_stream_connect_dccifd(amavis_t)
  ')
  
  optional_policy(`
++	mta_read_config(amavis_t)
++')
++
++optional_policy(`
 +	nslcd_stream_connect(amavis_t)
 +')
 +
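Review bot: The comment moved into the new cron optional_policy block lost its separating space — `#Cron handling` where the removed line read `# Cron handling`, which is also the `# ` style used throughout the rest of this file. Suggest restoring `	# Cron handling` inside the block. Grouping the cron and mta calls into optional_policy blocks otherwise follows the pattern applied across this patch.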
@@ -17320,7 +17604,7 @@ index 1ea99b2..49e6c74 100644
 +	stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
  ')
 diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..5fbd9b3 100644
+index 1c8c27e..ca71f13 100644
 --- a/policy/modules/services/apm.te
 +++ b/policy/modules/services/apm.te
 @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -17348,7 +17632,17 @@ index 1c8c27e..5fbd9b3 100644
  dev_read_realtime_clock(apmd_t)
  dev_read_urand(apmd_t)
  dev_rw_apm_bios(apmd_t)
-@@ -142,9 +146,8 @@ ifdef(`distro_redhat',`
+@@ -127,9 +131,6 @@ logging_send_audit_msgs(apmd_t)
+ miscfiles_read_localization(apmd_t)
+ miscfiles_read_hwdata(apmd_t)
+ 
+-modutils_domtrans_insmod(apmd_t)
+-modutils_read_module_config(apmd_t)
+-
+ seutil_dontaudit_read_config(apmd_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(apmd_t)
+@@ -142,9 +143,8 @@ ifdef(`distro_redhat',`
  
  	can_exec(apmd_t, apmd_var_run_t)
  
@@ -17359,7 +17653,7 @@ index 1c8c27e..5fbd9b3 100644
  	')
  
  	optional_policy(`
-@@ -155,6 +158,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +155,15 @@ ifdef(`distro_redhat',`
  		netutils_domtrans(apmd_t)
  	')
  
@@ -17375,6 +17669,18 @@ index 1c8c27e..5fbd9b3 100644
  ',`
  	# for ifconfig which is run all the time
  	kernel_dontaudit_search_sysctl(apmd_t)
+@@ -205,6 +214,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	modutils_domtrans_insmod(apmd_t)
++	modutils_read_module_config(apmd_t)
++')
++
++optional_policy(`
+ 	pcmcia_domtrans_cardmgr(apmd_t)
+ 	pcmcia_domtrans_cardctl(apmd_t)
+ ')
 diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
 index c804110..bdefbe1 100644
 --- a/policy/modules/services/arpwatch.if
@@ -17482,17 +17788,33 @@ index d80a16b..a43e006 100644
  
  	init_labeled_script_domtrans($1, automount_initrc_exec_t)
 diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
-index 39799db..6189565 100644
+index 39799db..d174b05 100644
 --- a/policy/modules/services/automount.te
 +++ b/policy/modules/services/automount.te
-@@ -145,6 +145,7 @@ miscfiles_read_generic_certs(automount_t)
+@@ -143,9 +143,6 @@ logging_search_logs(automount_t)
+ miscfiles_read_localization(automount_t)
+ miscfiles_read_generic_certs(automount_t)
  
- # Run mount in the mount_t domain.
- mount_domtrans(automount_t)
-+mount_domtrans_showmount(automount_t)
- mount_signal(automount_t)
+-# Run mount in the mount_t domain.
+-mount_domtrans(automount_t)
+-mount_signal(automount_t)
  
  userdom_dontaudit_use_unpriv_user_fds(automount_t)
+ userdom_dontaudit_search_user_home_dirs(automount_t)
+@@ -155,6 +152,13 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	# Run mount in the mount_t domain.
++	mount_domtrans(automount_t)
++	mount_domtrans_showmount(automount_t)
++	mount_signal(automount_t)
++')
++
++optional_policy(`
+ 	fstools_domtrans(automount_t)
+ ')
+ 
 diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
 index 61c74bc..c6b0498 100644
 --- a/policy/modules/services/avahi.if
@@ -17506,10 +17828,18 @@ index 61c74bc..c6b0498 100644
  	allow avahi_t $1:dbus send_msg;
  ')
 diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index a7a0e71..15686e9 100644
+index a7a0e71..5352ef6 100644
 --- a/policy/modules/services/avahi.te
 +++ b/policy/modules/services/avahi.te
-@@ -46,6 +46,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+@@ -17,6 +17,7 @@ files_pid_file(avahi_var_lib_t)
+ 
+ type avahi_var_run_t;
+ files_pid_file(avahi_var_run_t)
++init_sock_file(avahi_var_run_t)
+ 
+ ########################################
+ #
+@@ -46,6 +47,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
  kernel_read_system_state(avahi_t)
  kernel_read_kernel_sysctls(avahi_t)
  kernel_read_network_state(avahi_t)
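Review bot: `init_sock_file(avahi_var_run_t)` is the only new call in this hunk and is not an interface in upstream refpolicy's init.if; if this policy's own init.if changes (not visible here) provide it the build is fine, otherwise the avahi module fails to build. The call presumably lets the init domain create avahi's socket under the pid-file type (socket activation), so avahi_var_run_t then covers both pid files and an init-created socket; a comment such as `# socket is created by init (socket activation)` above the line would record why the run-time type gets this attribute. Confirm the interface exists before merging.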
@@ -17517,7 +17847,7 @@ index a7a0e71..15686e9 100644
  
  corecmd_exec_bin(avahi_t)
  corecmd_exec_shell(avahi_t)
-@@ -104,6 +105,10 @@ optional_policy(`
+@@ -104,6 +106,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18329,10 +18659,10 @@ index 0000000..3964548
 +')
 diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te
 new file mode 100644
-index 0000000..c63c8fa
+index 0000000..b73c9f2
 --- /dev/null
 +++ b/policy/modules/services/bugzilla.te
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,57 @@
 +policy_module(bugzilla, 1.0)
 +
 +########################################
@@ -18375,12 +18705,14 @@ index 0000000..c63c8fa
 +
 +files_search_var_lib(httpd_bugzilla_script_t)
 +
-+mta_send_mail(httpd_bugzilla_script_t)
-+
 +sysnet_read_config(httpd_bugzilla_script_t)
 +sysnet_use_ldap(httpd_bugzilla_script_t)
 +
 +optional_policy(`
++	mta_send_mail(httpd_bugzilla_script_t)
++')
++
++optional_policy(`
 +	mysql_search_db(httpd_bugzilla_script_t)
 +	mysql_stream_connect(httpd_bugzilla_script_t)
 +')
@@ -18466,10 +18798,10 @@ index 0000000..3b41945
 +')
 diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
 new file mode 100644
-index 0000000..575c16e
+index 0000000..e7d2a5b
 --- /dev/null
 +++ b/policy/modules/services/cachefilesd.te
-@@ -0,0 +1,143 @@
+@@ -0,0 +1,145 @@
 +###############################################################################
 +#
 +# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
@@ -18535,7 +18867,9 @@ index 0000000..575c16e
 +#
 +# Permit RPM to deal with files in the cache
 +#
-+rpm_use_script_fds(cachefilesd_t)
++optional_policy(`
++	rpm_use_script_fds(cachefilesd_t)
++')
 +
 +###############################################################################
 +#
@@ -19231,7 +19565,7 @@ index 1f11572..7f6a7ab 100644
  	')
  
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..f1571f1 100644
+index f758323..f2f0739 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
 @@ -1,9 +1,9 @@
@@ -19276,7 +19610,29 @@ index f758323..f1571f1 100644
  
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
-@@ -147,8 +151,10 @@ optional_policy(`
+@@ -127,12 +131,16 @@ logging_send_syslog_msg(clamd_t)
+ 
+ miscfiles_read_localization(clamd_t)
+ 
+-cron_use_fds(clamd_t)
+-cron_use_system_job_fds(clamd_t)
+-cron_rw_pipes(clamd_t)
++optional_policy(`
++	cron_use_fds(clamd_t)
++	cron_use_system_job_fds(clamd_t)
++	cron_rw_pipes(clamd_t)
++')
+ 
+-mta_read_config(clamd_t)
+-mta_send_mail(clamd_t)
++optional_policy(`
++	mta_read_config(clamd_t)
++	mta_send_mail(clamd_t)
++')
+ 
+ optional_policy(`
+ 	amavis_read_lib_files(clamd_t)
+@@ -147,8 +155,10 @@ optional_policy(`
  
  tunable_policy(`clamd_use_jit',`
  	allow clamd_t self:process execmem;
@@ -19288,7 +19644,7 @@ index f758323..f1571f1 100644
  ')
  
  ########################################
-@@ -178,10 +184,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +188,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
  
  # log files (own logfiles only)
  manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -19307,7 +19663,7 @@ index f758323..f1571f1 100644
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +201,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +205,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -19315,7 +19671,7 @@ index f758323..f1571f1 100644
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,16 +220,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +224,18 @@ miscfiles_read_localization(freshclam_t)
  
  clamav_stream_connect(freshclam_t)
  
@@ -19338,7 +19694,7 @@ index f758323..f1571f1 100644
  ########################################
  #
  # clamscam local policy
-@@ -248,9 +263,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t)
+@@ -248,9 +267,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t)
  corenet_tcp_sendrecv_generic_node(clamscan_t)
  corenet_tcp_sendrecv_all_ports(clamscan_t)
  corenet_tcp_sendrecv_clamd_port(clamscan_t)
@@ -19350,13 +19706,17 @@ index f758323..f1571f1 100644
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -265,6 +282,9 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,7 +285,12 @@ miscfiles_read_public_files(clamscan_t)
+ 
  clamav_stream_connect(clamscan_t)
  
- mta_send_mail(clamscan_t)
-+mta_read_queue(clamscan_t)
-+
+-mta_send_mail(clamscan_t)
 +sysnet_read_config(clamscan_t)
++
++optional_policy(`
++	mta_send_mail(clamscan_t)
++	mta_read_queue(clamscan_t)
++')
  
  optional_policy(`
  	amavis_read_spool_files(clamscan_t)
@@ -20046,8 +20406,140 @@ index 0258b48..8fde016 100644
 +list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
  manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
  manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
+new file mode 100644
+index 0000000..7a01ff6
+--- /dev/null
++++ b/policy/modules/services/colord.fc
+@@ -0,0 +1,4 @@
++
++/usr/libexec/colord		--	gen_context(system_u:object_r:colord_exec_t,s0)
++
++/var/lib/colord(/.*)?			gen_context(system_u:object_r:colord_var_lib_t,s0)
+diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
+new file mode 100644
+index 0000000..38cb883
+--- /dev/null
++++ b/policy/modules/services/colord.if
+@@ -0,0 +1,42 @@
++
++## <summary>policy for colord</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run colord.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`colord_domtrans',`
++	gen_require(`
++		type colord_t, colord_exec_t;
++	')
++
++	domtrans_pattern($1, colord_exec_t, colord_t)
++')
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	colord over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`colord_dbus_chat',`
++	gen_require(`
++		type colord_t;
++		class dbus send_msg;
++	')
++
++	allow $1 colord_t:dbus send_msg;
++	allow colord_t $1:dbus send_msg;
++')
++
+diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
+new file mode 100644
+index 0000000..0ecb72e
+--- /dev/null
++++ b/policy/modules/services/colord.te
+@@ -0,0 +1,68 @@
++policy_module(colord,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type colord_t;
++type colord_exec_t;
++dbus_system_domain(colord_t, colord_exec_t)
++
++type colord_var_lib_t;
++files_type(colord_var_lib_t)
++
++type colord_tmp_t;
++files_tmp_file(colord_tmp_t)
++
++permissive colord_t;
++
++########################################
++#
++# colord local policy
++#
++allow colord_t self:fifo_file rw_fifo_file_perms;
++allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow colord_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
++manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
++files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
++
++manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
++manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
++files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
++
++kernel_read_device_sysctls(colord_t)
++
++corenet_udp_bind_generic_node(colord_t)
++corenet_udp_bind_ipp_port(colord_t)
++
++dev_read_raw_memory(colord_t)
++dev_write_raw_memory(colord_t)
++dev_read_video_dev(colord_t)
++dev_write_video_dev(colord_t)
++dev_read_rand(colord_t)
++dev_read_sysfs(colord_t)
++dev_read_urand(colord_t)
++dev_list_sysfs(colord_t)
++dev_read_generic_usb_dev(colord_t)
++
++domain_use_interactive_fds(colord_t)
++
++files_read_etc_files(colord_t)
++files_read_usr_files(colord_t)
++
++miscfiles_read_localization(colord_t)
++
++sysnet_dns_name_resolve(colord_t)
++
++optional_policy(`
++	cups_read_rw_config(colord_t)
++	cups_stream_connect(colord_t)
++	cups_dbus_chat(colord_t)
++')
++
++optional_policy(`
++	udev_read_db(colord_t)
++')
 diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
-index 42c6bd7..8f23087 100644
+index fd15dfe..ad224fa 100644
 --- a/policy/modules/services/consolekit.if
 +++ b/policy/modules/services/consolekit.if
 @@ -5,9 +5,9 @@
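Review bot: The new colord.te declares `permissive colord_t;` and grants `dev_read_raw_memory(colord_t)` / `dev_write_raw_memory(colord_t)` with no comment on either, so a reader cannot tell whether these are temporary bring-up rules or intended policy. A permissive domain only logs AVC denials, which means none of the other rules in this file are actually enforced for colord_t while that line remains; the raw-memory interfaces cover memory_device_t (/dev/mem, /dev/kmem in refpolicy), which is far broader than the otherwise narrow sysfs/USB/video access the daemon is given. Suggest a comment above the permissive line such as `# permissive while the policy stabilises; remove once denials are resolved`, and either dropping the two raw-memory rules or annotating them with the denial that motivated them so the grant can be re-evaluated later. The colord.if interfaces and colord.fc entries in the same hunk look consistent with the types declared in colord.te.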
@@ -20115,8 +20607,8 @@ index 42c6bd7..8f23087 100644
  ##	Read consolekit log files.
  ## </summary>
  ## <param name="domain">
-@@ -95,3 +134,22 @@ interface(`consolekit_read_pid_files',`
- 	files_search_pids($1)
+@@ -96,3 +135,22 @@ interface(`consolekit_read_pid_files',`
+ 	allow $1 consolekit_var_run_t:dir list_dir_perms;
  	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
  ')
 +
@@ -20139,7 +20631,7 @@ index 42c6bd7..8f23087 100644
 +	list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
 +')
 diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index daf151d..16c0746 100644
+index e67a003..894d4e0 100644
 --- a/policy/modules/services/consolekit.te
 +++ b/policy/modules/services/consolekit.te
 @@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
@@ -20152,7 +20644,7 @@ index daf151d..16c0746 100644
  ########################################
  #
  # consolekit local policy
-@@ -69,7 +72,10 @@ logging_send_audit_msgs(consolekit_t)
+@@ -69,11 +72,12 @@ logging_send_audit_msgs(consolekit_t)
  
  miscfiles_read_localization(consolekit_t)
  
@@ -20162,8 +20654,12 @@ index daf151d..16c0746 100644
 +userdom_dontaudit_getattr_admin_home_files(consolekit_t)
  userdom_read_user_tmp_files(consolekit_t)
  
- hal_ptrace(consolekit_t)
-@@ -83,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',`
+-hal_ptrace(consolekit_t)
+-
+ tunable_policy(`use_nfs_home_dirs',`
+ 	fs_read_nfs_files(consolekit_t)
+ ')
+@@ -83,6 +87,14 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -20171,10 +20667,14 @@ index daf151d..16c0746 100644
 +')
 +
 +optional_policy(`
++	hal_ptrace(consolekit_t)
++')
++
++optional_policy(`
  	dbus_system_domain(consolekit_t, consolekit_exec_t)
  
  	optional_policy(`
-@@ -99,6 +109,10 @@ optional_policy(`
+@@ -99,6 +111,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20185,7 +20685,7 @@ index daf151d..16c0746 100644
  	policykit_dbus_chat(consolekit_t)
  	policykit_domtrans_auth(consolekit_t)
  	policykit_read_lib(consolekit_t)
-@@ -106,9 +120,10 @@ optional_policy(`
+@@ -106,9 +122,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20198,7 +20698,7 @@ index daf151d..16c0746 100644
  	xserver_read_xdm_pid(consolekit_t)
  	xserver_read_user_xauth(consolekit_t)
  	xserver_non_drawing_client(consolekit_t)
-@@ -125,5 +140,6 @@ optional_policy(`
+@@ -125,5 +142,6 @@ optional_policy(`
  
  optional_policy(`
  	#reading .Xauthity
@@ -20735,15 +21235,9 @@ index 35241ed..b6402c9 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f35b243..9941737 100644
+index f7583ab..9941737 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
-@@ -1,4 +1,4 @@
--policy_module(cron, 2.2.0)
-+policy_module(cron, 2.2.1)
- 
- gen_require(`
- 	class passwd rootok;
 @@ -10,18 +10,18 @@ gen_require(`
  #
  
@@ -20883,7 +21377,7 @@ index f35b243..9941737 100644
  
  files_read_usr_files(crond_t)
  files_read_etc_runtime_files(crond_t)
-@@ -203,12 +220,18 @@ files_list_usr(crond_t)
+@@ -203,11 +220,16 @@ files_list_usr(crond_t)
  files_search_var_lib(crond_t)
  files_search_default(crond_t)
  
@@ -20898,11 +21392,9 @@ index f35b243..9941737 100644
  
 +logging_send_audit_msgs(crond_t)
  logging_send_syslog_msg(crond_t)
-+logging_set_loginuid(crond_t)
+ logging_set_loginuid(crond_t)
  
- seutil_read_config(crond_t)
- seutil_read_default_contexts(crond_t)
-@@ -219,8 +242,10 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +242,10 @@ miscfiles_read_localization(crond_t)
  userdom_use_unpriv_users_fds(crond_t)
  # Not sure why this is needed
  userdom_list_user_home_dirs(crond_t)
@@ -20913,7 +21405,7 @@ index f35b243..9941737 100644
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -232,7 +257,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +257,7 @@ ifdef(`distro_debian',`
  	')
  ')
  
@@ -20922,16 +21414,7 @@ index f35b243..9941737 100644
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
  	# via redirection of standard out.
  	optional_policy(`
-@@ -240,16 +265,39 @@ ifdef(`distro_redhat', `
- 	')
- ')
- 
-+tunable_policy(`allow_polyinstantiation',`
-+	files_polyinstantiate_all(crond_t)
-+')
-+
- tunable_policy(`fcron_crond', `
- 	allow crond_t system_cron_spool_t:file manage_file_perms;
+@@ -250,11 +274,30 @@ tunable_policy(`fcron_crond', `
  ')
  
  optional_policy(`
@@ -20962,7 +21445,7 @@ index f35b243..9941737 100644
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -259,6 +307,8 @@ optional_policy(`
+@@ -264,6 +307,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -20971,7 +21454,7 @@ index f35b243..9941737 100644
  ')
  
  optional_policy(`
-@@ -284,12 +334,18 @@ optional_policy(`
+@@ -289,12 +334,18 @@ optional_policy(`
  	udev_read_db(crond_t)
  ')
  
@@ -20990,7 +21473,7 @@ index f35b243..9941737 100644
  allow system_cronjob_t self:process { signal_perms getsched setsched };
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
-@@ -301,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -21011,7 +21494,7 @@ index f35b243..9941737 100644
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -324,6 +389,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +389,7 @@ allow crond_t system_cronjob_t:fd use;
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -21019,7 +21502,7 @@ index f35b243..9941737 100644
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -335,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -21034,7 +21517,7 @@ index f35b243..9941737 100644
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -360,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -21042,7 +21525,7 @@ index f35b243..9941737 100644
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -386,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t)
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -21050,7 +21533,7 @@ index f35b243..9941737 100644
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -408,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
  
  seutil_read_config(system_cronjob_t)
  
@@ -21062,7 +21545,7 @@ index f35b243..9941737 100644
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -434,6 +508,8 @@ optional_policy(`
+@@ -439,6 +508,8 @@ optional_policy(`
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -21071,7 +21554,7 @@ index f35b243..9941737 100644
  ')
  
  optional_policy(`
-@@ -441,6 +517,14 @@ optional_policy(`
+@@ -446,6 +517,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21086,7 +21569,7 @@ index f35b243..9941737 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -451,15 +535,24 @@ optional_policy(`
+@@ -456,15 +535,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21111,7 +21594,7 @@ index f35b243..9941737 100644
  ')
  
  optional_policy(`
-@@ -475,7 +568,7 @@ optional_policy(`
+@@ -480,7 +568,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -21120,7 +21603,7 @@ index f35b243..9941737 100644
  ')
  
  optional_policy(`
-@@ -490,6 +583,7 @@ optional_policy(`
+@@ -495,6 +583,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -21128,7 +21611,7 @@ index f35b243..9941737 100644
  ')
  
  optional_policy(`
-@@ -497,7 +591,13 @@ optional_policy(`
+@@ -502,7 +591,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21142,7 +21625,7 @@ index f35b243..9941737 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -590,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -21230,7 +21713,7 @@ index 305ddf4..777091a 100644
  
  	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..cf33683 100644
+index 0f28095..1c96265 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -21281,7 +21764,20 @@ index 0f28095..cf33683 100644
  
  kernel_read_system_state(cupsd_t)
  kernel_read_network_state(cupsd_t)
-@@ -297,8 +301,10 @@ optional_policy(`
+@@ -270,12 +274,6 @@ files_dontaudit_list_home(cupsd_t)
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+ userdom_dontaudit_search_user_home_content(cupsd_t)
+ 
+-# Write to /var/spool/cups.
+-lpd_manage_spool(cupsd_t)
+-lpd_read_config(cupsd_t)
+-lpd_exec_lpr(cupsd_t)
+-lpd_relabel_spool(cupsd_t)
+-
+ optional_policy(`
+ 	apm_domtrans_client(cupsd_t)
+ ')
+@@ -297,8 +295,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -21292,7 +21788,22 @@ index 0f28095..cf33683 100644
  	')
  ')
  
-@@ -371,8 +377,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -315,6 +315,14 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	# Write to /var/spool/cups.
++	lpd_manage_spool(cupsd_t)
++	lpd_read_config(cupsd_t)
++	lpd_exec_lpr(cupsd_t)
++	lpd_relabel_spool(cupsd_t)
++')
++
++optional_policy(`
+ 	mta_send_mail(cupsd_t)
+ ')
+ 
+@@ -371,8 +379,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -21303,7 +21814,7 @@ index 0f28095..cf33683 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -425,6 +432,7 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +434,10 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -21311,6 +21822,11 @@ index 0f28095..cf33683 100644
  
  cups_stream_connect(cupsd_config_t)
  
+-lpd_read_config(cupsd_config_t)
+-
+ ifdef(`distro_redhat',`
+ 	optional_policy(`
+ 		rpm_read_db(cupsd_config_t)
 @@ -453,6 +461,10 @@ optional_policy(`
  ')
  
@@ -21322,7 +21838,18 @@ index 0f28095..cf33683 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -587,14 +599,16 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -467,6 +479,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	lpd_read_config(cupsd_config_t)
++')
++
++optional_policy(`
+ 	policykit_dbus_chat(cupsd_config_t)
+ 	userdom_read_all_users_state(cupsd_config_t)
+ ')
+@@ -587,13 +603,17 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -21334,13 +21861,15 @@ index 0f28095..cf33683 100644
  userdom_manage_user_home_content_files(cups_pdf_t)
 +userdom_dontaudit_search_admin_dir(cups_pdf_t)
  
- lpd_manage_spool(cups_pdf_t)
- 
+-lpd_manage_spool(cups_pdf_t)
 -
++optional_policy(`
++	lpd_manage_spool(cups_pdf_t)
++')
+ 
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_auto_mountpoints(cups_pdf_t)
- 	fs_manage_nfs_dirs(cups_pdf_t)
-@@ -606,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +626,10 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(cups_pdf_t)
  ')
  
@@ -21351,7 +21880,7 @@ index 0f28095..cf33683 100644
  ########################################
  #
  # HPLIP local policy
-@@ -639,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +663,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -21360,7 +21889,7 @@ index 0f28095..cf33683 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +703,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +709,7 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -21368,6 +21897,19 @@ index 0f28095..cf33683 100644
  
  logging_send_syslog_msg(hplip_t)
  
+@@ -696,8 +721,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+ userdom_dontaudit_search_user_home_dirs(hplip_t)
+ userdom_dontaudit_search_user_home_content(hplip_t)
+ 
+-lpd_read_config(hplip_t)
+-lpd_manage_spool(hplip_t)
++optional_policy(`
++	lpd_read_config(hplip_t)
++	lpd_manage_spool(hplip_t)
++')
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(hplip_t)
 diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
 index c43ff4c..a9783e3 100644
 --- a/policy/modules/services/cvs.if
@@ -21506,7 +22048,7 @@ index a8b93c0..831ce70 100644
  type dante_var_run_t;
  files_pid_file(dante_var_run_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..bbc1a8f 100644
+index 0d5711c..2f38c31 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -21684,7 +22226,7 @@ index 0d5711c..bbc1a8f 100644
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
  ')
-@@ -497,3 +552,22 @@ interface(`dbus_unconfined',`
+@@ -497,3 +552,23 @@ interface(`dbus_unconfined',`
  
  	typeattribute $1 dbusd_unconfined;
  ')
@@ -21707,20 +22249,32 @@ index 0d5711c..bbc1a8f 100644
 +	files_search_pids($1)
 +	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
 +')
++
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 98e5af6..a7472fc 100644
+index 86d09b4..1c0dd9b 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
-@@ -52,7 +52,7 @@ ifdef(`enable_mls',`
+@@ -33,6 +33,7 @@ files_tmp_file(system_dbusd_tmp_t)
+ 
+ type system_dbusd_var_lib_t;
+ files_type(system_dbusd_var_lib_t)
++init_sock_file(system_dbusd_var_lib_t)
+ 
+ type system_dbusd_var_run_t;
+ files_pid_file(system_dbusd_var_run_t)
+@@ -52,9 +53,9 @@ ifdef(`enable_mls',`
  
  # dac_override: /var/run/dbus is owned by messagebus on Debian
  # cjp: dac_override should probably go in a distro_debian
 -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
 +allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
  dontaudit system_dbusd_t self:capability sys_tty_config;
- allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
+-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
++allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
  allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
-@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+ allow system_dbusd_t self:dbus { send_msg acquire_svc };
+ allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+@@ -74,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
  
  read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  
@@ -21732,7 +22286,7 @@ index 98e5af6..a7472fc 100644
  
  kernel_read_system_state(system_dbusd_t)
  kernel_read_kernel_sysctls(system_dbusd_t)
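Review bot: The added `sys_resource` capability and the `setrlimit` process permission for system_dbusd_t carry no rationale, whereas the line immediately above already documents dac_override (`# dac_override: /var/run/dbus is owned by messagebus on Debian`). Presumably the pair is for dbus-daemon raising its own file-descriptor limit at startup; if that is the case, a comment like `# sys_resource/setrlimit: dbus-daemon raises its fd limit for itself` would keep the justification next to the rule in the style the file already uses. The new `init_sock_file(system_dbusd_var_lib_t)` would likewise benefit from a short note naming which socket under the lib directory it is there to label.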
-@@ -111,6 +112,8 @@ auth_read_pam_console_data(system_dbusd_t)
+@@ -111,6 +113,8 @@ auth_read_pam_console_data(system_dbusd_t)
  corecmd_list_bin(system_dbusd_t)
  corecmd_read_bin_pipes(system_dbusd_t)
  corecmd_read_bin_sockets(system_dbusd_t)
@@ -21741,7 +22295,7 @@ index 98e5af6..a7472fc 100644
  
  domain_use_interactive_fds(system_dbusd_t)
  domain_read_all_domains_state(system_dbusd_t)
-@@ -121,7 +124,9 @@ files_read_usr_files(system_dbusd_t)
+@@ -121,7 +125,9 @@ files_read_usr_files(system_dbusd_t)
  
  init_use_fds(system_dbusd_t)
  init_use_script_ptys(system_dbusd_t)
@@ -21751,7 +22305,7 @@ index 98e5af6..a7472fc 100644
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -141,6 +146,14 @@ optional_policy(`
+@@ -141,10 +147,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21759,6 +22313,10 @@ index 98e5af6..a7472fc 100644
 +')
 +
 +optional_policy(`
+ 	cpufreqselector_dbus_chat(system_dbusd_t)
+ ')
+ 
+ optional_policy(`
 +	networkmanager_initrc_domtrans(system_dbusd_t)
 +')
 +
@@ -21766,7 +22324,7 @@ index 98e5af6..a7472fc 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -158,5 +171,12 @@ optional_policy(`
+@@ -162,5 +176,12 @@ optional_policy(`
  #
  # Unconfined access to this module
  #
@@ -22145,7 +22703,7 @@ index f706b99..22b862e 100644
 +	files_list_pids($1)
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..10c33ed 100644
+index f231f17..0d11034 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -22190,7 +22748,7 @@ index f231f17..10c33ed 100644
  fs_list_inotifyfs(devicekit_disk_t)
  fs_manage_fusefs_dirs(devicekit_disk_t)
  fs_mount_all_fs(devicekit_disk_t)
-@@ -178,25 +186,47 @@ optional_policy(`
+@@ -178,33 +186,53 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -22239,7 +22797,15 @@ index f231f17..10c33ed 100644
  kernel_search_debugfs(devicekit_power_t)
  kernel_write_proc_files(devicekit_power_t)
  
-@@ -212,12 +242,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+ corecmd_exec_bin(devicekit_power_t)
+ corecmd_exec_shell(devicekit_power_t)
+ 
+-consoletype_exec(devicekit_power_t)
+-
+ domain_read_all_domains_state(devicekit_power_t)
+ 
+ dev_read_input(devicekit_power_t)
+@@ -212,12 +240,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_generic_chr_files(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
@@ -22256,18 +22822,25 @@ index f231f17..10c33ed 100644
  
  term_use_all_terms(devicekit_power_t)
  
-@@ -225,8 +259,11 @@ auth_use_nsswitch(devicekit_power_t)
- 
- miscfiles_read_localization(devicekit_power_t)
+@@ -227,6 +259,7 @@ miscfiles_read_localization(devicekit_power_t)
  
-+modutils_domtrans_insmod(devicekit_power_t)
-+
  sysnet_read_config(devicekit_power_t)
  sysnet_domtrans_ifconfig(devicekit_power_t)
 +sysnet_domtrans_dhcpc(devicekit_power_t)
  
  userdom_read_all_users_state(devicekit_power_t)
  
+@@ -235,6 +268,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	consoletype_exec(devicekit_power_t)
++')
++
++optional_policy(`
+ 	cron_initrc_domtrans(devicekit_power_t)
+ ')
+ 
 @@ -261,14 +298,21 @@ optional_policy(`
  ')
  
@@ -22291,10 +22864,14 @@ index f231f17..10c33ed 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +320,21 @@ optional_policy(`
+@@ -276,9 +320,25 @@ optional_policy(`
  ')
  
  optional_policy(`
++	modutils_domtrans_insmod(devicekit_power_t)
++')
++
++optional_policy(`
 +	mount_domtrans(devicekit_power_t)
 +')
 +
@@ -22494,10 +23071,10 @@ index 0000000..60c81d6
 +')
 diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
 new file mode 100644
-index 0000000..b4d0dd0
+index 0000000..b7fc006
 --- /dev/null
 +++ b/policy/modules/services/dirsrv-admin.te
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,100 @@
 +policy_module(dirsrv-admin,1.0.0) 
 +
 +########################################
@@ -22545,8 +23122,10 @@ index 0000000..b4d0dd0
 +# Needed for stop and restart scripts
 +dirsrv_read_var_run(dirsrvadmin_t)
 +
-+apache_domtrans(dirsrvadmin_t)
-+apache_signal(dirsrvadmin_t)
++optional_policy(`
++	apache_domtrans(dirsrvadmin_t)
++	apache_signal(dirsrvadmin_t)
++')
 +
 +########################################
 +#
@@ -22555,44 +23134,47 @@ index 0000000..b4d0dd0
 +#
 +#
 +# Create a domain for the CGI scripts
-+apache_content_template(dirsrvadmin)
-+
-+allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
-+allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
-+allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
-+allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
-+
-+kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
-+
-+corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
-+corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
-+corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
-+corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
-+corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
-+
-+files_search_var_lib(httpd_dirsrvadmin_script_t)
-+
-+sysnet_read_config(httpd_dirsrvadmin_script_t)
-+
-+manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
-+
-+# The CGI scripts must be able to manage dirsrv-admin
-+dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
-+dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
-+dirsrv_domtrans(httpd_dirsrvadmin_script_t)
-+dirsrv_signal(httpd_dirsrvadmin_script_t)
-+dirsrv_signull(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_log(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
-+dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
-+dirsrv_manage_config(httpd_dirsrvadmin_script_t)
-+dirsrv_read_share(httpd_dirsrvadmin_script_t)
++
++optional_policy(`
++	apache_content_template(dirsrvadmin)
++
++	allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
++	allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++	allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
++	allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
++	allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
++	allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
++	allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
++
++	kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
++
++	corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
++	corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++	corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
++	corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
++	corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
++
++	files_search_var_lib(httpd_dirsrvadmin_script_t)
++
++	sysnet_read_config(httpd_dirsrvadmin_script_t)
++
++	manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++	manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++	files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
++
++	# The CGI scripts must be able to manage dirsrv-admin
++	dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
++	dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
++	dirsrv_domtrans(httpd_dirsrvadmin_script_t)
++	dirsrv_signal(httpd_dirsrvadmin_script_t)
++	dirsrv_signull(httpd_dirsrvadmin_script_t)
++	dirsrv_manage_log(httpd_dirsrvadmin_script_t)
++	dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
++	dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
++	dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
++	dirsrv_manage_config(httpd_dirsrvadmin_script_t)
++	dirsrv_read_share(httpd_dirsrvadmin_script_t)
++')
 diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc
 new file mode 100644
 index 0000000..3aae725
@@ -24182,7 +24764,7 @@ index 69dcd2a..a9a9116 100644
  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 +/usr/libexec/webmin/vsftpd/webalizer/xfer_log 	--	gen_context(system_u:object_r:xferlog_t,s0)
 diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..eca06f7 100644
+index 8a74a83..826e699 100644
 --- a/policy/modules/services/ftp.te
 +++ b/policy/modules/services/ftp.te
 @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -24284,7 +24866,7 @@ index 8a74a83..eca06f7 100644
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -316,6 +338,23 @@ optional_policy(`
+@@ -316,6 +338,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24299,16 +24881,18 @@ index 8a74a83..eca06f7 100644
 +	')
 +')
 +
-+tunable_policy(`ftpd_connect_db',`
-+	mysql_tcp_connect(ftpd_t)
-+	postgresql_tcp_connect(ftpd_t)
++optional_policy(`
++	tunable_policy(`ftpd_connect_db',`
++		mysql_tcp_connect(ftpd_t)
++		postgresql_tcp_connect(ftpd_t)
++	')
 +')
 +
 +optional_policy(`
  	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
  
  	optional_policy(`
-@@ -347,10 +386,11 @@ optional_policy(`
+@@ -347,10 +388,11 @@ optional_policy(`
  
  # Allow ftpdctl to talk to ftpd over a socket connection
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
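Review bot: The new `optional_policy` block around the `ftpd_connect_db` tunable holds calls into two different modules, `mysql_tcp_connect(ftpd_t)` and `postgresql_tcp_connect(ftpd_t)`, so the whole block is dropped when either the mysql or the postgresql module is absent from the build. The refpolicy convention is one `optional_policy` per module; the tunable should be split into two blocks, each containing its own `tunable_policy` on `ftpd_connect_db` with a single connect call. As written, a host with only mysql policy loaded gets no ftpd database-connect rule even with the boolean enabled.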
@@ -24321,7 +24905,7 @@ index 8a74a83..eca06f7 100644
  files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
  
  # Allow ftpdctl to read config files
-@@ -368,15 +408,28 @@ files_read_etc_files(sftpd_t)
+@@ -368,15 +410,28 @@ files_read_etc_files(sftpd_t)
  # allow read access to /home by default
  userdom_read_user_home_content_files(sftpd_t)
  userdom_read_user_home_content_symlinks(sftpd_t)
@@ -25169,10 +25753,10 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..74db53c 100644
+index 4fde46b..f757926 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
-@@ -15,11 +15,14 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -15,19 +15,20 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
  #
  
  allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
@@ -25188,7 +25772,23 @@ index 4fde46b..74db53c 100644
  
  files_read_etc_files(gnomeclock_t)
  files_read_usr_files(gnomeclock_t)
-@@ -39,6 +42,15 @@ optional_policy(`
+ 
+ auth_use_nsswitch(gnomeclock_t)
+ 
+-clock_domtrans(gnomeclock_t)
+-
+ miscfiles_read_localization(gnomeclock_t)
+ miscfiles_manage_localization(gnomeclock_t)
+ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +36,23 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+ userdom_read_all_users_state(gnomeclock_t)
+ 
+ optional_policy(`
++	clock_domtrans(gnomeclock_t)
++')
++
++optional_policy(`
+ 	consolekit_dbus_chat(gnomeclock_t)
  ')
  
  optional_policy(`
@@ -25289,6 +25889,30 @@ index 03742d8..2a87d1e 100644
  	dbus_system_bus_client(gpsd_t)
  ')
  
+diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
+index 2d0b4e1..804d347 100644
+--- a/policy/modules/services/hadoop.if
++++ b/policy/modules/services/hadoop.if
+@@ -175,8 +175,6 @@ template(`hadoop_domain_template',`
+ 	files_read_etc_files(hadoop_$1_initrc_t)
+ 	files_read_usr_files(hadoop_$1_initrc_t)
+ 
+-	consoletype_exec(hadoop_$1_initrc_t)
+-
+ 	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+ 	fs_search_cgroup_dirs(hadoop_$1_initrc_t)
+ 
+@@ -196,6 +194,10 @@ template(`hadoop_domain_template',`
+ 	userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
+ 
+ 	optional_policy(`
++		consoletype_exec(hadoop_$1_initrc_t)
++	')
++
++	optional_policy(`
+ 		nscd_socket_use(hadoop_$1_initrc_t)
+ 	')
+ ')
 diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
 index c98b0df..3b1a051 100644
 --- a/policy/modules/services/hal.fc
@@ -25408,7 +26032,7 @@ index 7cf6763..ce32fe5 100644
 +	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 +')
 diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
-index 24c6253..f11fa08 100644
+index 24c6253..9376ea0 100644
 --- a/policy/modules/services/hal.te
 +++ b/policy/modules/services/hal.te
 @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
@@ -25438,7 +26062,23 @@ index 24c6253..f11fa08 100644
  dev_rw_generic_usb_dev(hald_t)
  dev_setattr_generic_usb_dev(hald_t)
  dev_setattr_usbfs_files(hald_t)
-@@ -211,13 +215,19 @@ seutil_read_config(hald_t)
+@@ -186,8 +190,6 @@ term_use_unallocated_ttys(hald_t)
+ 
+ auth_use_nsswitch(hald_t)
+ 
+-fstools_getattr_swap_files(hald_t)
+-
+ init_domtrans_script(hald_t)
+ init_read_utmp(hald_t)
+ #hal runs shutdown, probably need a shutdown domain
+@@ -204,20 +206,25 @@ logging_search_logs(hald_t)
+ miscfiles_read_localization(hald_t)
+ miscfiles_read_hwdata(hald_t)
+ 
+-modutils_domtrans_insmod(hald_t)
+-modutils_read_module_deps(hald_t)
+-
+ seutil_read_config(hald_t)
  seutil_read_default_contexts(hald_t)
  seutil_read_file_contexts(hald_t)
  
@@ -25455,11 +26095,13 @@ index 24c6253..f11fa08 100644
  userdom_dontaudit_search_user_home_dirs(hald_t)
 +userdom_stream_connect(hald_t)
 +
-+netutils_domtrans(hald_t)
++optional_policy(`
++	netutils_domtrans(hald_t)
++')
  
  optional_policy(`
  	alsa_domtrans(hald_t)
-@@ -252,8 +262,7 @@ optional_policy(`
+@@ -252,8 +259,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25469,7 +26111,7 @@ index 24c6253..f11fa08 100644
  
  	init_dbus_chat_script(hald_t)
  
-@@ -263,11 +272,20 @@ optional_policy(`
+@@ -263,15 +269,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25490,7 +26132,27 @@ index 24c6253..f11fa08 100644
  	gpm_dontaudit_getattr_gpmctl(hald_t)
  ')
  
-@@ -302,7 +320,7 @@ optional_policy(`
+ optional_policy(`
++	fstools_getattr_swap_files(hald_t)
++')
++
++optional_policy(`
+ 	hotplug_read_config(hald_t)
+ ')
+ 
+@@ -280,6 +299,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	modutils_domtrans_insmod(hald_t)
++	modutils_read_module_deps(hald_t)
++')
++
++optional_policy(`
+ 	mount_domtrans(hald_t)
+ ')
+ 
+@@ -302,7 +326,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25499,7 +26161,7 @@ index 24c6253..f11fa08 100644
  	policykit_domtrans_auth(hald_t)
  	policykit_domtrans_resolve(hald_t)
  	policykit_read_lib(hald_t)
-@@ -318,6 +336,10 @@ optional_policy(`
+@@ -318,6 +342,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25510,7 +26172,7 @@ index 24c6253..f11fa08 100644
  	udev_domtrans(hald_t)
  	udev_read_db(hald_t)
  ')
-@@ -338,6 +360,10 @@ optional_policy(`
+@@ -338,6 +366,10 @@ optional_policy(`
  	virt_manage_images(hald_t)
  ')
  
@@ -25521,7 +26183,7 @@ index 24c6253..f11fa08 100644
  ########################################
  #
  # Hal acl local policy
-@@ -358,6 +384,7 @@ files_search_var_lib(hald_acl_t)
+@@ -358,6 +390,7 @@ files_search_var_lib(hald_acl_t)
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -25529,7 +26191,7 @@ index 24c6253..f11fa08 100644
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -388,7 +415,7 @@ logging_send_syslog_msg(hald_acl_t)
+@@ -388,7 +421,7 @@ logging_send_syslog_msg(hald_acl_t)
  miscfiles_read_localization(hald_acl_t)
  
  optional_policy(`
@@ -25538,17 +26200,30 @@ index 24c6253..f11fa08 100644
  	policykit_domtrans_auth(hald_acl_t)
  	policykit_read_lib(hald_acl_t)
  	policykit_read_reload(hald_acl_t)
-@@ -470,6 +497,10 @@ files_read_usr_files(hald_keymap_t)
+@@ -470,6 +503,12 @@ files_read_usr_files(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
  
-+# This is caused by a bug in hald and PolicyKit.
-+# Should be removed when this is fixed
-+cron_read_system_job_lib_files(hald_t)
++optional_policy(`
++	# This is caused by a bug in hald and PolicyKit.
++	# Should be removed when this is fixed
++	cron_read_system_job_lib_files(hald_t)
++')
 +
  ########################################
  #
  # Local hald dccm policy
+@@ -524,7 +563,9 @@ files_read_usr_files(hald_dccm_t)
+ 
+ miscfiles_read_localization(hald_dccm_t)
+ 
+-hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
++optional_policy(`
++	hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
++')
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(hald_dccm_t)
 diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if
 index 87b4531..db2d189 100644
 --- a/policy/modules/services/hddtemp.if
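Review bot: The `optional_policy` block added around `cron_read_system_job_lib_files(hald_t)` sits in the hald_keymap_t section, directly before `# Local hald dccm policy`, although the rule targets hald_t; it belongs with the other hald_t optional blocks earlier in the file, where this same patch series already relocates the fstools and modutils calls. The `# Should be removed when this is fixed` comment carries no reference, so a later reader cannot tell whether the hald/PolicyKit bug is still open; `# TODO(<BUG-ID-PLACEHOLDER>): remove once the hald/PolicyKit bug is fixed` would make the workaround trackable. Further down, wrapping `hal_dontaudit_rw_dgram_sockets(hald_dccm_t)` in `optional_policy` is redundant, since that interface is defined by the hal module itself and can never be missing from hal.te.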
@@ -27563,10 +28238,10 @@ index 0000000..f60483e
 +')
 diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
 new file mode 100644
-index 0000000..b7d8f2f
+index 0000000..fa43044
 --- /dev/null
 +++ b/policy/modules/services/mock.te
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,125 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -27673,8 +28348,6 @@ index 0000000..b7d8f2f
 +
 +miscfiles_read_localization(mock_t)
 +
-+mount_domtrans(mock_t)
-+
 +userdom_use_user_ptys(mock_t)
 +
 +tunable_policy(`mock_enable_homedirs',`
@@ -27682,6 +28355,10 @@ index 0000000..b7d8f2f
 +')
 +
 +optional_policy(`
++	mount_domtrans(mock_t)
++')
++
++optional_policy(`
 +	rpm_exec(mock_t)
 +	rpm_manage_db(mock_t)
 +	rpm_entry_type(mock_t)
@@ -27707,7 +28384,7 @@ index 3368699..7a7fc02 100644
  #
  interface(`modemmanager_domtrans',`
 diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
-index b3ace16..7f18c33 100644
+index b3ace16..812a9ff 100644
 --- a/policy/modules/services/modemmanager.te
 +++ b/policy/modules/services/modemmanager.te
 @@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
@@ -27720,7 +28397,7 @@ index b3ace16..7f18c33 100644
  allow modemmanager_t self:fifo_file rw_file_perms;
  allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
  allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -28,6 +29,7 @@ dev_rw_modem(modemmanager_t)
+@@ -28,13 +29,24 @@ dev_rw_modem(modemmanager_t)
  
  files_read_etc_files(modemmanager_t)
  
@@ -27728,20 +28405,24 @@ index b3ace16..7f18c33 100644
  term_use_unallocated_ttys(modemmanager_t)
  
  miscfiles_read_localization(modemmanager_t)
-@@ -37,5 +39,13 @@ logging_send_syslog_msg(modemmanager_t)
- networkmanager_dbus_chat(modemmanager_t)
  
- optional_policy(`
-+	devicekit_dbus_chat_power(modemmanager_t)
+ logging_send_syslog_msg(modemmanager_t)
+ 
+-networkmanager_dbus_chat(modemmanager_t)
++optional_policy(`
++	networkmanager_dbus_chat(modemmanager_t)
 +')
 +
 +optional_policy(`
-+	policykit_dbus_chat(modemmanager_t)
++	devicekit_dbus_chat_power(modemmanager_t)
 +')
 +
 +optional_policy(`
++	policykit_dbus_chat(modemmanager_t)
++')
+ 
+ optional_policy(`
  	udev_read_db(modemmanager_t)
- ')
 diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if
 index 657a9fc..88e7330 100644
 --- a/policy/modules/services/mojomojo.if
@@ -29161,7 +29842,7 @@ index e9c0982..f11e4f2 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..579f237 100644
+index 0a0d63c..91de41a 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
 @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -29228,7 +29909,7 @@ index 0a0d63c..579f237 100644
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
  read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -175,6 +180,7 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t)
  
  domain_read_all_domains_state(mysqld_safe_t)
  
@@ -29236,12 +29917,12 @@ index 0a0d63c..579f237 100644
  files_read_etc_files(mysqld_safe_t)
  files_read_usr_files(mysqld_safe_t)
  files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-@@ -183,11 +189,14 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  
- hostname_exec(mysqld_safe_t)
+ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  
+-hostname_exec(mysqld_safe_t)
 +logging_send_syslog_msg(mysqld_safe_t)
-+
+ 
  miscfiles_read_localization(mysqld_safe_t)
  
  mysql_manage_db_files(mysqld_safe_t)
@@ -29250,7 +29931,13 @@ index 0a0d63c..579f237 100644
 +mysql_signull(mysqld_safe_t)
  mysql_write_log(mysqld_safe_t)
  
++optional_policy(`
++	hostname_exec(mysqld_safe_t)
++')
++
  ########################################
+ #
+ # MySQL Manager Policy
 diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
 index 8581040..2367841 100644
 --- a/policy/modules/services/nagios.if
@@ -29598,7 +30285,7 @@ index 2324d9e..8069487 100644
 +	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..cd5c974 100644
+index 0619395..3a396a1 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -29652,9 +30339,18 @@ index 0619395..cd5c974 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -141,22 +157,32 @@ sysnet_domtrans_ifconfig(NetworkManager_t)
+@@ -133,30 +149,37 @@ logging_send_syslog_msg(NetworkManager_t)
+ miscfiles_read_localization(NetworkManager_t)
+ miscfiles_read_generic_certs(NetworkManager_t)
+ 
+-modutils_domtrans_insmod(NetworkManager_t)
+-
+ seutil_read_config(NetworkManager_t)
+ 
+ sysnet_domtrans_ifconfig(NetworkManager_t)
  sysnet_domtrans_dhcpc(NetworkManager_t)
  sysnet_signal_dhcpc(NetworkManager_t)
++sysnet_signull_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_pid(NetworkManager_t)
 +sysnet_read_dhcp_config(NetworkManager_t)
  sysnet_delete_dhcpc_pid(NetworkManager_t)
@@ -29673,8 +30369,6 @@ index 0619395..cd5c974 100644
 +userdom_read_home_certs(NetworkManager_t)
  userdom_read_user_home_content_files(NetworkManager_t)
 +userdom_dgram_send(NetworkManager_t)
-+
-+cron_read_system_job_lib_files(NetworkManager_t)
  
  optional_policy(`
  	avahi_domtrans(NetworkManager_t)
@@ -29685,12 +30379,16 @@ index 0619395..cd5c974 100644
  ')
  
  optional_policy(`
-@@ -172,14 +198,17 @@ optional_policy(`
+@@ -172,14 +195,21 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	consoletype_exec(NetworkManager_t)
 +	consoletype_domtrans(NetworkManager_t)
++')
++
++optional_policy(`
++	cron_read_system_job_lib_files(NetworkManager_t)
  ')
  
  optional_policy(`
@@ -29704,7 +30402,7 @@ index 0619395..cd5c974 100644
  	')
  ')
  
-@@ -202,6 +231,17 @@ optional_policy(`
+@@ -202,6 +232,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29722,15 +30420,19 @@ index 0619395..cd5c974 100644
  	iptables_domtrans(NetworkManager_t)
  ')
  
-@@ -219,6 +259,7 @@ optional_policy(`
+@@ -219,6 +260,11 @@ optional_policy(`
  ')
  
  optional_policy(`
++	modutils_domtrans_insmod(NetworkManager_t)
++')
++
++optional_policy(`
 +	openvpn_read_config(NetworkManager_t)
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -263,6 +304,7 @@ optional_policy(`
+@@ -263,6 +309,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -30839,7 +31541,7 @@ index ceafba6..eca6852 100644
  
  # pid files
 diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
-index 3185114..790742c 100644
+index 3185114..514e127 100644
 --- a/policy/modules/services/pegasus.te
 +++ b/policy/modules/services/pegasus.te
 @@ -16,7 +16,7 @@ type pegasus_tmp_t;
@@ -30890,7 +31592,7 @@ index 3185114..790742c 100644
  
  corenet_all_recvfrom_unlabeled(pegasus_t)
  corenet_all_recvfrom_netlabel(pegasus_t)
-@@ -95,13 +98,12 @@ files_getattr_all_dirs(pegasus_t)
+@@ -95,17 +98,14 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -30905,8 +31607,12 @@ index 3185114..790742c 100644
 +files_read_all_files(pegasus_t)
  files_read_var_lib_symlinks(pegasus_t)
  
- hostname_exec(pegasus_t)
-@@ -114,7 +116,6 @@ logging_send_syslog_msg(pegasus_t)
+-hostname_exec(pegasus_t)
+-
+ init_rw_utmp(pegasus_t)
+ init_stream_connect_script(pegasus_t)
+ 
+@@ -114,17 +114,28 @@ logging_send_syslog_msg(pegasus_t)
  
  miscfiles_read_localization(pegasus_t)
  
@@ -30914,7 +31620,14 @@ index 3185114..790742c 100644
  sysnet_domtrans_ifconfig(pegasus_t)
  
  userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
-@@ -125,6 +126,14 @@ optional_policy(`
+ userdom_dontaudit_search_user_home_dirs(pegasus_t)
+ 
+ optional_policy(`
++	hostname_exec(pegasus_t)
++')
++
++optional_policy(`
+ 	rpm_exec(pegasus_t)
  ')
  
  optional_policy(`
@@ -30929,7 +31642,7 @@ index 3185114..790742c 100644
  	seutil_sigchld_newrole(pegasus_t)
  	seutil_dontaudit_read_config(pegasus_t)
  ')
-@@ -136,3 +145,13 @@ optional_policy(`
+@@ -136,3 +147,13 @@ optional_policy(`
  optional_policy(`
  	unconfined_signull(pegasus_t)
  ')
@@ -31213,10 +31926,10 @@ index 0000000..6403c17
 +')
 diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
 new file mode 100644
-index 0000000..5793840
+index 0000000..d8f53f3
 --- /dev/null
 +++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,219 @@
+@@ -0,0 +1,223 @@
 +policy_module(piranha, 1.0.0)
 +
 +########################################
@@ -31271,7 +31984,9 @@ index 0000000..5793840
 +
 +domain_read_all_domains_state(piranha_fos_t)
 +
-+consoletype_exec(piranha_fos_t)
++optional_policy(`
++	consoletype_exec(piranha_fos_t)
++')
 +
 +# start and stop services
 +init_domtrans_script(piranha_fos_t)
@@ -31324,7 +32039,9 @@ index 0000000..5793840
 +
 +files_read_usr_files(piranha_web_t)
 +
-+consoletype_exec(piranha_web_t)
++optional_policy(`
++	consoletype_exec(piranha_web_t)
++')
 +
 +optional_policy(`
 +	apache_read_config(piranha_web_t)
@@ -31660,10 +32377,18 @@ index 9759ed8..48a5431 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index fb8dc84..57fcfe1 100644
+index 06e217d..179e320 100644
 --- a/policy/modules/services/plymouthd.te
 +++ b/policy/modules/services/plymouthd.te
-@@ -19,6 +19,9 @@ files_type(plymouthd_spool_t)
+@@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1)
+ type plymouth_t;
+ type plymouth_exec_t;
+ application_domain(plymouth_t, plymouth_exec_t)
++role system_r types plymouth_t;
+ 
+ type plymouthd_t;
+ type plymouthd_exec_t;
+@@ -19,6 +20,9 @@ files_type(plymouthd_spool_t)
  type plymouthd_var_lib_t;
  files_type(plymouthd_var_lib_t)
  
@@ -31673,7 +32398,7 @@ index fb8dc84..57fcfe1 100644
  type plymouthd_var_run_t;
  files_pid_file(plymouthd_var_run_t)
  
-@@ -42,6 +45,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+@@ -42,6 +46,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
  manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
  files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
  
@@ -31684,7 +32409,7 @@ index fb8dc84..57fcfe1 100644
  manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
  manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
  files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -60,10 +67,22 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -60,10 +68,22 @@ domain_use_interactive_fds(plymouthd_t)
  files_read_etc_files(plymouthd_t)
  files_read_usr_files(plymouthd_t)
  
@@ -31707,7 +32432,7 @@ index fb8dc84..57fcfe1 100644
  ########################################
  #
  # Plymouth private policy
-@@ -74,6 +93,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +94,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
  allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
  
  kernel_read_system_state(plymouth_t)
@@ -31715,7 +32440,7 @@ index fb8dc84..57fcfe1 100644
  
  domain_use_interactive_fds(plymouth_t)
  
-@@ -87,7 +107,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +108,7 @@ sysnet_read_config(plymouth_t)
  
  plymouthd_stream_connect(plymouth_t)
  
@@ -31744,7 +32469,7 @@ index 27c739c..c65d18f 100644
  /var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
  
 diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if
-index 48ff1e8..13cdc77 100644
+index 48ff1e8..be00a65 100644
 --- a/policy/modules/services/policykit.if
 +++ b/policy/modules/services/policykit.if
 @@ -17,18 +17,43 @@ interface(`policykit_dbus_chat',`
@@ -31835,13 +32560,15 @@ index 48ff1e8..13cdc77 100644
  ## </param>
  #
  interface(`policykit_domtrans_resolve',`
-@@ -206,4 +235,48 @@ interface(`policykit_read_lib',`
+@@ -206,4 +235,50 @@ interface(`policykit_read_lib',`
  
  	files_search_var_lib($1)
  	read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
 +
-+	# Broken placement
-+	cron_read_system_job_lib_files($1)
++	optional_policy(`
++		# Broken placement
++		cron_read_system_job_lib_files($1)
++	')
 +')
 +
 +#######################################
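Review bot: The `cron_read_system_job_lib_files($1)` call kept inside `policykit_read_lib` grants every caller of this interface read access to cron's system job lib files, a permission unrelated to the interface's documented purpose, and the hunk only wraps it in `optional_policy` while leaving the `# Broken placement` comment as the sole explanation. If the workaround cannot yet move to the one domain that needs it, the comment should say which caller fails and why, e.g. `# Workaround: <DOMAIN-PLACEHOLDER> needs cron system job lib files via this path; move to that domain's .te once confirmed`, so the extra grant can be removed later. The enclosing interface starts outside the hunk.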
@@ -33573,7 +34300,7 @@ index bc329d1..0589f97 100644
  	admin_pattern($1, psad_tmp_t)
  ')
 diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te
-index d4000e0..93cbfa2 100644
+index d4000e0..312e537 100644
 --- a/policy/modules/services/psad.te
 +++ b/policy/modules/services/psad.te
 @@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t)
@@ -33597,7 +34324,7 @@ index d4000e0..93cbfa2 100644
  
  # tmp files
  manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
-@@ -85,6 +86,7 @@ corenet_sendrecv_whois_client_packets(psad_t)
+@@ -85,13 +86,12 @@ corenet_sendrecv_whois_client_packets(psad_t)
  dev_read_urand(psad_t)
  
  files_read_etc_runtime_files(psad_t)
@@ -33605,6 +34332,24 @@ index d4000e0..93cbfa2 100644
  
  fs_getattr_all_fs(psad_t)
  
+ auth_use_nsswitch(psad_t)
+ 
+-iptables_domtrans(psad_t)
+-
+ logging_read_generic_logs(psad_t)
+ logging_read_syslog_config(psad_t)
+ logging_send_syslog_msg(psad_t)
+@@ -101,6 +101,10 @@ miscfiles_read_localization(psad_t)
+ sysnet_exec_ifconfig(psad_t)
+ 
+ optional_policy(`
++	iptables_domtrans(psad_t)
++')
++
++optional_policy(`
+ 	mta_send_mail(psad_t)
+ 	mta_read_queue(psad_t)
+ ')
 diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
 index 2855a44..0456b11 100644
 --- a/policy/modules/services/puppet.if
@@ -34832,7 +35577,7 @@ index 852840b..1244ab2 100644
 +	')
  ')
 diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
-index 0a76027..88ac667 100644
+index 0a76027..364903e 100644
 --- a/policy/modules/services/remotelogin.te
 +++ b/policy/modules/services/remotelogin.te
 @@ -49,6 +49,7 @@ fs_getattr_xattr_fs(remote_login_t)
@@ -34852,27 +35597,32 @@ index 0a76027..88ac667 100644
  
  miscfiles_read_localization(remote_login_t)
  
-@@ -87,6 +88,7 @@ userdom_search_user_home_content(remote_login_t)
+@@ -87,9 +88,7 @@ userdom_search_user_home_content(remote_login_t)
  # since very weak authentication is used.
  userdom_signal_unpriv_users(remote_login_t)
  userdom_spec_domtrans_unpriv_users(remote_login_t)
+-
+-# Search for mail spool file.
+-mta_getattr_spool(remote_login_t)
 +userdom_use_user_ptys(remote_login_t)
  
- # Search for mail spool file.
- mta_getattr_spool(remote_login_t)
-@@ -106,15 +108,10 @@ optional_policy(`
+ tunable_policy(`use_nfs_home_dirs',`
+ 	fs_read_nfs_files(remote_login_t)
+@@ -106,15 +105,15 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	nis_use_ypbind(remote_login_t)
-+	telnet_use_ptys(remote_login_t)
++	# Search for mail spool file.
++	mta_getattr_spool(remote_login_t)
  ')
  
  optional_policy(`
 -	nscd_socket_use(remote_login_t)
--')
--
--optional_policy(`
++	telnet_use_ptys(remote_login_t)
+ ')
+ 
+ optional_policy(`
 -	unconfined_domain(remote_login_t)
  	unconfined_shell_domtrans(remote_login_t)
  ')
@@ -34982,7 +35732,7 @@ index 7dc38d1..9c2c963 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..f107bbb 100644
+index 00fa514..1ef4cc6 100644
 --- a/policy/modules/services/rgmanager.te
 +++ b/policy/modules/services/rgmanager.te
 @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -35034,7 +35784,15 @@ index 00fa514..f107bbb 100644
  kernel_read_system_state(rgmanager_t)
  kernel_rw_rpc_sysctls(rgmanager_t)
  kernel_search_debugfs(rgmanager_t)
-@@ -78,14 +83,19 @@ domain_read_all_domains_state(rgmanager_t)
+@@ -67,7 +72,6 @@ kernel_search_network_state(rgmanager_t)
+ 
+ corecmd_exec_bin(rgmanager_t)
+ corecmd_exec_shell(rgmanager_t)
+-consoletype_exec(rgmanager_t)
+ 
+ # need to write to /dev/misc/dlm-control
+ dev_rw_dlm_control(rgmanager_t)
+@@ -78,18 +82,22 @@ domain_read_all_domains_state(rgmanager_t)
  domain_getattr_all_domains(rgmanager_t)
  domain_dontaudit_ptrace_all_domains(rgmanager_t)
  
@@ -35055,10 +35813,27 @@ index 00fa514..f107bbb 100644
  storage_getattr_fixed_disk_dev(rgmanager_t)
  
  term_getattr_pty_fs(rgmanager_t)
-@@ -118,6 +128,10 @@ optional_policy(`
+-#term_use_ptmx(rgmanager_t)
+ 
+ # needed by resources scripts
+ auth_read_all_files_except_shadow(rgmanager_t)
+@@ -100,8 +108,6 @@ logging_send_syslog_msg(rgmanager_t)
+ 
+ miscfiles_read_localization(rgmanager_t)
+ 
+-mount_domtrans(rgmanager_t)
+-
+ tunable_policy(`rgmanager_can_network_connect',`
+ 	corenet_tcp_connect_all_ports(rgmanager_t)
+ ')
+@@ -118,6 +124,14 @@ optional_policy(`
  ')
  
  optional_policy(`
++	consoletype_exec(rgmanager_t)
++')
++
++optional_policy(`
 +    dbus_system_bus_client(rgmanager_t)
 +')
 +
@@ -35066,7 +35841,7 @@ index 00fa514..f107bbb 100644
  	fstools_domtrans(rgmanager_t)
  ')
  
-@@ -140,6 +154,11 @@ optional_policy(`
+@@ -140,6 +154,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35075,6 +35850,10 @@ index 00fa514..f107bbb 100644
 +')
 +
 +optional_policy(`
++	mount_domtrans(rgmanager_t)
++')
++
++optional_policy(`
  	mysql_domtrans_mysql_safe(rgmanager_t)
  	mysql_stream_connect(rgmanager_t)
  ')
@@ -35684,7 +36463,7 @@ index f7826f9..3128dd8 100644
 +	admin_pattern($1, ricci_var_run_t)
 +')
 diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..052a1ff 100644
+index 33e72e8..b71d193 100644
 --- a/policy/modules/services/ricci.te
 +++ b/policy/modules/services/ricci.te
 @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -35750,7 +36529,43 @@ index 33e72e8..052a1ff 100644
  
  domain_read_all_domains_state(ricci_modcluster_t)
  
-@@ -241,8 +250,7 @@ optional_policy(`
+@@ -209,13 +218,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
+ 
+ miscfiles_read_localization(ricci_modcluster_t)
+ 
+-modutils_domtrans_insmod(ricci_modcluster_t)
+-
+-mount_domtrans(ricci_modcluster_t)
+-
+-consoletype_exec(ricci_modcluster_t)
+-
+-ricci_stream_connect_modclusterd(ricci_modcluster_t)
++optional_policy(`
++	ricci_stream_connect_modclusterd(ricci_modcluster_t)
++')
+ 
+ optional_policy(`
+ 	aisexec_stream_connect(ricci_modcluster_t)
+@@ -233,6 +238,18 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	modutils_domtrans_insmod(ricci_modcluster_t)
++')
++
++optional_policy(`
++	mount_domtrans(ricci_modcluster_t)
++')
++
++optional_policy(`
++	consoletype_exec(ricci_modcluster_t)
++')
++
++optional_policy(`
+ 	nscd_socket_use(ricci_modcluster_t)
+ ')
+ 
+@@ -241,8 +258,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35760,7 +36575,7 @@ index 33e72e8..052a1ff 100644
  ')
  
  ########################################
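Review bot: `ricci_stream_connect_modclusterd(ricci_modcluster_t)` is placed in an `optional_policy` block although it is an interface of the ricci module itself, so the block can never be optional and the call can stay bare as it was before. The three new blocks for modutils, mount and consoletype are otherwise fine, but the surrounding optional blocks are kept in alphabetical order (`aisexec` ... `nscd`), and `consoletype_exec` being inserted after `mount_domtrans` breaks that ordering; moving the consoletype block ahead of modutils keeps the file consistent with the rest of the hunk series.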
-@@ -261,6 +269,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
+@@ -261,6 +277,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
  allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
  allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
  
@@ -35771,7 +36586,7 @@ index 33e72e8..052a1ff 100644
  allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
  manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
  manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +284,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
+@@ -272,6 +292,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
  
  kernel_read_kernel_sysctls(ricci_modclusterd_t)
  kernel_read_system_state(ricci_modclusterd_t)
@@ -35779,7 +36594,27 @@ index 33e72e8..052a1ff 100644
  
  corecmd_exec_bin(ricci_modclusterd_t)
  
-@@ -444,6 +457,12 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -394,8 +415,6 @@ files_search_usr(ricci_modservice_t)
+ # Needed for running chkconfig
+ files_manage_etc_symlinks(ricci_modservice_t)
+ 
+-consoletype_exec(ricci_modservice_t)
+-
+ init_domtrans_script(ricci_modservice_t)
+ 
+ miscfiles_read_localization(ricci_modservice_t)
+@@ -405,6 +424,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	consoletype_exec(ricci_modservice_t)
++')
++
++optional_policy(`
+ 	nscd_dontaudit_search_pid(ricci_modservice_t)
+ ')
+ 
+@@ -444,22 +467,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
  
@@ -35792,6 +36627,50 @@ index 33e72e8..052a1ff 100644
  storage_raw_read_fixed_disk(ricci_modstorage_t)
  
  term_dontaudit_use_console(ricci_modstorage_t)
+ 
+-fstools_domtrans(ricci_modstorage_t)
+-
+ logging_send_syslog_msg(ricci_modstorage_t)
+ 
+ miscfiles_read_localization(ricci_modstorage_t)
+ 
+-modutils_read_module_deps(ricci_modstorage_t)
+-
+-consoletype_exec(ricci_modstorage_t)
+-
+-mount_domtrans(ricci_modstorage_t)
+-
+ optional_policy(`
+ 	aisexec_stream_connect(ricci_modstorage_t)
+ 	corosync_stream_connect(ricci_modstorage_t)
+@@ -471,11 +492,27 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	consoletype_exec(ricci_modstorage_t)
++')
++
++optional_policy(`
++	fstools_domtrans(ricci_modstorage_t)
++')
++
++optional_policy(`
+ 	lvm_domtrans(ricci_modstorage_t)
+ 	lvm_manage_config(ricci_modstorage_t)
+ ')
+ 
+ optional_policy(`
++	modutils_read_module_deps(ricci_modstorage_t)
++')
++
++optional_policy(`
++	mount_domtrans(ricci_modstorage_t)
++')
++
++optional_policy(`
+ 	nscd_socket_use(ricci_modstorage_t)
+ ')
+ 
 diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc
 index 2785337..c3c2775 100644
 --- a/policy/modules/services/rlogin.fc
@@ -35805,7 +36684,7 @@ index 2785337..c3c2775 100644
  /usr/kerberos/sbin/klogind	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
  
 diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..0155ca7 100644
+index 779fa44..cdfebe3 100644
 --- a/policy/modules/services/rlogin.te
 +++ b/policy/modules/services/rlogin.te
 @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -35842,16 +36721,30 @@ index 779fa44..0155ca7 100644
  
  files_read_etc_files(rlogind_t)
  files_read_etc_runtime_files(rlogind_t)
-@@ -88,6 +87,9 @@ seutil_read_config(rlogind_t)
+@@ -88,9 +87,9 @@ seutil_read_config(rlogind_t)
  userdom_setattr_user_ptys(rlogind_t)
  # cjp: this is egregious
  userdom_read_user_home_content_files(rlogind_t)
+-
+-remotelogin_domtrans(rlogind_t)
+-remotelogin_signal(rlogind_t)
 +userdom_search_admin_dir(rlogind_t)
 +userdom_manage_user_tmp_files(rlogind_t)
 +userdom_tmp_filetrans_user_tmp(rlogind_t, file)
  
- remotelogin_domtrans(rlogind_t)
- remotelogin_signal(rlogind_t)
+ rlogin_read_home_content(rlogind_t)
+ 
+@@ -112,5 +111,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	remotelogin_domtrans(rlogind_t)
++	remotelogin_signal(rlogind_t)
++')
++
++optional_policy(`
+ 	tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
+ ')
 diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
 index 5c70c0c..6842295 100644
 --- a/policy/modules/services/rpc.fc
@@ -35955,7 +36848,7 @@ index cda37bb..484e552 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 8e1ab72..e6821be 100644
+index 8e1ab72..eaa8036 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
 @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -36061,7 +36954,15 @@ index 8e1ab72..e6821be 100644
  
  manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -218,6 +236,8 @@ tunable_policy(`allow_gssd_read_tmp',`
+@@ -210,14 +228,14 @@ auth_manage_cache(gssd_t)
+ 
+ miscfiles_read_generic_certs(gssd_t)
+ 
+-mount_signal(gssd_t)
+-
+ userdom_signal_all_users(gssd_t)
+ 
+ tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_user_tmp(gssd_t)
  	userdom_read_user_tmp_files(gssd_t)
  	userdom_read_user_tmp_symlinks(gssd_t)
@@ -36070,6 +36971,17 @@ index 8e1ab72..e6821be 100644
  ')
  
  optional_policy(`
+@@ -229,6 +247,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	mount_signal(gssd_t)
++')
++
++optional_policy(`
+ 	pcscd_read_pub_files(gssd_t)
+ ')
+ 
 diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc
 index f5c47d6..5a965e9 100644
 --- a/policy/modules/services/rpcbind.fc
@@ -36676,7 +37588,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..00a9125 100644
+index e30bb63..ef1edc6 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -36813,7 +37725,27 @@ index e30bb63..00a9125 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -677,7 +675,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -644,8 +642,6 @@ auth_use_nsswitch(smbmount_t)
+ 
+ miscfiles_read_localization(smbmount_t)
+ 
+-mount_use_fds(smbmount_t)
+-
+ locallogin_use_fds(smbmount_t)
+ 
+ logging_search_logs(smbmount_t)
+@@ -657,6 +653,10 @@ optional_policy(`
+ 	cups_read_rw_config(smbmount_t)
+ ')
+ 
++optional_policy(`
++	mount_use_fds(smbmount_t)
++')
++
+ ########################################
+ #
+ # SWAT Local policy
+@@ -677,7 +677,7 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -36822,7 +37754,7 @@ index e30bb63..00a9125 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +690,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +692,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -36837,7 +37769,7 @@ index e30bb63..00a9125 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +710,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +712,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -36845,7 +37777,7 @@ index e30bb63..00a9125 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +755,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +757,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -36854,7 +37786,7 @@ index e30bb63..00a9125 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -806,15 +809,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +811,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -36876,7 +37808,7 @@ index e30bb63..00a9125 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +837,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +839,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -36884,7 +37816,7 @@ index e30bb63..00a9125 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -922,6 +927,18 @@ optional_policy(`
+@@ -922,6 +929,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -36903,7 +37835,7 @@ index e30bb63..00a9125 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +949,12 @@ optional_policy(`
+@@ -932,9 +951,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -37170,7 +38102,7 @@ index 22dac1f..b6781d5 100644
 +	unconfined_domain_noaudit(unconfined_sendmail_t)
  ')
 diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
-index 22dfeb4..d9f5dbc 100644
+index bcdd16c..7c379a8 100644
 --- a/policy/modules/services/setroubleshoot.if
 +++ b/policy/modules/services/setroubleshoot.if
 @@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
@@ -37219,7 +38151,7 @@ index 22dfeb4..d9f5dbc 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..b0ee422 100644
+index 086cd5f..43350e6 100644
 --- a/policy/modules/services/setroubleshoot.te
 +++ b/policy/modules/services/setroubleshoot.te
 @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
@@ -37250,7 +38182,16 @@ index 086cd5f..b0ee422 100644
  
  corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
-@@ -121,6 +126,14 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -112,8 +117,6 @@ logging_send_audit_msgs(setroubleshootd_t)
+ logging_send_syslog_msg(setroubleshootd_t)
+ logging_stream_connect_dispatcher(setroubleshootd_t)
+ 
+-modutils_read_module_config(setroubleshootd_t)
+-
+ seutil_read_config(setroubleshootd_t)
+ seutil_read_file_contexts(setroubleshootd_t)
+ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,6 +124,18 @@ seutil_read_bin_policy(setroubleshootd_t)
  userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
  
  optional_policy(`
@@ -37262,10 +38203,14 @@ index 086cd5f..b0ee422 100644
 +')
 +
 +optional_policy(`
++	modutils_read_module_config(setroubleshootd_t)
++')
++
++optional_policy(`
  	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
  ')
  
-@@ -152,6 +165,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -152,6 +167,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  
  seutil_domtrans_setfiles(setroubleshoot_fixit_t)
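Review bot: The new `optional_policy(` block for `modutils_read_module_config(setroubleshootd_t)` is inserted ahead of the `dbus_system_domain(setroubleshootd_t, ...)` block, which appears to break the alphabetical ordering the neighbouring optional blocks follow; move it after the dbus block. The other hoisting-into-optional_policy changes in this commit (rlogin, rpc, samba, telnet, virt, vnstatd) keep their blocks in order, so this one stands out. The enclosing setroubleshootd_t section starts outside the hunk.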
@@ -37273,7 +38218,7 @@ index 086cd5f..b0ee422 100644
  
  files_read_usr_files(setroubleshoot_fixit_t)
  files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +178,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +180,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
  
  miscfiles_read_localization(setroubleshoot_fixit_t)
  
@@ -37309,11 +38254,11 @@ index adea9f9..d5b2d93 100644
  
  	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
 diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 4804f14..761df2d 100644
+index 606a098..8b74d10 100644
 --- a/policy/modules/services/smartmon.te
 +++ b/policy/modules/services/smartmon.te
-@@ -72,16 +72,21 @@ files_exec_etc_files(fsdaemon_t)
- files_read_etc_runtime_files(fsdaemon_t)
+@@ -73,16 +73,21 @@ files_read_etc_runtime_files(fsdaemon_t)
+ files_read_usr_files(fsdaemon_t)
  # for config
  files_read_etc_files(fsdaemon_t)
 +files_read_usr_files(fsdaemon_t)
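Review bot: With the refreshed context, upstream smartmon.te now already carries `files_read_usr_files(fsdaemon_t)` as the first line of the hunk, yet the inner hunk still adds a second `+files_read_usr_files(fsdaemon_t)` three lines later, so the patched file will contain the rule twice. Drop the `+files_read_usr_files(fsdaemon_t)` line from the patch; the duplicate is harmless to the compiled policy but will make every future rebase noisier. The rest of this inner hunk runs past the visible lines.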
@@ -38301,7 +39246,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..2cfaf93 100644
+index 22adaca..d9913e0 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,10 @@
@@ -38567,7 +39512,40 @@ index 22adaca..2cfaf93 100644
  	files_search_pids($1)
  ')
  
-@@ -695,7 +726,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -680,6 +711,32 @@ interface(`ssh_domtrans_keygen',`
+ 	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Execute ssh-keygen in the iptables domain, and
++##  allow the specified role the ssh-keygen domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++## <param name="role">
++##  <summary>
++##  Role allowed access.
++##  </summary>
++## </param>
++## <rolecap/>
++#
++interface(`ssh_run_keygen',`
++    gen_require(`
++        type ssh_keygen_t;
++    ')
++
++	role $2 types ssh_keygen_t;
++	ssh_domtrans_keygen($1)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read ssh server keys
+@@ -695,7 +752,7 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -38576,7 +39554,7 @@ index 22adaca..2cfaf93 100644
  ')
  
  ######################################
-@@ -735,3 +766,21 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +792,21 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -38599,7 +39577,7 @@ index 22adaca..2cfaf93 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..9a289e2 100644
+index 2dad3c8..f5c37de 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -38762,65 +39740,23 @@ index 2dad3c8..9a289e2 100644
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +211,57 @@ optional_policy(`
- 	xserver_domtrans_xauth(ssh_t)
+@@ -196,10 +207,15 @@ tunable_policy(`user_tcp_server',`
  ')
  
-+########################################
-+#
-+# ssh_keygen local policy
-+#
-+
-+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-+# and by sysadm_t
-+
-+dontaudit ssh_keygen_t self:capability sys_tty_config;
-+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-+files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
-+
-+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
-+
-+kernel_read_kernel_sysctls(ssh_keygen_t)
-+
-+fs_search_auto_mountpoints(ssh_keygen_t)
-+
-+dev_read_sysfs(ssh_keygen_t)
-+dev_read_urand(ssh_keygen_t)
-+
-+term_dontaudit_use_console(ssh_keygen_t)
-+
-+domain_use_interactive_fds(ssh_keygen_t)
-+
-+files_read_etc_files(ssh_keygen_t)
-+
-+init_use_fds(ssh_keygen_t)
-+init_use_script_ptys(ssh_keygen_t)
-+
-+logging_send_syslog_msg(ssh_keygen_t)
-+
-+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-+
-+optional_policy(`
-+	nscd_socket_use(ssh_keygen_t)
-+')
-+
-+optional_policy(`
-+	seutil_sigchld_newrole(ssh_keygen_t)
+ optional_policy(`
++	gnome_stream_connect_all_gkeyringd(ssh_t)
 +')
 +
 +optional_policy(`
-+	udev_read_db(ssh_keygen_t)
-+')
+ 	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
+ 	xserver_domtrans_xauth(ssh_t)
+ ')
+ 
 +
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,7 +271,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +225,7 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -38829,7 +39765,7 @@ index 2dad3c8..9a289e2 100644
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +294,43 @@ optional_policy(`
+@@ -232,33 +248,43 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -38882,7 +39818,7 @@ index 2dad3c8..9a289e2 100644
  ')
  
  optional_policy(`
-@@ -266,11 +338,24 @@ optional_policy(`
+@@ -266,11 +292,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38908,7 +39844,7 @@ index 2dad3c8..9a289e2 100644
  ')
  
  optional_policy(`
-@@ -284,6 +369,11 @@ optional_policy(`
+@@ -284,6 +323,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38920,7 +39856,7 @@ index 2dad3c8..9a289e2 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +382,26 @@ optional_policy(`
+@@ -292,26 +336,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -38966,7 +39902,7 @@ index 2dad3c8..9a289e2 100644
  ') dnl endif TODO
  
  ########################################
-@@ -324,7 +414,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,12 +368,15 @@ tunable_policy(`ssh_sysadm_login',`
  
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -38974,17 +39910,24 @@ index 2dad3c8..9a289e2 100644
  allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
  
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +442,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+ files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+ 
++manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++
+ kernel_read_kernel_sysctls(ssh_keygen_t)
+ 
+ fs_search_auto_mountpoints(ssh_keygen_t)
+@@ -353,7 +400,7 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
 -	nscd_socket_use(ssh_keygen_t)
--')
--
--optional_policy(`
- 	seutil_sigchld_newrole(ssh_keygen_t)
++    nscd_socket_use(ssh_keygen_t)
  ')
  
+ optional_policy(`
 diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
 index 941380a..6dbfc01 100644
 --- a/policy/modules/services/sssd.if
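Review bot: The inner hunk `@@ -353,7 +400,7 @@` now only swaps the tab in front of `nscd_socket_use(ssh_keygen_t)` for four spaces (`-	nscd_socket_use(ssh_keygen_t)` / `+    nscd_socket_use(ssh_keygen_t)`), so the patch carries a whitespace-only change that will resurface on every rebase. Drop that inner hunk entirely, or keep the tab, since the surrounding policy is tab-indented. The ssh_keygen_t optional_policy blocks continue outside the hunk.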
@@ -39279,7 +40222,7 @@ index 58e7ec0..cf4cc85 100644
 +	allow $1 telnetd_devpts_t:chr_file rw_term_perms;
 +')
 diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
-index f40e67b..34c4c57 100644
+index f40e67b..8d1e658 100644
 --- a/policy/modules/services/telnet.te
 +++ b/policy/modules/services/telnet.te
 @@ -8,7 +8,6 @@ policy_module(telnet, 1.10.0)
@@ -39323,8 +40266,12 @@ index f40e67b..34c4c57 100644
  
  init_rw_utmp(telnetd_t)
  
-@@ -85,11 +80,8 @@ remotelogin_domtrans(telnetd_t)
+@@ -81,15 +76,10 @@ miscfiles_read_localization(telnetd_t)
  
+ seutil_read_config(telnetd_t)
+ 
+-remotelogin_domtrans(telnetd_t)
+-
  userdom_search_user_home_dirs(telnetd_t)
  userdom_setattr_user_ptys(telnetd_t)
 -
@@ -39337,7 +40284,7 @@ index f40e67b..34c4c57 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_nfs(telnetd_t)
-@@ -98,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -98,3 +88,12 @@ tunable_policy(`use_nfs_home_dirs',`
  tunable_policy(`use_samba_home_dirs',`
  	fs_search_cifs(telnetd_t)
  ')
@@ -39347,6 +40294,9 @@ index f40e67b..34c4c57 100644
 +	kerberos_manage_host_rcache(telnetd_t)
 +')
 +
++optional_policy(`
++	remotelogin_domtrans(telnetd_t)
++')
 diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
 index 38bb312..414e03f 100644
 --- a/policy/modules/services/tftp.if
@@ -40404,7 +41354,7 @@ index 7c5d8d8..5e2f264 100644
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 +')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..3e3dc01 100644
+index 3eca020..a541a0a 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
@@ -40715,7 +41665,7 @@ index 3eca020..3e3dc01 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +356,31 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +356,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -40743,11 +41693,21 @@ index 3eca020..3e3dc01 100644
 +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
 +userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
 +
-+consoletype_exec(virtd_t)
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -329,6 +415,10 @@ optional_policy(`
+@@ -313,6 +398,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	consoletype_exec(virtd_t)
++')
++
++optional_policy(`
+ 	dbus_system_bus_client(virtd_t)
+ 
+ 	optional_policy(`
+@@ -329,6 +418,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40758,7 +41718,7 @@ index 3eca020..3e3dc01 100644
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
-@@ -365,6 +455,8 @@ optional_policy(`
+@@ -365,6 +458,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -40767,9 +41727,11 @@ index 3eca020..3e3dc01 100644
  ')
  
  optional_policy(`
-@@ -396,12 +488,25 @@ optional_policy(`
+@@ -394,14 +489,26 @@ optional_policy(`
+ # virtual domains common policy
+ #
  
- allow virt_domain self:capability { dac_read_search dac_override kill };
+-allow virt_domain self:capability { dac_read_search dac_override kill };
  allow virt_domain self:process { execmem execstack signal getsched signull };
 -allow virt_domain self:fifo_file rw_file_perms;
 +allow virt_domain self:fifo_file rw_fifo_file_perms;
@@ -40794,7 +41756,7 @@ index 3eca020..3e3dc01 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +527,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +529,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -40802,7 +41764,7 @@ index 3eca020..3e3dc01 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +535,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +537,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -40815,11 +41777,14 @@ index 3eca020..3e3dc01 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +548,11 @@ files_search_all(virt_domain)
+@@ -440,6 +550,14 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
 +fs_getattr_hugetlbfs(virt_domain)
++fs_rw_inherited_nfs_files(virt_domain)
++fs_rw_inherited_cifs_files(virt_domain)
++fs_rw_inherited_noxattr_fs_files(virt_domain)
 +
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
@@ -40827,7 +41792,7 @@ index 3eca020..3e3dc01 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
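Review bot: `fs_rw_inherited_nfs_files(virt_domain)`, `fs_rw_inherited_cifs_files(virt_domain)` and `fs_rw_inherited_noxattr_fs_files(virt_domain)` are granted unconditionally, whereas the other NFS access for virt in this file is gated by `tunable_policy(`virt_use_nfs',` (visible at the `fs_manage_nfs_dirs(virtd_t)` context above). If the intent is that a guest only reads and writes image descriptors libvirtd already opened and passed down, say so with a comment such as `# inherited fds only: the guest never opens NFS/CIFS files itself`; otherwise place the three rules under the virt_use_nfs / virt_use_samba tunables so the booleans keep their meaning. The virt_domain common policy section continues outside the hunk.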
-@@ -457,8 +570,117 @@ optional_policy(`
+@@ -457,8 +575,117 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41111,10 +42076,10 @@ index 0000000..b9104b7
 +')
 diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
 new file mode 100644
-index 0000000..ff32e95
+index 0000000..a7de540
 --- /dev/null
 +++ b/policy/modules/services/vnstatd.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,73 @@
 +policy_module(vnstatd, 1.0.0)
 +
 +########################################
@@ -41135,7 +42100,6 @@ index 0000000..ff32e95
 +type vnstat_t;
 +type vnstat_exec_t;
 +application_domain(vnstat_t, vnstat_exec_t)
-+cron_system_entry(vnstat_t, vnstat_exec_t)
 +
 +########################################
 +#
@@ -41161,6 +42125,10 @@ index 0000000..ff32e95
 +
 +miscfiles_read_localization(vnstatd_t)
 +
++optional_policy(`
++	cron_system_entry(vnstat_t, vnstat_exec_t)
++')
++
 +########################################
 +#
 +# vnstat local policy
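Review bot: The new `optional_policy(` block wrapping `cron_system_entry(vnstat_t, vnstat_exec_t)` sits at the end of the vnstatd_t section, directly above the `# vnstat local policy` banner, although the rule it guards concerns `vnstat_t`. Move the block below that banner so the type's rules stay together in its own section. The vnstat_t section itself continues past the hunk.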
@@ -41351,7 +42319,7 @@ index 6f1e3c7..ecfe665 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..88c2626 100644
+index 130ced9..33c8170 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -41366,10 +42334,10 @@ index da2601a..88c2626 100644
  	')
  
  	role $1 types { xserver_t xauth_t iceauth_t };
-@@ -31,12 +32,13 @@ interface(`xserver_restricted_role',`
+@@ -30,12 +31,13 @@ interface(`xserver_restricted_role',`
+ 	allow xserver_t $2:fd use;
  	allow xserver_t $2:shm rw_shm_perms;
  
- 	domtrans_pattern($2, xserver_exec_t, xserver_t)
 -	allow xserver_t $2:process signal;
 +	allow xserver_t $2:process { getpgid signal };
  
@@ -41381,7 +42349,7 @@ index da2601a..88c2626 100644
  
  	allow $2 user_fonts_config_t:dir list_dir_perms;
  	allow $2 user_fonts_config_t:file read_file_perms;
-@@ -45,6 +47,8 @@ interface(`xserver_restricted_role',`
+@@ -44,6 +46,8 @@ interface(`xserver_restricted_role',`
  	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
  
  	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -41390,7 +42358,7 @@ index da2601a..88c2626 100644
  	files_search_tmp($2)
  
  	# Communicate via System V shared memory.
-@@ -70,17 +74,21 @@ interface(`xserver_restricted_role',`
+@@ -69,17 +73,21 @@ interface(`xserver_restricted_role',`
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
@@ -41416,7 +42384,7 @@ index da2601a..88c2626 100644
  
  	dev_rw_xserver_misc($2)
  	dev_rw_power_management($2)
-@@ -89,14 +97,15 @@ interface(`xserver_restricted_role',`
+@@ -88,15 +96,17 @@ interface(`xserver_restricted_role',`
  	dev_write_misc($2)
  	# open office is looking for the following
  	dev_getattr_agp_dev($2)
@@ -41430,11 +42398,13 @@ index da2601a..88c2626 100644
 +	miscfiles_read_hwdata($2)
  
  	xserver_common_x_domain_template(user, $2)
+ 	xserver_domtrans($2)
 -	xserver_unconfined($2)
++	#xserver_unconfined($2)
  	xserver_xsession_entry_type($2)
  	xserver_dontaudit_write_log($2)
  	xserver_stream_connect_xdm($2)
-@@ -106,12 +115,25 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,25 @@ interface(`xserver_restricted_role',`
  	xserver_create_xdm_tmp_sockets($2)
  	# Needed for escd, remove if we get escd policy
  	xserver_manage_xdm_tmp_files($2)
@@ -41460,7 +42430,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -143,13 +165,15 @@ interface(`xserver_role',`
+@@ -143,13 +166,15 @@ interface(`xserver_role',`
  	allow $2 xserver_tmpfs_t:file rw_file_perms;
  
  	allow $2 iceauth_home_t:file manage_file_perms;
@@ -41478,7 +42448,7 @@ index da2601a..88c2626 100644
  	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
  	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
  
-@@ -162,7 +186,6 @@ interface(`xserver_role',`
+@@ -162,7 +187,6 @@ interface(`xserver_role',`
  	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -41486,7 +42456,7 @@ index da2601a..88c2626 100644
  ')
  
  #######################################
-@@ -197,7 +220,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +221,7 @@ interface(`xserver_ro_session',`
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -41495,7 +42465,7 @@ index da2601a..88c2626 100644
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -227,7 +250,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +251,7 @@ interface(`xserver_rw_session',`
  		type xserver_t, xserver_tmpfs_t;
  	')
  
@@ -41504,7 +42474,7 @@ index da2601a..88c2626 100644
  	allow $1 xserver_t:shm rw_shm_perms;
  	allow $1 xserver_tmpfs_t:file rw_file_perms;
  ')
-@@ -255,7 +278,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +279,7 @@ interface(`xserver_non_drawing_client',`
  
  	allow $1 self:x_gc { create setattr };
  
@@ -41513,7 +42483,7 @@ index da2601a..88c2626 100644
  	allow $1 xserver_t:unix_stream_socket connectto;
  
  	allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +314,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +315,13 @@ interface(`xserver_user_client',`
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -41531,7 +42501,7 @@ index da2601a..88c2626 100644
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
  
-@@ -342,19 +365,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +366,23 @@ interface(`xserver_user_client',`
  #
  template(`xserver_common_x_domain_template',`
  	gen_require(`
@@ -41558,7 +42528,7 @@ index da2601a..88c2626 100644
  	')
  
  	##############################
-@@ -386,6 +413,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +414,15 @@ template(`xserver_common_x_domain_template',`
  	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
  	# dont audit send failures
  	dontaudit $2 input_xevent_type:x_event send;
@@ -41574,7 +42544,7 @@ index da2601a..88c2626 100644
  ')
  
  #######################################
-@@ -444,8 +480,8 @@ template(`xserver_object_types_template',`
+@@ -444,8 +481,8 @@ template(`xserver_object_types_template',`
  #
  template(`xserver_user_x_domain_template',`
  	gen_require(`
@@ -41585,7 +42555,7 @@ index da2601a..88c2626 100644
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -458,9 +494,9 @@ template(`xserver_user_x_domain_template',`
+@@ -458,9 +495,9 @@ template(`xserver_user_x_domain_template',`
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
@@ -41597,7 +42567,7 @@ index da2601a..88c2626 100644
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
  	# Allow connections to X server.
-@@ -472,20 +508,25 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +509,25 @@ template(`xserver_user_x_domain_template',`
  	# for .xsession-errors
  	userdom_dontaudit_write_user_home_content_files($2)
  
@@ -41625,7 +42595,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -517,6 +558,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +559,7 @@ interface(`xserver_use_user_fonts',`
  	# Read per user fonts
  	allow $1 user_fonts_t:dir list_dir_perms;
  	allow $1 user_fonts_t:file read_file_perms;
@@ -41633,7 +42603,7 @@ index da2601a..88c2626 100644
  
  	# Manipulate the global font cache
  	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +587,28 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +588,28 @@ interface(`xserver_domtrans_xauth',`
  	')
  
  	domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -41662,7 +42632,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -598,6 +662,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +663,7 @@ interface(`xserver_read_user_xauth',`
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -41670,7 +42640,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -615,7 +680,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +681,7 @@ interface(`xserver_setattr_console_pipes',`
  		type xconsole_device_t;
  	')
  
@@ -41679,7 +42649,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -651,7 +716,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +717,7 @@ interface(`xserver_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -41688,7 +42658,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -670,7 +735,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +736,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -41697,7 +42667,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -688,7 +753,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +754,7 @@ interface(`xserver_rw_xdm_pipes',`
  		type xdm_t;
  	')
  
@@ -41706,7 +42676,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -703,12 +768,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +769,11 @@ interface(`xserver_rw_xdm_pipes',`
  ## </param>
  #
  interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -41720,7 +42690,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -724,11 +788,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +789,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
@@ -41754,7 +42724,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -765,7 +849,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +850,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
@@ -41763,7 +42733,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -805,7 +889,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +890,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -41791,7 +42761,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -897,7 +1000,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1001,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -41800,7 +42770,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -916,7 +1019,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1020,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -41809,7 +42779,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -963,6 +1066,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1067,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -41855,7 +42825,7 @@ index da2601a..88c2626 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1118,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1119,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -41864,7 +42834,7 @@ index da2601a..88c2626 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1180,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1181,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -41907,7 +42877,7 @@ index da2601a..88c2626 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1230,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1231,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -41916,7 +42886,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -1070,8 +1248,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1249,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -41928,7 +42898,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -1185,6 +1365,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1366,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -41955,7 +42925,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -1210,7 +1410,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1411,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -41964,7 +42934,7 @@ index da2601a..88c2626 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1420,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1421,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -41989,7 +42959,7 @@ index da2601a..88c2626 100644
  ')
  
  ########################################
-@@ -1243,10 +1453,393 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1454,392 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -42014,11 +42984,10 @@ index da2601a..88c2626 100644
 +#
 +interface(`xserver_dontaudit_append_xdm_home_files',`
 +	gen_require(`
-+		type xdm_home_t, xserver_tmp_t;
++		type xdm_home_t;
 +	')
 +
 +	dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
-+	dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms;
 +
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_dontaudit_rw_nfs_files($1)
@@ -42386,15 +43355,9 @@ index da2601a..88c2626 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index edc58df..f71b9e8 100644
+index 6c01261..7add988 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
-@@ -1,4 +1,4 @@
--policy_module(xserver, 3.5.1)
-+policy_module(xserver, 3.5.2)
- 
- gen_require(`
- 	class x_drawable all_x_drawable_perms;
 @@ -26,27 +26,50 @@ gen_require(`
  #
  
@@ -42454,13 +43417,7 @@ index edc58df..f71b9e8 100644
  attribute x_domain;
  
  # X Events
-@@ -104,26 +127,30 @@ typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xeven
- 
- type remote_t;
- xserver_object_types_template(remote)
--xserver_common_x_domain_template(remote,remote_t)
-+xserver_common_x_domain_template(remote, remote_t)
- 
+@@ -109,21 +132,25 @@ xserver_common_x_domain_template(remote, remote_t)
  type user_fonts_t;
  typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
  typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
@@ -42584,7 +43541,7 @@ index edc58df..f71b9e8 100644
  files_tmpfs_file(xserver_tmpfs_t)
  ubac_constrained(xserver_tmpfs_t)
  
-@@ -234,9 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -234,10 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
  
  allow xdm_t iceauth_home_t:file read_file_perms;
  
@@ -42593,7 +43550,7 @@ index edc58df..f71b9e8 100644
  fs_search_auto_mountpoints(iceauth_t)
  
  userdom_use_user_terminals(iceauth_t)
-+userdom_read_user_tmp_files(iceauth_t)
+ userdom_read_user_tmp_files(iceauth_t)
 +userdom_read_all_users_state(iceauth_t)
 +
 +tunable_policy(`use_fusefs_home_dirs',`
@@ -42602,7 +43559,7 @@ index edc58df..f71b9e8 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(iceauth_t)
-@@ -246,50 +299,109 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,50 +299,109 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(iceauth_t)
  ')
  
@@ -42717,7 +43674,7 @@ index edc58df..f71b9e8 100644
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -301,20 +413,33 @@ optional_policy(`
+@@ -302,20 +413,33 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -42755,7 +43712,7 @@ index edc58df..f71b9e8 100644
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -322,43 +447,69 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -323,43 +447,62 @@ can_exec(xdm_t, xdm_exec_t)
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
@@ -42779,15 +43736,7 @@ index edc58df..f71b9e8 100644
  manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
--fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
- 
--manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)	
-+fs_getattr_all_fs(xdm_t)
-+fs_list_inotifyfs(xdm_t)
-+fs_dontaudit_list_noxattr_fs(xdm_t)
-+fs_dontaudit_read_noxattr_fs_files(xdm_t)
-+fs_manage_cgroup_dirs(xdm_t)
-+fs_manage_cgroup_files(xdm_t)
+-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 +
 +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
 +
@@ -42795,8 +43744,8 @@ index edc58df..f71b9e8 100644
 +manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
 +manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
 +files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
-+
-+manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+ 
+ manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
  manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
 +manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
@@ -42832,7 +43781,7 @@ index edc58df..f71b9e8 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -367,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -368,18 +511,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -42860,7 +43809,7 @@ index edc58df..f71b9e8 100644
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -390,18 +549,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -391,18 +542,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -42884,7 +43833,7 @@ index edc58df..f71b9e8 100644
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -410,18 +573,24 @@ dev_setattr_xserver_misc_dev(xdm_t)
+@@ -411,18 +566,24 @@ dev_setattr_xserver_misc_dev(xdm_t)
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
@@ -42912,7 +43861,7 @@ index edc58df..f71b9e8 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -432,9 +601,17 @@ files_list_mnt(xdm_t)
+@@ -433,9 +594,22 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -42925,12 +43874,17 @@ index edc58df..f71b9e8 100644
  fs_search_auto_mountpoints(xdm_t)
 +fs_rw_anon_inodefs_files(xdm_t)
 +fs_mount_tmpfs(xdm_t)
++fs_list_inotifyfs(xdm_t)
++fs_dontaudit_list_noxattr_fs(xdm_t)
++fs_dontaudit_read_noxattr_fs_files(xdm_t)
++fs_manage_cgroup_dirs(xdm_t)
++fs_manage_cgroup_files(xdm_t)
 +
 +mls_socket_write_to_clearance(xdm_t)
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -443,28 +620,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -444,28 +618,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -42969,7 +43923,7 @@ index edc58df..f71b9e8 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -473,9 +658,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -474,9 +656,30 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -43000,20 +43954,22 @@ index edc58df..f71b9e8 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -491,6 +697,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -492,6 +695,14 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_exec_cifs_files(xdm_t)
  ')
  
-+tunable_policy(`xdm_exec_bootloader',`
-+    bootloader_exec(xdm_t)
-+    files_read_boot_files(xdm_t)
-+    files_read_boot_symlinks(xdm_t)
++optional_policy(`
++	tunable_policy(`xdm_exec_bootloader',`
++    	bootloader_exec(xdm_t)
++    	files_read_boot_files(xdm_t)
++    	files_read_boot_symlinks(xdm_t)
++	')
 +')
 +
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -504,11 +716,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -505,11 +716,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
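Review bot: The re-indented tunable body `    	bootloader_exec(xdm_t)` (and the two `files_read_boot_*` lines below it) mixes four spaces with a tab, while every neighbouring block in xserver.te indents with tabs only; inside the nested optional_policy these should read `		bootloader_exec(xdm_t)`, `		files_read_boot_files(xdm_t)`, `		files_read_boot_symlinks(xdm_t)`. Wrapping the tunable in optional_policy is the right fix for an optional bootloader module, but the boolean still hands the display-manager domain execute access to the bootloader binary plus read access to /boot, so a one-line comment above the block naming the xdm feature that needs it (presumably a reboot-into-other-OS menu — confirm) would help the next reviewer. The tunable's declaration and description live outside this hunk.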
@@ -43035,10 +43991,11 @@ index edc58df..f71b9e8 100644
  ')
  
  optional_policy(`
-@@ -516,12 +738,54 @@ optional_policy(`
+@@ -517,7 +738,37 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	cpufreqselector_dbus_chat(xdm_t)
 +	# Use dbus to start other processes as xdm_t
 +	dbus_role_template(xdm, system_r, xdm_t)
 +
@@ -43055,7 +44012,7 @@ index edc58df..f71b9e8 100644
 +	')
 +
 +	 optional_policy(`
-+	 	 cpufreqselector_dbus_send(xdm_t)
++		cpufreqselector_dbus_chat(xdm_t)
 +	')
 +
 +	optional_policy(`
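Review bot: `		cpufreqselector_dbus_chat(xdm_t)` widens the earlier one-way `cpufreqselector_dbus_send` into a bidirectional dbus send_msg allow, so cpufreqselector_t may now also message xdm_t; that tracks the unconditional upstream `cpufreqselector_dbus_chat(xdm_t)` the patch removes a few hunks up, so the net grant appears unchanged. The enclosing line `	 optional_policy(` still carries a stray space after its tab, though; while this block is being touched, drop it so the nesting indents like the sibling optional_policy blocks.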
@@ -43070,12 +44027,10 @@ index edc58df..f71b9e8 100644
 +	optional_policy(`
 +		networkmanager_dbus_chat(xdm_t)
 +	')
-+')
-+
-+optional_policy(`
- 	# Talk to the console mouse server.
- 	gpm_stream_connect(xdm_t)
- 	gpm_setattr_gpmctl(xdm_t)
+ ')
+ 
+ optional_policy(`
+@@ -527,6 +778,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43090,7 +44045,7 @@ index edc58df..f71b9e8 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -539,28 +803,64 @@ optional_policy(`
+@@ -544,28 +803,65 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43127,6 +44082,7 @@ index edc58df..f71b9e8 100644
 +	rpm_exec(xdm_t)
 +	rpm_read_db(xdm_t)
 +	rpm_dontaudit_manage_db(xdm_t)
++	rpm_dontaudit_dbus_chat(xdm_t)
 +')
 +
 +optional_policy(`
@@ -43164,10 +44120,14 @@ index edc58df..f71b9e8 100644
  ')
  
  optional_policy(`
-@@ -572,6 +872,10 @@ optional_policy(`
+@@ -577,6 +873,14 @@ optional_policy(`
  ')
  
  optional_policy(`
++    vdagent_stream_connect(xdm_t)
++')
++
++optional_policy(`
 +	wm_exec(xdm_t)
 +')
 +
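Review bot: `    vdagent_stream_connect(xdm_t)` is indented with four spaces whereas the sibling `	wm_exec(xdm_t)` and the rest of xserver.te use a tab; change it to `	vdagent_stream_connect(xdm_t)`. Since this opens a unix stream connection from the login-screen domain to the vdagent socket, a one-line comment naming the consumer (presumably the SPICE guest agent for remote-desktop sessions — confirm) would make the grant self-explaining.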
@@ -43175,7 +44135,7 @@ index edc58df..f71b9e8 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,7 +900,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -601,7 +905,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -43184,7 +44144,7 @@ index edc58df..f71b9e8 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -610,8 +914,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -615,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -43200,7 +44160,7 @@ index edc58df..f71b9e8 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -630,12 +941,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -635,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -43222,7 +44182,7 @@ index edc58df..f71b9e8 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -643,6 +961,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -648,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -43230,7 +44190,7 @@ index edc58df..f71b9e8 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -669,7 +988,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -674,7 +993,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -43238,7 +44198,7 @@ index edc58df..f71b9e8 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -679,11 +997,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -684,11 +1002,17 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -43256,7 +44216,7 @@ index edc58df..f71b9e8 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1018,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -699,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -43270,14 +44230,23 @@ index edc58df..f71b9e8 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -717,15 +1046,19 @@ logging_send_audit_msgs(xserver_t)
+@@ -713,8 +1042,6 @@ init_getpgid(xserver_t)
+ term_setattr_unallocated_ttys(xserver_t)
+ term_use_unallocated_ttys(xserver_t)
+ 
+-getty_use_fds(xserver_t)
+-
+ locallogin_use_fds(xserver_t)
+ 
+ logging_send_syslog_msg(xserver_t)
+@@ -722,11 +1049,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
+-
+-modutils_domtrans_insmod(xserver_t)
 +miscfiles_read_hwdata(xserver_t)
  
- modutils_domtrans_insmod(xserver_t)
- 
  # read x_contexts
  seutil_read_default_contexts(xserver_t)
 +seutil_read_config(xserver_t)
@@ -43285,12 +44254,7 @@ index edc58df..f71b9e8 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
- userdom_setattr_user_ttys(xserver_t)
-+userdom_read_user_tmp_files(xserver_t)
- userdom_rw_user_tmpfs_files(xserver_t)
- 
- xserver_use_user_fonts(xserver_t)
-@@ -774,16 +1107,28 @@ optional_policy(`
+@@ -780,16 +1108,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43298,6 +44262,14 @@ index edc58df..f71b9e8 100644
 +')
 +
 +optional_policy(`
++	getty_use_fds(xserver_t)
++')
++
++optional_policy(`
++	modutils_domtrans_insmod(xserver_t)
++')
++
++optional_policy(`
  	rhgb_getpgid(xserver_t)
  	rhgb_signal(xserver_t)
  ')
@@ -43320,7 +44292,7 @@ index edc58df..f71b9e8 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -792,6 +1137,10 @@ optional_policy(`
+@@ -798,6 +1146,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43331,7 +44303,7 @@ index edc58df..f71b9e8 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -807,10 +1156,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -813,10 +1165,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -43345,7 +44317,7 @@ index edc58df..f71b9e8 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -818,7 +1167,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -824,7 +1176,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -43354,7 +44326,7 @@ index edc58df..f71b9e8 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -831,6 +1180,9 @@ init_use_fds(xserver_t)
+@@ -837,6 +1189,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -43364,7 +44336,7 @@ index edc58df..f71b9e8 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -838,6 +1190,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -844,6 +1199,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -43376,7 +44348,7 @@ index edc58df..f71b9e8 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -846,11 +1203,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -852,11 +1212,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -43393,7 +44365,7 @@ index edc58df..f71b9e8 100644
  ')
  
  optional_policy(`
-@@ -858,6 +1218,10 @@ optional_policy(`
+@@ -864,6 +1227,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -43404,7 +44376,7 @@ index edc58df..f71b9e8 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -901,7 +1265,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -907,7 +1274,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -43413,7 +44385,7 @@ index edc58df..f71b9e8 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -955,11 +1319,31 @@ allow x_domain self:x_resource { read write };
+@@ -961,11 +1328,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -43445,7 +44417,7 @@ index edc58df..f71b9e8 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -981,18 +1365,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -987,18 +1374,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -44084,7 +45056,7 @@ index 2952cef..4485fd5 100644
  /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..a0feb45 100644
+index 42b4f0f..e6b751b 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -44473,10 +45445,10 @@ index bea0ade..a0feb45 100644
  
  	optional_policy(`
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 54d122b..b86897f 100644
+index 66d13c4..66a0a25 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
-@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
+@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.1)
  # Declarations
  #
  
@@ -44510,16 +45482,7 @@ index 54d122b..b86897f 100644
  
  type pam_var_run_t;
  files_pid_file(pam_var_run_t)
-@@ -83,7 +98,7 @@ logging_log_file(wtmp_t)
- 
- allow chkpwd_t self:capability { dac_override setuid };
- dontaudit chkpwd_t self:capability sys_tty_config;
--allow chkpwd_t self:process getattr;
-+allow chkpwd_t self:process { getattr signal };
- 
- allow chkpwd_t shadow_t:file read_file_perms;
- files_list_etc(chkpwd_t)
-@@ -99,6 +114,8 @@ dev_read_urand(chkpwd_t)
+@@ -100,6 +115,8 @@ dev_read_urand(chkpwd_t)
  files_read_etc_files(chkpwd_t)
  # for nscd
  files_dontaudit_search_var(chkpwd_t)
@@ -44528,7 +45491,7 @@ index 54d122b..b86897f 100644
  
  fs_dontaudit_getattr_xattr_fs(chkpwd_t)
  
-@@ -394,3 +411,13 @@ optional_policy(`
+@@ -395,3 +412,13 @@ optional_policy(`
  	xserver_use_xdm_fds(utempter_t)
  	xserver_rw_xdm_pipes(utempter_t)
  ')
@@ -44738,7 +45701,7 @@ index a97a096..ab1e16a 100644
  /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index a442acc..133f7f8 100644
+index a442acc..9f99f16 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
 @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@@ -44758,7 +45721,11 @@ index a442acc..133f7f8 100644
  # Access to /initrd devices
  dev_getattr_usbfs_dirs(fsadm_t)
  # Access to /dev/mapper/control
-@@ -117,6 +118,9 @@ fs_remount_xattr_fs(fsadm_t)
+@@ -114,9 +115,13 @@ fs_rw_tmpfs_files(fsadm_t)
+ # remount file system to apply changes
+ fs_remount_xattr_fs(fsadm_t)
+ # for /dev/shm
++fs_list_auto_mountpoints(fsadm_t)
  fs_search_tmpfs(fsadm_t)
  fs_getattr_tmpfs_dirs(fsadm_t)
  fs_read_tmpfs_symlinks(fsadm_t)
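Review bot: `fs_list_auto_mountpoints(fsadm_t)` is inserted directly under the `# for /dev/shm` comment, which now reads as if listing automount points were part of the /dev/shm access; move the new line above that comment, or give it its own, e.g. `# list autofs mount points — TODO confirm which fs tool walks them`. The surrounding fsadm_t rule set continues outside this hunk.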
@@ -44768,7 +45735,7 @@ index a442acc..133f7f8 100644
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -130,6 +134,7 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -130,6 +135,7 @@ storage_raw_write_fixed_disk(fsadm_t)
  storage_raw_read_removable_device(fsadm_t)
  storage_raw_write_removable_device(fsadm_t)
  storage_read_scsi_generic(fsadm_t)
@@ -44776,8 +45743,13 @@ index a442acc..133f7f8 100644
  storage_swapon_fixed_disk(fsadm_t)
  
  term_use_console(fsadm_t)
-@@ -147,7 +152,7 @@ modutils_read_module_deps(fsadm_t)
+@@ -142,12 +148,9 @@ logging_send_syslog_msg(fsadm_t)
+ 
+ miscfiles_read_localization(fsadm_t)
  
+-modutils_read_module_config(fsadm_t)
+-modutils_read_module_deps(fsadm_t)
+-
  seutil_read_config(fsadm_t)
  
 -userdom_use_user_terminals(fsadm_t)
@@ -44785,7 +45757,7 @@ index a442acc..133f7f8 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -166,6 +171,19 @@ optional_policy(`
+@@ -166,6 +169,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44802,10 +45774,15 @@ index a442acc..133f7f8 100644
 +')
 +
 +optional_policy(`
++	modutils_read_module_config(fsadm_t)
++	modutils_read_module_deps(fsadm_t)
++')
++
++optional_policy(`
  	nis_use_ypbind(fsadm_t)
  ')
  
-@@ -175,6 +193,14 @@ optional_policy(`
+@@ -175,6 +196,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44855,11 +45832,37 @@ index c310775..d5fc685 100644
  fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
  
  term_dontaudit_use_console(hostname_t)
+diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
+index 882c6a2..d0ff4ec 100644
+--- a/policy/modules/system/hotplug.te
++++ b/policy/modules/system/hotplug.te
+@@ -105,9 +105,6 @@ libs_read_lib_files(hotplug_t)
+ miscfiles_read_hwdata(hotplug_t)
+ miscfiles_read_localization(hotplug_t)
+ 
+-modutils_domtrans_insmod(hotplug_t)
+-modutils_read_module_deps(hotplug_t)
+-
+ seutil_dontaudit_search_config(hotplug_t)
+ 
+ sysnet_read_config(hotplug_t)
+@@ -154,6 +151,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	modutils_domtrans_insmod(hotplug_t)
++	modutils_read_module_deps(hotplug_t)
++')
++
++optional_policy(`
+ 	mount_domtrans(hotplug_t)
+ ')
+ 
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 6fed22c..06e5395 100644
+index 354ce93..f7cda1c 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
-@@ -33,7 +33,21 @@ ifdef(`distro_gentoo', `
+@@ -33,6 +33,19 @@ ifdef(`distro_gentoo', `
  #
  # /sbin
  #
@@ -44877,11 +45880,9 @@ index 6fed22c..06e5395 100644
 +# /sbin
 +#
  /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
- 
- ifdef(`distro_gentoo', `
- /sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-@@ -53,6 +67,9 @@ ifdef(`distro_gentoo', `
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
+@@ -55,6 +68,9 @@ ifdef(`distro_gentoo', `
  
  /usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
  /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -44892,7 +45893,7 @@ index 6fed22c..06e5395 100644
  #
  # /var
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..2657c0b 100644
+index cc83689..6a82950 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,40 @@ interface(`init_script_domain',`
@@ -45335,7 +46336,7 @@ index cc83689..2657c0b 100644
  ')
  
  ########################################
-@@ -1749,3 +1961,93 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +1961,120 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -45429,8 +46430,35 @@ index cc83689..2657c0b 100644
 +
 +	allow $1 init_t:unix_dgram_socket sendto;
 +')
++
++########################################
++## <summary>
++##	Create a file type used for init socket files.
++## </summary>
++## <desc>
++##	<p>
++##	This defines a type that init can create sock_file within for 
++##	impersonation purposes
++##	</p>
++## </desc>
++## <param name="script_file">
++##	<summary>
++##	Type to be used for a sock file.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`init_sock_file',`
++	gen_require(`
++		attribute init_sock_file_type;
++	')
++
++	typeattribute $1 init_sock_file_type;
++
++')
++
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 77e8ca8..2abb81b 100644
+index ea29513..2370758 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
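Review bot: The XML doc on the new `init_sock_file` interface declares `<param name="script_file">`, evidently copied from init_script_file, but the interface applies `init_sock_file_type` to $1, so the parameter should be `<param name="type">` with summary `Type of sock files init is allowed to create.`. The `<desc>` phrase "for impersonation purposes" is also unexplained — state what the attribute enables, namely that init_t gains create on sock_file objects of this type (the create_sock_files_pattern rule in init.te appears to sit inside the init_systemd tunable, so callers should know the grant is boolean-gated). The stray blank line before the closing `')` does not match the other interfaces in this file either.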
@@ -45468,15 +46496,17 @@ index 77e8ca8..2abb81b 100644
  # used for direct running of init scripts
  # by admin domains
  attribute direct_run_init;
-@@ -25,6 +53,7 @@ attribute direct_init_entry;
+@@ -25,6 +53,9 @@ attribute direct_init_entry;
  attribute init_script_domain_type;
  attribute init_script_file_type;
  attribute init_run_all_scripts_domain;
 +attribute initrc_transition_domain;
++# Attribute used for systemd so domains can allow systemd to create sock_files
++attribute init_sock_file_type;
  
  # Mark process types as daemons
  attribute daemon;
-@@ -32,7 +61,7 @@ attribute daemon;
+@@ -32,7 +63,7 @@ attribute daemon;
  #
  # init_t is the domain of the init process.
  #
@@ -45485,7 +46515,7 @@ index 77e8ca8..2abb81b 100644
  type init_exec_t;
  domain_type(init_t)
  domain_entry_file(init_t, init_exec_t)
-@@ -63,6 +92,8 @@ role system_r types initrc_t;
+@@ -63,6 +94,8 @@ role system_r types initrc_t;
  # of the below init_upstart tunable
  # but this has a typeattribute in it
  corecmd_shell_entry_type(initrc_t)
@@ -45494,7 +46524,7 @@ index 77e8ca8..2abb81b 100644
  
  type initrc_devpts_t;
  term_pty(initrc_devpts_t)
-@@ -87,7 +118,7 @@ ifdef(`enable_mls',`
+@@ -87,7 +120,7 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
@@ -45503,7 +46533,7 @@ index 77e8ca8..2abb81b 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -100,7 +131,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -100,7 +133,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  # Re-exec itself
  can_exec(init_t, init_exec_t)
  
@@ -45514,7 +46544,7 @@ index 77e8ca8..2abb81b 100644
  
  # For /var/run/shutdown.pid.
  allow init_t init_var_run_t:file manage_file_perms;
-@@ -114,11 +147,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -114,11 +149,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -45528,7 +46558,7 @@ index 77e8ca8..2abb81b 100644
  # Early devtmpfs
  dev_rw_generic_chr_files(init_t)
  
-@@ -127,9 +162,13 @@ domain_kill_all_domains(init_t)
+@@ -127,9 +164,13 @@ domain_kill_all_domains(init_t)
  domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
@@ -45542,7 +46572,7 @@ index 77e8ca8..2abb81b 100644
  files_rw_generic_pids(init_t)
  files_dontaudit_search_isid_type_dirs(init_t)
  files_manage_etc_runtime_files(init_t)
-@@ -151,6 +190,7 @@ mls_file_read_all_levels(init_t)
+@@ -151,6 +192,7 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
@@ -45550,7 +46580,7 @@ index 77e8ca8..2abb81b 100644
  
  selinux_set_all_booleans(init_t)
  
-@@ -162,12 +202,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +204,15 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
@@ -45566,7 +46596,7 @@ index 77e8ca8..2abb81b 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +221,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +223,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -45575,12 +46605,15 @@ index 77e8ca8..2abb81b 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +229,100 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +231,105 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
 +storage_raw_rw_fixed_disk(init_t)
-+modutils_domtrans_insmod(init_t)
++
++optional_policy(`
++	modutils_domtrans_insmod(init_t)
++')
 +
 +tunable_policy(`init_systemd',`
 +	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
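Review bot: `storage_raw_rw_fixed_disk(init_t)`, the context line just above the new optional_policy block, stays unconditional — outside both the `init_systemd` tunable that follows and any optional_policy — so init_t keeps raw read/write on fixed-disk block devices in every configuration, which is a broad grant for PID 1. If it is only needed on the systemd boot path, move it into the `tunable_policy(`init_systemd',` block; in either case add a one-line comment naming the consumer, e.g. `# TODO: document which init/systemd step needs raw fixed-disk access`. The init_systemd block continues past the end of this hunk.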
@@ -45648,6 +46681,8 @@ index 77e8ca8..2abb81b 100644
 +	# needs to remain
 +	logging_create_devlog_dev(init_t)
 +
++	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
++
 +#	miscfiles_delete_man_pages(init_t)
 +#	miscfiles_relabel_man_pages(init_t)
 +
@@ -45676,7 +46711,7 @@ index 77e8ca8..2abb81b 100644
  ')
  
  optional_policy(`
-@@ -199,10 +330,25 @@ optional_policy(`
+@@ -199,10 +337,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45702,7 +46737,7 @@ index 77e8ca8..2abb81b 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +358,7 @@ optional_policy(`
+@@ -212,7 +365,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -45711,7 +46746,7 @@ index 77e8ca8..2abb81b 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +387,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +394,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -45726,7 +46761,7 @@ index 77e8ca8..2abb81b 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,11 +406,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +413,23 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -45750,7 +46785,7 @@ index 77e8ca8..2abb81b 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -279,6 +439,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +446,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -45758,7 +46793,7 @@ index 77e8ca8..2abb81b 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +452,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +459,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -45766,7 +46801,7 @@ index 77e8ca8..2abb81b 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +460,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +467,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -45782,7 +46817,7 @@ index 77e8ca8..2abb81b 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -323,8 +485,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +492,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -45794,7 +46829,7 @@ index 77e8ca8..2abb81b 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +504,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +511,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -45808,7 +46843,7 @@ index 77e8ca8..2abb81b 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +519,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +526,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -45817,7 +46852,7 @@ index 77e8ca8..2abb81b 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +533,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +540,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -45825,7 +46860,7 @@ index 77e8ca8..2abb81b 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +545,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +552,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -45833,15 +46868,15 @@ index 77e8ca8..2abb81b 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,13 +566,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +573,12 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
 -miscfiles_read_generic_certs(initrc_t)
 +miscfiles_manage_generic_cert_files(initrc_t)
  
- modutils_read_module_config(initrc_t)
- modutils_domtrans_insmod(initrc_t)
+-modutils_read_module_config(initrc_t)
+-modutils_domtrans_insmod(initrc_t)
  
  seutil_read_config(initrc_t)
  
@@ -45849,7 +46884,7 @@ index 77e8ca8..2abb81b 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -478,7 +651,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +656,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -45858,7 +46893,7 @@ index 77e8ca8..2abb81b 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -524,6 +697,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +702,23 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -45882,7 +46917,7 @@ index 77e8ca8..2abb81b 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +721,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +726,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -45900,7 +46935,7 @@ index 77e8ca8..2abb81b 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +746,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +751,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -45940,7 +46975,7 @@ index 77e8ca8..2abb81b 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +791,8 @@ optional_policy(`
+@@ -561,6 +796,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -45949,7 +46984,7 @@ index 77e8ca8..2abb81b 100644
  ')
  
  optional_policy(`
-@@ -577,6 +809,7 @@ optional_policy(`
+@@ -577,6 +814,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -45957,7 +46992,7 @@ index 77e8ca8..2abb81b 100644
  ')
  
  optional_policy(`
-@@ -589,6 +822,11 @@ optional_policy(`
+@@ -589,6 +827,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45969,7 +47004,7 @@ index 77e8ca8..2abb81b 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +843,13 @@ optional_policy(`
+@@ -605,9 +848,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -45983,7 +47018,19 @@ index 77e8ca8..2abb81b 100644
  	')
  
  	optional_policy(`
-@@ -706,7 +948,13 @@ optional_policy(`
+@@ -649,6 +896,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	modutils_read_module_config(initrc_t)
++	modutils_domtrans_insmod(initrc_t)
++')
++
++optional_policy(`
+ 	inn_exec_config(initrc_t)
+ ')
+ 
+@@ -706,7 +958,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45997,7 +47044,7 @@ index 77e8ca8..2abb81b 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +977,10 @@ optional_policy(`
+@@ -729,6 +987,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46008,7 +47055,7 @@ index 77e8ca8..2abb81b 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +990,20 @@ optional_policy(`
+@@ -738,10 +1000,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46029,7 +47076,7 @@ index 77e8ca8..2abb81b 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1012,10 @@ optional_policy(`
+@@ -750,6 +1022,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46040,7 +47087,7 @@ index 77e8ca8..2abb81b 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1037,6 @@ optional_policy(`
+@@ -771,8 +1047,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -46049,7 +47096,7 @@ index 77e8ca8..2abb81b 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1045,21 @@ optional_policy(`
+@@ -781,14 +1055,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46071,7 +47118,7 @@ index 77e8ca8..2abb81b 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -810,11 +1081,19 @@ optional_policy(`
+@@ -810,11 +1091,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46092,7 +47139,7 @@ index 77e8ca8..2abb81b 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1103,25 @@ optional_policy(`
+@@ -824,6 +1113,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -46118,7 +47165,7 @@ index 77e8ca8..2abb81b 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1147,59 @@ optional_policy(`
+@@ -849,3 +1157,37 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -46156,28 +47203,6 @@ index 77e8ca8..2abb81b 100644
 +')
 +
 +init_rw_stream_sockets(daemon)
-+
-+ifdef(`hide_broken_symptoms',`
-+optional_policy(`
-+gen_require(`
-+	type system_dbusd_var_run_t;
-+	type fsadm_t;
-+	type avahi_var_run_t;
-+')
-+
-+fs_list_auto_mountpoints(fsadm_t)
-+
-+fs_list_auto_mountpoints(lvm_t)
-+fs_list_hugetlbfs(lvm_t)
-+
-+allow init_t avahi_var_run_t:dir { write add_name };
-+allow init_t avahi_var_run_t:sock_file create;
-+
-+allow init_t system_dbusd_var_run_t:dir { write add_name };
-+allow init_t system_dbusd_var_run_t:sock_file create;
-+
-+')
-+')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
 index 07eba2b..942bea1 100644
 --- a/policy/modules/system/ipsec.fc
@@ -46319,7 +47344,7 @@ index 8232f91..8897e32 100644
 +        allow ipsec_mgmt_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 98d6081..fbc8601 100644
+index 98d6081..ba4b965 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -73,7 +73,7 @@ role system_r types setkey_t;
@@ -46421,15 +47446,19 @@ index 98d6081..fbc8601 100644
  term_use_console(ipsec_mgmt_t)
 -term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
 +term_use_all_terms(ipsec_mgmt_t)
-+
-+auth_dontaudit_read_login_records(ipsec_mgmt_t)
  
++auth_dontaudit_read_login_records(ipsec_mgmt_t)
++
 +init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
  init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
-@@ -291,7 +308,9 @@ modutils_domtrans_insmod(ipsec_mgmt_t)
+@@ -287,11 +304,11 @@ logging_send_syslog_msg(ipsec_mgmt_t)
+ 
+ miscfiles_read_localization(ipsec_mgmt_t)
  
+-modutils_domtrans_insmod(ipsec_mgmt_t)
+-
  seutil_dontaudit_search_config(ipsec_mgmt_t)
  
 +sysnet_manage_config(ipsec_mgmt_t)
@@ -46438,7 +47467,7 @@ index 98d6081..fbc8601 100644
  
  userdom_use_user_terminals(ipsec_mgmt_t)
  
-@@ -300,6 +319,23 @@ optional_policy(`
+@@ -300,6 +317,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46455,14 +47484,18 @@ index 98d6081..fbc8601 100644
 +')
 +
 +optional_policy(`
-+        iptables_domtrans(ipsec_mgmt_t)
++	iptables_domtrans(ipsec_mgmt_t)
++')
++
++optional_policy(`
++	modutils_domtrans_insmod(ipsec_mgmt_t)
 +')
 +
 +optional_policy(`
  	nscd_socket_use(ipsec_mgmt_t)
  ')
  
-@@ -386,6 +422,8 @@ miscfiles_read_localization(racoon_t)
+@@ -386,6 +424,8 @@ miscfiles_read_localization(racoon_t)
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -46471,7 +47504,7 @@ index 98d6081..fbc8601 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +450,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
+@@ -412,6 +452,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
  files_read_etc_files(setkey_t)
  
  init_dontaudit_use_fds(setkey_t)
@@ -46479,7 +47512,7 @@ index 98d6081..fbc8601 100644
  
  # allow setkey to set the context for ipsec SAs and policy.
  corenet_setcontext_all_spds(setkey_t)
-@@ -423,4 +462,5 @@ miscfiles_read_localization(setkey_t)
+@@ -423,4 +464,5 @@ miscfiles_read_localization(setkey_t)
  seutil_read_config(setkey_t)
  
  userdom_use_user_terminals(setkey_t)
@@ -47534,10 +48567,10 @@ index 9b5a9ed..7ea0ae3 100644
  ')
  
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..526d11c 100644
+index 879bb1e..7b22111 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
-@@ -28,10 +28,13 @@ ifdef(`distro_gentoo',`
+@@ -28,20 +28,24 @@ ifdef(`distro_gentoo',`
  #
  /lib/lvm-10/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /lib/lvm-200/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -47551,7 +48584,19 @@ index 879bb1e..526d11c 100644
  /sbin/cryptsetup	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/dmraid		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -97,5 +100,7 @@ ifdef(`distro_gentoo',`
+ /sbin/dmsetup\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/e2fsadm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/kpartx        --  gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvcreate		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvextend		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+-/sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/lvm			--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvm\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmdiskscan	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -97,5 +101,7 @@ ifdef(`distro_gentoo',`
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
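Review bot: The new `/sbin/kpartx        --  gen_context(system_u:object_r:lvm_exec_t,s0)` entry is aligned with spaces while every neighbouring entry in this table uses tabs; the file still parses because .fc fields are whitespace-separated, but `/sbin/kpartx		--	gen_context(system_u:object_r:lvm_exec_t,s0)` would keep the column layout intact. Labelling kpartx lvm_exec_t is consistent with dmsetup and dmraid a few lines above, so the domain choice itself looks right. The `/sbin/lvm` change in the same hunk alters only its tab count, which is whitespace churn that makes future rebases of this downstream patch noisier without a functional change.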
@@ -47604,7 +48649,7 @@ index 58bc27f..b95f0c0 100644
 +	allow $1 clvmd_tmpfs_t:file unlink;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..1440818 100644
+index a0a0ebf..f596c62 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -47703,7 +48748,7 @@ index a0a0ebf..1440818 100644
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -253,8 +270,9 @@ files_read_etc_files(lvm_t)
+@@ -253,17 +270,21 @@ files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -47714,7 +48759,11 @@ index a0a0ebf..1440818 100644
  fs_search_auto_mountpoints(lvm_t)
  fs_list_tmpfs(lvm_t)
  fs_read_tmpfs_symlinks(lvm_t)
-@@ -264,6 +282,7 @@ fs_rw_anon_inodefs_files(lvm_t)
+ fs_dontaudit_read_removable_files(lvm_t)
+ fs_dontaudit_getattr_tmpfs_files(lvm_t)
+ fs_rw_anon_inodefs_files(lvm_t)
++fs_list_auto_mountpoints(lvm_t)
++fs_list_hugetlbfs(lvm_t)
  
  mls_file_read_all_levels(lvm_t)
  mls_file_write_to_clearance(lvm_t)
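Review bot: `fs_list_auto_mountpoints(lvm_t)` is added a few lines below the existing `fs_search_auto_mountpoints(lvm_t)` that is still visible as context at the top of the hunk, and list_dir_perms already includes search, so the search line becomes redundant and one of the two should go. These two rules and `fs_list_hugetlbfs(lvm_t)` are the ones removed from the `ifdef(\`hide_broken_symptoms')` block in init.te earlier in this patch, so the move makes them unconditional without recording why lvm_t needs them; a short comment such as `# moved from the hide_broken_symptoms block in init.te; lvm lists these mountpoints — confirm the motivating denial` would keep that history with the rule.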
@@ -47722,7 +48771,7 @@ index a0a0ebf..1440818 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -311,6 +330,11 @@ ifdef(`distro_redhat',`
+@@ -311,6 +332,11 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -47734,7 +48783,7 @@ index a0a0ebf..1440818 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -331,6 +355,10 @@ optional_policy(`
+@@ -331,6 +357,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47745,7 +48794,7 @@ index a0a0ebf..1440818 100644
  	modutils_domtrans_insmod(lvm_t)
  ')
  
-@@ -339,6 +367,10 @@ optional_policy(`
+@@ -339,6 +369,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48007,7 +49056,7 @@ index 72c746e..3d0bc28 100644
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..83107f9 100644
+index 8b5c196..6dc92dd 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
 @@ -16,6 +16,16 @@ interface(`mount_domtrans',`
@@ -48027,7 +49076,7 @@ index 8b5c196..83107f9 100644
  ')
  
  ########################################
-@@ -45,8 +55,54 @@ interface(`mount_run',`
+@@ -45,12 +55,77 @@ interface(`mount_run',`
  	role $2 types mount_t;
  
  	optional_policy(`
@@ -48050,11 +49099,11 @@ index 8b5c196..83107f9 100644
 +
 +	optional_policy(`
 +		samba_run_smbmount(mount_t, $2)
-+	')
-+')
-+
-+########################################
-+## <summary>
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Execute fusermount in the mount domain, and
 +##	allow the specified role the mount domain,
 +##	and use the caller's terminal.
@@ -48074,16 +49123,39 @@ index 8b5c196..83107f9 100644
 +interface(`mount_run_fusermount',`
 +	gen_require(`
 +		type mount_t;
- 	')
++	')
 +
 +	mount_domtrans_fusermount($1)
 +	role $2 types mount_t;
 +
 +	fstools_run(mount_t, $2)
- ')
- 
- ########################################
-@@ -84,9 +140,11 @@ interface(`mount_exec',`
++')
++
++########################################
++## <summary>
++##	Read mount PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mount_read_pid_files',`
++	gen_require(`
++		type mount_var_run_t;
++	')
++
++	allow $1 mount_var_run_t:file read_file_perms;
++	files_search_pids($1)
++')
++
++########################################
++## <summary>
+ ##	Execute mount in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -84,9 +159,11 @@ interface(`mount_exec',`
  interface(`mount_signal',`
  	gen_require(`
  		type mount_t;
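Review bot: The new `mount_read_pid_files` interface grants `allow $1 mount_var_run_t:file read_file_perms;` and `files_search_pids($1)` but no search permission on directories of type mount_var_run_t, while the mount.fc hunk earlier in this patch labels `/var/run/davfs2(/.*)?` and `/var/cache/davfs2(/.*)?` with that type, so the PID files live inside a mount_var_run_t directory the caller cannot traverse and the read is denied one level above the file. Replacing the allow with `read_files_pattern($1, mount_var_run_t, mount_var_run_t)` grants the directory search together with the file read, which is the usual refpolicy shape for this kind of interface. The interface is complete within the hunk.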
@@ -48095,7 +49167,7 @@ index 8b5c196..83107f9 100644
  ')
  
  ########################################
-@@ -95,7 +153,7 @@ interface(`mount_signal',`
+@@ -95,7 +172,7 @@ interface(`mount_signal',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -48104,7 +49176,7 @@ index 8b5c196..83107f9 100644
  ##	</summary>
  ## </param>
  #
-@@ -135,6 +193,24 @@ interface(`mount_send_nfs_client_request',`
+@@ -135,6 +212,24 @@ interface(`mount_send_nfs_client_request',`
  
  ########################################
  ## <summary>
@@ -48129,7 +49201,7 @@ index 8b5c196..83107f9 100644
  ##	Execute mount in the unconfined mount domain.
  ## </summary>
  ## <param name="domain">
-@@ -176,4 +252,109 @@ interface(`mount_run_unconfined',`
+@@ -176,4 +271,110 @@ interface(`mount_run_unconfined',`
  
  	mount_domtrans_unconfined($1)
  	role $2 types unconfined_mount_t;
@@ -48159,6 +49231,7 @@ index 8b5c196..83107f9 100644
 +	')
 +
 +	domtrans_pattern($1, fusermount_exec_t, mount_t)
++	ps_process_pattern(mount_t, $1)
 +')
 +
 +########################################
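Review bot: `ps_process_pattern(mount_t, $1)` is added to `mount_domtrans_fusermount` without a comment, so every caller of the interface now lets mount_t read its process state in addition to the domain transition, and a reader cannot tell whether fusermount genuinely needs to inspect its parent or whether this silences an AVC that was observed once. A one-line why-comment, e.g. `# fusermount reads its caller's process state — confirm against the denial that motivated this`, would make the grant reviewable; if only specific callers need it, granting it in their own policy instead of in the shared domtrans interface keeps the interface minimal. The enclosing interface begins above the hunk.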
@@ -48240,7 +49313,7 @@ index 8b5c196..83107f9 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..b842390 100644
+index 15832c7..e7aff81 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,8 +17,15 @@ type mount_exec_t;
@@ -48430,16 +49503,12 @@ index 15832c7..b842390 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -141,10 +212,17 @@ ifdef(`distro_ubuntu',`
+@@ -141,10 +212,13 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
 +corecmd_exec_shell(mount_t)
 +
-+modutils_domtrans_insmod(mount_t)
-+
-+fstools_domtrans(mount_t)
-+
  tunable_policy(`allow_mount_anyfile',`
  	auth_read_all_dirs_except_shadow(mount_t)
  	auth_read_all_files_except_shadow(mount_t)
@@ -48448,7 +49517,7 @@ index 15832c7..b842390 100644
  ')
  
  optional_policy(`
-@@ -174,6 +252,8 @@ optional_policy(`
+@@ -174,6 +248,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -48457,7 +49526,7 @@ index 15832c7..b842390 100644
  ')
  
  optional_policy(`
-@@ -181,6 +261,28 @@ optional_policy(`
+@@ -181,6 +257,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48486,7 +49555,7 @@ index 15832c7..b842390 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,13 +290,44 @@ optional_policy(`
+@@ -188,13 +286,52 @@ optional_policy(`
  	')
  ')
  
@@ -48500,6 +49569,14 @@ index 15832c7..b842390 100644
 +')
 +
 +optional_policy(`
++	modutils_domtrans_insmod(mount_t)
++')
++
++optional_policy(`
++	fstools_domtrans(mount_t)
++')
++
++optional_policy(`
 +	rhcs_stream_connect_gfs_controld(mount_t)
 +')
 +
@@ -48531,7 +49608,7 @@ index 15832c7..b842390 100644
  ')
  
  ########################################
-@@ -203,6 +336,43 @@ optional_policy(`
+@@ -203,6 +340,43 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -48576,6 +49653,30 @@ index 15832c7..b842390 100644
 +sysnet_dns_name_resolve(showmount_t)
 +
 +userdom_use_user_terminals(showmount_t)
+diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
+index 4d06ae3..a9918e0 100644
+--- a/policy/modules/system/pcmcia.te
++++ b/policy/modules/system/pcmcia.te
+@@ -98,8 +98,6 @@ logging_send_syslog_msg(cardmgr_t)
+ 
+ miscfiles_read_localization(cardmgr_t)
+ 
+-modutils_domtrans_insmod(cardmgr_t)
+-
+ sysnet_domtrans_ifconfig(cardmgr_t)
+ # for /etc/resolv.conf
+ sysnet_etc_filetrans_config(cardmgr_t)
+@@ -110,6 +108,10 @@ userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
+ userdom_dontaudit_search_user_home_dirs(cardmgr_t)
+ 
+ optional_policy(`
++	modutils_domtrans_insmod(cardmgr_t)
++')
++
++optional_policy(`
+ 	seutil_dontaudit_read_config(cardmgr_t)
+ 	seutil_sigchld_newrole(cardmgr_t)
+ ')
 diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
 index ed9c70d..b961d53 100644
 --- a/policy/modules/system/raid.fc
@@ -49107,7 +50208,7 @@ index 170e2c7..540a936 100644
 +')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..d6a6763 100644
+index 7ed9819..c3dc5ba 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -49120,7 +50221,7 @@ index 7ed9819..d6a6763 100644
  type checkpolicy_t, can_write_binary_policy;
  type checkpolicy_exec_t;
  application_domain(checkpolicy_t, checkpolicy_exec_t)
-@@ -57,8 +60,9 @@ domain_interactive_fd(newrole_t)
+@@ -57,8 +60,13 @@ domain_interactive_fd(newrole_t)
  # policy_config_t is the type of /etc/security/selinux/*
  # the security server policy configuration.
  #
@@ -49128,11 +50229,15 @@ index 7ed9819..d6a6763 100644
 -files_type(policy_config_t)
 +#type policy_config_t;
 +#files_type(policy_config_t)
++gen_require(`
++	type semanage_store_t;
++')
++
 +typealias semanage_store_t alias policy_config_t;
  
  neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
  #neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -74,7 +78,6 @@ type restorecond_t;
+@@ -74,7 +82,6 @@ type restorecond_t;
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t, restorecond_exec_t)
  domain_obj_id_change_exemption(restorecond_t)
@@ -49140,7 +50245,7 @@ index 7ed9819..d6a6763 100644
  
  type restorecond_var_run_t;
  files_pid_file(restorecond_var_run_t)
-@@ -88,26 +91,36 @@ role system_r types run_init_t;
+@@ -88,26 +95,36 @@ role system_r types run_init_t;
  type semanage_t;
  type semanage_exec_t;
  application_domain(semanage_t, semanage_exec_t)
@@ -49179,7 +50284,7 @@ index 7ed9819..d6a6763 100644
  ########################################
  #
  # Checkpolicy local policy
-@@ -176,6 +189,7 @@ term_list_ptys(load_policy_t)
+@@ -176,6 +193,7 @@ term_list_ptys(load_policy_t)
  
  init_use_script_fds(load_policy_t)
  init_use_script_ptys(load_policy_t)
@@ -49187,7 +50292,7 @@ index 7ed9819..d6a6763 100644
  
  miscfiles_read_localization(load_policy_t)
  
-@@ -204,7 +218,7 @@ ifdef(`hide_broken_symptoms',`
+@@ -204,7 +222,7 @@ ifdef(`hide_broken_symptoms',`
  # Newrole local policy
  #
  
@@ -49196,7 +50301,7 @@ index 7ed9819..d6a6763 100644
  allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  allow newrole_t self:process setexec;
  allow newrole_t self:fd use;
-@@ -216,7 +230,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -216,7 +234,7 @@ allow newrole_t self:msgq create_msgq_perms;
  allow newrole_t self:msg { send receive };
  allow newrole_t self:unix_dgram_socket sendto;
  allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -49205,7 +50310,7 @@ index 7ed9819..d6a6763 100644
  
  read_files_pattern(newrole_t, default_context_t, default_context_t)
  read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -233,6 +247,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -233,6 +251,7 @@ domain_use_interactive_fds(newrole_t)
  # for when the user types "exec newrole" at the command line:
  domain_sigchld_interactive_fds(newrole_t)
  
@@ -49213,7 +50318,7 @@ index 7ed9819..d6a6763 100644
  files_read_etc_files(newrole_t)
  files_read_var_files(newrole_t)
  files_read_var_symlinks(newrole_t)
-@@ -260,25 +275,30 @@ term_relabel_all_ptys(newrole_t)
+@@ -260,25 +279,30 @@ term_relabel_all_ptys(newrole_t)
  term_getattr_unallocated_ttys(newrole_t)
  term_dontaudit_use_unallocated_ttys(newrole_t)
  
@@ -49250,7 +50355,7 @@ index 7ed9819..d6a6763 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(newrole_t)
-@@ -312,6 +332,8 @@ kernel_use_fds(restorecond_t)
+@@ -312,6 +336,8 @@ kernel_use_fds(restorecond_t)
  kernel_rw_pipes(restorecond_t)
  kernel_read_system_state(restorecond_t)
  
@@ -49259,7 +50364,7 @@ index 7ed9819..d6a6763 100644
  fs_relabelfrom_noxattr_fs(restorecond_t)
  fs_dontaudit_list_nfs(restorecond_t)
  fs_getattr_xattr_fs(restorecond_t)
-@@ -335,6 +357,8 @@ miscfiles_read_localization(restorecond_t)
+@@ -335,6 +361,8 @@ miscfiles_read_localization(restorecond_t)
  
  seutil_libselinux_linked(restorecond_t)
  
@@ -49268,7 +50373,7 @@ index 7ed9819..d6a6763 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(restorecond_t)
-@@ -353,7 +377,7 @@ optional_policy(`
+@@ -353,7 +381,7 @@ optional_policy(`
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -49277,7 +50382,7 @@ index 7ed9819..d6a6763 100644
  
  # often the administrator runs such programs from a directory that is owned
  # by a different user or has restrictive SE permissions, do not want to audit
-@@ -380,6 +404,8 @@ selinux_compute_create_context(run_init_t)
+@@ -380,6 +408,8 @@ selinux_compute_create_context(run_init_t)
  selinux_compute_relabel_context(run_init_t)
  selinux_compute_user_contexts(run_init_t)
  
@@ -49286,7 +50391,7 @@ index 7ed9819..d6a6763 100644
  auth_use_nsswitch(run_init_t)
  auth_domtrans_chk_passwd(run_init_t)
  auth_domtrans_upd_passwd(run_init_t)
-@@ -405,6 +431,15 @@ ifndef(`direct_sysadm_daemon',`
+@@ -405,6 +435,15 @@ ifndef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -49302,7 +50407,7 @@ index 7ed9819..d6a6763 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -420,61 +455,22 @@ optional_policy(`
+@@ -420,61 +459,22 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -49319,17 +50424,17 @@ index 7ed9819..d6a6763 100644
 -
 -kernel_read_system_state(semanage_t)
 -kernel_read_kernel_sysctls(semanage_t)
--
--corecmd_exec_bin(semanage_t)
--
--dev_read_urand(semanage_t)
 +seutil_semanage_policy(semanage_t)
 +allow semanage_t self:fifo_file rw_fifo_file_perms;
  
--domain_use_interactive_fds(semanage_t)
+-corecmd_exec_bin(semanage_t)
 +manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
 +manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
  
+-dev_read_urand(semanage_t)
+-
+-domain_use_interactive_fds(semanage_t)
+-
 -files_read_etc_files(semanage_t)
 -files_read_etc_runtime_files(semanage_t)
 -files_read_usr_files(semanage_t)
@@ -49351,13 +50456,13 @@ index 7ed9819..d6a6763 100644
 -auth_use_nsswitch(semanage_t)
 -
 -locallogin_use_fds(semanage_t)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
- 
+-
 -logging_send_syslog_msg(semanage_t)
 -
 -miscfiles_read_localization(semanage_t)
--
++# Admins are creating pp files in random locations
++auth_read_all_files_except_shadow(semanage_t)
+ 
 -seutil_libselinux_linked(semanage_t)
  seutil_manage_file_contexts(semanage_t)
  seutil_manage_config(semanage_t)
@@ -49372,13 +50477,13 @@ index 7ed9819..d6a6763 100644
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
-@@ -487,118 +483,64 @@ ifdef(`distro_debian',`
+@@ -487,118 +487,64 @@ ifdef(`distro_debian',`
  	files_read_var_lib_symlinks(semanage_t)
  ')
  
 +optional_policy(`
 +	setrans_initrc_domtrans(semanage_t)
-+        domain_system_change_exemption(semanage_t)
++	domain_system_change_exemption(semanage_t)
 +	consoletype_exec(semanage_t)
 +')
 +
@@ -49455,17 +50560,17 @@ index 7ed9819..d6a6763 100644
 -init_use_script_fds(setfiles_t)
 -init_use_script_ptys(setfiles_t)
 -init_exec_script_files(setfiles_t)
--
--logging_send_syslog_msg(setfiles_t)
 +init_dontaudit_use_fds(setsebool_t)
  
--miscfiles_read_localization(setfiles_t)
+-logging_send_syslog_msg(setfiles_t)
 +# Bug in semanage
 +seutil_domtrans_setfiles(setsebool_t)
 +seutil_manage_file_contexts(setsebool_t)
 +seutil_manage_default_contexts(setsebool_t)
 +seutil_manage_config(setsebool_t)
  
+-miscfiles_read_localization(setfiles_t)
+-
 -seutil_libselinux_linked(setfiles_t)
 +########################################
 +#
@@ -49540,7 +50645,7 @@ index 1447687..cdc0223 100644
  type setrans_initrc_exec_t;
  init_script_file(setrans_initrc_exec_t)
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 726619b..ece1edf 100644
+index 694fd94..334e80e 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
 @@ -10,10 +10,10 @@
@@ -49564,7 +50669,7 @@ index 726619b..ece1edf 100644
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 8e71fb7..065b98e 100644
+index ff80d0a..7f1a21c 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
@@ -49592,7 +50697,7 @@ index 8e71fb7..065b98e 100644
  ')
  
  ########################################
-@@ -249,6 +267,43 @@ interface(`sysnet_delete_dhcpc_state',`
+@@ -269,6 +287,43 @@ interface(`sysnet_delete_dhcpc_state',`
  	delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
  ')
  
@@ -49636,7 +50741,7 @@ index 8e71fb7..065b98e 100644
  #######################################
  ## <summary>
  ##	Set the attributes of network config files.
-@@ -270,6 +325,44 @@ interface(`sysnet_setattr_config',`
+@@ -290,6 +345,44 @@ interface(`sysnet_setattr_config',`
  
  #######################################
  ## <summary>
@@ -49681,7 +50786,7 @@ index 8e71fb7..065b98e 100644
  ##	Read network config files.
  ## </summary>
  ## <desc>
-@@ -406,6 +499,7 @@ interface(`sysnet_manage_config',`
+@@ -426,6 +519,7 @@ interface(`sysnet_manage_config',`
  	allow $1 net_conf_t:file manage_file_perms;
  
  	ifdef(`distro_redhat',`
@@ -49689,7 +50794,7 @@ index 8e71fb7..065b98e 100644
  		manage_files_pattern($1, net_conf_t, net_conf_t)
  	')
  ')
-@@ -444,6 +538,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -464,6 +558,7 @@ interface(`sysnet_delete_dhcpc_pid',`
  		type dhcpc_var_run_t;
  	')
  
@@ -49697,7 +50802,7 @@ index 8e71fb7..065b98e 100644
  	allow $1 dhcpc_var_run_t:file unlink;
  ')
  
-@@ -464,6 +559,9 @@ interface(`sysnet_domtrans_ifconfig',`
+@@ -484,6 +579,9 @@ interface(`sysnet_domtrans_ifconfig',`
  
  	corecmd_search_bin($1)
  	domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -49707,7 +50812,7 @@ index 8e71fb7..065b98e 100644
  ')
  
  ########################################
-@@ -534,6 +632,25 @@ interface(`sysnet_signal_ifconfig',`
+@@ -554,6 +652,25 @@ interface(`sysnet_signal_ifconfig',`
  
  ########################################
  ## <summary>
@@ -49733,7 +50838,7 @@ index 8e71fb7..065b98e 100644
  ##	Read the DHCP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -641,6 +758,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -661,6 +778,8 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_connect_dns_port($1)
  	corenet_sendrecv_dns_client_packets($1)
  
@@ -49742,7 +50847,7 @@ index 8e71fb7..065b98e 100644
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -678,6 +797,9 @@ interface(`sysnet_use_ldap',`
+@@ -698,6 +817,9 @@ interface(`sysnet_use_ldap',`
  	corenet_sendrecv_ldap_client_packets($1)
  
  	sysnet_read_config($1)
@@ -49752,7 +50857,7 @@ index 8e71fb7..065b98e 100644
  ')
  
  ########################################
-@@ -711,3 +833,49 @@ interface(`sysnet_use_portmap',`
+@@ -731,3 +853,49 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -49803,10 +50908,10 @@ index 8e71fb7..065b98e 100644
 +	role_transition $1 dhcpc_exec_t system_r;
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index dfbe736..b8e873f 100644
+index df32316..6de83ef 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
-@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
+@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1)
  # Declarations
  #
  
@@ -49875,7 +50980,7 @@ index dfbe736..b8e873f 100644
  domain_use_interactive_fds(dhcpc_t)
  domain_dontaudit_read_all_domains_state(dhcpc_t)
  
-@@ -130,9 +148,11 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
+@@ -130,13 +148,13 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
  term_dontaudit_use_generic_ptys(dhcpc_t)
  
  init_rw_utmp(dhcpc_t)
@@ -49886,8 +50991,12 @@ index dfbe736..b8e873f 100644
 +miscfiles_read_generic_certs(dhcpc_t)
  miscfiles_read_localization(dhcpc_t)
  
- modutils_domtrans_insmod(dhcpc_t)
-@@ -155,6 +175,14 @@ optional_policy(`
+-modutils_domtrans_insmod(dhcpc_t)
+-
+ userdom_use_user_terminals(dhcpc_t)
+ userdom_dontaudit_search_user_home_dirs(dhcpc_t)
+ 
+@@ -155,6 +173,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49902,7 +51011,7 @@ index dfbe736..b8e873f 100644
  	init_dbus_chat_script(dhcpc_t)
  
  	dbus_system_bus_client(dhcpc_t)
-@@ -171,6 +199,8 @@ optional_policy(`
+@@ -171,6 +197,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -49911,10 +51020,14 @@ index dfbe736..b8e873f 100644
  ')
  
  optional_policy(`
-@@ -192,6 +222,13 @@ optional_policy(`
+@@ -192,6 +220,17 @@ optional_policy(`
  ')
  
  optional_policy(`
++	modutils_domtrans_insmod(dhcpc_t)
++')
++
++optional_policy(`
 +	networkmanager_domtrans(dhcpc_t)
 +	networkmanager_read_pid_files(dhcpc_t)
 +	networkmanager_read_lib_files(dhcpc_t)
@@ -49925,7 +51038,7 @@ index dfbe736..b8e873f 100644
  	nis_read_ypbind_pid(dhcpc_t)
  ')
  
-@@ -213,6 +250,10 @@ optional_policy(`
+@@ -213,6 +252,10 @@ optional_policy(`
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -49936,7 +51049,7 @@ index dfbe736..b8e873f 100644
  ')
  
  optional_policy(`
-@@ -276,8 +317,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +319,11 @@ dev_read_urand(ifconfig_t)
  
  domain_use_interactive_fds(ifconfig_t)
  
@@ -49948,7 +51061,11 @@ index dfbe736..b8e873f 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -305,6 +349,8 @@ modutils_domtrans_insmod(ifconfig_t)
+@@ -301,10 +347,11 @@ logging_send_syslog_msg(ifconfig_t)
+ 
+ miscfiles_read_localization(ifconfig_t)
+ 
+-modutils_domtrans_insmod(ifconfig_t)
  
  seutil_use_runinit_fds(ifconfig_t)
  
@@ -49957,7 +51074,7 @@ index dfbe736..b8e873f 100644
  userdom_use_user_terminals(ifconfig_t)
  userdom_use_all_users_fds(ifconfig_t)
  
-@@ -314,6 +360,10 @@ ifdef(`distro_ubuntu',`
+@@ -314,6 +361,10 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -49968,7 +51085,7 @@ index dfbe736..b8e873f 100644
  ifdef(`hide_broken_symptoms',`
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -325,12 +375,27 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,12 +376,31 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -49992,11 +51109,15 @@ index dfbe736..b8e873f 100644
 +')
 +
 +optional_policy(`
++	modutils_domtrans_insmod(ifconfig_t)
++')
++
++optional_policy(`
 +	netutils_domtrans(dhcpc_t)
  ')
  
  optional_policy(`
-@@ -355,3 +420,9 @@ optional_policy(`
+@@ -355,3 +425,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -50008,10 +51129,12 @@ index dfbe736..b8e873f 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..64fc1a5
+index 0000000..50aed3b
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,9 @@
+@@ -0,0 +1,11 @@
++/bin/systemd-notify					--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
++
 +/bin/systemd-tty-ask-password-agent			--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +/bin/systemd-tmpfiles					--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +
@@ -50023,10 +51146,10 @@ index 0000000..64fc1a5
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..eed77d0
+index 0000000..1d17a7b
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,139 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -50065,6 +51188,23 @@ index 0000000..eed77d0
 +	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
 +')
 +
++########################################
++## <summary>
++##	Execute a domain transition to run systemd_notify.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_notify_domtrans',`
++	gen_require(`
++		type systemd_notify_t, systemd_notify_exec_t;
++	')
++
++	domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
++')
 +
 +########################################
 +## <summary>
@@ -50151,10 +51291,10 @@ index 0000000..eed77d0
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..d09b523
+index 0000000..23d4b0c
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,138 @@
 +
 +policy_module(systemd, 1.0.0)
 +
@@ -50177,7 +51317,12 @@ index 0000000..d09b523
 +type systemd_tmpfiles_exec_t;
 +init_systemd_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
 +
++type systemd_notify_t;
++type systemd_notify_exec_t;
++init_systemd_domain(systemd_notify_t, systemd_notify_exec_t)
++
 +permissive systemd_tmpfiles_t;
++permissive systemd_notify_t;
 +
 +#
 +# Type for systemd pipes in /dev/.systemd/ directory
@@ -50263,23 +51408,42 @@ index 0000000..d09b523
 +    auth_rw_login_records(systemd_tmpfiles_t)
 +')
 +
++optional_policy(`
++	rpm_delete_db(systemd_tmpfiles_t)
++')
++
++########################################
++#
++# systemd_notify local policy
++#
++allow systemd_notify_t self:capability { chown };
++allow systemd_notify_t self:process { fork setfscreate setsockcreate };
++
++allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
++allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(systemd_notify_t)
++
++files_read_etc_files(systemd_notify_t)
++
++auth_use_nsswitch(systemd_notify_t)
++
++miscfiles_read_localization(systemd_notify_t)
++
++optional_policy(`
++	readahead_manage_pid_files(systemd_notify_t)
++')
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index d1c22f3..44fe366 100644
+index 0291685..44fe366 100644
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
-@@ -1,4 +1,4 @@
--/dev/\.udev(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
-+/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
- /dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
- /dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
- 
 @@ -22,3 +22,4 @@
  /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
  
  /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 +/var/run/libgpod(/.*)?	        gen_context(system_u:object_r:udev_var_run_t,s0)    
 diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..ad5bfd8 100644
+index 025348a..8b50d5f 100644
 --- a/policy/modules/system/udev.if
 +++ b/policy/modules/system/udev.if
 @@ -34,6 +34,7 @@ interface(`udev_domtrans',`
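Review bot: `rpm_delete_db(systemd_tmpfiles_t)` lets the tmpfiles cleaner unlink files carrying the RPM database label, and nothing in the hunk records which files that is for; presumably it is stale lock files that a tmpfiles.d entry removes, but a reader of the .te cannot tell. I'd add a comment above that optional_policy block, e.g. `# tmpfiles.d removes stale rpm db lock files at boot; delete only, no write or relabel`, so the grant is not widened later without thought. Likewise the new systemd_notify block grants `setfscreate setsockcreate` and `chown` with no comment on which operation of the notify helper needs them; a one-line rationale next to each would make later audits of this domain much cheaper.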
@@ -50364,7 +51528,7 @@ index 025348a..ad5bfd8 100644
 +#
 +interface(`udev_run',`
 +    gen_require(`
-+        type iptables_t;
++        type udev_t;
 +    ')
 +
 +    udev_domtrans($1)
@@ -50404,15 +51568,9 @@ index 025348a..ad5bfd8 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 8f852e5..d3c3938 100644
+index d88f7c3..d3c3938 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
-@@ -1,4 +1,4 @@
--policy_module(udev, 1.12.1)
-+policy_module(udev, 1.12.2)
- 
- ########################################
- #
 @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -51310,7 +52468,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..296513f 100644
+index 28b88de..774a8cc 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -52354,7 +53512,7 @@ index 28b88de..296513f 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,54 +1164,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1164,78 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -52446,6 +53604,7 @@ index 28b88de..296513f 100644
  	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
 +		mount_run_fusermount($1_t, $1_r)
++		mount_read_pid_files($1_t)
 +	')
 +
 +	optional_policy(`
@@ -52462,7 +53621,7 @@ index 28b88de..296513f 100644
  	')
  ')
  
-@@ -1039,7 +1270,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1271,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -52471,7 +53630,7 @@ index 28b88de..296513f 100644
  	')
  
  	##############################
-@@ -1066,6 +1297,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1298,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -52479,7 +53638,7 @@ index 28b88de..296513f 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1306,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1307,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -52489,7 +53648,7 @@ index 28b88de..296513f 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1323,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1324,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -52497,7 +53656,7 @@ index 28b88de..296513f 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,6 +1341,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,6 +1342,8 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -52506,7 +53665,7 @@ index 28b88de..296513f 100644
  
  	domain_setpriority_all_domains($1_t)
  	domain_read_all_domains_state($1_t)
-@@ -1119,15 +1357,19 @@ template(`userdom_admin_user_template',`
+@@ -1119,15 +1358,19 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -52526,15 +53685,19 @@ index 28b88de..296513f 100644
  
  	term_use_all_terms($1_t)
  
-@@ -1142,6 +1384,7 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1384,10 @@ template(`userdom_admin_user_template',`
+ 
  	logging_send_syslog_msg($1_t)
  
- 	modutils_domtrans_insmod($1_t)
-+	modutils_domtrans_depmod($1_t)
+-	modutils_domtrans_insmod($1_t)
++	optional_policy(`
++		modutils_domtrans_insmod($1_t)
++		modutils_domtrans_depmod($1_t)
++	')
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1453,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1456,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -52543,7 +53706,7 @@ index 28b88de..296513f 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,6 +1467,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1470,7 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -52551,7 +53714,7 @@ index 28b88de..296513f 100644
  
  	auth_relabel_all_files_except_shadow($1)
  	auth_relabel_shadow($1)
-@@ -1237,6 +1483,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1486,7 @@ template(`userdom_security_admin_template',`
  	seutil_run_checkpolicy($1,$2)
  	seutil_run_loadpolicy($1,$2)
  	seutil_run_semanage($1,$2)
@@ -52559,7 +53722,7 @@ index 28b88de..296513f 100644
  	seutil_run_setfiles($1, $2)
  
  	optional_policy(`
-@@ -1279,11 +1526,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1529,37 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -52597,7 +53760,7 @@ index 28b88de..296513f 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,6 +1668,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1671,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -52605,7 +53768,7 @@ index 28b88de..296513f 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1715,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1718,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -52620,7 +53783,7 @@ index 28b88de..296513f 100644
  ')
  
  ########################################
-@@ -1456,9 +1738,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1741,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -52632,7 +53795,7 @@ index 28b88de..296513f 100644
  ')
  
  ########################################
-@@ -1515,10 +1799,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1802,10 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -52645,7 +53808,7 @@ index 28b88de..296513f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1526,35 +1810,71 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,33 +1813,69 @@ interface(`userdom_relabelto_user_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -52681,8 +53844,7 @@ index 28b88de..296513f 100644
 -## </desc>
 -## <param name="source_domain">
 +## <param name="domain">
- ##	<summary>
--##	Domain allowed to transition.
++##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@@ -52733,12 +53895,10 @@ index 28b88de..296513f 100644
 +##	</p>
 +## </desc>
 +## <param name="source_domain">
-+##	<summary>
-+##	Domain allowed to transition.
+ ##	<summary>
+ ##	Domain allowed to transition.
  ##	</summary>
- ## </param>
- ## <param name="target_domain">
-@@ -1589,6 +1909,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1912,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -52747,7 +53907,7 @@ index 28b88de..296513f 100644
  ')
  
  ########################################
-@@ -1603,10 +1925,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1928,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -52762,7 +53922,7 @@ index 28b88de..296513f 100644
  ')
  
  ########################################
-@@ -1649,6 +1973,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1976,25 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -52788,7 +53948,7 @@ index 28b88de..296513f 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1700,12 +2043,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2046,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -52821,7 +53981,7 @@ index 28b88de..296513f 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2079,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2082,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -52839,7 +53999,7 @@ index 28b88de..296513f 100644
  ')
  
  ########################################
-@@ -1810,8 +2176,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2179,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -52849,7 +54009,7 @@ index 28b88de..296513f 100644
  ')
  
  ########################################
-@@ -1827,21 +2192,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2195,15 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -52875,7 +54035,7 @@ index 28b88de..296513f 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to execute user home files.
-@@ -2182,7 +2541,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2544,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -52884,7 +54044,7 @@ index 28b88de..296513f 100644
  ')
  
  ########################################
-@@ -2435,13 +2794,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2797,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -52900,7 +54060,7 @@ index 28b88de..296513f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +2822,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2825,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -52927,7 +54087,7 @@ index 28b88de..296513f 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2815,7 +3155,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3158,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -52936,7 +54096,7 @@ index 28b88de..296513f 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3171,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3174,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -52952,7 +54112,7 @@ index 28b88de..296513f 100644
  ')
  
  ########################################
-@@ -2917,7 +3259,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3262,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -52961,7 +54121,7 @@ index 28b88de..296513f 100644
  ')
  
  ########################################
-@@ -2972,7 +3314,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3317,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -53008,7 +54168,7 @@ index 28b88de..296513f 100644
  ')
  
  ########################################
-@@ -3009,6 +3389,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3392,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -53016,7 +54176,7 @@ index 28b88de..296513f 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3139,3 +3520,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3523,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -54243,7 +55403,7 @@ index 77d41b6..4aa96c6 100644
  
  	files_search_pids($1)
 diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..630c03d 100644
+index 4350ba0..c8b1d3b 100644
 --- a/policy/modules/system/xen.te
 +++ b/policy/modules/system/xen.te
 @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -54274,16 +55434,52 @@ index 4350ba0..630c03d 100644
  ########################################
  #
  # blktap local policy
-@@ -341,6 +338,8 @@ xen_stream_connect_xenstore(xend_t)
+@@ -320,12 +317,9 @@ locallogin_dontaudit_use_fds(xend_t)
  
- netutils_domtrans(xend_t)
+ logging_send_syslog_msg(xend_t)
  
-+virt_read_config(xend_t)
-+
+-lvm_domtrans(xend_t)
+-
+ miscfiles_read_localization(xend_t)
+ miscfiles_read_hwdata(xend_t)
+ 
+-mount_domtrans(xend_t)
+ 
+ sysnet_domtrans_dhcpc(xend_t)
+ sysnet_signal_dhcpc(xend_t)
+@@ -339,8 +333,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+ 
+ xen_stream_connect_xenstore(xend_t)
+ 
+-netutils_domtrans(xend_t)
+-
  optional_policy(`
  	brctl_domtrans(xend_t)
  ')
-@@ -413,9 +412,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -349,6 +341,22 @@ optional_policy(`
+ 	consoletype_exec(xend_t)
+ ')
+ 
++optional_policy(`
++	lvm_domtrans(xend_t)
++')
++
++optional_policy(`
++	mount_domtrans(xend_t)
++')
++
++optional_policy(`	
++	netutils_domtrans(xend_t)
++')
++
++optional_policy(`
++	virt_read_config(xend_t)
++')
++
+ ########################################
+ #
+ # Xen console local policy
+@@ -413,9 +421,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
  files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
  
  # pid file
@@ -54295,7 +55491,7 @@ index 4350ba0..630c03d 100644
  
  # log files
  manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +442,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +451,11 @@ files_read_etc_files(xenstored_t)
  
  files_read_usr_files(xenstored_t)
  
@@ -54307,7 +55503,7 @@ index 4350ba0..630c03d 100644
  
  init_use_fds(xenstored_t)
  init_use_script_ptys(xenstored_t)
-@@ -457,96 +459,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +468,9 @@ xen_append_log(xenstored_t)
  
  ########################################
  #
@@ -54404,7 +55600,7 @@ index 4350ba0..630c03d 100644
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-@@ -559,8 +474,4 @@ optional_policy(`
+@@ -559,8 +483,4 @@ optional_policy(`
  		fs_manage_nfs_files(xend_t)
  		fs_read_nfs_symlinks(xend_t)
  	')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 76bb25a..f963050 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,8 +20,8 @@
 %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.9.15
-Release: 5%{?dist}
+Version: 3.9.16
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,19 @@ exit 0
 %endif
 
 %changelog
+* Tue Mar 8 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-1
+- Update to upstream
+- Fixes for telepathy
+- Add port defition for ssdp port
+- add policy for /bin/systemd-notify from Dan
+- Mount command requires users read mount_var_run_t
+- colord needs to read konject_uevent_socket
+- User domains connect to the gkeyring socket
+- Add colord policy and allow user_t and staff_t to dbus chat with it
+- Add lvm_exec_t label for kpartx
+- Dontaudit reading the mail_spool_t link from sandbox -X
+- systemd is creating sockets in avahi_var_run and system_dbusd_var_run
+
 * Tue Mar 1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.15-5
 - gpg_t needs to talk to gnome-keyring
 - nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd
diff --git a/sources b/sources
index 0fe45a1..e45ca02 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 409b40c8102b1617681ba17c31032e66  config.tgz
-2eeeb55c62c5ead3dab8a0ae7b29bfd5  serefpolicy-3.9.15.tgz
+f5e2a024693e5f5fb65bb2c1cd8256cd  serefpolicy-3.9.16.tgz

