[selinux-policy/f15] - Allow logrotate to connect to init script using unix domain stream socket - Allow shorewall read a

Miroslav Grepl mgrepl at fedoraproject.org
Tue May 17 15:43:18 UTC 2011


commit 4732303f1cfa1c0c1d0c0b4611a92af121f0bdd7
Author: Miroslav Grepl <mgrepl at fedora15.(none)>
Date:   Tue May 17 17:43:00 2011 +0200

    - Allow logrotate to connect to init script using unix domain stream socket
    - Allow shorewall read and write inherited user domain pty/tty
    - virt will attempt to use another virtualization's pulseaudio tmpfs_t, ignore error
    - Allow colord to get the attributes of fixed disk device nodes
    - Allow nsplugin_t to getattr on gpmctl
    - Allow mozilla_plugin to connect to pcscd over an unix stream socket
    - Allow logrotate to execute systemctl
    - colord wants to read files in users homedir
    - Remote login should create user_tmp_t content not its own tmp files
    - Allow psad signal
    - Fix cobbler_read_lib_files interface
    - Allow rlogind to r/w user terminals
    - Allow prelink_cron_system_t to relabel content and ignore obj_id
    - Allow gnomeclock_systemctl_t to list init_var_run_t
    - Dbus domains will inherit fds from the init system

 policy-F15.patch    |  747 ++++++++++++++++++++++++++++++++-------------------
 selinux-policy.spec |   19 ++-
 2 files changed, 491 insertions(+), 275 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 33a544e..b1073c0 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -786,10 +786,25 @@ index 4f7bd3c..3405a10 100644
  ')
  
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..ce5af6e 100644
+index 7090dae..90e22f4 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
-@@ -119,14 +119,10 @@ seutil_dontaudit_read_config(logrotate_t)
+@@ -105,6 +105,9 @@ files_getattr_generic_locks(logrotate_t)
+ 
+ # cjp: why is this needed?
+ init_domtrans_script(logrotate_t)
++# bug 704844
++init_stream_connect_script(logrotate_t)
++files_write_generic_pid_socket(logrotate_t)
+ 
+ logging_manage_all_logs(logrotate_t)
+ logging_send_syslog_msg(logrotate_t)
+@@ -116,17 +119,15 @@ miscfiles_read_localization(logrotate_t)
+ 
+ seutil_dontaudit_read_config(logrotate_t)
+ 
++systemd_exec_systemctl(logrotate_t)
++
  userdom_use_user_terminals(logrotate_t)
  userdom_list_user_home_dirs(logrotate_t)
  userdom_use_unpriv_users_fds(logrotate_t)
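Review bot: `files_write_generic_pid_socket(logrotate_t)` on the new side grants write to every sock_file that carries the generic `var_run_t` label, not only the init-script socket the `# bug 704844` comment refers to, so any daemon whose socket was left with the default /var/run label becomes reachable from logrotate. If that socket lives at a fixed path, a dedicated type with a file-context entry and a write rule on that type would narrow the grant to the one socket. Failing that, the comment should at least name the socket it is meant for, e.g. `# bug 704844: write to the init script socket at <socket path - fill in> under /var/run`. The `systemd_exec_systemctl(logrotate_t)` line further down in the same hunk is a separate grant and is not covered by that comment.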
@@ -806,7 +821,7 @@ index 7090dae..ce5af6e 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
-@@ -166,6 +162,11 @@ optional_policy(`
+@@ -166,6 +167,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -818,7 +833,7 @@ index 7090dae..ce5af6e 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -203,7 +204,6 @@ optional_policy(`
+@@ -203,7 +209,6 @@ optional_policy(`
  	psad_domtrans(logrotate_t)
  ')
  
@@ -826,7 +841,7 @@ index 7090dae..ce5af6e 100644
  optional_policy(`
  	samba_exec_log(logrotate_t)
  ')
-@@ -228,3 +228,14 @@ optional_policy(`
+@@ -228,3 +233,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -1362,10 +1377,18 @@ index c633aea..c489eec 100644
  optional_policy(`
  	seutil_use_newrole_fds(gcc_config_t)
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..2abb1a0 100644
+index af55369..4e0088d 100644
 --- a/policy/modules/admin/prelink.te
 +++ b/policy/modules/admin/prelink.te
-@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
+@@ -18,6 +18,7 @@ type prelink_cron_system_t;
+ type prelink_cron_system_exec_t;
+ domain_type(prelink_cron_system_t)
+ domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
++domain_obj_id_change_exemption(prelink_cron_system_t)
+ 
+ type prelink_log_t;
+ logging_log_file(prelink_log_t)
+@@ -36,7 +37,7 @@ files_type(prelink_var_lib_t)
  # Local policy
  #
  
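Review bot: `domain_obj_id_change_exemption(prelink_cron_system_t)` is added with no comment, and that interface exempts the domain from the object-identity-change constraint (the one that requires a created or relabelled object's user identity to match the process's), which is a notable widening for a cron-driven domain. The commit message says "relabel content and ignore obj_id" but the policy file itself does not record which files the cron job relabels or why their identity differs. A one-line comment next to the rule would let a later reviewer confirm the exemption is still needed, e.g. `# the prelink cron job relabels files owned by other users; exempt it from the obj_id change constraint`.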
@@ -1374,7 +1397,7 @@ index af55369..2abb1a0 100644
  allow prelink_t self:process { execheap execmem execstack signal };
  allow prelink_t self:fifo_file rw_fifo_file_perms;
  
-@@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+@@ -59,10 +60,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
@@ -1387,7 +1410,7 @@ index af55369..2abb1a0 100644
  
  kernel_read_system_state(prelink_t)
  kernel_read_kernel_sysctls(prelink_t)
-@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t)
+@@ -73,6 +75,7 @@ corecmd_mmap_all_executables(prelink_t)
  corecmd_read_bin_symlinks(prelink_t)
  
  dev_read_urand(prelink_t)
@@ -1395,7 +1418,7 @@ index af55369..2abb1a0 100644
  
  files_list_all(prelink_t)
  files_getattr_all_files(prelink_t)
-@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t)
+@@ -86,6 +89,8 @@ files_relabelfrom_usr_files(prelink_t)
  
  fs_getattr_xattr_fs(prelink_t)
  
@@ -1404,7 +1427,7 @@ index af55369..2abb1a0 100644
  selinux_get_enforce_mode(prelink_t)
  
  libs_exec_ld_so(prelink_t)
-@@ -99,6 +103,8 @@ libs_delete_lib_symlinks(prelink_t)
+@@ -99,6 +104,8 @@ libs_delete_lib_symlinks(prelink_t)
  miscfiles_read_localization(prelink_t)
  
  userdom_use_user_terminals(prelink_t)
@@ -1413,7 +1436,7 @@ index af55369..2abb1a0 100644
  
  optional_policy(`
  	amanda_manage_lib(prelink_t)
-@@ -109,6 +115,14 @@ optional_policy(`
+@@ -109,6 +116,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1428,7 +1451,7 @@ index af55369..2abb1a0 100644
  	rpm_manage_tmp_files(prelink_t)
  ')
  
-@@ -129,6 +143,7 @@ optional_policy(`
+@@ -129,6 +144,7 @@ optional_policy(`
  
  	read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
  	allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -1436,7 +1459,7 @@ index af55369..2abb1a0 100644
  
  	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
  	allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +163,28 @@ optional_policy(`
+@@ -148,17 +164,28 @@ optional_policy(`
  	files_read_etc_files(prelink_cron_system_t)
  	files_search_var_lib(prelink_cron_system_t)
  
@@ -2103,7 +2126,7 @@ index 0948921..f198119 100644
  	admin_pattern($1, shorewall_tmp_t)
  ')
 diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
-index c17b6a6..d412305 100644
+index c17b6a6..8ff5a96 100644
 --- a/policy/modules/admin/shorewall.te
 +++ b/policy/modules/admin/shorewall.te
 @@ -58,6 +58,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
@@ -2116,7 +2139,7 @@ index c17b6a6..d412305 100644
  
  kernel_read_kernel_sysctls(shorewall_t)
  kernel_read_network_state(shorewall_t)
-@@ -80,13 +83,18 @@ fs_getattr_all_fs(shorewall_t)
+@@ -80,13 +83,20 @@ fs_getattr_all_fs(shorewall_t)
  
  init_rw_utmp(shorewall_t)
  
@@ -2128,6 +2151,8 @@ index c17b6a6..d412305 100644
  sysnet_domtrans_ifconfig(shorewall_t)
  
 -userdom_dontaudit_list_user_home_dirs(shorewall_t)
++userdom_use_inherited_user_ttys(shorewall_t)
++userdom_use_inherited_user_ptys(shorewall_t)
 +userdom_dontaudit_list_admin_dir(shorewall_t)
 +
 +optional_policy(`
@@ -4525,7 +4550,7 @@ index f5afe78..4c9bd12 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..95f89db 100644
+index 2505654..43eb452 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0)
@@ -4600,7 +4625,7 @@ index 2505654..95f89db 100644
  ##############################
  #
  # Local Policy
-@@ -75,3 +110,165 @@ optional_policy(`
+@@ -75,3 +110,167 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -4675,6 +4700,8 @@ index 2505654..95f89db 100644
 +files_read_etc_files(gnomesystemmm_t)
 +files_read_usr_files(gnomesystemmm_t)
 +
++fs_getattr_xattr_fs(gnomesystemmm_t)
++
 +miscfiles_read_localization(gnomesystemmm_t)
 +
 +userdom_read_all_users_state(gnomesystemmm_t)
@@ -5824,7 +5851,7 @@ index 9a6d67d..19de023 100644
 +	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
 +')
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..584c255 100644
+index 2a91fa8..1ddd82a 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -5906,7 +5933,7 @@ index 2a91fa8..584c255 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,194 @@ optional_policy(`
+@@ -266,3 +291,198 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -6082,6 +6109,10 @@ index 2a91fa8..584c255 100644
 +')
 +
 +optional_policy(`
++	pcscd_stream_connect(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	xserver_read_xdm_pid(mozilla_plugin_t)
 +	xserver_stream_connect(mozilla_plugin_t)
 +	xserver_use_user_fonts(mozilla_plugin_t)
@@ -6799,10 +6830,10 @@ index 0000000..4f9cb05
 +')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
-index 0000000..3ce0256
+index 0000000..7e5b628
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,327 @@
+@@ -0,0 +1,332 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -6998,6 +7029,10 @@ index 0000000..3ce0256
 +')
 +
 +optional_policy(`
++	gpm_getattr_gpmctl(nsplugin_t)
++')
++
++optional_policy(`
 +	mozilla_execute_user_home_files(nsplugin_t)
 +	mozilla_read_user_home_files(nsplugin_t)
 +	mozilla_write_user_home_files(nsplugin_t)
@@ -7044,6 +7079,7 @@ index 0000000..3ce0256
 +allow nsplugin_config_t self:fifo_file rw_file_perms;
 +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
++dev_search_sysfs(nsplugin_config_t)
 +dev_read_urand(nsplugin_config_t)
 +dev_dontaudit_read_rand(nsplugin_config_t)
 +dev_dontaudit_rw_dri(nsplugin_config_t)
@@ -8160,10 +8196,10 @@ index 0000000..0fedd57
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..dd6c327
+index 0000000..b0cc5df
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,483 @@
+@@ -0,0 +1,484 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -8224,6 +8260,7 @@ index 0000000..dd6c327
 +fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 +
 +kernel_dontaudit_request_load_module(sandbox_xserver_t)
++kernel_read_system_state(sandbox_xserver_t)
 +
 +corecmd_exec_bin(sandbox_xserver_t)
 +corecmd_exec_shell(sandbox_xserver_t)
@@ -8241,7 +8278,9 @@ index 0000000..dd6c327
 +corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
 +corenet_sendrecv_all_client_packets(sandbox_xserver_t)
 +
++dev_search_sysfs(sandbox_xserver_t)
 +dev_rwx_zero(sandbox_xserver_t)
++dev_read_urand(sandbox_xserver_t)
 +
 +files_read_config_files(sandbox_xserver_t)
 +files_read_usr_files(sandbox_xserver_t)
@@ -8253,8 +8292,6 @@ index 0000000..dd6c327
 +miscfiles_read_fonts(sandbox_xserver_t)
 +miscfiles_read_localization(sandbox_xserver_t)
 +
-+kernel_read_system_state(sandbox_xserver_t)
-+
 +selinux_validate_context(sandbox_xserver_t)
 +selinux_compute_access_vector(sandbox_xserver_t)
 +selinux_compute_create_context(sandbox_xserver_t)
@@ -8308,6 +8345,10 @@ index 0000000..dd6c327
 +	attribute exec_type, configfile;
 +')
 +
++kernel_dontaudit_read_system_state(sandbox_domain)
++
++corecmd_exec_all_executables(sandbox_domain)
++
 +files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
 +files_entrypoint_all_files(sandbox_domain)
 +
@@ -8318,9 +8359,6 @@ index 0000000..dd6c327
 +
 +miscfiles_read_localization(sandbox_domain)
 +
-+kernel_dontaudit_read_system_state(sandbox_domain)
-+corecmd_exec_all_executables(sandbox_domain)
-+
 +userdom_dontaudit_use_user_terminals(sandbox_domain)
 +
 +mta_dontaudit_read_spool_symlinks(sandbox_domain)
@@ -8360,21 +8398,20 @@ index 0000000..dd6c327
 +manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
 +dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
 +
-+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
-+
-+files_search_home(sandbox_x_domain)
-+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
-+
 +kernel_getattr_proc(sandbox_x_domain)
 +kernel_read_network_state(sandbox_x_domain)
 +kernel_read_system_state(sandbox_x_domain)
 +
++domain_dontaudit_read_all_domains_state(sandbox_x_domain)
++
 +corecmd_exec_all_executables(sandbox_x_domain)
 +
 +dev_read_urand(sandbox_x_domain)
 +dev_dontaudit_read_rand(sandbox_x_domain)
 +dev_read_sysfs(sandbox_x_domain)
 +
++files_search_home(sandbox_x_domain)
++files_dontaudit_list_all_mountpoints(sandbox_x_domain)
 +files_entrypoint_all_files(sandbox_x_domain)
 +files_read_config_files(sandbox_x_domain)
 +files_read_usr_files(sandbox_x_domain)
@@ -9599,10 +9636,10 @@ index ced285a..2e50976 100644
 +	')
 +')
 diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
-index 13b2cea..45731eb 100644
+index 13b2cea..bf46ac1 100644
 --- a/policy/modules/apps/userhelper.te
 +++ b/policy/modules/apps/userhelper.te
-@@ -6,9 +6,61 @@ policy_module(userhelper, 1.6.0)
+@@ -6,9 +6,63 @@ policy_module(userhelper, 1.6.0)
  #
  
  attribute userhelper_type;
@@ -9639,6 +9676,8 @@ index 13b2cea..45731eb 100644
 +
 +corecmd_exec_bin(consolehelper_domain)
 +
++dev_getattr_all_chr_files(consolehelper_domain)
++
 +files_read_config_files(consolehelper_domain)
 +files_read_usr_files(consolehelper_domain)
 +
@@ -10415,7 +10454,7 @@ index 6cf8784..5a6e602 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..255c5bb 100644
+index e9313fb..74456ed 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -10570,7 +10609,15 @@ index e9313fb..255c5bb 100644
  ')
  
  ########################################
-@@ -1178,6 +1233,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1006,6 +1061,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
+ interface(`dev_getattr_all_chr_files',`
+ 	gen_require(`
+ 		attribute device_node;
++		type device_t;
+ 	')
+ 
+ 	getattr_chr_files_pattern($1, device_t, device_node)
+@@ -1178,6 +1234,42 @@ interface(`dev_create_all_chr_files',`
  
  ########################################
  ## <summary>
@@ -10613,7 +10660,7 @@ index e9313fb..255c5bb 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -3192,24 +3283,6 @@ interface(`dev_rw_printer',`
+@@ -3192,24 +3284,6 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -10638,7 +10685,7 @@ index e9313fb..255c5bb 100644
  ##	Get the attributes of the QEMU
  ##	microcode and id interfaces.
  ## </summary>
-@@ -3793,6 +3866,24 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3793,6 +3867,24 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -10663,7 +10710,7 @@ index e9313fb..255c5bb 100644
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3884,25 +3975,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3884,25 +3976,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -10689,7 +10736,7 @@ index e9313fb..255c5bb 100644
  ##	Read hardware state information.
  ## </summary>
  ## <desc>
-@@ -3954,6 +4026,42 @@ interface(`dev_rw_sysfs',`
+@@ -3954,6 +4027,42 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -10732,7 +10779,7 @@ index e9313fb..255c5bb 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4514,6 +4622,24 @@ interface(`dev_rwx_vmware',`
+@@ -4514,6 +4623,24 @@ interface(`dev_rwx_vmware',`
  
  ########################################
  ## <summary>
@@ -10757,7 +10804,7 @@ index e9313fb..255c5bb 100644
  ##	Write to watchdog devices.
  ## </summary>
  ## <param name="domain">
-@@ -4748,3 +4874,22 @@ interface(`dev_unconfined',`
+@@ -4748,3 +4875,22 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -11235,7 +11282,7 @@ index 16108f6..a02d2cc 100644
 +
 +/usr/lib/debug(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..0d32093 100644
+index 958ca84..5631fb1 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -12145,7 +12192,32 @@ index 958ca84..0d32093 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5542,6 +6165,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5410,6 +6033,24 @@ interface(`files_write_generic_pid_pipes',`
+ 	allow $1 var_run_t:fifo_file write;
+ ')
+ 
++######################################
++## <summary>
++##  Write named generic sock file in /var/run.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`files_write_generic_pid_socket',`
++    gen_require(`
++        type var_run_t;
++    ')
++
++    allow $1 var_run_t:sock_file write;
++')
++
+ ########################################
+ ## <summary>
+ ##	Create an object in the process ID directory, with a private type.
+@@ -5542,6 +6183,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
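Review bot: The new `files_write_generic_pid_socket` interface is indented with four spaces and its doc lines use `##  ` with two spaces, while the surrounding interfaces use tabs (compare `	allow $1 var_run_t:fifo_file write;` just above and `##	Create an object in the process ID directory` just below), and its `#` separator line is shorter than the 40-character rule used elsewhere in files.if. Beyond style, the summary `Write named generic sock file in /var/run.` understates the grant: the rule is write on every sock_file carrying the generic `var_run_t` label, so any daemon socket that has no private type is covered. Suggest `##	Write to any socket file in /var/run that carries the generic var_run_t label.` as the summary, with tabs throughout the body to match the file.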
@@ -12208,7 +12280,7 @@ index 958ca84..0d32093 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5559,6 +6238,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6256,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -12253,7 +12325,7 @@ index 958ca84..0d32093 100644
  ')
  
  ########################################
-@@ -5844,3 +6561,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6579,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -21373,7 +21445,7 @@ index 1cf6c4e..e4bac67 100644
 -/var/lib/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_lib_t, s0)
 -/var/log/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_log_t, s0)
 diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
-index 293e08d..82306eb 100644
+index 293e08d..24f7736 100644
 --- a/policy/modules/services/cobbler.if
 +++ b/policy/modules/services/cobbler.if
 @@ -1,12 +1,12 @@
@@ -21472,15 +21544,17 @@ index 293e08d..82306eb 100644
  	files_search_var_lib($1)
  ')
  
-@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',`
+@@ -118,7 +120,9 @@ interface(`cobbler_read_lib_files',`
+ 		type cobbler_var_lib_t;
  	')
  
++	allow $1 cobbler_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
 +	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
  	files_search_var_lib($1)
  ')
  
-@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',`
+@@ -137,12 +141,33 @@ interface(`cobbler_manage_lib_files',`
  		type cobbler_var_lib_t;
  	')
  
@@ -21514,7 +21588,7 @@ index 293e08d..82306eb 100644
  ##	All of the rules required to administrate
  ##	an cobblerd environment
  ## </summary>
-@@ -161,25 +185,34 @@ interface(`cobbler_manage_lib_files',`
+@@ -161,25 +186,34 @@ interface(`cobbler_manage_lib_files',`
  interface(`cobblerd_admin',`
  	gen_require(`
  		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
@@ -21862,10 +21936,10 @@ index 0000000..939d76e
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..7aa11b6
+index 0000000..17e1cf3
 --- /dev/null
 +++ b/policy/modules/services/colord.te
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,111 @@
 +policy_module(colord,1.0.0)
 +
 +########################################
@@ -21893,8 +21967,8 @@ index 0000000..7aa11b6
 +# colord local policy
 +#
 +
++allow colord_t self:capability { dac_read_search dac_override };
 +allow colord_t self:process signal;
-+
 +allow colord_t self:fifo_file rw_fifo_file_perms;
 +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow colord_t self:udp_socket create_socket_perms;
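Review bot: `allow colord_t self:capability { dac_read_search dac_override };` grants more than the home-directory read the commit message describes: `dac_override` bypasses every DAC check including write, whereas `dac_read_search` covers read and search alone. The usual refpolicy idiom when only reads are needed is `allow colord_t self:capability dac_read_search;` paired with `dontaudit colord_t self:capability dac_override;`, because the kernel of this era tests dac_override before dac_read_search and therefore logs a dac_override denial even when dac_read_search alone would have satisfied the access. If colord genuinely writes into user home content, a comment saying so next to the rule would justify keeping dac_override.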
@@ -21929,6 +22003,7 @@ index 0000000..7aa11b6
 +dev_read_urand(colord_t)
 +dev_list_sysfs(colord_t)
 +dev_rw_generic_usb_dev(colord_t)
++storage_getattr_fixed_disk_dev(colord_t)
 +storage_read_scsi_generic(colord_t)
 +storage_write_scsi_generic(colord_t)
 +
@@ -23509,7 +23584,7 @@ index a8b93c0..831ce70 100644
  type dante_var_run_t;
  files_pid_file(dante_var_run_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..d2d4d9d 100644
+index 0d5711c..fd9938d 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -23699,7 +23774,7 @@ index 0d5711c..d2d4d9d 100644
  ')
  
  ########################################
-@@ -431,14 +479,28 @@ interface(`dbus_system_domain',`
+@@ -431,14 +479,29 @@ interface(`dbus_system_domain',`
  
  	domtrans_pattern(system_dbusd_t, $2, $1)
  
@@ -23710,7 +23785,8 @@ index 0d5711c..d2d4d9d 100644
  
 +	init_stream_connect($1)
 +	init_dgram_send($1)
-+	
++	init_use_fds($1)
++
  	ps_process_pattern(system_dbusd_t, $1)
  
 +	userdom_dontaudit_search_admin_dir($1)
@@ -23729,7 +23805,7 @@ index 0d5711c..d2d4d9d 100644
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
  ')
-@@ -497,3 +559,23 @@ interface(`dbus_unconfined',`
+@@ -497,3 +560,23 @@ interface(`dbus_unconfined',`
  
  	typeattribute $1 dbusd_unconfined;
  ')
@@ -27362,7 +27438,7 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..6ee7b93 100644
+index 4fde46b..4417f4e 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
 @@ -9,24 +9,31 @@ type gnomeclock_t;
@@ -27400,7 +27476,7 @@ index 4fde46b..6ee7b93 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +42,50 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +42,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -27445,6 +27521,7 @@ index 4fde46b..6ee7b93 100644
 +# needed by systemctl
 +init_stream_connect(gnomeclock_systemctl_t)
 +init_read_state(gnomeclock_systemctl_t)
++init_list_pid_dirs(gnomeclock_systemctl_t)
 +
 +systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t)
 +
@@ -28145,10 +28222,21 @@ index 9fab1dc..dc7dd01 100644
  mta_send_mail(innd_t)
  
 diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
-index 9aeeaf9..e0ed328 100644
+index 9aeeaf9..4ad06ac 100644
 --- a/policy/modules/services/irqbalance.te
 +++ b/policy/modules/services/irqbalance.te
-@@ -47,6 +47,11 @@ miscfiles_read_localization(irqbalance_t)
+@@ -19,6 +19,10 @@ files_pid_file(irqbalance_var_run_t)
+ 
+ allow irqbalance_t self:capability { setpcap net_admin };
+ dontaudit irqbalance_t self:capability sys_tty_config;
++ifdef(`hide_broken_symptoms',`
++	# caused by some bogus kernel code
++	dontaudit irqbalance_t self:capability sys_module;
++')
+ allow irqbalance_t self:process { getcap setcap signal_perms };
+ allow irqbalance_t self:udp_socket create_socket_perms;
+ 
+@@ -47,6 +51,11 @@ miscfiles_read_localization(irqbalance_t)
  userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
  userdom_dontaudit_search_user_home_dirs(irqbalance_t)
  
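Review bot: The comment `# caused by some bogus kernel code` above `dontaudit irqbalance_t self:capability sys_module;` does not say what triggers the capability check, so a later reader cannot tell when the dontaudit can be dropped. Choosing dontaudit over allow is right here, since `sys_module` gates module loading and irqbalance has no business with it, but the comment should record the operation that produces the spurious request and the kernel it was seen on, e.g. `# kernel <VERSION - fill in> requests CAP_SYS_MODULE on <operation - fill in>; irqbalance does not load modules, so silence the denial`. Wrapping it in `ifdef(`hide_broken_symptoms',` is consistent with how the rest of the tree handles such cases, so only the documentation needs attention.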
@@ -36650,7 +36738,7 @@ index bc329d1..0589f97 100644
  	admin_pattern($1, psad_tmp_t)
  ')
 diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te
-index d4000e0..312e537 100644
+index d4000e0..f1e983e 100644
 --- a/policy/modules/services/psad.te
 +++ b/policy/modules/services/psad.te
 @@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t)
@@ -36662,6 +36750,15 @@ index d4000e0..312e537 100644
  
  type psad_initrc_exec_t;
  init_script_file(psad_initrc_exec_t)
+@@ -39,7 +39,7 @@ files_tmp_file(psad_tmp_t)
+ 
+ allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+ dontaudit psad_t self:capability sys_tty_config;
+-allow psad_t self:process signull;
++allow psad_t self:process { signal signull };
+ allow psad_t self:fifo_file rw_fifo_file_perms;
+ allow psad_t self:rawip_socket create_socket_perms;
+ 
 @@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
  logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
  
@@ -37932,10 +38029,31 @@ index 852840b..1244ab2 100644
 +	')
  ')
 diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
-index 0a76027..7083808 100644
+index 0a76027..150548c 100644
 --- a/policy/modules/services/remotelogin.te
 +++ b/policy/modules/services/remotelogin.te
-@@ -49,6 +49,8 @@ fs_getattr_xattr_fs(remote_login_t)
+@@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t)
+ auth_login_pgm_domain(remote_login_t)
+ auth_login_entry_type(remote_login_t)
+ 
+-type remote_login_tmp_t;
+-files_tmp_file(remote_login_tmp_t)
+-
+ ########################################
+ #
+ # Remote login remote policy
+@@ -34,10 +31,6 @@ allow remote_login_t self:msgq create_msgq_perms;
+ allow remote_login_t self:msg { send receive };
+ allow remote_login_t self:key write;
+ 
+-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+-
+ kernel_read_system_state(remote_login_t)
+ kernel_read_kernel_sysctls(remote_login_t)
+ 
+@@ -49,6 +42,8 @@ fs_getattr_xattr_fs(remote_login_t)
  fs_search_auto_mountpoints(remote_login_t)
  
  term_relabel_all_ptys(remote_login_t)
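Review bot: Removing `type remote_login_tmp_t;` and its `files_tmp_file(remote_login_tmp_t)` declaration drops a type that shipped in earlier policy, so files still labelled `remote_login_tmp_t` on installed systems carry an invalid label after the update until they are relabelled, and any other module, interface or file-context entry that still names the type will fail to build. Before dropping it, check that nothing else in the patch references `remote_login_tmp_t`, and consider whether the spec file's relabel handling needs to cover leftovers in /tmp. The replacement rules on user_tmp_t (`userdom_manage_user_tmp_dirs`, `userdom_manage_user_tmp_files`, `userdom_tmp_filetrans_user_tmp`) live in the hunk further down, so the two halves of this change should be reviewed together.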
@@ -37944,7 +38062,7 @@ index 0a76027..7083808 100644
  
  auth_rw_login_records(remote_login_t)
  auth_rw_faillog(remote_login_t)
-@@ -77,7 +79,7 @@ files_list_mnt(remote_login_t)
+@@ -77,7 +72,7 @@ files_list_mnt(remote_login_t)
  # for when /var/mail is a sym-link
  files_read_var_symlinks(remote_login_t)
  
@@ -37953,7 +38071,7 @@ index 0a76027..7083808 100644
  
  miscfiles_read_localization(remote_login_t)
  
-@@ -87,9 +89,8 @@ userdom_search_user_home_content(remote_login_t)
+@@ -87,9 +82,10 @@ userdom_search_user_home_content(remote_login_t)
  # since very weak authentication is used.
  userdom_signal_unpriv_users(remote_login_t)
  userdom_spec_domtrans_unpriv_users(remote_login_t)
@@ -37961,11 +38079,13 @@ index 0a76027..7083808 100644
 -# Search for mail spool file.
 -mta_getattr_spool(remote_login_t)
 +userdom_use_user_ptys(remote_login_t)
-+userdom_rw_user_tmp_files(remote_login_t)
++userdom_manage_user_tmp_dirs(remote_login_t)
++userdom_manage_user_tmp_files(remote_login_t)
++userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_read_nfs_files(remote_login_t)
-@@ -106,15 +107,15 @@ optional_policy(`
+@@ -106,15 +102,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39108,7 +39228,7 @@ index 63e78c6..ffa4f37 100644
  ## </param>
  #
 diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..13556c1 100644
+index 779fa44..4bcaacc 100644
 --- a/policy/modules/services/rlogin.te
 +++ b/policy/modules/services/rlogin.te
 @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -39148,7 +39268,7 @@ index 779fa44..13556c1 100644
  
  files_read_etc_files(rlogind_t)
  files_read_etc_runtime_files(rlogind_t)
-@@ -88,9 +88,9 @@ seutil_read_config(rlogind_t)
+@@ -88,9 +88,10 @@ seutil_read_config(rlogind_t)
  userdom_setattr_user_ptys(rlogind_t)
  # cjp: this is egregious
  userdom_read_user_home_content_files(rlogind_t)
@@ -39158,10 +39278,11 @@ index 779fa44..13556c1 100644
 +userdom_search_admin_dir(rlogind_t)
 +userdom_manage_user_tmp_files(rlogind_t)
 +userdom_tmp_filetrans_user_tmp(rlogind_t, file)
++userdom_use_user_terminals(rlogind_t)
  
  rlogin_read_home_content(rlogind_t)
  
-@@ -112,5 +112,10 @@ optional_policy(`
+@@ -112,5 +113,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40703,10 +40824,10 @@ index adea9f9..d5b2d93 100644
  
  	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
 diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 606a098..8b74d10 100644
+index 606a098..14535da 100644
 --- a/policy/modules/services/smartmon.te
 +++ b/policy/modules/services/smartmon.te
-@@ -73,16 +73,21 @@ files_read_etc_runtime_files(fsdaemon_t)
+@@ -73,19 +73,26 @@ files_read_etc_runtime_files(fsdaemon_t)
  files_read_usr_files(fsdaemon_t)
  # for config
  files_read_etc_files(fsdaemon_t)
@@ -40728,6 +40849,11 @@ index 606a098..8b74d10 100644
  
  term_dontaudit_search_ptys(fsdaemon_t)
  
++init_read_utmp(fsdaemon_t)
++
+ libs_exec_ld_so(fsdaemon_t)
+ libs_exec_lib_files(fsdaemon_t)
+ 
 diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
 index 740994a..a92ba26 100644
 --- a/policy/modules/services/smokeping.te
@@ -40742,16 +40868,17 @@ index 740994a..a92ba26 100644
  allow smokeping_t self:udp_socket create_socket_perms;
  allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
 diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc
-index 623c8fa..ac10740 100644
+index 623c8fa..0a802f7 100644
 --- a/policy/modules/services/snmp.fc
 +++ b/policy/modules/services/snmp.fc
-@@ -18,7 +18,7 @@
+@@ -18,7 +18,8 @@
  
  /var/log/snmpd\.log	--	gen_context(system_u:object_r:snmpd_log_t,s0)
  
 -/var/net-snmp(/.*)		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
 +/var/net-snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
  
++/var/run/net-snmpd(/.*)?	gen_context(system_u:object_r:snmpd_var_run_t,s0)
  /var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
  /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
@@ -44018,7 +44145,7 @@ index 7c5d8d8..b961fd7 100644
 +	allow $1 virt_tmpfs_type:file manage_file_perms;
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..9d3bc6d 100644
+index 3eca020..1d39c1b 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,66 @@ policy_module(virt, 1.4.0)
@@ -44171,7 +44298,17 @@ index 3eca020..9d3bc6d 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -133,6 +153,8 @@ dev_list_sysfs(svirt_t)
+@@ -120,6 +140,9 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+ dontaudit svirt_t virt_content_t:file write_file_perms;
+ dontaudit svirt_t virt_content_t:dir write;
+ 
++# virt will attempt to us another virtualizations pubsaudio tmpfs_t, ignore error
++dontaudit svirt_t svirt_tmpfs_t:file { read write };
++
+ corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
+@@ -133,6 +156,8 @@ dev_list_sysfs(svirt_t)
  userdom_search_user_home_content(svirt_t)
  userdom_read_user_home_content_symlinks(svirt_t)
  userdom_read_all_users_state(svirt_t)
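Review bot: The new comment `# virt will attempt to us another virtualizations pubsaudio tmpfs_t, ignore error` has two typos ("us" should be "use" and "pubsaudio" should be "pulseaudio", as in the commit message) and should be fixed before it lands in the patch. More importantly, the rule beneath it, `dontaudit svirt_t svirt_tmpfs_t:file { read write };`, silences access from svirt_t to svirt_tmpfs_t, which presumably is one type shared by every guest instance and separated only by MCS categories; if so, this dontaudit hides exactly the cross-guest accesses that the MCS separation exists to block, and an operator investigating guest isolation will not see them in the audit log. The comment should state that trade-off explicitly, e.g. `# all svirt_t guests share svirt_tmpfs_t and are separated by MCS; a guest probing another guest's pulseaudio tmpfs file gets an MCS denial we do not want logged`, so that the rule is not mistaken for an ordinary noise suppression.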
@@ -44180,7 +44317,7 @@ index 3eca020..9d3bc6d 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +169,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +172,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -44196,7 +44333,7 @@ index 3eca020..9d3bc6d 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +186,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +189,22 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -44219,7 +44356,7 @@ index 3eca020..9d3bc6d 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,21 +211,33 @@ optional_policy(`
+@@ -174,21 +214,33 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -44257,7 +44394,7 @@ index 3eca020..9d3bc6d 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +249,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +252,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -44274,7 +44411,7 @@ index 3eca020..9d3bc6d 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +275,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +278,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
@@ -44282,7 +44419,7 @@ index 3eca020..9d3bc6d 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +295,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +298,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -44315,7 +44452,7 @@ index 3eca020..9d3bc6d 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +327,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +330,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -44334,7 +44471,7 @@ index 3eca020..9d3bc6d 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +362,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +365,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -44365,7 +44502,7 @@ index 3eca020..9d3bc6d 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +404,10 @@ optional_policy(`
+@@ -313,6 +407,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44376,7 +44513,7 @@ index 3eca020..9d3bc6d 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,6 +424,10 @@ optional_policy(`
+@@ -329,6 +427,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44387,7 +44524,7 @@ index 3eca020..9d3bc6d 100644
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
-@@ -365,6 +464,8 @@ optional_policy(`
+@@ -365,6 +467,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -44396,7 +44533,7 @@ index 3eca020..9d3bc6d 100644
  ')
  
  optional_policy(`
-@@ -394,14 +495,26 @@ optional_policy(`
+@@ -394,14 +498,26 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -44425,7 +44562,7 @@ index 3eca020..9d3bc6d 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +535,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +538,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -44433,7 +44570,7 @@ index 3eca020..9d3bc6d 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +543,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +546,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -44446,7 +44583,7 @@ index 3eca020..9d3bc6d 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +556,14 @@ files_search_all(virt_domain)
+@@ -440,6 +559,14 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -44461,7 +44598,7 @@ index 3eca020..9d3bc6d 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +581,117 @@ optional_policy(`
+@@ -457,8 +584,117 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48687,7 +48824,7 @@ index 354ce93..b8b14b9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..55a53e0 100644
+index cc83689..569ce8d 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -49024,7 +49161,7 @@ index cc83689..55a53e0 100644
  	')
  ')
  
-@@ -800,23 +962,45 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +962,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -49047,11 +49184,11 @@ index cc83689..55a53e0 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -49064,16 +49201,12 @@ index cc83689..55a53e0 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
+ 	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute a init script in a specified domain.
- ## </summary>
- ## <desc>
+ ')
+ 
+ ########################################
 @@ -868,9 +1052,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
@@ -49216,7 +49349,7 @@ index cc83689..55a53e0 100644
  ')
  
  ########################################
-@@ -1715,6 +1975,74 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1975,92 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -49235,6 +49368,24 @@ index cc83689..55a53e0 100644
 +        type init_var_run_t;
 +    ')
 +
++    allow $1 init_var_run_t:dir search_dir_perms;
++')
++
++######################################
++## <summary>
++##  Allow listing of the /run/systemd directory.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`init_list_pid_dirs',`
++    gen_require(`
++        type init_var_run_t;
++    ')
++
 +    allow $1 init_var_run_t:dir list_dir_perms;
 +')
 +
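Review bot: The new `init_list_pid_dirs` interface, and the `allow $1 init_var_run_t:dir search_dir_perms;` line added to the interface above it, are indented with four spaces while the rest of init.if uses tabs, as the context line `	files_pid_filetrans($1, initrc_var_run_t, file)` shows; the block should use tabs. The interface whose rule is narrowed from `list_dir_perms` to `search_dir_perms` starts outside the hunk, so its name is not visible here; any existing caller that relied on it for listing presumably has to move to `init_list_pid_dirs`, and the commit message's "Allow gnomeclock_systemctl_t to list init_var_run_t" looks like that consumer. The summary `Allow listing of the /run/systemd directory.` is consistent with the `/var/run/systemd(/.*)?` labelling of init_var_run_t added earlier in this patch.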
@@ -49291,7 +49442,7 @@ index cc83689..55a53e0 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2077,139 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2095,139 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -52277,10 +52428,10 @@ index a0eef20..75e256f 100644
  	dev_rw_xserver_misc(insmod_t)
  
 diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..9f9124f 100644
+index 72c746e..704d2d7 100644
 --- a/policy/modules/system/mount.fc
 +++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,15 @@
+@@ -1,4 +1,16 @@
 +/bin/fusermount    		--      gen_context(system_u:object_r:fusermount_exec_t,s0)
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
@@ -52297,6 +52448,7 @@ index 72c746e..9f9124f 100644
 +
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
++/var/run/mount(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
 index 8b5c196..6dc92dd 100644
 --- a/policy/modules/system/mount.if
@@ -56114,7 +56266,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..b7339b1 100644
+index 28b88de..b5bbbf5 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -56128,7 +56280,7 @@ index 28b88de..b7339b1 100644
  	domain_type($1_t)
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
-@@ -43,69 +44,101 @@ template(`userdom_base_user_template',`
+@@ -43,69 +44,103 @@ template(`userdom_base_user_template',`
  	term_user_pty($1_t, user_devpts_t)
  
  	term_user_tty($1_t, user_tty_device_t)
@@ -56259,8 +56411,7 @@ index 28b88de..b7339b1 100644
 +	storage_rw_fuse($1_usertype)
 +
 +	auth_use_nsswitch($1_usertype)
- 
--	libs_exec_ld_so($1_t)
++
 +	init_stream_connect($1_usertype)
 +	# The library functions always try to open read-write first,
 +	# then fall back to read-only if it fails. 
@@ -56268,6 +56419,9 @@ index 28b88de..b7339b1 100644
 +
 +	libs_exec_ld_so($1_usertype)
  
+-	libs_exec_ld_so($1_t)
++	logging_send_audit_msgs($1_t)
+ 
  	miscfiles_read_localization($1_t)
  	miscfiles_read_generic_certs($1_t)
  
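Review bot: The added `logging_send_audit_msgs($1_t)` is applied to `$1_t`, whereas the neighbouring calls in this stretch of the template were moved to `$1_usertype` (`auth_use_nsswitch($1_usertype)`, `libs_exec_ld_so($1_usertype)`), so it is not clear whether the narrower scope is deliberate; if it is, a comment should say so. This grant is also not listed in the commit message, and letting every base user domain emit audit records is a broader change than the other items, so a why-comment would help, e.g. `# <PLACEHOLDER: bug id or program> needs to send userspace audit messages`. The enclosing userdom_base_user_template starts and ends outside the hunk.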
@@ -56279,7 +56433,7 @@ index 28b88de..b7339b1 100644
  
  	tunable_policy(`allow_execmem',`
  		# Allow loading DSOs that require executable stack.
-@@ -116,6 +149,17 @@ template(`userdom_base_user_template',`
+@@ -116,6 +151,17 @@ template(`userdom_base_user_template',`
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
  	')
@@ -56297,7 +56451,7 @@ index 28b88de..b7339b1 100644
  ')
  
  #######################################
-@@ -149,6 +193,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +195,8 @@ interface(`userdom_ro_home_role',`
  		type user_home_t, user_home_dir_t;
  	')
  
@@ -56306,7 +56460,7 @@ index 28b88de..b7339b1 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -166,27 +212,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +214,6 @@ interface(`userdom_ro_home_role',`
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -56334,7 +56488,7 @@ index 28b88de..b7339b1 100644
  ')
  
  #######################################
-@@ -218,8 +243,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +245,11 @@ interface(`userdom_ro_home_role',`
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -56346,7 +56500,7 @@ index 28b88de..b7339b1 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -228,17 +256,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +258,21 @@ interface(`userdom_manage_home_role',`
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -56378,7 +56532,7 @@ index 28b88de..b7339b1 100644
  	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
  	files_list_home($2)
  
-@@ -246,25 +278,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +280,23 @@ interface(`userdom_manage_home_role',`
  	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
  
  	tunable_policy(`use_nfs_home_dirs',`
@@ -56408,7 +56562,7 @@ index 28b88de..b7339b1 100644
  	')
  ')
  
-@@ -289,6 +319,8 @@ interface(`userdom_manage_tmp_role',`
+@@ -289,6 +321,8 @@ interface(`userdom_manage_tmp_role',`
  		type user_tmp_t;
  	')
  
@@ -56417,7 +56571,7 @@ index 28b88de..b7339b1 100644
  	files_poly_member_tmp($2, user_tmp_t)
  
  	manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-@@ -297,6 +329,45 @@ interface(`userdom_manage_tmp_role',`
+@@ -297,6 +331,45 @@ interface(`userdom_manage_tmp_role',`
  	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
  	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
  	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -56463,7 +56617,7 @@ index 28b88de..b7339b1 100644
  ')
  
  #######################################
-@@ -316,6 +387,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +389,7 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -56471,7 +56625,7 @@ index 28b88de..b7339b1 100644
  	files_search_tmp($1)
  ')
  
-@@ -350,6 +422,8 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -350,6 +424,8 @@ interface(`userdom_manage_tmpfs_role',`
  		type user_tmpfs_t;
  	')
  
@@ -56480,7 +56634,7 @@ index 28b88de..b7339b1 100644
  	manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
  	manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
  	manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-@@ -360,46 +434,41 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -360,46 +436,41 @@ interface(`userdom_manage_tmpfs_role',`
  
  #######################################
  ## <summary>
@@ -56549,7 +56703,7 @@ index 28b88de..b7339b1 100644
  ')
  
  #######################################
-@@ -430,6 +499,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +501,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -56557,7 +56711,7 @@ index 28b88de..b7339b1 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -490,7 +560,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +562,7 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -56566,7 +56720,7 @@ index 28b88de..b7339b1 100644
  
  	##############################
  	#
-@@ -500,73 +570,81 @@ template(`userdom_common_user_template',`
+@@ -500,73 +572,81 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -56687,7 +56841,7 @@ index 28b88de..b7339b1 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +652,122 @@ template(`userdom_common_user_template',`
+@@ -574,67 +654,122 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -56701,23 +56855,23 @@ index 28b88de..b7339b1 100644
  		# Allow graphical boot to check battery lifespan
 -		apm_stream_connect($1_t)
 +		apm_stream_connect($1_usertype)
++	')
++
++	optional_policy(`
++		canna_stream_connect($1_usertype)
++	')
++
++	optional_policy(`
++		chrome_role($1_r, $1_usertype)
  	')
  
  	optional_policy(`
 -		canna_stream_connect($1_t)
-+		canna_stream_connect($1_usertype)
++		colord_read_lib_files($1_usertype)
  	')
  
  	optional_policy(`
 -		dbus_system_bus_client($1_t)
-+		chrome_role($1_r, $1_usertype)
-+	')
-+
-+	optional_policy(`
-+		colord_read_lib_files($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		dbus_system_bus_client($1_usertype)
 +
 +		allow $1_usertype $1_usertype:dbus  send_msg;
@@ -56733,44 +56887,44 @@ index 28b88de..b7339b1 100644
 +		optional_policy(`
 +			bluetooth_dbus_chat($1_usertype)
 +		')
++
++		optional_policy(`
++			consolekit_dbus_chat($1_usertype)
++			consolekit_read_log($1_usertype)
++		')
++
++		optional_policy(`
++			devicekit_dbus_chat($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
++		')
  
  		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
-+			consolekit_dbus_chat($1_usertype)
-+			consolekit_read_log($1_usertype)
++			evolution_dbus_chat($1_usertype)
++			evolution_alarm_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			evolution_dbus_chat($1_t)
 -			evolution_alarm_dbus_chat($1_t)
-+			devicekit_dbus_chat($1_usertype)
-+			devicekit_dbus_chat_power($1_usertype)
-+			devicekit_dbus_chat_disk($1_usertype)
++			gnome_dbus_chat_gconfdefault($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-+			evolution_dbus_chat($1_usertype)
-+			evolution_alarm_dbus_chat($1_usertype)
++			hal_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			gnome_dbus_chat_gconfdefault($1_usertype)
++			kde_dbus_chat_backlighthelper($1_usertype)
  		')
  
  		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
-+			hal_dbus_chat($1_usertype)
- 		')
-+
-+		optional_policy(`
-+			kde_dbus_chat_backlighthelper($1_usertype)
-+		')
-+
-+		optional_policy(`
 +			modemmanager_dbus_chat($1_usertype)
-+		')
+ 		')
 +
 +		optional_policy(`
 +			networkmanager_dbus_chat($1_usertype)
@@ -56815,20 +56969,20 @@ index 28b88de..b7339b1 100644
  	optional_policy(`
 -		modutils_read_module_config($1_t)
 +		modutils_read_module_config($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		mta_rw_spool($1_usertype)
-+		mta_manage_queue($1_usertype)
  	')
  
  	optional_policy(`
 -		mta_rw_spool($1_t)
++		mta_rw_spool($1_usertype)
++		mta_manage_queue($1_usertype)
++	')
++
++	optional_policy(`
 +		nsplugin_role($1_r, $1_usertype)
  	')
  
  	optional_policy(`
-@@ -650,41 +783,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +785,50 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -56860,51 +57014,51 @@ index 28b88de..b7339b1 100644
 +	optional_policy(`
 +		rpc_dontaudit_getattr_exports($1_usertype)
 +		rpc_manage_nfs_rw_content($1_usertype)
++	')
++
++	optional_policy(`
++		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		rpcbind_stream_connect($1_usertype)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t,$1_r)
-+		seunshare_role_template($1, $1_r, $1_t)
- 	')
-+
-+	optional_policy(`
 +		slrnpull_search_spool($1_usertype)
-+	')
+ 	')
 +
  ')
  
  #######################################
-@@ -712,13 +854,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +856,26 @@ template(`userdom_login_user_template', `
  
  	userdom_base_user_template($1)
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_manage_home_role($1_r, $1_usertype)
- 
--	userdom_manage_tmp_role($1_r, $1_t)
--	userdom_manage_tmpfs_role($1_r, $1_t)
++
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
 +
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
-+
+ 
+-	userdom_manage_tmp_role($1_r, $1_t)
+-	userdom_manage_tmpfs_role($1_r, $1_t)
 +		tunable_policy(`allow_$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
@@ -56922,7 +57076,7 @@ index 28b88de..b7339b1 100644
  
  	userdom_change_password_template($1)
  
-@@ -736,72 +891,70 @@ template(`userdom_login_user_template', `
+@@ -736,72 +893,70 @@ template(`userdom_login_user_template', `
  
  	allow $1_t self:context contains;
  
@@ -56992,45 +57146,45 @@ index 28b88de..b7339b1 100644
  
 -	seutil_read_config($1_t)
 +	seutil_read_config($1_usertype)
-+
-+	optional_policy(`
-+		cups_read_config($1_usertype)
-+		cups_stream_connect($1_usertype)
-+		cups_stream_connect_ptal($1_usertype)
-+	')
  
  	optional_policy(`
 -		cups_read_config($1_t)
 -		cups_stream_connect($1_t)
 -		cups_stream_connect_ptal($1_t)
-+		kerberos_use($1_usertype)
++		cups_read_config($1_usertype)
++		cups_stream_connect($1_usertype)
++		cups_stream_connect_ptal($1_usertype)
  	')
  
  	optional_policy(`
 -		kerberos_use($1_t)
-+		mta_dontaudit_read_spool_symlinks($1_usertype)
++		kerberos_use($1_usertype)
  	')
  
  	optional_policy(`
 -		mta_dontaudit_read_spool_symlinks($1_t)
-+		quota_dontaudit_getattr_db($1_usertype)
++		mta_dontaudit_read_spool_symlinks($1_usertype)
  	')
  
  	optional_policy(`
 -		quota_dontaudit_getattr_db($1_t)
-+		rpm_read_db($1_usertype)
-+		rpm_dontaudit_manage_db($1_usertype)
-+		rpm_read_cache($1_usertype)
++		quota_dontaudit_getattr_db($1_usertype)
  	')
  
  	optional_policy(`
 -		rpm_read_db($1_t)
 -		rpm_dontaudit_manage_db($1_t)
++		rpm_read_db($1_usertype)
++		rpm_dontaudit_manage_db($1_usertype)
++		rpm_read_cache($1_usertype)
++	')
++
++	optional_policy(`
 +		oddjob_run_mkhomedir($1_t, $1_r)
  	')
  ')
  
-@@ -833,6 +986,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +988,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -57040,7 +57194,7 @@ index 28b88de..b7339b1 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1030,116 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1032,116 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -57114,40 +57268,40 @@ index 28b88de..b7339b1 100644
 +			abrt_dbus_chat($1_usertype)
 +			abrt_run_helper($1_usertype, $1_r)
 +		')
- 
- 		optional_policy(`
--			consolekit_dbus_chat($1_t)
++
++		optional_policy(`
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
- 		')
- 
- 		optional_policy(`
--			cups_dbus_chat($1_t)
-+			cups_dbus_chat($1_usertype)
-+			cups_dbus_chat_config($1_usertype)
- 		')
++		')
 +
 +		optional_policy(`
++			cups_dbus_chat($1_usertype)
++			cups_dbus_chat_config($1_usertype)
++		')
+ 
+ 		optional_policy(`
+-			consolekit_dbus_chat($1_t)
 +			devicekit_dbus_chat($1_usertype)
 +			devicekit_dbus_chat_disk($1_usertype)
 +			devicekit_dbus_chat_power($1_usertype)
-+		')
-+
-+		optional_policy(`
+ 		')
+ 
+ 		optional_policy(`
+-			cups_dbus_chat($1_t)
 +			fprintd_dbus_chat($1_t)
-+		')
+ 		')
+ 	')
+ 
+ 	optional_policy(`
+-		java_role($1_r, $1_t)
++		openoffice_role_template($1, $1_r, $1_usertype)
 +	')
 +
 +	optional_policy(`
-+		openoffice_role_template($1, $1_r, $1_usertype)
++		policykit_role($1_r, $1_usertype)
 +	')
 +
 +	optional_policy(`
-+		policykit_role($1_r, $1_usertype)
- 	')
- 
- 	optional_policy(`
--		java_role($1_r, $1_t)
 +		pulseaudio_role($1_r, $1_usertype)
 +	')
 +
@@ -57168,7 +57322,7 @@ index 28b88de..b7339b1 100644
  	')
  ')
  
-@@ -947,7 +1174,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1176,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -57177,7 +57331,7 @@ index 28b88de..b7339b1 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,54 +1183,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1185,83 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -57247,16 +57401,13 @@ index 28b88de..b7339b1 100644
 +
 +	optional_policy(`
 +		gpg_role($1_r, $1_usertype)
- 	')
- 
--	# Run pppd in pppd_t by default for user
- 	optional_policy(`
--		ppp_run_cond($1_t,$1_r)
++	')
++
++	optional_policy(`
 +		gnomeclock_dbus_chat($1_t)
- 	')
- 
- 	optional_policy(`
--		setroubleshoot_stream_connect($1_t)
++	')
++
++	optional_policy(`
 +		gpm_stream_connect($1_usertype)
 +	')
 +
@@ -57275,13 +57426,16 @@ index 28b88de..b7339b1 100644
 +	optional_policy(`
 +		mount_run_fusermount($1_t, $1_r)
 +		mount_read_pid_files($1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+-	# Run pppd in pppd_t by default for user
+ 	optional_policy(`
+-		ppp_run_cond($1_t,$1_r)
 +		wine_role_template($1, $1_r, $1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		setroubleshoot_stream_connect($1_t)
 +		postfix_run_postdrop($1_t, $1_r)
 +	')
 +
@@ -57291,7 +57445,7 @@ index 28b88de..b7339b1 100644
  	')
  ')
  
-@@ -1039,7 +1295,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1297,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -57300,7 +57454,7 @@ index 28b88de..b7339b1 100644
  	')
  
  	##############################
-@@ -1066,6 +1322,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1324,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -57308,7 +57462,7 @@ index 28b88de..b7339b1 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1331,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1333,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -57318,7 +57472,7 @@ index 28b88de..b7339b1 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1348,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1350,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -57326,7 +57480,7 @@ index 28b88de..b7339b1 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1366,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1368,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -57340,7 +57494,7 @@ index 28b88de..b7339b1 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,15 +1383,19 @@ template(`userdom_admin_user_template',`
+@@ -1119,15 +1385,19 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -57360,7 +57514,7 @@ index 28b88de..b7339b1 100644
  
  	term_use_all_terms($1_t)
  
-@@ -1141,7 +1409,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1411,10 @@ template(`userdom_admin_user_template',`
  
  	logging_send_syslog_msg($1_t)
  
@@ -57372,7 +57526,7 @@ index 28b88de..b7339b1 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1481,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1483,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -57381,7 +57535,7 @@ index 28b88de..b7339b1 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,6 +1495,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1497,7 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -57389,7 +57543,7 @@ index 28b88de..b7339b1 100644
  
  	auth_relabel_all_files_except_shadow($1)
  	auth_relabel_shadow($1)
-@@ -1237,6 +1511,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1513,7 @@ template(`userdom_security_admin_template',`
  	seutil_run_checkpolicy($1,$2)
  	seutil_run_loadpolicy($1,$2)
  	seutil_run_semanage($1,$2)
@@ -57397,7 +57551,7 @@ index 28b88de..b7339b1 100644
  	seutil_run_setfiles($1, $2)
  
  	optional_policy(`
-@@ -1279,11 +1554,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1556,37 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -57435,7 +57589,7 @@ index 28b88de..b7339b1 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,6 +1696,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1698,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -57443,7 +57597,7 @@ index 28b88de..b7339b1 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1743,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1745,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -57458,7 +57612,7 @@ index 28b88de..b7339b1 100644
  ')
  
  ########################################
-@@ -1456,9 +1766,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1768,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -57470,7 +57624,7 @@ index 28b88de..b7339b1 100644
  ')
  
  ########################################
-@@ -1515,10 +1827,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1829,10 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -57483,7 +57637,7 @@ index 28b88de..b7339b1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1526,21 +1838,57 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,18 +1840,54 @@ interface(`userdom_relabelto_user_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -57502,10 +57656,8 @@ index 28b88de..b7339b1 100644
  ## <summary>
 -##	Do a domain transition to the specified
 -##	domain when executing a program in the
--##	user home directory.
 +##	Relabel user home files.
- ## </summary>
--## <desc>
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
@@ -57543,13 +57695,10 @@ index 28b88de..b7339b1 100644
 +## <summary>
 +##	Do a domain transition to the specified
 +##	domain when executing a program in the
-+##	user home directory.
-+## </summary>
-+## <desc>
- ##	<p>
- ##	Do a domain transition to the specified
- ##	domain when executing a program in the
-@@ -1589,6 +1937,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+ ##	user home directory.
+ ## </summary>
+ ## <desc>
+@@ -1589,6 +1939,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -57558,7 +57707,7 @@ index 28b88de..b7339b1 100644
  ')
  
  ########################################
-@@ -1603,10 +1953,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1955,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -57573,7 +57722,7 @@ index 28b88de..b7339b1 100644
  ')
  
  ########################################
-@@ -1649,6 +2001,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2003,25 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -57599,7 +57748,7 @@ index 28b88de..b7339b1 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1700,12 +2071,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2073,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -57632,7 +57781,7 @@ index 28b88de..b7339b1 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2107,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2109,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -57650,7 +57799,7 @@ index 28b88de..b7339b1 100644
  ')
  
  ########################################
-@@ -1779,6 +2173,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2175,24 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -57675,7 +57824,7 @@ index 28b88de..b7339b1 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2222,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2224,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -57685,7 +57834,7 @@ index 28b88de..b7339b1 100644
  ')
  
  ########################################
-@@ -1827,20 +2238,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2240,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -57710,7 +57859,7 @@ index 28b88de..b7339b1 100644
  
  ########################################
  ## <summary>
-@@ -2008,7 +2413,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2415,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -57719,7 +57868,7 @@ index 28b88de..b7339b1 100644
  	files_search_home($1)
  ')
  
-@@ -2182,7 +2587,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2589,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -57728,7 +57877,7 @@ index 28b88de..b7339b1 100644
  ')
  
  ########################################
-@@ -2435,13 +2840,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2842,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -57744,7 +57893,7 @@ index 28b88de..b7339b1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +2868,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2870,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -57771,7 +57920,57 @@ index 28b88de..b7339b1 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2815,7 +3201,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2570,6 +2958,24 @@ interface(`userdom_use_user_ttys',`
+ 	allow $1 user_tty_device_t:chr_file rw_term_perms;
+ ')
+ 
++#######################################
++## <summary>
++##  Read and write inherited user domain tty.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`userdom_use_inherited_user_ttys',`
++    gen_require(`
++        type user_tty_device_t;
++    ')
++
++    allow $1 user_tty_device_t:chr_file { getattr read write append ioctl };
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write a user domain pty.
+@@ -2588,6 +2994,24 @@ interface(`userdom_use_user_ptys',`
+ 	allow $1 user_devpts_t:chr_file rw_term_perms;
+ ')
+ 
++#######################################
++## <summary>
++##  Read and write inherited user domain pty.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`userdom_use_inherited_user_ptys',`
++    gen_require(`
++        type user_devpts_t;
++    ')
++
++    allow $1 user_devpts_t:chr_file { getattr read write append ioctl };
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write a user TTYs and PTYs.
+@@ -2815,7 +3239,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -57780,7 +57979,7 @@ index 28b88de..b7339b1 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3217,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3255,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -57796,7 +57995,7 @@ index 28b88de..b7339b1 100644
  ')
  
  ########################################
-@@ -2917,7 +3305,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3343,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -57805,7 +58004,7 @@ index 28b88de..b7339b1 100644
  ')
  
  ########################################
-@@ -2972,7 +3360,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3398,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -57852,7 +58051,7 @@ index 28b88de..b7339b1 100644
  ')
  
  ########################################
-@@ -3009,6 +3435,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3473,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -57860,7 +58059,7 @@ index 28b88de..b7339b1 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3087,6 +3514,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3552,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -57885,7 +58084,7 @@ index 28b88de..b7339b1 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3139,3 +3584,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3622,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a22ada4..8e46c93 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,23 @@ exit 0
 %endif
 
 %changelog
+* Tue May 17 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-24
+- Allow logrotate to connect to init script using unix domain stream socket
+- Allow shorewall read and write inherited user domain pty/tty
+- virt will attempt to us another virtualizations pulsesaudio tmpfs_t, ignore error
+- Allow colord to get the attributes of fixed disk device nodes
+- Allow nsplugin_t to getattr on gpmctl
+- Allow mozilla_plugin to connect to pcscd over an unix stream socket
+- Allow logrotate to execute systemctl
+- colord wants to read files in users homedir
+- Remote login should create user_tmp_t content not its own tmp files
+- Allow psad signal
+- Fix cobbler_read_lib_files interface
+- Allow rlogind to r/w user terminals
+- Allow prelink_cron_system_t to relabel content and ignore obj_id
+- Allow gnomeclock_systemctl_t to list init_var_run_t
+- Dbus domains will inherit fds from the init system
+
 * Fri May 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-23
 - Add label for /lib/upstart/init
 - Allow colord to getattr on /proc/scsi/scsi

