[selinux-policy/f15] - Backport MCS fixes from F16 - Other chrome fixes from F16

Miroslav Grepl mgrepl at fedoraproject.org
Mon Nov 7 19:40:07 UTC 2011


commit f46f7be2adb568b0fac44a1356ac90907827cb86
Author: Miroslav <mgrepl at redhat.com>
Date:   Mon Nov 7 20:39:54 2011 +0100

    - Backport MCS fixes from F16
    - Other chrome fixes from F16

 policy-F15.patch    |  489 +++++++++++++++++++++++++++++++++++----------------
 selinux-policy.spec |    6 +-
 2 files changed, 341 insertions(+), 154 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index f3736aa..32d3d4e 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -218,10 +218,10 @@ index 4705ab6..262b5ba 100644
 +gen_tunable(allow_console_login,false)
 +
 diff --git a/policy/mcs b/policy/mcs
-index 358ce7c..5da1cd0 100644
+index 358ce7c..872d0d5 100644
 --- a/policy/mcs
 +++ b/policy/mcs
-@@ -69,16 +69,20 @@ gen_levels(1,mcs_num_cats)
+@@ -69,16 +69,32 @@ gen_levels(1,mcs_num_cats)
  #  - /proc/pid operations are not constrained.
  
  mlsconstrain file { read ioctl lock execute execute_no_trans }
@@ -243,10 +243,22 @@ index 358ce7c..5da1cd0 100644
 -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
 +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
 +	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
++
++mlsconstrain fifo_file { open }
++    (( h1 dom h2 ) or ( t1 == mcsreadall ) or
++     (( t1 != mcsuntrustedproc ) and ( t2 == domain )));
++
++mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
++    (( h1 dom h2 ) or ( t1 == mcsreadall ) or
++     (( t1 != mcsuntrustedproc ) and (t2 == domain)));
++
++mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
++    (( h1 dom h2 ) or ( t1 == mcswriteall ) or
++     (( t1 != mcsuntrustedproc ) and (t2 == domain)));
  
  # New filesystem object labels must be dominated by the relabeling subject
  # clearance, also the objects are single-level.
-@@ -86,10 +90,10 @@ mlsconstrain file { create relabelto }
+@@ -86,10 +102,10 @@ mlsconstrain file { create relabelto }
  	(( h1 dom h2 ) and ( l2 eq h2 ));
  
  # new file labels must be dominated by the relabeling subject clearance
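Review bot: The new `mlsconstrain fifo_file { open }` escapes only on mcsreadall, yet `open` is also the permission checked when a FIFO is opened for writing, so a domain holding mcsreadall but not mcswriteall can open a cross-category FIFO for writing unless a separate fifo_file write constraint exists outside this hunk. If the intent mirrors the file rules above, keep the two attributes apart with a companion `mlsconstrain fifo_file { write } (( h1 dom h2 ) or ( t1 == mcswriteall ) or (( t1 != mcsuntrustedproc ) and ( t2 == domain )));`. The added constraints are also indented with spaces while the surrounding ones use tabs.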
@@ -259,7 +271,7 @@ index 358ce7c..5da1cd0 100644
  	(( h1 dom h2 ) and ( l2 eq h2 ));
  
  mlsconstrain process { transition dyntransition }
-@@ -101,6 +105,9 @@ mlsconstrain process { ptrace }
+@@ -101,6 +117,9 @@ mlsconstrain process { ptrace }
  mlsconstrain process { sigkill sigstop }
  	(( h1 dom h2 ) or ( t1 == mcskillall ));
  
@@ -269,7 +281,7 @@ index 358ce7c..5da1cd0 100644
  #
  # MCS policy for SELinux-enabled databases
  #
-@@ -144,4 +151,10 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -144,4 +163,10 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
  mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
  	( h1 dom h2 );
  
@@ -2983,10 +2995,10 @@ index 0000000..6073016
 +/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
-index 0000000..3de35ef
+index 0000000..1553356
 --- /dev/null
 +++ b/policy/modules/apps/chrome.if
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,133 @@
 +
 +## <summary>policy for chrome</summary>
 +
@@ -3005,12 +3017,14 @@ index 0000000..3de35ef
 +		type chrome_sandbox_t, chrome_sandbox_exec_t;
 +	')
 +
-+	domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)
++	domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
 +	ps_process_pattern(chrome_sandbox_t, $1)
-+ifdef(`hide_broken_symptoms', `
-+	dontaudit chrome_sandbox_t $1:socket_class_set { read write };
-+	fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
-+')
++
++	allow $1 chrome_sandbox_t:fd use;
++
++	ifdef(`hide_broken_symptoms',`
++		fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
++	')
 +')
 +
 +
@@ -3056,7 +3070,7 @@ index 0000000..3de35ef
 +##	</summary>
 +## </param>
 +#
-+interface(`chrome_role',`
++interface(`chrome_role_notrans',`
 +	gen_require(`
 +		type chrome_sandbox_t;
 +		type chrome_sandbox_tmpfs_t;
@@ -3066,14 +3080,14 @@ index 0000000..3de35ef
 +	role $1 types chrome_sandbox_t;
 +	role $1 types chrome_sandbox_nacl_t;
 +
-+	chrome_domtrans_sandbox($2)
-+
 +	ps_process_pattern($2, chrome_sandbox_t)
 +	allow $2 chrome_sandbox_t:process signal_perms;
 +
 +	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
 +	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
 +	allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
++	allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
++	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
 +	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
 +
 +	allow $2 chrome_sandbox_t:shm rw_shm_perms;
@@ -3083,11 +3097,31 @@ index 0000000..3de35ef
 +
 +########################################
 +## <summary>
++##	Role access for chrome sandbox
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role
++##	</summary>
++## </param>
++#
++interface(`chrome_role',`
++	chrome_role_notrans($1, $2)
++	chrome_domtrans_sandbox($2)
++')
++
++########################################
++## <summary>
 +##	Dontaudit read/write to a chrome_sandbox leaks
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
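Review bot: The `<summary>` added for the new `chrome_role` wrapper, `Role access for chrome sandbox`, is presumably the same wording still carried by `chrome_role_notrans` (its header sits above the earlier hunk that renamed it and is outside this view), so the documentation no longer tells the two interfaces apart. Suggest `##	Role access for chrome sandbox, including the domain transition into it` here, and on `chrome_role_notrans` a summary stating that it grants role access without the domain transition; that second change belongs in the rename hunk.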
@@ -3100,10 +3134,10 @@ index 0000000..3de35ef
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..c010edb
+index 0000000..48c0b3c
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,173 @@
+@@ -0,0 +1,180 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -3180,15 +3214,17 @@ index 0000000..c010edb
 +
 +files_read_etc_files(chrome_sandbox_t)
 +files_read_usr_files(chrome_sandbox_t)
-+files_exec_usr_files(chrome_sandbox_t)
 +
 +fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
 +
 +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
++userdom_execute_user_tmpfs_files(chrome_sandbox_t)
++
 +userdom_use_user_ptys(chrome_sandbox_t)
 +userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
 +userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
 +userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
++userdom_search_user_home_content(chrome_sandbox_t)
 +
 +miscfiles_read_localization(chrome_sandbox_t)
 +miscfiles_read_fonts(chrome_sandbox_t)
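Review bot: `userdom_execute_user_tmpfs_files(chrome_sandbox_t)` grants execute on tmpfs files the user domain can write, a W^X relaxation that a later reader will want justified, and it arrives without a comment while the narrower `files_exec_usr_files(chrome_sandbox_t)` is dropped in the same hunk. Suggest a why-comment above it, e.g. `# chrome maps writable user tmpfs files executable inside the sandbox — confirm which component needs this`, so the grant is not silently widened further when the next denial appears.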
@@ -3249,7 +3285,9 @@ index 0000000..c010edb
 +allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
 +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
 +allow chrome_sandbox_nacl_t self:shm create_shm_perms;
-+allow chrome_sandbox_nacl_t self:unix_dgram_socket create_socket_perms;
++allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
 +
 +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
 +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
@@ -3263,10 +3301,12 @@ index 0000000..c010edb
 +dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
 +
 +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
 +
 +kernel_read_system_state(chrome_sandbox_nacl_t)
 +
 +dev_read_urand(chrome_sandbox_nacl_t)
++dev_read_sysfs(chrome_sandbox_nacl_t)
 +
 +files_read_etc_files(chrome_sandbox_nacl_t)
 +
@@ -3277,6 +3317,7 @@ index 0000000..c010edb
 +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
 +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
 +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
 diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
 index e51e7f5..8e0405f 100644
 --- a/policy/modules/apps/cpufreqselector.te
@@ -3369,10 +3410,10 @@ index 0000000..4540090
 +/usr/local/Wolfram/Mathematica(/.*)?MathKernel	  -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
 new file mode 100644
-index 0000000..254774b
+index 0000000..6468443
 --- /dev/null
 +++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,135 @@
 +## <summary>execmem domain</summary>
 +
 +########################################
@@ -3444,10 +3485,6 @@ index 0000000..254774b
 +	files_execmod_tmp($1_execmem_t)
 +
 +	optional_policy(`
-+		chrome_role($2, $1_execmem_t)
-+	')
-+
-+	optional_policy(`
 +		execmem_execmod($1_execmem_t)
 +	')
 +
@@ -5096,7 +5133,7 @@ index 40e0a2a..f4a103c 100644
  ## <summary>
  ##	Send generic signals to user gpg processes.
 diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..f2b17b1 100644
+index 9050e8c..8cfdd2f 100644
 --- a/policy/modules/apps/gpg.te
 +++ b/policy/modules/apps/gpg.te
 @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -5168,7 +5205,7 @@ index 9050e8c..f2b17b1 100644
  
  mta_write_config(gpg_t)
  
-@@ -142,6 +161,11 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -142,20 +161,29 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -5180,22 +5217,29 @@ index 9050e8c..f2b17b1 100644
  	mozilla_read_user_home_files(gpg_t)
  	mozilla_write_user_home_files(gpg_t)
  ')
-@@ -151,10 +175,10 @@ optional_policy(`
- 	xserver_rw_xdm_pipes(gpg_t)
+ 
+ optional_policy(`
+-	xserver_use_xdm_fds(gpg_t)
+-	xserver_rw_xdm_pipes(gpg_t)
++	spamassassin_read_spamd_tmp_files(gpg_t)
  ')
  
--optional_policy(`
+ optional_policy(`
 -	cron_system_entry(gpg_t, gpg_exec_t)
 -	cron_read_system_job_tmp_files(gpg_t)
--')
++	xserver_use_xdm_fds(gpg_t)
++	xserver_rw_xdm_pipes(gpg_t)
+ ')
+ 
 +#optional_policy(`
 +#	cron_system_entry(gpg_t, gpg_exec_t)
 +#	cron_read_system_job_tmp_files(gpg_t)
 +#')
- 
++
  ########################################
  #
-@@ -205,11 +229,12 @@ tunable_policy(`use_samba_home_dirs',`
+ # GPG helper local policy
+@@ -205,11 +233,12 @@ tunable_policy(`use_samba_home_dirs',`
  #
  # GPG agent local policy
  #
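Review bot: The cron rules are kept as a commented-out `#optional_policy(` … `#')` stub instead of being removed, so the reason gpg_t lost `cron_system_entry`/`cron_read_system_job_tmp_files` survives only as dead code next to the new `spamassassin_read_spamd_tmp_files(gpg_t)` block. Either delete the four `#` lines (the patch history already records the removal) or replace them with a single explanatory line such as `# cron_system_entry for gpg_t intentionally not granted: <reason>`.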
@@ -5209,7 +5253,7 @@ index 9050e8c..f2b17b1 100644
  allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
  
  # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-@@ -245,13 +270,14 @@ userdom_search_user_home_dirs(gpg_agent_t)
+@@ -245,13 +274,14 @@ userdom_search_user_home_dirs(gpg_agent_t)
  
  ifdef(`hide_broken_symptoms',`
  	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -5225,7 +5269,7 @@ index 9050e8c..f2b17b1 100644
  	userdom_manage_user_home_content_dirs(gpg_agent_t)
  	userdom_manage_user_home_content_files(gpg_agent_t)
  ')
-@@ -332,6 +358,9 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -332,6 +362,9 @@ miscfiles_read_localization(gpg_pinentry_t)
  # for .Xauthority
  userdom_read_user_home_content_files(gpg_pinentry_t)
  userdom_read_user_tmpfs_files(gpg_pinentry_t)
@@ -5235,7 +5279,7 @@ index 9050e8c..f2b17b1 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_read_nfs_files(gpg_pinentry_t)
-@@ -342,11 +371,21 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -342,11 +375,21 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -5257,7 +5301,7 @@ index 9050e8c..f2b17b1 100644
  	pulseaudio_exec(gpg_pinentry_t)
  	pulseaudio_rw_home_files(gpg_pinentry_t)
  	pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +395,28 @@ optional_policy(`
+@@ -356,4 +399,28 @@ optional_policy(`
  
  optional_policy(`
  	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -10359,7 +10403,7 @@ index 82842a0..4111a1d 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..56a3b80 100644
+index 34c9d01..77900bf 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -10431,7 +10475,7 @@ index 34c9d01..56a3b80 100644
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
-+/usr/lib(64)?/xfce4/notifyd/xfce4-notifyd	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/xfce4(/.*)?    gen_context(system_u:object_r:bin_t,s0)
 +
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
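Review bot: Replacing the single `xfce4-notifyd` entry with `/usr/lib(64)?/xfce4(/.*)?` labels everything under that tree bin_t — plugin shared objects and data files included — so any domain allowed to execute bin_t can now execute all of it, and objects there may stop matching the library file contexts depending on match ordering. Listing the helper binaries individually with the `--` file-type specifier, as the replaced line did, keeps the label on executables only. The new line also separates pattern and context with spaces where the neighbouring entries use tabs.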
@@ -11832,7 +11876,7 @@ index 6cf8784..e244a9d 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..78ef672 100644
+index e9313fb..f31d07e 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -12219,7 +12263,32 @@ index e9313fb..78ef672 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4514,6 +4660,24 @@ interface(`dev_rwx_vmware',`
+@@ -4085,6 +4231,24 @@ interface(`dev_setattr_generic_usb_dev',`
+ 	setattr_chr_files_pattern($1, device_t, usb_device_t)
+ ')
+ 
++######################################
++## <summary>
++##  Allow relabeling (to and from) of generic usb device
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to relabel.
++##  </summary>
++## </param>
++#
++interface(`dev_relabel_generic_usb_dev',`
++    gen_require(`
++        type usb_device_t;
++    ')
++
++    relabel_dirs_pattern($1, usb_device_t, usb_device_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read generic the USB devices.
+@@ -4514,6 +4678,24 @@ interface(`dev_rwx_vmware',`
  
  ########################################
  ## <summary>
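Review bot: `dev_relabel_generic_usb_dev` only calls `relabel_dirs_pattern($1, usb_device_t, usb_device_t)`, so it covers directories labelled usb_device_t but not the usb device nodes themselves, while its summary says it allows relabeling of the generic usb device. If callers need to relabel the nodes, add `relabel_chr_files_pattern($1, usb_device_t, usb_device_t)` beside it; otherwise narrow the summary to `Allow relabeling (to and from) of generic usb device directories`. The new interface is also indented with spaces (`gen_require(\`` at four, `type usb_device_t;` at eight) where the rest of devices.if uses tabs.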
@@ -12244,7 +12313,7 @@ index e9313fb..78ef672 100644
  ##	Write to watchdog devices.
  ## </summary>
  ## <param name="domain">
-@@ -4748,3 +4912,22 @@ interface(`dev_unconfined',`
+@@ -4748,3 +4930,22 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -15873,7 +15942,7 @@ index be4de58..cce681a 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..4847432 100644
+index 2be17d2..b6549bd 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,53 @@ policy_module(staff, 2.2.0)
@@ -15930,7 +15999,7 @@ index 2be17d2..4847432 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,31 +68,147 @@ optional_policy(`
+@@ -27,31 +68,151 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15955,6 +16024,10 @@ index 2be17d2..4847432 100644
 +')
 +
 +optional_policy(`
++	chrome_role(staff_r, staff_usertype)
++')
++
++optional_policy(`
 +	lpd_list_spool(staff_t)
 +')
 +
@@ -16080,7 +16153,7 @@ index 2be17d2..4847432 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -89,10 +246,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +250,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16091,7 +16164,7 @@ index 2be17d2..4847432 100644
  		gpg_role(staff_r, staff_t)
  	')
  
-@@ -121,10 +274,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +278,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16102,7 +16175,7 @@ index 2be17d2..4847432 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +290,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16113,7 +16186,7 @@ index 2be17d2..4847432 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +317,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +321,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -17189,7 +17262,7 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..dc3f3b7
+index 0000000..2e259b6
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,503 @@
@@ -17440,7 +17513,7 @@ index 0000000..dc3f3b7
 +')
 +
 +optional_policy(`
-+	chrome_role(unconfined_r, unconfined_usertype)
++	chrome_role_notrans(unconfined_r, unconfined_usertype)
 +')
 +
 +optional_policy(`
@@ -17697,10 +17770,10 @@ index 0000000..dc3f3b7
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..724f9be 100644
+index e5bfdd4..8fb4484 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,78 @@ role user_r;
+@@ -12,15 +12,82 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -17730,6 +17803,10 @@ index e5bfdd4..724f9be 100644
 +')
 +
 +optional_policy(`
++	chrome_role(user_r, user_usertype)
++')
++
++optional_policy(`
 +	oident_manage_user_content(user_t)
 +	oident_relabel_user_content(user_t)
 +')
@@ -17779,7 +17856,7 @@ index e5bfdd4..724f9be 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -62,10 +125,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +129,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17790,7 +17867,7 @@ index e5bfdd4..724f9be 100644
  		gpg_role(user_r, user_t)
  	')
  
-@@ -98,10 +157,6 @@ ifndef(`distro_redhat',`
+@@ -98,10 +161,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17801,7 +17878,7 @@ index e5bfdd4..724f9be 100644
  		postgresql_role(user_r, user_t)
  	')
  
-@@ -118,11 +173,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +177,7 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17814,7 +17891,7 @@ index e5bfdd4..724f9be 100644
  	')
  
  	optional_policy(`
-@@ -157,3 +208,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +212,4 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
@@ -19270,7 +19347,7 @@ index c3a1903..19fb14a 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..0119d45 100644
+index 9e39aa5..cbe9538 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
@@ -19278,7 +19355,7 @@ index 9e39aa5..0119d45 100644
  /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
 -/etc/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/drupal(6)?(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
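Review bot: `/etc/drupal.*` — and likewise `/usr/share/drupal.*` and `/var/lib/drupal.*` in the two hunks that follow — drops the path-separator anchoring that `drupal(6)?(/.*)?` had, so any sibling whose name merely starts with `drupal` (`/etc/drupal-backup`, `/var/lib/drupalx`) now receives httpd_sys_rw_content_t, which httpd can write. If the goal is to follow versioned directories, `/etc/drupal[0-9]*(/.*)?` keeps the match on the directory and its contents while still accepting a numeric suffix.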
@@ -19296,7 +19373,7 @@ index 9e39aa5..0119d45 100644
  
 -/usr/share/dirsrv(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 -/usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/drupal(6)?(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/drupal.*				gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/doc/ghc/html(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -19316,7 +19393,7 @@ index 9e39aa5..0119d45 100644
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 -/var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/drupal(6)?(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
  /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -21496,7 +21573,7 @@ index 0197980..f8bce2c 100644
 +/var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 +/var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
-index f4e7ad3..68aebc4 100644
+index f4e7ad3..2faf42a 100644
 --- a/policy/modules/services/bitlbee.te
 +++ b/policy/modules/services/bitlbee.te
 @@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t)
@@ -21513,7 +21590,7 @@ index f4e7ad3..68aebc4 100644
  
 -allow bitlbee_t self:capability { setgid setuid };
 -allow bitlbee_t self:process signal;
-+allow bitlbee_t self:capability { setgid setuid sys_nice };
++allow bitlbee_t self:capability { dac_override setgid setuid sys_nice };
 +allow bitlbee_t self:process { setsched signal };
 +
 +allow bitlbee_t self:fifo_file rw_fifo_file_perms;
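Review bot: `dac_override` joins bitlbee_t's capability set without a comment saying which file the daemon could not reach; that capability bypasses DAC on every path the domain's SELinux rules already allow, so it usually papers over a mislabelled or wrongly owned file that a file-context or ownership fix would address more narrowly. Suggest either the narrower fix or at least a why-comment, e.g. `# dac_override: bitlbee opens <path> after dropping to its unprivileged user — confirm ownership before keeping this`.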
@@ -21552,6 +21629,16 @@ index f4e7ad3..68aebc4 100644
  # Allow bitlbee to connect to jabber servers
  corenet_tcp_connect_jabber_client_port(bitlbee_t)
  corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+@@ -69,6 +81,9 @@ corenet_tcp_connect_http_port(bitlbee_t)
+ corenet_tcp_sendrecv_http_port(bitlbee_t)
+ corenet_tcp_connect_http_cache_port(bitlbee_t)
+ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
++corenet_tcp_bind_ircd_port(bitlbee_t)
++corenet_tcp_sendrecv_ircd_port(bitlbee_t)
++corenet_sendrecv_ircd_server_packets(bitlbee_t)
+ 
+ dev_read_rand(bitlbee_t)
+ dev_read_urand(bitlbee_t)
 diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
 index 3e45431..4aa8fb1 100644
 --- a/policy/modules/services/bluetooth.if
@@ -23283,10 +23370,10 @@ index 6077339..d10acd2 100644
  dev_manage_generic_blk_files(clogd_t)
 diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
 new file mode 100644
-index 0000000..2c745ea
+index 0000000..b5058ac
 --- /dev/null
 +++ b/policy/modules/services/cloudform.fc
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,23 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
@@ -23295,6 +23382,8 @@ index 0000000..2c745ea
 +/usr/bin/mongod		--	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/bin/thin		--	gen_context(system_u:object_r:thin_exec_t,s0)
 +
++/usr/share/aeolus-conductor/dbomatic/dbomatic	--	gen_context(system_u:object_r:mongod_exec_t,s0)
++
 +/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
 +/var/log/iwhd\.log		--		gen_context(system_u:object_r:iwhd_log_t,s0)
 +/var/run/iwhd\.pid               --      gen_context(system_u:object_r:iwhd_var_run_t,s0)
@@ -23303,6 +23392,11 @@ index 0000000..2c745ea
 +/var/log/mongodb(/.*)?		gen_context(system_u:object_r:mongod_log_t,s0)
 +/var/run/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_run_t,s0)
 +
++/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
++
++/var/run/aeolus/thin\.pid	--	gen_context(system_u:object_r:thin_var_run_t,s0)
++
++
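Review bot: Labelling `/usr/share/aeolus-conductor/dbomatic/dbomatic` as mongod_exec_t runs the aeolus dbomatic script in mongod_t, and the later cloudform.te hunk (`#needed by dbomatic` above `files_pid_filetrans`, plus the new `mysql_stream_connect`/`postgresql_stream_connect` rules) shows mongod_t being widened for dbomatic's needs, so the real mongod daemon inherits database-client access it never required. A dedicated domain (e.g. a new `dbomatic_t`/`dbomatic_exec_t` pair, names constructed here) keeps the two privilege sets apart; if that is deferred, a comment above the fc entry saying it is an intentional alias to mongod_t helps the next reader. The hunk also appends two empty lines at the end of cloudform.fc.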
 diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
 new file mode 100644
 index 0000000..917f8d4
@@ -23334,10 +23428,10 @@ index 0000000..917f8d4
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..4072045
+index 0000000..51accbe
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,206 @@
+@@ -0,0 +1,212 @@
 +policy_module(cloudform, 1.0)
 +
 +########################################
@@ -23478,14 +23572,11 @@ index 0000000..4072045
 +# mongod local policy
 +#
 +
-+#WHY?
-+allow mongod_t self:process execmem;
-+
-+allow mongod_t self:process setsched;
-+
-+allow mongod_t self:process { fork signal };
++allow mongod_t self:process { setsched signal };
 +
++allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mongod_t self:unix_stream_socket create_stream_socket_perms;
++allow mongod_t self:udp_socket create_socket_perms;
 +
 +manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
 +manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
@@ -23500,12 +23591,21 @@ index 0000000..4072045
 +
 +manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 +manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++#needed by dbomatic
++files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
 +
 +corenet_tcp_bind_generic_node(mongod_t)
-+#temporary
 +corenet_tcp_bind_generic_port(mongod_t)
 +
-+domain_use_interactive_fds(mongod_t)
++files_read_usr_files(mongod_t)
++
++optional_policy(`
++	mysql_stream_connect(mongod_t)
++')
++
++optional_policy(`
++	postgresql_stream_connect(mongod_t)
++')
 +
 +optional_policy(`
 +	sysnet_dns_name_resolve(mongod_t)
@@ -32540,7 +32640,7 @@ index 3aa8fa7..8fa74c3 100644
  
  	files_list_tmp($1)
 diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
-index 64fd1ff..10c2d54 100644
+index 64fd1ff..c40ad86 100644
 --- a/policy/modules/services/ldap.te
 +++ b/policy/modules/services/ldap.te
 @@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -32591,6 +32691,14 @@ index 64fd1ff..10c2d54 100644
  
  kernel_read_system_state(slapd_t)
  kernel_read_kernel_sysctls(slapd_t)
+@@ -106,6 +120,7 @@ files_read_usr_files(slapd_t)
+ files_list_var_lib(slapd_t)
+ 
+ auth_use_nsswitch(slapd_t)
++auth_rw_cache(slapd_t)
+ 
+ logging_send_syslog_msg(slapd_t)
+ 
 diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
 index 771e04b..81d98b3 100644
 --- a/policy/modules/services/likewise.if
@@ -39859,7 +39967,7 @@ index b524673..9d90fb3 100644
  
  	admin_pattern($1, pptp_var_run_t)
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..fbb89eb 100644
+index 2af42e7..fecf31f 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -39951,7 +40059,7 @@ index 2af42e7..fbb89eb 100644
  ')
  
  optional_policy(`
-@@ -243,14 +248,16 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +248,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -39963,6 +40071,7 @@ index 2af42e7..fbb89eb 100644
  
  kernel_list_proc(pptp_t)
  kernel_read_kernel_sysctls(pptp_t)
++kernel_read_network_state(pptp_t)
  kernel_read_proc_symlinks(pptp_t)
  kernel_read_system_state(pptp_t)
 +kernel_signal(pptp_t)
@@ -41448,7 +41557,7 @@ index 0000000..02ca5ed
 +	matahari_manage_pid_files(qpidd_t)
 +')
 diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
-index b1ed1bf..21e2d95 100644
+index b1ed1bf..4bf83b3 100644
 --- a/policy/modules/services/radius.te
 +++ b/policy/modules/services/radius.te
 @@ -77,6 +77,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
@@ -41459,6 +41568,14 @@ index b1ed1bf..21e2d95 100644
  corenet_tcp_connect_mysqld_port(radiusd_t)
  corenet_tcp_connect_snmp_port(radiusd_t)
  corenet_sendrecv_radius_server_packets(radiusd_t)
+@@ -101,6 +102,7 @@ domain_use_interactive_fds(radiusd_t)
+ files_read_usr_files(radiusd_t)
+ files_read_etc_files(radiusd_t)
+ files_read_etc_runtime_files(radiusd_t)
++files_dontaudit_list_tmp(radiusd_t)
+ 
+ auth_use_nsswitch(radiusd_t)
+ auth_read_shadow(radiusd_t)
 diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
 index be05bff..2bd662a 100644
 --- a/policy/modules/services/radvd.if
@@ -43974,7 +44091,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..b931194 100644
+index e30bb63..e27fb71 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -43999,7 +44116,7 @@ index e30bb63..b931194 100644
  # smbd Local policy
  #
 -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
@@ -47142,7 +47259,7 @@ index 904f13e..464347f 100644
  
  	init_labeled_script_domtrans($1, tor_initrc_exec_t)
 diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
-index c842cad..fe5deee 100644
+index c842cad..1136b10 100644
 --- a/policy/modules/services/tor.te
 +++ b/policy/modules/services/tor.te
 @@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t)
@@ -47153,7 +47270,7 @@ index c842cad..fe5deee 100644
  allow tor_t self:fifo_file rw_fifo_file_perms;
  allow tor_t self:unix_stream_socket create_stream_socket_perms;
  allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -95,6 +96,7 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -95,9 +96,11 @@ corenet_tcp_connect_all_ports(tor_t)
  corenet_sendrecv_all_client_packets(tor_t)
  # ... especially including port 80 and other privileged ports
  corenet_tcp_connect_all_reserved_ports(tor_t)
@@ -47161,6 +47278,10 @@ index c842cad..fe5deee 100644
  
  # tor uses crypto and needs random
  dev_read_urand(tor_t)
++dev_read_sysfs(tor_t)
+ 
+ domain_use_interactive_fds(tor_t)
+ 
 diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
 index 54b8605..752697f 100644
 --- a/policy/modules/services/tuned.if
@@ -47697,7 +47818,7 @@ index 32a3c13..7baeb6f 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..7b0af0f 100644
+index 2124b6a..fef1aa8 100644
 --- a/policy/modules/services/virt.fc
 +++ b/policy/modules/services/virt.fc
 @@ -1,4 +1,5 @@
@@ -47707,7 +47828,7 @@ index 2124b6a..7b0af0f 100644
  HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
  
-@@ -13,17 +14,26 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -13,17 +14,27 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
  /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -47733,12 +47854,13 @@ index 2124b6a..7b0af0f 100644
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 +
 +# support for AEOLUS project
++/usr/bin/imagefactory		--			gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/imgfac\.py		--			gen_context(system_u:object_r:virtd_exec_t,s0)
 +/var/cache/oz(/.*)?					gen_context(system_u:object_r:virt_cache_t,s0)
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
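Review bot: `/usr/bin/imagefactory` is labelled virtd_exec_t, so imagefactory runs as virtd_t, the libvirt daemon domain, which is likely far broader than an image-build tool needs; the existing `imgfac\.py` entry already does the same, so this entrenches the reuse. If a separate domain is not yet worth the policy, a comment making the choice explicit would help, e.g. `# imagefactory/imgfac drive libvirt and oz directly; intentionally run in virtd_t for now`.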
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..03cc7aee 100644
+index 7c5d8d8..874c749 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,39 +13,42 @@
@@ -47955,7 +48077,15 @@ index 7c5d8d8..03cc7aee 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -424,6 +481,24 @@ interface(`virt_read_images',`
+@@ -408,6 +465,7 @@ interface(`virt_read_images',`
+ 	read_files_pattern($1, virt_image_type, virt_image_type)
+ 	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ 	read_blk_files_pattern($1, virt_image_type, virt_image_type)
++	read_chr_files_pattern($1, virt_image_type, virt_image_type)
+ 
+ 	tunable_policy(`virt_use_nfs',`
+ 		fs_list_nfs($1)
+@@ -424,6 +482,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -47980,7 +48110,7 @@ index 7c5d8d8..03cc7aee 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +508,15 @@ interface(`virt_read_images',`
+@@ -433,15 +509,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -48001,7 +48131,15 @@ index 7c5d8d8..03cc7aee 100644
  ')
  
  ########################################
-@@ -500,6 +575,7 @@ interface(`virt_manage_images',`
+@@ -466,6 +542,7 @@ interface(`virt_manage_images',`
+ 	manage_files_pattern($1, virt_image_type, virt_image_type)
+ 	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ 	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
++	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+ 
+ 	tunable_policy(`virt_use_nfs',`
+ 		fs_manage_nfs_dirs($1)
+@@ -500,6 +577,7 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
@@ -48009,7 +48147,7 @@ index 7c5d8d8..03cc7aee 100644
  	')
  
  	allow $1 virtd_t:process { ptrace signal_perms };
-@@ -515,4 +591,149 @@ interface(`virt_admin',`
+@@ -515,4 +593,149 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -48160,7 +48298,7 @@ index 7c5d8d8..03cc7aee 100644
 +	allow $1 virt_tmpfs_type:file manage_file_perms;
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..e78e1e4 100644
+index 3eca020..a400283 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@@ -48415,7 +48553,7 @@ index 3eca020..e78e1e4 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +258,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +258,16 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -48424,6 +48562,7 @@ index 3eca020..e78e1e4 100644
 +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 +allow virtd_t virt_image_type:file relabel_file_perms;
 +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
++allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 +allow virtd_t virt_ptynode:chr_file rw_term_perms;
 +
 +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
@@ -48433,7 +48572,7 @@ index 3eca020..e78e1e4 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +285,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +286,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
@@ -48441,7 +48580,7 @@ index 3eca020..e78e1e4 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +305,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +306,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -48451,6 +48590,8 @@ index 3eca020..e78e1e4 100644
  dev_getattr_all_chr_files(virtd_t)
  dev_rw_mtrr(virtd_t)
 +dev_rw_vhost(virtd_t)
++dev_setattr_generic_usb_dev(virtd_t)
++dev_relabel_generic_usb_dev(virtd_t)
  
  # Init script handling
  domain_use_interactive_fds(virtd_t)
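Review bot: `dev_relabel_generic_usb_dev(virtd_t)` lets libvirtd relabel generic USB device nodes, which together with the new `chr_file relabel_chr_file_perms` on `virt_image_type` in an earlier hunk looks like the USB host-device passthrough path, but nothing in the hunk says so. A short comment, e.g. `# setattr/relabel USB device nodes for guest passthrough`, would make the intent and the expected target label explicit. If the relabel is only ever meant to go to `virt_image_type`, stating that here tells a future reviewer the relabelto side is not intended to be open-ended.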
@@ -48474,7 +48615,7 @@ index 3eca020..e78e1e4 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +337,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +340,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -48493,7 +48634,7 @@ index 3eca020..e78e1e4 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +372,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +375,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -48524,7 +48665,7 @@ index 3eca020..e78e1e4 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +414,10 @@ optional_policy(`
+@@ -313,6 +417,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48535,7 +48676,7 @@ index 3eca020..e78e1e4 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,6 +434,10 @@ optional_policy(`
+@@ -329,6 +437,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48546,7 +48687,7 @@ index 3eca020..e78e1e4 100644
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
-@@ -365,6 +474,8 @@ optional_policy(`
+@@ -365,6 +477,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -48555,7 +48696,7 @@ index 3eca020..e78e1e4 100644
  ')
  
  optional_policy(`
-@@ -394,14 +505,26 @@ optional_policy(`
+@@ -394,14 +508,26 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -48584,7 +48725,7 @@ index 3eca020..e78e1e4 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +545,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +548,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -48592,7 +48733,7 @@ index 3eca020..e78e1e4 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +553,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +556,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -48605,7 +48746,7 @@ index 3eca020..e78e1e4 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +566,14 @@ files_search_all(virt_domain)
+@@ -440,6 +569,14 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -48620,7 +48761,7 @@ index 3eca020..e78e1e4 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +591,118 @@ optional_policy(`
+@@ -457,8 +594,118 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -52560,7 +52701,7 @@ index 42b4f0f..7282768 100644
  
  	optional_policy(`
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 66d13c4..66a0a25 100644
+index 66d13c4..b49e136 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.1)
@@ -52588,7 +52729,15 @@ index 66d13c4..66a0a25 100644
  
  type auth_cache_t;
  logging_log_file(auth_cache_t)
-@@ -44,7 +59,7 @@ type pam_tmp_t;
+@@ -21,6 +36,7 @@ role system_r types chkpwd_t;
+ 
+ type faillog_t;
+ logging_log_file(faillog_t)
++mls_trusted_object(faillog_t)
+ 
+ type lastlog_t;
+ logging_log_file(lastlog_t)
+@@ -44,7 +60,7 @@ type pam_tmp_t;
  files_tmp_file(pam_tmp_t)
  
  type pam_var_console_t;
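Review bot: `mls_trusted_object(faillog_t)` is added with no comment, and as I read it this places faillog_t in the attribute that the MLS constraints exempt, so every level can read and write the file. Record the reason above it, e.g. `# faillog is updated by login/pam from every sensitivity level`, so the exemption is not mistaken for an oversight later. `lastlog_t`, declared immediately below, is not given the same treatment; if it is written by the same cross-level login path the same justification would apply to it, so it is worth confirming one way or the other.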
@@ -52597,7 +52746,7 @@ index 66d13c4..66a0a25 100644
  
  type pam_var_run_t;
  files_pid_file(pam_var_run_t)
-@@ -100,6 +115,8 @@ dev_read_urand(chkpwd_t)
+@@ -100,6 +116,8 @@ dev_read_urand(chkpwd_t)
  files_read_etc_files(chkpwd_t)
  # for nscd
  files_dontaudit_search_var(chkpwd_t)
@@ -52606,7 +52755,7 @@ index 66d13c4..66a0a25 100644
  
  fs_dontaudit_getattr_xattr_fs(chkpwd_t)
  
-@@ -395,3 +412,13 @@ optional_policy(`
+@@ -395,3 +413,13 @@ optional_policy(`
  	xserver_use_xdm_fds(utempter_t)
  	xserver_rw_xdm_pipes(utempter_t)
  ')
@@ -53855,7 +54004,7 @@ index cc83689..fc87c2c 100644
 +	read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..a8e892b 100644
+index ea29513..8ef68d0 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -53981,7 +54130,16 @@ index ea29513..a8e892b 100644
  files_manage_etc_runtime_files(init_t)
  files_etc_filetrans_etc_runtime(init_t, file)
  # Run /etc/X11/prefdm:
-@@ -151,6 +195,7 @@ mls_file_read_all_levels(init_t)
+@@ -144,6 +188,8 @@ fs_list_inotifyfs(init_t)
+ # cjp: this may be related to /dev/log
+ fs_write_ramfs_sockets(init_t)
+ 
++mcs_file_read_all(init_t)
++mcs_file_write_all(init_t)
+ mcs_process_set_categories(init_t)
+ mcs_killall(init_t)
+ 
+@@ -151,6 +197,7 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
@@ -53989,7 +54147,7 @@ index ea29513..a8e892b 100644
  
  selinux_set_all_booleans(init_t)
  
-@@ -162,12 +207,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +209,15 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
@@ -54005,7 +54163,7 @@ index ea29513..a8e892b 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +226,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +228,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -54014,7 +54172,7 @@ index ea29513..a8e892b 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +234,120 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +236,120 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -54135,7 +54293,7 @@ index ea29513..a8e892b 100644
  ')
  
  optional_policy(`
-@@ -199,10 +355,25 @@ optional_policy(`
+@@ -199,10 +357,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54161,7 +54319,7 @@ index ea29513..a8e892b 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +383,7 @@ optional_policy(`
+@@ -212,7 +385,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -54170,7 +54328,7 @@ index ea29513..a8e892b 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +412,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +414,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -54186,7 +54344,7 @@ index ea29513..a8e892b 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +432,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +434,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -54223,7 +54381,7 @@ index ea29513..a8e892b 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +465,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +467,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -54231,7 +54389,7 @@ index ea29513..a8e892b 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +478,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +480,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -54239,7 +54397,7 @@ index ea29513..a8e892b 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +486,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +488,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -54255,7 +54413,7 @@ index ea29513..a8e892b 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +504,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +506,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -54263,7 +54421,7 @@ index ea29513..a8e892b 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +512,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +514,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -54275,7 +54433,7 @@ index ea29513..a8e892b 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +531,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +533,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -54289,7 +54447,7 @@ index ea29513..a8e892b 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +546,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,8 +548,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -54297,8 +54455,12 @@ index ea29513..a8e892b 100644
 +fs_getattr_nfsd_files(initrc_t)
  
  # initrc_t needs to do a pidof which requires ptrace
++mcs_file_read_all(initrc_t)
++mcs_file_write_all(initrc_t)
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +560,7 @@ mls_process_read_up(initrc_t)
+ mcs_killall(initrc_t)
+ mcs_process_set_categories(initrc_t)
+@@ -363,6 +564,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
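Review bot: The two new lines `mcs_file_read_all(initrc_t)` and `mcs_file_write_all(initrc_t)` are inserted between the comment `# initrc_t needs to do a pidof which requires ptrace` and the `mcs_ptrace_all(initrc_t)` line it explains, so the comment now reads as if it described the MCS read/write exemption. Move the two lines below `mcs_process_set_categories(initrc_t)`, or give them their own comment, e.g. `# init scripts touch files of every category (mcsreadall/mcswriteall)`. Since this exempts every init script from the MCS file constraints, a note of why is worth having regardless of placement.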
@@ -54306,7 +54468,7 @@ index ea29513..a8e892b 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +572,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +576,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -54314,7 +54476,7 @@ index ea29513..a8e892b 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,13 +593,12 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +597,12 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -54330,7 +54492,7 @@ index ea29513..a8e892b 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -458,6 +656,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +660,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -54341,7 +54503,7 @@ index ea29513..a8e892b 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +680,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +684,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -54350,7 +54512,7 @@ index ea29513..a8e892b 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +695,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +699,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -54358,7 +54520,7 @@ index ea29513..a8e892b 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +725,29 @@ ifdef(`distro_redhat',`
+@@ -522,8 +729,29 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -54388,7 +54550,7 @@ index ea29513..a8e892b 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +755,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +759,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -54406,7 +54568,7 @@ index ea29513..a8e892b 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +780,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +784,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -54446,7 +54608,7 @@ index ea29513..a8e892b 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +825,8 @@ optional_policy(`
+@@ -561,6 +829,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -54455,7 +54617,7 @@ index ea29513..a8e892b 100644
  ')
  
  optional_policy(`
-@@ -577,6 +843,7 @@ optional_policy(`
+@@ -577,6 +847,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -54463,7 +54625,7 @@ index ea29513..a8e892b 100644
  ')
  
  optional_policy(`
-@@ -589,6 +856,17 @@ optional_policy(`
+@@ -589,6 +860,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54481,7 +54643,7 @@ index ea29513..a8e892b 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +883,13 @@ optional_policy(`
+@@ -605,9 +887,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -54495,7 +54657,7 @@ index ea29513..a8e892b 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +931,11 @@ optional_policy(`
+@@ -649,6 +935,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54507,7 +54669,7 @@ index ea29513..a8e892b 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +993,13 @@ optional_policy(`
+@@ -706,7 +997,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54521,7 +54683,7 @@ index ea29513..a8e892b 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1022,10 @@ optional_policy(`
+@@ -729,6 +1026,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54532,7 +54694,7 @@ index ea29513..a8e892b 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1035,20 @@ optional_policy(`
+@@ -738,10 +1039,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54553,7 +54715,7 @@ index ea29513..a8e892b 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1057,10 @@ optional_policy(`
+@@ -750,6 +1061,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54564,7 +54726,7 @@ index ea29513..a8e892b 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1082,6 @@ optional_policy(`
+@@ -771,8 +1086,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -54573,7 +54735,7 @@ index ea29513..a8e892b 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1090,21 @@ optional_policy(`
+@@ -781,14 +1094,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54595,7 +54757,7 @@ index ea29513..a8e892b 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1116,6 @@ optional_policy(`
+@@ -800,7 +1120,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54603,7 +54765,7 @@ index ea29513..a8e892b 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1125,24 @@ optional_policy(`
+@@ -810,11 +1129,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54629,7 +54791,7 @@ index ea29513..a8e892b 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1152,25 @@ optional_policy(`
+@@ -824,6 +1156,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -54655,7 +54817,7 @@ index ea29513..a8e892b 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1196,42 @@ optional_policy(`
+@@ -849,3 +1200,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -55265,7 +55427,7 @@ index 1d1c399..b8f623a 100644
 +	tgtd_manage_semaphores(iscsid_t)
  ')
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 9df8c4d..55b1544 100644
+index 9df8c4d..6f3ac01 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
@@ -55356,7 +55518,7 @@ index 9df8c4d..55b1544 100644
  ') dnl end distro_redhat
  
  #
-@@ -319,14 +315,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -319,14 +315,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
@@ -55399,6 +55561,7 @@ index 9df8c4d..55b1544 100644
 +/opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/chrome/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/nspluginwrapper/np.*\.so	-- gen_context(system_u:object_r:lib_t,s0)
 +
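Review bot: The added `/opt/google/chrome/.*\.so.*` entry is already matched by `/opt/google/.*\.so.*` on the preceding line, with the same `textrel_shlib_t` context, because `.*` in a file-context regex also spans `/`. The new spec therefore changes nothing and only adds a second line to keep in sync; drop it, or if there is a reason for it (for instance a more specific chrome spec elsewhere in the file that it must override) say so in a comment on the line.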
@@ -55466,7 +55629,6 @@ index 9df8c4d..55b1544 100644
 +/usr/lib(64)?/php/modules/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/dri/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/httpd/modules/libphp5\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +')
 +/opt/VBoxGuestAdditions.*/lib/VBox.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -55500,6 +55662,9 @@ index 9df8c4d..55b1544 100644
 +
 +/opt/real/RealPlayer/codecs(/.*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
++/usr/lib(64)?/dri/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/.*/libflashplayer\.so.*   --  gen_context(system_u:object_r:textrel_shlib_t,s0)
++
 +/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.*  --	gen_context(system_u:object_r:textrel_shlib_t,s0)	
 +
 +/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
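Review bot: `/usr/lib(64)?/.*/libflashplayer\.so.*` hands `textrel_shlib_t`, the label that permits text relocations (execmod), to a file of that name at any depth under /usr/lib or /usr/lib64 rather than to the known plugin directories; the `nspluginwrapper/np.*\.so` entry in the same file shows the narrower form. If the plugin lives in a fixed place, anchoring the path keeps the execmod exemption from following a stray copy. Separately, `/usr/lib(64)?/dri/.+\.so` appears to move from inside the block that closes with `')` in the preceding hunk to the unconditional part of the file; if that widening is intended, a line in the commit message would help.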
@@ -60775,7 +60940,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..a83c68a 100644
+index 28b88de..1ff8612 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -62696,7 +62861,7 @@ index 28b88de..a83c68a 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3139,3 +3729,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3729,1076 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -63552,6 +63717,24 @@ index 28b88de..a83c68a 100644
 +	dontaudit $1 user_tmp_t:dir setattr;
 +')
 +
++#######################################
++## <summary> 
++##  Read all inherited users files in /tmp
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`userdom_read_inherited_user_tmp_files',`
++    gen_require(`
++        type user_tmp_t;
++    ')
++
++    allow $1 user_tmp_t:file read_inherited_file_perms;
++')
++
 +########################################
 +## <summary>
 +##	Write all inherited users files in /tmp
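Review bot: The new `userdom_read_inherited_user_tmp_files` interface is indented with four spaces while the surrounding interfaces use tabs (compare `dontaudit $1 user_tmp_t:dir setattr;` just above), its separator line appears to be one `#` short of the `########################################` used by its neighbours, and `## <summary> ` carries a trailing space. Normalise to tabs and the full-width separator so the block matches the file's style. The `read_inherited_file_perms` grant itself is consistent with the write-side interface that follows.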
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 33e46b6..e875335 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 45%{?dist}
+Release: 46%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
 %endif
 
 %changelog
+* Mon Nov 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-46
+- Backport MCS fixes from F16
+- Other chrome fixes from F16
+
 * Wed Oct 26 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-45
 - Backport chrome fixes
 - Backport cloudform policy

