[selinux-policy] - Pulseaudio changes - Merge patches
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Nov 11 16:12:02 UTC 2011
commit 68f1456925eb14997526425284c2625f4bd5d36d
Author: Miroslav <mgrepl at redhat.com>
Date: Fri Nov 11 17:11:46 2011 +0100
- Pulseaudio changes
- Merge patches
policy-F16.patch | 6235 +++++++++++++++++++++++++++++++++++----------------
selinux-policy.spec | 6 +-
2 files changed, 4276 insertions(+), 1965 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index acd9272..24fcf61 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -141,18 +141,33 @@ index 111d004..c90e80d 100644
-## </desc>
-gen_bool(secure_mode_policyload,false)
diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..262b5ba 100644
+index 4705ab6..0f0bb47 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
-@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)
+@@ -6,6 +6,13 @@
+
+ ## <desc>
+ ## <p>
++## Allow sysadm to debug or ptrace all processes.
++## </p>
++## </desc>
++gen_tunable(deny_ptrace, false)
++
++## <desc>
++## <p>
+ ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+ ## </p>
+ ## </desc>
+@@ -13,21 +20,21 @@ gen_tunable(allow_execheap,false)
## <desc>
## <p>
-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
-+## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
++## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
## </p>
## </desc>
- gen_tunable(allow_execmem,false)
+-gen_tunable(allow_execmem,false)
++gen_tunable(deny_execmem,false)
## <desc>
## <p>
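Review bot: The description added for `deny_ptrace` (`## Allow sysadm to debug or ptrace all processes.`) says the opposite of how the boolean is used. The kdump.if, kismet.if and shorewall.if hunks put the ptrace rule in the else branch of their `tunable_policy` blocks, so switching the boolean on removes the permission. Wording such as `## Deny any process from ptracing or debugging other processes.` would match the name. The new `deny_execmem` text still ends with the old allow_execmem wording about reporting the executable. Renaming `allow_execmem` to `deny_execmem` while keeping the default `false` also appears to flip the default wherever a rule moves to the else branch, as in the rpm.te hunk for rpm_script_t, so confirm the shipped boolean default is the intended one.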
@@ -169,7 +184,7 @@ index 4705ab6..262b5ba 100644
## </p>
## </desc>
gen_tunable(allow_execstack,false)
-@@ -68,15 +68,6 @@ gen_tunable(global_ssp,false)
+@@ -68,15 +75,6 @@ gen_tunable(global_ssp,false)
## <desc>
## <p>
@@ -185,7 +200,7 @@ index 4705ab6..262b5ba 100644
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
-@@ -105,9 +96,24 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false)
## <desc>
## <p>
@@ -832,9 +847,20 @@ index 0f57d3b..655d07f 100644
########################################
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
-index cd5e005..50e9ee4 100644
+index cd5e005..72417f5 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
+@@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0)
+
+ type consoletype_t;
+ type consoletype_exec_t;
+-init_domain(consoletype_t, consoletype_exec_t)
+-init_system_domain(consoletype_t, consoletype_exec_t)
++application_domain(consoletype_t, consoletype_exec_t)
++role system_r types consoletype_t;
+
+ ########################################
+ #
@@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t)
mls_file_read_all_levels(consoletype_t)
mls_file_write_all_levels(consoletype_t)
@@ -1058,7 +1084,7 @@ index 8fa451c..f3a67c9 100644
')
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
-index c4d8998..f808287 100644
+index c4d8998..bd59f2e 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -19,6 +19,9 @@ role system_r types firstboot_t;
@@ -1106,7 +1132,18 @@ index c4d8998..f808287 100644
# Add/remove user home directories
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
-@@ -103,8 +109,18 @@ optional_policy(`
+@@ -91,10 +97,6 @@ userdom_home_filetrans_user_home_dir(firstboot_t)
+ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+
+ optional_policy(`
+- consoletype_domtrans(firstboot_t)
+-')
+-
+-optional_policy(`
+ dbus_system_bus_client(firstboot_t)
+
+ optional_policy(`
+@@ -103,8 +105,18 @@ optional_policy(`
')
optional_policy(`
@@ -1125,7 +1162,7 @@ index c4d8998..f808287 100644
optional_policy(`
samba_rw_config(firstboot_t)
-@@ -113,7 +129,7 @@ optional_policy(`
+@@ -113,7 +125,7 @@ optional_policy(`
optional_policy(`
unconfined_domtrans(firstboot_t)
# The big hammer
@@ -1134,7 +1171,7 @@ index c4d8998..f808287 100644
')
optional_policy(`
-@@ -125,6 +141,7 @@ optional_policy(`
+@@ -125,6 +137,7 @@ optional_policy(`
')
optional_policy(`
@@ -1142,7 +1179,7 @@ index c4d8998..f808287 100644
gnome_manage_config(firstboot_t)
')
-@@ -132,4 +149,5 @@ optional_policy(`
+@@ -132,4 +145,5 @@ optional_policy(`
xserver_domtrans(firstboot_t)
xserver_rw_shm(firstboot_t)
xserver_unconfined(firstboot_t)
@@ -1161,7 +1198,7 @@ index c66934f..1aa1205 100644
/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
-index 4198ff5..a296bfa 100644
+index 4198ff5..419c7a9 100644
--- a/policy/modules/admin/kdump.if
+++ b/policy/modules/admin/kdump.if
@@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',`
@@ -1220,6 +1257,19 @@ index 4198ff5..a296bfa 100644
####################################
## <summary>
## Manage kdump configuration file.
+@@ -98,8 +140,11 @@ interface(`kdump_admin',`
+ type kdump_initrc_exec_t;
+ ')
+
+- allow $1 kdump_t:process { ptrace signal_perms };
++ allow $1 kdump_t:process signal_perms;
+ ps_process_pattern($1, kdump_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 kdump_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te
index b29d8e2..bcd9273 100644
--- a/policy/modules/admin/kdump.te
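Review bot: The empty second argument in the `tunable_policy` block added to kdump_admin is easy to misread as granting ptrace when deny_ptrace is on; it is the else branch that holds `allow $1 kdump_t:process ptrace;`. A one-line comment above the block, such as `# ptrace is allowed only while the deny_ptrace boolean is off`, would make the polarity explicit. The same block is added to kismet_admin and shorewall_admin in this patch, and its position relative to `ps_process_pattern` differs between them; one consistent layout would be easier to audit. The interface body starts and ends outside the hunk.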
@@ -1234,6 +1284,22 @@ index b29d8e2..bcd9273 100644
#####################################
#
# kdump local policy
+diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if
+index c18c920..582f7f3 100644
+--- a/policy/modules/admin/kismet.if
++++ b/policy/modules/admin/kismet.if
+@@ -239,7 +239,10 @@ interface(`kismet_admin',`
+ ')
+
+ ps_process_pattern($1, kismet_t)
+- allow $1 kismet_t:process { ptrace signal_perms };
++ allow $1 kismet_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 kismet_t:process ptrace;
++ ')
+
+ kismet_manage_pid_files($1)
+ kismet_manage_lib($1)
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index 9dd6880..4b7fa27 100644
--- a/policy/modules/admin/kismet.te
@@ -1248,9 +1314,18 @@ index 9dd6880..4b7fa27 100644
optional_policy(`
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
-index 4f7bd3c..a29af21 100644
+index 4f7bd3c..9143343 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
+@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t)
+ # Local policy
+ #
+
+-allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
++allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+ dontaudit kudzu_t self:capability sys_tty_config;
+ allow kudzu_t self:process { signal_perms execmem };
+ allow kudzu_t self:fifo_file rw_fifo_file_perms;
@@ -111,15 +111,10 @@ logging_send_syslog_msg(kudzu_t)
miscfiles_read_hwdata(kudzu_t)
miscfiles_read_localization(kudzu_t)
@@ -1288,22 +1363,21 @@ index 4f7bd3c..a29af21 100644
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..98f0a2e 100644
+index 7090dae..a2512aa 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
-@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t)
+@@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
#
# Change ownership on log files.
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
-+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
- # for mailx
+-# for mailx
-dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
-+dontaudit logrotate_t self:capability { sys_ptrace };
++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-@@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
+@@ -39,6 +37,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
allow logrotate_t self:process setfscreate;
allow logrotate_t self:fd use;
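Review bot: The merged `allow logrotate_t self:capability` rule now grants setuid and setgid, but the only comment left above it is `# Change ownership on log files.` and the `# for mailx` note is dropped. If mailx is the reason these capabilities are now allowed, a comment such as `# setuid setgid: needed when mailing logs through mailx` would keep the justification next to the grant. The `dontaudit ... sys_ptrace` rule is removed as well, so any sys_ptrace attempts by logrotate_t would presumably appear as AVC denials in the audit log; confirm that is intended.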
@@ -1311,7 +1385,7 @@ index 7090dae..98f0a2e 100644
allow logrotate_t self:fifo_file rw_fifo_file_perms;
allow logrotate_t self:unix_dgram_socket create_socket_perms;
allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
-@@ -61,6 +62,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+@@ -61,6 +60,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
# for /var/lib/logrotate.status and /var/lib/logcheck
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
@@ -1319,7 +1393,15 @@ index 7090dae..98f0a2e 100644
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
kernel_read_system_state(logrotate_t)
-@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t)
+@@ -75,6 +75,7 @@ fs_list_inotifyfs(logrotate_t)
+ mls_file_read_all_levels(logrotate_t)
+ mls_file_write_all_levels(logrotate_t)
+ mls_file_upgrade(logrotate_t)
++mls_process_write_to_clearance(logrotate_t)
+
+ selinux_get_fs_mount(logrotate_t)
+ selinux_get_enforce_mode(logrotate_t)
+@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t)
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
@@ -1327,7 +1409,7 @@ index 7090dae..98f0a2e 100644
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
-@@ -116,17 +119,15 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +118,15 @@ miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
@@ -1350,7 +1432,7 @@ index 7090dae..98f0a2e 100644
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
-@@ -138,7 +139,7 @@ ifdef(`distro_debian', `
+@@ -138,7 +138,7 @@ ifdef(`distro_debian', `
')
optional_policy(`
@@ -1359,7 +1441,7 @@ index 7090dae..98f0a2e 100644
')
optional_policy(`
-@@ -154,6 +155,10 @@ optional_policy(`
+@@ -154,6 +154,10 @@ optional_policy(`
')
optional_policy(`
@@ -1370,7 +1452,7 @@ index 7090dae..98f0a2e 100644
asterisk_domtrans(logrotate_t)
')
-@@ -162,10 +167,20 @@ optional_policy(`
+@@ -162,10 +166,20 @@ optional_policy(`
')
optional_policy(`
@@ -1391,7 +1473,7 @@ index 7090dae..98f0a2e 100644
cups_domtrans(logrotate_t)
')
-@@ -200,9 +215,12 @@ optional_policy(`
+@@ -200,9 +214,12 @@ optional_policy(`
')
optional_policy(`
@@ -1405,7 +1487,7 @@ index 7090dae..98f0a2e 100644
optional_policy(`
samba_exec_log(logrotate_t)
-@@ -228,3 +246,14 @@ optional_policy(`
+@@ -228,3 +245,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -1532,7 +1614,7 @@ index 56c43c0..0641226 100644
+
+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..ef8bc09 100644
+index 5671977..ea06507 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
@@ -1551,7 +1633,7 @@ index 5671977..ef8bc09 100644
########################################
#
-@@ -17,10 +23,22 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
+@@ -17,16 +23,34 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
allow mcelog_t self:capability sys_admin;
@@ -1574,7 +1656,11 @@ index 5671977..ef8bc09 100644
files_read_etc_files(mcelog_t)
-@@ -30,3 +48,7 @@ mls_file_read_all_levels(mcelog_t)
+ # for /dev/mem access
+ mls_file_read_all_levels(mcelog_t)
+
++auth_read_passwd(mcelog_t)
++
logging_send_syslog_msg(mcelog_t)
miscfiles_read_localization(mcelog_t)
@@ -1648,14 +1734,15 @@ index 75ee31d..a28ab46 100644
+ allow $2 ncftool_t:process signal;
+')
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
-index ec29391..b25d59a 100644
+index ec29391..28c9672 100644
--- a/policy/modules/admin/ncftool.te
+++ b/policy/modules/admin/ncftool.te
-@@ -18,9 +18,13 @@ role system_r types ncftool_t;
+@@ -17,10 +17,13 @@ role system_r types ncftool_t;
+ # ncftool local policy
#
- allow ncftool_t self:capability { net_admin sys_ptrace };
-+
+-allow ncftool_t self:capability { net_admin sys_ptrace };
++allow ncftool_t self:capability net_admin;
allow ncftool_t self:process signal;
+
allow ncftool_t self:fifo_file manage_fifo_file_perms;
@@ -1665,7 +1752,7 @@ index ec29391..b25d59a 100644
allow ncftool_t self:tcp_socket create_stream_socket_perms;
allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -38,10 +42,14 @@ domain_read_all_domains_state(ncftool_t)
+@@ -38,10 +41,14 @@ domain_read_all_domains_state(ncftool_t)
dev_read_sysfs(ncftool_t)
@@ -1680,7 +1767,7 @@ index ec29391..b25d59a 100644
miscfiles_read_localization(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
-@@ -50,6 +58,8 @@ sysnet_domtrans_ifconfig(ncftool_t)
+@@ -50,6 +57,8 @@ sysnet_domtrans_ifconfig(ncftool_t)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
@@ -1689,7 +1776,7 @@ index ec29391..b25d59a 100644
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
-@@ -66,6 +76,7 @@ optional_policy(`
+@@ -66,6 +75,7 @@ optional_policy(`
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
@@ -1949,358 +2036,19 @@ index 0000000..bd83148
+## <summary>No Interfaces</summary>
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
-index 0000000..0bd2028
+index 0000000..9c8b64f
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,349 @@
-+policy_module(permissivedomains,16)
-+
-+optional_policy(`
-+ gen_require(`
-+ type polipo_t;
-+ ')
-+
-+ permissive polipo_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type pptp_t;
-+ ')
-+
-+ permissive pptp_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type quota_nld_t;
-+ ')
-+
-+ permissive quota_nld_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type bootloader_t;
-+ ')
-+
-+ permissive bootloader_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type systemd_logger_t;
-+ ')
-+
-+ permissive systemd_logger_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ permissive systemd_logind_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type fcoemon_t;
-+ ')
-+
-+ permissive fcoemon_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type httpd_passwd_t;
-+ ')
-+
-+ permissive httpd_passwd_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type puppetca_t;
-+ ')
-+
-+ permissive puppetca_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type spamd_update_t;
-+ ')
-+
-+ permissive spamd_update_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type rhev_agentd_t;
-+ ')
-+
-+ permissive rhev_agentd_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type abrt_handle_event_t;
-+ ')
-+
-+ permissive abrt_handle_event_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type cfengine_serverd_t;
-+ ')
-+
-+ permissive cfengine_serverd_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type cfengine_execd_t;
-+ ')
-+
-+ permissive cfengine_execd_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type cfengine_monitord_t;
-+ ')
-+
-+ permissive cfengine_monitord_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type rhsmcertd_t;
-+ ')
-+
-+ permissive rhsmcertd_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type sshd_sandbox_t;
-+ ')
-+
-+ permissive sshd_sandbox_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type fail2ban_client_t;
-+ ')
-+
-+ permissive fail2ban_client_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type ctdbd_t;
-+ ')
-+
-+ permissive ctdbd_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type mscan_t;
-+ ')
-+
-+ permissive mscan_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type lldpad_t;
-+ ')
-+
-+ permissive lldpad_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type nova_ajax_t;
-+ type nova_api_t;
-+ type nova_compute_t;
-+ type nova_direct_t;
-+ type nova_network_t;
-+ type nova_objectstore_t;
-+ type nova_scheduler_t;
-+ type nova_vncproxy_t;
-+ type nova_volume_t;
-+ ')
-+
-+ permissive nova_ajax_t;
-+ permissive nova_api_t;
-+ permissive nova_compute_t;
-+ permissive nova_direct_t;
-+ permissive nova_network_t;
-+ permissive nova_objectstore_t;
-+ permissive nova_scheduler_t;
-+ permissive nova_vncproxy_t;
-+ permissive nova_volume_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type rabbitmq_epmd_t;
-+ type rabbitmq_beam_t;
-+ ')
-+
-+ permissive rabbitmq_epmd_t;
-+ permissive rabbitmq_beam_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type sblim_gatherd_t;
-+ ')
-+
-+ permissive sblim_gatherd_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type sblim_gatherd_t;
-+ ')
-+
-+ permissive sblim_gatherd_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type callweaver_t;
-+ ')
-+
-+ permissive callweaver_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type sanlock_t;
-+ ')
-+
-+ permissive sanlock_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type uuidd_t;
-+ ')
-+
-+ permissive uuidd_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type wdmd_t;
-+ ')
-+
-+ permissive wdmd_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type dspam_t;
-+ ')
-+
-+ permissive dspam_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type virt_lxc_t;
-+ ')
-+
-+ permissive virt_lxc_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type virtd_t;
-+ ')
-+
-+ permissive virtd_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type pyicqt_t;
-+ ')
-+
-+ permissive pyicqt_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type telepathy_logger_t;
-+ ')
-+
-+ permissive telepathy_logger_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type glance_registry_t;
-+ type glance_api_t;
-+ ')
-+
-+ permissive glance_registry_t;
-+ permissive glance_api_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type thumb_t;
-+ ')
-+
-+ permissive thumb_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type virt_qmf_t;
-+ ')
-+
-+ permissive virt_qmf_t;
-+')
-+
-+# for cloudform daemons
-+
-+optional_policy(`
-+ gen_require(`
-+ type deltacloudd_t;
-+ type iwhd_t;
-+ type mongod_t;
-+ type thin_t;
-+ ')
-+
-+ permissive deltacloudd_t;
-+ permissive iwhd_t;
-+ permissive mongod_t;
-+ permissive thin_t;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type chrome_sandbox_nacl_t;
-+ ')
+@@ -0,0 +1,10 @@
++policy_module(permissivedomains,17)
+
-+ permissive chrome_sandbox_nacl_t;
-+')
+
+optional_policy(`
+ gen_require(`
-+ type matahari_sysconfigd_t;
++ type blueman_t;
+ ')
+
-+ permissive matahari_sysconfigd_t;
++ permissive blueman_t;
+')
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..b665b08 100644
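Review bot: `permissive blueman_t;` is added with no comment saying why the domain is permissive or when it should become enforcing, and a permissive domain is logged but not confined. A comment above the block, for example `# blueman_t: new policy, permissive until its AVCs are reviewed`, would record the intent. The same hunk drops every previously listed domain from the module, so those domains presumably become enforcing in one step; it would help to say so in the changelog so that denials for them are watched after the update.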
@@ -3042,7 +2790,7 @@ index d33daa8..8ba0f86 100644
+ allow rpm_script_t $1:process sigchld;
+')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..4b78d5b 100644
+index 47a8f7d..17b5426 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,11 @@
@@ -3163,7 +2911,17 @@ index 47a8f7d..4b78d5b 100644
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_script_t)
-@@ -257,12 +282,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -225,7 +250,8 @@ optional_policy(`
+ # rpm-script Local policy
+ #
+
+-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
++allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
++
+ allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
+ allow rpm_script_t self:fd use;
+ allow rpm_script_t self:fifo_file rw_fifo_file_perms;
+@@ -257,12 +283,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
can_exec(rpm_script_t, rpm_script_tmpfs_t)
@@ -3182,7 +2940,7 @@ index 47a8f7d..4b78d5b 100644
dev_list_sysfs(rpm_script_t)
# ideally we would not need this
-@@ -299,15 +330,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -299,15 +331,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -3203,7 +2961,7 @@ index 47a8f7d..4b78d5b 100644
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -331,19 +364,20 @@ libs_domtrans_ldconfig(rpm_script_t)
+@@ -331,23 +365,24 @@ libs_domtrans_ldconfig(rpm_script_t)
logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
@@ -3227,7 +2985,12 @@ index 47a8f7d..4b78d5b 100644
')
')
-@@ -368,6 +402,11 @@ optional_policy(`
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow rpm_script_t self:process execmem;
+ ')
+
+@@ -368,6 +403,11 @@ optional_policy(`
')
optional_policy(`
@@ -3239,7 +3002,7 @@ index 47a8f7d..4b78d5b 100644
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
-@@ -377,8 +416,9 @@ optional_policy(`
+@@ -377,8 +417,9 @@ optional_policy(`
')
optional_policy(`
@@ -3251,9 +3014,18 @@ index 47a8f7d..4b78d5b 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
-index c8ef84b..40ceffb 100644
+index c8ef84b..eb4bd05 100644
--- a/policy/modules/admin/sectoolm.te
+++ b/policy/modules/admin/sectoolm.te
+@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
+ # sectool local policy
+ #
+
+-allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
++allow sectoolm_t self:capability { dac_override net_admin sys_nice };
+ allow sectoolm_t self:process { getcap getsched signull setsched };
+ dontaudit sectoolm_t self:process { execstack execmem };
+ allow sectoolm_t self:fifo_file rw_fifo_file_perms;
@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t)
auth_use_nsswitch(sectoolm_t)
@@ -3286,7 +3058,7 @@ index c8ef84b..40ceffb 100644
optional_policy(`
mount_exec(sectoolm_t)
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
-index 781ad7e..082f0c5 100644
+index 781ad7e..f7b8881 100644
--- a/policy/modules/admin/shorewall.if
+++ b/policy/modules/admin/shorewall.if
@@ -55,28 +55,9 @@ interface(`shorewall_read_config',`
@@ -3367,10 +3139,32 @@ index 781ad7e..082f0c5 100644
## </param>
#
interface(`shorewall_rw_lib_files',`
+@@ -177,8 +139,11 @@ interface(`shorewall_admin',`
+ type shorewall_tmp_t, shorewall_etc_t;
+ ')
+
+- allow $1 shorewall_t:process { ptrace signal_perms };
++ allow $1 shorewall_t:process signal_perms;
+ ps_process_pattern($1, shorewall_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 shorewall_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
-index 95bce88..1a53b7b 100644
+index 95bce88..95065c3 100644
--- a/policy/modules/admin/shorewall.te
+++ b/policy/modules/admin/shorewall.te
+@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t)
+ # shorewall local policy
+ #
+
+-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
++allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
+ dontaudit shorewall_t self:capability sys_tty_config;
+ allow shorewall_t self:fifo_file rw_fifo_file_perms;
+
@@ -59,6 +59,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
@@ -3640,9 +3434,18 @@ index 94c01b5..f64bd93 100644
########################################
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
-index fe1c377..bedbb9b 100644
+index fe1c377..724df48 100644
--- a/policy/modules/admin/sosreport.te
+++ b/policy/modules/admin/sosreport.te
+@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
+ # sosreport local policy
+ #
+
+-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
+ allow sosreport_t self:process { setsched signull };
+ allow sosreport_t self:fifo_file rw_fifo_file_perms;
+ allow sosreport_t self:tcp_socket create_stream_socket_perms;
@@ -74,13 +74,17 @@ files_read_all_symlinks(sosreport_t)
# for blkid.tab
files_manage_etc_runtime_files(sosreport_t)
@@ -4056,7 +3859,7 @@ index d5aaf0e..6b16aef 100644
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..90cf622 100644
+index 6a5004b..70d684a 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -4067,7 +3870,16 @@ index 6a5004b..90cf622 100644
application_domain(tmpreaper_t, tmpreaper_exec_t)
role system_r types tmpreaper_t;
-@@ -25,11 +26,16 @@ fs_getattr_xattr_fs(tmpreaper_t)
+@@ -18,6 +19,8 @@ role system_r types tmpreaper_t;
+ allow tmpreaper_t self:process { fork sigchld };
+ allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+
++kernel_read_system_state(tmpreaper_t)
++
+ dev_read_urand(tmpreaper_t)
+
+ fs_getattr_xattr_fs(tmpreaper_t)
+@@ -25,11 +28,16 @@ fs_getattr_xattr_fs(tmpreaper_t)
files_read_etc_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
@@ -4084,7 +3896,7 @@ index 6a5004b..90cf622 100644
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
-@@ -38,13 +44,17 @@ logging_send_syslog_msg(tmpreaper_t)
+@@ -38,13 +46,17 @@ logging_send_syslog_msg(tmpreaper_t)
miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
@@ -4106,7 +3918,7 @@ index 6a5004b..90cf622 100644
')
optional_policy(`
-@@ -52,7 +62,9 @@ optional_policy(`
+@@ -52,7 +64,9 @@ optional_policy(`
')
optional_policy(`
@@ -4116,7 +3928,7 @@ index 6a5004b..90cf622 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,9 +78,13 @@ optional_policy(`
+@@ -66,9 +80,13 @@ optional_policy(`
')
optional_policy(`
@@ -4382,7 +4194,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..cd9d876 100644
+index 441cf22..cc0406f 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -4393,7 +4205,7 @@ index 441cf22..cd9d876 100644
selinux_get_fs_mount(chfn_t)
selinux_validate_context(chfn_t)
-@@ -79,18 +80,18 @@ selinux_compute_create_context(chfn_t)
+@@ -79,25 +80,25 @@ selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@@ -4413,10 +4225,18 @@ index 441cf22..cd9d876 100644
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
-auth_use_nsswitch(chfn_t)
++auth_manage_passwd(chfn_t)
+auth_use_pam(chfn_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
+
+ domain_use_interactive_fds(chfn_t)
+
+-files_manage_etc_files(chfn_t)
+ files_read_etc_runtime_files(chfn_t)
+ files_dontaudit_search_var(chfn_t)
+ files_dontaudit_search_home(chfn_t)
@@ -105,6 +106,7 @@ files_dontaudit_search_home(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
@@ -4447,7 +4267,29 @@ index 441cf22..cd9d876 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -277,6 +283,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -203,8 +209,8 @@ init_dontaudit_write_utmp(groupadd_t)
+
+ domain_use_interactive_fds(groupadd_t)
+
+-files_manage_etc_files(groupadd_t)
+ files_relabel_etc_files(groupadd_t)
++files_read_etc_files(groupadd_t)
+ files_read_etc_runtime_files(groupadd_t)
+ files_read_usr_symlinks(groupadd_t)
+
+@@ -219,9 +225,10 @@ miscfiles_read_localization(groupadd_t)
+ auth_domtrans_chk_passwd(groupadd_t)
+ auth_rw_lastlog(groupadd_t)
+ auth_use_nsswitch(groupadd_t)
++auth_manage_passwd(groupadd_t)
++auth_manage_shadow(groupadd_t)
+ # these may be unnecessary due to the above
+ # domtrans_chk_passwd() call.
+-auth_manage_shadow(groupadd_t)
+ auth_relabel_shadow(groupadd_t)
+ auth_etc_filetrans_shadow(groupadd_t)
+
+@@ -277,6 +284,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
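Review bot: `files_relabel_etc_files(groupadd_t)` is kept even though `files_manage_etc_files(groupadd_t)` is replaced by `files_read_etc_files` plus `auth_manage_passwd`, so the narrowing is only partial if the relabel interface still covers generic /etc files. The same line stays for passwd_t, sysadm_passwd_t and useradd_t in the following hunks. If it is still required, a short comment naming the files that get relabelled would help. Separately, moving `auth_manage_shadow(groupadd_t)` above the comment `# these may be unnecessary due to the above` leaves that comment describing only `auth_relabel_shadow` and `auth_etc_filetrans_shadow`; check that this is the meaning wanted.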
@@ -4455,7 +4297,7 @@ index 441cf22..cd9d876 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -291,17 +298,19 @@ selinux_compute_create_context(passwd_t)
+@@ -291,26 +299,30 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -4465,6 +4307,7 @@ index 441cf22..cd9d876 100644
+term_getattr_all_ptys(passwd_t)
-auth_domtrans_chk_passwd(passwd_t)
++auth_manage_passwd(passwd_t)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
@@ -4479,7 +4322,9 @@ index 441cf22..cd9d876 100644
domain_use_interactive_fds(passwd_t)
-@@ -311,6 +320,8 @@ files_search_var(passwd_t)
+ files_read_etc_runtime_files(passwd_t)
+-files_manage_etc_files(passwd_t)
+ files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
files_relabel_etc_files(passwd_t)
@@ -4488,7 +4333,7 @@ index 441cf22..cd9d876 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -323,7 +334,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +335,7 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
@@ -4497,7 +4342,7 @@ index 441cf22..cd9d876 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -332,6 +343,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +344,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -4505,7 +4350,7 @@ index 441cf22..cd9d876 100644
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -381,8 +393,8 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,9 +394,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -4514,18 +4359,27 @@ index 441cf22..cd9d876 100644
+term_use_all_inherited_terms(sysadm_passwd_t)
+term_getattr_all_ptys(sysadm_passwd_t)
++auth_manage_passwd(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
-@@ -426,7 +438,7 @@ optional_policy(`
- # Useradd local policy
+ auth_etc_filetrans_shadow(sysadm_passwd_t)
+@@ -396,7 +410,6 @@ files_read_usr_files(sysadm_passwd_t)
+
+ domain_use_interactive_fds(sysadm_passwd_t)
+
+-files_manage_etc_files(sysadm_passwd_t)
+ files_relabel_etc_files(sysadm_passwd_t)
+ files_read_etc_runtime_files(sysadm_passwd_t)
+ # for nscd lookups
+@@ -427,6 +440,7 @@ optional_policy(`
#
--allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
+ allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
++
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -448,8 +460,12 @@ corecmd_exec_shell(useradd_t)
+@@ -448,10 +462,13 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -4536,9 +4390,11 @@ index 441cf22..cd9d876 100644
domain_read_all_domains_state(useradd_t)
+domain_dontaudit_read_all_domains_state(useradd_t)
- files_manage_etc_files(useradd_t)
+-files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -460,6 +476,7 @@ fs_search_auto_mountpoints(useradd_t)
+ files_relabel_etc_files(useradd_t)
+ files_read_etc_runtime_files(useradd_t)
+@@ -460,6 +477,7 @@ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
@@ -4546,7 +4402,7 @@ index 441cf22..cd9d876 100644
# Allow access to context for shadow file
selinux_get_fs_mount(useradd_t)
-@@ -469,8 +486,8 @@ selinux_compute_create_context(useradd_t)
+@@ -469,8 +487,8 @@ selinux_compute_create_context(useradd_t)
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
@@ -4557,7 +4413,15 @@ index 441cf22..cd9d876 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -498,21 +515,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -478,6 +496,7 @@ auth_rw_faillog(useradd_t)
+ auth_use_nsswitch(useradd_t)
+ # these may be unnecessary due to the above
+ # domtrans_chk_passwd() call.
++auth_manage_passwd(useradd_t)
+ auth_manage_shadow(useradd_t)
+ auth_relabel_shadow(useradd_t)
+ auth_etc_filetrans_shadow(useradd_t)
+@@ -498,21 +517,11 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -4851,10 +4715,10 @@ index 0000000..1553356
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..28cfa1d
+index 0000000..6c642a2
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,178 @@
+@@ -0,0 +1,180 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -4883,7 +4747,7 @@ index 0000000..28cfa1d
+#
+# chrome_sandbox local policy
+#
-+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:process setsched;
+allow chrome_sandbox_t self:fifo_file manage_file_perms;
@@ -4940,6 +4804,8 @@ index 0000000..28cfa1d
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
+userdom_search_user_home_content(chrome_sandbox_t)
++# This one we should figure a way to make it more secure
++userdom_manage_home_certs(chrome_sandbox_t)
+
+miscfiles_read_localization(chrome_sandbox_t)
+miscfiles_read_fonts(chrome_sandbox_t)
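Review bot: `userdom_manage_home_certs(chrome_sandbox_t)` gives the sandbox domain manage access to the user's certificate store, and the comment added with it already concedes the grant is too broad. A sandbox that can rewrite trust anchors or client certificates defeats much of the point of confining it. Elsewhere in this patch mozilla_plugin_t gets only `userdom_read_home_certs` plus `userdom_dontaudit_write_home_certs`. If chrome_sandbox_t only needs to read the store, use that pair here. If write access really is required, replace the vague comment with one that names the operation needing it, so the rule can be narrowed later.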
@@ -5034,11 +4900,15 @@ index 0000000..28cfa1d
+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
-index 37475dd..7db4a01 100644
+index 37475dd..6026789 100644
--- a/policy/modules/apps/cpufreqselector.te
+++ b/policy/modules/apps/cpufreqselector.te
-@@ -17,6 +17,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
- allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+@@ -14,9 +14,10 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
+ # cpufreq-selector local policy
+ #
+
+-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
++allow cpufreqselector_t self:capability sys_nice;
allow cpufreqselector_t self:process getsched;
allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
@@ -5525,6 +5395,19 @@ index 0000000..86b640d
+optional_policy(`
+ policykit_dbus_chat(firewallgui_t)
+')
+diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
+index ac4f509..4b7b763 100644
+--- a/policy/modules/apps/games.te
++++ b/policy/modules/apps/games.te
+@@ -166,7 +166,7 @@ userdom_manage_user_tmp_sockets(games_t)
+ # Suppress .icons denial until properly implemented
+ userdom_dontaudit_read_user_home_content_files(games_t)
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`', `
+ allow games_t self:process execmem;
+ ')
+
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 6e4add5..10a2ce4 100644
--- a/policy/modules/apps/gift.te
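Review bot: Putting `allow games_t self:process execmem;` in the else-branch of the `deny_execmem` tunable inverts the default. The old block granted execmem only when `allow_execmem` was switched on, while the new one grants it unless `deny_execmem` is switched on. Assuming `deny_execmem` ships off, as its declaration in this commit suggests, a host that kept `allow_execmem` off becomes more permissive after the update, and the old boolean setting is not carried over. The same pattern is used for mozilla_t, mozilla_plugin_t, mencoder_t, mplayer_t, thumb_t and the sandbox domains in later hunks. A comment above each block, for example `# execmem is granted by default; setting deny_execmem removes it`, and a release note about the renamed boolean would make the change visible to administrators.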
@@ -5591,10 +5474,10 @@ index 00a19e3..9f6139c 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..3f977fc 100644
+index f5afe78..deab06c 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,787 @@
+@@ -1,44 +1,786 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -5690,8 +5573,7 @@ index f5afe78..3f977fc 100644
+ auth_use_nsswitch($1_gkeyringd_t)
+
+ ps_process_pattern($3, $1_gkeyringd_t)
-+ allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
-+
++ allow $3 $1_gkeyringd_t:process signal_perms;
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
@@ -6401,7 +6283,7 @@ index f5afe78..3f977fc 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -46,37 +789,117 @@ interface(`gnome_role',`
+@@ -46,37 +788,117 @@ interface(`gnome_role',`
## </summary>
## </param>
#
@@ -6529,7 +6411,7 @@ index f5afe78..3f977fc 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +907,53 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +906,53 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -6594,7 +6476,7 @@ index f5afe78..3f977fc 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +961,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +960,17 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -6616,7 +6498,7 @@ index f5afe78..3f977fc 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +979,299 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +978,299 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -6933,7 +6815,7 @@ index f5afe78..3f977fc 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..c365443 100644
+index 2505654..45b4ca9 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0)
@@ -7021,7 +6903,7 @@ index 2505654..c365443 100644
+# gconf-defaults-mechanisms local policy
+#
+
-+allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace };
++allow gconfdefaultsm_t self:capability { dac_override sys_nice };
+allow gconfdefaultsm_t self:process getsched;
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
+
@@ -7070,7 +6952,7 @@ index 2505654..c365443 100644
+# gnome-system-monitor-mechanisms local policy
+#
+
-+allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
++allow gnomesystemmm_t self:capability sys_nice;
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(gnomesystemmm_t)
@@ -7506,7 +7388,7 @@ index 65ece18..6bfdfd3 100644
+/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0)
/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
-index 4f9dc90..8dc8a5f 100644
+index 4f9dc90..81a0fc6 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -18,9 +18,11 @@
@@ -7528,7 +7410,7 @@ index 4f9dc90..8dc8a5f 100644
+
+ domtrans_pattern($2, irssi_exec_t, irssi_t)
+
-+ allow $2 irssi_t:process { ptrace signal_perms };
++ allow $2 irssi_t:process signal_perms;
+ ps_process_pattern($2, irssi_t)
+
+ manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
@@ -7839,10 +7721,10 @@ index 0000000..cf65577
+')
diff --git a/policy/modules/apps/kde.te b/policy/modules/apps/kde.te
new file mode 100644
-index 0000000..6d0c9e3
+index 0000000..169421f
--- /dev/null
+++ b/policy/modules/apps/kde.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,40 @@
+policy_module(kde,1.0.0)
+
+########################################
@@ -7858,9 +7740,6 @@ index 0000000..6d0c9e3
+#
+# backlighthelper local policy
+#
-+
-+dontaudit kdebacklighthelper_t self:capability sys_ptrace;
-+
+allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(kdebacklighthelper_t)
@@ -7965,13 +7844,18 @@ index b2e27ec..c324f94 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te
-index a0be4ef..9fcc9df 100644
+index a0be4ef..a3d8afd 100644
--- a/policy/modules/apps/livecd.te
+++ b/policy/modules/apps/livecd.te
-@@ -21,15 +21,32 @@ files_tmp_file(livecd_tmp_t)
+@@ -20,16 +20,36 @@ files_tmp_file(livecd_tmp_t)
+
dontaudit livecd_t self:capability2 mac_admin;
- domain_ptrace_all_domains(livecd_t)
+-domain_ptrace_all_domains(livecd_t)
++tunable_policy(`deny_ptrace',`',`
++ domain_ptrace_all_domains(livecd_t)
++')
++
+domain_interactive_fd(livecd_t)
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
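Review bot: `domain_ptrace_all_domains(livecd_t)` stays in force by default because it sits in the else-branch of `deny_ptrace`, and nothing in the hunk says why livecd_t needs to trace every domain. The other modules in this commit drop their ptrace permission outright, so this is the one place where the broadest form of the permission survives. A comment such as `# livecd-creator traces processes in the image chroot; disabled when deny_ptrace is set` would record the reason (wording to be confirmed by the author). If the tool only needs to read process state, a narrower interface would be preferable.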
@@ -8018,10 +7902,19 @@ index b55edd0..7b8d952 100644
########################################
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
-index 2523758..50629a8 100644
+index 2523758..09669b6 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
-@@ -38,7 +38,7 @@ locallogin_use_fds(loadkeys_t)
+@@ -31,6 +31,8 @@ files_read_etc_runtime_files(loadkeys_t)
+ term_dontaudit_use_console(loadkeys_t)
+ term_use_unallocated_ttys(loadkeys_t)
+
++auth_read_passwd(loadkeys_t)
++
+ init_dontaudit_use_fds(loadkeys_t)
+ init_dontaudit_use_script_ptys(loadkeys_t)
+
+@@ -38,7 +40,7 @@ locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
@@ -8030,7 +7923,7 @@ index 2523758..50629a8 100644
userdom_list_user_home_content(loadkeys_t)
ifdef(`hide_broken_symptoms',`
-@@ -46,5 +46,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -46,5 +48,9 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -8052,18 +7945,21 @@ index 0bac996..ca2388d 100644
+userdom_use_inherited_user_terminals(lockdev_t)
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
-index 7b08e13..1fa8573 100644
+index 7b08e13..b2b83ad 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
-@@ -41,7 +41,6 @@ template(`mono_role_template',`
+@@ -40,16 +40,16 @@ template(`mono_role_template',`
+ domain_interactive_fd($1_mono_t)
application_type($1_mono_t)
- allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+- allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
-
- allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+- allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
++ allow $1_mono_t self:process { signal getsched execheap execmem execstack };
++ allow $3 $1_mono_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, mono_exec_t, $1_mono_t)
-@@ -49,7 +48,8 @@ template(`mono_role_template',`
+
fs_dontaudit_rw_tmpfs_files($1_mono_t)
corecmd_bin_domtrans($1_mono_t, $1_t)
@@ -8073,6 +7969,19 @@ index 7b08e13..1fa8573 100644
optional_policy(`
xserver_role($1_r, $1_mono_t)
+diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
+index dff0f12..ecab36d 100644
+--- a/policy/modules/apps/mono.te
++++ b/policy/modules/apps/mono.te
+@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
+ # Local policy
+ #
+
+-allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
++allow mono_t self:process { signal getsched execheap execmem execstack };
+
+ init_dbus_chat_script(mono_t)
+
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
index 93ac529..35b51ab 100644
--- a/policy/modules/apps/mozilla.fc
@@ -8108,7 +8017,7 @@ index 93ac529..35b51ab 100644
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..8fe4551 100644
+index fbb5c5a..b9b8ac2 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -8165,7 +8074,7 @@ index fbb5c5a..8fe4551 100644
+ allow mozilla_plugin_t $1:sem create_sem_perms;
+
+ ps_process_pattern($1, mozilla_plugin_t)
-+ allow $1 mozilla_plugin_t:process { ptrace signal_perms };
++ allow $1 mozilla_plugin_t:process signal_perms;
')
########################################
@@ -8261,7 +8170,7 @@ index fbb5c5a..8fe4551 100644
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..8768af4 100644
+index 2e9318b..69e2534 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -8304,7 +8213,7 @@ index 2e9318b..8768af4 100644
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
-@@ -165,7 +172,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -165,14 +172,18 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
@@ -8313,7 +8222,20 @@ index 2e9318b..8768af4 100644
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-@@ -262,6 +269,7 @@ optional_policy(`
+ xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+
+-tunable_policy(`allow_execmem',`
+- allow mozilla_t self:process { execmem execstack };
++tunable_policy(`allow_execstack',`
++ allow mozilla_t self:process execstack;
++')
++
++tunable_policy(`deny_execmem',`',`
++ allow mozilla_t self:process execmem;
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -262,6 +273,7 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
@@ -8321,7 +8243,7 @@ index 2e9318b..8768af4 100644
')
optional_policy(`
-@@ -278,7 +286,8 @@ optional_policy(`
+@@ -278,7 +290,8 @@ optional_policy(`
')
optional_policy(`
@@ -8331,12 +8253,12 @@ index 2e9318b..8768af4 100644
')
optional_policy(`
-@@ -296,16 +305,19 @@ optional_policy(`
+@@ -296,16 +309,19 @@ optional_policy(`
# mozilla_plugin local policy
#
-dontaudit mozilla_plugin_t self:capability { sys_ptrace };
-+dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_nice };
++dontaudit mozilla_plugin_t self:capability sys_nice;
+
allow mozilla_plugin_t self:process { setsched signal_perms execmem };
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
@@ -8355,7 +8277,7 @@ index 2e9318b..8768af4 100644
can_exec(mozilla_plugin_t, mozilla_home_t)
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-@@ -313,8 +325,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+@@ -313,8 +329,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -8368,7 +8290,7 @@ index 2e9318b..8768af4 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -332,11 +346,9 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -332,11 +350,9 @@ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -8382,7 +8304,7 @@ index 2e9318b..8768af4 100644
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,6 +356,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,6 +360,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
@@ -8392,7 +8314,7 @@ index 2e9318b..8768af4 100644
dev_read_rand(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
-@@ -385,13 +400,19 @@ term_getattr_all_ttys(mozilla_plugin_t)
+@@ -385,20 +404,26 @@ term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
@@ -8410,9 +8332,19 @@ index 2e9318b..8768af4 100644
+userdom_read_home_certs(mozilla_plugin_t)
+userdom_dontaudit_write_home_certs(mozilla_plugin_t)
- tunable_policy(`allow_execmem',`
- allow mozilla_plugin_t self:process { execmem execstack };
-@@ -425,7 +446,13 @@ optional_policy(`
+-tunable_policy(`allow_execmem',`
+- allow mozilla_plugin_t self:process { execmem execstack };
++tunable_policy(`deny_execmem',`', `
++ allow mozilla_plugin_t self:process execmem;
+ ')
+
+ tunable_policy(`allow_execstack',`
+- allow mozilla_plugin_t self:process { execstack };
++ allow mozilla_plugin_t self:process execstack;
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -425,7 +450,13 @@ optional_policy(`
')
optional_policy(`
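Review bot: The new `deny_execmem` block for mozilla_plugin_t has no effect, because the local policy a few hunks above still contains the unconditional `allow mozilla_plugin_t self:process { setsched signal_perms execmem };`. Turning the boolean on would therefore leave the plugin domain able to map writable-executable memory, which is the case the tunable is meant to cover. Change the unconditional rule to `allow mozilla_plugin_t self:process { setsched signal_perms };` so that execmem comes only from the conditional block.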
@@ -8426,7 +8358,7 @@ index 2e9318b..8768af4 100644
')
optional_policy(`
-@@ -438,7 +465,14 @@ optional_policy(`
+@@ -438,7 +469,14 @@ optional_policy(`
')
optional_policy(`
@@ -8442,7 +8374,7 @@ index 2e9318b..8768af4 100644
')
optional_policy(`
-@@ -446,10 +480,27 @@ optional_policy(`
+@@ -446,10 +484,27 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -8515,7 +8447,7 @@ index d8ea41d..8bdc526 100644
+ domtrans_pattern($1, mplayer_exec_t, $2)
+')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
-index 072a210..16ce654 100644
+index 072a210..8b1fa1b 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t)
@@ -8535,6 +8467,15 @@ index 072a210..16ce654 100644
# Handle removable media, /tmp, and /home
userdom_list_user_tmp(mencoder_t)
userdom_read_user_tmp_files(mencoder_t)
+@@ -91,7 +92,7 @@ ifndef(`enable_mls',`
+ fs_read_removable_symlinks(mencoder_t)
+ ')
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow mencoder_t self:process execmem;
+ ')
+
@@ -159,6 +160,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
@@ -8559,6 +8500,15 @@ index 072a210..16ce654 100644
# Read media files
userdom_list_user_tmp(mplayer_t)
userdom_read_user_tmp_files(mplayer_t)
+@@ -246,7 +252,7 @@ ifdef(`enable_mls',`',`
+ fs_read_removable_symlinks(mplayer_t)
+ ')
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow mplayer_t self:process execmem;
+ ')
+
@@ -305,7 +311,7 @@ optional_policy(`
')
@@ -8694,7 +8644,7 @@ index 0000000..22e6c96
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
new file mode 100644
-index 0000000..1925bd9
+index 0000000..fce899a
--- /dev/null
+++ b/policy/modules/apps/nsplugin.if
@@ -0,0 +1,472 @@
@@ -8793,7 +8743,7 @@ index 0000000..1925bd9
+ dontaudit nsplugin_t $2:shm destroy;
+ allow $2 nsplugin_t:sem rw_sem_perms;
+
-+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
++ allow $2 nsplugin_t:process { getattr signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
+
+ # Connect to pulseaudit server
@@ -9172,7 +9122,7 @@ index 0000000..1925bd9
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..f0773b4
+index 0000000..3b6b4cb
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
@@ -0,0 +1,335 @@
@@ -9232,7 +9182,7 @@ index 0000000..f0773b4
+#
+dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
+allow nsplugin_t self:fifo_file rw_file_perms;
-+allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
++allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
+
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
@@ -9522,7 +9472,7 @@ index 0000000..4428be4
+
diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if
new file mode 100644
-index 0000000..0578e7c
+index 0000000..792bf9c
--- /dev/null
+++ b/policy/modules/apps/openoffice.if
@@ -0,0 +1,124 @@
@@ -9597,7 +9547,7 @@ index 0000000..0578e7c
+
+ allow $1_openoffice_t self:process { getsched sigkill execmem execstack };
+
-+ allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
++ allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh };
+ allow $1_openoffice_t $3:tcp_socket { read write };
+
+ domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
@@ -9672,6 +9622,20 @@ index 0000000..a842371
+# Unconfined java local policy
+#
+
+diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
+index ccc15ab..9f88c3a 100644
+--- a/policy/modules/apps/podsleuth.te
++++ b/policy/modules/apps/podsleuth.te
+@@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t)
+ # podsleuth local policy
+ #
+ allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
++allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
++
+ allow podsleuth_t self:fifo_file rw_file_perms;
+ allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+ allow podsleuth_t self:sem create_sem_perms;
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
index 84f23dc..af5b87d 100644
--- a/policy/modules/apps/pulseaudio.fc
@@ -9688,21 +9652,20 @@ index 84f23dc..af5b87d 100644
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
-index f40c64d..a08cb82 100644
+index f40c64d..aa9e8e2 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
-@@ -35,6 +35,10 @@ interface(`pulseaudio_role',`
+@@ -35,6 +35,9 @@ interface(`pulseaudio_role',`
allow pulseaudio_t $2:unix_stream_socket connectto;
allow $2 pulseaudio_t:unix_stream_socket connectto;
-+ userdom_manage_home_role($1, pulseaudio_t)
+ userdom_manage_tmp_role($1, pulseaudio_t)
+ userdom_manage_tmpfs_role($1, pulseaudio_t)
+
allow $2 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
-@@ -257,4 +261,66 @@ interface(`pulseaudio_manage_home_files',`
+@@ -257,4 +260,66 @@ interface(`pulseaudio_manage_home_files',`
userdom_search_user_home_dirs($1)
manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
@@ -9770,7 +9733,7 @@ index f40c64d..a08cb82 100644
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index d1eace5..8522ab4 100644
+index d1eace5..5314e57 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -9801,7 +9764,7 @@ index d1eace5..8522ab4 100644
auth_use_nsswitch(pulseaudio_t)
-@@ -94,10 +95,9 @@ logging_send_syslog_msg(pulseaudio_t)
+@@ -94,10 +95,29 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
@@ -9809,13 +9772,33 @@ index d1eace5..8522ab4 100644
-userdom_manage_user_home_content_files(pulseaudio_t)
-userdom_manage_user_tmp_files(pulseaudio_t)
-userdom_manage_user_tmpfs_files(pulseaudio_t)
++tunable_policy(`use_nfs_home_dirs',`
++ fs_mount_nfs(pulseaudio_t)
++ fs_mounton_nfs(pulseaudio_t)
++ fs_manage_nfs_dirs(pulseaudio_t)
++ fs_manage_nfs_files(pulseaudio_t)
++ fs_manage_nfs_symlinks(pulseaudio_t)
++ fs_manage_nfs_named_sockets(pulseaudio_t)
++ fs_manage_nfs_named_pipes(pulseaudio_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_mount_cifs(pulseaudio_t)
++ fs_mounton_cifs(pulseaudio_t)
++ fs_manage_cifs_dirs(pulseaudio_t)
++ fs_manage_cifs_files(pulseaudio_t)
++ fs_manage_cifs_symlinks(pulseaudio_t)
++ fs_manage_cifs_named_sockets(pulseaudio_t)
++ fs_manage_cifs_named_pipes(pulseaudio_t)
++')
++
+optional_policy(`
+ alsa_read_rw_config(pulseaudio_t)
+')
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
-@@ -127,10 +127,24 @@ optional_policy(`
+@@ -127,10 +147,24 @@ optional_policy(`
')
optional_policy(`
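Review bot: The `use_nfs_home_dirs` and `use_samba_home_dirs` blocks give pulseaudio_t `fs_mount_nfs`/`fs_mounton_nfs` and `fs_mount_cifs`/`fs_mounton_cifs`, which goes well beyond reaching files in a network-mounted home directory. The rules being replaced only managed user home, tmp and tmpfs content, and an audio daemon should have no reason to mount filesystems. Unless a specific denial justifies them, drop the four mount and mounton calls and keep only the `fs_manage_*` lines. If named sockets and pipes on the share are not needed either, those can go too. If any of these are required, a comment naming the use case would help later review.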
@@ -9840,7 +9823,7 @@ index d1eace5..8522ab4 100644
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
-@@ -148,3 +162,7 @@ optional_policy(`
+@@ -148,3 +182,7 @@ optional_policy(`
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -10030,10 +10013,20 @@ index 268d691..da3a26d 100644
+ domain_entry_file($1, qemu_exec_t)
+')
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
-index 1813e16..50a3a34 100644
+index 1813e16..606d712 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
-@@ -55,6 +55,7 @@ storage_raw_read_removable_device(qemu_t)
+@@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true)
+ ## </desc>
+ gen_tunable(qemu_use_usb, true)
+
+-type qemu_exec_t;
+ virt_domain_template(qemu)
+-application_domain(qemu_t, qemu_exec_t)
+ role system_r types qemu_t;
+
+ ########################################
+@@ -55,6 +53,7 @@ storage_raw_read_removable_device(qemu_t)
userdom_search_user_home_content(qemu_t)
userdom_read_user_tmpfs_files(qemu_t)
@@ -10041,7 +10034,7 @@ index 1813e16..50a3a34 100644
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
-@@ -99,6 +100,13 @@ optional_policy(`
+@@ -99,6 +98,13 @@ optional_policy(`
')
optional_policy(`
@@ -10055,7 +10048,7 @@ index 1813e16..50a3a34 100644
virt_manage_images(qemu_t)
virt_append_log(qemu_t)
')
-@@ -111,18 +119,3 @@ optional_policy(`
+@@ -111,18 +117,3 @@ optional_policy(`
xserver_read_xdm_pid(qemu_t)
xserver_stream_connect(qemu_t)
')
@@ -10488,10 +10481,10 @@ index 0000000..809784d
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..5e75113
+index 0000000..76dbb45
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,488 @@
+@@ -0,0 +1,501 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -10534,7 +10527,12 @@ index 0000000..5e75113
+#
+# sandbox xserver policy
+#
-+allow sandbox_xserver_t self:process { execmem execstack };
++allow sandbox_xserver_t self:process execstack;
++
++tunable_policy(`deny_execmem',`',`
++ allow sandbox_xserver_t self:process execmem;
++')
++
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
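Review bot: `execstack` remains unconditional for sandbox_xserver_t while `execmem` moves behind `deny_execmem`, which is inconsistent with mozilla.te in this same commit, where `execstack` is gated by the `allow_execstack` tunable. The sandbox_domain and sandbox_x_domain hunks that follow have the same split. For domains whose purpose is to contain untrusted content, an always-on executable stack is the less defensible of the two permissions. Consider wrapping it in the `allow_execstack` tunable, with `allow sandbox_xserver_t self:process execstack;` as the body, or add a comment explaining why the sandbox X server needs it unconditionally.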
@@ -10613,7 +10611,11 @@ index 0000000..5e75113
+# sandbox local policy
+#
+
-+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
++allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
++tunable_policy(`deny_execmem',`',`
++ allow sandbox_domain self:process execmem;
++')
++
+allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:sem create_sem_perms;
+allow sandbox_domain self:shm create_shm_perms;
@@ -10662,7 +10664,11 @@ index 0000000..5e75113
+#
+# sandbox_x_domain local policy
+#
-+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
++tunable_policy(`deny_execmem',`',`
++ allow sandbox_x_domain self:process execmem;
++')
++
+allow sandbox_x_domain self:fifo_file manage_file_perms;
+allow sandbox_x_domain self:sem create_sem_perms;
+allow sandbox_x_domain self:shm create_shm_perms;
@@ -11923,10 +11929,10 @@ index 0000000..5554dc9
+
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..b4001f1
+index 0000000..01584ce
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,76 @@
+@@ -0,0 +1,81 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -11948,7 +11954,12 @@ index 0000000..b4001f1
+# thumb local policy
+#
+
-+allow thumb_t self:process { setsched signal setrlimit execmem };
++allow thumb_t self:process { setsched signal setrlimit };
++
++tunable_policy(`deny_execmem',`',`
++ allow thumb_t self:process execmem;
++')
++
+allow thumb_t self:fifo_file manage_fifo_file_perms;
+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
+allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
@@ -12016,10 +12027,35 @@ index 11fe4f2..98bfbf3 100644
userdom_read_user_home_content_files(tvtime_t)
# X access, Home files
+diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
+index d2ab7cb..ddb34f1 100644
+--- a/policy/modules/apps/uml.if
++++ b/policy/modules/apps/uml.if
+@@ -31,9 +31,9 @@ interface(`uml_role',`
+ allow $2 uml_t:unix_dgram_socket sendto;
+ allow uml_t $2:unix_dgram_socket sendto;
+
+- # allow ps, ptrace, signal
++ # allow ps, signal
+ ps_process_pattern($2, uml_t)
+- allow $2 uml_t:process { ptrace signal_perms };
++ allow $2 uml_t:process signal_perms;
+
+ allow $2 uml_ro_t:dir list_dir_perms;
+ read_files_pattern($2, uml_ro_t, uml_ro_t)
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
-index 2df1343..7a11f39 100644
+index 2df1343..c716960 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
+@@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t)
+ #
+
+ allow uml_t self:fifo_file rw_fifo_file_perms;
+-allow uml_t self:process { signal_perms ptrace };
++allow uml_t self:process signal_perms;
+ allow uml_t self:unix_stream_socket create_stream_socket_perms;
+ allow uml_t self:unix_dgram_socket create_socket_perms;
+ # Use the network.
@@ -134,7 +134,7 @@ seutil_use_newrole_fds(uml_t)
# Use the network.
sysnet_read_config(uml_t)
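Review bot: The `ptrace` permission is removed unconditionally in the uml.if and uml.te sections (`allow $2 uml_t:process signal_perms;` and `allow uml_t self:process signal_perms;`), while abrt_admin, accountsd_admin and unconfined_domain_type in this same commit keep it behind the `deny_ptrace` tunable. User-mode Linux, as far as I know, relies on ptrace between its own processes, so uml_t may stop working in enforcing mode even with `deny_ptrace` off. If the removal is deliberate, record it with a comment such as `# ptrace intentionally not granted; not controlled by deny_ptrace`; otherwise wrap `allow uml_t self:process ptrace;` in the same tunable block used elsewhere. The same unconditional removal appears in the wine_role_template hunk and in the kern_unconfined rule in kernel.te.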
@@ -12253,16 +12289,35 @@ index 13b2cea..8ce8577 100644
+ files_search_mnt(consolehelper_domain)
+ fs_search_cifs(consolehelper_domain)
+')
+diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
+index ba9b9d6..09ae47c 100644
+--- a/policy/modules/apps/usernetctl.if
++++ b/policy/modules/apps/usernetctl.if
+@@ -47,10 +47,6 @@ interface(`usernetctl_run',`
+ sysnet_run_dhcpc(usernetctl_t, $2)
+
+ optional_policy(`
+- consoletype_run(usernetctl_t, $2)
+- ')
+-
+- optional_policy(`
+ iptables_run(usernetctl_t, $2)
+ ')
+
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
-index 9586818..f938024 100644
+index 9586818..93edd6b 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
-@@ -58,7 +58,7 @@ seutil_read_config(usernetctl_t)
+@@ -58,7 +58,11 @@ seutil_read_config(usernetctl_t)
sysnet_read_config(usernetctl_t)
-userdom_use_user_terminals(usernetctl_t)
+userdom_use_inherited_user_terminals(usernetctl_t)
++
++optional_policy(`
++ consoletype_exec(usernetctl_t)
++')
optional_policy(`
hostname_exec(usernetctl_t)
@@ -12294,9 +12349,18 @@ index f647c7e..252468a 100644
/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
-index 23066a1..6aff330 100644
+index 23066a1..dc73652 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
+@@ -72,7 +72,7 @@ ifdef(`enable_mcs',`
+ # VMWare host local policy
+ #
+
+-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
++allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override };
+ dontaudit vmware_host_t self:capability sys_tty_config;
+ allow vmware_host_t self:process { execstack execmem signal_perms };
+ allow vmware_host_t self:fifo_file rw_fifo_file_perms;
@@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t)
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
@@ -12412,7 +12476,7 @@ index 9d24449..2666317 100644
/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
-index f9a73d0..e10101a 100644
+index f9a73d0..00a98f1 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -29,12 +29,16 @@
@@ -12450,7 +12514,13 @@ index f9a73d0..e10101a 100644
type wine_exec_t;
')
-@@ -101,7 +105,7 @@ template(`wine_role_template',`
+@@ -96,12 +100,12 @@ template(`wine_role_template',`
+ role $2 types $1_wine_t;
+
+ allow $1_wine_t self:process { execmem execstack };
+- allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
++ allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
+ domtrans_pattern($3, wine_exec_t, $1_wine_t)
corecmd_bin_domtrans($1_wine_t, $1_t)
userdom_unpriv_usertype($1, $1_wine_t)
@@ -12902,6 +12972,19 @@ index 9e9263a..650e796 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
+diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
+index 23a1c3c..9527971 100644
+--- a/policy/modules/kernel/corecommands.te
++++ b/policy/modules/kernel/corecommands.te
+@@ -13,7 +13,7 @@ attribute exec_type;
+ #
+ # bin_t is the type of files in the system bin/sbin directories.
+ #
+-type bin_t alias { ls_exec_t sbin_t };
++type bin_t alias { ls_exec_t sbin_t java_exec_t execmem_exec_t mono_exec_t };
+ corecmd_executable_file(bin_t)
+ dev_associate(bin_t) #For /dev/MAKEDEV
+
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 4f3b542..cf422f4 100644
--- a/policy/modules/kernel/corenetwork.if.in
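Review bot: Declaring `java_exec_t`, `execmem_exec_t` and `mono_exec_t` as aliases of `bin_t` means any rule in another module that still names one of those types now applies to every file labelled bin_t. That widening is not apparent at the declaration, and the modules that reference these names are not visible in this hunk. I would add a comment above the line, for example `# java_exec_t, execmem_exec_t and mono_exec_t are kept only as aliases of bin_t; rules naming them now match all of bin_t`, and check the remaining users of those names for entrypoint or transition rules that were written for the narrower type.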
@@ -14064,7 +14147,7 @@ index 4f3b542..cf422f4 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..ff28a20 100644
+index 99b71cb..1541989 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -14212,7 +14295,7 @@ index 99b71cb..ff28a20 100644
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(jabber_router, tcp,5347,s0)
-+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 18001, s0)
++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
@@ -16078,7 +16161,7 @@ index 6a1e4d1..3ded83e 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..a60d2f8 100644
+index fae1ab1..f9a1bcc 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -16162,16 +16245,22 @@ index fae1ab1..a60d2f8 100644
')
########################################
-@@ -143,6 +178,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+@@ -143,8 +178,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+
# Act upon any other process.
- allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
+-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
++allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
++tunable_policy(`deny_ptrace',`',`
++ allow unconfined_domain_type domain:process ptrace;
++')
-@@ -158,5 +195,215 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+ # Create/access any System V IPC objects.
+ allow unconfined_domain_type domain:{ sem msgq shm } *;
+@@ -158,5 +198,217 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -16259,6 +16348,7 @@ index fae1ab1..a60d2f8 100644
+
+optional_policy(`
+ userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
++ userdom_filetrans_home_content(unconfined_domain_type)
+')
+
+optional_policy(`
@@ -16387,6 +16477,7 @@ index fae1ab1..a60d2f8 100644
+')
+
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
++dontaudit domain self:capability sys_ptrace;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c19518a..12e8e9c 100644
--- a/policy/modules/kernel/files.fc
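Review bot: `dontaudit domain self:capability sys_ptrace;` suppresses the AVC denial for every domain, so once this commit takes sys_ptrace away from dbadm_t, logadm_t, webadm_t and vmware_host_t, a refused check leaves no audit record unless dontaudit rules are disabled. That removes detection visibility for the very permission being restricted. If the rule exists to hide benign noise, state the source in a comment such as `# hide sys_ptrace denials from tools that only read other processes' /proc entries`, or limit the dontaudit to the domains known to generate it rather than the whole `domain` attribute.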
@@ -19215,7 +19306,7 @@ index 6346378..8c500cd 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..c857dc0 100644
+index d91c62f..8852535 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,12 @@
@@ -19248,7 +19339,20 @@ index d91c62f..c857dc0 100644
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -242,11 +252,14 @@ dev_search_usbfs(kernel_t)
+@@ -181,7 +191,11 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+ # kernel local policy
+ #
+
+-allow kernel_t self:capability *;
++allow kernel_t self:capability ~{ sys_ptrace };
++tunable_policy(`deny_ptrace',`',`
++ allow kernel_t self:capability sys_ptrace;
++')
++
+ allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow kernel_t self:shm create_shm_perms;
+ allow kernel_t self:sem create_sem_perms;
+@@ -242,11 +256,14 @@ dev_search_usbfs(kernel_t)
# devtmpfs handling:
dev_create_generic_dirs(kernel_t)
dev_delete_generic_dirs(kernel_t)
@@ -19267,7 +19371,7 @@ index d91c62f..c857dc0 100644
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
-@@ -255,7 +268,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -255,7 +272,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@@ -19277,7 +19381,7 @@ index d91c62f..c857dc0 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -269,25 +283,47 @@ files_list_root(kernel_t)
+@@ -269,25 +287,47 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -19325,7 +19429,7 @@ index d91c62f..c857dc0 100644
')
optional_policy(`
-@@ -297,6 +333,19 @@ optional_policy(`
+@@ -297,6 +337,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@@ -19345,7 +19449,7 @@ index d91c62f..c857dc0 100644
')
optional_policy(`
-@@ -334,9 +383,7 @@ optional_policy(`
+@@ -334,9 +387,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -19356,7 +19460,7 @@ index d91c62f..c857dc0 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -345,7 +392,7 @@ optional_policy(`
+@@ -345,7 +396,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -19365,7 +19469,7 @@ index d91c62f..c857dc0 100644
')
')
-@@ -358,6 +405,15 @@ optional_policy(`
+@@ -358,6 +409,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -19381,10 +19485,12 @@ index d91c62f..c857dc0 100644
########################################
#
# Unlabeled process local policy
-@@ -387,3 +443,16 @@ allow kern_unconfined unlabeled_t:filesystem *;
+@@ -386,4 +446,17 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+ allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
- allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
+-allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
++allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
+
+gen_require(`
+ bool secure_mode_insmod;
@@ -21018,9 +21124,18 @@ index 0faef68..4264c9c 100644
consoletype_exec(auditadm_t)
')
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
-index 1875064..e9c9277 100644
+index 1875064..2adc35f 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
+@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm)
+ # database admin local policy
+ #
+
+-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
++allow dbadm_t self:capability { dac_override dac_read_search };
+
+ files_dontaudit_search_all_dirs(dbadm_t)
+ files_delete_generic_locks(dbadm_t)
@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
selinux_get_enforce_mode(dbadm_t)
@@ -21058,6 +21173,18 @@ index 1cb7311..1de82b2 100644
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
+diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
+index 3a45a3e..6b08160 100644
+--- a/policy/modules/roles/logadm.te
++++ b/policy/modules/roles/logadm.te
+@@ -14,6 +14,5 @@ userdom_base_user_template(logadm)
+ # logadmin local policy
+ #
+
+-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+-
++allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
+ logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index be4de58..7e8b6ec 100644
--- a/policy/modules/roles/secadm.te
@@ -21082,7 +21209,7 @@ index be4de58..7e8b6ec 100644
init_exec(secadm_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..e47e0f0 100644
+index 2be17d2..cfea862 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@@ -21304,7 +21431,18 @@ index 2be17d2..e47e0f0 100644
xserver_role(staff_r, staff_t)
')
-@@ -89,18 +262,10 @@ ifndef(`distro_redhat',`
+@@ -61,6 +234,10 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ blueman_dbus_chat(staff_t)
++ ')
++
++ optional_policy(`
+ bluetooth_role(staff_r, staff_t)
+ ')
+
+@@ -89,18 +266,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21323,7 +21461,7 @@ index 2be17d2..e47e0f0 100644
java_role(staff_r, staff_t)
')
-@@ -121,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +290,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21334,7 +21472,7 @@ index 2be17d2..e47e0f0 100644
pyzor_role(staff_r, staff_t)
')
-@@ -137,10 +298,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +302,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21345,7 +21483,7 @@ index 2be17d2..e47e0f0 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +329,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +333,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -21354,10 +21492,24 @@ index 2be17d2..e47e0f0 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..c6aa0bc 100644
+index e14b961..0d1af63 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,52 @@ ifndef(`enable_mls',`
+@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
+ # Declarations
+ #
+
+-## <desc>
+-## <p>
+-## Allow sysadm to debug or ptrace all processes.
+-## </p>
+-## </desc>
+-gen_tunable(allow_ptrace, false)
+-
+ role sysadm_r;
+
+ userdom_admin_user_template(sysadm)
+@@ -24,20 +17,52 @@ ifndef(`enable_mls',`
#
# Local policy
#
@@ -21410,15 +21562,19 @@ index e14b961..c6aa0bc 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,6 +87,7 @@ ifndef(`enable_mls',`
+@@ -55,9 +80,10 @@ ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
+ logging_stream_connect_syslog(sysadm_t)
')
- tunable_policy(`allow_ptrace',`
-@@ -67,9 +100,9 @@ optional_policy(`
+-tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(sysadm_t)
+ ')
+
+@@ -67,9 +93,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
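Review bot: Switching the block around `domain_ptrace_all_domains(sysadm_t)` from `allow_ptrace` to the else-branch of `deny_ptrace` flips the shipped default. The removed tunable was `gen_tunable(allow_ptrace, false)`, so sysadm_t could not ptrace other domains unless the boolean was turned on. The new one is `gen_tunable(deny_ptrace, false)`, so sysadm_t can ptrace every domain until an administrator sets it. The description carried over into global_tunables still reads "Allow sysadm to debug or ptrace all processes", which now says the opposite of what the boolean does. I would reword it along the lines of `## Deny all domains the ability to ptrace or debug other processes.` and mention the default change in the changelog so existing systems that relied on allow_ptrace=off know to enable deny_ptrace.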
@@ -21429,7 +21585,7 @@ index e14b961..c6aa0bc 100644
')
optional_policy(`
-@@ -98,6 +131,10 @@ optional_policy(`
+@@ -98,6 +124,10 @@ optional_policy(`
')
optional_policy(`
@@ -21440,19 +21596,20 @@ index e14b961..c6aa0bc 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -110,11 +147,19 @@ optional_policy(`
+@@ -110,11 +140,19 @@ optional_policy(`
')
optional_policy(`
+- consoletype_run(sysadm_t, sysadm_r)
+ cron_admin_role(sysadm_r, sysadm_t)
-+')
-+
-+optional_policy(`
- consoletype_run(sysadm_t, sysadm_r)
')
optional_policy(`
- cvs_exec(sysadm_t)
++ consoletype_exec(sysadm_t)
++')
++
++optional_policy(`
+ daemonstools_run_start(sysadm_t, sysadm_r)
+')
+
@@ -21461,7 +21618,7 @@ index e14b961..c6aa0bc 100644
')
optional_policy(`
-@@ -128,6 +173,10 @@ optional_policy(`
+@@ -128,6 +166,10 @@ optional_policy(`
')
optional_policy(`
@@ -21472,7 +21629,7 @@ index e14b961..c6aa0bc 100644
dmesg_exec(sysadm_t)
')
-@@ -163,6 +212,13 @@ optional_policy(`
+@@ -163,6 +205,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -21486,7 +21643,7 @@ index e14b961..c6aa0bc 100644
')
optional_policy(`
-@@ -170,15 +226,20 @@ optional_policy(`
+@@ -170,15 +219,20 @@ optional_policy(`
')
optional_policy(`
@@ -21510,7 +21667,7 @@ index e14b961..c6aa0bc 100644
')
optional_policy(`
-@@ -198,22 +259,20 @@ optional_policy(`
+@@ -198,22 +252,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -21539,7 +21696,7 @@ index e14b961..c6aa0bc 100644
')
optional_policy(`
-@@ -225,25 +284,47 @@ optional_policy(`
+@@ -225,25 +277,47 @@ optional_policy(`
')
optional_policy(`
@@ -21587,7 +21744,7 @@ index e14b961..c6aa0bc 100644
portage_run(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')
-@@ -253,31 +334,32 @@ optional_policy(`
+@@ -253,31 +327,32 @@ optional_policy(`
')
optional_policy(`
@@ -21627,7 +21784,7 @@ index e14b961..c6aa0bc 100644
')
optional_policy(`
-@@ -302,12 +384,18 @@ optional_policy(`
+@@ -302,12 +377,18 @@ optional_policy(`
')
optional_policy(`
@@ -21647,7 +21804,7 @@ index e14b961..c6aa0bc 100644
')
optional_policy(`
-@@ -332,7 +420,10 @@ optional_policy(`
+@@ -332,7 +413,10 @@ optional_policy(`
')
optional_policy(`
@@ -21659,7 +21816,7 @@ index e14b961..c6aa0bc 100644
')
optional_policy(`
-@@ -343,19 +434,15 @@ optional_policy(`
+@@ -343,19 +427,15 @@ optional_policy(`
')
optional_policy(`
@@ -21681,7 +21838,7 @@ index e14b961..c6aa0bc 100644
')
optional_policy(`
-@@ -367,45 +454,45 @@ optional_policy(`
+@@ -367,45 +447,45 @@ optional_policy(`
')
optional_policy(`
@@ -21738,7 +21895,7 @@ index e14b961..c6aa0bc 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -418,10 +505,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +498,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21749,7 +21906,7 @@ index e14b961..c6aa0bc 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -439,6 +522,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +515,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -21757,7 +21914,7 @@ index e14b961..c6aa0bc 100644
')
optional_policy(`
-@@ -446,11 +530,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +523,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -22536,10 +22693,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..4163dc5
+index 0000000..4ce2685
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,442 @@
+@@ -0,0 +1,401 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -22646,11 +22803,11 @@ index 0000000..4163dc5
+usermanage_run_passwd(unconfined_t, unconfined_r)
+usermanage_run_chfn(unconfined_t, unconfined_r)
+
-+tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow unconfined_t self:process execmem;
+')
+
-+tunable_policy(`allow_execmem && allow_execstack',`
++tunable_policy(`allow_execstack',`
+ allow unconfined_t self:process execstack;
+')
+
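Review bot: The condition guarding `allow unconfined_t self:process execstack;` changes from `allow_execmem && allow_execstack` to `allow_execstack` alone, so the execstack grant no longer follows the execmem setting. With deny_execmem on and allow_execstack on, unconfined_t keeps execstack in policy. If the two are meant to stay coupled, the condition would be `allow_execstack && !deny_execmem`. If they are intentionally independent, a one-line comment saying so above the block would prevent someone from assuming deny_execmem also covers executable stacks.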
@@ -22688,6 +22845,10 @@ index 0000000..4163dc5
+ ')
+
+ optional_policy(`
++ blueman_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
+ certmonger_dbus_chat(unconfined_usertype)
+ ')
+
@@ -22767,7 +22928,6 @@ index 0000000..4163dc5
+
+ optional_policy(`
+ unconfined_domain(unconfined_dbusd_t)
-+ unconfined_execmem_domtrans(unconfined_dbusd_t)
+
+ optional_policy(`
+ xserver_rw_shm(unconfined_dbusd_t)
@@ -22902,7 +23062,6 @@ index 0000000..4163dc5
+ ')
+
+ samba_role_notrans(unconfined_r)
-+# samba_run_winbind_helper(unconfined_t, unconfined_r)
+ samba_run_smbcontrol(unconfined_t, unconfined_r)
+')
+
@@ -22937,53 +23096,10 @@ index 0000000..4163dc5
+ xserver_manage_home_fonts(unconfined_t)
+')
+
-+########################################
-+#
-+# Unconfined Execmem Local policy
-+#
-+
-+optional_policy(`
-+ execmem_role_template(unconfined, unconfined_r, unconfined_t)
-+ typealias unconfined_execmem_t alias execmem_t;
-+ typealias unconfined_execmem_t alias unconfined_openoffice_t;
-+ unconfined_domain_noaudit(unconfined_execmem_t)
-+ allow unconfined_execmem_t unconfined_t:process transition;
-+ rpm_transition_script(unconfined_execmem_t)
-+ role system_r types unconfined_execmem_t;
-+
-+ optional_policy(`
-+ init_dbus_chat_script(unconfined_execmem_t)
-+ dbus_system_bus_client(unconfined_execmem_t)
-+ unconfined_dbus_chat(unconfined_execmem_t)
-+ unconfined_dbus_connect(unconfined_execmem_t)
-+ ')
-+
-+ optional_policy(`
-+ tunable_policy(`allow_unconfined_nsplugin_transition',`', `
-+ nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
-+ ')
-+ ')
-+
-+ optional_policy(`
-+ tunable_policy(`unconfined_login',`
-+ mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
-+ ')
-+ ')
-+
-+ optional_policy(`
-+ openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
-+ ')
-+')
-+
-+########################################
-+#
-+# Unconfined mount local policy
-+#
-+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..cd87e46 100644
+index e5bfdd4..9db5ebd 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,15 +12,97 @@ role user_r;
@@ -23084,7 +23200,18 @@ index e5bfdd4..cd87e46 100644
vlock_run(user_t, user_r)
')
-@@ -62,19 +144,11 @@ ifndef(`distro_redhat',`
+@@ -34,6 +116,10 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ blueman_dbus_chat(staff_t)
++ ')
++
++ optional_policy(`
+ bluetooth_role(user_r, user_t)
+ ')
+
+@@ -62,19 +148,11 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -23105,7 +23232,7 @@ index e5bfdd4..cd87e46 100644
')
optional_policy(`
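Review bot: The optional block added to unprivuser.te calls `blueman_dbus_chat(staff_t)`, but this module defines the user_r/user_t role and the neighbouring call is `bluetooth_role(user_r, user_t)`, so the line looks copied from staff.te. As written, user_t gets no blueman D-Bus access and the block refers to a type that this module does not appear to declare. The line should read `blueman_dbus_chat(user_t)`. The enclosing `ifndef` block starts and ends outside the hunk.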
-@@ -98,10 +172,6 @@ ifndef(`distro_redhat',`
+@@ -98,10 +176,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -23116,7 +23243,7 @@ index e5bfdd4..cd87e46 100644
postgresql_role(user_r, user_t)
')
-@@ -118,11 +188,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +192,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -23129,15 +23256,24 @@ index e5bfdd4..cd87e46 100644
')
optional_policy(`
-@@ -157,3 +223,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +227,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
+
diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
-index 0ecc786..dbf2710 100644
+index 0ecc786..3e7e984 100644
--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
+@@ -28,7 +28,7 @@ userdom_base_user_template(webadm)
+ # webadmin local policy
+ #
+
+-allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
++allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
+
+ files_dontaudit_search_all_dirs(webadm_t)
+ files_manage_generic_locks(webadm_t)
@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
seutil_domtrans_setfiles(webadm_t)
@@ -23147,7 +23283,7 @@ index 0ecc786..dbf2710 100644
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..1cd57fd 100644
+index e88b95f..b1ea76e 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -23181,7 +23317,7 @@ index e88b95f..1cd57fd 100644
ifndef(`enable_mls',`
fs_exec_noxattr(xguest_t)
-@@ -49,11 +49,23 @@ ifndef(`enable_mls',`
+@@ -49,11 +49,22 @@ ifndef(`enable_mls',`
')
')
@@ -23190,7 +23326,6 @@ index e88b95f..1cd57fd 100644
+ mount_dontaudit_exec_fusermount(xguest_t)
+')
+
-+allow xguest_t self:process execmem;
+kernel_dontaudit_request_load_module(xguest_t)
+
+tunable_policy(`allow_execstack',`
@@ -23206,7 +23341,7 @@ index e88b95f..1cd57fd 100644
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -62,10 +74,9 @@ optional_policy(`
+@@ -62,10 +73,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
@@ -23218,7 +23353,7 @@ index e88b95f..1cd57fd 100644
')
')
-@@ -76,23 +87,102 @@ optional_policy(`
+@@ -76,23 +86,98 @@ optional_policy(`
')
optional_policy(`
@@ -23236,17 +23371,14 @@ index e88b95f..1cd57fd 100644
+
+optional_policy(`
+ gnome_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
+optional_policy(`
-+ java_role_template(xguest, xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ mono_role_template(xguest, xguest_r, xguest_t)
+')
+
@@ -23256,10 +23388,9 @@ index e88b95f..1cd57fd 100644
+
+optional_policy(`
+ nsplugin_role(xguest_r, xguest_t)
- ')
-
- optional_policy(`
-- mozilla_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
+ pcscd_read_pub_files(xguest_usertype)
+ pcscd_stream_connect(xguest_usertype)
+')
@@ -23308,7 +23439,7 @@ index e88b95f..1cd57fd 100644
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
-+ ')
+ ')
+
+ #optional_policy(`
+ # telepathy_dbus_session_role(xguest_r, xguest_t)
@@ -23318,7 +23449,7 @@ index e88b95f..1cd57fd 100644
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
- ')
++ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
@@ -23368,7 +23499,7 @@ index 1bd5812..0d7d8d1 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..b2d6129 100644
+index 0b827c5..d83d4dc 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -23379,21 +23510,20 @@ index 0b827c5..b2d6129 100644
ps_process_pattern($1, abrt_t)
')
-@@ -160,8 +161,7 @@ interface(`abrt_run_helper',`
+@@ -160,8 +161,45 @@ interface(`abrt_run_helper',`
########################################
## <summary>
-## Send and receive messages from
-## abrt over dbus.
+## Read abrt cache
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -169,12 +169,52 @@ interface(`abrt_run_helper',`
- ## </summary>
- ## </param>
- #
--interface(`abrt_cache_manage',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`abrt_read_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
@@ -23425,13 +23555,14 @@ index 0b827c5..b2d6129 100644
+########################################
+## <summary>
+## Manage abrt cache
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -169,12 +207,14 @@ interface(`abrt_run_helper',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`abrt_cache_manage',`
+interface(`abrt_manage_cache',`
gen_require(`
type abrt_var_cache_t;
@@ -23468,7 +23599,20 @@ index 0b827c5..b2d6129 100644
#####################################
## <summary>
## All of the rules required to administrate
-@@ -286,18 +344,116 @@ interface(`abrt_admin',`
+@@ -278,26 +336,128 @@ interface(`abrt_admin',`
+ type abrt_initrc_exec_t;
+ ')
+
+- allow $1 abrt_t:process { ptrace signal_perms };
++ allow $1 abrt_t:process { signal_perms };
+ ps_process_pattern($1, abrt_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 abrt_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ domain_system_change_exemption($1)
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
@@ -23591,7 +23735,7 @@ index 0b827c5..b2d6129 100644
+ dontaudit $1 abrt_t:sock_file write;
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..4b0f7cc 100644
+index 30861ec..d5a9038 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -23643,7 +23787,7 @@ index 30861ec..4b0f7cc 100644
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;
-@@ -43,14 +72,34 @@ ifdef(`enable_mcs',`
+@@ -43,22 +72,42 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
@@ -23680,15 +23824,16 @@ index 30861ec..4b0f7cc 100644
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +108,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
- allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+ allow abrt_t self:udp_socket create_socket_perms;
+ allow abrt_t self:unix_dgram_socket create_socket_perms;
+-allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
-@@ -68,7 +118,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -68,7 +117,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -23698,7 +23843,7 @@ index 30861ec..4b0f7cc 100644
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +134,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -23710,7 +23855,7 @@ index 30861ec..4b0f7cc 100644
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
-@@ -104,6 +155,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +154,7 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
@@ -23718,7 +23863,7 @@ index 30861ec..4b0f7cc 100644
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +164,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -23728,7 +23873,7 @@ index 30861ec..4b0f7cc 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +173,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -23737,15 +23882,16 @@ index 30861ec..4b0f7cc 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,15 +186,23 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +185,31 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
-sysnet_read_config(abrt_t)
-+sysnet_dns_name_resolve(abrt_t)
-
+-
logging_read_generic_logs(abrt_t)
-logging_send_syslog_msg(abrt_t)
++
++auth_use_nsswitch(abrt_t)
miscfiles_read_generic_certs(abrt_t)
-miscfiles_read_localization(abrt_t)
@@ -23764,19 +23910,16 @@ index 30861ec..4b0f7cc 100644
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +213,11 @@ optional_policy(`
')
optional_policy(`
+- nis_use_ypbind(abrt_t)
+ nsplugin_read_rw_files(abrt_t)
+ nsplugin_read_home(abrt_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(abrt_t)
- policykit_domtrans_auth(abrt_t)
- policykit_read_lib(abrt_t)
-@@ -167,6 +235,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+@@ -167,6 +230,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -23784,7 +23927,7 @@ index 30861ec..4b0f7cc 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +247,35 @@ optional_policy(`
+@@ -178,12 +242,35 @@ optional_policy(`
')
optional_policy(`
@@ -23821,7 +23964,7 @@ index 30861ec..4b0f7cc 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +292,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +287,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -23850,7 +23993,7 @@ index 30861ec..4b0f7cc 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +315,128 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +310,128 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -23858,7 +24001,7 @@ index 30861ec..4b0f7cc 100644
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
- ')
++')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
@@ -23936,7 +24079,7 @@ index 30861ec..4b0f7cc 100644
+
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
-+')
+ ')
+
+########################################
+#
@@ -23980,7 +24123,7 @@ index 30861ec..4b0f7cc 100644
+
+miscfiles_read_localization(abrt_domain)
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
-index c0f858d..d639ae0 100644
+index c0f858d..5770f1a 100644
--- a/policy/modules/services/accountsd.if
+++ b/policy/modules/services/accountsd.if
@@ -5,9 +5,9 @@
@@ -24004,17 +24147,22 @@ index c0f858d..d639ae0 100644
## </summary>
## </param>
#
-@@ -138,7 +138,7 @@ interface(`accountsd_admin',`
+@@ -138,8 +138,12 @@ interface(`accountsd_admin',`
type accountsd_t;
')
- allow $1 accountsd_t:process { ptrace signal_perms getattr };
-+ allow $1 accountsd_t:process { ptrace signal_perms };
++ allow $1 accountsd_t:process signal_perms;
ps_process_pattern($1, accountsd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 acountsd_t:process ptrace;
++ ')
++
accountsd_manage_lib_files($1)
+ ')
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..493bde2 100644
+index 1632f10..a538582 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
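Review bot: The ptrace rule added to `accountsd_admin` names `acountsd_t`, which is misspelled; the `signal_perms` rule two lines above it uses `accountsd_t`, and that is the type the interface's `gen_require` lists. As written, the rule either fails to resolve when the interface is expanded or leaves the admin domain without the intended access, depending on how the build treats the unknown type. It should read `allow $1 accountsd_t:process ptrace;`. The interface starts before this hunk, and the accountsd.te lines at the end of the hunk are unaffected.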
@@ -24026,10 +24174,12 @@ index 1632f10..493bde2 100644
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
-@@ -18,6 +20,7 @@ files_type(accountsd_var_lib_t)
+@@ -17,7 +19,8 @@ files_type(accountsd_var_lib_t)
+ # accountsd local policy
#
- allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
+-allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
++allow accountsd_t self:capability { dac_override setuid setgid };
+allow accountsd_t self:process signal;
allow accountsd_t self:fifo_file rw_fifo_file_perms;
@@ -24057,17 +24207,21 @@ index 1632f10..493bde2 100644
+ xserver_manage_xdm_etc_files(accountsd_t)
+')
diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
-index 8559cdc..49c0cc8 100644
+index 8559cdc..641044e 100644
--- a/policy/modules/services/afs.if
+++ b/policy/modules/services/afs.if
-@@ -97,8 +97,8 @@ interface(`afs_admin',`
+@@ -97,8 +97,12 @@ interface(`afs_admin',`
type afs_t, afs_initrc_exec_t;
')
- allow $1 afs_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, afs_t, afs_t)
-+ allow $1 afs_t:process { ptrace signal_perms };
++ allow $1 afs_t:process signal_perms;
+ ps_process_pattern($1, afs_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 afs_t:process ptrace;
++ ')
# Allow afs_admin to restart the afs service
afs_initrc_domtrans($1)
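Review bot: The `tunable_policy` block on `deny_ptrace` added to `afs_admin` has an empty true-branch and puts `allow $1 afs_t:process ptrace;` in the else-branch, which is easy to misread as granting ptrace when the boolean is on. A one-line comment above it, such as `# ptrace of afs_t is granted only while deny_ptrace is off`, would make the polarity explicit. The tunable is declared earlier in this patch as `gen_tunable(deny_ptrace, false)`, so admin domains keep ptrace by default and the restriction applies only once the boolean is enabled; the interface's `##` summary should say that. The same comment applies to the identical blocks added for accountsd, aiccu, aide, aisexec, ajaxterm, amavis and apache in the other hunks. `afs_admin` starts and ends outside this hunk.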
@@ -24086,6 +24240,25 @@ index a496fde..847609a 100644
########################################
#
# AFS bossserver local policy
+diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if
+index 184c9a8..8f77bf5 100644
+--- a/policy/modules/services/aiccu.if
++++ b/policy/modules/services/aiccu.if
+@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
+ type aiccu_var_run_t;
+ ')
+
+- allow $1 aiccu_t:process { ptrace signal_perms };
++ allow $1 aiccu_t:process signal_perms;
+ ps_process_pattern($1, aiccu_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 aiccu_t:process ptrace;
++ ')
++
+ aiccu_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
index 6d685ba..4114d9b 100644
--- a/policy/modules/services/aiccu.te
@@ -24116,7 +24289,7 @@ index 7798464..ff76db7 100644
/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
-index 838d25b..0b0db39 100644
+index 838d25b..b84d045 100644
--- a/policy/modules/services/aide.if
+++ b/policy/modules/services/aide.if
@@ -33,6 +33,7 @@ interface(`aide_domtrans',`
@@ -24127,6 +24300,21 @@ index 838d25b..0b0db39 100644
#
interface(`aide_run',`
gen_require(`
+@@ -60,9 +61,13 @@ interface(`aide_admin',`
+ type aide_t, aide_db_t, aide_log_t;
+ ')
+
+- allow $1 aide_t:process { ptrace signal_perms };
++ allow $1 aide_t:process signal_perms;
+ ps_process_pattern($1, aide_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 aide_t:process ptrace;
++ ')
++
+ files_list_etc($1)
+ admin_pattern($1, aide_db_t)
+
diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te
index 2509dd2..7ada82f 100644
--- a/policy/modules/services/aide.te
@@ -24152,7 +24340,7 @@ index 2509dd2..7ada82f 100644
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if
-index 0370dba..af5d229 100644
+index 0370dba..feea7e5 100644
--- a/policy/modules/services/aisexec.if
+++ b/policy/modules/services/aisexec.if
@@ -5,9 +5,9 @@
@@ -24167,6 +24355,21 @@ index 0370dba..af5d229 100644
## </param>
#
interface(`aisexec_domtrans',`
+@@ -82,9 +82,13 @@ interface(`aisexecd_admin',`
+ type aisexec_initrc_exec_t;
+ ')
+
+- allow $1 aisexec_t:process { ptrace signal_perms };
++ allow $1 aisexec_t:process signal_perms;
+ ps_process_pattern($1, aisexec_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 aisexec_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 aisexec_initrc_exec_t system_r;
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
index 64953f7..99a750b 100644
--- a/policy/modules/services/aisexec.te
@@ -24196,10 +24399,10 @@ index 0000000..aeb1888
+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if
new file mode 100644
-index 0000000..0f3fc36
+index 0000000..7abe946
--- /dev/null
+++ b/policy/modules/services/ajaxterm.if
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,90 @@
+## <summary>policy for ajaxterm</summary>
+
+########################################
@@ -24278,9 +24481,13 @@ index 0000000..0f3fc36
+ type ajaxterm_t, ajaxterm_initrc_exec_t;
+ ')
+
-+ allow $1 ajaxterm_t:process { ptrace signal_perms };
++ allow $1 ajaxterm_t:process signal_perms;
+ ps_process_pattern($1, ajaxterm_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ajaxterm_t:process ptrace;
++ ')
++
+ ajaxterm_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ajaxterm_initrc_exec_t system_r;
@@ -24369,6 +24576,25 @@ index d96fdfa..e07158f 100644
ifdef(`distro_debian',`
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
+diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
+index e31d92a..e515cb8 100644
+--- a/policy/modules/services/amavis.if
++++ b/policy/modules/services/amavis.if
+@@ -231,9 +231,13 @@ interface(`amavis_admin',`
+ type amavis_initrc_exec_t;
+ ')
+
+- allow $1 amavis_t:process { ptrace signal_perms };
++ allow $1 amavis_t:process signal_perms;
+ ps_process_pattern($1, amavis_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 amavis_t:process ptrace;
++ ')
++
+ amavis_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index deca9d3..ae8c579 100644
--- a/policy/modules/services/amavis.te
@@ -24566,10 +24792,10 @@ index 9e39aa5..a9959fa 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..e12bbc0 100644
+index 6480167..2ad693a 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
-@@ -13,17 +13,13 @@
+@@ -13,62 +13,46 @@
#
template(`apache_content_template',`
gen_require(`
@@ -24579,6 +24805,7 @@ index 6480167..e12bbc0 100644
+ attribute httpd_exec_scripts, httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_sys_content_t;
++ attribute httpd_script_type, httpd_content_type;
')
- # allow write access to public file transfer
- # services files.
@@ -24587,68 +24814,89 @@ index 6480167..e12bbc0 100644
#This type is for webpages
- type httpd_$1_content_t, httpdcontent; # customizable
+ type httpd_$1_content_t; # customizable;
++ typeattribute httpd_$1_content_t httpd_content_type;
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
files_type(httpd_$1_content_t)
-@@ -36,32 +32,32 @@ template(`apache_content_template',`
+ # This type is used for .htaccess files
+- type httpd_$1_htaccess_t; # customizable;
++ type httpd_$1_htaccess_t, httpd_content_type; # customizable;
++ typeattribute httpd_$1_htaccess_t httpd_content_type;
+ files_type(httpd_$1_htaccess_t)
+
+ # Type that CGI scripts run as
+- type httpd_$1_script_t;
++ type httpd_$1_script_t, httpd_script_type;
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
-+ search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
-+
# This type is used for executable scripts files
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
- corecmd_shell_entry_type(httpd_$1_script_t)
+- corecmd_shell_entry_type(httpd_$1_script_t)
++ typeattribute httpd_$1_script_exec_t httpd_content_type;
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
- type httpd_$1_rw_content_t, httpdcontent; # customizable
+ type httpd_$1_rw_content_t; # customizable
++ typeattribute httpd_$1_rw_content_t httpd_content_type;
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
files_type(httpd_$1_rw_content_t)
- type httpd_$1_ra_content_t, httpdcontent; # customizable
-+ type httpd_$1_ra_content_t; # customizable
++ type httpd_$1_ra_content_t, httpd_content_type; # customizable
++ typeattribute httpd_$1_ra_content_t httpd_content_type;
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
-
+- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
+-
- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
- allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+- allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
-+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
-
- allow httpd_$1_script_t self:fifo_file rw_file_perms;
- allow httpd_$1_script_t self:unix_stream_socket connectto;
-
- allow httpd_$1_script_t httpd_t:fifo_file write;
- # apache should set close-on-exec
+-
+- allow httpd_$1_script_t self:fifo_file rw_file_perms;
+- allow httpd_$1_script_t self:unix_stream_socket connectto;
+-
+- allow httpd_$1_script_t httpd_t:fifo_file write;
+- # apache should set close-on-exec
- dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
-+ apache_dontaudit_leaks(httpd_$1_script_t)
-
+-
# Allow the script process to search the cgi directory, and users directory
allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
-@@ -86,7 +82,6 @@ template(`apache_content_template',`
+
+- append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
+- logging_search_logs(httpd_$1_script_t)
+-
+ can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+@@ -86,40 +70,6 @@ template(`apache_content_template',`
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
-
- kernel_dontaudit_search_sysctl(httpd_$1_script_t)
- kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-@@ -95,6 +90,7 @@ template(`apache_content_template',`
- dev_read_urand(httpd_$1_script_t)
-
- corecmd_exec_all_executables(httpd_$1_script_t)
-+ application_exec_all(httpd_$1_script_t)
-
- files_exec_etc_files(httpd_$1_script_t)
- files_read_etc_files(httpd_$1_script_t)
-@@ -108,19 +104,6 @@ template(`apache_content_template',`
-
- seutil_dontaudit_search_config(httpd_$1_script_t)
-
+-
+- kernel_dontaudit_search_sysctl(httpd_$1_script_t)
+- kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
+-
+- dev_read_rand(httpd_$1_script_t)
+- dev_read_urand(httpd_$1_script_t)
+-
+- corecmd_exec_all_executables(httpd_$1_script_t)
+-
+- files_exec_etc_files(httpd_$1_script_t)
+- files_read_etc_files(httpd_$1_script_t)
+- files_search_home(httpd_$1_script_t)
+-
+- libs_exec_ld_so(httpd_$1_script_t)
+- libs_exec_lib_files(httpd_$1_script_t)
+-
+- miscfiles_read_fonts(httpd_$1_script_t)
+- miscfiles_read_public_files(httpd_$1_script_t)
+-
+- seutil_dontaudit_search_config(httpd_$1_script_t)
+-
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t httpdcontent:file entrypoint;
-
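Review bot: `httpd_content_type` is attached twice to two of the template's types: `type httpd_$1_htaccess_t, httpd_content_type;` is immediately followed by `typeattribute httpd_$1_htaccess_t httpd_content_type;`, and the same pair appears for `httpd_$1_ra_content_t`. The content and rw types in this hunk use only the `typeattribute` line, so for consistency the declarations should drop the attribute, e.g. `type httpd_$1_htaccess_t; # customizable;`. Separately, `httpd_$1_script_exec_t` now joins `httpd_content_type`, so any rule written against that attribute (none is visible here) would also reach executable CGI script files. It is worth confirming that the attribute-wide rules in apache.te are meant to cover them. The template body continues past this hunk.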
@@ -24661,15 +24909,26 @@ index 6480167..e12bbc0 100644
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
--
+
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-@@ -140,26 +123,37 @@ template(`apache_content_template',`
- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
-+ allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
+@@ -128,68 +78,25 @@ template(`apache_content_template',`
+ manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+
+- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
++ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
+ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+
+- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+-
+- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
')
tunable_policy(`httpd_enable_cgi',`
@@ -24684,45 +24943,50 @@ index 6480167..e12bbc0 100644
+
# apache runs the script:
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
-+ allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
-+ allow httpd_t httpd_$1_script_exec_t:lnk_file read_lnk_file_perms;
-+
- allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
- allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
-
- allow httpd_$1_script_t self:process { setsched signal_perms };
- allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
-+ allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
-
- allow httpd_$1_script_t httpd_t:fd use;
- allow httpd_$1_script_t httpd_t:process sigchld;
-
-+ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
-+
- kernel_read_system_state(httpd_$1_script_t)
-
- dev_read_urand(httpd_$1_script_t)
-@@ -172,6 +166,7 @@ template(`apache_content_template',`
- libs_read_lib_files(httpd_$1_script_t)
-
- miscfiles_read_localization(httpd_$1_script_t)
-+ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
- ')
-
- optional_policy(`
-@@ -182,10 +177,6 @@ template(`apache_content_template',`
-
- optional_policy(`
- postgresql_unpriv_client(httpd_$1_script_t)
+-
+- allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+- allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+-
+- allow httpd_$1_script_t self:process { setsched signal_perms };
+- allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+-
+- allow httpd_$1_script_t httpd_t:fd use;
+- allow httpd_$1_script_t httpd_t:process sigchld;
+-
+- kernel_read_system_state(httpd_$1_script_t)
+-
+- dev_read_urand(httpd_$1_script_t)
+-
+- fs_getattr_xattr_fs(httpd_$1_script_t)
+-
+- files_read_etc_runtime_files(httpd_$1_script_t)
+- files_read_usr_files(httpd_$1_script_t)
+-
+- libs_read_lib_files(httpd_$1_script_t)
+-
+- miscfiles_read_localization(httpd_$1_script_t)
+- ')
+-
+- optional_policy(`
+- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+- nis_use_ypbind_uncond(httpd_$1_script_t)
+- ')
+- ')
+-
+- optional_policy(`
+- postgresql_unpriv_client(httpd_$1_script_t)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_$1_script_t)
- ')
+- ')
+-
+- optional_policy(`
+- nscd_socket_use(httpd_$1_script_t)
')
+ ')
- optional_policy(`
-@@ -211,9 +202,8 @@ template(`apache_content_template',`
+@@ -211,9 +118,8 @@ template(`apache_content_template',`
interface(`apache_role',`
gen_require(`
attribute httpdcontent;
@@ -24734,7 +24998,7 @@ index 6480167..e12bbc0 100644
')
role $1 types httpd_user_script_t;
-@@ -234,6 +224,13 @@ interface(`apache_role',`
+@@ -234,6 +140,13 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
@@ -24748,7 +25012,7 @@ index 6480167..e12bbc0 100644
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -248,6 +245,9 @@ interface(`apache_role',`
+@@ -248,6 +161,9 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
@@ -24758,7 +25022,7 @@ index 6480167..e12bbc0 100644
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -317,6 +317,25 @@ interface(`apache_domtrans',`
+@@ -317,6 +233,25 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -24784,7 +25048,7 @@ index 6480167..e12bbc0 100644
#######################################
## <summary>
## Send a generic signal to apache.
-@@ -405,7 +424,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -405,7 +340,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
@@ -24793,7 +25057,7 @@ index 6480167..e12bbc0 100644
')
########################################
-@@ -487,7 +506,7 @@ interface(`apache_setattr_cache_dirs',`
+@@ -487,7 +422,7 @@ interface(`apache_setattr_cache_dirs',`
type httpd_cache_t;
')
@@ -24802,7 +25066,7 @@ index 6480167..e12bbc0 100644
')
########################################
-@@ -531,6 +550,25 @@ interface(`apache_rw_cache_files',`
+@@ -531,6 +466,25 @@ interface(`apache_rw_cache_files',`
########################################
## <summary>
## Allow the specified domain to delete
@@ -24828,7 +25092,7 @@ index 6480167..e12bbc0 100644
## Apache cache.
## </summary>
## <param name="domain">
-@@ -549,6 +587,26 @@ interface(`apache_delete_cache_files',`
+@@ -549,6 +503,26 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
@@ -24855,7 +25119,7 @@ index 6480167..e12bbc0 100644
## Allow the specified domain to read
## apache configuration files.
## </summary>
-@@ -699,7 +757,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -699,7 +673,7 @@ interface(`apache_dontaudit_append_log',`
type httpd_log_t;
')
@@ -24864,7 +25128,7 @@ index 6480167..e12bbc0 100644
')
########################################
-@@ -745,6 +803,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -745,6 +719,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
## <summary>
@@ -24890,7 +25154,7 @@ index 6480167..e12bbc0 100644
## Allow the specified domain to list
## the contents of the apache modules
## directory.
-@@ -761,6 +838,7 @@ interface(`apache_list_modules',`
+@@ -761,6 +754,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -24898,7 +25162,7 @@ index 6480167..e12bbc0 100644
')
########################################
-@@ -802,6 +880,43 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -802,6 +796,43 @@ interface(`apache_domtrans_rotatelogs',`
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
@@ -24942,7 +25206,7 @@ index 6480167..e12bbc0 100644
########################################
## <summary>
## Allow the specified domain to list
-@@ -819,6 +934,7 @@ interface(`apache_list_sys_content',`
+@@ -819,6 +850,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -24950,7 +25214,7 @@ index 6480167..e12bbc0 100644
files_search_var($1)
')
-@@ -846,6 +962,74 @@ interface(`apache_manage_sys_content',`
+@@ -846,6 +878,74 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -25025,7 +25289,7 @@ index 6480167..e12bbc0 100644
########################################
## <summary>
## Execute all web scripts in the system
-@@ -862,7 +1046,12 @@ interface(`apache_manage_sys_content',`
+@@ -862,7 +962,12 @@ interface(`apache_manage_sys_content',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
@@ -25039,7 +25303,7 @@ index 6480167..e12bbc0 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1110,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -921,9 +1026,10 @@ interface(`apache_domtrans_all_scripts',`
## </param>
## <param name="role">
## <summary>
@@ -25051,7 +25315,7 @@ index 6480167..e12bbc0 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -950,7 +1140,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -950,7 +1056,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -25060,7 +25324,7 @@ index 6480167..e12bbc0 100644
')
########################################
-@@ -1091,6 +1281,25 @@ interface(`apache_read_tmp_files',`
+@@ -1091,6 +1197,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -25086,7 +25350,7 @@ index 6480167..e12bbc0 100644
########################################
## <summary>
## Dontaudit attempts to write
-@@ -1107,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1107,7 +1232,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -25095,7 +25359,7 @@ index 6480167..e12bbc0 100644
')
########################################
-@@ -1150,12 +1359,6 @@ interface(`apache_cgi_domain',`
+@@ -1150,12 +1275,6 @@ interface(`apache_cgi_domain',`
## <summary>
## All of the rules required to administrate an apache environment
## </summary>
@@ -25108,7 +25372,7 @@ index 6480167..e12bbc0 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1170,17 +1373,15 @@ interface(`apache_cgi_domain',`
+@@ -1170,19 +1289,21 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
@@ -25127,11 +25391,17 @@ index 6480167..e12bbc0 100644
')
- allow $1 httpd_t:process { getattr ptrace signal_perms };
-+ allow $1 httpd_t:process { ptrace signal_perms };
++ allow $1 httpd_t:process signal_perms;
ps_process_pattern($1, httpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 httpd_t:process ptrace;
++ ')
++
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1191,10 +1392,10 @@ interface(`apache_admin',`
+ domain_system_change_exemption($1)
+ role_transition $2 httpd_initrc_exec_t system_r;
+@@ -1191,10 +1312,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -25144,7 +25414,7 @@ index 6480167..e12bbc0 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1406,69 @@ interface(`apache_admin',`
+@@ -1205,14 +1326,69 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -25220,10 +25490,10 @@ index 6480167..e12bbc0 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..248682c 100644
+index 3136c6a..7cb2fe5 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
-@@ -18,130 +18,203 @@ policy_module(apache, 2.2.1)
+@@ -18,136 +18,211 @@ policy_module(apache, 2.2.1)
# Declarations
#
@@ -25482,8 +25752,16 @@ index 3136c6a..248682c 100644
+
attribute httpdcontent;
attribute httpd_user_content_type;
++attribute httpd_content_type;
+
+ # domains that can exec all users scripts
+ attribute httpd_exec_scripts;
-@@ -166,7 +239,7 @@ files_type(httpd_cache_t)
++attribute httpd_script_type;
+ attribute httpd_script_exec_type;
+ attribute httpd_user_script_exec_type;
+
+@@ -166,7 +241,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
@@ -25492,7 +25770,7 @@ index 3136c6a..248682c 100644
type httpd_helper_t;
type httpd_helper_exec_t;
-@@ -177,6 +250,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +252,9 @@ role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -25502,12 +25780,16 @@ index 3136c6a..248682c 100644
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -216,7 +292,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +294,21 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+
++optional_policy(`
++ postgresql_unpriv_client(httpd_sys_script_t)
++')
++
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
@@ -25521,7 +25803,7 @@ index 3136c6a..248682c 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -226,6 +312,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +318,10 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -25532,7 +25814,7 @@ index 3136c6a..248682c 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +323,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +329,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -25540,7 +25822,7 @@ index 3136c6a..248682c 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +345,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +351,23 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
@@ -25564,7 +25846,7 @@ index 3136c6a..248682c 100644
########################################
#
# Apache server local policy
-@@ -281,11 +381,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +387,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
@@ -25578,7 +25860,7 @@ index 3136c6a..248682c 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +431,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +437,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -25589,7 +25871,7 @@ index 3136c6a..248682c 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +458,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +464,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -25599,7 +25881,7 @@ index 3136c6a..248682c 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +471,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +477,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -25616,7 +25898,7 @@ index 3136c6a..248682c 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -378,12 +488,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +494,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -25632,7 +25914,7 @@ index 3136c6a..248682c 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +501,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +507,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -25640,7 +25922,7 @@ index 3136c6a..248682c 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,48 +513,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +519,101 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -25744,7 +26026,7 @@ index 3136c6a..248682c 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +620,47 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,25 +626,47 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -25794,7 +26076,7 @@ index 3136c6a..248682c 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +670,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +676,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -25811,7 +26093,7 @@ index 3136c6a..248682c 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +694,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +700,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -25832,7 +26114,7 @@ index 3136c6a..248682c 100644
')
optional_policy(`
-@@ -513,7 +718,13 @@ optional_policy(`
+@@ -513,7 +724,13 @@ optional_policy(`
')
optional_policy(`
@@ -25847,7 +26129,7 @@ index 3136c6a..248682c 100644
')
optional_policy(`
-@@ -528,7 +739,19 @@ optional_policy(`
+@@ -528,7 +745,19 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -25868,7 +26150,7 @@ index 3136c6a..248682c 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +760,13 @@ optional_policy(`
+@@ -537,8 +766,13 @@ optional_policy(`
')
optional_policy(`
@@ -25883,7 +26165,7 @@ index 3136c6a..248682c 100644
')
')
-@@ -556,7 +784,13 @@ optional_policy(`
+@@ -556,7 +790,13 @@ optional_policy(`
')
optional_policy(`
@@ -25897,7 +26179,7 @@ index 3136c6a..248682c 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +801,7 @@ optional_policy(`
+@@ -567,6 +807,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -25905,7 +26187,7 @@ index 3136c6a..248682c 100644
')
optional_policy(`
-@@ -577,6 +812,20 @@ optional_policy(`
+@@ -577,6 +818,20 @@ optional_policy(`
')
optional_policy(`
@@ -25926,7 +26208,7 @@ index 3136c6a..248682c 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +840,11 @@ optional_policy(`
+@@ -591,6 +846,11 @@ optional_policy(`
')
optional_policy(`
@@ -25938,7 +26220,7 @@ index 3136c6a..248682c 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +857,12 @@ optional_policy(`
+@@ -603,6 +863,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -25951,7 +26233,7 @@ index 3136c6a..248682c 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +876,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +882,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -25964,7 +26246,7 @@ index 3136c6a..248682c 100644
########################################
#
-@@ -654,28 +918,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +924,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -26008,7 +26290,7 @@ index 3136c6a..248682c 100644
')
########################################
-@@ -685,6 +951,8 @@ optional_policy(`
+@@ -685,6 +957,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -26017,7 +26299,7 @@ index 3136c6a..248682c 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +967,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +973,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -26043,7 +26325,7 @@ index 3136c6a..248682c 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1013,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1019,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -26076,7 +26358,7 @@ index 3136c6a..248682c 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1060,25 @@ optional_policy(`
+@@ -769,6 +1066,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -26102,7 +26384,7 @@ index 3136c6a..248682c 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1099,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1105,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -26120,7 +26402,7 @@ index 3136c6a..248682c 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1118,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1124,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -26177,7 +26459,7 @@ index 3136c6a..248682c 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1169,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1175,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -26208,7 +26490,7 @@ index 3136c6a..248682c 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1204,20 @@ optional_policy(`
+@@ -842,10 +1210,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -26229,7 +26511,7 @@ index 3136c6a..248682c 100644
')
########################################
-@@ -891,11 +1263,49 @@ optional_policy(`
+@@ -891,11 +1269,137 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -26247,13 +26529,13 @@ index 3136c6a..248682c 100644
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
- ')
++')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
+ userdom_read_user_home_content_files(httpd_user_script_t)
-+')
+ ')
+
+########################################
+#
@@ -26282,6 +26564,94 @@ index 3136c6a..248682c 100644
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
++
++search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
++corecmd_shell_entry_type(httpd_script_type)
++
++allow httpd_script_type self:fifo_file rw_file_perms;
++allow httpd_script_type self:unix_stream_socket connectto;
++
++allow httpd_script_type httpd_t:fifo_file write;
++# apache should set close-on-exec
++apache_dontaudit_leaks(httpd_script_type)
++
++append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
++logging_search_logs(httpd_script_type)
++
++kernel_dontaudit_search_sysctl(httpd_script_type)
++kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
++
++dev_read_rand(httpd_script_type)
++dev_read_urand(httpd_script_type)
++
++corecmd_exec_all_executables(httpd_script_type)
++application_exec_all(httpd_script_type)
++
++files_exec_etc_files(httpd_script_type)
++files_read_etc_files(httpd_script_type)
++files_search_home(httpd_script_type)
++
++libs_exec_ld_so(httpd_script_type)
++libs_exec_lib_files(httpd_script_type)
++
++miscfiles_read_fonts(httpd_script_type)
++miscfiles_read_public_files(httpd_script_type)
++
++seutil_dontaudit_search_config(httpd_script_type)
++allow httpd_t httpd_script_type:unix_stream_socket connectto;
++
++allow httpd_t httpd_script_exec_type:file read_file_perms;
++allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
++allow httpd_t httpd_script_type:process { signal sigkill sigstop };
++allow httpd_t httpd_script_exec_type:dir list_dir_perms;
++
++allow httpd_script_type self:process { setsched signal_perms };
++allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
++allow httpd_script_type self:unix_dgram_socket create_socket_perms;
++
++allow httpd_script_type httpd_t:fd use;
++allow httpd_script_type httpd_t:process sigchld;
++
++dontaudit httpd_script_type httpd_t:tcp_socket { read write };
++
++kernel_read_system_state(httpd_script_type)
++
++dev_read_urand(httpd_script_type)
++
++fs_getattr_xattr_fs(httpd_script_type)
++
++files_read_etc_runtime_files(httpd_script_type)
++files_read_usr_files(httpd_script_type)
++
++libs_read_lib_files(httpd_script_type)
++
++miscfiles_read_localization(httpd_script_type)
++allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
++
++tunable_policy(`httpd_enable_cgi && allow_ypbind',`
++ nis_use_ypbind_uncond(httpd_script_type)
++')
++
++optional_policy(`
++ nscd_socket_use(httpd_script_type)
++')
++
++read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++
++tunable_policy(`httpd_builtin_scripting',`
++ allow httpd_t httpd_content_type:dir search_dir_perms;
++ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
++
++ allow httpd_t httpd_content_type:dir list_dir_perms;
++ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++
++ allow httpd_t httpd_content_type:dir list_dir_perms;
++ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++')
++
++
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
index cd07b96..9b7742f 100644
--- a/policy/modules/services/apcupsd.fc
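Review bot: The unconditional `read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)` added just before the `httpd_builtin_scripting` block grants httpd_t the same file read that the block then gates, so switching the boolean off would not remove that read. If the unconditional grant is intended, a comment such as `# httpd_t can always read content files; the boolean adds directory listing and symlink reads` would make that explicit; otherwise the line should be dropped. Inside the block, the three rules `allow httpd_t httpd_content_type:dir list_dir_perms;`, `read_files_pattern(...)` and `read_lnk_files_pattern(...)` appear twice in a row, and `dev_read_urand(httpd_script_type)` is listed twice earlier in the hunk, so the repeats can go. It is also worth confirming that `corecmd_exec_all_executables(httpd_script_type)` and `application_exec_all(httpd_script_type)` are meant to apply to every domain carrying the attribute rather than to individual script domains.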
@@ -26300,6 +26670,25 @@ index cd07b96..9b7742f 100644
/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
+index e342775..4ffdb80 100644
+--- a/policy/modules/services/apcupsd.if
++++ b/policy/modules/services/apcupsd.if
+@@ -146,9 +146,13 @@ interface(`apcupsd_admin',`
+ type apcupsd_initrc_exec_t;
+ ')
+
+- allow $1 apcupsd_t:process { ptrace signal_perms };
++ allow $1 apcupsd_t:process signal_perms;
+ ps_process_pattern($1, apcupsd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 apcupsd_t:process ptrace;
++ ')
++
+ apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 apcupsd_initrc_exec_t system_r;
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index d052bf0..ec55314 100644
--- a/policy/modules/services/apcupsd.te
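Review bot: The tunable_policy block on deny_ptrace added to `apcupsd_admin` leaves its true branch empty and puts `allow $1 apcupsd_t:process ptrace;` in the else branch, which is easy to misread as granting ptrace when the boolean is on. A one-line comment above it, e.g. `# ptrace of apcupsd_t is allowed only while deny_ptrace is off`, would document the inversion. The same block is hand-copied into the arpwatch, asterisk, automount, avahi, bind, bitlbee, bluetooth, boinc, bugzilla, callweaver, canna, certmaster and certmonger hunks. A small helper interface taking the source and target domains would keep those copies from drifting apart. `apcupsd_admin` starts before this hunk and continues after it.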
@@ -26355,7 +26744,7 @@ index 1ea99b2..9427dd5 100644
+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..21b91de 100644
+index 1c8c27e..f8de34e 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -26375,8 +26764,12 @@ index 1c8c27e..21b91de 100644
domain_use_interactive_fds(apm_t)
-@@ -62,6 +63,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
- dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+@@ -59,9 +60,10 @@ logging_send_syslog_msg(apm_t)
+ # mknod: controlling an orderly resume of PCMCIA requires creating device
+ # nodes 254,{0,1,2} for some reason.
+ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
++dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
+allow apmd_t self:netlink_socket create_socket_perms;
@@ -26473,18 +26866,24 @@ index 1c8c27e..21b91de 100644
')
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
-index c804110..bdefbe1 100644
+index c804110..980cd57 100644
--- a/policy/modules/services/arpwatch.if
+++ b/policy/modules/services/arpwatch.if
-@@ -137,7 +137,7 @@ interface(`arpwatch_admin',`
+@@ -137,9 +137,13 @@ interface(`arpwatch_admin',`
type arpwatch_initrc_exec_t;
')
- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
-+ allow $1 arpwatch_t:process { ptrace signal_perms };
++ allow $1 arpwatch_t:process signal_perms;
ps_process_pattern($1, arpwatch_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 arpwatch_t:process ptrace;
++ ')
++
arpwatch_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 arpwatch_initrc_exec_t system_r;
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index 804135f..af04567 100644
--- a/policy/modules/services/arpwatch.te
@@ -26501,18 +26900,24 @@ index 804135f..af04567 100644
kernel_request_load_module(arpwatch_t)
diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
-index 8b8143e..c1a2b96 100644
+index 8b8143e..a04a8af 100644
--- a/policy/modules/services/asterisk.if
+++ b/policy/modules/services/asterisk.if
-@@ -64,7 +64,7 @@ interface(`asterisk_admin',`
+@@ -64,9 +64,13 @@ interface(`asterisk_admin',`
type asterisk_initrc_exec_t;
')
- allow $1 asterisk_t:process { ptrace signal_perms getattr };
-+ allow $1 asterisk_t:process { ptrace signal_perms };
++ allow $1 asterisk_t:process signal_perms;
ps_process_pattern($1, asterisk_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 asterisk_t:process ptrace;
++ ')
++
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index b3b0176..8e66610 100644
--- a/policy/modules/services/asterisk.te
@@ -26593,8 +26998,21 @@ index b3b0176..8e66610 100644
mysql_stream_connect(asterisk_t)
')
+diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
+index 2b348c7..b89658c 100644
+--- a/policy/modules/services/audioentropy.te
++++ b/policy/modules/services/audioentropy.te
+@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t)
+
+ domain_use_interactive_fds(entropyd_t)
+
++auth_read_passwd(entropyd_t)
++
+ logging_send_syslog_msg(entropyd_t)
+
+ miscfiles_read_localization(entropyd_t)
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
-index d80a16b..68b85e2 100644
+index d80a16b..4f2a53f 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
@@ -26632,15 +27050,21 @@ index d80a16b..68b85e2 100644
')
########################################
-@@ -149,7 +150,7 @@ interface(`automount_admin',`
+@@ -149,9 +150,13 @@ interface(`automount_admin',`
type automount_var_run_t, automount_initrc_exec_t;
')
- allow $1 automount_t:process { ptrace signal_perms getattr };
-+ allow $1 automount_t:process { ptrace signal_perms };
++ allow $1 automount_t:process signal_perms;
ps_process_pattern($1, automount_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 automount_t:process ptrace;
++ ')
++
init_labeled_script_domtrans($1, automount_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 automount_initrc_exec_t system_r;
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 39799db..9390ef1 100644
--- a/policy/modules/services/automount.te
@@ -26678,7 +27102,7 @@ index 39799db..9390ef1 100644
')
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
-index 61c74bc..c6b0498 100644
+index 61c74bc..c7a0db2 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',`
@@ -26689,6 +27113,21 @@ index 61c74bc..c6b0498 100644
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
+@@ -153,9 +154,13 @@ interface(`avahi_admin',`
+ type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ ')
+
+- allow $1 avahi_t:process { ptrace signal_perms };
++ allow $1 avahi_t:process signal_perms;
+ ps_process_pattern($1, avahi_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 avahi_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 avahi_initrc_exec_t system_r;
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index a7a0e71..5352ef6 100644
--- a/policy/modules/services/avahi.te
@@ -26734,7 +27173,7 @@ index 59aa54f..f944a65 100644
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
-index 44a1e3d..7802b7b 100644
+index 44a1e3d..7cc67ec 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
@@ -26822,7 +27261,7 @@ index 44a1e3d..7802b7b 100644
## Manage BIND zone files.
## </summary>
## <param name="domain">
-@@ -359,10 +403,9 @@ interface(`bind_udp_chat_named',`
+@@ -359,18 +403,25 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
@@ -26835,8 +27274,26 @@ index 44a1e3d..7802b7b 100644
+ type dnssec_t, ndc_t, named_keytab_t;
')
- allow $1 named_t:process { ptrace signal_perms };
-@@ -391,9 +434,10 @@ interface(`bind_admin',`
+- allow $1 named_t:process { ptrace signal_perms };
++ allow $1 named_t:process signal_perms;
+ ps_process_pattern($1, named_t)
+
+- allow $1 ndc_t:process { ptrace signal_perms };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 named_t:process ptrace;
++ ')
++
++ allow $1 ndc_t:process signal_perms;
+ ps_process_pattern($1, ndc_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ndc_t:process ptrace;
++ ')
++
+ bind_run_ndc($1, $2)
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+@@ -391,9 +442,10 @@ interface(`bind_admin',`
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
@@ -27004,6 +27461,25 @@ index 0197980..f8bce2c 100644
+
+/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if
+index de0bd67..1df2048 100644
+--- a/policy/modules/services/bitlbee.if
++++ b/policy/modules/services/bitlbee.if
+@@ -43,9 +43,13 @@ interface(`bitlbee_admin',`
+ type bitlbee_initrc_exec_t;
+ ')
+
+- allow $1 bitlbee_t:process { ptrace signal_perms };
++ allow $1 bitlbee_t:process signal_perms;
+ ps_process_pattern($1, bitlbee_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bitlbee_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
index f4e7ad3..2faf42a 100644
--- a/policy/modules/services/bitlbee.te
@@ -27071,8 +27547,106 @@ index f4e7ad3..2faf42a 100644
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
+diff --git a/policy/modules/services/blueman.fc b/policy/modules/services/blueman.fc
+new file mode 100644
+index 0000000..69f2b36
+--- /dev/null
++++ b/policy/modules/services/blueman.fc
+@@ -0,0 +1,2 @@
++
++/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
+diff --git a/policy/modules/services/blueman.if b/policy/modules/services/blueman.if
+new file mode 100644
+index 0000000..d694c0a
+--- /dev/null
++++ b/policy/modules/services/blueman.if
+@@ -0,0 +1,41 @@
++## <summary>policy for blueman</summary>
++
++########################################
++## <summary>
++## Transition to blueman.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`blueman_domtrans',`
++ gen_require(`
++ type blueman_t, blueman_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, blueman_exec_t, blueman_t)
++')
++
++########################################
++## <summary>
++## Send and receive messages from
++## blueman over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`blueman_dbus_chat',`
++ gen_require(`
++ type blueman_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 blueman_t:dbus send_msg;
++ allow blueman_t $1:dbus send_msg;
++')
+diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
+new file mode 100644
+index 0000000..fde1531
+--- /dev/null
++++ b/policy/modules/services/blueman.te
+@@ -0,0 +1,37 @@
++policy_module(blueman, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type blueman_t;
++type blueman_exec_t;
++dbus_system_domain(blueman_t, blueman_exec_t)
++
++########################################
++#
++# blueman local policy
++#
++allow blueman_t self:fifo_file rw_fifo_file_perms;
++
++kernel_read_system_state(blueman_t)
++
++corecmd_exec_bin(blueman_t)
++
++dev_rw_wireless(blueman_t)
++
++domain_use_interactive_fds(blueman_t)
++
++files_read_etc_files(blueman_t)
++files_read_usr_files(blueman_t)
++
++auth_read_passwd(blueman_t)
++
++logging_send_syslog_msg(blueman_t)
++
++miscfiles_read_localization(blueman_t)
++
++optional_policy(`
++ avahi_domtrans(blueman_t)
++')
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
-index 3e45431..4aa8fb1 100644
+index 3e45431..a726c09 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -14,6 +14,7 @@
@@ -27083,16 +27657,29 @@ index 3e45431..4aa8fb1 100644
#
interface(`bluetooth_role',`
gen_require(`
-@@ -27,7 +28,7 @@ interface(`bluetooth_role',`
+@@ -27,7 +28,11 @@ interface(`bluetooth_role',`
# allow ps to show cdrecord and allow the user to kill it
ps_process_pattern($2, bluetooth_helper_t)
- allow $2 bluetooth_helper_t:process signal;
-+ allow $2 bluetooth_helper_t:process { ptrace signal_perms };
++ allow $2 bluetooth_helper_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 bluetooth_helper_t:process ptrace;
++ ')
manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
-@@ -91,7 +92,7 @@ interface(`bluetooth_read_config',`
+@@ -35,6 +40,8 @@ interface(`bluetooth_role',`
+
+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
++
++ bluetooth_stream_connect($2)
+ ')
+
+ #####################################
+@@ -91,7 +98,7 @@ interface(`bluetooth_read_config',`
type bluetooth_conf_t;
')
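Review bot: In `bluetooth_role` the rule for `$2` on bluetooth_helper_t goes from upstream's `signal` to `signal_perms` plus a conditional `ptrace`, but the comment above it still reads "allow ps to show cdrecord and allow the user to kill it", which names the wrong program and justifies only a kill. Letting the calling domain ptrace the helper is a wider grant than stopping it, so either the reason should be stated or the rule kept at `allow $2 bluetooth_helper_t:process signal;`. At minimum the comment could become `# allow ps to show bluetooth_helper and allow the user to signal it`.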
@@ -27101,7 +27688,7 @@ index 3e45431..4aa8fb1 100644
')
########################################
-@@ -117,6 +118,27 @@ interface(`bluetooth_dbus_chat',`
+@@ -117,6 +124,27 @@ interface(`bluetooth_dbus_chat',`
########################################
## <summary>
@@ -27129,7 +27716,7 @@ index 3e45431..4aa8fb1 100644
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
-@@ -157,7 +179,7 @@ interface(`bluetooth_run_helper',`
+@@ -157,7 +185,7 @@ interface(`bluetooth_run_helper',`
########################################
## <summary>
@@ -27138,7 +27725,7 @@ index 3e45431..4aa8fb1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -170,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -170,8 +198,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
type bluetooth_helper_t;
')
@@ -27149,7 +27736,7 @@ index 3e45431..4aa8fb1 100644
')
########################################
-@@ -194,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -194,14 +222,17 @@ interface(`bluetooth_dontaudit_read_helper_state',`
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
@@ -27159,8 +27746,18 @@ index 3e45431..4aa8fb1 100644
- type bluetooth_initrc_exec_t;
')
- allow $1 bluetooth_t:process { ptrace signal_perms };
-@@ -217,9 +238,6 @@ interface(`bluetooth_admin',`
+- allow $1 bluetooth_t:process { ptrace signal_perms };
++ allow $1 bluetooth_t:process signal_perms;
+ ps_process_pattern($1, bluetooth_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bluetooth_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bluetooth_initrc_exec_t system_r;
+@@ -217,9 +248,6 @@ interface(`bluetooth_admin',`
admin_pattern($1, bluetooth_conf_t)
admin_pattern($1, bluetooth_conf_rw_t)
@@ -27255,10 +27852,10 @@ index 0000000..c095160
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
new file mode 100644
-index 0000000..fa9b95a
+index 0000000..9fe3f9e
--- /dev/null
+++ b/policy/modules/services/boinc.if
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,154 @@
+## <summary>policy for boinc</summary>
+
+########################################
@@ -27398,9 +27995,13 @@ index 0000000..fa9b95a
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+ ')
+
-+ allow $1 boinc_t:process { ptrace signal_perms };
++ allow $1 boinc_t:process signal_perms;
+ ps_process_pattern($1, boinc_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 boic_t:process ptrace;
++ ')
++
+ boinc_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 boinc_initrc_exec_t system_r;
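Review bot: The added `allow $1 boic_t:process ptrace;` in `boinc_admin` misspells the type: the `gen_require` at the top of the hunk declares `boinc_t`, and `boic_t` appears nowhere else here. As written, the rule presumably either fails to resolve when the policy is built or never grants ptrace on the boinc daemon, so admins would lose the access the removed `{ ptrace signal_perms }` rule gave them even with deny_ptrace off. The line should read `allow $1 boinc_t:process ptrace;`. `boinc_admin` starts before this hunk and continues after it.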
@@ -27411,10 +28012,10 @@ index 0000000..fa9b95a
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
-index 0000000..e841806
+index 0000000..61db909
--- /dev/null
+++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,174 @@
+@@ -0,0 +1,178 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -27538,9 +28139,13 @@ index 0000000..e841806
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+
-+allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
+
++tunable_policy(`deny_ptrace',`',`
++ allow boinc_project_t self:process ptrace;
++')
++
+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
+allow boinc_project_t self:sem create_sem_perms;
+
@@ -27599,10 +28204,10 @@ index 8c84063..c8bfb68 100644
/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if
-index de89d0f..140f520 100644
+index de89d0f..954e726 100644
--- a/policy/modules/services/bugzilla.if
+++ b/policy/modules/services/bugzilla.if
-@@ -58,13 +58,16 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+@@ -58,13 +58,20 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
interface(`bugzilla_admin',`
gen_require(`
type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
@@ -27613,9 +28218,14 @@ index de89d0f..140f520 100644
+ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
+ ')
- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
++ allow $1 httpd_bugzilla_script_t:process signal_perms;
ps_process_pattern($1, httpd_bugzilla_script_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 httpd_bugzilla_script_t:process ptrace;
++ ')
++
+ files_list_tmp($1)
+ admin_pattern($1, httpd_bugzilla_tmp_t)
+
@@ -27893,10 +28503,10 @@ index 0000000..3e15c63
+/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0)
diff --git a/policy/modules/services/callweaver.if b/policy/modules/services/callweaver.if
new file mode 100644
-index 0000000..564acbd
+index 0000000..512fcb9
--- /dev/null
+++ b/policy/modules/services/callweaver.if
-@@ -0,0 +1,358 @@
+@@ -0,0 +1,362 @@
+## <summary>Open source PBX project.</summary>
+
+########################################
@@ -28235,9 +28845,13 @@ index 0000000..564acbd
+ type callweaver_spool_t;
+ ')
+
-+ allow $1 callweaver_t:process { ptrace signal_perms };
++ allow $1 callweaver_t:process signal_perms;
+ ps_process_pattern($1, callweaver_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 callweaver_t:process ptrace;
++ ')
++
+ callweaver_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 callweaver_initrc_exec_t system_r;
@@ -28348,6 +28962,25 @@ index 5432d0e..f77df02 100644
/var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
-/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
+/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0)
+diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if
+index 4a26b0c..00b64dc 100644
+--- a/policy/modules/services/canna.if
++++ b/policy/modules/services/canna.if
+@@ -42,9 +42,13 @@ interface(`canna_admin',`
+ type canna_var_run_t, canna_initrc_exec_t;
+ ')
+
+- allow $1 canna_t:process { ptrace signal_perms };
++ allow $1 canna_t:process signal_perms;
+ ps_process_pattern($1, canna_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 canna_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 canna_initrc_exec_t system_r;
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 1d25efe..1b16191 100644
--- a/policy/modules/services/canna.te
@@ -28428,7 +29061,7 @@ index 4c90b57..418eb6b 100644
unconfined_use_fds(ccs_t)
')
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
-index fa62787..ffd0da5 100644
+index fa62787..d61f61f 100644
--- a/policy/modules/services/certmaster.if
+++ b/policy/modules/services/certmaster.if
@@ -5,9 +5,9 @@
@@ -28452,7 +29085,7 @@ index fa62787..ffd0da5 100644
## </summary>
## </param>
## <rolecap/>
-@@ -116,8 +116,7 @@ interface(`certmaster_manage_log',`
+@@ -116,21 +116,24 @@ interface(`certmaster_manage_log',`
interface(`certmaster_admin',`
gen_require(`
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
@@ -28461,8 +29094,17 @@ index fa62787..ffd0da5 100644
+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
')
- allow $1 certmaster_t:process { ptrace signal_perms };
-@@ -129,8 +128,8 @@ interface(`certmaster_admin',`
+- allow $1 certmaster_t:process { ptrace signal_perms };
++ allow $1 certmaster_t:process signal_perms;
+ ps_process_pattern($1, certmaster_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 certmaster_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
@@ -28508,7 +29150,7 @@ index 3384132..97d3269 100644
files_search_var_lib(certmaster_t)
diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
-index 7a6e5ba..d664be8 100644
+index 7a6e5ba..e238dfd 100644
--- a/policy/modules/services/certmonger.if
+++ b/policy/modules/services/certmonger.if
@@ -5,9 +5,9 @@
@@ -28523,7 +29165,20 @@ index 7a6e5ba..d664be8 100644
## </param>
#
interface(`certmonger_domtrans',`
-@@ -166,9 +166,9 @@ interface(`certmonger_admin',`
+@@ -158,7 +158,11 @@ interface(`certmonger_admin',`
+ ')
+
+ ps_process_pattern($1, certmonger_t)
+- allow $1 certmonger_t:process { ptrace signal_perms };
++ allow $1 certmonger_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 certmonger_t:process ptrace;
++ ')
+
+ # Allow certmonger_t to restart the apache service
+ certmonger_initrc_domtrans($1)
+@@ -166,9 +170,9 @@ interface(`certmonger_admin',`
role_transition $2 certmonger_initrc_exec_t system_r;
allow $2 system_r;
@@ -28630,10 +29285,10 @@ index 0000000..4ec83df
+/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0)
diff --git a/policy/modules/services/cfengine.if b/policy/modules/services/cfengine.if
new file mode 100644
-index 0000000..12fe9ce
+index 0000000..883b697
--- /dev/null
+++ b/policy/modules/services/cfengine.if
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,42 @@
+
+## <summary>policy for cfengine</summary>
+
@@ -28657,6 +29312,25 @@ index 0000000..12fe9ce
+ domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t)
+')
+
++########################################
++## <summary>
++## Read cfengine lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cfengine_read_lib_files',`
++ gen_require(`
++ type cfengine_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
++')
++
diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te
new file mode 100644
index 0000000..1ba0484
@@ -28791,7 +29465,7 @@ index 0000000..1ba0484
+sysnet_dns_name_resolve(cfengine_monitord_t)
+sysnet_domtrans_ifconfig(cfengine_monitord_t)
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
-index 33facaf..e5cbcef 100644
+index 33facaf..225e70c 100644
--- a/policy/modules/services/cgroup.if
+++ b/policy/modules/services/cgroup.if
@@ -6,9 +6,9 @@
@@ -28830,8 +29504,39 @@ index 33facaf..e5cbcef 100644
## </param>
#
interface(`cgroup_domtrans_cgred',`
+@@ -171,15 +171,27 @@ interface(`cgroup_admin',`
+ type cgrules_etc_t, cgclear_t;
+ ')
+
+- allow $1 cgclear_t:process { ptrace signal_perms };
++ allow $1 cgclear_t:process signal_perms;
+ ps_process_pattern($1, cgclear_t)
+
+- allow $1 cgconfig_t:process { ptrace signal_perms };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cglear_t:process ptrace;
++ ')
++
++ allow $1 cgconfig_t:process signal_perms;
+ ps_process_pattern($1, cgconfig_t)
+
+- allow $1 cgred_t:process { ptrace signal_perms };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cgconfig_t:process ptrace;
++ ')
++
++ allow $1 cgred_t:process signal_perms;
+ ps_process_pattern($1, cgred_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cgred_t:process ptrace;
++ ')
++
+ admin_pattern($1, cgconfig_etc_t)
+ admin_pattern($1, cgrules_etc_t)
+ files_list_etc($1)
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
-index dad226c..7617c53 100644
+index dad226c..084063b 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
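Review bot: The first ptrace rule added to `cgroup_admin` names `cglear_t`, while the interface's require line and every other rule in the hunk use `cgclear_t`; the rule should read `allow $1 cgclear_t:process ptrace;`. As written it refers to a type this interface never requires, so the module presumably either fails to build or the admin role does not get the intended permission on the cgclear domain. The `cmirrord_admin` hunk further down has the same kind of slip, where `cmorrord_t` should be `cmirrord_t`, i.e. `allow $1 cmirrord_t:process ptrace;`. Both are inside the new deny_ptrace blocks, so a build with the policy modules enabled would be a useful check before merging.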
@@ -28853,7 +29558,17 @@ index dad226c..7617c53 100644
allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
kernel_read_system_state(cgclear_t)
-@@ -86,6 +85,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
+@@ -77,7 +76,8 @@ fs_unmount_cgroup(cgconfig_t)
+ # cgred personal policy.
+ #
+
+-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override };
++
+ allow cgred_t self:netlink_socket { write bind create read };
+ allow cgred_t self:unix_dgram_socket { write create connect };
+
+@@ -86,6 +86,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
allow cgred_t cgrules_etc_t:file read_file_perms;
@@ -28863,7 +29578,7 @@ index dad226c..7617c53 100644
# rc script creates pid file
manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
-@@ -104,6 +106,8 @@ files_read_etc_files(cgred_t)
+@@ -104,6 +107,8 @@ files_read_etc_files(cgred_t)
fs_write_cgroup_files(cgred_t)
@@ -28890,7 +29605,7 @@ index fd8cd0b..45096d8 100644
+/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..714f905 100644
+index 9a0da94..4d21fbd 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -29044,7 +29759,7 @@ index 9a0da94..714f905 100644
####################################
## <summary>
## All of the rules required to administrate
-@@ -75,9 +212,9 @@ interface(`chronyd_read_log',`
+@@ -75,31 +212,36 @@ interface(`chronyd_read_log',`
#
interface(`chronyd_admin',`
gen_require(`
@@ -29056,8 +29771,16 @@ index 9a0da94..714f905 100644
+ type chronyd_keys_t;
')
- allow $1 chronyd_t:process { ptrace signal_perms };
-@@ -88,18 +225,19 @@ interface(`chronyd_admin',`
+- allow $1 chronyd_t:process { ptrace signal_perms };
++ allow $1 chronyd_t:process signal_perms;
+ ps_process_pattern($1, chronyd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 chronyd_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+ domain_system_change_exemption($1)
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
@@ -29155,7 +29878,7 @@ index e8e9a21..89fc935 100644
/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
-index 1f11572..9eb2461 100644
+index 1f11572..717fb8d 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
@@ -29208,7 +29931,7 @@ index 1f11572..9eb2461 100644
## All of the rules required to administrate
## an clamav environment
## </summary>
-@@ -151,9 +171,8 @@ interface(`clamav_exec_clamscan',`
+@@ -151,19 +171,24 @@ interface(`clamav_exec_clamscan',`
interface(`clamav_admin',`
gen_require(`
type clamd_t, clamd_etc_t, clamd_tmp_t;
@@ -29220,6 +29943,25 @@ index 1f11572..9eb2461 100644
type freshclam_t, freshclam_var_log_t;
')
+- allow $1 clamd_t:process { ptrace signal_perms };
++ allow $1 clamd_t:process signal_perms;
+ ps_process_pattern($1, clamd_t)
+
+- allow $1 clamscan_t:process { ptrace signal_perms };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 clamd_t:process ptrace;
++ allow $1 clamscan_t:process ptrace;
++ allow $1 freshclam_t:process ptrace;
++ ')
++
++ allow $1 clamscan_t:process signal_perms;
+ ps_process_pattern($1, clamscan_t)
+
+- allow $1 freshclam_t:process { ptrace signal_perms };
++ allow $1 freshclam_t:process signal_perms;
+ ps_process_pattern($1, freshclam_t)
+
+ init_labeled_script_domtrans($1, clamd_initrc_exec_t)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index f758323..8cd02e2 100644
--- a/policy/modules/services/clamav.te
@@ -29763,7 +30505,7 @@ index 049e2b6..dcc7de8 100644
/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
-index f8463c0..bed51fb 100644
+index f8463c0..126b293 100644
--- a/policy/modules/services/cmirrord.if
+++ b/policy/modules/services/cmirrord.if
@@ -70,10 +70,11 @@ interface(`cmirrord_rw_shm',`
@@ -29779,6 +30521,21 @@ index f8463c0..bed51fb 100644
read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
fs_search_tmpfs($1)
')
+@@ -100,9 +101,13 @@ interface(`cmirrord_admin',`
+ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
+ ')
+
+- allow $1 cmirrord_t:process { ptrace signal_perms };
++ allow $1 cmirrord_t:process signal_perms;
+ ps_process_pattern($1, cmirrord_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cmorrord_t:process ptrace;
++ ')
++
+ cmirrord_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
index 1cf6c4e..e4bac67 100644
--- a/policy/modules/services/cobbler.fc
@@ -29823,7 +30580,7 @@ index 1cf6c4e..e4bac67 100644
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
-index 116d60f..82306eb 100644
+index 116d60f..11f6a31 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -1,12 +1,12 @@
@@ -29964,7 +30721,7 @@ index 116d60f..82306eb 100644
## All of the rules required to administrate
## an cobblerd environment
## </summary>
-@@ -161,25 +185,34 @@ interface(`cobbler_manage_lib_files',`
+@@ -161,25 +185,38 @@ interface(`cobbler_manage_lib_files',`
interface(`cobblerd_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
@@ -29975,10 +30732,14 @@ index 116d60f..82306eb 100644
- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, cobblerd_t, cobblerd_t)
-+ allow $1 cobblerd_t:process { ptrace signal_perms };
++ allow $1 cobblerd_t:process signal_perms;
+ ps_process_pattern($1, cobblerd_t)
- files_search_etc($1)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cobblerd_t:process ptrace;
++ ')
++
+ files_list_etc($1)
admin_pattern($1, cobbler_etc_t)
@@ -30005,7 +30766,7 @@ index 116d60f..82306eb 100644
+ ')
')
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..c6dcdfe 100644
+index 0258b48..1328a63 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -30066,7 +30827,7 @@ index 0258b48..c6dcdfe 100644
-allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
-+dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
++dontaudit cobblerd_t self:capability sys_tty_config;
+
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
@@ -30269,10 +31030,10 @@ index 0000000..9d06a27
+
diff --git a/policy/modules/services/collectd.if b/policy/modules/services/collectd.if
new file mode 100644
-index 0000000..ed13d1e
+index 0000000..40a0157
--- /dev/null
+++ b/policy/modules/services/collectd.if
-@@ -0,0 +1,157 @@
+@@ -0,0 +1,161 @@
+
+## <summary>policy for collectd</summary>
+
@@ -30417,9 +31178,13 @@ index 0000000..ed13d1e
+ type collectd_var_lib_t;
+ ')
+
-+ allow $1 collectd_t:process { ptrace signal_perms };
++ allow $1 collectd_t:process signal_perms;
+ ps_process_pattern($1, collectd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 collectd_t:process ptrace;
++ ')
++
+ collectd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 collectd_initrc_exec_t system_r;
@@ -30714,10 +31479,10 @@ index fd15dfe..d33cc41 100644
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index e67a003..192332a 100644
+index e67a003..5b322ca 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
-@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
+@@ -15,12 +15,16 @@ logging_log_file(consolekit_log_t)
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -30727,13 +31492,22 @@ index e67a003..192332a 100644
########################################
#
# consolekit local policy
-@@ -69,11 +72,14 @@ logging_send_audit_msgs(consolekit_t)
+ #
+
+-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
++allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };
++
+ allow consolekit_t self:process { getsched signal };
+ allow consolekit_t self:fifo_file rw_fifo_file_perms;
+ allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+@@ -69,11 +73,15 @@ logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
+systemd_exec_systemctl(consolekit_t)
+
+# consolekit needs to be able to ptrace all logged in users
++userdom_read_all_users_state(consolekit_t)
+userdom_ptrace_all_users(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
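Review bot: `userdom_ptrace_all_users(consolekit_t)` is left outside any deny_ptrace condition, although this hunk removes `sys_ptrace` from the capability set of consolekit_t and a later hunk in the same file wraps `unconfined_ptrace(consolekit_t)` in the tunable. Unless that interface is conditional internally (its body is not visible here), consolekit would keep ptrace access to all user domains with the boolean turned on. If that is intended, the existing comment above the call should say that it is exempt from deny_ptrace. Otherwise the call belongs in the same else-branch block as `unconfined_ptrace`, leaving the newly added `userdom_read_all_users_state(consolekit_t)` unconditional.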
@@ -30744,7 +31518,7 @@ index e67a003..192332a 100644
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
')
-@@ -83,6 +89,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -83,6 +91,14 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -30759,7 +31533,7 @@ index e67a003..192332a 100644
dbus_system_domain(consolekit_t, consolekit_exec_t)
optional_policy(`
-@@ -99,6 +113,10 @@ optional_policy(`
+@@ -99,6 +115,10 @@ optional_policy(`
')
optional_policy(`
@@ -30770,7 +31544,7 @@ index e67a003..192332a 100644
policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
-@@ -106,9 +124,10 @@ optional_policy(`
+@@ -106,9 +126,10 @@ optional_policy(`
')
optional_policy(`
@@ -30783,11 +31557,13 @@ index e67a003..192332a 100644
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
-@@ -125,5 +144,6 @@ optional_policy(`
+@@ -125,5 +146,8 @@ optional_policy(`
optional_policy(`
#reading .Xauthity
-+ unconfined_ptrace(consolekit_t)
++ tunable_policy(`deny_ptrace',`',`
++ unconfined_ptrace(consolekit_t)
++ ')
unconfined_stream_connect(consolekit_t)
')
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
@@ -30806,7 +31582,7 @@ index 3a6d7eb..3f0e601 100644
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
-index 5220c9d..a2e6830 100644
+index 5220c9d..db158cc 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
@@ -30835,8 +31611,23 @@ index 5220c9d..a2e6830 100644
#######################################
## <summary>
## Allow the specified domain to read corosync's log files.
+@@ -82,9 +101,13 @@ interface(`corosyncd_admin',`
+ type corosync_initrc_exec_t;
+ ')
+
+- allow $1 corosync_t:process { ptrace signal_perms };
++ allow $1 corosync_t:process signal_perms;
+ ps_process_pattern($1, corosync_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 corosync_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 corosync_initrc_exec_t system_r;
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 04969e5..b55d7bf 100644
+index 04969e5..0f56485 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
@@ -30853,7 +31644,7 @@ index 04969e5..b55d7bf 100644
-allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-allow corosync_t self:process { setrlimit setsched signal };
-+allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock };
++allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock };
+allow corosync_t self:process { setpgid setrlimit setsched signal signull };
allow corosync_t self:fifo_file rw_fifo_file_perms;
@@ -31181,7 +31972,7 @@ index 2eefc08..6ea5693 100644
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..445ced4 100644
+index 35241ed..7a0913c 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -12,6 +12,11 @@
@@ -31285,7 +32076,7 @@ index 35241ed..445ced4 100644
')
role $1 types { cronjob_t crontab_t };
-@@ -116,9 +131,16 @@ interface(`cron_role',`
+@@ -116,9 +131,20 @@ interface(`cron_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
@@ -31299,11 +32090,15 @@ index 35241ed..445ced4 100644
# crontab shows up in user ps
ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
-+ allow $2 crontab_t:process { ptrace signal_perms };
++ allow $2 crontab_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 crontab_t:process ptrace;
++ ')
# Run helper programs as the user domain
#corecmd_bin_domtrans(crontab_t, $2)
-@@ -132,9 +154,8 @@ interface(`cron_role',`
+@@ -132,9 +158,8 @@ interface(`cron_role',`
')
dbus_stub(cronjob_t)
@@ -31314,7 +32109,7 @@ index 35241ed..445ced4 100644
')
########################################
-@@ -151,29 +172,18 @@ interface(`cron_role',`
+@@ -151,29 +176,21 @@ interface(`cron_role',`
## User domain for the role
## </summary>
## </param>
@@ -31344,11 +32139,14 @@ index 35241ed..445ced4 100644
- #corecmd_shell_domtrans(crontab_t, $2)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
-+ allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
++ allow $2 unconfined_cronjob_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 unconfined_cronjob_t:process ptrace;
++ ')
optional_policy(`
gen_require(`
-@@ -181,9 +191,8 @@ interface(`cron_unconfined_role',`
+@@ -181,9 +198,8 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
@@ -31359,7 +32157,7 @@ index 35241ed..445ced4 100644
')
########################################
-@@ -200,6 +209,7 @@ interface(`cron_unconfined_role',`
+@@ -200,6 +216,7 @@ interface(`cron_unconfined_role',`
## User domain for the role
## </summary>
## </param>
@@ -31367,16 +32165,19 @@ index 35241ed..445ced4 100644
#
interface(`cron_admin_role',`
gen_require(`
-@@ -220,7 +230,7 @@ interface(`cron_admin_role',`
+@@ -220,7 +237,10 @@ interface(`cron_admin_role',`
# crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
- allow $2 admin_crontab_t:process signal;
-+ allow $2 admin_crontab_t:process { ptrace signal_perms };
++ allow $2 admin_crontab_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 admin_crontab_t:process ptrace;
++ ')
# Run helper programs as the user domain
#corecmd_bin_domtrans(admin_crontab_t, $2)
-@@ -234,9 +244,8 @@ interface(`cron_admin_role',`
+@@ -234,9 +254,8 @@ interface(`cron_admin_role',`
')
dbus_stub(admin_cronjob_t)
@@ -31387,7 +32188,7 @@ index 35241ed..445ced4 100644
')
########################################
-@@ -304,7 +313,7 @@ interface(`cron_exec',`
+@@ -304,7 +323,7 @@ interface(`cron_exec',`
########################################
## <summary>
@@ -31396,7 +32197,7 @@ index 35241ed..445ced4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -322,6 +331,29 @@ interface(`cron_initrc_domtrans',`
+@@ -322,6 +341,29 @@ interface(`cron_initrc_domtrans',`
########################################
## <summary>
@@ -31426,7 +32227,7 @@ index 35241ed..445ced4 100644
## Inherit and use a file descriptor
## from the cron daemon.
## </summary>
-@@ -377,6 +409,47 @@ interface(`cron_read_pipes',`
+@@ -377,6 +419,47 @@ interface(`cron_read_pipes',`
########################################
## <summary>
@@ -31474,7 +32275,7 @@ index 35241ed..445ced4 100644
## Do not audit attempts to write cron daemon unnamed pipes.
## </summary>
## <param name="domain">
-@@ -390,6 +463,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +473,7 @@ interface(`cron_dontaudit_write_pipes',`
type crond_t;
')
@@ -31482,7 +32283,7 @@ index 35241ed..445ced4 100644
dontaudit $1 crond_t:fifo_file write;
')
-@@ -408,7 +482,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +492,43 @@ interface(`cron_rw_pipes',`
type crond_t;
')
@@ -31527,7 +32328,7 @@ index 35241ed..445ced4 100644
')
########################################
-@@ -468,6 +578,25 @@ interface(`cron_search_spool',`
+@@ -468,6 +588,25 @@ interface(`cron_search_spool',`
########################################
## <summary>
@@ -31553,7 +32354,7 @@ index 35241ed..445ced4 100644
## Manage pid files used by cron
## </summary>
## <param name="domain">
-@@ -481,6 +610,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +620,7 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
@@ -31561,7 +32362,7 @@ index 35241ed..445ced4 100644
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
-@@ -536,7 +666,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +676,7 @@ interface(`cron_write_system_job_pipes',`
type system_cronjob_t;
')
@@ -31570,7 +32371,7 @@ index 35241ed..445ced4 100644
')
########################################
-@@ -554,7 +684,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +694,7 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
@@ -31579,7 +32380,7 @@ index 35241ed..445ced4 100644
')
########################################
-@@ -587,11 +717,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +727,14 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -31595,7 +32396,7 @@ index 35241ed..445ced4 100644
')
########################################
-@@ -627,7 +760,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +770,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
@@ -31644,7 +32445,7 @@ index 35241ed..445ced4 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..4100ff7 100644
+index f7583ab..258a3d7 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -31846,7 +32647,7 @@ index f7583ab..4100ff7 100644
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
-@@ -250,11 +279,30 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +279,31 @@ tunable_policy(`fcron_crond', `
')
optional_policy(`
@@ -31867,6 +32668,7 @@ index f7583ab..4100ff7 100644
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
++ init_dbus_chat(crond_t)
+')
+
+optional_policy(`
@@ -31877,7 +32679,7 @@ index f7583ab..4100ff7 100644
amanda_search_var_lib(crond_t)
')
-@@ -264,6 +312,8 @@ optional_policy(`
+@@ -264,6 +313,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
@@ -31886,7 +32688,7 @@ index f7583ab..4100ff7 100644
')
optional_policy(`
-@@ -286,15 +336,26 @@ optional_policy(`
+@@ -286,15 +337,25 @@ optional_policy(`
')
optional_policy(`
@@ -31908,7 +32710,6 @@ index f7583ab..4100ff7 100644
#
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
-+dontaudit system_cronjob_t self:capability sys_ptrace;
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
@@ -32106,10 +32907,10 @@ index 0000000..2db6b61
+
diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if
new file mode 100644
-index 0000000..1171f34
+index 0000000..5c1e8b0
--- /dev/null
+++ b/policy/modules/services/ctdbd.if
-@@ -0,0 +1,256 @@
+@@ -0,0 +1,259 @@
+
+## <summary>policy for ctdbd</summary>
+
@@ -32348,8 +33149,11 @@ index 0000000..1171f34
+ type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
+ ')
+
-+ allow $1 ctdbd_t:process { ptrace signal_perms };
++ allow $1 ctdbd_t:process signal_perms;
+ ps_process_pattern($1, ctdbd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ctdbd_t:process ptrace;
++ ')
+
+ ctdbd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -32368,7 +33172,7 @@ index 0000000..1171f34
+
diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
new file mode 100644
-index 0000000..5a15b82
+index 0000000..284fbae
--- /dev/null
+++ b/policy/modules/services/ctdbd.te
@@ -0,0 +1,114 @@
@@ -32407,7 +33211,7 @@ index 0000000..5a15b82
+# ctdbd local policy
+#
+
-+allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace };
++allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
+allow ctdbd_t self:process { setpgid signal_perms setsched };
+
+allow ctdbd_t self:fifo_file rw_fifo_file_perms;
@@ -32529,7 +33333,7 @@ index 1b492ed..c79454d 100644
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
-index 305ddf4..173cd16 100644
+index 305ddf4..2746e6f 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -9,6 +9,11 @@
@@ -32557,7 +33361,7 @@ index 305ddf4..173cd16 100644
read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
')
-@@ -314,11 +321,10 @@ interface(`cups_stream_connect_ptal',`
+@@ -314,16 +321,19 @@ interface(`cups_stream_connect_ptal',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
@@ -32572,8 +33376,18 @@ index 305ddf4..173cd16 100644
+ type ptal_var_run_t;
')
- allow $1 cupsd_t:process { ptrace signal_perms };
-@@ -341,15 +347,14 @@ interface(`cups_admin',`
+- allow $1 cupsd_t:process { ptrace signal_perms };
++ allow $1 cupsd_t:process signal_perms;
+ ps_process_pattern($1, cupsd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cupsd_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cupsd_initrc_exec_t system_r;
+@@ -341,15 +351,14 @@ interface(`cups_admin',`
admin_pattern($1, cupsd_lpd_var_run_t)
@@ -32818,7 +33632,7 @@ index 0f28095..825cafb 100644
optional_policy(`
dbus_system_bus_client(hplip_t)
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
-index c43ff4c..6ca9a6b 100644
+index c43ff4c..5da88b5 100644
--- a/policy/modules/services/cvs.if
+++ b/policy/modules/services/cvs.if
@@ -1,5 +1,23 @@
@@ -32845,7 +33659,7 @@ index c43ff4c..6ca9a6b 100644
########################################
## <summary>
## Read the CVS data and metadata.
-@@ -58,9 +76,8 @@ interface(`cvs_exec',`
+@@ -58,14 +76,17 @@ interface(`cvs_exec',`
#
interface(`cvs_admin',`
gen_require(`
@@ -32855,7 +33669,17 @@ index c43ff4c..6ca9a6b 100644
- type cvs_initrc_exec_t;
')
- allow $1 cvs_t:process { ptrace signal_perms };
+- allow $1 cvs_t:process { ptrace signal_perms };
++ allow $1 cvs_t:process signal_perms;
+ ps_process_pattern($1, cvs_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cvs_t:process ptrace;
++ ')
++
+ # Allow cvs_t to restart the apache service
+ init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 88e7e97..e18dc0b 100644
--- a/policy/modules/services/cvs.te
@@ -32923,6 +33747,25 @@ index 25546bc..4def4f7 100644
/var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
+diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if
+index e4e86d0..7c30655 100644
+--- a/policy/modules/services/cyrus.if
++++ b/policy/modules/services/cyrus.if
+@@ -62,9 +62,13 @@ interface(`cyrus_admin',`
+ type cyrus_var_run_t, cyrus_initrc_exec_t;
+ ')
+
+- allow $1 cyrus_t:process { ptrace signal_perms };
++ allow $1 cyrus_t:process signal_perms;
+ ps_process_pattern($1, cyrus_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cyrus_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index a01be9d..01f2f23 100644
--- a/policy/modules/services/cyrus.te
@@ -32989,7 +33832,7 @@ index 81eba14..d0ab56c 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..843d5fd 100644
+index 1a1becd..3558f18 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -33014,7 +33857,7 @@ index 1a1becd..843d5fd 100644
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
-@@ -62,107 +61,26 @@ template(`dbus_role_template',`
+@@ -62,107 +61,30 @@ template(`dbus_role_template',`
# Local policy
#
@@ -33039,16 +33882,19 @@ index 1a1becd..843d5fd 100644
- allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
- read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
- read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
--
++ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+
- manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
- manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
- files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
--
- domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
-- allow $3 $1_dbusd_t:process { signull sigkill signal };
-+
+ ps_process_pattern($3, $1_dbusd_t)
-+ allow $3 $1_dbusd_t:process { ptrace signal_perms };
++ allow $3 $1_dbusd_t:process signal_perms;
+
+- domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+- allow $3 $1_dbusd_t:process { signull sigkill signal };
++ tunable_policy(`deny_ptrace',`',`
++ allow $3 $1_dbusd_t:process ptrace;
++ ')
# cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $3)
@@ -33129,7 +33975,7 @@ index 1a1becd..843d5fd 100644
')
#######################################
-@@ -181,11 +99,12 @@ interface(`dbus_system_bus_client',`
+@@ -181,11 +103,12 @@ interface(`dbus_system_bus_client',`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@@ -33143,7 +33989,7 @@ index 1a1becd..843d5fd 100644
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -198,6 +117,34 @@ interface(`dbus_system_bus_client',`
+@@ -198,6 +121,34 @@ interface(`dbus_system_bus_client',`
#######################################
## <summary>
@@ -33178,7 +34024,7 @@ index 1a1becd..843d5fd 100644
## Template for creating connections to
## a user DBUS.
## </summary>
-@@ -218,6 +165,8 @@ interface(`dbus_session_bus_client',`
+@@ -218,6 +169,8 @@ interface(`dbus_session_bus_client',`
# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
@@ -33187,7 +34033,7 @@ index 1a1becd..843d5fd 100644
')
########################################
-@@ -322,6 +271,11 @@ interface(`dbus_connect_session_bus',`
+@@ -322,6 +275,11 @@ interface(`dbus_connect_session_bus',`
## Allow a application domain to be started
## by the session dbus.
## </summary>
@@ -33199,7 +34045,7 @@ index 1a1becd..843d5fd 100644
## <param name="domain">
## <summary>
## Type to be used as a domain.
-@@ -336,13 +290,13 @@ interface(`dbus_connect_session_bus',`
+@@ -336,13 +294,13 @@ interface(`dbus_connect_session_bus',`
#
interface(`dbus_session_domain',`
gen_require(`
@@ -33217,7 +34063,7 @@ index 1a1becd..843d5fd 100644
')
########################################
-@@ -421,27 +375,16 @@ interface(`dbus_system_bus_unconfined',`
+@@ -421,27 +379,16 @@ interface(`dbus_system_bus_unconfined',`
#
interface(`dbus_system_domain',`
gen_require(`
@@ -33247,7 +34093,7 @@ index 1a1becd..843d5fd 100644
')
########################################
-@@ -464,26 +407,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -464,26 +411,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
## <summary>
@@ -33280,7 +34126,7 @@ index 1a1becd..843d5fd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -491,10 +433,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +437,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -33653,10 +34499,10 @@ index ec19ff4..2f84017 100644
########################################
#
diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
-index 0a1a61b..da508f4 100644
+index 0a1a61b..64742c6 100644
--- a/policy/modules/services/ddclient.if
+++ b/policy/modules/services/ddclient.if
-@@ -64,8 +64,8 @@ interface(`ddclient_run',`
+@@ -64,13 +64,17 @@ interface(`ddclient_run',`
interface(`ddclient_admin',`
gen_require(`
type ddclient_t, ddclient_etc_t, ddclient_log_t;
@@ -33666,7 +34512,17 @@ index 0a1a61b..da508f4 100644
+ type ddclient_var_run_t;
')
- allow $1 ddclient_t:process { ptrace signal_perms };
+- allow $1 ddclient_t:process { ptrace signal_perms };
++ allow $1 ddclient_t:process signal_perms;
+ ps_process_pattern($1, ddclient_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ddclient_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index 24ba98a..b8d064a 100644
--- a/policy/modules/services/ddclient.te
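Review bot: Adding the `deny_ptrace` conditional inside `ddclient_admin` makes the interface expand to a conditional block, and SELinux conditionals cannot be nested, so any caller that invokes it from inside its own `tunable_policy` would stop compiling. Callers are not visible in this hunk, so that needs checking. The same construct is added to `denyhosts_admin`, `devicekit_admin`, `dhcpd_admin`, `dictd_admin`, `dnsmasq_admin`, `dovecot_admin`, `ftp_admin`, `hadoop_role` and `hal_ptrace` further down. The ptrace rule sits in the else branch, so it stays granted until the boolean is switched on; a line such as `# ptrace on ddclient_t is granted only while deny_ptrace is off` above the block would make that inverted sense explicit. `ddclient_admin` continues past the end of the hunk.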
@@ -33727,7 +34583,7 @@ index 24ba98a..b8d064a 100644
miscfiles_read_localization(ddclient_t)
diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
-index 567865f..9c9e65c 100644
+index 567865f..3a57eb9 100644
--- a/policy/modules/services/denyhosts.if
+++ b/policy/modules/services/denyhosts.if
@@ -13,12 +13,12 @@
@@ -33755,7 +34611,7 @@ index 567865f..9c9e65c 100644
gen_require(`
type denyhosts_initrc_exec_t;
')
-@@ -59,8 +59,9 @@ interface(`denyhosts_initrc_domtrans', `
+@@ -59,27 +59,32 @@ interface(`denyhosts_initrc_domtrans', `
## Role allowed access.
## </summary>
## </param>
@@ -33766,7 +34622,18 @@ index 567865f..9c9e65c 100644
gen_require(`
type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
-@@ -74,12 +75,12 @@ interface(`denyhosts_admin', `
+ ')
+
+- allow $1 denyhosts_t:process { ptrace signal_perms };
++ allow $1 denyhosts_t:process signal_perms;
+ ps_process_pattern($1, denyhosts_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 denyhosts_t:process ptrace;
++ ')
++
+ denyhosts_initrc_domtrans($1)
+ domain_system_change_exemption($1)
role_transition $2 denyhosts_initrc_exec_t system_r;
allow $2 system_r;
@@ -33850,7 +34717,7 @@ index 418a5a0..c25fbdc 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..5001351 100644
+index f706b99..b62f5a9 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -34059,20 +34926,25 @@ index f706b99..5001351 100644
## </summary>
## </param>
## <rolecap/>
-@@ -165,21 +308,39 @@ interface(`devicekit_admin',`
+@@ -165,21 +308,44 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
- allow $1 devicekit_t:process { ptrace signal_perms getattr };
-+ allow $1 devicekit_t:process { ptrace signal_perms };
++ allow $1 devicekit_t:process signal_perms;
ps_process_pattern($1, devicekit_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 devicekit_t:process ptrace;
++ allow $1 devicekit_disk_t:process ptrace;
++ allow $1 devicekit_power_t:process ptrace;
++ ')
- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
-+ allow $1 devicekit_disk_t:process { ptrace signal_perms };
++ allow $1 devicekit_disk_t:process signal_perms;
ps_process_pattern($1, devicekit_disk_t)
- allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
-+ allow $1 devicekit_power_t:process { ptrace signal_perms };
++ allow $1 devicekit_power_t:process signal_perms;
ps_process_pattern($1, devicekit_power_t)
admin_pattern($1, devicekit_tmp_t)
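Review bot: The three ptrace rules in the `deny_ptrace` block of `devicekit_admin` could be a single rule over a type set, as the fail2ban hunk does: `allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process ptrace;`. As written, the block sits between the devicekit_t and devicekit_disk_t stanzas yet also covers the power domain, so a reader of the devicekit_power_t stanza has to look upward to find its ptrace grant. Moving the block after the last `ps_process_pattern` would keep the per-domain stanzas uniform. The glance hunk groups its two domains the same way.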
@@ -34106,7 +34978,7 @@ index f706b99..5001351 100644
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..8cc1f09 100644
+index f231f17..f277ea6 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -34119,7 +34991,17 @@ index f231f17..8cc1f09 100644
########################################
#
# DeviceKit local policy
-@@ -75,10 +78,13 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -62,7 +65,8 @@ optional_policy(`
+ # DeviceKit disk local policy
+ #
+
+-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
++
+ allow devicekit_disk_t self:process { getsched signal_perms };
+ allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -75,10 +79,13 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
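Review bot: `sys_ptrace` is removed from the `devicekit_disk_t` capability rule unconditionally, with no tie to the `deny_ptrace` boolean that gates the `process ptrace` rules elsewhere in this commit. The domain still calls `domain_read_all_domains_state` (visible in a later hunk header), and reading other processes' /proc state may be what the capability was granted for, so it is worth confirming from AVC logs that nothing regresses. The same unconditional removal is made for `devicekit_power_t`, `fprintd_t` and `gnomeclock_t` below. A short comment next to the rule, such as `# sys_ptrace dropped on purpose; not controlled by deny_ptrace`, would record the intent.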
@@ -34133,7 +35015,7 @@ index f231f17..8cc1f09 100644
kernel_getattr_message_if(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
-@@ -97,6 +103,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
+@@ -97,6 +104,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -34141,7 +35023,7 @@ index f231f17..8cc1f09 100644
domain_getattr_all_pipes(devicekit_disk_t)
domain_getattr_all_sockets(devicekit_disk_t)
-@@ -105,14 +112,17 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -105,14 +113,17 @@ domain_read_all_domains_state(devicekit_disk_t)
files_dontaudit_read_all_symlinks(devicekit_disk_t)
files_getattr_all_sockets(devicekit_disk_t)
@@ -34160,7 +35042,7 @@ index f231f17..8cc1f09 100644
fs_list_inotifyfs(devicekit_disk_t)
fs_manage_fusefs_dirs(devicekit_disk_t)
fs_mount_all_fs(devicekit_disk_t)
-@@ -127,7 +137,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -127,7 +138,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
@@ -34169,7 +35051,7 @@ index f231f17..8cc1f09 100644
auth_use_nsswitch(devicekit_disk_t)
-@@ -178,55 +188,84 @@ optional_policy(`
+@@ -178,55 +189,84 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -34184,8 +35066,9 @@ index f231f17..8cc1f09 100644
# DeviceKit-Power local policy
#
- allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-allow devicekit_power_t self:process getsched;
++allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
+allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
@@ -34258,7 +35141,7 @@ index f231f17..8cc1f09 100644
userdom_read_all_users_state(devicekit_power_t)
-@@ -235,7 +274,12 @@ optional_policy(`
+@@ -235,7 +275,12 @@ optional_policy(`
')
optional_policy(`
@@ -34271,7 +35154,7 @@ index f231f17..8cc1f09 100644
')
optional_policy(`
-@@ -261,14 +305,21 @@ optional_policy(`
+@@ -261,14 +306,21 @@ optional_policy(`
')
optional_policy(`
@@ -34294,7 +35177,7 @@ index f231f17..8cc1f09 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +327,30 @@ optional_policy(`
+@@ -276,9 +328,30 @@ optional_policy(`
')
optional_policy(`
@@ -34343,7 +35226,7 @@ index 767e0c7..4fbde9d 100644
-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
-index 5e2cea8..7a18800 100644
+index 5e2cea8..8eec089 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
@@ -34386,7 +35269,7 @@ index 5e2cea8..7a18800 100644
## All of the rules required to administrate
## an dhcp environment
## </summary>
-@@ -77,7 +101,7 @@ interface(`dhcpd_initrc_domtrans',`
+@@ -77,12 +101,15 @@ interface(`dhcpd_initrc_domtrans',`
#
interface(`dhcpd_admin',`
gen_require(`
@@ -34395,7 +35278,16 @@ index 5e2cea8..7a18800 100644
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
')
-@@ -96,4 +120,6 @@ interface(`dhcpd_admin',`
+- allow $1 dhcpd_t:process { ptrace signal_perms };
++ allow $1 dhcpd_t:process signal_perms;
+ ps_process_pattern($1, dhcpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dhcpd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -96,4 +123,6 @@ interface(`dhcpd_admin',`
files_list_pids($1)
admin_pattern($1, dhcpd_var_run_t)
@@ -34448,6 +35340,23 @@ index d4424ad..f90959a 100644
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
+diff --git a/policy/modules/services/dictd.if b/policy/modules/services/dictd.if
+index a0d23ce..83a7ca5 100644
+--- a/policy/modules/services/dictd.if
++++ b/policy/modules/services/dictd.if
+@@ -38,8 +38,11 @@ interface(`dictd_admin',`
+ type dictd_var_run_t, dictd_initrc_exec_t;
+ ')
+
+- allow $1 dictd_t:process { ptrace signal_perms };
++ allow $1 dictd_t:process signal_perms;
+ ps_process_pattern($1, dictd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dictd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index d2d9359..ee10625 100644
--- a/policy/modules/services/dictd.te
@@ -35278,7 +36187,7 @@ index b886676..ab3af9c 100644
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..982c0ea 100644
+index 9bd812b..144cbb7 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -10,7 +10,6 @@
@@ -35464,7 +36373,20 @@ index 9bd812b..982c0ea 100644
## All of the rules required to administrate
## an dnsmasq environment
## </summary>
-@@ -208,4 +311,6 @@ interface(`dnsmasq_admin',`
+@@ -195,8 +298,11 @@ interface(`dnsmasq_admin',`
+ type dnsmasq_initrc_exec_t;
+ ')
+
+- allow $1 dnsmasq_t:process { ptrace signal_perms };
++ allow $1 dnsmasq_t:process signal_perms;
+ ps_process_pattern($1, dnsmasq_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dnsmasq_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -208,4 +314,6 @@ interface(`dnsmasq_admin',`
files_list_pids($1)
admin_pattern($1, dnsmasq_var_run_t)
@@ -35550,7 +36472,7 @@ index bfc880b..9a1dcba 100644
')
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
-index e1d7dc5..673f185 100644
+index e1d7dc5..0557be0 100644
--- a/policy/modules/services/dovecot.if
+++ b/policy/modules/services/dovecot.if
@@ -1,5 +1,24 @@
@@ -35601,7 +36523,7 @@ index e1d7dc5..673f185 100644
manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
')
-@@ -93,12 +113,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
+@@ -93,16 +113,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
#
interface(`dovecot_admin',`
gen_require(`
@@ -35617,8 +36539,16 @@ index e1d7dc5..673f185 100644
+ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
')
- allow $1 dovecot_t:process { ptrace signal_perms };
-@@ -112,8 +130,11 @@ interface(`dovecot_admin',`
+- allow $1 dovecot_t:process { ptrace signal_perms };
++ allow $1 dovecot_t:process signal_perms;
+ ps_process_pattern($1, dovecot_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dovecot_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -112,8 +133,11 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, dovecot_etc_t)
@@ -35632,7 +36562,7 @@ index e1d7dc5..673f185 100644
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
-@@ -121,6 +142,9 @@ interface(`dovecot_admin',`
+@@ -121,6 +145,9 @@ interface(`dovecot_admin',`
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
@@ -35877,10 +36807,10 @@ index 0000000..f96c4f2
+
diff --git a/policy/modules/services/drbd.if b/policy/modules/services/drbd.if
new file mode 100644
-index 0000000..63f11d9
+index 0000000..f92ef50
--- /dev/null
+++ b/policy/modules/services/drbd.if
-@@ -0,0 +1,130 @@
+@@ -0,0 +1,133 @@
+
+## <summary>policy for drbd</summary>
+
@@ -36003,8 +36933,11 @@ index 0000000..63f11d9
+ type drbd_var_lib_t;
+ ')
+
-+ allow $1 drbd_t:process { ptrace signal_perms };
++ allow $1 drbd_t:process signal_perms;
+ ps_process_pattern($1, drbd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 drbd_t:process ptrace;
++ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, drbd_var_lib_t)
@@ -36091,10 +37024,10 @@ index 0000000..cc0815b
+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_content_rw_t,s0)
diff --git a/policy/modules/services/dspam.if b/policy/modules/services/dspam.if
new file mode 100644
-index 0000000..d7a7118
+index 0000000..a446210
--- /dev/null
+++ b/policy/modules/services/dspam.if
-@@ -0,0 +1,264 @@
+@@ -0,0 +1,267 @@
+
+## <summary>policy for dspam</summary>
+
@@ -36341,8 +37274,11 @@ index 0000000..d7a7118
+ type dspam_var_run_t;
+ ')
+
-+ allow $1 dspam_t:process { ptrace signal_perms };
++ allow $1 dspam_t:process signal_perms;
+ ps_process_pattern($1, dspam_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dspam_t:process ptrace;
++ ')
+
+ dspam_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -36474,7 +37410,7 @@ index 298f066..b54de69 100644
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
-index 6bef7f8..885cd43 100644
+index 6bef7f8..fb2fd2f 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -5,9 +5,9 @@
@@ -36551,7 +37487,7 @@ index 6bef7f8..885cd43 100644
## </param>
#
interface(`exim_append_log',`
-@@ -194,3 +237,46 @@ interface(`exim_manage_spool_files',`
+@@ -194,3 +237,49 @@ interface(`exim_manage_spool_files',`
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
')
@@ -36578,8 +37514,11 @@ index 6bef7f8..885cd43 100644
+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ ')
+
-+ allow $1 exim_t:process { ptrace signal_perms };
++ allow $1 exim_t:process signal_perms;
+ ps_process_pattern($1, exim_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 exim_t:process ptrace;
++ ')
+
+ exim_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -36713,7 +37652,7 @@ index 0de2b83..b93171c 100644
/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
-index f590a1f..338e5bf 100644
+index f590a1f..18bdd33 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -5,9 +5,9 @@
@@ -36802,7 +37741,7 @@ index f590a1f..338e5bf 100644
## All of the rules required to administrate
## an fail2ban environment
## </summary>
-@@ -155,12 +194,13 @@ interface(`fail2ban_read_pid_files',`
+@@ -155,12 +194,16 @@ interface(`fail2ban_read_pid_files',`
#
interface(`fail2ban_admin',`
gen_require(`
@@ -36815,12 +37754,15 @@ index f590a1f..338e5bf 100644
- allow $1 fail2ban_t:process { ptrace signal_perms };
- ps_process_pattern($1, fail2ban_t)
-+ allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
++ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
+ ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
++ ')
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -172,4 +212,10 @@ interface(`fail2ban_admin',`
+@@ -172,4 +215,10 @@ interface(`fail2ban_admin',`
files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)
@@ -36938,10 +37880,10 @@ index 0000000..83279fb
+/var/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0)
diff --git a/policy/modules/services/fcoemon.if b/policy/modules/services/fcoemon.if
new file mode 100644
-index 0000000..d827274
+index 0000000..f25a1cb
--- /dev/null
+++ b/policy/modules/services/fcoemon.if
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,94 @@
+
+## <summary>policy for fcoemon</summary>
+
@@ -37025,8 +37967,11 @@ index 0000000..d827274
+ type fcoemon_var_run_t;
+ ')
+
-+ allow $1 fcoemon_t:process { ptrace signal_perms };
++ allow $1 fcoemon_t:process signal_perms;
+ ps_process_pattern($1, fcoemon_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 fcoemon_t:process ptrace;
++ ')
+
+ files_search_pids($1)
+ admin_pattern($1, fcoemon_var_run_t)
@@ -37100,17 +38045,21 @@ index 455c620..c263c70 100644
#
# /etc
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
-index 6537214..7d64c0a 100644
+index 6537214..8629354 100644
--- a/policy/modules/services/fetchmail.if
+++ b/policy/modules/services/fetchmail.if
-@@ -18,6 +18,7 @@ interface(`fetchmail_admin',`
+@@ -18,7 +18,11 @@ interface(`fetchmail_admin',`
type fetchmail_var_run_t;
')
-+ allow $1 fetchmail_t:process { ptrace signal_perms };
++ allow $1 fetchmail_t:process signal_perms;
ps_process_pattern($1, fetchmail_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 fetchmail_t:process ptrace;
++ ')
files_list_etc($1)
+ admin_pattern($1, fetchmail_etc_t)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index 3459d93..3d4e162 100644
--- a/policy/modules/services/fetchmail.te
@@ -37203,10 +38152,10 @@ index 0000000..ba9a7a9
+/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
new file mode 100644
-index 0000000..84d1768
+index 0000000..06462d4
--- /dev/null
+++ b/policy/modules/services/firewalld.if
-@@ -0,0 +1,73 @@
+@@ -0,0 +1,76 @@
+
+## <summary>policy for firewalld</summary>
+
@@ -37271,8 +38220,11 @@ index 0000000..84d1768
+ type firewalld_initrc_exec_t;
+ ')
+
-+ allow $1 firewalld_t:process { ptrace signal_perms };
++ allow $1 firewalld_t:process signal_perms;
+ ps_process_pattern($1, firewalld_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 firewalld_t:process ptrace;
++ ')
+
+ firewalld_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -37376,22 +38328,23 @@ index ebad8c4..c02062c 100644
')
-
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
-index 7df52c7..899feaf 100644
+index 7df52c7..8512254 100644
--- a/policy/modules/services/fprintd.te
+++ b/policy/modules/services/fprintd.te
-@@ -17,9 +17,9 @@ files_type(fprintd_var_lib_t)
+@@ -17,9 +17,10 @@ files_type(fprintd_var_lib_t)
# Local policy
#
-allow fprintd_t self:capability sys_ptrace;
-+allow fprintd_t self:capability { sys_nice sys_ptrace };
++allow fprintd_t self:capability sys_nice;
++
allow fprintd_t self:fifo_file rw_fifo_file_perms;
-allow fprintd_t self:process { getsched signal };
+allow fprintd_t self:process { getsched setsched signal };
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -54,4 +54,5 @@ optional_policy(`
+@@ -54,4 +55,5 @@ optional_policy(`
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
policykit_domtrans_auth(fprintd_t)
@@ -37417,7 +38370,7 @@ index 69dcd2a..80eefd3 100644
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
-index 9d3201b..7da7267 100644
+index 9d3201b..41c2c99 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -1,5 +1,66 @@
@@ -37487,7 +38440,20 @@ index 9d3201b..7da7267 100644
#######################################
## <summary>
## Allow domain dyntransition to sftpd_anon domain.
-@@ -203,4 +264,6 @@ interface(`ftp_admin',`
+@@ -176,8 +237,11 @@ interface(`ftp_admin',`
+ type ftpd_initrc_exec_t;
+ ')
+
+- allow $1 ftpd_t:process { ptrace signal_perms };
++ allow $1 ftpd_t:process signal_perms;
+ ps_process_pattern($1, ftpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ftpd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -203,4 +267,6 @@ interface(`ftp_admin',`
logging_list_logs($1)
admin_pattern($1, xferlog_t)
@@ -37784,10 +38750,10 @@ index 54f0737..44a9663 100644
+/var/www/git/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
-index 458aac6..8e83609 100644
+index 458aac6..27945d1 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
-@@ -1 +1,539 @@
+@@ -1 +1,542 @@
-## <summary>GIT revision control system</summary>
+## <summary>Fast Version Control System.</summary>
+## <desc>
@@ -37833,8 +38799,11 @@ index 458aac6..8e83609 100644
+
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
+
-+ allow $2 git_session_t:process { ptrace signal_perms };
++ allow $2 git_session_t:process signal_perms;
+ ps_process_pattern($2, git_session_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 git_session_t:process ptrace;
++ ')
+')
+
+########################################
@@ -38555,10 +39524,10 @@ index 0000000..7d27335
+/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if
new file mode 100644
-index 0000000..3b1870a
+index 0000000..8cc6d17
--- /dev/null
+++ b/policy/modules/services/glance.if
-@@ -0,0 +1,272 @@
+@@ -0,0 +1,276 @@
+
+## <summary>policy for glance</summary>
+
@@ -38806,10 +39775,14 @@ index 0000000..3b1870a
+ type glance_api_initrc_exec_t;
+ ')
+
-+ allow $1 glance_registry_t:process { ptrace signal_perms };
++ allow $1 glance_registry_t:process signal_perms;
+ ps_process_pattern($1, glance_registry_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 glance_registry_t:process ptrace;
++ allow $1 glance_api_t:process ptrace;
++ ')
+
-+ allow $1 glance_api_t:process { ptrace signal_perms };
++ allow $1 glance_api_t:process signal_perms;
+ ps_process_pattern($1, glance_api_t)
+
+ init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
@@ -38983,14 +39956,16 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..4978f18 100644
+index 4fde46b..a1d38a3 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -14,19 +14,26 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+ # gnomeclock local policy
#
- allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+-allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
-allow gnomeclock_t self:process { getattr getsched };
++allow gnomeclock_t self:capability { sys_nice sys_time };
+allow gnomeclock_t self:process { getattr getsched signal };
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
@@ -39112,7 +40087,7 @@ index a627b34..c4cfc6d 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..d5795a5 100644
+index 03742d8..f38c5db 100644
--- a/policy/modules/services/gpsd.te
+++ b/policy/modules/services/gpsd.te
@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
@@ -39122,7 +40097,7 @@ index 03742d8..d5795a5 100644
-allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
-allow gpsd_t self:process setsched;
+allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-+dontaudit gpsd_t self:capability { dac_read_search dac_override sys_ptrace };
++dontaudit gpsd_t self:capability { dac_read_search dac_override };
+allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
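Review bot: Dropping `sys_ptrace` from the `dontaudit` rule for `gpsd_t` changes what is logged, not what is allowed. The allow rule in this hunk never included the capability, so attempts stay denied and now produce AVC records. No replacement dontaudit is visible here, so unless one is added elsewhere in the patch, expect new denials from gpsd in the audit log. A comment such as `# sys_ptrace attempts are denied and audited` above the rule would tell the next maintainer the extra log entries are intended.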
@@ -39167,7 +40142,7 @@ index 03742d8..d5795a5 100644
')
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
-index 2d0b4e1..1e40c00 100644
+index 2d0b4e1..6437f07 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -91,7 +91,7 @@ template(`hadoop_domain_template',`
@@ -39187,7 +40162,16 @@ index 2d0b4e1..1e40c00 100644
hadoop_match_lan_spd(hadoop_$1_t)
-@@ -132,10 +133,6 @@ template(`hadoop_domain_template',`
+@@ -126,16 +127,14 @@ template(`hadoop_domain_template',`
+
+ hadoop_exec_config(hadoop_$1_t)
+
+- java_exec(hadoop_$1_t)
++ optional_policy(`
++ java_exec(hadoop_$1_t)
++ ')
+
+ kerberos_use(hadoop_$1_t)
su_exec(hadoop_$1_t)
@@ -39198,7 +40182,7 @@ index 2d0b4e1..1e40c00 100644
####################################
#
# Shared hadoop_$1 initrc policy.
-@@ -175,8 +172,6 @@ template(`hadoop_domain_template',`
+@@ -175,8 +174,6 @@ template(`hadoop_domain_template',`
files_read_etc_files(hadoop_$1_initrc_t)
files_read_usr_files(hadoop_$1_initrc_t)
@@ -39207,7 +40191,7 @@ index 2d0b4e1..1e40c00 100644
fs_getattr_xattr_fs(hadoop_$1_initrc_t)
fs_search_cgroup_dirs(hadoop_$1_initrc_t)
-@@ -184,6 +179,8 @@ template(`hadoop_domain_template',`
+@@ -184,6 +181,8 @@ template(`hadoop_domain_template',`
hadoop_exec_config(hadoop_$1_initrc_t)
@@ -39216,7 +40200,7 @@ index 2d0b4e1..1e40c00 100644
init_rw_utmp(hadoop_$1_initrc_t)
init_use_fds(hadoop_$1_initrc_t)
init_use_script_ptys(hadoop_$1_initrc_t)
-@@ -196,8 +193,9 @@ template(`hadoop_domain_template',`
+@@ -196,8 +195,9 @@ template(`hadoop_domain_template',`
userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
optional_policy(`
@@ -39227,39 +40211,64 @@ index 2d0b4e1..1e40c00 100644
')
########################################
+@@ -224,14 +224,21 @@ interface(`hadoop_role',`
+ hadoop_domtrans($2)
+ role $1 types hadoop_t;
+
+- allow $2 hadoop_t:process { ptrace signal_perms };
++ allow $2 hadoop_t:process signal_perms;
+ ps_process_pattern($2, hadoop_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 hadoop_t:process ptrace;
++ ')
+
+ hadoop_domtrans_zookeeper_client($2)
+ role $1 types zookeeper_t;
+
+- allow $2 zookeeper_t:process { ptrace signal_perms };
++ allow $2 zookeeper_t:process signal_perms;
+ ps_process_pattern($2, zookeeper_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 zookeeper_t:process ptrace;
++ ')
++
+ ')
+
+ ########################################
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
-index 7d3a469..3889dc9 100644
+index 7d3a469..c6824f1 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
-@@ -161,24 +161,16 @@ files_read_usr_files(hadoop_t)
+@@ -161,23 +161,17 @@ files_read_usr_files(hadoop_t)
fs_getattr_xattr_fs(hadoop_t)
-miscfiles_read_localization(hadoop_t)
+-
+-sysnet_read_config(hadoop_t)
+-
+-userdom_use_user_terminals(hadoop_t)
+auth_use_nsswitch(hadoop_t)
--sysnet_read_config(hadoop_t)
+-java_exec(hadoop_t)
+miscfiles_read_localization(hadoop_t)
--userdom_use_user_terminals(hadoop_t)
+-kerberos_use(hadoop_t)
+userdom_use_inherited_user_terminals(hadoop_t)
- java_exec(hadoop_t)
-
- kerberos_use(hadoop_t)
-
--optional_policy(`
+ optional_policy(`
- nis_use_ypbind(hadoop_t)
--')
--
++ java_exec(hadoop_t)
+ ')
+
-optional_policy(`
- nscd_socket_use(hadoop_t)
-')
--
++kerberos_use(hadoop_t)
+
########################################
#
- # Hadoop datanode policy.
-@@ -341,19 +333,17 @@ domain_use_interactive_fds(zookeeper_t)
+@@ -341,17 +335,17 @@ domain_use_interactive_fds(zookeeper_t)
files_read_etc_files(zookeeper_t)
files_read_usr_files(zookeeper_t)
@@ -39273,15 +40282,22 @@ index 7d3a469..3889dc9 100644
+userdom_use_inherited_user_terminals(zookeeper_t)
userdom_dontaudit_search_user_home_dirs(zookeeper_t)
- java_exec(zookeeper_t)
-
--optional_policy(`
-- nscd_socket_use(zookeeper_t)
--')
+-java_exec(zookeeper_t)
-
+ optional_policy(`
+- nscd_socket_use(zookeeper_t)
++ java_exec(zookeeper_t)
+ ')
+
########################################
- #
- # Hadoop zookeeper server policy.
+@@ -437,4 +431,6 @@ miscfiles_read_localization(zookeeper_server_t)
+
+ sysnet_read_config(zookeeper_server_t)
+
+-java_exec(zookeeper_server_t)
++optional_policy(`
++ java_exec(zookeeper_server_t)
++')
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
index c98b0df..3b1a051 100644
--- a/policy/modules/services/hal.fc
@@ -39301,7 +40317,7 @@ index c98b0df..3b1a051 100644
/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
-index 7cf6763..ce32fe5 100644
+index 7cf6763..4a7bc56 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -51,6 +51,7 @@ interface(`hal_read_state',`
@@ -39312,7 +40328,18 @@ index 7cf6763..ce32fe5 100644
ps_process_pattern($1, hald_t)
')
-@@ -87,7 +88,7 @@ interface(`hal_use_fds',`
+@@ -69,7 +70,9 @@ interface(`hal_ptrace',`
+ type hald_t;
+ ')
+
+- allow $1 hald_t:process ptrace;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 hald_t:process ptrace;
++ ')
+ ')
+
+ ########################################
+@@ -87,7 +90,7 @@ interface(`hal_use_fds',`
type hald_t;
')
@@ -39321,7 +40348,7 @@ index 7cf6763..ce32fe5 100644
')
########################################
-@@ -105,7 +106,7 @@ interface(`hal_dontaudit_use_fds',`
+@@ -105,7 +108,7 @@ interface(`hal_dontaudit_use_fds',`
type hald_t;
')
@@ -39330,7 +40357,7 @@ index 7cf6763..ce32fe5 100644
')
########################################
-@@ -124,7 +125,7 @@ interface(`hal_rw_pipes',`
+@@ -124,7 +127,7 @@ interface(`hal_rw_pipes',`
type hald_t;
')
@@ -39339,7 +40366,7 @@ index 7cf6763..ce32fe5 100644
')
########################################
-@@ -143,7 +144,7 @@ interface(`hal_dontaudit_rw_pipes',`
+@@ -143,7 +146,7 @@ interface(`hal_dontaudit_rw_pipes',`
type hald_t;
')
@@ -39348,7 +40375,7 @@ index 7cf6763..ce32fe5 100644
')
########################################
-@@ -377,6 +378,25 @@ interface(`hal_read_pid_files',`
+@@ -377,6 +380,25 @@ interface(`hal_read_pid_files',`
########################################
## <summary>
@@ -39374,7 +40401,7 @@ index 7cf6763..ce32fe5 100644
## Read/Write hald PID files.
## </summary>
## <param name="domain">
-@@ -431,3 +451,25 @@ interface(`hal_manage_pid_files',`
+@@ -431,3 +453,25 @@ interface(`hal_manage_pid_files',`
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
')
@@ -39401,7 +40428,7 @@ index 7cf6763..ce32fe5 100644
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
-index 24c6253..bc08625 100644
+index 24c6253..6fdb0cd 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
@@ -39414,6 +40441,15 @@ index 24c6253..bc08625 100644
########################################
#
# Local policy
+@@ -61,7 +64,7 @@ files_type(hald_var_lib_t)
+
+ # execute openvt which needs setuid
+ allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+-dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
++dontaudit hald_t self:capability sys_tty_config;
+ allow hald_t self:process { getsched getattr signal_perms };
+ allow hald_t self:fifo_file rw_fifo_file_perms;
+ allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -99,7 +102,7 @@ kernel_read_fs_sysctls(hald_t)
kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
@@ -39610,10 +40646,23 @@ index 24c6253..bc08625 100644
optional_policy(`
dbus_system_bus_client(hald_dccm_t)
diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if
-index 87b4531..db2d189 100644
+index 87b4531..901d905 100644
--- a/policy/modules/services/hddtemp.if
+++ b/policy/modules/services/hddtemp.if
-@@ -69,9 +69,5 @@ interface(`hddtemp_admin',`
+@@ -60,8 +60,11 @@ interface(`hddtemp_admin',`
+ type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
+ ')
+
+- allow $1 hddtemp_t:process { ptrace signal_perms };
++ allow $1 hddtemp_t:process signal_perms;
+ ps_process_pattern($1, hddtemp_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 hddtemp_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -69,9 +72,5 @@ interface(`hddtemp_admin',`
allow $2 system_r;
admin_pattern($1, hddtemp_etc_t)
@@ -39647,7 +40696,7 @@ index c234b32..6c0a73d 100644
+ sysnet_dns_name_resolve(hddtemp_t)
+')
diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
-index ecab47a..40affd8 100644
+index ecab47a..6ba84cf 100644
--- a/policy/modules/services/icecast.if
+++ b/policy/modules/services/icecast.if
@@ -5,9 +5,9 @@
@@ -39674,15 +40723,19 @@ index ecab47a..40affd8 100644
## </param>
#
interface(`icecast_append_log',`
-@@ -173,6 +173,7 @@ interface(`icecast_admin',`
+@@ -173,7 +173,11 @@ interface(`icecast_admin',`
type icecast_t, icecast_initrc_exec_t;
')
-+ allow $1 icecast_t:process { ptrace signal_perms };
++ allow $1 icecast_t:process signal_perms;
ps_process_pattern($1, icecast_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 icecast_t:process ptrace;
++ ')
# Allow icecast_t to restart the apache service
-@@ -182,7 +183,5 @@ interface(`icecast_admin',`
+ icecast_initrc_domtrans($1)
+@@ -182,7 +186,5 @@ interface(`icecast_admin',`
allow $2 system_r;
icecast_manage_pid_files($1)
@@ -39691,7 +40744,7 @@ index ecab47a..40affd8 100644
-
')
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
-index fdb7e9a..1c02a45 100644
+index fdb7e9a..17ed705 100644
--- a/policy/modules/services/icecast.te
+++ b/policy/modules/services/icecast.te
@@ -5,6 +5,14 @@ policy_module(icecast, 1.1.0)
@@ -39718,9 +40771,14 @@ index fdb7e9a..1c02a45 100644
manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
-@@ -40,6 +48,13 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+@@ -39,7 +47,18 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+
kernel_read_system_state(icecast_t)
++dev_read_sysfs(icecast_t)
++dev_read_urand(icecast_t)
++dev_read_rand(icecast_t)
++
corenet_tcp_bind_soundd_port(icecast_t)
+corenet_tcp_connect_soundd_port(icecast_t)
+
@@ -39733,7 +40791,7 @@ index fdb7e9a..1c02a45 100644
# Init script handling
domain_use_interactive_fds(icecast_t)
diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if
-index dfb4232..7665429 100644
+index dfb4232..fa1b91d 100644
--- a/policy/modules/services/ifplugd.if
+++ b/policy/modules/services/ifplugd.if
@@ -5,9 +5,9 @@
@@ -39748,7 +40806,7 @@ index dfb4232..7665429 100644
## </param>
#
interface(`ifplugd_domtrans',`
-@@ -113,8 +113,8 @@ interface(`ifplugd_read_pid_files',`
+@@ -113,11 +113,11 @@ interface(`ifplugd_read_pid_files',`
#
interface(`ifplugd_admin',`
gen_require(`
@@ -39758,9 +40816,13 @@ index dfb4232..7665429 100644
+ type ifplugd_initrc_exec_t;
')
- allow $1 ifplugd_t:process { ptrace signal_perms };
+- allow $1 ifplugd_t:process { ptrace signal_perms };
++ allow $1 ifplugd_t:process signal_perms;
+ ps_process_pattern($1, ifplugd_t)
+
+ init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te
-index 978c32f..81c5ca2 100644
+index 978c32f..9bf1f1e 100644
--- a/policy/modules/services/ifplugd.te
+++ b/policy/modules/services/ifplugd.te
@@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t)
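Review bot: ifplugd_admin loses ptrace on ifplugd_t unconditionally in this hunk: `{ ptrace signal_perms }` becomes `signal_perms`, and no deny_ptrace block is added after `ps_process_pattern($1, ifplugd_t)`. The other admin interfaces changed in this commit (hddtemp_admin, icecast_admin, inn_admin) all get one. If the omission is not intended, add ``tunable_policy(`deny_ptrace',`',` allow $1 ifplugd_t:process ptrace; ')`` after that line so the admin role behaves the same across modules when the boolean is off. If it is deliberate, a one-line comment saying that ptrace is intentionally withheld for ifplugd would help. The interface body continues outside the hunk.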
@@ -39772,6 +40834,15 @@ index 978c32f..81c5ca2 100644
type ifplugd_initrc_exec_t;
init_script_file(ifplugd_initrc_exec_t)
+@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t)
+ #
+
+ allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
+-dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
++dontaudit ifplugd_t self:capability sys_tty_config;
+ allow ifplugd_t self:process { signal signull };
+ allow ifplugd_t self:fifo_file rw_fifo_file_perms;
+ allow ifplugd_t self:tcp_socket create_stream_socket_perms;
@@ -54,7 +54,7 @@ corecmd_exec_bin(ifplugd_t)
# reading of hardware information
dev_read_sysfs(ifplugd_t)
@@ -39902,7 +40973,7 @@ index 8ca038d..8507ee2 100644
/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0)
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
-index ebc9e0d..a0c625d 100644
+index ebc9e0d..617f52f 100644
--- a/policy/modules/services/inn.if
+++ b/policy/modules/services/inn.if
@@ -13,7 +13,7 @@
@@ -39938,7 +41009,7 @@ index ebc9e0d..a0c625d 100644
allow $1 news_spool_t:dir list_dir_perms;
allow $1 news_spool_t:file read_file_perms;
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
-@@ -195,8 +198,8 @@ interface(`inn_domtrans',`
+@@ -195,12 +198,15 @@ interface(`inn_domtrans',`
interface(`inn_admin',`
gen_require(`
type innd_t, innd_etc_t, innd_log_t;
@@ -39948,7 +41019,15 @@ index ebc9e0d..a0c625d 100644
+ type innd_initrc_exec_t;
')
- allow $1 innd_t:process { ptrace signal_perms };
+- allow $1 innd_t:process { ptrace signal_perms };
++ allow $1 innd_t:process signal_perms;
+ ps_process_pattern($1, innd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 innd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, innd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 9fab1dc..2462aa7 100644
--- a/policy/modules/services/inn.te
@@ -40045,16 +41124,15 @@ index 4c9acec..9a9ca2a 100644
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
-index 9878499..81fcd0f 100644
+index 9878499..8643cd3 100644
--- a/policy/modules/services/jabber.if
+++ b/policy/modules/services/jabber.if
-@@ -1,8 +1,109 @@
+@@ -1,8 +1,71 @@
## <summary>Jabber instant messaging server</summary>
-########################################
+#####################################
- ## <summary>
--## Connect to jabber over a TCP socket (Deprecated)
++## <summary>
+## Creates types and rules for a basic
+## jabber init daemon domain.
+## </summary>
@@ -40117,15 +41195,18 @@ index 9878499..81fcd0f 100644
+')
+
+#######################################
-+## <summary>
+ ## <summary>
+-## Connect to jabber over a TCP socket (Deprecated)
+## Read jabberd lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -10,8 +73,51 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`jabber_tcp_connect',`
+- refpolicywarn(`$0($*) has been deprecated.')
+interface(`jabberd_read_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
@@ -40157,15 +41238,13 @@ index 9878499..81fcd0f 100644
+## <summary>
+## Create, read, write, and delete
+## jabberd lib files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -10,8 +111,13 @@
- ## </summary>
- ## </param>
- #
--interface(`jabber_tcp_connect',`
-- refpolicywarn(`$0($*) has been deprecated.')
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`jabberd_manage_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
@@ -40176,7 +41255,7 @@ index 9878499..81fcd0f 100644
')
########################################
-@@ -33,24 +139,21 @@ interface(`jabber_tcp_connect',`
+@@ -33,24 +139,25 @@ interface(`jabber_tcp_connect',`
#
interface(`jabber_admin',`
gen_require(`
@@ -40186,12 +41265,17 @@ index 9878499..81fcd0f 100644
+ type jabberd_initrc_exec_t, jabberd_router_t;
')
- allow $1 jabberd_t:process { ptrace signal_perms };
+- allow $1 jabberd_t:process { ptrace signal_perms };
++ allow $1 jabberd_t:process signal_perms;
ps_process_pattern($1, jabberd_t)
-
-+ allow $1 jabberd_router_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, jabberd_router_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 jabberd_t:process ptrace;
++ allow $1 jabberd_router_t:process ptrace;
++ ')
+
++ allow $1 jabberd_router_t:process signal_perms;
++ ps_process_pattern($1, jabberd_router_t)
+
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 jabberd_initrc_exec_t system_r;
@@ -40440,7 +41524,7 @@ index 3525d24..033de90 100644
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..1b608a7 100644
+index 604f67b..91ef376 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@@ -40560,7 +41644,7 @@ index 604f67b..1b608a7 100644
## All of the rules required to administrate
## an kerberos environment
## </summary>
-@@ -338,9 +336,8 @@ interface(`kerberos_admin',`
+@@ -338,18 +336,22 @@ interface(`kerberos_admin',`
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -40570,8 +41654,25 @@ index 604f67b..1b608a7 100644
- type kpropd_t;
')
- allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +375,109 @@ interface(`kerberos_admin',`
+- allow $1 kadmind_t:process { ptrace signal_perms };
++ allow $1 kadmind_t:process signal_perms;
+ ps_process_pattern($1, kadmind_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 kadmind_t:process ptrace;
++ allow $1 krb5kdc_t:process ptrace;
++ allow $1 kpropd_t:process ptrace;
++ ')
+
+- allow $1 krb5kdc_t:process { ptrace signal_perms };
++ allow $1 krb5kdc_t:process signal_perms;
+ ps_process_pattern($1, krb5kdc_t)
+
+- allow $1 kpropd_t:process { ptrace signal_perms };
++ allow $1 kpropd_t:process signal_perms;
+ ps_process_pattern($1, kpropd_t)
+
+ init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+@@ -378,3 +380,109 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -40832,7 +41933,7 @@ index 8edc29b..92dde2c 100644
')
diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if
-index 835b16b..dd32883 100644
+index 835b16b..a0f9bc6 100644
--- a/policy/modules/services/kerneloops.if
+++ b/policy/modules/services/kerneloops.if
@@ -5,15 +5,14 @@
@@ -40854,7 +41955,7 @@ index 835b16b..dd32883 100644
')
domtrans_pattern($1, kerneloops_exec_t, kerneloops_t)
-@@ -99,8 +98,7 @@ interface(`kerneloops_manage_tmp_files',`
+@@ -99,17 +98,20 @@ interface(`kerneloops_manage_tmp_files',`
#
interface(`kerneloops_admin',`
gen_require(`
@@ -40863,8 +41964,15 @@ index 835b16b..dd32883 100644
+ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
')
- allow $1 kerneloops_t:process { ptrace signal_perms };
-@@ -111,5 +109,6 @@ interface(`kerneloops_admin',`
+- allow $1 kerneloops_t:process { ptrace signal_perms };
++ allow $1 kerneloops_t:process signal_perms;
+ ps_process_pattern($1, kerneloops_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 kerneloops_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+ domain_system_change_exemption($1)
role_transition $2 kerneloops_initrc_exec_t system_r;
allow $2 system_r;
@@ -40967,7 +42075,7 @@ index 9c0c835..8360166 100644
+
+/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if
-index 6fd0b4c..b733e45 100644
+index 6fd0b4c..5024e1e 100644
--- a/policy/modules/services/ksmtuned.if
+++ b/policy/modules/services/ksmtuned.if
@@ -5,9 +5,9 @@
@@ -40982,7 +42090,7 @@ index 6fd0b4c..b733e45 100644
## </param>
#
interface(`ksmtuned_domtrans',`
-@@ -55,12 +55,11 @@ interface(`ksmtuned_initrc_domtrans',`
+@@ -55,12 +55,14 @@ interface(`ksmtuned_initrc_domtrans',`
#
interface(`ksmtuned_admin',`
gen_require(`
@@ -40991,20 +42099,24 @@ index 6fd0b4c..b733e45 100644
+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
')
- allow $1 ksmtuned_t:process { ptrace signal_perms };
+- allow $1 ksmtuned_t:process { ptrace signal_perms };
- ps_process_pattern(ksmtumed_t)
++ allow $1 ksmtuned_t:process signal_perms;
+ ps_process_pattern($1, ksmtuned_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ksmtuned_t:process ptrace;
++ ')
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
-@@ -70,5 +69,4 @@ interface(`ksmtuned_admin',`
+@@ -70,5 +72,4 @@ interface(`ksmtuned_admin',`
domain_system_change_exemption($1)
role_transition $2 ksmtuned_initrc_exec_t system_r;
allow $2 system_r;
-
')
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
-index a73b7a1..2fcd590 100644
+index a73b7a1..d845f46 100644
--- a/policy/modules/services/ksmtuned.te
+++ b/policy/modules/services/ksmtuned.te
@@ -9,6 +9,9 @@ type ksmtuned_t;
@@ -41017,8 +42129,12 @@ index a73b7a1..2fcd590 100644
type ksmtuned_initrc_exec_t;
init_script_file(ksmtuned_initrc_exec_t)
-@@ -23,6 +26,10 @@ files_pid_file(ksmtuned_var_run_t)
- allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
+@@ -20,9 +23,13 @@ files_pid_file(ksmtuned_var_run_t)
+ # ksmtuned local policy
+ #
+
+-allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
++allow ksmtuned_t self:capability sys_tty_config;
allow ksmtuned_t self:fifo_file rw_file_perms;
+manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
@@ -41080,10 +42196,10 @@ index 0000000..76d879e
+
diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if
new file mode 100644
-index 0000000..5783d58
+index 0000000..c8b246f
--- /dev/null
+++ b/policy/modules/services/l2tpd.if
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,118 @@
+
+## <summary>policy for l2tpd</summary>
+
@@ -41187,8 +42303,11 @@ index 0000000..5783d58
+ type l2tpd_var_run_t;
+ ')
+
-+ allow $1 l2tpd_t:process { ptrace signal_perms };
++ allow $1 l2tpd_t:process signal_perms;
+ ps_process_pattern($1, l2tpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 l2tpd_t:process ptrace;
++ ')
+
+ l2tpd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -41283,7 +42402,7 @@ index c62f23e..f8a4301 100644
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
-index 3aa8fa7..40b10fa 100644
+index 3aa8fa7..21b3ecd 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -1,5 +1,64 @@
@@ -41387,7 +42506,20 @@ index 3aa8fa7..40b10fa 100644
')
########################################
-@@ -110,6 +187,7 @@ interface(`ldap_admin',`
+@@ -97,8 +174,11 @@ interface(`ldap_admin',`
+ type slapd_initrc_exec_t;
+ ')
+
+- allow $1 slapd_t:process { ptrace signal_perms };
++ allow $1 slapd_t:process signal_perms;
+ ps_process_pattern($1, slapd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 slapd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -110,6 +190,7 @@ interface(`ldap_admin',`
admin_pattern($1, slapd_lock_t)
@@ -41395,7 +42527,7 @@ index 3aa8fa7..40b10fa 100644
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
-@@ -117,4 +195,6 @@ interface(`ldap_admin',`
+@@ -117,4 +198,6 @@ interface(`ldap_admin',`
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
@@ -41518,6 +42650,23 @@ index 49e04e5..69db026 100644
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if
+index 418cc81..cdb2561 100644
+--- a/policy/modules/services/lircd.if
++++ b/policy/modules/services/lircd.if
+@@ -80,8 +80,11 @@ interface(`lircd_admin',`
+ type lircd_initrc_exec_t, lircd_etc_t;
+ ')
+
+- allow $1 lircd_t:process { ptrace signal_perms };
++ allow $1 lircd_t:process signal_perms;
+ ps_process_pattern($1, lircd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 lircd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, lircd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
index 6a78de1..8db7d14 100644
--- a/policy/modules/services/lircd.te
@@ -41578,10 +42727,10 @@ index 0000000..83a4348
+/var/run/lldpad\.pid -- gen_context(system_u:object_r:lldpad_var_run_t,s0)
diff --git a/policy/modules/services/lldpad.if b/policy/modules/services/lldpad.if
new file mode 100644
-index 0000000..9d1bac3
+index 0000000..6550968
--- /dev/null
+++ b/policy/modules/services/lldpad.if
-@@ -0,0 +1,198 @@
+@@ -0,0 +1,201 @@
+
+## <summary>policy for lldpad</summary>
+
@@ -41764,8 +42913,11 @@ index 0000000..9d1bac3
+ type lldpad_var_run_t;
+ ')
+
-+ allow $1 lldpad_t:process { ptrace signal_perms };
++ allow $1 lldpad_t:process signal_perms;
+ ps_process_pattern($1, lldpad_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 lldpad_t:process ptrace;
++ ')
+
+ lldpad_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -41858,8 +43010,17 @@ index 0000000..b7f4268
+optional_policy(`
+ fcoemon_dgram_send(lldpad_t)
+')
+diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc
+index 5c9eb68..ca4fd2b 100644
+--- a/policy/modules/services/lpd.fc
++++ b/policy/modules/services/lpd.fc
+@@ -35,3 +35,4 @@
+ /var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+ /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
+ /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
++/var/spool/turboprint(/.*)? gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
-index a4f32f5..ea7dca0 100644
+index a4f32f5..32824fb 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -14,6 +14,7 @@
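Review bot: The new `/var/spool/turboprint(/.*)?` entry is labelled lpd_var_run_t, while the other /var/spool paths shown in this hunk (cups-pdf, lpd) use print_spool_t and lpd_var_run_t is used for /var/run/lprng. If turboprint really keeps runtime state under its spool directory, say so in a comment above the entry, for example `# turboprint keeps its runtime files under /var/spool`. Otherwise print_spool_t looks like the intended type. Presumably any domain allowed to manage lpd_var_run_t would then also reach queued print data at mls_systemhigh, which is worth confirming.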
@@ -41870,16 +43031,19 @@ index a4f32f5..ea7dca0 100644
#
interface(`lpd_role',`
gen_require(`
-@@ -27,7 +28,7 @@ interface(`lpd_role',`
+@@ -27,7 +28,10 @@ interface(`lpd_role',`
dontaudit lpr_t $2:unix_stream_socket { read write };
ps_process_pattern($2, lpr_t)
- allow $2 lpr_t:process signull;
-+ allow $2 lpr_t:process { ptrace signal_perms };
++ allow $2 lpr_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 lpr_t:process ptrace;
++ ')
optional_policy(`
cups_read_config($2)
-@@ -153,7 +154,7 @@ interface(`lpd_relabel_spool',`
+@@ -153,7 +157,7 @@ interface(`lpd_relabel_spool',`
')
files_search_spool($1)
@@ -41888,7 +43052,7 @@ index a4f32f5..ea7dca0 100644
')
########################################
-@@ -186,7 +187,7 @@ interface(`lpd_read_config',`
+@@ -186,7 +190,7 @@ interface(`lpd_read_config',`
## </summary>
## </param>
#
@@ -42179,10 +43343,10 @@ index 0000000..827e22e
+/var/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0)
diff --git a/policy/modules/services/mailscanner.if b/policy/modules/services/mailscanner.if
new file mode 100644
-index 0000000..39c12cb
+index 0000000..bd1d48e
--- /dev/null
+++ b/policy/modules/services/mailscanner.if
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,61 @@
+## <summary>E-mail security and anti-spam package for e-mail gateway systems.</summary>
+
+########################################
@@ -42232,8 +43396,11 @@ index 0000000..39c12cb
+ role_transition $2 mscan_initrc_exec_t system_r;
+ allow $2 system_r;
+
-+ allow $1 mscan_t:process { ptrace signal_perms };
++ allow $1 mscan_t:process signal_perms;
+ ps_process_pattern($1, mscan_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mscan_t:process ptrace;
++ ')
+
+ admin_pattern($1, mscan_etc_t)
+ files_list_etc($1)
@@ -42628,10 +43795,10 @@ index 0000000..0d771fd
+')
diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
new file mode 100644
-index 0000000..215407c
+index 0000000..372ed05
--- /dev/null
+++ b/policy/modules/services/matahari.te
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,97 @@
+policy_module(matahari,1.0.0)
+
+########################################
@@ -42659,9 +43826,6 @@ index 0000000..215407c
+#
+# matahari_hostd local policy
+#
-+
-+allow matahari_hostd_t self:capability sys_ptrace;
-+
+kernel_read_network_state(matahari_hostd_t)
+
+dev_read_sysfs(matahari_hostd_t)
@@ -42778,7 +43942,7 @@ index 98d28b4..1c1d012 100644
+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
-index db4fd6f..5008a6c 100644
+index db4fd6f..ce07b3f 100644
--- a/policy/modules/services/memcached.if
+++ b/policy/modules/services/memcached.if
@@ -5,15 +5,14 @@
@@ -42800,7 +43964,7 @@ index db4fd6f..5008a6c 100644
')
domtrans_pattern($1, memcached_exec_t, memcached_t)
-@@ -57,8 +56,7 @@ interface(`memcached_read_pid_files',`
+@@ -57,17 +56,20 @@ interface(`memcached_read_pid_files',`
#
interface(`memcached_admin',`
gen_require(`
@@ -42809,8 +43973,15 @@ index db4fd6f..5008a6c 100644
+ type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
')
- allow $1 memcached_t:process { ptrace signal_perms };
-@@ -69,5 +67,6 @@ interface(`memcached_admin',`
+- allow $1 memcached_t:process { ptrace signal_perms };
++ allow $1 memcached_t:process signal_perms;
+ ps_process_pattern($1, memcached_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 memcached_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+ domain_system_change_exemption($1)
role_transition $2 memcached_initrc_exec_t system_r;
allow $2 system_r;
@@ -43039,10 +44210,10 @@ index 0000000..8d0e473
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
new file mode 100644
-index 0000000..0615cc5
+index 0000000..1d76fb8
--- /dev/null
+++ b/policy/modules/services/mock.if
-@@ -0,0 +1,306 @@
+@@ -0,0 +1,313 @@
+## <summary>policy for mock</summary>
+
+########################################
@@ -43290,7 +44461,10 @@ index 0000000..0615cc5
+ mock_run($2, $1)
+
+ ps_process_pattern($2, mock_t)
-+ allow $2 mock_t:process { ptrace signal_perms };
++ allow $2 mock_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 mock_t:process ptrace;
++ ')
+')
+
+#######################################
@@ -43334,10 +44508,14 @@ index 0000000..0615cc5
+ type mock_build_t, mock_etc_t, mock_tmp_t;
+ ')
+
-+ allow $1 mock_t:process { ptrace signal_perms };
++ allow $1 mock_t:process signal_perms;
+ ps_process_pattern($1, mock_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mock_t:process ptrace;
++ allow $1 mock_build_t:process ptrace;
++ ')
+
-+ allow $1 mock_build_t:process { ptrace signal_perms };
++ allow $1 mock_build_t:process signal_perms;
+ ps_process_pattern($1, mock_build_t)
+
+ files_list_var_lib($1)
@@ -43351,7 +44529,7 @@ index 0000000..0615cc5
+')
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
new file mode 100644
-index 0000000..b7e5bcc
+index 0000000..b1107b5
--- /dev/null
+++ b/policy/modules/services/mock.te
@@ -0,0 +1,250 @@
@@ -43398,7 +44576,7 @@ index 0000000..b7e5bcc
+# mock local policy
+#
+
-+allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_t self:capability { sys_admin setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
+# Needed because mock can run java and mono withing build environment
+allow mock_t self:process { execmem execstack };
@@ -43521,7 +44699,7 @@ index 0000000..b7e5bcc
+#
+# mock_build local policy
+#
-+allow mock_build_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
+dontaudit mock_build_t self:capability audit_write;
+allow mock_build_t self:process { fork setsched setpgid signal_perms };
+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
@@ -43664,10 +44842,10 @@ index b3ace16..6c9f30c 100644
optional_policy(`
udev_read_db(modemmanager_t)
diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if
-index 657a9fc..88e7330 100644
+index 657a9fc..0b9bf04 100644
--- a/policy/modules/services/mojomojo.if
+++ b/policy/modules/services/mojomojo.if
-@@ -19,18 +19,20 @@
+@@ -19,18 +19,23 @@
#
interface(`mojomojo_admin',`
gen_require(`
@@ -43680,16 +44858,20 @@ index 657a9fc..88e7330 100644
+ type httpd_mojomojo_script_exec_t;
')
- allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
+- allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
++ allow $1 httpd_mojomojo_script_t:process signal_perms;
ps_process_pattern($1, httpd_mojomojo_script_t)
-
-- files_search_var_lib(httpd_mojomojo_script_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 httpd_mojomo_script_t:process ptrace;
++ ')
++
+ files_list_tmp($1)
+ admin_pattern($1, httpd_mojomojo_tmp_t)
-- apache_search_sys_content($1)
+- files_search_var_lib(httpd_mojomojo_script_t)
+ files_list_var_lib(httpd_mojomojo_script_t)
-+
+
+- apache_search_sys_content($1)
+ apache_list_sys_content($1)
admin_pattern($1, httpd_mojomojo_script_exec_t)
admin_pattern($1, httpd_mojomojo_script_t)
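Review bot: The type in the new deny_ptrace block is misspelled: `allow $1 httpd_mojomo_script_t:process ptrace;` names httpd_mojomo_script_t, while every other rule in mojomojo_admin uses httpd_mojomojo_script_t. Nothing visible declares the misspelled type, so the interface will likely fail to build, or at best the rule will not cover the mojomojo script domain. It should read `allow $1 httpd_mojomojo_script_t:process ptrace;`. Separately, the context line `files_list_var_lib(httpd_mojomojo_script_t)` passes the script type where the neighbouring calls pass `$1`, which looks unintended. The gen_require block starts outside the hunk, so the declared types could not be checked in full.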
@@ -43719,6 +44901,23 @@ index 83f002c..ed69996 100644
corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if
+index d72276f..cb8c563 100644
+--- a/policy/modules/services/mpd.if
++++ b/policy/modules/services/mpd.if
+@@ -244,8 +244,11 @@ interface(`mpd_admin',`
+ type mpd_tmpfs_t;
+ ')
+
+- allow $1 mpd_t:process { ptrace signal_perms };
++ allow $1 mpd_t:process signal_perms;
+ ps_process_pattern($1, mpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mpd_t:process ptrace;
++ ')
+
+ mpd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
index 7f68872..e4ac35e 100644
--- a/policy/modules/services/mpd.te
@@ -44258,7 +45457,7 @@ index 343cee3..e5519fd 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..c84e80f 100644
+index 64268e4..65fd01f 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -44505,7 +45704,7 @@ index 64268e4..c84e80f 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(user_mail_t)
fs_manage_cifs_symlinks(user_mail_t)
-@@ -292,3 +316,46 @@ optional_policy(`
+@@ -292,3 +316,47 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -44519,6 +45718,7 @@ index 64268e4..c84e80f 100644
+allow user_mail_domain mta_exec_type:file entrypoint;
+
+append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
++read_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
+
+read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
+
@@ -44573,7 +45773,7 @@ index fd71d69..bf90863 100644
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
-index c358d8f..fec6a97 100644
+index c358d8f..7c097ec 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -13,10 +13,11 @@
@@ -44650,7 +45850,7 @@ index c358d8f..fec6a97 100644
#######################################
## <summary>
## Append to the munin log.
-@@ -172,8 +180,7 @@ interface(`munin_admin',`
+@@ -172,12 +180,14 @@ interface(`munin_admin',`
gen_require(`
type munin_t, munin_etc_t, munin_tmp_t;
type munin_log_t, munin_var_lib_t, munin_var_run_t;
@@ -44659,9 +45859,17 @@ index c358d8f..fec6a97 100644
+ type httpd_munin_content_t, munin_initrc_exec_t;
')
- allow $1 munin_t:process { ptrace signal_perms };
+- allow $1 munin_t:process { ptrace signal_perms };
++ allow $1 munin_t:process signal_perms;
+ ps_process_pattern($1, munin_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 munin_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..6b17513 100644
+index f17583b..9850f4d 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -44778,15 +45986,16 @@ index f17583b..6b17513 100644
')
optional_policy(`
-@@ -245,6 +253,7 @@ optional_policy(`
+@@ -245,6 +253,8 @@ optional_policy(`
# local policy for service plugins
#
++allow services_munin_plugin_t self:shm create_sem_perms;
+allow services_munin_plugin_t self:sem create_sem_perms;
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
allow services_munin_plugin_t self:udp_socket create_socket_perms;
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +264,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +265,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
dev_read_urand(services_munin_plugin_t)
dev_read_rand(services_munin_plugin_t)
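Review bot: The added rule `allow services_munin_plugin_t self:shm create_sem_perms;` pairs the shm class with the semaphore permission set. It compiles because both classes share the common IPC permissions, but the refpolicy set for shared memory is create_shm_perms, which additionally carries `lock`. The intended rule looks like `allow services_munin_plugin_t self:shm create_shm_perms;`. A short comment naming the plugin that needs SysV shared memory would also help a later reader judge whether the grant is still required.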
@@ -44801,7 +46010,7 @@ index f17583b..6b17513 100644
cups_stream_connect(services_munin_plugin_t)
')
-@@ -286,6 +292,10 @@ optional_policy(`
+@@ -286,6 +293,10 @@ optional_policy(`
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
')
@@ -44812,7 +46021,7 @@ index f17583b..6b17513 100644
##################################
#
# local policy for system plugins
-@@ -295,13 +305,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,13 +306,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -44829,7 +46038,7 @@ index f17583b..6b17513 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +322,31 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +323,31 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -44862,7 +46071,7 @@ index f17583b..6b17513 100644
+
+miscfiles_read_localization(munin_plugin_domain)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..14af30a 100644
+index e9c0982..ac7e846 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@@ -44963,7 +46172,7 @@ index e9c0982..14af30a 100644
#####################################
## <summary>
## Read MySQL PID files.
-@@ -329,10 +384,9 @@ interface(`mysql_search_pid_files',`
+@@ -329,27 +384,35 @@ interface(`mysql_search_pid_files',`
#
interface(`mysql_admin',`
gen_require(`
@@ -44976,8 +46185,15 @@ index e9c0982..14af30a 100644
+ type mysqld_etc_t;
')
- allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +397,19 @@ interface(`mysql_admin',`
+- allow $1 mysqld_t:process { ptrace signal_perms };
++ allow $1 mysqld_t:process signal_perms;
+ ps_process_pattern($1, mysqld_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mysqld_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
+ domain_system_change_exemption($1)
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
@@ -44998,7 +46214,7 @@ index e9c0982..14af30a 100644
+ mysql_stream_connect($1)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..91de41a 100644
+index 0a0d63c..d19d2d2 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -45057,15 +46273,16 @@ index 0a0d63c..91de41a 100644
')
tunable_policy(`mysql_connect_any',`
-@@ -155,6 +159,7 @@ optional_policy(`
+@@ -154,7 +158,7 @@ optional_policy(`
+ #
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
- dontaudit mysqld_safe_t self:capability sys_ptrace;
+-dontaudit mysqld_safe_t self:capability sys_ptrace;
+allow mysqld_safe_t self:process { setsched getsched setrlimit };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -175,21 +179,27 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
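Review bot: Dropping `dontaudit mysqld_safe_t self:capability sys_ptrace;` leaves the capability neither allowed nor silenced, so any sys_ptrace check this domain still triggers will now be logged as an AVC denial. If the goal is only to stop granting ptrace, keeping the dontaudit line avoids audit noise that can bury relevant denials. If a domain-wide dontaudit is introduced elsewhere in this patch (not visible in this hunk), a comment saying so would help. The networkmanager.te hunk removes sys_ptrace from its dontaudit set in the same way.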
@@ -45238,7 +46455,7 @@ index 1fc9905..1d05c60 100644
-/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
-index 8581040..2367841 100644
+index 8581040..039bfa0 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@@ -12,10 +12,8 @@
@@ -45313,7 +46530,7 @@ index 8581040..2367841 100644
## Execute the nagios NRPE with
## a domain transition.
## </summary>
-@@ -195,11 +220,9 @@ interface(`nagios_domtrans_nrpe',`
+@@ -195,15 +220,16 @@ interface(`nagios_domtrans_nrpe',`
#
interface(`nagios_admin',`
gen_require(`
@@ -45327,7 +46544,15 @@ index 8581040..2367841 100644
+ type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
')
- allow $1 nagios_t:process { ptrace signal_perms };
+- allow $1 nagios_t:process { ptrace signal_perms };
++ allow $1 nagios_t:process signal_perms;
+ ps_process_pattern($1, nagios_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 nagios_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, nagios_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index bf64a4c..1147e19 100644
--- a/policy/modules/services/nagios.te
@@ -45683,7 +46908,7 @@ index 2324d9e..8666a3c 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..c985b07 100644
+index 0619395..e5fb258 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -45702,18 +46927,24 @@ index 0619395..c985b07 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -35,16 +44,21 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -35,16 +44,25 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
- dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+-dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++dontaudit NetworkManager_t self:capability sys_tty_config;
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit NetworkManager_t self:capability sys_module;
+')
- allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
++allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
++tunable_policy(`deny_ptrace',`',`
++ allow NetworkManager_t self:process ptrace;
++')
++
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
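Review bot: The comment kept at the top of this block still says NetworkManager ptraces itself when gdb is installed (rh bug #204161), but the new rules remove sys_ptrace from the capability set and make self:process ptrace conditional on deny_ptrace. The comment should describe the new behaviour, for example `# self-ptrace (rh bug #204161) is permitted only while deny_ptrace is off; sys_ptrace is no longer granted`. It is also worth confirming from the audit log on a test system that the crash-handling path named in the comment does not need the removed capability.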
@@ -45726,7 +46957,7 @@ index 0619395..c985b07 100644
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
-@@ -52,9 +66,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+@@ -52,9 +70,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
can_exec(NetworkManager_t, NetworkManager_exec_t)
@@ -45747,7 +46978,7 @@ index 0619395..c985b07 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -100,6 +125,7 @@ dev_read_rand(NetworkManager_t)
+@@ -100,6 +129,7 @@ dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
@@ -45755,7 +46986,7 @@ index 0619395..c985b07 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,7 +139,7 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,7 +143,7 @@ corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
@@ -45764,7 +46995,7 @@ index 0619395..c985b07 100644
files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
-@@ -133,30 +159,37 @@ logging_send_syslog_msg(NetworkManager_t)
+@@ -133,30 +163,37 @@ logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
@@ -45804,19 +47035,14 @@ index 0619395..c985b07 100644
')
optional_policy(`
-@@ -172,14 +205,21 @@ optional_policy(`
+@@ -176,10 +213,17 @@ optional_policy(`
')
optional_policy(`
-- consoletype_exec(NetworkManager_t)
-+ consoletype_domtrans(NetworkManager_t)
++ cron_read_system_job_lib_files(NetworkManager_t)
+')
+
+optional_policy(`
-+ cron_read_system_job_lib_files(NetworkManager_t)
- ')
-
- optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+ init_dbus_chat(NetworkManager_t)
@@ -45827,7 +47053,7 @@ index 0619395..c985b07 100644
')
')
-@@ -191,6 +231,7 @@ optional_policy(`
+@@ -191,6 +235,7 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -45835,7 +47061,7 @@ index 0619395..c985b07 100644
')
optional_policy(`
-@@ -202,23 +243,45 @@ optional_policy(`
+@@ -202,23 +247,45 @@ optional_policy(`
')
optional_policy(`
@@ -45881,7 +47107,7 @@ index 0619395..c985b07 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -241,6 +304,7 @@ optional_policy(`
+@@ -241,6 +308,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -45889,7 +47115,7 @@ index 0619395..c985b07 100644
')
optional_policy(`
-@@ -263,6 +327,7 @@ optional_policy(`
+@@ -263,6 +331,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -45930,7 +47156,7 @@ index 15448d5..3587f6a 100644
+/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..2214d71 100644
+index abe3f7f..d3595cf 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -46040,7 +47266,7 @@ index abe3f7f..2214d71 100644
## All of the rules required to administrate
## an nis environment
## </summary>
-@@ -354,10 +384,10 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -354,22 +384,28 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
@@ -46052,8 +47278,30 @@ index abe3f7f..2214d71 100644
+ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
')
- allow $1 ypbind_t:process { ptrace signal_perms };
-@@ -384,6 +414,7 @@ interface(`nis_admin',`
+- allow $1 ypbind_t:process { ptrace signal_perms };
++ allow $1 ypbind_t:process signal_perms;
+ ps_process_pattern($1, ypbind_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ypbind_t:process ptrace;
++ allow $1 yppasswdd_t:process ptrace;
++ allow $1 ypserv_t:process ptrace;
++ allow $1 ypxfr_t:process ptrace;
++ ')
+
+- allow $1 yppasswdd_t:process { ptrace signal_perms };
++ allow $1 yppasswdd_t:process signal_perms;
+ ps_process_pattern($1, yppasswdd_t)
+
+- allow $1 ypserv_t:process { ptrace signal_perms };
++ allow $1 ypserv_t:process signal_perms;
+ ps_process_pattern($1, ypserv_t)
+
+- allow $1 ypxfr_t:process { ptrace signal_perms };
++ allow $1 ypxfr_t:process signal_perms;
+ ps_process_pattern($1, ypxfr_t)
+
+ nis_initrc_domtrans($1)
+@@ -384,6 +420,7 @@ interface(`nis_admin',`
files_list_pids($1)
admin_pattern($1, ypbind_var_run_t)
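Review bot: In nis_admin the ptrace grants for all four domains sit in one tunable block directly under the ypbind_t rules, while the signal_perms rules stay split per domain. A reader of the yppasswdd_t, ypserv_t or ypxfr_t stanza therefore no longer sees where ptrace is handled. Either give each domain its own block, as the single-domain interfaces do, or move the shared block after the last stanza and collapse it to one rule, `allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process ptrace;`. postfix_admin in postfix.if has the same layout, with six domains gathered under postfix_cleanup_t and postfix_bounce_t handled on its own. nis_admin begins before this hunk and continues after it.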
@@ -46061,7 +47309,7 @@ index abe3f7f..2214d71 100644
admin_pattern($1, yppasswdd_var_run_t)
-@@ -393,4 +424,5 @@ interface(`nis_admin',`
+@@ -393,4 +430,5 @@ interface(`nis_admin',`
admin_pattern($1, ypserv_tmp_t)
admin_pattern($1, ypserv_var_run_t)
@@ -46503,7 +47751,7 @@ index 0000000..49acffa
+')
+
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
-index 85188dc..56dd1f0 100644
+index 85188dc..0a96e14 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
@@ -46599,7 +47847,20 @@ index 85188dc..56dd1f0 100644
## All of the rules required to administrate
## an nscd environment
## </summary>
-@@ -288,4 +334,6 @@ interface(`nscd_admin',`
+@@ -275,8 +321,11 @@ interface(`nscd_admin',`
+ type nscd_initrc_exec_t;
+ ')
+
+- allow $1 nscd_t:process { ptrace signal_perms };
++ allow $1 nscd_t:process signal_perms;
+ ps_process_pattern($1, nscd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 nscd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -288,4 +337,6 @@ interface(`nscd_admin',`
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
@@ -46607,7 +47868,7 @@ index 85188dc..56dd1f0 100644
+ nscd_systemctl($1)
')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
-index 7936e09..812f966 100644
+index 7936e09..2f6a98f 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,9 +1,16 @@
@@ -46638,15 +47899,6 @@ index 7936e09..812f966 100644
type nscd_log_t;
logging_log_file(nscd_log_t)
-@@ -30,7 +40,7 @@ logging_log_file(nscd_log_t)
- # Local policy
- #
-
--allow nscd_t self:capability { kill setgid setuid };
-+allow nscd_t self:capability { kill setgid setuid sys_ptrace };
- dontaudit nscd_t self:capability sys_tty_config;
- allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
- allow nscd_t self:fifo_file read_fifo_file_perms;
@@ -47,9 +57,10 @@ allow nscd_t self:nscd { admin getstat };
allow nscd_t nscd_log_t:file manage_file_perms;
logging_log_filetrans(nscd_t, nscd_log_t, file)
@@ -46697,7 +47949,7 @@ index 7936e09..812f966 100644
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
-index 23c769c..be5a5b4 100644
+index 23c769c..549d7f8 100644
--- a/policy/modules/services/nslcd.if
+++ b/policy/modules/services/nslcd.if
@@ -5,9 +5,9 @@
@@ -46712,7 +47964,7 @@ index 23c769c..be5a5b4 100644
## </param>
#
interface(`nslcd_domtrans',`
-@@ -93,8 +93,8 @@ interface(`nslcd_stream_connect',`
+@@ -93,12 +93,15 @@ interface(`nslcd_stream_connect',`
#
interface(`nslcd_admin',`
gen_require(`
@@ -46723,7 +47975,15 @@ index 23c769c..be5a5b4 100644
')
ps_process_pattern($1, nslcd_t)
-@@ -106,9 +106,9 @@ interface(`nslcd_admin',`
+- allow $1 nslcd_t:process { ptrace signal_perms };
++ allow $1 nslcd_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 nslcd_t:process ptrace;
++ ')
+
+ # Allow nslcd_t to restart the apache service
+ nslcd_initrc_domtrans($1)
+@@ -106,9 +109,9 @@ interface(`nslcd_admin',`
role_transition $2 nslcd_initrc_exec_t system_r;
allow $2 system_r;
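Review bot: The comment above `nslcd_initrc_domtrans($1)` in nslcd_admin still reads "Allow nslcd_t to restart the apache service", which names the wrong service and the wrong domain. Since the patch already edits the lines around it, correct it to `# Allow $1 to run the nslcd init script`; going by the interface name, that is what the call grants. nslcd_admin starts before this hunk.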
@@ -46800,7 +48060,7 @@ index e79dccc..50202ef 100644
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..9e9091c 100644
+index e80f8c0..3d17408 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',`
@@ -46878,7 +48138,7 @@ index e80f8c0..9e9091c 100644
## All of the rules required to administrate
## an ntp environment
## </summary>
-@@ -140,11 +201,10 @@ interface(`ntp_rw_shm',`
+@@ -140,12 +201,14 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@@ -46888,11 +48148,15 @@ index e80f8c0..9e9091c 100644
')
- allow $1 ntpd_t:process { ptrace signal_perms getattr };
-+ allow $1 ntpd_t:process { ptrace signal_perms };
++ allow $1 ntpd_t:process signal_perms;
ps_process_pattern($1, ntpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ntpd_t:process ptrace;
++ ')
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
-@@ -162,4 +222,6 @@ interface(`ntp_admin',`
+ domain_system_change_exemption($1)
+@@ -162,4 +225,6 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
@@ -47193,7 +48457,7 @@ index cadfc63..c8f4d64 100644
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if
-index bb4fae5..b1b5e51 100644
+index bb4fae5..044486c 100644
--- a/policy/modules/services/oident.if
+++ b/policy/modules/services/oident.if
@@ -18,7 +18,7 @@
@@ -47223,7 +48487,7 @@ index bb4fae5..b1b5e51 100644
gen_require(`
type oidentd_home_t;
')
-@@ -66,3 +66,37 @@ interface(`oident_relabel_user_content', `
+@@ -66,3 +66,40 @@ interface(`oident_relabel_user_content', `
allow $1 oidentd_home_t:file relabel_file_perms;
userdom_search_user_home_dirs($1)
')
@@ -47250,8 +48514,11 @@ index bb4fae5..b1b5e51 100644
+ type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
+ ')
+
-+ allow $1 oidentd_t:process { ptrace signal_perms };
++ allow $1 oidentd_t:process signal_perms;
+ ps_process_pattern($1, oidentd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 oidentd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
+ domain_system_change_exemption($1)
@@ -47308,6 +48575,23 @@ index 9d0a67b..9197ef0 100644
## </param>
#
interface(`openct_domtrans',`
+diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
+index d883214..d6afa87 100644
+--- a/policy/modules/services/openvpn.if
++++ b/policy/modules/services/openvpn.if
+@@ -144,8 +144,11 @@ interface(`openvpn_admin',`
+ type openvpn_var_run_t, openvpn_initrc_exec_t;
+ ')
+
+- allow $1 openvpn_t:process { ptrace signal_perms };
++ allow $1 openvpn_t:process signal_perms;
+ ps_process_pattern($1, openvpn_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 openvpn_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8b550f4..ed5aae9 100644
--- a/policy/modules/services/openvpn.te
@@ -47441,10 +48725,10 @@ index 0870c56..6d5fb1d 100644
-/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
+/var/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if
-index 8ac407e..8235fb6 100644
+index 8ac407e..45673ad 100644
--- a/policy/modules/services/pads.if
+++ b/policy/modules/services/pads.if
-@@ -25,10 +25,10 @@
+@@ -25,20 +25,26 @@
## </param>
## <rolecap/>
#
@@ -47457,8 +48741,15 @@ index 8ac407e..8235fb6 100644
+ type pads_var_run_t;
')
- allow $1 pads_t:process { ptrace signal_perms };
-@@ -39,6 +39,9 @@ interface(`pads_admin', `
+- allow $1 pads_t:process { ptrace signal_perms };
++ allow $1 pads_t:process signal_perms;
+ ps_process_pattern($1, pads_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 pads_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, pads_initrc_exec_t)
+ domain_system_change_exemption($1)
role_transition $2 pads_initrc_exec_t system_r;
allow $2 system_r;
@@ -47699,7 +48990,7 @@ index 3185114..4abd429 100644
+ xen_stream_connect_xenstore(pegasus_t)
+')
diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if
-index 8688aae..1bfd8d2 100644
+index 8688aae..f1c3000 100644
--- a/policy/modules/services/pingd.if
+++ b/policy/modules/services/pingd.if
@@ -5,9 +5,9 @@
@@ -47722,7 +49013,7 @@ index 8688aae..1bfd8d2 100644
')
#######################################
-@@ -77,8 +76,8 @@ interface(`pingd_manage_config',`
+@@ -77,12 +76,15 @@ interface(`pingd_manage_config',`
#
interface(`pingd_admin',`
gen_require(`
@@ -47732,7 +49023,15 @@ index 8688aae..1bfd8d2 100644
+ type pingd_initrc_exec_t;
')
- allow $1 pingd_t:process { ptrace signal_perms };
+- allow $1 pingd_t:process { ptrace signal_perms };
++ allow $1 pingd_t:process signal_perms;
+ ps_process_pattern($1, pingd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 pingd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te
index e9cf8a4..9a7e5dc 100644
--- a/policy/modules/services/pingd.te
@@ -47970,10 +49269,10 @@ index 0000000..548d0a2
+')
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
new file mode 100644
-index 0000000..9c4df9f
+index 0000000..1c69a1a
--- /dev/null
+++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,299 @@
+@@ -0,0 +1,304 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -48041,7 +49340,11 @@ index 0000000..9c4df9f
+#
+
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
-+allow piranha_web_t self:process { getsched setsched signal signull ptrace };
++allow piranha_web_t self:process { getsched setsched signal signull };
++tunable_policy(`deny_ptrace',`',`
++ allow piranha_web_t self:process ptrace;
++')
++
+allow piranha_web_t self:rawip_socket create_socket_perms;
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
+allow piranha_web_t self:sem create_sem_perms;
@@ -48077,6 +49380,7 @@ index 0000000..9c4df9f
+corenet_tcp_bind_piranha_port(piranha_web_t)
+corenet_tcp_connect_ricci_port(piranha_web_t)
+
++dev_read_rand(piranha_web_t)
+dev_read_urand(piranha_web_t)
+
+domain_read_all_domains_state(piranha_web_t)
@@ -48284,7 +49588,7 @@ index 5702ca4..08528da 100644
+
+#/var/log/boot\.log -- gen_context(system_u:object_r:plymouthd_var_log_t,s0)
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
-index 9759ed8..48a5431 100644
+index 9759ed8..34b79af 100644
--- a/policy/modules/services/plymouthd.if
+++ b/policy/modules/services/plymouthd.if
@@ -5,12 +5,12 @@
@@ -48472,7 +49776,7 @@ index 9759ed8..48a5431 100644
## All of the rules required to administrate
## an plymouthd environment
## </summary>
-@@ -243,18 +285,20 @@ interface(`plymouthd_read_pid_files', `
+@@ -243,18 +285,23 @@ interface(`plymouthd_read_pid_files', `
## </param>
## <rolecap/>
#
@@ -48485,8 +49789,11 @@ index 9759ed8..48a5431 100644
- allow $1 plymouthd_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, plymouthd_t, plymouthd_t)
-+ allow $1 plymouthd_t:process { ptrace signal_perms };
++ allow $1 plymouthd_t:process signal_perms;
+ ps_process_pattern($1, plymouthd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 plymouthd_t:process ptrace;
++ ')
+ files_list_var_lib($1)
admin_pattern($1, plymouthd_spool_t)
@@ -48497,7 +49804,7 @@ index 9759ed8..48a5431 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index 06e217d..48c56f9 100644
+index 06e217d..cadc832 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1)
@@ -48534,7 +49841,7 @@ index 06e217d..48c56f9 100644
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -60,10 +68,30 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -60,10 +68,32 @@ domain_use_interactive_fds(plymouthd_t)
files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)
@@ -48545,6 +49852,8 @@ index 06e217d..48c56f9 100644
+logging_link_generic_logs(plymouthd_t)
+logging_delete_generic_logs(plymouthd_t)
+
++auth_read_passwd(plymouthd_t)
++
miscfiles_read_localization(plymouthd_t)
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)
@@ -48565,7 +49874,7 @@ index 06e217d..48c56f9 100644
########################################
#
# Plymouth private policy
-@@ -74,6 +102,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +104,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(plymouth_t)
@@ -48573,7 +49882,7 @@ index 06e217d..48c56f9 100644
domain_use_interactive_fds(plymouth_t)
-@@ -87,7 +116,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +118,7 @@ sysnet_read_config(plymouth_t)
plymouthd_stream_connect(plymouth_t)
@@ -48745,7 +50054,7 @@ index 48ff1e8..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..add05dd 100644
+index 1e7169d..9cdbfa8 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
@@ -48765,7 +50074,7 @@ index 1e7169d..add05dd 100644
-allow policykit_t self:capability { setgid setuid };
-allow policykit_t self:process getattr;
-allow policykit_t self:fifo_file rw_file_perms;
-+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
++allow policykit_t self:capability { dac_override dac_read_search setgid setuid };
+allow policykit_t self:process { getsched getattr signal };
+allow policykit_t self:fifo_file rw_fifo_file_perms;
allow policykit_t self:unix_dgram_socket create_socket_perms;
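Review bot: sys_ptrace is removed from policykit_t here, and from policykit_resolve_t in the next hunk, with no deny_ptrace-gated fallback, unlike the process-class ptrace rules elsewhere in this commit. If these daemons inspect /proc entries of processes owned by other users, that access may now be denied whatever the boolean is set to. This should be checked against the audit log on a test system before merging. If the capability proves necessary, gate it like the others: a tunable_policy block on deny_ptrace whose false branch holds `allow policykit_t self:capability sys_ptrace;`.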
@@ -48929,9 +50238,12 @@ index 1e7169d..add05dd 100644
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -169,7 +237,8 @@ optional_policy(`
+@@ -167,9 +235,10 @@ optional_policy(`
+ # polkit_resolve local policy
+ #
- allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
+-allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
++allow policykit_resolve_t self:capability { setuid sys_nice };
allow policykit_resolve_t self:process getattr;
-allow policykit_resolve_t self:fifo_file rw_file_perms;
+allow policykit_resolve_t self:fifo_file rw_fifo_file_perms;
@@ -48966,10 +50278,10 @@ index 0000000..8a06f66
+/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0)
diff --git a/policy/modules/services/polipo.if b/policy/modules/services/polipo.if
new file mode 100644
-index 0000000..b11f37a
+index 0000000..7dc2c0c
--- /dev/null
+++ b/policy/modules/services/polipo.if
-@@ -0,0 +1,185 @@
+@@ -0,0 +1,191 @@
+## <summary>Caching web proxy.</summary>
+
+########################################
@@ -49004,8 +50316,11 @@ index 0000000..b11f37a
+ # Policy
+ #
+
-+ allow $2 polipo_session_t:process { ptrace signal_perms };
++ allow $2 polipo_session_t:process signal_perms;
+ ps_process_pattern($2, polipo_session_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 polipo_session_t:process ptrace;
++ ')
+
+ tunable_policy(`polipo_session_users',`
+ domtrans_pattern($2, polipo_exec_t, polipo_session_t)
@@ -49135,8 +50450,11 @@ index 0000000..b11f37a
+ type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
+ ')
+
-+ allow $1 polipo_t:process { ptrace signal_perms };
++ allow $1 polipo_t:process signal_perms;
+ ps_process_pattern($1, polipo_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 polipo_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, polipo_initrc_exec_t)
+ domain_system_change_exemption($1)
@@ -49379,6 +50697,23 @@ index 4313a6f..1d9fa76 100644
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if
+index 7719d16..d283895 100644
+--- a/policy/modules/services/portreserve.if
++++ b/policy/modules/services/portreserve.if
+@@ -104,8 +104,11 @@ interface(`portreserve_admin',`
+ type portreserve_initrc_exec_t;
+ ')
+
+- allow $1 portreserve_t:process { ptrace signal_perms };
++ allow $1 portreserve_t:process signal_perms;
+ ps_process_pattern($1, portreserve_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 portreserve_t:process ptrace;
++ ')
+
+ portreserve_initrc_domtrans($1)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te
index 152af92..1594066 100644
--- a/policy/modules/services/portreserve.te
@@ -49469,7 +50804,7 @@ index a3e85c9..c0e0959 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..ca32d30 100644
+index 46bee12..e50a72c 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -49714,7 +51049,7 @@ index 46bee12..ca32d30 100644
')
########################################
-@@ -621,3 +701,125 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +701,136 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@@ -49746,25 +51081,36 @@ index 46bee12..ca32d30 100644
+ type postfix_smtpd_t, postfix_var_run_t;
+ ')
+
-+ allow $1 postfix_bounce_t:process { ptrace signal_perms };
++ allow $1 postfix_bounce_t:process signal_perms;
+ ps_process_pattern($1, postfix_bounce_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postfix_bounce_t:process ptrace;
++ ')
+
-+ allow $1 postfix_cleanup_t:process { ptrace signal_perms };
++ allow $1 postfix_cleanup_t:process signal_perms;
+ ps_process_pattern($1, postfix_cleanup_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postfix_cleanup_t:process ptrace;
++ allow $1 postfix_local_t:process ptrace;
++ allow $1 postfix_master_t:process ptrace;
++ allow $1 postfix_pickup_t:process ptrace;
++ allow $1 postfix_qmgr_t:process ptrace;
++ allow $1 postfix_smtpd_t:process ptrace;
++ ')
+
-+ allow $1 postfix_local_t:process { ptrace signal_perms };
++ allow $1 postfix_local_t:process signal_perms;
+ ps_process_pattern($1, postfix_local_t)
+
-+ allow $1 postfix_master_t:process { ptrace signal_perms };
++ allow $1 postfix_master_t:process signal_perms;
+ ps_process_pattern($1, postfix_master_t)
+
-+ allow $1 postfix_pickup_t:process { ptrace signal_perms };
++ allow $1 postfix_pickup_t:process signal_perms;
+ ps_process_pattern($1, postfix_pickup_t)
+
-+ allow $1 postfix_qmgr_t:process { ptrace signal_perms };
++ allow $1 postfix_qmgr_t:process signal_perms;
+ ps_process_pattern($1, postfix_qmgr_t)
+
-+ allow $1 postfix_smtpd_t:process { ptrace signal_perms };
++ allow $1 postfix_smtpd_t:process signal_perms;
+ ps_process_pattern($1, postfix_smtpd_t)
+
+ postfix_run_map($1, $2)
@@ -50256,10 +51602,10 @@ index a32c4b3..3a59bac 100644
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if
-index feae93b..d960d3f 100644
+index feae93b..b2af729 100644
--- a/policy/modules/services/postfixpolicyd.if
+++ b/policy/modules/services/postfixpolicyd.if
-@@ -20,8 +20,7 @@
+@@ -20,12 +20,14 @@
interface(`postfixpolicyd_admin',`
gen_require(`
type postfix_policyd_t, postfix_policyd_conf_t;
@@ -50268,7 +51614,15 @@ index feae93b..d960d3f 100644
+ type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
')
- allow $1 postfix_policyd_t:process { ptrace signal_perms };
+- allow $1 postfix_policyd_t:process { ptrace signal_perms };
++ allow $1 postfix_policyd_t:process signal_perms;
+ ps_process_pattern($1, postfix_policyd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postfix_policyd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te
index 7257526..7d73656 100644
--- a/policy/modules/services/postfixpolicyd.te
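Review bot: Nothing in postfixpolicyd_admin says that ptrace is now conditional. The rule `allow $1 postfix_policyd_t:process ptrace;` sits in the else-branch of the deny_ptrace block, so the admin domain keeps ptrace on the daemon while the boolean is off and loses it only when an administrator turns deny_ptrace on. A one-line comment above the block, for example `# ptrace of the daemon is allowed unless the deny_ptrace boolean is enabled`, would make that explicit for anyone auditing what an admin role can do. The same applies to the other hunks in this commit that add the identical block (postfix, postgresql, postgrey, ppp, prelude, privoxy, psad, pyzor, qpid, radius, radvd, razor, rgmanager, rhsmcertd, ricci, roundup, rpcbind, rwho, samba).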
@@ -50309,7 +51663,7 @@ index f03fad4..1865d8f 100644
ifdef(`distro_debian', `
/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index 09aeffa..f8a0d88 100644
+index 09aeffa..d728f3a 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -10,7 +10,7 @@
@@ -50420,7 +51774,7 @@ index 09aeffa..f8a0d88 100644
')
########################################
-@@ -531,13 +533,10 @@ interface(`postgresql_unconfined',`
+@@ -531,33 +533,38 @@ interface(`postgresql_unconfined',`
#
interface(`postgresql_admin',`
gen_require(`
@@ -50438,7 +51792,16 @@ index 09aeffa..f8a0d88 100644
')
typeattribute $1 sepgsql_admin_type;
-@@ -550,14 +549,19 @@ interface(`postgresql_admin',`
+
+- allow $1 postgresql_t:process { ptrace signal_perms };
++ allow $1 postgresql_t:process signal_perms;
+ ps_process_pattern($1, postgresql_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postgresql_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
+ domain_system_change_exemption($1)
role_transition $2 postgresql_initrc_exec_t system_r;
allow $2 system_r;
@@ -50459,7 +51822,7 @@ index 09aeffa..f8a0d88 100644
postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4a5387a..acf8ed1 100644
+index 4a5387a..6a6dd0e 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,16 +19,16 @@ gen_require(`
@@ -50504,8 +51867,17 @@ index 4a5387a..acf8ed1 100644
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
+@@ -330,7 +329,7 @@ userdom_dontaudit_use_user_terminals(postgresql_t)
+
+ mta_getattr_spool(postgresql_t)
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow postgresql_t self:process execmem;
+ ')
+
diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if
-index ad15fde..6f55445 100644
+index ad15fde..12202e1 100644
--- a/policy/modules/services/postgrey.if
+++ b/policy/modules/services/postgrey.if
@@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',`
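Review bot: The postgresql.te change at inner hunk `@@ -330,7 +329,7 @@` inverts the condition rather than just renaming the boolean. `allow postgresql_t self:process execmem;` used to apply only when allow_execmem was switched on, and now sits in the else-branch of the deny_execmem block, so it applies whenever deny_execmem is off. If deny_execmem defaults to false, postgresql_t gains executable-and-writable memory on a default install, where it presumably did not have it before. It is worth confirming that the server needs execmem; if it does not, the rule should be left out or kept behind an opt-in boolean. Either way, a comment above the block such as `# execmem is granted unless deny_execmem is enabled` would record the choice.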
@@ -50528,7 +51900,7 @@ index ad15fde..6f55445 100644
allow $1 postgrey_spool_t:dir search_dir_perms;
')
-@@ -57,9 +58,8 @@ interface(`postgrey_search_spool',`
+@@ -57,13 +58,15 @@ interface(`postgrey_search_spool',`
#
interface(`postgrey_admin',`
gen_require(`
@@ -50538,7 +51910,15 @@ index ad15fde..6f55445 100644
- type postgrey_initrc_exec_t;
')
- allow $1 postgrey_t:process { ptrace signal_perms };
+- allow $1 postgrey_t:process { ptrace signal_perms };
++ allow $1 postgrey_t:process signal_perms;
+ ps_process_pattern($1, postgrey_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postgrey_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index db843e2..4389e81 100644
--- a/policy/modules/services/postgrey.te
@@ -50581,7 +51961,7 @@ index 2d82c6d..adf5731 100644
-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
-index b524673..921a60f 100644
+index b524673..3089841 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
@@ -50650,7 +52030,7 @@ index b524673..921a60f 100644
## All of the rules required to administrate
## an ppp environment
## </summary>
-@@ -348,21 +371,27 @@ interface(`ppp_initrc_domtrans',`
+@@ -348,20 +371,30 @@ interface(`ppp_initrc_domtrans',`
## Domain allowed access.
## </summary>
## </param>
@@ -50674,16 +52054,19 @@ index b524673..921a60f 100644
')
- allow $1 pppd_t:process { ptrace signal_perms getattr };
-+ allow $1 pppd_t:process { ptrace signal_perms };
++ allow $1 pppd_t:process signal_perms;
ps_process_pattern($1, pppd_t)
-
-+ allow $1 pptp_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, pptp_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 pppd_t:process ptrace;
++ allow $1 pptp_t:process ptrace;
++ ')
+
++ allow $1 pptp_t:process signal_perms;
++ ps_process_pattern($1, pptp_t)
+
ppp_initrc_domtrans($1)
domain_system_change_exemption($1)
- role_transition $2 pppd_initrc_exec_t system_r;
-@@ -374,6 +403,7 @@ interface(`ppp_admin',`
+@@ -374,6 +407,7 @@ interface(`ppp_admin',`
logging_list_logs($1)
admin_pattern($1, pppd_log_t)
@@ -50691,7 +52074,7 @@ index b524673..921a60f 100644
admin_pattern($1, pppd_lock_t)
files_list_etc($1)
-@@ -386,10 +416,9 @@ interface(`ppp_admin',`
+@@ -386,10 +420,9 @@ interface(`ppp_admin',`
files_list_pids($1)
admin_pattern($1, pppd_var_run_t)
@@ -50864,7 +52247,7 @@ index 2af42e7..20f5d6b 100644
files_read_etc_files(pptp_t)
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
-index 2316653..77ef768 100644
+index 2316653..b295b91 100644
--- a/policy/modules/services/prelude.if
+++ b/policy/modules/services/prelude.if
@@ -5,9 +5,9 @@
@@ -50915,7 +52298,7 @@ index 2316653..77ef768 100644
## </param>
#
interface(`prelude_manage_spool',`
-@@ -112,13 +112,10 @@ interface(`prelude_manage_spool',`
+@@ -112,22 +112,24 @@ interface(`prelude_manage_spool',`
#
interface(`prelude_admin',`
gen_require(`
@@ -50932,8 +52315,25 @@ index 2316653..77ef768 100644
+ type prelude_lml_t;
')
- allow $1 prelude_t:process { ptrace signal_perms };
-@@ -135,10 +132,17 @@ interface(`prelude_admin',`
+- allow $1 prelude_t:process { ptrace signal_perms };
++ allow $1 prelude_t:process signal_perms;
+ ps_process_pattern($1, prelude_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 prelude_t:process ptrace;
++ allow $1 prelude_audisp_t:process ptrace;
++ allow $1 prelude_lml_t:process ptrace;
++ ')
+
+- allow $1 prelude_audisp_t:process { ptrace signal_perms };
++ allow $1 prelude_audisp_t:process signal_perms;
+ ps_process_pattern($1, prelude_audisp_t)
+
+- allow $1 prelude_lml_t:process { ptrace signal_perms };
++ allow $1 prelude_lml_t:process signal_perms;
+ ps_process_pattern($1, prelude_lml_t)
+
+ init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+@@ -135,10 +137,17 @@ interface(`prelude_admin',`
role_transition $2 prelude_initrc_exec_t system_r;
allow $2 system_r;
@@ -50998,6 +52398,23 @@ index b1bc02c..e0c0f70 100644
corenet_tcp_connect_prelude_port(prelude_lml_t)
dev_read_rand(prelude_lml_t)
+diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
+index afd1751..5aff531 100644
+--- a/policy/modules/services/privoxy.if
++++ b/policy/modules/services/privoxy.if
+@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
+ type privoxy_etc_rw_t, privoxy_var_run_t;
+ ')
+
+- allow $1 privoxy_t:process { ptrace signal_perms };
++ allow $1 privoxy_t:process signal_perms;
+ ps_process_pattern($1, privoxy_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 privoxy_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 2dbf4d4..28d7fe5 100644
--- a/policy/modules/services/privoxy.te
@@ -51142,7 +52559,7 @@ index 29b9295..6451f82 100644
optional_policy(`
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
-index bc329d1..0589f97 100644
+index bc329d1..20bb463 100644
--- a/policy/modules/services/psad.if
+++ b/policy/modules/services/psad.if
@@ -91,7 +91,6 @@ interface(`psad_manage_config',`
@@ -51244,7 +52661,7 @@ index bc329d1..0589f97 100644
## Read and write psad tmp files.
## </summary>
## <param name="domain">
-@@ -233,7 +291,7 @@ interface(`psad_rw_tmp_files',`
+@@ -233,30 +291,33 @@ interface(`psad_rw_tmp_files',`
interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
@@ -51253,7 +52670,15 @@ index bc329d1..0589f97 100644
type psad_tmp_t;
')
-@@ -245,18 +303,18 @@ interface(`psad_admin',`
+- allow $1 psad_t:process { ptrace signal_perms };
++ allow $1 psad_t:process signal_perms;
+ ps_process_pattern($1, psad_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 psad_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, psad_initrc_exec_t)
+ domain_system_change_exemption($1)
role_transition $2 psad_initrc_exec_t system_r;
allow $2 system_r;
@@ -51498,7 +52923,7 @@ index 2855a44..58bb459 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..5f6e7b8 100644
+index 64c5f95..fb500de 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -51536,6 +52961,15 @@ index 64c5f95..5f6e7b8 100644
type puppetmaster_t;
type puppetmaster_exec_t;
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+@@ -50,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t)
+ # Puppet personal policy
+ #
+
+-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+ allow puppet_t self:process { signal signull getsched setsched };
+ allow puppet_t self:fifo_file rw_fifo_file_perms;
+ allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
@@ -63,7 +75,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)
@@ -51545,7 +52979,42 @@ index 64c5f95..5f6e7b8 100644
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-@@ -132,7 +144,7 @@ sysnet_dns_name_resolve(puppet_t)
+@@ -80,7 +92,10 @@ kernel_dontaudit_search_sysctl(puppet_t)
+ kernel_dontaudit_search_kernel_sysctl(puppet_t)
+ kernel_read_system_state(puppet_t)
+ kernel_read_crypto_sysctls(puppet_t)
++kernel_read_kernel_sysctls(puppet_t)
+
++corecmd_read_all_executables(puppet_t)
++corecmd_dontaudit_access_all_executables(puppet_t)
+ corecmd_exec_bin(puppet_t)
+ corecmd_exec_shell(puppet_t)
+
+@@ -103,6 +118,7 @@ files_manage_config_files(puppet_t)
+ files_manage_config_dirs(puppet_t)
+ files_manage_etc_dirs(puppet_t)
+ files_manage_etc_files(puppet_t)
++files_read_usr_files(puppet_t)
+ files_read_usr_symlinks(puppet_t)
+ files_relabel_config_dirs(puppet_t)
+ files_relabel_config_files(puppet_t)
+@@ -115,6 +131,9 @@ selinux_validate_context(puppet_t)
+ term_dontaudit_getattr_unallocated_ttys(puppet_t)
+ term_dontaudit_getattr_all_ttys(puppet_t)
+
++auth_use_nsswitch(puppet_t)
++auth_read_passwd(puppet_t)
++
+ init_all_labeled_script_domtrans(puppet_t)
+ init_domtrans_script(puppet_t)
+ init_read_utmp(puppet_t)
+@@ -127,16 +146,21 @@ miscfiles_read_localization(puppet_t)
+
+ seutil_domtrans_setfiles(puppet_t)
+ seutil_domtrans_semanage(puppet_t)
++seutil_read_file_contexts(puppet_t)
+
+ sysnet_dns_name_resolve(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
tunable_policy(`puppet_manage_all_files',`
@@ -51554,7 +53023,16 @@ index 64c5f95..5f6e7b8 100644
')
optional_policy(`
-@@ -144,6 +156,10 @@ optional_policy(`
+- consoletype_domtrans(puppet_t)
++ cfengine_read_lib_files(puppet_t)
++')
++
++optional_policy(`
++ consoletype_exec(puppet_t)
+ ')
+
+ optional_policy(`
+@@ -144,6 +168,14 @@ optional_policy(`
')
optional_policy(`
@@ -51562,14 +53040,26 @@ index 64c5f95..5f6e7b8 100644
+')
+
+optional_policy(`
++ mta_send_mail(puppet_t)
++')
++
++optional_policy(`
files_rw_var_files(puppet_t)
rpm_domtrans(puppet_t)
-@@ -162,7 +178,60 @@ optional_policy(`
+@@ -156,13 +188,68 @@ optional_policy(`
+ ')
- ########################################
- #
--# Pupper master personal policy
+ optional_policy(`
+- usermanage_domtrans_groupadd(puppet_t)
+- usermanage_domtrans_useradd(puppet_t)
++ usermanage_access_check_groupadd(puppet_t)
++ usermanage_access_check_passwd(puppet_t)
++ usermanage_access_check_useradd(puppet_t)
++')
++
++########################################
++#
+# PuppetCA personal policy
+#
+
@@ -51617,17 +53107,19 @@ index 64c5f95..5f6e7b8 100644
+')
+
+optional_policy(`
-+ usermanage_access_check_passwd(puppetca_t)
-+ usermanage_access_check_useradd(puppetca_t)
-+')
-+
-+########################################
-+#
++ usermanage_access_check_groupadd(puppet_t)
++ usermanage_access_check_passwd(puppet_t)
++ usermanage_access_check_useradd(puppet_t)
+ ')
+
+ ########################################
+ #
+-# Pupper master personal policy
+# Puppet master personal policy
#
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -171,29 +240,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+@@ -171,29 +258,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
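Review bot: The last optional_policy block of the PuppetCA section now names puppet_t instead of puppetca_t. The lines `usermanage_access_check_passwd(puppetca_t)` and `usermanage_access_check_useradd(puppetca_t)` were replaced by three calls on puppet_t, which repeat the block this commit already adds for puppet_t just before the PuppetCA header. As written, puppetca_t loses both access checks and puppet_t gets the same rules twice, which looks like a copy-and-paste slip from the merge. If puppetca_t still needs them, the block should read `usermanage_access_check_passwd(puppetca_t)` and `usermanage_access_check_useradd(puppetca_t)`; otherwise the duplicate block can be dropped.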
@@ -51666,7 +53158,7 @@ index 64c5f95..5f6e7b8 100644
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +281,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +299,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
@@ -51716,7 +53208,7 @@ index 64c5f95..5f6e7b8 100644
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +331,9 @@ optional_policy(`
+@@ -231,3 +349,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -51755,7 +53247,7 @@ index d4a7750..705196e 100644
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
-index 494f7e2..aa3d0b4 100644
+index 494f7e2..2c411af 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -14,6 +14,7 @@
@@ -51766,16 +53258,19 @@ index 494f7e2..aa3d0b4 100644
#
interface(`pyzor_role',`
gen_require(`
-@@ -28,7 +29,7 @@ interface(`pyzor_role',`
+@@ -28,7 +29,10 @@ interface(`pyzor_role',`
# allow ps to show pyzor and allow the user to kill it
ps_process_pattern($2, pyzor_t)
- allow $2 pyzor_t:process signal;
-+ allow $2 pyzor_t:process { ptrace signal_perms };
++ allow $2 pyzor_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 pyzor_t:process ptrace;
++ ')
')
########################################
-@@ -88,3 +89,47 @@ interface(`pyzor_exec',`
+@@ -88,3 +92,50 @@ interface(`pyzor_exec',`
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
')
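Review bot: In pyzor_role the comment still reads "allow ps to show pyzor and allow the user to kill it", but the rules under it now do more than that. The user role gets `signal_perms` and, whenever deny_ptrace is off, `allow $2 pyzor_t:process ptrace;`, which lets the user domain inspect and alter the confined pyzor process. If ptrace is not needed for a role interface, drop that rule and keep only the signal permissions. Otherwise change the comment to `# allow ps to show pyzor, let the user signal it, and ptrace it unless deny_ptrace is enabled`. The same mismatch is in the razor_role hunk of razor.if; pyzor_role itself starts outside this hunk.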
@@ -51803,8 +53298,11 @@ index 494f7e2..aa3d0b4 100644
+ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
+ ')
+
-+ allow $1 pyzord_t:process { ptrace signal_perms };
++ allow $1 pyzord_t:process signal_perms;
+ ps_process_pattern($1, pyzord_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 pyzord_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+ domain_system_change_exemption($1)
@@ -52232,7 +53730,7 @@ index 4f94229..f3b89e4 100644
/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
diff --git a/policy/modules/services/qpid.if b/policy/modules/services/qpid.if
-index 5a9630c..c403abc 100644
+index 5a9630c..61f0099 100644
--- a/policy/modules/services/qpid.if
+++ b/policy/modules/services/qpid.if
@@ -1,4 +1,4 @@
@@ -52410,7 +53908,20 @@ index 5a9630c..c403abc 100644
')
########################################
-@@ -180,7 +186,43 @@ interface(`qpidd_admin',`
+@@ -171,8 +177,11 @@ interface(`qpidd_admin',`
+ type qpidd_t, qpidd_initrc_exec_t;
+ ')
+
+- allow $1 qpidd_t:process { ptrace signal_perms };
++ allow $1 qpidd_t:process signal_perms;
+ ps_process_pattern($1, qpidd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 qpidd_t:process ptrace;
++ ')
+
+ # Allow qpidd_t to restart the apache service
+ qpidd_initrc_domtrans($1)
+@@ -180,7 +189,43 @@ interface(`qpidd_admin',`
role_transition $2 qpidd_initrc_exec_t system_r;
allow $2 system_r;
@@ -52419,8 +53930,7 @@ index 5a9630c..c403abc 100644
+
+ qpidd_manage_var_lib($1)
+')
-
-- admin_pattern($1, qpidd_var_run_t)
++
+#####################################
+## <summary>
+## Allow read and write access to qpidd semaphores.
@@ -52453,7 +53963,8 @@ index 5a9630c..c403abc 100644
+ gen_require(`
+ type qpidd_t;
+ ')
-+
+
+- admin_pattern($1, qpidd_var_run_t)
+ allow $1 qpidd_t:shm rw_shm_perms;
')
diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te
@@ -52655,6 +54166,23 @@ index 0000000..55aaca1
+
+miscfiles_read_localization(rabbitmq_epmd_t)
+
+diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
+index 75e5dc4..87d75fe 100644
+--- a/policy/modules/services/radius.if
++++ b/policy/modules/services/radius.if
+@@ -38,8 +38,11 @@ interface(`radius_admin',`
+ type radiusd_initrc_exec_t;
+ ')
+
+- allow $1 radiusd_t:process { ptrace signal_perms };
++ allow $1 radiusd_t:process signal_perms;
+ ps_process_pattern($1, radiusd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 radiusd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index b1ed1bf..124971d 100644
--- a/policy/modules/services/radius.te
@@ -52676,10 +54204,10 @@ index b1ed1bf..124971d 100644
corenet_tcp_connect_snmp_port(radiusd_t)
corenet_sendrecv_radius_server_packets(radiusd_t)
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
-index be05bff..2bd662a 100644
+index be05bff..7b00e1e 100644
--- a/policy/modules/services/radvd.if
+++ b/policy/modules/services/radvd.if
-@@ -19,8 +19,8 @@
+@@ -19,12 +19,15 @@
#
interface(`radvd_admin',`
gen_require(`
@@ -52689,7 +54217,15 @@ index be05bff..2bd662a 100644
+ type radvd_var_run_t;
')
- allow $1 radvd_t:process { ptrace signal_perms };
+- allow $1 radvd_t:process { ptrace signal_perms };
++ allow $1 radvd_t:process signal_perms;
+ ps_process_pattern($1, radvd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 radvd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
index 1efba0c..71d657c 100644
--- a/policy/modules/services/razor.fc
@@ -52700,7 +54236,7 @@ index 1efba0c..71d657c 100644
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
-index f04a595..3203212 100644
+index f04a595..d6a6e1a 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -26,6 +26,7 @@ template(`razor_common_domain_template',`
@@ -52728,16 +54264,19 @@ index f04a595..3203212 100644
#
interface(`razor_role',`
gen_require(`
-@@ -130,7 +132,7 @@ interface(`razor_role',`
+@@ -130,7 +132,10 @@ interface(`razor_role',`
# allow ps to show razor and allow the user to kill it
ps_process_pattern($2, razor_t)
- allow $2 razor_t:process signal;
-+ allow $2 razor_t:process { ptrace signal_perms };
++ allow $2 razor_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 razor_t:process ptrace;
++ ')
manage_dirs_pattern($2, razor_home_t, razor_home_t)
manage_files_pattern($2, razor_home_t, razor_home_t)
-@@ -157,3 +159,43 @@ interface(`razor_domtrans',`
+@@ -157,3 +162,43 @@ interface(`razor_domtrans',`
domtrans_pattern($1, razor_exec_t, razor_t)
')
@@ -53133,7 +54672,7 @@ index 3c97ef0..c025d59 100644
/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
-index 7dc38d1..9c2c963 100644
+index 7dc38d1..e3bdea7 100644
--- a/policy/modules/services/rgmanager.if
+++ b/policy/modules/services/rgmanager.if
@@ -5,9 +5,9 @@
@@ -53148,7 +54687,7 @@ index 7dc38d1..9c2c963 100644
## </param>
#
interface(`rgmanager_domtrans',`
-@@ -75,3 +75,64 @@ interface(`rgmanager_manage_tmpfs_files',`
+@@ -75,3 +75,67 @@ interface(`rgmanager_manage_tmpfs_files',`
fs_search_tmpfs($1)
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
')
@@ -53194,8 +54733,11 @@ index 7dc38d1..9c2c963 100644
+ type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
+ ')
+
-+ allow $1 rgmanager_t:process { ptrace signal_perms };
++ allow $1 rgmanager_t:process signal_perms;
+ ps_process_pattern($1, rgmanager_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rgmanager_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+ domain_system_change_exemption($1)
@@ -53214,7 +54756,7 @@ index 7dc38d1..9c2c963 100644
+ admin_pattern($1, rgmanager_var_run_t)
+')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..bac3e66 100644
+index 00fa514..d3d5f2b 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -53241,16 +54783,18 @@ index 00fa514..bac3e66 100644
type rgmanager_tmp_t;
files_tmp_file(rgmanager_tmp_t)
-@@ -37,7 +39,7 @@ files_pid_file(rgmanager_var_run_t)
+@@ -35,9 +37,8 @@ files_pid_file(rgmanager_var_run_t)
+ #
+
allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
- dontaudit rgmanager_t self:capability { sys_ptrace };
+-dontaudit rgmanager_t self:capability { sys_ptrace };
allow rgmanager_t self:process { setsched signal };
-dontaudit rgmanager_t self:process { ptrace };
+dontaudit rgmanager_t self:process ptrace;
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
-@@ -55,11 +57,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
+@@ -55,11 +56,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
@@ -53266,7 +54810,7 @@ index 00fa514..bac3e66 100644
kernel_read_system_state(rgmanager_t)
kernel_rw_rpc_sysctls(rgmanager_t)
kernel_search_debugfs(rgmanager_t)
-@@ -67,7 +72,6 @@ kernel_search_network_state(rgmanager_t)
+@@ -67,7 +71,6 @@ kernel_search_network_state(rgmanager_t)
corecmd_exec_bin(rgmanager_t)
corecmd_exec_shell(rgmanager_t)
@@ -53274,7 +54818,7 @@ index 00fa514..bac3e66 100644
# need to write to /dev/misc/dlm-control
dev_rw_dlm_control(rgmanager_t)
-@@ -78,29 +82,35 @@ domain_read_all_domains_state(rgmanager_t)
+@@ -78,29 +81,35 @@ domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t)
domain_dontaudit_ptrace_all_domains(rgmanager_t)
@@ -53314,7 +54858,7 @@ index 00fa514..bac3e66 100644
tunable_policy(`rgmanager_can_network_connect',`
corenet_tcp_connect_all_ports(rgmanager_t)
-@@ -118,6 +128,14 @@ optional_policy(`
+@@ -118,6 +127,14 @@ optional_policy(`
')
optional_policy(`
@@ -53329,7 +54873,7 @@ index 00fa514..bac3e66 100644
fstools_domtrans(rgmanager_t)
')
-@@ -140,6 +158,16 @@ optional_policy(`
+@@ -140,6 +157,16 @@ optional_policy(`
')
optional_policy(`
@@ -53346,7 +54890,7 @@ index 00fa514..bac3e66 100644
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')
-@@ -165,6 +193,8 @@ optional_policy(`
+@@ -165,6 +192,8 @@ optional_policy(`
optional_policy(`
rpc_initrc_domtrans_nfsd(rgmanager_t)
rpc_initrc_domtrans_rpcd(rgmanager_t)
@@ -54085,10 +55629,10 @@ index 0000000..5094d93
+/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if
new file mode 100644
-index 0000000..811c52e
+index 0000000..61d0a4c
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.if
-@@ -0,0 +1,305 @@
+@@ -0,0 +1,308 @@
+
+## <summary>Subscription Management Certificate Daemon policy</summary>
+
@@ -54375,8 +55919,11 @@ index 0000000..811c52e
+ type rhsmcertd_var_run_t;
+ ')
+
-+ allow $1 rhsmcertd_t:process { ptrace signal_perms };
++ allow $1 rhsmcertd_t:process signal_perms;
+ ps_process_pattern($1, rhsmcertd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rhsmcertd_t:process ptrace;
++ ')
+
+ rhsmcertd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -54473,7 +56020,7 @@ index 5b08327..ed5dc05 100644
/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
-index f7826f9..679d185 100644
+index f7826f9..62ccd55 100644
--- a/policy/modules/services/ricci.if
+++ b/policy/modules/services/ricci.if
@@ -5,9 +5,9 @@
@@ -54609,7 +56156,7 @@ index f7826f9..679d185 100644
## </param>
#
interface(`ricci_domtrans_modstorage',`
-@@ -165,3 +201,67 @@ interface(`ricci_domtrans_modstorage',`
+@@ -165,3 +201,70 @@ interface(`ricci_domtrans_modstorage',`
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
@@ -54657,8 +56204,11 @@ index f7826f9..679d185 100644
+ type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
+ ')
+
-+ allow $1 ricci_t:process { ptrace signal_perms };
++ allow $1 ricci_t:process signal_perms;
+ ps_process_pattern($1, ricci_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ricci_t:process ptrace;
++ ')
+
+ ricci_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -55018,6 +56568,23 @@ index 779fa44..4bcaacc 100644
+optional_policy(`
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
')
+diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if
+index 30c4b75..e07c2ff 100644
+--- a/policy/modules/services/roundup.if
++++ b/policy/modules/services/roundup.if
+@@ -23,8 +23,11 @@ interface(`roundup_admin',`
+ type roundup_initrc_exec_t;
+ ')
+
+- allow $1 roundup_t:process { ptrace signal_perms };
++ allow $1 roundup_t:process signal_perms;
+ ps_process_pattern($1, roundup_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 roundup_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
index 5c70c0c..f9f0f54 100644
--- a/policy/modules/services/rpc.fc
@@ -55387,7 +56954,7 @@ index f5c47d6..5a965e9 100644
/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
-index a96249c..3942dfc 100644
+index a96249c..b4f950d 100644
--- a/policy/modules/services/rpcbind.if
+++ b/policy/modules/services/rpcbind.if
@@ -5,9 +5,9 @@
@@ -55437,9 +57004,16 @@ index a96249c..3942dfc 100644
## All of the rules required to administrate
## an rpcbind environment
## </summary>
-@@ -141,8 +158,14 @@ interface(`rpcbind_admin',`
- allow $1 rpcbind_t:process { ptrace signal_perms };
+@@ -138,11 +155,20 @@ interface(`rpcbind_admin',`
+ type rpcbind_initrc_exec_t;
+ ')
+
+- allow $1 rpcbind_t:process { ptrace signal_perms };
++ allow $1 rpcbind_t:process signal_perms;
ps_process_pattern($1, rpcbind_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rpcbind_t:process ptrace;
++ ')
- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
@@ -55693,10 +57267,10 @@ index 46dad1f..6586da0 100644
allow rtkit_daemon_t $1:process { getsched setsched };
rtkit_daemon_dbus_chat($1)
diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te
-index 6f8e268..7d64285 100644
+index 6f8e268..a53e4f0 100644
--- a/policy/modules/services/rtkit.te
+++ b/policy/modules/services/rtkit.te
-@@ -8,6 +8,7 @@ policy_module(rtkit, 1.1.0)
+@@ -8,13 +8,14 @@ policy_module(rtkit, 1.1.0)
type rtkit_daemon_t;
type rtkit_daemon_exec_t;
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
@@ -55704,8 +57278,16 @@ index 6f8e268..7d64285 100644
########################################
#
+ # rtkit_daemon local policy
+ #
+
+-allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
++allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice };
+ allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+
+ kernel_read_system_state(rtkit_daemon_t)
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
-index 71ea0ea..664e68e 100644
+index 71ea0ea..26af97f 100644
--- a/policy/modules/services/rwho.if
+++ b/policy/modules/services/rwho.if
@@ -5,9 +5,9 @@
@@ -55720,6 +57302,19 @@ index 71ea0ea..664e68e 100644
## </param>
#
interface(`rwho_domtrans',`
+@@ -138,8 +138,11 @@ interface(`rwho_admin',`
+ type rwho_initrc_exec_t;
+ ')
+
+- allow $1 rwho_t:process { ptrace signal_perms };
++ allow $1 rwho_t:process signal_perms;
+ ps_process_pattern($1, rwho_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rwho_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, rwho_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index a07b2f4..ee39810 100644
--- a/policy/modules/services/rwho.te
@@ -55775,7 +57370,7 @@ index 69a6074..596dbb3 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..0a29f68 100644
+index 82cb169..48c023e 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -60,6 +60,29 @@ interface(`samba_initrc_domtrans',`
@@ -55986,7 +57581,7 @@ index 82cb169..0a29f68 100644
## All of the rules required to administrate
## an samba environment
## </summary>
-@@ -661,21 +776,12 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,29 +776,28 @@ interface(`samba_stream_connect_winbind',`
#
interface(`samba_admin',`
gen_require(`
@@ -56013,18 +57608,26 @@ index 82cb169..0a29f68 100644
+ type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
')
- allow $1 smbd_t:process { ptrace signal_perms };
-@@ -684,6 +790,9 @@ interface(`samba_admin',`
- allow $1 nmbd_t:process { ptrace signal_perms };
+- allow $1 smbd_t:process { ptrace signal_perms };
++ allow $1 smbd_t:process signal_perms;
+ ps_process_pattern($1, smbd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 smbd_t:process ptrace;
++ allow $1 nmbd_t:process ptrace;
++ allow $1 samba_unconfined_script_t:process ptrace;
++ ')
+
+- allow $1 nmbd_t:process { ptrace signal_perms };
++ allow $1 nmbd_t:process signal_perms;
ps_process_pattern($1, nmbd_t)
-+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
++ allow $1 samba_unconfined_script_t:process signal_perms;
+ ps_process_pattern($1, samba_unconfined_script_t)
+
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)
samba_run_smbmount($1, $2, $3)
-@@ -709,9 +818,6 @@ interface(`samba_admin',`
+@@ -709,9 +823,6 @@ interface(`samba_admin',`
admin_pattern($1, samba_var_t)
files_list_var($1)
@@ -56034,7 +57637,7 @@ index 82cb169..0a29f68 100644
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
-@@ -727,4 +833,7 @@ interface(`samba_admin',`
+@@ -727,4 +838,7 @@ interface(`samba_admin',`
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
@@ -56043,7 +57646,7 @@ index 82cb169..0a29f68 100644
+ samba_systemctl($1)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..9010ac2 100644
+index e30bb63..d893f99 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
@@ -56207,8 +57810,16 @@ index e30bb63..9010ac2 100644
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +565,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -555,18 +560,21 @@ optional_policy(`
+ # smbcontrol local policy
+ #
+
++
++allow smbcontrol_t self:process signal;
+ # internal communication is often done using fifo and unix sockets.
+ allow smbcontrol_t self:fifo_file rw_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
++allow smbcontrol_t self:process { signal signull };
allow smbcontrol_t nmbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
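Review bot: The smbcontrol local policy now carries two overlapping self rules: `allow smbcontrol_t self:process signal;` is added at the top of the section, and `allow smbcontrol_t self:process { signal signull };` is added a few lines later. The second is a superset of the first, so the first rule and the extra blank line above it can be dropped to leave a single statement. Nothing is over-granted, but duplicate rules make later audits of what smbcontrol_t may do to itself harder to read.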
@@ -56225,7 +57836,7 @@ index e30bb63..9010ac2 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -574,11 +579,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +582,19 @@ samba_read_winbind_pid(smbcontrol_t)
domain_use_interactive_fds(smbcontrol_t)
@@ -56246,7 +57857,7 @@ index e30bb63..9010ac2 100644
########################################
#
-@@ -644,19 +657,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +660,21 @@ auth_use_nsswitch(smbmount_t)
miscfiles_read_localization(smbmount_t)
@@ -56271,7 +57882,7 @@ index e30bb63..9010ac2 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +692,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +695,7 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -56280,7 +57891,7 @@ index e30bb63..9010ac2 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +707,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +710,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -56295,7 +57906,7 @@ index e30bb63..9010ac2 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +727,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +730,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -56303,7 +57914,7 @@ index e30bb63..9010ac2 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +772,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +775,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -56312,7 +57923,7 @@ index e30bb63..9010ac2 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -783,7 +803,7 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +806,7 @@ allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
@@ -56321,7 +57932,7 @@ index e30bb63..9010ac2 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +826,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +829,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -56343,7 +57954,7 @@ index e30bb63..9010ac2 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +854,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +857,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -56351,7 +57962,7 @@ index e30bb63..9010ac2 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -863,6 +885,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -863,6 +888,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
@@ -56364,7 +57975,7 @@ index e30bb63..9010ac2 100644
optional_policy(`
kerberos_use(winbind_t)
')
-@@ -904,7 +932,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +935,7 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
@@ -56373,7 +57984,7 @@ index e30bb63..9010ac2 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,6 +950,18 @@ optional_policy(`
+@@ -922,6 +953,18 @@ optional_policy(`
#
optional_policy(`
@@ -56392,7 +58003,7 @@ index e30bb63..9010ac2 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +972,12 @@ optional_policy(`
+@@ -932,9 +975,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -56406,6 +58017,27 @@ index e30bb63..9010ac2 100644
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
+diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if
+index c040ebf..2b601a5 100644
+--- a/policy/modules/services/samhain.if
++++ b/policy/modules/services/samhain.if
+@@ -271,10 +271,14 @@ interface(`samhain_admin',`
+ type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
+ ')
+
+- allow $1 samhain_t:process { ptrace signal_perms };
++ allow $1 samhain_t:process signal_perms;
+ ps_process_pattern($1, samhain_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 samhain_t:process ptrace;
++ allow $1 samhaind_t:process ptrace;
++ ')
+
+- allow $1 samhaind_t:process { ptrace signal_perms };
++ allow $1 samhaind_t:process signal_perms;
+ ps_process_pattern($1, samhaind_t)
+
+ files_list_var_lib($1)
diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
index 150c85d..71e9315 100644
--- a/policy/modules/services/samhain.te
@@ -56435,10 +58067,10 @@ index 0000000..630960e
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if
new file mode 100644
-index 0000000..486d53d
+index 0000000..0d53457
--- /dev/null
+++ b/policy/modules/services/sanlock.if
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,113 @@
+
+## <summary>policy for sanlock</summary>
+
@@ -56540,8 +58172,11 @@ index 0000000..486d53d
+ type sanlock_initrc_exec_t;
+ ')
+
-+ allow $1 sanlock_t:process { ptrace signal_perms };
++ allow $1 sanlock_t:process signal_perms;
+ ps_process_pattern($1, sanlock_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 sanlock_t:process ptrace;
++ ')
+
+ sanlock_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -56628,10 +58263,10 @@ index 0000000..0c1e385
+ virt_signal_svirt(sanlock_t)
+')
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
-index f1aea88..a5a75a8 100644
+index f1aea88..3e6a93f 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
-@@ -38,11 +38,11 @@ interface(`sasl_connect',`
+@@ -38,21 +38,21 @@ interface(`sasl_connect',`
#
interface(`sasl_admin',`
gen_require(`
@@ -56641,11 +58276,14 @@ index f1aea88..a5a75a8 100644
')
- allow $1 saslauthd_t:process { ptrace signal_perms getattr };
-+ allow $1 saslauthd_t:process { ptrace signal_perms };
++ allow $1 saslauthd_t:process signal_perms;
ps_process_pattern($1, saslauthd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 saslauthd_t:process ptrace;
++ ')
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
-@@ -50,9 +50,6 @@ interface(`sasl_admin',`
+ domain_system_change_exemption($1)
role_transition $2 saslauthd_initrc_exec_t system_r;
allow $2 system_r;
@@ -56715,10 +58353,10 @@ index 0000000..d5c3c3f
+/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if
new file mode 100644
-index 0000000..b077a62
+index 0000000..40d0049
--- /dev/null
+++ b/policy/modules/services/sblim.if
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,82 @@
+
+## <summary> policy for SBLIM Gatherer </summary>
+
@@ -56786,11 +58424,15 @@ index 0000000..b077a62
+ type sblim_var_run_t;
+ ')
+
-+ allow $1 sblim_gatherd_t:process { ptrace signal_perms };
++ allow $1 sblim_gatherd_t:process signal_perms;
+ ps_process_pattern($1, sblim_gatherd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 sblim_gatherd_t:process ptrace;
++ allow $1 sblim_reposd_t:process ptrace;
++ ')
+
-+ allow $1 sblim_reposd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, sblim_reposd_t)
++ allow $1 sblim_reposd_t:process signal_perms;
++ ps_process_pattern($1, sblim_reposd_t)
+
+ files_search_pids($1)
+ admin_pattern($1, sblim_var_run_t)
@@ -56799,7 +58441,7 @@ index 0000000..b077a62
+
diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te
new file mode 100644
-index 0000000..067c552
+index 0000000..c4d9192
--- /dev/null
+++ b/policy/modules/services/sblim.te
@@ -0,0 +1,108 @@
@@ -56829,7 +58471,7 @@ index 0000000..067c552
+#
+
+#needed by ps
-+allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override };
++allow sblim_gatherd_t self:capability { kill dac_override };
+allow sblim_gatherd_t self:process signal;
+
+allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
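Review bot: The `#needed by ps` comment still sits directly above the capability rule after `sys_ptrace` was removed from it. The comment presumably explained `sys_ptrace`; if so it is now stale and suggests that `kill` and `dac_override` are there for ps. Either delete it or reword it to say what the remaining capabilities are for, for example `# sys_ptrace (previously granted for ps) intentionally dropped`.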
@@ -56923,7 +58565,7 @@ index a86ec50..ef4199b 100644
/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
-index 7e94c7c..5700fb8 100644
+index 7e94c7c..e918b16 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -51,10 +51,24 @@ interface(`sendmail_domtrans',`
@@ -56931,10 +58573,7 @@ index 7e94c7c..5700fb8 100644
mta_sendmail_domtrans($1, sendmail_t)
+')
-
-- allow sendmail_t $1:fd use;
-- allow sendmail_t $1:fifo_file rw_file_perms;
-- allow sendmail_t $1:process sigchld;
++
+#######################################
+## <summary>
+## Execute sendmail in the sendmail domain.
@@ -56949,7 +58588,10 @@ index 7e94c7c..5700fb8 100644
+ gen_require(`
+ type sendmail_initrc_exec_t;
+ ')
-+
+
+- allow sendmail_t $1:fd use;
+- allow sendmail_t $1:fifo_file rw_file_perms;
+- allow sendmail_t $1:process sigchld;
+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
')
@@ -56972,7 +58614,7 @@ index 7e94c7c..5700fb8 100644
')
########################################
-@@ -295,3 +309,50 @@ interface(`sendmail_run_unconfined',`
+@@ -295,3 +309,54 @@ interface(`sendmail_run_unconfined',`
sendmail_domtrans_unconfined($1)
role $2 types unconfined_sendmail_t;
')
@@ -57001,10 +58643,14 @@ index 7e94c7c..5700fb8 100644
+ type mail_spool_t;
+ ')
+
-+ allow $1 sendmail_t:process { ptrace signal_perms };
++ allow $1 sendmail_t:process signal_perms;
+ ps_process_pattern($1, sendmail_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 sendmail_t:process ptrace;
++ allow $1 unconfined_sendmail_t:process ptrace;
++ ')
+
-+ allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
++ allow $1 unconfined_sendmail_t:process signal_perms;
+ ps_process_pattern($1, unconfined_sendmail_t)
+
+ sendmail_initrc_domtrans($1)
@@ -57108,7 +58754,7 @@ index 22dac1f..1c27bd6 100644
+ uucp_domtrans_uux(sendmail_t)
')
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
-index bcdd16c..7c379a8 100644
+index bcdd16c..b1c92f9 100644
--- a/policy/modules/services/setroubleshoot.if
+++ b/policy/modules/services/setroubleshoot.if
@@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
@@ -57137,7 +58783,7 @@ index bcdd16c..7c379a8 100644
## All of the rules required to administrate
## an setroubleshoot environment
## </summary>
-@@ -117,15 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+@@ -117,15 +136,18 @@ interface(`setroubleshoot_dbus_chat_fixit',`
#
interface(`setroubleshoot_admin',`
gen_require(`
@@ -57147,8 +58793,12 @@ index bcdd16c..7c379a8 100644
+ type setroubleshoot_var_lib_t;
')
- allow $1 setroubleshootd_t:process { ptrace signal_perms };
+- allow $1 setroubleshootd_t:process { ptrace signal_perms };
++ allow $1 setroubleshootd_t:process signal_perms;
ps_process_pattern($1, setroubleshootd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 setroubleshootd_t:process ptrace;
++ ')
logging_list_logs($1)
- admin_pattern($1, setroubleshoot_log_t)
@@ -57277,7 +58927,7 @@ index e5e72fd..92eecec 100644
type slrnpull_log_t;
logging_log_file(slrnpull_log_t)
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
-index adea9f9..d5b2d93 100644
+index adea9f9..145adbd 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
@@ -57288,15 +58938,19 @@ index adea9f9..d5b2d93 100644
allow $1 fsdaemon_tmp_t:file read_file_perms;
')
-@@ -41,7 +42,7 @@ interface(`smartmon_admin',`
+@@ -41,8 +42,11 @@ interface(`smartmon_admin',`
type fsdaemon_initrc_exec_t;
')
- allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
-+ allow $1 fsdaemon_t:process { ptrace signal_perms };
++ allow $1 fsdaemon_t:process signal_perms;
ps_process_pattern($1, fsdaemon_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 smartmon_t:process ptrace;
++ ')
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 606a098..5e4d100 100644
--- a/policy/modules/services/smartmon.te
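Review bot: The new deny_ptrace block in `smartmon_admin` names `smartmon_t`, while every other rule in the interface, including the `signal_perms` line just above it, targets `fsdaemon_t`. No `smartmon_t` appears in the visible part of the interface, so the rule probably fails to resolve, and if such a type does exist it grants ptrace on the wrong domain. It should read `allow $1 fsdaemon_t:process ptrace;`. The `tftp_admin` hunk further down has the same slip: it uses `tftp_t` although the gen_require lists `tftpd_t`, so that line should be `allow $1 tftpd_t:process ptrace;`. The start of `smartmon_admin`'s gen_require is outside this hunk, so check it for the full type list.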
@@ -57339,6 +58993,23 @@ index 606a098..5e4d100 100644
libs_exec_ld_so(fsdaemon_t)
libs_exec_lib_files(fsdaemon_t)
+diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if
+index 8265278..017b923 100644
+--- a/policy/modules/services/smokeping.if
++++ b/policy/modules/services/smokeping.if
+@@ -153,8 +153,11 @@ interface(`smokeping_admin',`
+ type smokeping_t, smokeping_initrc_exec_t;
+ ')
+
+- allow $1 smokeping_t:process { ptrace signal_perms };
++ allow $1 smokeping_t:process signal_perms;
+ ps_process_pattern($1, smokeping_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 smokeping_t:process ptrace;
++ ')
+
+ smokeping_initrc_domtrans($1)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
index 740994a..a92ba26 100644
--- a/policy/modules/services/smokeping.te
@@ -57367,7 +59038,7 @@ index 623c8fa..0a802f7 100644
/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
-index 275f9fb..4f4a192 100644
+index 275f9fb..ad10bef 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -11,12 +11,12 @@
@@ -57453,7 +59124,7 @@ index 275f9fb..4f4a192 100644
')
########################################
-@@ -123,12 +164,11 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+@@ -123,13 +164,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
#
interface(`snmp_admin',`
gen_require(`
@@ -57464,12 +59135,16 @@ index 275f9fb..4f4a192 100644
')
- allow $1 snmpd_t:process { ptrace signal_perms getattr };
-+ allow $1 snmpd_t:process { ptrace signal_perms };
++ allow $1 snmpd_t:process signal_perms;
ps_process_pattern($1, snmpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 snmpd_t:process ptrace;
++ ')
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..9509742 100644
+index 3d8d1b3..9c747d4 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -57480,13 +59155,14 @@ index 3d8d1b3..9509742 100644
type snmpd_t;
type snmpd_exec_t;
init_daemon_domain(snmpd_t, snmpd_exec_t)
-@@ -24,12 +25,13 @@ files_type(snmpd_var_lib_t)
+@@ -24,12 +25,14 @@ files_type(snmpd_var_lib_t)
#
# Local policy
#
-allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+
-+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
++allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config };
++
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
@@ -57496,7 +59172,7 @@ index 3d8d1b3..9509742 100644
allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t self:udp_socket connected_stream_socket_perms;
-@@ -41,10 +43,11 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+@@ -41,10 +44,11 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
@@ -57510,7 +59186,7 @@ index 3d8d1b3..9509742 100644
kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
-@@ -94,15 +97,19 @@ files_search_home(snmpd_t)
+@@ -94,15 +98,19 @@ files_search_home(snmpd_t)
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
fs_search_auto_mountpoints(snmpd_t)
@@ -57531,7 +59207,7 @@ index 3d8d1b3..9509742 100644
logging_send_syslog_msg(snmpd_t)
-@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t)
+@@ -115,7 +123,7 @@ sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
@@ -57541,7 +59217,7 @@ index 3d8d1b3..9509742 100644
rpm_read_db(snmpd_t)
rpm_dontaudit_manage_db(snmpd_t)
diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
-index c117e8b..88ebedb 100644
+index c117e8b..e428bb9 100644
--- a/policy/modules/services/snort.if
+++ b/policy/modules/services/snort.if
@@ -5,9 +5,9 @@
@@ -57556,7 +59232,20 @@ index c117e8b..88ebedb 100644
## </param>
#
interface(`snort_domtrans',`
-@@ -50,11 +50,11 @@ interface(`snort_admin',`
+@@ -41,8 +41,11 @@ interface(`snort_admin',`
+ type snort_etc_t, snort_initrc_exec_t;
+ ')
+
+- allow $1 snort_t:process { ptrace signal_perms };
++ allow $1 snort_t:process signal_perms;
+ ps_process_pattern($1, snort_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 snort_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, snort_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -50,11 +53,11 @@ interface(`snort_admin',`
allow $2 system_r;
admin_pattern($1, snort_etc_t)
@@ -57597,10 +59286,10 @@ index 179bc1b..735c400 100644
manage_files_pattern(snort_t, snort_log_t, snort_log_t)
create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if
-index 93fe7bf..4a15633 100644
+index 93fe7bf..1b07ed4 100644
--- a/policy/modules/services/soundserver.if
+++ b/policy/modules/services/soundserver.if
-@@ -33,9 +33,8 @@ interface(`soundserver_tcp_connect',`
+@@ -33,13 +33,15 @@ interface(`soundserver_tcp_connect',`
#
interface(`soundserver_admin',`
gen_require(`
@@ -57610,7 +59299,15 @@ index 93fe7bf..4a15633 100644
- type soundd_initrc_exec_t;
')
- allow $1 soundd_t:process { ptrace signal_perms };
+- allow $1 soundd_t:process { ptrace signal_perms };
++ allow $1 soundd_t:process signal_perms;
+ ps_process_pattern($1, soundd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 soundd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, soundd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index 6b3abf9..a785741 100644
--- a/policy/modules/services/spamassassin.fc
@@ -57647,7 +59344,7 @@ index 6b3abf9..a785741 100644
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
-index c954f31..c7cadcb 100644
+index c954f31..85e8212 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -14,6 +14,7 @@
@@ -57663,12 +59360,12 @@ index c954f31..c7cadcb 100644
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+
-+ allow $2 spamassassin_t:process { ptrace signal_perms };
++ allow $2 spamassassin_t:process signal_perms;
ps_process_pattern($2, spamassassin_t)
domtrans_pattern($2, spamc_exec_t, spamc_t)
+
-+ allow $2 spamc_t:process { ptrace signal_perms };
++ allow $2 spamc_t:process signal_perms;
ps_process_pattern($2, spamc_t)
manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
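Review bot: In this template ptrace on `spamassassin_t` and `spamc_t` is removed outright, whereas the `*_admin` interfaces changed in the same commit keep it behind a deny_ptrace-gated `tunable_policy` block. The ssh.if hunks for `ssh_t` and `$1_ssh_agent_t` do the same. If the user-role ptrace is meant to be granted elsewhere, or dropped for good, a one-line comment next to the `signal_perms` rules would record that, for example `# ptrace deliberately not granted here; governed by deny_ptrace`. Otherwise the next merge is likely to reintroduce `{ ptrace signal_perms }`. The enclosing template starts outside this hunk.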
@@ -57766,7 +59463,7 @@ index c954f31..c7cadcb 100644
allow $1 spamd_tmp_t:file read_file_perms;
')
-@@ -223,5 +291,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+@@ -223,5 +291,75 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
type spamd_tmp_t;
')
@@ -57817,8 +59514,11 @@ index c954f31..c7cadcb 100644
+ type spamd_initrc_exec_t;
+ ')
+
-+ allow $1 spamd_t:process { ptrace signal_perms };
++ allow $1 spamd_t:process signal_perms;
+ ps_process_pattern($1, spamd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 spamd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+ domain_system_change_exemption($1)
@@ -58311,7 +60011,7 @@ index 6cc4a90..2015152 100644
/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
-index d2496bd..1d0c078 100644
+index d2496bd..c7614d7 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
@@ -58331,7 +60031,7 @@ index d2496bd..1d0c078 100644
#
interface(`squid_dontaudit_search_cache',`
gen_require(`
-@@ -207,8 +206,7 @@ interface(`squid_use',`
+@@ -207,12 +206,14 @@ interface(`squid_use',`
interface(`squid_admin',`
gen_require(`
type squid_t, squid_cache_t, squid_conf_t;
@@ -58340,7 +60040,15 @@ index d2496bd..1d0c078 100644
+ type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
')
- allow $1 squid_t:process { ptrace signal_perms };
+- allow $1 squid_t:process { ptrace signal_perms };
++ allow $1 squid_t:process signal_perms;
+ ps_process_pattern($1, squid_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 squid_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, squid_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 4b2230e..950e65a 100644
--- a/policy/modules/services/squid.te
@@ -58429,7 +60137,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..b13cd67 100644
+index 22adaca..5439f7e 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -58634,7 +60342,7 @@ index 22adaca..b13cd67 100644
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
- allow $3 ssh_t:process signal;
-+ allow $3 ssh_t:process { ptrace signal_perms };
++ allow $3 ssh_t:process signal_perms;
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
@@ -58656,7 +60364,7 @@ index 22adaca..b13cd67 100644
# Allow the user shell to signal the ssh program.
- allow $3 $1_ssh_agent_t:process signal;
-+ allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
++ allow $3 $1_ssh_agent_t:process signal_perms;
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
@@ -59421,7 +61129,7 @@ index 2dad3c8..02e70c9 100644
+ ssh_rw_dgram_sockets(chroot_user_t)
')
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
-index 941380a..ce8c972 100644
+index 941380a..4afc698 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -5,9 +5,9 @@
@@ -59468,7 +61176,7 @@ index 941380a..ce8c972 100644
')
########################################
-@@ -225,21 +227,15 @@ interface(`sssd_stream_connect',`
+@@ -225,21 +227,18 @@ interface(`sssd_stream_connect',`
## The role to be allowed to manage the sssd domain.
## </summary>
## </param>
@@ -59488,8 +61196,11 @@ index 941380a..ce8c972 100644
- allow $1 sssd_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, sssd_t, sssd_t)
-+ allow $1 sssd_t:process { ptrace signal_perms };
++ allow $1 sssd_t:process signal_perms;
+ ps_process_pattern($1, sssd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 sssd_t:process ptrace;
++ ')
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
@@ -59754,10 +61465,23 @@ index 7038b55..4e84f23 100644
type tcpd_tmp_t;
files_tmp_file(tcpd_tmp_t)
diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
-index 595f5a7..459d773 100644
+index 595f5a7..0f12947 100644
--- a/policy/modules/services/tcsd.if
+++ b/policy/modules/services/tcsd.if
-@@ -147,4 +147,5 @@ interface(`tcsd_admin',`
+@@ -137,8 +137,11 @@ interface(`tcsd_admin',`
+ type tcsd_var_lib_t;
+ ')
+
+- allow $1 tcsd_t:process { ptrace signal_perms };
++ allow $1 tcsd_t:process signal_perms;
+ ps_process_pattern($1, tcsd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 tcsd_t:process ptrace;
++ ')
+
+ tcsd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+@@ -147,4 +150,5 @@ interface(`tcsd_admin',`
files_search_var_lib($1)
admin_pattern($1, tcsd_var_lib_t)
@@ -59882,7 +61606,7 @@ index f40e67b..8d1e658 100644
+ remotelogin_domtrans(telnetd_t)
+')
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
-index 38bb312..414e03f 100644
+index 38bb312..0fee098 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -13,9 +13,33 @@
@@ -59956,13 +61680,16 @@ index 38bb312..414e03f 100644
## All of the rules required to administrate
## an tftp environment
## </summary>
-@@ -55,9 +109,10 @@ interface(`tftp_admin',`
+@@ -55,9 +109,13 @@ interface(`tftp_admin',`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
')
- allow $1 tftpd_t:process { ptrace signal_perms getattr };
-+ allow $1 tftpd_t:process { ptrace signal_perms };
++ allow $1 tftpd_t:process signal_perms;
ps_process_pattern($1, tftpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 tftp_t:process ptrace;
++ ')
+ files_list_var_lib($1)
admin_pattern($1, tftpdir_rw_t)
@@ -60080,18 +61807,22 @@ index 665bf7c..d100080 100644
+ iscsi_manage_semaphores(tgtd_t)
+')
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
-index 904f13e..464347f 100644
+index 904f13e..f9d007b 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
-@@ -42,7 +42,7 @@ interface(`tor_admin',`
+@@ -42,8 +42,11 @@ interface(`tor_admin',`
type tor_initrc_exec_t;
')
- allow $1 tor_t:process { ptrace signal_perms getattr };
-+ allow $1 tor_t:process { ptrace signal_perms };
++ allow $1 tor_t:process signal_perms;
ps_process_pattern($1, tor_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 tor_t:process ptrace;
++ ')
init_labeled_script_domtrans($1, tor_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index c842cad..1136b10 100644
--- a/policy/modules/services/tor.te
@@ -60117,7 +61848,7 @@ index c842cad..1136b10 100644
domain_use_interactive_fds(tor_t)
diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
-index 54b8605..752697f 100644
+index 54b8605..a04f013 100644
--- a/policy/modules/services/tuned.if
+++ b/policy/modules/services/tuned.if
@@ -5,9 +5,9 @@
@@ -60132,7 +61863,7 @@ index 54b8605..752697f 100644
## </param>
#
interface(`tuned_domtrans',`
-@@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',`
+@@ -112,18 +112,20 @@ interface(`tuned_initrc_domtrans',`
#
interface(`tuned_admin',`
gen_require(`
@@ -60141,8 +61872,15 @@ index 54b8605..752697f 100644
+ type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
')
- allow $1 tuned_t:process { ptrace signal_perms };
-@@ -124,6 +123,6 @@ interface(`tuned_admin',`
+- allow $1 tuned_t:process { ptrace signal_perms };
++ allow $1 tuned_t:process signal_perms;
+ ps_process_pattern($1, tuned_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 tuned_t:process ptrace;
++ ')
+
+ tuned_initrc_domtrans($1)
+ domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
allow $2 system_r;
@@ -60243,6 +61981,23 @@ index 831b4a3..8590730 100644
/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
+diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if
+index d23be5c..a05cd68 100644
+--- a/policy/modules/services/ulogd.if
++++ b/policy/modules/services/ulogd.if
+@@ -123,8 +123,11 @@ interface(`ulogd_admin',`
+ type ulogd_var_log_t, ulogd_initrc_exec_t;
+ ')
+
+- allow $1 ulogd_t:process { ptrace signal_perms };
++ allow $1 ulogd_t:process signal_perms;
+ ps_process_pattern($1, ulogd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ulogd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
index 3b953f5..70f687a 100644
--- a/policy/modules/services/ulogd.te
@@ -60305,6 +62060,23 @@ index 4440aa6..34ffbfd 100644
+optional_policy(`
+ virt_dontaudit_read_chr_dev(usbmuxd_t)
+')
+diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
+index ebc5414..8f8ac45 100644
+--- a/policy/modules/services/uucp.if
++++ b/policy/modules/services/uucp.if
+@@ -99,8 +99,11 @@ interface(`uucp_admin',`
+ type uucpd_var_run_t;
+ ')
+
+- allow $1 uucpd_t:process { ptrace signal_perms };
++ allow $1 uucpd_t:process signal_perms;
+ ps_process_pattern($1, uucpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 uucpd_t:process ptrace;
++ ')
+
+ logging_list_logs($1)
+ admin_pattern($1, uucpd_log_t)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index d4349e9..f14d337 100644
--- a/policy/modules/services/uucp.te
@@ -60351,10 +62123,10 @@ index 0000000..c184667
+/var/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0)
diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if
new file mode 100644
-index 0000000..5a2fd4c
+index 0000000..c82f178
--- /dev/null
+++ b/policy/modules/services/uuidd.if
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,196 @@
+## <summary>policy for uuidd</summary>
+
+########################################
@@ -60534,8 +62306,11 @@ index 0000000..5a2fd4c
+ type uuidd_var_run_t;
+ ')
+
-+ allow $1 uuidd_t:process { ptrace signal_perms };
++ allow $1 uuidd_t:process signal_perms;
+ ps_process_pattern($1, uuidd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 uuidd_t:process ptrace;
++ ')
+
+ uuidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -60600,6 +62375,36 @@ index 0000000..ac053f3
+
+miscfiles_read_localization(uuidd_t)
+
+diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if
+index 93975d6..7a665ff 100644
+--- a/policy/modules/services/varnishd.if
++++ b/policy/modules/services/varnishd.if
+@@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',`
+ type varnishlog_var_run_t;
+ ')
+
+- allow $1 varnishlog_t:process { ptrace signal_perms };
++ allow $1 varnishlog_t:process signal_perms;
+ ps_process_pattern($1, varnishlog_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 varnishd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -194,8 +197,11 @@ interface(`varnishd_admin',`
+ type varnishd_initrc_exec_t;
+ ')
+
+- allow $1 varnishd_t:process { ptrace signal_perms };
++ allow $1 varnishd_t:process signal_perms;
+ ps_process_pattern($1, varnishd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 varnishd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
index f9310f3..7a350f1 100644
--- a/policy/modules/services/varnishd.te
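Review bot: In `varnishd_admin_varnishlog` the new deny_ptrace else-branch names the wrong domain: it reads `allow $1 varnishd_t:process ptrace;`, while the rule it replaces and the `signal_perms` and `ps_process_pattern` lines around it all target `varnishlog_t`. With `deny_ptrace` off, the caller therefore loses ptrace on varnishlog_t and gains it on varnishd_t, a domain this interface does not otherwise touch. The visible `gen_require` lines do not list `varnishd_t` either, so the interface may also fail to build where it is used; the start of the require block is outside the hunk, so that needs checking. The line should be `allow $1 varnishlog_t:process ptrace;`. The `varnishd_admin` block later in the same hunk is consistent.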
@@ -60656,10 +62461,10 @@ index 0000000..71d9784
+
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
new file mode 100644
-index 0000000..7647279
+index 0000000..57471cc
--- /dev/null
+++ b/policy/modules/services/vdagent.if
-@@ -0,0 +1,128 @@
+@@ -0,0 +1,131 @@
+
+## <summary>policy for vdagent</summary>
+
@@ -60780,8 +62585,11 @@ index 0000000..7647279
+ type vdagent_var_run_t;
+ ')
+
-+ allow $1 vdagent_t:process { ptrace signal_perms };
++ allow $1 vdagent_t:process signal_perms;
+ ps_process_pattern($1, vdagent_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 vdagent_t:process ptrace;
++ ')
+
+ files_search_pids($1)
+ admin_pattern($1, vdagent_var_run_t)
@@ -60849,7 +62657,7 @@ index 0000000..4fd2377
+')
+
diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
-index 1f872b5..da605ba 100644
+index 1f872b5..1250e30 100644
--- a/policy/modules/services/vhostmd.if
+++ b/policy/modules/services/vhostmd.if
@@ -5,9 +5,9 @@
@@ -60901,44 +62709,57 @@ index 1f872b5..da605ba 100644
')
########################################
-@@ -209,7 +210,7 @@ interface(`vhostmd_admin',`
+@@ -209,8 +210,11 @@ interface(`vhostmd_admin',`
type vhostmd_t, vhostmd_initrc_exec_t;
')
- allow $1 vhostmd_t:process { ptrace signal_perms getattr };
-+ allow $1 vhostmd_t:process { ptrace signal_perms };
++ allow $1 vhostmd_t:process signal_perms;
ps_process_pattern($1, vhostmd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 vhostmd_t:process ptrace;
++ ')
vhostmd_initrc_domtrans($1)
-@@ -220,5 +221,4 @@ interface(`vhostmd_admin',`
+ domain_system_change_exemption($1)
+@@ -220,5 +224,4 @@ interface(`vhostmd_admin',`
vhostmd_manage_tmpfs_files($1)
vhostmd_manage_pid_files($1)
-
')
diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
-index 32a3c13..7baeb6f 100644
+index 32a3c13..e3d91ad 100644
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
-@@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t)
+@@ -24,8 +24,8 @@ files_pid_file(vhostmd_var_run_t)
+ #
allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
- allow vhostmd_t self:process { setsched getsched };
+-allow vhostmd_t self:process { setsched getsched };
-allow vhostmd_t self:fifo_file rw_file_perms;
++allow vhostmd_t self:process { setsched getsched signal };
+allow vhostmd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-@@ -44,6 +44,8 @@ corecmd_exec_shell(vhostmd_t)
+@@ -44,9 +44,15 @@ corecmd_exec_shell(vhostmd_t)
corenet_tcp_connect_soundd_port(vhostmd_t)
++dev_read_rand(vhostmd_t)
++dev_read_sysfs(vhostmd_t)
++
+# 579803
+files_list_tmp(vhostmd_t)
files_read_etc_files(vhostmd_t)
files_read_usr_files(vhostmd_t)
-@@ -66,6 +68,7 @@ optional_policy(`
++dev_read_rand(vhostmd_t)
+ dev_read_sysfs(vhostmd_t)
+
+ auth_use_nsswitch(vhostmd_t)
+@@ -66,6 +72,7 @@ optional_policy(`
optional_policy(`
virt_stream_connect(vhostmd_t)
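Review bot: The vhostmd.te part of this hunk adds `dev_read_rand(vhostmd_t)` twice, once right after `corenet_tcp_connect_soundd_port(vhostmd_t)` and again just before the existing `dev_read_sysfs(vhostmd_t)` line. The newly added `dev_read_sysfs(vhostmd_t)` in the first block also repeats that existing line. Duplicate rules do not change the compiled policy, but they look like a merge artefact and make it harder to audit what vhostmd_t is granted. I would drop the first added block and keep the single `dev_read_rand(vhostmd_t)` beside the existing sysfs call. A short comment on why `signal` was added to `allow vhostmd_t self:process`, like the `# 579803` reference above `files_list_tmp`, would also help later review.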
@@ -61003,10 +62824,10 @@ index 2124b6a..49c15d1 100644
+# support for nova-stack
+/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..fc6beb9 100644
+index 7c5d8d8..3fd8f12 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
-@@ -13,39 +13,44 @@
+@@ -13,39 +13,45 @@
#
template(`virt_domain_template',`
gen_require(`
@@ -61016,10 +62837,12 @@ index 7c5d8d8..fc6beb9 100644
+ attribute virt_image_type, virt_domain;
+ attribute virt_tmpfs_type;
+ attribute virt_ptynode;
++ type qemu_exec_t;
')
type $1_t, virt_domain;
- domain_type($1_t)
+- domain_type($1_t)
++ application_domain($1_t, qemu_exec_t)
domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
+ mcs_untrusted_proc($1_t)
@@ -61059,7 +62882,7 @@ index 7c5d8d8..fc6beb9 100644
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +62,6 @@ template(`virt_domain_template',`
+@@ -57,18 +63,6 @@ template(`virt_domain_template',`
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
@@ -61078,7 +62901,7 @@ index 7c5d8d8..fc6beb9 100644
optional_policy(`
xserver_rw_shm($1_t)
')
-@@ -96,14 +89,32 @@ interface(`virt_image',`
+@@ -96,14 +90,32 @@ interface(`virt_image',`
dev_node($1)
')
@@ -61113,7 +62936,7 @@ index 7c5d8d8..fc6beb9 100644
## </param>
#
interface(`virt_domtrans',`
-@@ -114,6 +125,25 @@ interface(`virt_domtrans',`
+@@ -114,6 +126,25 @@ interface(`virt_domtrans',`
domtrans_pattern($1, virtd_exec_t, virtd_t)
')
@@ -61139,7 +62962,7 @@ index 7c5d8d8..fc6beb9 100644
#######################################
## <summary>
## Connect to virt over an unix domain stream socket.
-@@ -164,13 +194,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +195,13 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
@@ -61155,7 +62978,7 @@ index 7c5d8d8..fc6beb9 100644
')
########################################
-@@ -185,13 +215,13 @@ interface(`virt_read_config',`
+@@ -185,13 +216,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
@@ -61171,7 +62994,7 @@ index 7c5d8d8..fc6beb9 100644
')
########################################
-@@ -231,6 +261,24 @@ interface(`virt_read_content',`
+@@ -231,6 +262,24 @@ interface(`virt_read_content',`
########################################
## <summary>
@@ -61196,7 +63019,7 @@ index 7c5d8d8..fc6beb9 100644
## Read virt PID files.
## </summary>
## <param name="domain">
-@@ -269,6 +317,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +318,36 @@ interface(`virt_manage_pid_files',`
########################################
## <summary>
@@ -61233,7 +63056,7 @@ index 7c5d8d8..fc6beb9 100644
## Search virt lib directories.
## </summary>
## <param name="domain">
-@@ -308,6 +386,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +387,24 @@ interface(`virt_read_lib_files',`
########################################
## <summary>
@@ -61258,7 +63081,7 @@ index 7c5d8d8..fc6beb9 100644
## Create, read, write, and delete
## virt lib files.
## </summary>
-@@ -352,9 +448,9 @@ interface(`virt_read_log',`
+@@ -352,9 +449,9 @@ interface(`virt_read_log',`
## virt log files.
## </summary>
## <param name="domain">
@@ -61270,7 +63093,7 @@ index 7c5d8d8..fc6beb9 100644
## </param>
#
interface(`virt_append_log',`
-@@ -408,6 +504,7 @@ interface(`virt_read_images',`
+@@ -408,6 +505,7 @@ interface(`virt_read_images',`
read_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
read_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -61278,7 +63101,7 @@ index 7c5d8d8..fc6beb9 100644
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
-@@ -424,6 +521,24 @@ interface(`virt_read_images',`
+@@ -424,6 +522,24 @@ interface(`virt_read_images',`
########################################
## <summary>
@@ -61303,7 +63126,7 @@ index 7c5d8d8..fc6beb9 100644
## Create, read, write, and delete
## svirt cache files.
## </summary>
-@@ -433,15 +548,15 @@ interface(`virt_read_images',`
+@@ -433,15 +549,15 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -61324,7 +63147,7 @@ index 7c5d8d8..fc6beb9 100644
')
########################################
-@@ -466,6 +581,7 @@ interface(`virt_manage_images',`
+@@ -466,6 +582,7 @@ interface(`virt_manage_images',`
manage_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -61332,7 +63155,7 @@ index 7c5d8d8..fc6beb9 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs($1)
-@@ -500,11 +616,16 @@ interface(`virt_manage_images',`
+@@ -500,10 +617,19 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -61340,23 +63163,27 @@ index 7c5d8d8..fc6beb9 100644
+ type virt_lxc_t;
')
- allow $1 virtd_t:process { ptrace signal_perms };
+- allow $1 virtd_t:process { ptrace signal_perms };
++ allow $1 virtd_t:process signal_perms;
ps_process_pattern($1, virtd_t)
-
-+ allow $1 virt_lxc_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, virt_lxc_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 virtd_t:process ptrace;
++ allow $1 virt_lxc_t:process ptrace;
++ ')
+
++ allow $1 virt_lxc_t:process signal_perms;
++ ps_process_pattern($1, virt_lxc_t)
+
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 virtd_initrc_exec_t system_r;
-@@ -515,4 +636,213 @@ interface(`virt_admin',`
+@@ -515,4 +641,231 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
+
+ virt_manage_images($1)
+
-+ allow $1 virt_domain:process { ptrace signal_perms };
++ allow $1 virt_domain:process signal_perms;
+')
+
+########################################
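Review bot: `virt_admin` now handles ptrace inconsistently across its target domains. For `virtd_t` and `virt_lxc_t` the permission moves into the deny_ptrace `tunable_policy` else-branch, but the last rule changes from `allow $1 virt_domain:process { ptrace signal_perms };` to `allow $1 virt_domain:process signal_perms;` with no tunable branch, so the admin role loses ptrace on guest domains even when `deny_ptrace` is off. If that is deliberate hardening, record it with a comment such as `# ptrace of virt_domain is intentionally not granted, independent of deny_ptrace`. Otherwise add `allow $1 virt_domain:process ptrace;` to the existing tunable block, which is the pattern the other `*_admin` interfaces in this commit use. The interface body starts before this hunk, so its `gen_require` list is not visible here.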
@@ -61563,11 +63390,29 @@ index 7c5d8d8..fc6beb9 100644
+ role system_r types $1_t;
+')
+
++########################################
++## <summary>
++## Execute a qemu_exec_t in the callers domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_exec_qemu',`
++ gen_require(`
++ type qemu_exec_t;
++ ')
++
++ can_exec($1, qemu_exec_t)
++')
++
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..54e53fb 100644
+index 3eca020..3619ec3 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
-@@ -5,56 +5,81 @@ policy_module(virt, 1.4.0)
+@@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
# Declarations
#
@@ -61657,20 +63502,23 @@ index 3eca020..54e53fb 100644
virt_domain_template(svirt)
role system_r types svirt_t;
-
+-
-type svirt_cache_t;
-files_type(svirt_cache_t)
--
++typealias svirt_t alias qemu_t;
+
attribute virt_domain;
attribute virt_image_type;
+attribute virt_tmpfs_type;
+
++type qemu_exec_t;
++
+type virt_cache_t alias svirt_cache_t;
+files_type(virt_cache_t)
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -62,23 +87,31 @@ files_config_file(virt_etc_t)
+@@ -62,23 +90,31 @@ files_config_file(virt_etc_t)
type virt_etc_rw_t;
files_type(virt_etc_rw_t)
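Review bot: The added `typealias svirt_t alias qemu_t;` and `type qemu_exec_t;` have no comment saying why virt.te now declares these names. The `qemu_entry_type(virt_domain)` / `qemu_exec(virt_domain)` optional block that this commit removes further down suggests a separate qemu module owned them before. If that module is still built alongside virt, the two declarations would presumably conflict, so this should be confirmed against the module list. `virt_domain_template(svirt)` is also invoked above `type qemu_exec_t;`, although the template now requires that type; moving the declaration ahead of the template call would make the dependency obvious. If the intent is to fold the qemu policy into virt, a one-line comment stating that next to the alias would save the next reader the search.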
@@ -61703,7 +63551,7 @@ index 3eca020..54e53fb 100644
type virtd_t;
type virtd_exec_t;
-@@ -89,6 +122,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +125,11 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -61715,7 +63563,7 @@ index 3eca020..54e53fb 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -97,6 +135,27 @@ ifdef(`enable_mls',`
+@@ -97,6 +138,27 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -61743,7 +63591,7 @@ index 3eca020..54e53fb 100644
########################################
#
# svirt local policy
-@@ -104,15 +163,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +166,12 @@ ifdef(`enable_mls',`
allow svirt_t self:udp_socket create_socket_perms;
@@ -61760,7 +63608,7 @@ index 3eca020..54e53fb 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +186,13 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +189,13 @@ corenet_tcp_connect_all_ports(svirt_t)
dev_list_sysfs(svirt_t)
@@ -61774,7 +63622,7 @@ index 3eca020..54e53fb 100644
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +207,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +210,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -61790,7 +63638,7 @@ index 3eca020..54e53fb 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +224,24 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +227,24 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -61815,11 +63663,13 @@ index 3eca020..54e53fb 100644
xen_rw_image_files(svirt_t)
')
-@@ -174,21 +251,36 @@ optional_policy(`
+@@ -173,22 +253,40 @@ optional_policy(`
+ # virtd local policy
#
- allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
++allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
@@ -61849,6 +63699,9 @@ index 3eca020..54e53fb 100644
+allow virt_domain virtd_t:fd use;
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+
++can_exec(virtd_t, qemu_exec_t)
++can_exec(virt_domain, qemu_exec_t)
++
+allow virtd_t qemu_var_run_t:file relabel_file_perms;
+manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
@@ -61858,7 +63711,7 @@ index 3eca020..54e53fb 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,9 +291,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,9 +297,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -61879,7 +63732,7 @@ index 3eca020..54e53fb 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +318,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +324,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -61895,7 +63748,7 @@ index 3eca020..54e53fb 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +346,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +352,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -61930,7 +63783,7 @@ index 3eca020..54e53fb 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +380,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +386,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -61949,14 +63802,23 @@ index 3eca020..54e53fb 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +415,30 @@ modutils_read_module_config(virtd_t)
+@@ -276,6 +412,8 @@ term_use_ptmx(virtd_t)
+
+ auth_use_nsswitch(virtd_t)
+
++init_dbus_chat(virtd_t)
++
+ miscfiles_read_localization(virtd_t)
+ miscfiles_read_generic_certs(virtd_t)
+ miscfiles_read_hwdata(virtd_t)
+@@ -285,16 +423,30 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
++selinux_validate_context(virtd_t)
++
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -61980,7 +63842,7 @@ index 3eca020..54e53fb 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +457,10 @@ optional_policy(`
+@@ -313,6 +465,10 @@ optional_policy(`
')
optional_policy(`
@@ -61991,7 +63853,7 @@ index 3eca020..54e53fb 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -329,16 +477,23 @@ optional_policy(`
+@@ -329,16 +485,23 @@ optional_policy(`
')
optional_policy(`
@@ -62015,7 +63877,7 @@ index 3eca020..54e53fb 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -360,11 +515,11 @@ optional_policy(`
+@@ -360,11 +523,11 @@ optional_policy(`
')
optional_policy(`
@@ -62032,7 +63894,7 @@ index 3eca020..54e53fb 100644
')
optional_policy(`
-@@ -394,20 +549,36 @@ optional_policy(`
+@@ -394,20 +557,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -62072,7 +63934,7 @@ index 3eca020..54e53fb 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +589,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +597,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -62085,7 +63947,7 @@ index 3eca020..54e53fb 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +601,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +609,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -62098,7 +63960,7 @@ index 3eca020..54e53fb 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +614,367 @@ files_search_all(virt_domain)
+@@ -440,25 +622,362 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -62106,12 +63968,12 @@ index 3eca020..54e53fb 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -62136,11 +63998,6 @@ index 3eca020..54e53fb 100644
+')
+
+optional_policy(`
-+ qemu_entry_type(virt_domain)
-+ qemu_exec(virt_domain)
-+')
-+
-+optional_policy(`
virt_read_config(virt_domain)
virt_read_lib_files(virt_domain)
virt_read_content(virt_domain)
@@ -62344,7 +64201,6 @@ index 3eca020..54e53fb 100644
+# virt_lxc_domain local policy
+#
+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override };
-+dontaudit svirt_lxc_domain self:capability sys_ptrace;
+
+allow virtd_t svirt_lxc_domain:process { signal_perms };
+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
@@ -62394,6 +64250,7 @@ index 3eca020..54e53fb 100644
+fs_list_inotifyfs(svirt_lxc_domain)
+fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
+
++auth_dontaudit_read_passwd(svirt_lxc_domain)
+auth_dontaudit_read_login_records(svirt_lxc_domain)
+auth_dontaudit_write_login_records(svirt_lxc_domain)
+auth_search_pam_console_data(svirt_lxc_domain)
@@ -62479,7 +64336,7 @@ index 11533cc..4d81b99 100644
/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if
-index 727fe95..21af852 100644
+index 727fe95..adbb3fb 100644
--- a/policy/modules/services/vnstatd.if
+++ b/policy/modules/services/vnstatd.if
@@ -113,6 +113,7 @@ interface(`vnstatd_manage_lib_files',`
@@ -62490,6 +64347,19 @@ index 727fe95..21af852 100644
########################################
## <summary>
## All of the rules required to administrate
+@@ -135,8 +136,11 @@ interface(`vnstatd_admin',`
+ type vnstatd_t, vnstatd_var_lib_t;
+ ')
+
+- allow $1 vnstatd_t:process { ptrace signal_perms };
++ allow $1 vnstatd_t:process signal_perms;
+ ps_process_pattern($1, vnstatd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 vnstatd_t:process ptrace;
++ ')
+
+ files_list_var_lib($1)
+ admin_pattern($1, vnstatd_var_lib_t)
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
index 8121937..5a462fb 100644
--- a/policy/modules/services/vnstatd.te
@@ -62559,10 +64429,10 @@ index 0000000..2f21759
+/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
diff --git a/policy/modules/services/wdmd.if b/policy/modules/services/wdmd.if
new file mode 100644
-index 0000000..a554011
+index 0000000..955f1ac
--- /dev/null
+++ b/policy/modules/services/wdmd.if
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,114 @@
+
+## <summary>policy for wdmd</summary>
+
@@ -62627,8 +64497,11 @@ index 0000000..a554011
+ type wdmd_initrc_exec_t;
+ ')
+
-+ allow $1 wdmd_t:process { ptrace signal_perms };
++ allow $1 wdmd_t:process signal_perms;
+ ps_process_pattern($1, wdmd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 wdmd_t:process ptrace;
++ ')
+
+ wdmd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -64072,7 +65945,7 @@ index 130ced9..b6fb17a 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..40e56f1 100644
+index 143c893..743ea2b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -64397,14 +66270,17 @@ index 143c893..40e56f1 100644
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -304,20 +417,36 @@ optional_policy(`
- # XDM Local policy
+@@ -305,19 +418,40 @@ optional_policy(`
#
--allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+ allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
-+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
-+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace };
++
++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
++tunable_policy(`deny_ptrace',`',`
++ allow xdm_t self:process ptrace;
++')
++
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
@@ -64438,7 +66314,7 @@ index 143c893..40e56f1 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +454,63 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +459,63 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -64508,7 +66384,7 @@ index 143c893..40e56f1 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +519,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +524,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -64536,7 +66412,7 @@ index 143c893..40e56f1 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +550,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +555,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -64590,7 +66466,7 @@ index 143c893..40e56f1 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -435,9 +603,24 @@ files_list_mnt(xdm_t)
+@@ -435,9 +608,24 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -64615,7 +66491,7 @@ index 143c893..40e56f1 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +629,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +634,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -64655,7 +66531,7 @@ index 143c893..40e56f1 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -476,9 +668,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,9 +673,30 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -64686,7 +66562,7 @@ index 143c893..40e56f1 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -494,6 +707,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -494,6 +712,14 @@ tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files(xdm_t)
')
@@ -64701,7 +66577,7 @@ index 143c893..40e56f1 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +728,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +733,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -64723,7 +66599,7 @@ index 143c893..40e56f1 100644
')
optional_policy(`
-@@ -519,12 +750,63 @@ optional_policy(`
+@@ -519,12 +755,63 @@ optional_policy(`
')
optional_policy(`
@@ -64787,7 +66663,7 @@ index 143c893..40e56f1 100644
hostname_exec(xdm_t)
')
-@@ -542,28 +824,69 @@ optional_policy(`
+@@ -542,28 +829,69 @@ optional_policy(`
')
optional_policy(`
@@ -64866,7 +66742,7 @@ index 143c893..40e56f1 100644
')
optional_policy(`
-@@ -575,6 +898,14 @@ optional_policy(`
+@@ -575,6 +903,14 @@ optional_policy(`
')
optional_policy(`
@@ -64881,16 +66757,15 @@ index 143c893..40e56f1 100644
xfs_stream_connect(xdm_t)
')
-@@ -599,7 +930,7 @@ allow xserver_t input_xevent_t:x_event send;
- # execheap needed until the X module loader is fixed.
+@@ -600,6 +936,7 @@ allow xserver_t input_xevent_t:x_event send;
# NVIDIA Needs execstack
--allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+ allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +944,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -64906,7 +66781,7 @@ index 143c893..40e56f1 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +971,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -64928,7 +66803,7 @@ index 143c893..40e56f1 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +991,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +997,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -64936,7 +66811,7 @@ index 143c893..40e56f1 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,21 +1018,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +1024,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -64967,7 +66842,7 @@ index 143c893..40e56f1 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1050,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1056,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -64981,7 +66856,7 @@ index 143c893..40e56f1 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1069,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1075,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -64990,7 +66865,7 @@ index 143c893..40e56f1 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1076,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1082,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -65005,7 +66880,7 @@ index 143c893..40e56f1 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1135,40 @@ optional_policy(`
+@@ -778,16 +1141,40 @@ optional_policy(`
')
optional_policy(`
@@ -65047,7 +66922,7 @@ index 143c893..40e56f1 100644
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1177,10 @@ optional_policy(`
+@@ -796,6 +1183,10 @@ optional_policy(`
')
optional_policy(`
@@ -65058,7 +66933,7 @@ index 143c893..40e56f1 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1196,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1202,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -65072,7 +66947,7 @@ index 143c893..40e56f1 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1207,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1213,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -65081,7 +66956,7 @@ index 143c893..40e56f1 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,6 +1220,9 @@ init_use_fds(xserver_t)
+@@ -835,6 +1226,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -65091,7 +66966,7 @@ index 143c893..40e56f1 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -842,6 +1230,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -842,6 +1236,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -65103,7 +66978,7 @@ index 143c893..40e56f1 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -850,11 +1243,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -850,11 +1249,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -65120,7 +66995,7 @@ index 143c893..40e56f1 100644
')
optional_policy(`
-@@ -862,6 +1258,10 @@ optional_policy(`
+@@ -862,6 +1264,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -65131,7 +67006,7 @@ index 143c893..40e56f1 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1305,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1311,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -65140,7 +67015,7 @@ index 143c893..40e56f1 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1359,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1365,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -65172,7 +67047,7 @@ index 143c893..40e56f1 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1405,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1411,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -65196,7 +67071,7 @@ index 143c893..40e56f1 100644
+')
+
+# Hack to handle the problem of using the nvidia blobs
-+tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow xdm_t self:process execmem;
+')
+
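Review bot: Moving `allow xdm_t self:process execmem;` into the else branch of the deny_execmem block inverts when the rule is active: it used to require allow_execmem to be switched on, and it now applies whenever deny_execmem is off. If deny_execmem defaults to off, xdm_t gets execmem on a default configuration, and the unchanged "Hack" comment above the block does not say so. I would extend that comment to something like `# nvidia blobs need execmem in xdm_t; granted unless deny_execmem is enabled`.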
@@ -65239,7 +67114,7 @@ index 664cd7a..e3eaec5 100644
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
-index c9981d1..11013a6 100644
+index c9981d1..0629472 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -5,9 +5,9 @@
@@ -65275,6 +67150,19 @@ index c9981d1..11013a6 100644
')
corenet_sendrecv_zabbix_agent_client_packets($1)
+@@ -142,8 +142,11 @@ interface(`zabbix_admin',`
+ type zabbix_initrc_exec_t;
+ ')
+
+- allow $1 zabbix_t:process { ptrace signal_perms };
++ allow $1 zabbix_t:process signal_perms;
+ ps_process_pattern($1, zabbix_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 zabbix_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 7f88f5f..bd6493d 100644
--- a/policy/modules/services/zabbix.te
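Review bot: The ptrace grant in zabbix_admin now depends on deny_ptrace, but nothing in the interface says so, and a role using it keeps signal_perms while losing ptrace once the boolean is set. The same three-line block is repeated in zebra_admin and init_ptrace further down this patch. A short comment above each copy, e.g. `# ptrace is withheld while deny_ptrace is enabled`, would keep that visible, and a single shared interface for this pattern would stop the copies drifting apart. zabbix_admin begins and ends outside this hunk.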
@@ -65468,7 +67356,7 @@ index 9fb4747..6e2c42a 100644
miscfiles_read_localization(zarafa_domain)
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
-index 6b87605..347f754 100644
+index 6b87605..ef64e73 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
@@ -65481,7 +67369,7 @@ index 6b87605..347f754 100644
')
########################################
-@@ -62,8 +61,7 @@ interface(`zebra_stream_connect',`
+@@ -62,12 +61,14 @@ interface(`zebra_stream_connect',`
interface(`zebra_admin',`
gen_require(`
type zebra_t, zebra_tmp_t, zebra_log_t;
@@ -65490,7 +67378,15 @@ index 6b87605..347f754 100644
+ type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
')
- allow $1 zebra_t:process { ptrace signal_perms };
+- allow $1 zebra_t:process { ptrace signal_perms };
++ allow $1 zebra_t:process signal_perms;
+ ps_process_pattern($1, zebra_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 zebra_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index ade6c2c..2b78f0d 100644
--- a/policy/modules/services/zebra.te
@@ -65621,18 +67517,22 @@ index c6fdab7..41198a4 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..59742f4 100644
+index 28ad538..02a592a 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -5,6 +5,7 @@
+@@ -5,7 +5,11 @@
/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/passwd-? -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/group-? -- gen_context(system_u:object_r:passwd_file_t,s0)
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
-@@ -30,6 +31,7 @@ ifdef(`distro_gentoo', `
+ /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
+@@ -30,6 +34,7 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -65640,14 +67540,14 @@ index 28ad538..59742f4 100644
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
-@@ -45,5 +47,4 @@ ifdef(`distro_gentoo', `
+@@ -45,5 +50,4 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..6a25dd6 100644
+index 73554ec..6355d14 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -65709,13 +67609,14 @@ index 73554ec..6a25dd6 100644
manage_files_pattern($1, var_auth_t, var_auth_t)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -123,13 +141,19 @@ interface(`auth_login_pgm_domain',`
+@@ -123,13 +141,20 @@ interface(`auth_login_pgm_domain',`
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
kernel_rw_afs_state($1)
+ tunable_policy(`authlogin_radius',`
+ corenet_udp_bind_all_unreserved_ports($1)
+ ')
++ corenet_tcp_connect_pki_ca_port($1)
+
# for fingerprint readers
dev_rw_input_dev($1)
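Review bot: `corenet_tcp_connect_pki_ca_port($1)` is added to auth_login_pgm_domain unconditionally, directly after the port access that is gated by the authlogin_radius tunable. Every domain that calls this interface would gain outbound TCP to the PKI CA port whether or not certificate-based login is configured on the host. Consider gating it on a boolean the way the rule above it is, or at least add a comment naming what needs the connection. The interface body starts and ends outside this hunk.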
@@ -65730,7 +67631,7 @@ index 73554ec..6a25dd6 100644
selinux_get_fs_mount($1)
selinux_validate_context($1)
-@@ -145,6 +169,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +170,8 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1)
mls_fd_share_all_levels($1)
@@ -65739,7 +67640,7 @@ index 73554ec..6a25dd6 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -155,9 +181,83 @@ interface(`auth_login_pgm_domain',`
+@@ -155,13 +182,87 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -65779,16 +67680,16 @@ index 73554ec..6a25dd6 100644
+
+ optional_policy(`
+ fprintd_dbus_chat($1)
- ')
++ ')
+
+ optional_policy(`
+ ssh_agent_exec($1)
+ ssh_read_user_home_files($1)
-+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ ')
+
+ ########################################
+ ## <summary>
+## Read authlogin state files.
+## </summary>
+## <param name="domain">
@@ -65822,10 +67723,14 @@ index 73554ec..6a25dd6 100644
+ ')
+
+ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -368,13 +468,15 @@ interface(`auth_domtrans_chk_passwd',`
++')
++
++########################################
++## <summary>
+ ## Use the login program as an entry point program.
+ ## </summary>
+ ## <param name="domain">
+@@ -368,13 +469,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -65842,7 +67747,7 @@ index 73554ec..6a25dd6 100644
')
########################################
-@@ -421,6 +523,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +524,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -65868,7 +67773,26 @@ index 73554ec..6a25dd6 100644
')
########################################
-@@ -736,7 +857,47 @@ interface(`auth_rw_faillog',`
+@@ -440,7 +562,6 @@ interface(`auth_domtrans_upd_passwd',`
+
+ domtrans_pattern($1, updpwd_exec_t, updpwd_t)
+ auth_dontaudit_read_shadow($1)
+-
+ ')
+
+ ########################################
+@@ -637,6 +758,10 @@ interface(`auth_manage_shadow',`
+
+ allow $1 shadow_t:file manage_file_perms;
+ typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
++ files_var_filetrans($1, shadow_t, file, "shadow")
++ files_var_filetrans($1, shadow_t, file, "shadow-")
++ files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
++ files_etc_filetrans($1, shadow_t, file, "gshadow")
+ ')
+
+ #######################################
+@@ -736,7 +861,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
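Review bot: In auth_manage_shadow the named transitions for "shadow" and "shadow-" use files_var_filetrans, while the two lines after them use files_etc_filetrans. The reworked authlogin_filetrans_named_content later in this patch also uses files_etc_filetrans for those same names and drops its /var variants. If /etc is the intended parent directory, a domain that recreates /etc/shadow through this interface would presumably not get shadow_t from it and the new file would take the directory's default label. I would change the two lines to `files_etc_filetrans($1, shadow_t, file, "shadow")` and `files_etc_filetrans($1, shadow_t, file, "shadow-")`. auth_manage_shadow starts before this hunk.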
@@ -65914,10 +67838,13 @@ index 73554ec..6a25dd6 100644
+ files_search_pids($1)
+ allow $1 faillog_t:dir manage_dir_perms;
+ allow $1 faillog_t:file manage_file_perms;
++ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
++ logging_log_named_filetrans($1, faillog_t, file, "faillog")
++ logging_log_named_filetrans($1, faillog_t, file, "btmp")
')
#######################################
-@@ -932,9 +1093,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1100,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -65951,7 +67878,7 @@ index 73554ec..6a25dd6 100644
')
########################################
-@@ -1387,6 +1569,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1576,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -65977,35 +67904,73 @@ index 73554ec..6a25dd6 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1541,24 +1742,6 @@ interface(`auth_manage_login_records',`
+@@ -1537,37 +1745,49 @@ interface(`auth_manage_login_records',`
+
+ logging_rw_generic_log_dirs($1)
+ allow $1 wtmp_t:file manage_file_perms;
++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
+ ')
########################################
## <summary>
-## Relabel login record files.
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--#
++## Use nsswitch to look up user, password, group, or
++## host information.
+ ## </summary>
++## <desc>
++## <p>
++## Allow the specified domain to look up user, password,
++## group, or host information using the name service.
++## The most common use of this interface is for services
++## that do host name resolution (usually DNS resolution).
++## </p>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <infoflow type="both" weight="10"/>
+ #
-interface(`auth_relabel_login_records',`
-- gen_require(`
++interface(`auth_use_nsswitch',`
+ gen_require(`
- type wtmp_t;
-- ')
--
++ attribute nsswitch_domain;
+ ')
+
- allow $1 wtmp_t:file relabel_file_perms;
--')
--
--########################################
--## <summary>
- ## Use nsswitch to look up user, password, group, or
- ## host information.
++ typeattribute $1 nsswitch_domain;
+ ')
+
+ ########################################
+ ## <summary>
+-## Use nsswitch to look up user, password, group, or
+-## host information.
++## Unconfined access to the authlogin module.
## </summary>
-@@ -1578,54 +1761,11 @@ interface(`auth_relabel_login_records',`
- ## <infoflow type="both" weight="10"/>
+ ## <desc>
+ ## <p>
+-## Allow the specified domain to look up user, password,
+-## group, or host information using the name service.
+-## The most common use of this interface is for services
+-## that do host name resolution (usually DNS resolution).
++## Unconfined access to the authlogin module.
++## </p>
++## <p>
++## Currently, this only allows assertions for
++## the shadow passwords file (/etc/shadow) to
++## be passed. No access is granted yet.
+ ## </p>
+ ## </desc>
+ ## <param name="domain">
+@@ -1575,87 +1795,149 @@ interface(`auth_relabel_login_records',`
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="both" weight="10"/>
#
- interface(`auth_use_nsswitch',`
+-interface(`auth_use_nsswitch',`
-
- files_list_var_lib($1)
-
@@ -66013,89 +67978,197 @@ index 73554ec..6a25dd6 100644
- files_read_etc_files($1)
-
- miscfiles_read_generic_certs($1)
--
++interface(`auth_unconfined',`
++ gen_require(`
++ attribute can_read_shadow_passwords;
++ attribute can_write_shadow_passwords;
++ attribute can_relabelto_shadow_passwords;
++ ')
+
- sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
--
++ typeattribute $1 can_read_shadow_passwords;
++ typeattribute $1 can_write_shadow_passwords;
++ typeattribute $1 can_relabelto_shadow_passwords;
++')
+
- optional_policy(`
- avahi_stream_connect($1)
-- ')
--
++########################################
++## <summary>
++## Transition to authlogin named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`authlogin_filetrans_named_content',`
++ gen_require(`
++ type shadow_t;
++ type passwd_file_t;
++ type faillog_t;
++ type wtmp_t;
+ ')
+
- optional_policy(`
- ldap_stream_connect($1)
- ')
--
++ files_etc_filetrans($1, passwd_file_t, file, "group")
++ files_etc_filetrans($1, passwd_file_t, file, "group-")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
++ files_etc_filetrans($1, shadow_t, file, "shadow")
++ files_etc_filetrans($1, shadow_t, file, "shadow-")
++ files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
++ files_etc_filetrans($1, shadow_t, file, "gshadow")
++ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
++ logging_log_named_filetrans($1, faillog_t, file, "faillog")
++ logging_log_named_filetrans($1, faillog_t, file, "btmp")
++ files_pid_filetrans($1, faillog_t, file, "faillog")
++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
++')
+
- optional_policy(`
- likewise_stream_connect_lsassd($1)
-- ')
--
++########################################
++## <summary>
++## Get the attributes of the passwd passwords file.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`auth_getattr_passwd',`
++ gen_require(`
++ type passwd_file_t;
+ ')
+
- optional_policy(`
- kerberos_use($1)
- ')
--
++ files_search_etc($1)
++ allow $1 passwd_file_t:file getattr;
++')
+
- optional_policy(`
- nis_use_ypbind($1)
-- ')
--
++########################################
++## <summary>
++## Do not audit attempts to get the attributes
++## of the passwd passwords file.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`auth_dontaudit_getattr_passwd',`
++ gen_require(`
++ type passwd_file_t;
+ ')
+
- optional_policy(`
- nscd_socket_use($1)
- ')
--
++ dontaudit $1 passwd_file_t:file getattr;
++')
+
- optional_policy(`
- nslcd_stream_connect($1)
-- ')
--
-- optional_policy(`
-- sssd_stream_connect($1)
++########################################
++## <summary>
++## Read the passwd passwords file (/etc/passwd)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`auth_read_passwd',`
+ gen_require(`
-+ attribute nsswitch_domain;
++ type passwd_file_t;
')
- optional_policy(`
+- sssd_stream_connect($1)
+- ')
++ allow $1 passwd_file_t:file read_file_perms;
++')
+
+- optional_policy(`
- samba_stream_connect_winbind($1)
- samba_read_var_files($1)
- samba_dontaudit_write_var_files($1)
-- ')
-+ typeattribute $1 nsswitch_domain;
- ')
-
- ########################################
-@@ -1659,3 +1799,33 @@ interface(`auth_unconfined',`
- typeattribute $1 can_write_shadow_passwords;
- typeattribute $1 can_relabelto_shadow_passwords;
- ')
-+
+########################################
+## <summary>
-+## Transition to authlogin named content
++## Do not audit attempts to read the passwd
++## password file (/etc/passwd).
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`authlogin_filetrans_named_content',`
++interface(`auth_dontaudit_read_passwd',`
+ gen_require(`
-+ type shadow_t;
-+ type faillog_t;
-+ type wtmp_t;
-+ ')
++ type passwd_file_t;
+ ')
+
-+ files_etc_filetrans($1, shadow_t, file, "shadow")
-+ files_etc_filetrans($1, shadow_t, file, "shadow-")
-+ files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
-+ files_etc_filetrans($1, shadow_t, file, "gshadow")
-+ files_var_filetrans($1, shadow_t, file, "shadow")
-+ files_var_filetrans($1, shadow_t, file, "shadow-")
-+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
-+ logging_log_named_filetrans($1, faillog_t, file, "faillog")
-+ logging_log_named_filetrans($1, faillog_t, file, "btmp")
-+ files_pid_filetrans($1, faillog_t, file, "faillog")
-+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
-+')
++ dontaudit $1 passwd_file_t:file read_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Unconfined access to the authlogin module.
++## Create, read, write, and delete the passwd
++## password file.
+ ## </summary>
+-## <desc>
+-## <p>
+-## Unconfined access to the authlogin module.
+-## </p>
+-## <p>
+-## Currently, this only allows assertions for
+-## the shadow passwords file (/etc/shadow) to
+-## be passed. No access is granted yet.
+-## </p>
+-## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`auth_unconfined',`
++interface(`auth_manage_passwd',`
+ gen_require(`
+- attribute can_read_shadow_passwords;
+- attribute can_write_shadow_passwords;
+- attribute can_relabelto_shadow_passwords;
++ type passwd_file_t;
+ ')
+
+- typeattribute $1 can_read_shadow_passwords;
+- typeattribute $1 can_write_shadow_passwords;
+- typeattribute $1 can_relabelto_shadow_passwords;
++ files_rw_etc_dirs($1)
++ allow $1 passwd_file_t:file manage_file_perms;
++ files_etc_filetrans($1, passwd_file_t, file, "passwd")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
++ files_etc_filetrans($1, passwd_file_t, file, "group")
++ files_etc_filetrans($1, passwd_file_t, file, "group-")
+ ')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..7edafde 100644
+index b7a5f00..39d91d4 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1)
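Review bot: auth_read_passwd grants read_file_perms on passwd_file_t but, unlike auth_getattr_passwd a few interfaces above it, does not call `files_search_etc($1)`, so a caller with no other access to /etc would presumably still be denied at the directory search. Adding `files_search_etc($1)` before the allow rule would make the two interfaces agree. authlogin_filetrans_named_content is also the only interface in this hunk that does not use the `auth_` prefix, which makes it harder to find next to its siblings.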
@@ -66132,7 +68205,17 @@ index b7a5f00..7edafde 100644
type lastlog_t;
logging_log_file(lastlog_t)
-@@ -100,6 +117,8 @@ dev_read_urand(chkpwd_t)
+@@ -55,6 +72,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
+ neverallow ~can_write_shadow_passwords shadow_t:file { create write };
+ neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
+
++type passwd_file_t;
++files_type(passwd_file_t)
++
+ type updpwd_t;
+ type updpwd_exec_t;
+ domain_type(updpwd_t)
+@@ -100,6 +120,8 @@ dev_read_urand(chkpwd_t)
files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)
@@ -66141,7 +68224,7 @@ index b7a5f00..7edafde 100644
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
-@@ -118,7 +137,7 @@ miscfiles_read_localization(chkpwd_t)
+@@ -118,7 +140,7 @@ miscfiles_read_localization(chkpwd_t)
seutil_read_config(chkpwd_t)
seutil_dontaudit_use_newrole_fds(chkpwd_t)
@@ -66150,7 +68233,15 @@ index b7a5f00..7edafde 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -343,7 +362,7 @@ logging_send_syslog_msg(updpwd_t)
+@@ -332,6 +354,7 @@ kernel_read_system_state(updpwd_t)
+ dev_read_urand(updpwd_t)
+
+ files_manage_etc_files(updpwd_t)
++auth_manage_passwd(updpwd_t)
+
+ term_dontaudit_use_console(updpwd_t)
+ term_dontaudit_use_unallocated_ttys(updpwd_t)
+@@ -343,7 +366,7 @@ logging_send_syslog_msg(updpwd_t)
miscfiles_read_localization(updpwd_t)
@@ -66159,7 +68250,7 @@ index b7a5f00..7edafde 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -371,13 +390,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -371,13 +394,15 @@ term_dontaudit_use_all_ttys(utempter_t)
term_dontaudit_use_all_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)
@@ -66176,7 +68267,7 @@ index b7a5f00..7edafde 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -388,10 +409,71 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +413,74 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -66197,6 +68288,9 @@ index b7a5f00..7edafde 100644
+ ')
+')
+
++
++auth_read_passwd(nsswitch_domain)
++
+# read /etc/nsswitch.conf
+files_read_etc_files(nsswitch_domain)
+
@@ -66576,9 +68670,18 @@ index 40eb10c..2a0a32c 100644
corecmd_search_bin($1)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
-index 1a3d970..ba2f286 100644
+index 1a3d970..0995a02 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
+@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
+ #
+
+ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
+-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
++dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit hotplug_t self:capability { dac_override dac_read_search };
+ allow hotplug_t self:process { setpgid getsession getattr signal_perms };
@@ -96,6 +96,8 @@ init_domtrans_script(hotplug_t)
# kernel threads inherit from shared descriptor table used by init
init_dontaudit_rw_initctl(hotplug_t)
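Review bot: Dropping sys_ptrace from the dontaudit rule grants nothing; it only means hotplug_t's sys_ptrace attempts, previously silenced, will now be logged as denials, because the allow rule shown just above does not include that capability. If the aim is to surface ptrace use now that deny_ptrace exists, a one-line comment would stop someone re-adding it to quiet the audit log, e.g. `# sys_ptrace intentionally left audited`.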
@@ -66648,7 +68751,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..b5e5c70 100644
+index 94fd8dd..5a963ef 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -67025,7 +69128,7 @@ index 94fd8dd..b5e5c70 100644
')
')
-@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +935,45 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -67048,11 +69151,11 @@ index 94fd8dd..b5e5c70 100644
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ ')
+
+ ########################################
+ ## <summary>
+## Execute a file in a bin directory
+## in the initrc_t domain
+## </summary>
@@ -67065,12 +69168,16 @@ index 94fd8dd..b5e5c70 100644
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
++')
++
++########################################
++## <summary>
+ ## Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
@@ -67086,7 +69193,18 @@ index 94fd8dd..b5e5c70 100644
files_search_etc($1)
')
-@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',`
+@@ -961,7 +1123,9 @@ interface(`init_ptrace',`
+ type init_t;
+ ')
+
+- allow $1 init_t:process ptrace;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 init_t:process ptrace;
++ ')
+ ')
+
+ ########################################
+@@ -1079,6 +1243,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -67111,7 +69229,7 @@ index 94fd8dd..b5e5c70 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1312,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -67125,7 +69243,7 @@ index 94fd8dd..b5e5c70 100644
')
########################################
-@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1552,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -67153,7 +69271,7 @@ index 94fd8dd..b5e5c70 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1659,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -67179,7 +69297,7 @@ index 94fd8dd..b5e5c70 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1736,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@@ -67204,7 +69322,7 @@ index 94fd8dd..b5e5c70 100644
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1586,6 +1819,24 @@ interface(`init_read_utmp',`
+@@ -1586,6 +1821,24 @@ interface(`init_read_utmp',`
########################################
## <summary>
@@ -67229,7 +69347,7 @@ index 94fd8dd..b5e5c70 100644
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
-@@ -1674,7 +1925,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1927,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -67238,7 +69356,7 @@ index 94fd8dd..b5e5c70 100644
')
########################################
-@@ -1715,6 +1966,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1968,128 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -67367,7 +69485,7 @@ index 94fd8dd..b5e5c70 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2122,194 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2124,194 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -67563,7 +69681,7 @@ index 94fd8dd..b5e5c70 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..7752aa1 100644
+index 29a9565..75f6d6b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -67635,7 +69753,7 @@ index 29a9565..7752aa1 100644
# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
-+allow init_t self:capability ~{ audit_control audit_write sys_module };
++allow init_t self:capability ~{ sys_ptrace audit_control audit_write sys_module };
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
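Review bot: sys_ptrace is excluded from init_t's capability set unconditionally here, and from initrc_t's in a later hunk, whereas the process ptrace permissions elsewhere in this patch are gated by deny_ptrace, so there is no boolean that restores it if init turns out to need it. Because the rule is a complement set, every capability not named is granted, and the reason for each exclusion matters to the next reader. The existing comment below the rule still discusses only sys_module. I would add a comment listing the exclusions, e.g. `# excluded: sys_ptrace, audit_control, audit_write, sys_module`, with a word on why each is left out.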
@@ -67757,7 +69875,7 @@ index 29a9565..7752aa1 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +251,138 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +251,139 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -67807,6 +69925,7 @@ index 29a9565..7752aa1 100644
+ files_mounton_all_mountpoints(init_t)
+ files_unmount_all_file_type_fs(init_t)
+ files_manage_all_pid_dirs(init_t)
++ files_manage_generic_tmp_dirs(init_t)
+ files_relabel_all_pid_dirs(init_t)
+ files_relabel_all_pid_files(init_t)
+ files_create_all_pid_sockets(init_t)
@@ -67898,7 +70017,7 @@ index 29a9565..7752aa1 100644
')
optional_policy(`
-@@ -203,6 +390,17 @@ optional_policy(`
+@@ -203,6 +391,17 @@ optional_policy(`
')
optional_policy(`
@@ -67916,16 +70035,17 @@ index 29a9565..7752aa1 100644
unconfined_domain(init_t)
')
-@@ -212,7 +410,7 @@ optional_policy(`
+@@ -212,7 +411,8 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
-+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
++allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
++
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +439,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +441,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -67941,7 +70061,7 @@ index 29a9565..7752aa1 100644
init_write_initctl(initrc_t)
-@@ -258,20 +459,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +461,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -67978,7 +70098,7 @@ index 29a9565..7752aa1 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +492,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +494,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -67986,7 +70106,7 @@ index 29a9565..7752aa1 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -289,8 +503,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +505,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -67997,7 +70117,7 @@ index 29a9565..7752aa1 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +514,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +516,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -68013,7 +70133,7 @@ index 29a9565..7752aa1 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +532,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +534,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -68021,7 +70141,7 @@ index 29a9565..7752aa1 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +540,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +542,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -68033,7 +70153,7 @@ index 29a9565..7752aa1 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +559,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +561,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -68047,7 +70167,7 @@ index 29a9565..7752aa1 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,8 +574,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,8 +576,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -68060,7 +70180,7 @@ index 29a9565..7752aa1 100644
mcs_ptrace_all(initrc_t)
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -363,6 +590,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +592,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -68068,7 +70188,7 @@ index 29a9565..7752aa1 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +602,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +604,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -68076,7 +70196,7 @@ index 29a9565..7752aa1 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +623,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +625,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -68098,7 +70218,7 @@ index 29a9565..7752aa1 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +686,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +688,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -68109,7 +70229,7 @@ index 29a9565..7752aa1 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +710,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +712,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -68118,7 +70238,7 @@ index 29a9565..7752aa1 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +725,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +727,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -68126,7 +70246,7 @@ index 29a9565..7752aa1 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -522,8 +755,34 @@ ifdef(`distro_redhat',`
+@@ -522,8 +757,34 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -68161,7 +70281,7 @@ index 29a9565..7752aa1 100644
')
optional_policy(`
-@@ -531,10 +790,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +792,22 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -68184,7 +70304,7 @@ index 29a9565..7752aa1 100644
')
optional_policy(`
-@@ -549,6 +820,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +822,39 @@ ifdef(`distro_suse',`
')
')
@@ -68224,7 +70344,7 @@ index 29a9565..7752aa1 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +865,8 @@ optional_policy(`
+@@ -561,6 +867,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -68233,7 +70353,7 @@ index 29a9565..7752aa1 100644
')
optional_policy(`
-@@ -577,6 +883,7 @@ optional_policy(`
+@@ -577,6 +885,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -68241,7 +70361,7 @@ index 29a9565..7752aa1 100644
')
optional_policy(`
-@@ -589,6 +896,17 @@ optional_policy(`
+@@ -589,6 +898,17 @@ optional_policy(`
')
optional_policy(`
@@ -68259,7 +70379,7 @@ index 29a9565..7752aa1 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +923,13 @@ optional_policy(`
+@@ -605,9 +925,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -68273,7 +70393,7 @@ index 29a9565..7752aa1 100644
')
optional_policy(`
-@@ -632,6 +954,10 @@ optional_policy(`
+@@ -632,6 +956,10 @@ optional_policy(`
')
optional_policy(`
@@ -68284,7 +70404,7 @@ index 29a9565..7752aa1 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -649,6 +975,11 @@ optional_policy(`
+@@ -649,6 +977,11 @@ optional_policy(`
')
optional_policy(`
@@ -68296,7 +70416,7 @@ index 29a9565..7752aa1 100644
inn_exec_config(initrc_t)
')
-@@ -689,6 +1020,7 @@ optional_policy(`
+@@ -689,6 +1022,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -68304,7 +70424,7 @@ index 29a9565..7752aa1 100644
')
optional_policy(`
-@@ -706,7 +1038,13 @@ optional_policy(`
+@@ -706,7 +1040,13 @@ optional_policy(`
')
optional_policy(`
@@ -68318,7 +70438,7 @@ index 29a9565..7752aa1 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1067,10 @@ optional_policy(`
+@@ -729,6 +1069,10 @@ optional_policy(`
')
optional_policy(`
@@ -68329,7 +70449,7 @@ index 29a9565..7752aa1 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1080,20 @@ optional_policy(`
+@@ -738,10 +1082,20 @@ optional_policy(`
')
optional_policy(`
@@ -68350,7 +70470,7 @@ index 29a9565..7752aa1 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1102,10 @@ optional_policy(`
+@@ -750,6 +1104,10 @@ optional_policy(`
')
optional_policy(`
@@ -68361,7 +70481,7 @@ index 29a9565..7752aa1 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1127,6 @@ optional_policy(`
+@@ -771,8 +1129,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -68370,7 +70490,7 @@ index 29a9565..7752aa1 100644
')
optional_policy(`
-@@ -790,10 +1144,12 @@ optional_policy(`
+@@ -790,10 +1146,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -68383,7 +70503,7 @@ index 29a9565..7752aa1 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1161,6 @@ optional_policy(`
+@@ -805,7 +1163,6 @@ optional_policy(`
')
optional_policy(`
@@ -68391,7 +70511,7 @@ index 29a9565..7752aa1 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1170,26 @@ optional_policy(`
+@@ -815,11 +1172,26 @@ optional_policy(`
')
optional_policy(`
@@ -68419,7 +70539,7 @@ index 29a9565..7752aa1 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1199,25 @@ optional_policy(`
+@@ -829,6 +1201,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -68445,7 +70565,7 @@ index 29a9565..7752aa1 100644
')
optional_policy(`
-@@ -844,6 +1233,10 @@ optional_policy(`
+@@ -844,6 +1235,10 @@ optional_policy(`
')
optional_policy(`
@@ -68456,7 +70576,7 @@ index 29a9565..7752aa1 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1247,160 @@ optional_policy(`
+@@ -854,3 +1249,160 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -68692,10 +70812,18 @@ index 0d4c8d3..9d66bf7 100644
########################################
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 55a6cd8..2af2952 100644
+index 55a6cd8..94e11eb 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
-@@ -80,6 +80,8 @@ allow ipsec_t self:udp_socket create_socket_perms;
+@@ -73,13 +73,15 @@ role system_r types setkey_t;
+ #
+
+ allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
++dontaudit ipsec_t self:capability sys_tty_config;
+ allow ipsec_t self:process { getcap setcap getsched signal setsched };
+ allow ipsec_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
allow ipsec_t self:fifo_file read_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
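Review bot: Dropping sys_ptrace from `dontaudit ipsec_t self:capability` means any sys_ptrace check that ipsec_t still triggers will now be logged as an AVC denial, and nothing in the hunk says whether that is intended. The same removal is made for ipsec_mgmt_t (where the deleted comment attributed the rule to lsof), iscsid_t and dhcpc_t in later hunks. Making the denials visible helps monitoring, but if they come from routine /proc scans they will add steady noise to the audit log. A comment next to the remaining rule, e.g. `# sys_ptrace denials are no longer silenced; expect AVCs from lsof-style scans`, would tell operators what to expect. The ipsec_t rule block continues outside the hunk.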
@@ -68742,13 +70870,21 @@ index 55a6cd8..2af2952 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -245,6 +251,19 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -187,8 +193,8 @@ optional_policy(`
+ #
+
+ allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
+-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
++dontaudit ipsec_mgmt_t self:capability sys_tty_config;
++allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+@@ -245,6 +251,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
-+# don't audit using of lsof
-+dontaudit ipsec_mgmt_t self:capability sys_ptrace;
-+
+domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
+domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
+
@@ -68762,7 +70898,7 @@ index 55a6cd8..2af2952 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -277,9 +296,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -277,9 +293,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -68774,7 +70910,7 @@ index 55a6cd8..2af2952 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -297,7 +317,7 @@ sysnet_manage_config(ipsec_mgmt_t)
+@@ -297,7 +314,7 @@ sysnet_manage_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
sysnet_etc_filetrans_config(ipsec_mgmt_t)
@@ -68783,7 +70919,7 @@ index 55a6cd8..2af2952 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -324,10 +344,6 @@ optional_policy(`
+@@ -324,10 +341,6 @@ optional_policy(`
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -68794,7 +70930,7 @@ index 55a6cd8..2af2952 100644
ifdef(`TODO',`
# ideally it would not need this. It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-@@ -377,12 +393,12 @@ corecmd_exec_shell(racoon_t)
+@@ -377,12 +390,12 @@ corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
@@ -68813,7 +70949,7 @@ index 55a6cd8..2af2952 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -411,6 +427,8 @@ miscfiles_read_localization(racoon_t)
+@@ -411,6 +424,8 @@ miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
@@ -68822,7 +70958,7 @@ index 55a6cd8..2af2952 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -448,5 +466,6 @@ miscfiles_read_localization(setkey_t)
+@@ -448,5 +463,6 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
@@ -69010,10 +71146,18 @@ index f3e1b57..d7fd7fb 100644
')
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
-index ddbd8be..ac8e814 100644
+index ddbd8be..65b5762 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
-@@ -66,6 +66,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
+ #
+
+ allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
+-dontaudit iscsid_t self:capability sys_ptrace;
+ allow iscsid_t self:process { setrlimit setsched signal };
+ allow iscsid_t self:fifo_file rw_fifo_file_perms;
+ allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -66,6 +65,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
@@ -69021,7 +71165,7 @@ index ddbd8be..ac8e814 100644
corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -78,6 +79,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
+@@ -78,6 +78,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
@@ -69737,7 +71881,7 @@ index 0e3c2a9..40adf5a 100644
+')
+
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a0b379d..bf90918 100644
+index a0b379d..37a5bb4 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -17,6 +17,9 @@ type local_login_tmp_t;
@@ -69757,7 +71901,7 @@ index a0b379d..bf90918 100644
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec };
-+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config };
++allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
@@ -69921,7 +72065,7 @@ index 02f4c97..cd16709 100644
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 831b909..efe1038 100644
+index 831b909..0410fa3 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -491,6 +491,63 @@ interface(`logging_log_filetrans',`
@@ -70114,15 +72258,40 @@ index 831b909..efe1038 100644
## Write generic log files.
## </summary>
## <param name="domain">
-@@ -990,6 +1141,7 @@ interface(`logging_admin_syslog',`
+@@ -944,9 +1095,13 @@ interface(`logging_admin_audit',`
+ type auditd_initrc_exec_t;
+ ')
+
+- allow $1 auditd_t:process { ptrace signal_perms };
++ allow $1 auditd_t:process signal_perms;
+ ps_process_pattern($1, auditd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 auditd_t:process ptrace;
++ ')
++
+ manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
+ manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+
+@@ -990,10 +1145,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
+- allow $1 syslogd_t:process { ptrace signal_perms };
+- allow $1 klogd_t:process { ptrace signal_perms };
+ allow $1 self:capability2 syslog;
- allow $1 syslogd_t:process { ptrace signal_perms };
- allow $1 klogd_t:process { ptrace signal_perms };
++ allow $1 syslogd_t:process signal_perms;
++ allow $1 klogd_t:process signal_perms;
ps_process_pattern($1, syslogd_t)
-@@ -1015,6 +1167,8 @@ interface(`logging_admin_syslog',`
+ ps_process_pattern($1, klogd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 syslogd_t:process ptrace;
++ allow $1 klogd_t:process ptrace;
++ ')
+
+ manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
+ manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
+@@ -1015,6 +1175,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
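Review bot: The deny_ptrace tunable_policy block in logging_admin_audit has an empty first branch, which is easy to misread: `allow $1 auditd_t:process ptrace;` sits in the else branch, so it applies whenever the boolean is off. The same construct covers syslogd_t and klogd_t in logging_admin_syslog in this hunk, and mount_t, dhcpc_t and udev_t in later hunks. Tracing the audit and syslog daemons lets the admin domain read or alter what they record. I would add a comment above each block, e.g. `# ptrace of auditd_t stays allowed unless the deny_ptrace boolean is on`, so anyone hardening a host knows the boolean has to be set. Both interfaces start and end outside the hunk.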
@@ -71388,7 +73557,7 @@ index 8b5c196..da41726 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..4930474 100644
+index 15832c7..f1121f7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,17 +17,29 @@ type mount_exec_t;
@@ -71426,20 +73595,24 @@ index 15832c7..4930474 100644
########################################
#
-@@ -35,7 +47,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
+@@ -35,7 +47,15 @@ application_domain(unconfined_mount_t, mount_exec_t)
#
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
-+allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
++allow mount_t self:process { getcap getsched setcap setrlimit signal };
++tunable_policy(`deny_ptrace',`',`
++ allow mount_t self:process ptrace;
++')
++
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket create_socket_perms;
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -46,9 +62,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,9 +66,24 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -71465,7 +73638,7 @@ index 15832c7..4930474 100644
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
-@@ -57,65 +88,93 @@ kernel_request_load_module(mount_t)
+@@ -57,65 +92,93 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -71568,7 +73741,7 @@ index 15832c7..4930474 100644
logging_send_syslog_msg(mount_t)
-@@ -126,6 +185,8 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +189,8 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -71577,7 +73750,7 @@ index 15832c7..4930474 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -141,26 +202,28 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +206,28 @@ ifdef(`distro_ubuntu',`
')
')
@@ -71616,7 +73789,7 @@ index 15832c7..4930474 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +237,8 @@ optional_policy(`
+@@ -174,6 +241,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -71625,7 +73798,7 @@ index 15832c7..4930474 100644
')
optional_policy(`
-@@ -181,6 +246,28 @@ optional_policy(`
+@@ -181,6 +250,28 @@ optional_policy(`
')
optional_policy(`
@@ -71654,7 +73827,7 @@ index 15832c7..4930474 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,21 +275,87 @@ optional_policy(`
+@@ -188,21 +279,87 @@ optional_policy(`
')
')
@@ -71697,20 +73870,20 @@ index 15832c7..4930474 100644
+optional_policy(`
+ ssh_exec(mount_t)
+')
-
- optional_policy(`
-- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
-- unconfined_domain(unconfined_mount_t)
-+ usbmuxd_stream_connect(mount_t)
- ')
+
+optional_policy(`
-+ userhelper_exec_console(mount_t)
++ usbmuxd_stream_connect(mount_t)
+')
+
+optional_policy(`
-+ virt_read_blk_images(mount_t)
++ userhelper_exec_console(mount_t)
+')
+
+ optional_policy(`
+- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+- unconfined_domain(unconfined_mount_t)
++ virt_read_blk_images(mount_t)
+ ')
+
+optional_policy(`
+ vmware_exec_host(mount_t)
@@ -72934,10 +75107,21 @@ index 694fd94..334e80e 100644
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index ff80d0a..be800df 100644
+index ff80d0a..22c9f0d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
-@@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
+@@ -49,10 +49,6 @@ interface(`sysnet_run_dhcpc',`
+ sysnet_run_ifconfig(dhcpc_t, $2)
+
+ optional_policy(`
+- consoletype_run(dhcpc_t, $2)
+- ')
+-
+- optional_policy(`
+ hostname_run(dhcpc_t, $2)
+ ')
+
+@@ -60,6 +56,24 @@ interface(`sysnet_run_dhcpc',`
netutils_run(dhcpc_t, $2)
netutils_run_ping(dhcpc_t, $2)
')
@@ -72962,7 +75146,7 @@ index ff80d0a..be800df 100644
')
########################################
-@@ -269,6 +287,43 @@ interface(`sysnet_delete_dhcpc_state',`
+@@ -269,6 +283,43 @@ interface(`sysnet_delete_dhcpc_state',`
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
@@ -73006,7 +75190,7 @@ index ff80d0a..be800df 100644
#######################################
## <summary>
## Set the attributes of network config files.
-@@ -290,6 +345,44 @@ interface(`sysnet_setattr_config',`
+@@ -290,6 +341,44 @@ interface(`sysnet_setattr_config',`
#######################################
## <summary>
@@ -73051,7 +75235,7 @@ index ff80d0a..be800df 100644
## Read network config files.
## </summary>
## <desc>
-@@ -405,7 +498,7 @@ interface(`sysnet_etc_filetrans_config',`
+@@ -405,7 +494,7 @@ interface(`sysnet_etc_filetrans_config',`
type net_conf_t;
')
@@ -73060,7 +75244,7 @@ index ff80d0a..be800df 100644
')
#######################################
-@@ -426,6 +519,7 @@ interface(`sysnet_manage_config',`
+@@ -426,6 +515,7 @@ interface(`sysnet_manage_config',`
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_redhat',`
@@ -73068,7 +75252,7 @@ index ff80d0a..be800df 100644
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -464,6 +558,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -464,6 +554,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@@ -73076,7 +75260,7 @@ index ff80d0a..be800df 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -554,6 +649,25 @@ interface(`sysnet_signal_ifconfig',`
+@@ -554,6 +645,25 @@ interface(`sysnet_signal_ifconfig',`
########################################
## <summary>
@@ -73102,7 +75286,7 @@ index ff80d0a..be800df 100644
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
-@@ -661,6 +775,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -661,6 +771,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
@@ -73111,7 +75295,7 @@ index ff80d0a..be800df 100644
sysnet_read_config($1)
optional_policy(`
-@@ -698,6 +814,9 @@ interface(`sysnet_use_ldap',`
+@@ -698,6 +810,9 @@ interface(`sysnet_use_ldap',`
corenet_sendrecv_ldap_client_packets($1)
sysnet_read_config($1)
@@ -73121,7 +75305,7 @@ index ff80d0a..be800df 100644
')
########################################
-@@ -731,3 +850,73 @@ interface(`sysnet_use_portmap',`
+@@ -731,3 +846,73 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -73196,7 +75380,7 @@ index ff80d0a..be800df 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..767ccbd 100644
+index 34d0ec5..8aa3908 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -73223,7 +75407,7 @@ index 34d0ec5..767ccbd 100644
type dhcpc_state_t;
files_type(dhcpc_state_t)
-@@ -34,7 +44,7 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
+@@ -34,17 +44,20 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;
type net_conf_t alias resolv_conf_t;
@@ -73232,7 +75416,22 @@ index 34d0ec5..767ccbd 100644
########################################
#
-@@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+ # DHCP client local policy
+ #
+ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
++dontaudit dhcpc_t self:capability sys_tty_config;
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
++allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms };
++tunable_policy(`deny_ptrace',`',`
++ allow dhcpc_t self:process ptrace;
++')
+
+ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+@@ -57,8 +70,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
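Review bot: The rewritten `dontaudit dhcpc_t self:capability sys_tty_config;` has no effect, because the allow rule directly above it already grants sys_tty_config to dhcpc_t and a permitted access is never audited as a denial. With sys_ptrace gone from the set the line can simply be deleted, which also avoids suggesting that the capability is being withheld. The dhcpc_t local policy block continues outside the hunk.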
@@ -73244,7 +75443,7 @@ index 34d0ec5..767ccbd 100644
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -66,6 +79,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
+@@ -66,6 +82,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -73253,7 +75452,7 @@ index 34d0ec5..767ccbd 100644
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -91,25 +106,28 @@ corecmd_exec_shell(dhcpc_t)
+@@ -91,25 +109,28 @@ corecmd_exec_shell(dhcpc_t)
corenet_all_recvfrom_unlabeled(dhcpc_t)
corenet_all_recvfrom_netlabel(dhcpc_t)
@@ -73290,7 +75489,7 @@ index 34d0ec5..767ccbd 100644
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -130,13 +148,14 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
+@@ -130,13 +151,14 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
init_rw_utmp(dhcpc_t)
@@ -73307,24 +75506,27 @@ index 34d0ec5..767ccbd 100644
userdom_use_user_terminals(dhcpc_t)
userdom_dontaudit_search_user_home_dirs(dhcpc_t)
-@@ -155,6 +174,16 @@ optional_policy(`
+@@ -151,7 +173,18 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
+- consoletype_domtrans(dhcpc_t)
++ consoletype_exec(dhcpc_t)
++')
++
++optional_policy(`
+ chronyd_initrc_domtrans(dhcpc_t)
+ chronyd_systemctl(dhcpc_t)
++ chronyd_read_keys(dhcpc_t)
+')
+
+optional_policy(`
+ devicekit_dontaudit_rw_log(dhcpc_t)
+ devicekit_dontaudit_read_pid_files(dhcpc_t)
-+')
-+
-+optional_policy(`
- init_dbus_chat_script(dhcpc_t)
+ ')
- dbus_system_bus_client(dhcpc_t)
-@@ -171,6 +200,8 @@ optional_policy(`
+ optional_policy(`
+@@ -171,6 +204,8 @@ optional_policy(`
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
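Review bot: `chronyd_read_keys(dhcpc_t)` is added without a comment. Judging by its name, it lets the DHCP client domain, which processes data received from the network, read chronyd's key material; the interface body is not visible here. Please state the need in a comment, e.g. `# dhclient-script reads the chrony key file to <reason>`, or drop the line if `chronyd_initrc_domtrans` and `chronyd_systemctl` are sufficient. In the same hunk `consoletype_domtrans(dhcpc_t)` becomes `consoletype_exec(dhcpc_t)`, which presumably runs consoletype inside dhcpc_t rather than in its own domain; it is worth confirming that the loss of the transition is intended.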
@@ -73333,7 +75535,7 @@ index 34d0ec5..767ccbd 100644
')
optional_policy(`
-@@ -192,17 +223,31 @@ optional_policy(`
+@@ -192,17 +227,31 @@ optional_policy(`
')
optional_policy(`
@@ -73365,7 +75567,7 @@ index 34d0ec5..767ccbd 100644
')
optional_policy(`
-@@ -213,6 +258,11 @@ optional_policy(`
+@@ -213,6 +262,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -73377,7 +75579,7 @@ index 34d0ec5..767ccbd 100644
')
optional_policy(`
-@@ -255,6 +305,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +309,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -73385,7 +75587,7 @@ index 34d0ec5..767ccbd 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +327,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +331,11 @@ dev_read_urand(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
@@ -73397,7 +75599,7 @@ index 34d0ec5..767ccbd 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -301,11 +355,12 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +359,12 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
@@ -73412,7 +75614,7 @@ index 34d0ec5..767ccbd 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -314,7 +369,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +373,18 @@ ifdef(`distro_ubuntu',`
')
')
@@ -73431,7 +75633,7 @@ index 34d0ec5..767ccbd 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -325,8 +391,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +395,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -73446,7 +75648,7 @@ index 34d0ec5..767ccbd 100644
')
optional_policy(`
-@@ -335,6 +407,18 @@ optional_policy(`
+@@ -335,6 +411,18 @@ optional_policy(`
')
optional_policy(`
@@ -73465,7 +75667,7 @@ index 34d0ec5..767ccbd 100644
nis_use_ypbind(ifconfig_t)
')
-@@ -356,3 +440,9 @@ optional_policy(`
+@@ -356,3 +444,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -74621,7 +76823,7 @@ index 025348a..c15e57c 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..c31aeb2 100644
+index d88f7c3..6a93c64 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -74640,20 +76842,29 @@ index d88f7c3..c31aeb2 100644
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -38,6 +36,12 @@ ifdef(`enable_mcs',`
+@@ -36,9 +34,19 @@ ifdef(`enable_mcs',`
+ # Local policy
+ #
- allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
+-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
++allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
dontaudit udev_t self:capability sys_tty_config;
+-allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit udev_t self:capability sys_module;
+')
+
- allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++tunable_policy(`deny_ptrace',`',`
++ allow udev_t self:process ptrace;
++')
++
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
-@@ -52,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
+ allow udev_t self:fifo_file rw_fifo_file_perms;
+@@ -52,6 +60,7 @@ allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
@@ -74661,7 +76872,7 @@ index d88f7c3..c31aeb2 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -62,17 +67,17 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -62,17 +71,17 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
@@ -74685,7 +76896,7 @@ index d88f7c3..c31aeb2 100644
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
-@@ -87,6 +92,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
+@@ -87,6 +96,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
kernel_search_debugfs(udev_t)
@@ -74693,7 +76904,7 @@ index d88f7c3..c31aeb2 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -97,6 +103,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -97,6 +107,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
@@ -74701,7 +76912,7 @@ index d88f7c3..c31aeb2 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -105,21 +112,30 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,21 +116,30 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -74733,7 +76944,7 @@ index d88f7c3..c31aeb2 100644
mcs_ptrace_all(udev_t)
-@@ -143,6 +159,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +163,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -74741,7 +76952,7 @@ index d88f7c3..c31aeb2 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +190,8 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
@@ -74750,7 +76961,7 @@ index d88f7c3..c31aeb2 100644
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -186,8 +205,9 @@ ifdef(`distro_redhat',`
+@@ -186,8 +209,9 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@@ -74761,16 +76972,15 @@ index d88f7c3..c31aeb2 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -216,11 +236,16 @@ optional_policy(`
+@@ -216,11 +240,16 @@ optional_policy(`
')
optional_policy(`
-- consoletype_exec(udev_t)
+ consolekit_read_pid_files(udev_t)
+')
+
+optional_policy(`
-+ consoletype_domtrans(udev_t)
+ consoletype_exec(udev_t)
')
optional_policy(`
@@ -74779,7 +76989,7 @@ index d88f7c3..c31aeb2 100644
')
optional_policy(`
-@@ -230,10 +255,20 @@ optional_policy(`
+@@ -230,10 +259,20 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -74800,7 +77010,7 @@ index d88f7c3..c31aeb2 100644
')
optional_policy(`
-@@ -259,6 +294,10 @@ optional_policy(`
+@@ -259,6 +298,10 @@ optional_policy(`
')
optional_policy(`
@@ -74811,7 +77021,7 @@ index d88f7c3..c31aeb2 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +312,11 @@ optional_policy(`
+@@ -273,6 +316,11 @@ optional_policy(`
')
optional_policy(`
@@ -74844,10 +77054,10 @@ index ce2fbb9..8b34dbc 100644
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..46f9aaf 100644
+index 416e668..3d4780b 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
-@@ -12,27 +12,29 @@
+@@ -12,27 +12,34 @@
#
interface(`unconfined_domain_noaudit',`
gen_require(`
@@ -74860,7 +77070,12 @@ index 416e668..46f9aaf 100644
# Use any Linux capability.
- allow $1 self:capability *;
- allow $1 self:fifo_file manage_fifo_file_perms;
-+ allow $1 self:capability ~sys_module;
++
++ allow $1 self:capability ~{ sys_module sys_ptrace };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 self:capability sys_ptrace;
++ ')
++
+ allow $1 self:capability2 syslog;
+ allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
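Review bot: The `# Use any Linux capability.` comment above the changed rule is no longer true, because the rule now excludes sys_module and sys_ptrace, and sys_ptrace comes back only through the deny_ptrace block. I would reword it to `# Use any Linux capability except sys_module; sys_ptrace only while deny_ptrace is off.` so that someone auditing what an unconfined domain holds does not rely on the old wording. unconfined_domain_noaudit continues outside this hunk.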
@@ -74884,7 +77099,7 @@ index 416e668..46f9aaf 100644
kernel_unconfined($1)
corenet_unconfined($1)
-@@ -43,6 +45,13 @@ interface(`unconfined_domain_noaudit',`
+@@ -43,22 +50,27 @@ interface(`unconfined_domain_noaudit',`
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
@@ -74898,7 +77113,25 @@ index 416e668..46f9aaf 100644
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
-@@ -69,6 +78,7 @@ interface(`unconfined_domain_noaudit',`
+ allow $1 self:process execheap;
+ ')
+
+- tunable_policy(`allow_execmem',`
++ tunable_policy(`deny_execmem',`',`
+ # Allow making anonymous memory executable, e.g.
+ # for runtime-code generation or executable stack.
+ allow $1 self:process execmem;
+ ')
+
+ tunable_policy(`allow_execstack',`
+- # Allow making the stack executable via mprotect;
+- # execstack implies execmem;
+- allow $1 self:process { execstack execmem };
++ allow $1 self:process execstack;
+ # auditallow $1 self:process execstack;
+ ')
+
+@@ -69,6 +81,7 @@ interface(`unconfined_domain_noaudit',`
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
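Review bot: The `allow $1 self:process execmem;` rule now sits in the else branch of the deny_execmem block, so every domain passed to unconfined_domain_noaudit holds execmem whenever the boolean is off, whereas the allow_execmem form it replaces granted it only when the boolean was turned on. Please confirm that the shipped default of deny_execmem gives the posture you intend, and add `# execmem is granted unless deny_execmem is set` above the block so the inverted sense is not missed. The allow_execstack block loses both its execmem grant and the comment saying that execstack implies execmem; if that still holds, execstack is probably unusable once deny_execmem is on, and a comment should say so. The same two changes are made to userdom_base_user_template in userdomain.if later in this patch. The interface body continues outside the hunk.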
@@ -74906,7 +77139,7 @@ index 416e668..46f9aaf 100644
')
optional_policy(`
-@@ -122,6 +132,10 @@ interface(`unconfined_domain_noaudit',`
+@@ -122,6 +135,10 @@ interface(`unconfined_domain_noaudit',`
## </param>
#
interface(`unconfined_domain',`
@@ -74917,7 +77150,7 @@ index 416e668..46f9aaf 100644
unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
-@@ -150,7 +164,7 @@ interface(`unconfined_domain',`
+@@ -150,7 +167,7 @@ interface(`unconfined_domain',`
## </param>
#
interface(`unconfined_alias_domain',`
@@ -74926,7 +77159,7 @@ index 416e668..46f9aaf 100644
')
########################################
-@@ -176,414 +190,5 @@ interface(`unconfined_alias_domain',`
+@@ -176,414 +193,5 @@ interface(`unconfined_alias_domain',`
## </param>
#
interface(`unconfined_execmem_alias_program',`
@@ -75605,7 +77838,7 @@ index db75976..494ec08 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..9b49159 100644
+index 4b2878a..31047e8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -75621,7 +77854,7 @@ index 4b2878a..9b49159 100644
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
-@@ -43,69 +45,106 @@ template(`userdom_base_user_template',`
+@@ -43,79 +45,133 @@ template(`userdom_base_user_template',`
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
@@ -75642,7 +77875,10 @@ index 4b2878a..9b49159 100644
- term_create_pty($1_t, user_devpts_t)
+ term_dontaudit_getattr_generic_ptys($1_t)
+
-+ allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
++ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1_usertype $1_usertype:process ptrace;
++ ')
+ allow $1_usertype $1_usertype:fd use;
+ allow $1_usertype $1_t:key { create view read write search link setattr };
+
@@ -75775,9 +78011,14 @@ index 4b2878a..9b49159 100644
+
+ systemd_dbus_chat_logind($1_usertype)
- tunable_policy(`allow_execmem',`
+- tunable_policy(`allow_execmem',`
++ tunable_policy(`deny_execmem',`', `
# Allow loading DSOs that require executable stack.
-@@ -116,6 +155,20 @@ template(`userdom_base_user_template',`
+ allow $1_t self:process execmem;
+ ')
+
+- tunable_policy(`allow_execmem && allow_execstack',`
++ tunable_policy(`allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -75798,7 +78039,7 @@ index 4b2878a..9b49159 100644
')
#######################################
-@@ -149,6 +202,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +205,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -75807,7 +78048,7 @@ index 4b2878a..9b49159 100644
##############################
#
# Domain access to home dir
-@@ -166,27 +221,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +224,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -75835,7 +78076,7 @@ index 4b2878a..9b49159 100644
')
#######################################
-@@ -218,8 +252,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +255,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -75847,7 +78088,7 @@ index 4b2878a..9b49159 100644
##############################
#
# Domain access to home dir
-@@ -228,17 +265,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,43 +268,47 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -75877,9 +78118,11 @@ index 4b2878a..9b49159 100644
+ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
++ userdom_filetrans_home_content($2)
++
files_list_home($2)
-@@ -246,25 +287,23 @@ interface(`userdom_manage_home_role',`
+ # cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
@@ -75909,7 +78152,7 @@ index 4b2878a..9b49159 100644
')
')
-@@ -286,17 +325,63 @@ interface(`userdom_manage_home_role',`
+@@ -286,17 +330,63 @@ interface(`userdom_manage_home_role',`
#
interface(`userdom_manage_tmp_role',`
gen_require(`
@@ -75978,7 +78221,7 @@ index 4b2878a..9b49159 100644
')
#######################################
-@@ -316,6 +401,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +406,7 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -75986,7 +78229,7 @@ index 4b2878a..9b49159 100644
files_search_tmp($1)
')
-@@ -347,59 +433,62 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -347,59 +438,62 @@ interface(`userdom_exec_user_tmp_files',`
#
interface(`userdom_manage_tmpfs_role',`
gen_require(`
@@ -76081,7 +78324,7 @@ index 4b2878a..9b49159 100644
')
#######################################
-@@ -430,6 +519,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +524,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -76089,7 +78332,7 @@ index 4b2878a..9b49159 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -462,8 +552,8 @@ template(`userdom_change_password_template',`
+@@ -462,8 +557,8 @@ template(`userdom_change_password_template',`
')
optional_policy(`
@@ -76100,7 +78343,7 @@ index 4b2878a..9b49159 100644
')
')
-@@ -490,7 +580,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +585,7 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -76109,7 +78352,7 @@ index 4b2878a..9b49159 100644
##############################
#
-@@ -500,73 +590,81 @@ template(`userdom_common_user_template',`
+@@ -500,73 +595,81 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -76131,27 +78374,27 @@ index 4b2878a..9b49159 100644
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
--
-- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- corecmd_exec_bin($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+-
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -76175,10 +78418,10 @@ index 4b2878a..9b49159 100644
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
+ fs_rw_cgroup_files($1_usertype)
++
++ application_getattr_socket($1_usertype)
- fs_rw_cgroup_files($1_t)
-+ application_getattr_socket($1_usertype)
-+
+ logging_send_syslog_msg($1_usertype)
+ logging_send_audit_msgs($1_usertype)
+ selinux_get_enforce_mode($1_usertype)
@@ -76233,7 +78476,7 @@ index 4b2878a..9b49159 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +672,117 @@ template(`userdom_common_user_template',`
+@@ -574,67 +677,117 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -76242,25 +78485,25 @@ index 4b2878a..9b49159 100644
- alsa_relabel_home_files($1_t)
+ # Allow graphical boot to check battery lifespan
+ apm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ canna_stream_connect($1_usertype)
')
optional_policy(`
- # Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
-+ canna_stream_connect($1_usertype)
++ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
-+ chrome_role($1_r, $1_usertype)
++ colord_read_lib_files($1_usertype)
')
optional_policy(`
- dbus_system_bus_client($1_t)
-+ colord_read_lib_files($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -76268,66 +78511,64 @@ index 4b2878a..9b49159 100644
+ optional_policy(`
+ avahi_dbus_chat($1_usertype)
+ ')
-+
-+ optional_policy(`
-+ policykit_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ bluetooth_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ gnome_dbus_chat_gconfdefault($1_usertype)
-+ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
++ policykit_dbus_chat($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ kde_dbus_chat_backlighthelper($1_usertype)
++ bluetooth_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ modemmanager_dbus_chat($1_usertype)
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_lib_files($1_usertype)
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ vpn_dbus_chat($1_usertype)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
- ')
-
- optional_policy(`
-- inetd_use_fds($1_t)
-- inetd_rw_tcp_sockets($1_t)
++
++ optional_policy(`
++ gnome_dbus_chat_gconfdefault($1_usertype)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ kde_dbus_chat_backlighthelper($1_usertype)
++ ')
++
++ optional_policy(`
++ modemmanager_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_lib_files($1_usertype)
++ ')
++
++ optional_policy(`
++ vpn_dbus_chat($1_usertype)
++ ')
++ ')
++
++ optional_policy(`
+ git_session_role($1_r, $1_usertype)
+ ')
+
@@ -76337,20 +78578,22 @@ index 4b2878a..9b49159 100644
')
optional_policy(`
-- inn_read_config($1_t)
-- inn_read_news_lib($1_t)
-- inn_read_news_spool($1_t)
+- inetd_use_fds($1_t)
+- inetd_rw_tcp_sockets($1_t)
+ inn_read_config($1_usertype)
+ inn_read_news_lib($1_usertype)
+ inn_read_news_spool($1_usertype)
')
optional_policy(`
-- locate_read_lib_files($1_t)
+- inn_read_config($1_t)
+- inn_read_news_lib($1_t)
+- inn_read_news_spool($1_t)
+ lircd_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- locate_read_lib_files($1_t)
+ locate_read_lib_files($1_usertype)
')
@@ -76358,21 +78601,21 @@ index 4b2878a..9b49159 100644
optional_policy(`
- modutils_read_module_config($1_t)
+ modutils_read_module_config($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ mta_rw_spool($1_usertype)
-+ mta_manage_queue($1_usertype)
-+ mta_filetrans_home_content($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
++ mta_rw_spool($1_usertype)
++ mta_manage_queue($1_usertype)
++ mta_filetrans_home_content($1_usertype)
++ ')
++
++ optional_policy(`
+ nsplugin_role($1_r, $1_usertype)
')
optional_policy(`
-@@ -650,40 +798,52 @@ template(`userdom_common_user_template',`
+@@ -650,40 +803,52 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -76408,51 +78651,49 @@ index 4b2878a..9b49159 100644
+
+ optional_policy(`
+ rpcbind_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ seunshare_role_template($1, $1_r, $1_t)
++ slrnpull_search_spool($1_usertype)
')
optional_policy(`
- usernetctl_run($1_t, $1_r)
-+ slrnpull_search_spool($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ thumb_role($1_r, $1_usertype)
')
')
-@@ -712,13 +872,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +877,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
-+
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
++
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -76460,7 +78701,9 @@ index 4b2878a..9b49159 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -76468,7 +78711,14 @@ index 4b2878a..9b49159 100644
userdom_change_password_template($1)
-@@ -736,72 +909,76 @@ template(`userdom_login_user_template', `
+@@ -730,78 +908,82 @@ template(`userdom_login_user_template', `
+ allow $1_t self:capability { setgid chown fowner };
+ dontaudit $1_t self:capability { sys_nice fsetid };
+
+- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
++ allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+ dontaudit $1_t self:process setrlimit;
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
allow $1_t self:context contains;
@@ -76536,49 +78786,49 @@ index 4b2878a..9b49159 100644
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
++
++ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
-+ seutil_read_config($1_usertype)
++ optional_policy(`
++ cups_read_config($1_usertype)
++ cups_stream_connect($1_usertype)
++ cups_stream_connect_ptal($1_usertype)
++ ')
optional_policy(`
- cups_read_config($1_t)
- cups_stream_connect($1_t)
- cups_stream_connect_ptal($1_t)
-+ cups_read_config($1_usertype)
-+ cups_stream_connect($1_usertype)
-+ cups_stream_connect_ptal($1_usertype)
++ kerberos_use($1_usertype)
++ kerberos_filetrans_home_content($1_usertype)
')
optional_policy(`
- kerberos_use($1_t)
-+ kerberos_use($1_usertype)
-+ kerberos_filetrans_home_content($1_usertype)
++ mta_dontaudit_read_spool_symlinks($1_usertype)
')
optional_policy(`
- mta_dontaudit_read_spool_symlinks($1_t)
-+ mta_dontaudit_read_spool_symlinks($1_usertype)
++ quota_dontaudit_getattr_db($1_usertype)
')
optional_policy(`
- quota_dontaudit_getattr_db($1_t)
-+ quota_dontaudit_getattr_db($1_usertype)
++ rpm_read_db($1_usertype)
++ rpm_dontaudit_manage_db($1_usertype)
++ rpm_read_cache($1_usertype)
')
optional_policy(`
- rpm_read_db($1_t)
- rpm_dontaudit_manage_db($1_t)
-+ rpm_read_db($1_usertype)
-+ rpm_dontaudit_manage_db($1_usertype)
-+ rpm_read_cache($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ oddjob_run_mkhomedir($1_t, $1_r)
')
')
-@@ -833,6 +1010,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1015,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -76588,7 +78838,7 @@ index 4b2878a..9b49159 100644
##############################
#
# Local policy
-@@ -874,45 +1054,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1059,118 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -76718,7 +78968,7 @@ index 4b2878a..9b49159 100644
')
')
-@@ -947,7 +1200,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1205,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -76727,7 +78977,7 @@ index 4b2878a..9b49159 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1209,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1214,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -76745,7 +78995,7 @@ index 4b2878a..9b49159 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1234,72 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1239,64 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -76780,11 +79030,9 @@ index 4b2878a..9b49159 100644
+
+ optional_policy(`
+ cron_role($1_r, $1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ games_rw_data($1_usertype)
+ ')
+
@@ -76801,18 +79049,12 @@ index 4b2878a..9b49159 100644
+ ')
+
+ optional_policy(`
-+ execmem_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
-+ java_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ mono_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
@@ -76827,7 +79069,7 @@ index 4b2878a..9b49159 100644
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1308,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1305,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -76838,7 +79080,7 @@ index 4b2878a..9b49159 100644
')
')
-@@ -1039,7 +1346,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -76847,10 +79089,15 @@ index 4b2878a..9b49159 100644
')
##############################
-@@ -1066,6 +1373,7 @@ template(`userdom_admin_user_template',`
+@@ -1065,7 +1369,11 @@ template(`userdom_admin_user_template',`
+ # $1_t local policy
#
- allow $1_t self:capability ~{ sys_module audit_control audit_write };
+- allow $1_t self:capability ~{ sys_module audit_control audit_write };
++ allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1_t self:capability sys_ptrace;
++ ')
+ allow $1_t self:capability2 syslog;
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
@@ -77086,16 +79333,18 @@ index 4b2878a..9b49159 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1334,7 +1686,44 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,12 +1686,49 @@ interface(`userdom_setattr_user_ptys',`
## </summary>
## </param>
#
-interface(`userdom_create_user_pty',`
+interface(`userdom_attach_admin_tun_iface',`
-+ gen_require(`
+ gen_require(`
+- type user_devpts_t;
+ attribute admindomain;
-+ ')
-+
+ ')
+
+- term_create_pty($1, user_devpts_t)
+ allow $1 admindomain:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
@@ -77129,9 +79378,14 @@ index 4b2878a..9b49159 100644
+## </param>
+#
+interface(`userdom_create_user_pty',`
- gen_require(`
- type user_devpts_t;
- ')
++ gen_require(`
++ type user_devpts_t;
++ ')
++
++ term_create_pty($1, user_devpts_t)
+ ')
+
+ ########################################
@@ -1395,6 +1784,7 @@ interface(`userdom_search_user_home_dirs',`
')
@@ -78001,7 +80255,7 @@ index 4b2878a..9b49159 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3922,1094 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3922,1146 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -78092,7 +80346,9 @@ index 4b2878a..9b49159 100644
+ attribute userdomain;
+ ')
+
-+ allow $1 userdomain:process ptrace;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 userdomain:process ptrace;
++ ')
+')
+
+########################################
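Review bot: Callers of this interface now receive no rule at all when deny_ptrace is on, and nothing in the visible lines tells them so. The interface header is outside this hunk, so I cannot see its summary, but it should carry a line such as `## The access is granted only while the deny_ptrace boolean is off.` so that a module author does not assume the ptrace access is unconditional.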
@@ -78728,6 +80984,29 @@ index 4b2878a..9b49159 100644
+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
+')
+
++########################################
++## <summary>
++## Manage system SSL certificates in the users homedir.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_manage_home_certs',`
++ gen_require(`
++ type home_cert_t;
++ ')
++
++ allow $1 home_cert_t:dir list_dir_perms;
++ manage_files_pattern($1, home_cert_t, home_cert_t)
++ manage_lnk_files_pattern($1, home_cert_t, home_cert_t)
++
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++')
++
+#######################################
+## <summary>
+## Dontaudit Write system SSL certificates in the users homedir.
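Review bot: userdom_manage_home_certs adds named transitions that label new `.cert` and `.pki` directories home_cert_t, but as far as I can tell from the macros used, none of its rules grants create on home_cert_t directories; the explicit directory rule is only `allow $1 home_cert_t:dir list_dir_perms;`. Unless callers get that permission elsewhere, creating either directory would be denied, and `manage_dirs_pattern($1, home_cert_t, home_cert_t)` in place of the list_dir_perms line would match the "Manage" summary. The summary also says "system SSL certificates" although the type is the per-user home_cert_t, so `## Manage SSL certificates in the user's home directory.` would be more accurate.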
@@ -79096,6 +81375,33 @@ index 4b2878a..9b49159 100644
+
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
++
++########################################
++## <summary>
++## Transition to userdom named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_filetrans_home_content',`
++ gen_require(`
++ type home_bin_t, home_cert_t;
++ type audio_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++
++ #optional_policy(`
++ # gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
++ #')
++')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 9b4a930..d6c3860 100644
--- a/policy/modules/system/userdomain.te
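Review bot: userdom_filetrans_home_content ends with a commented-out optional_policy block calling gnome_admin_home_gconf_filetrans with home_bin_t and "bin", which looks like a leftover rather than a planned rule. I would delete it or replace it with a one-line TODO saying what is still missing. The summary "Transition to userdom named content" does not tell a caller which names are affected, so listing them (bin, Audio, Music, .cert, .pki) in a `## <desc>` block would help, since userdom_manage_home_role now calls this interface. The `.cert` and `.pki` transitions are repeated in userdom_manage_home_certs in this patch, so the two lists can drift apart.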
@@ -79335,7 +81641,7 @@ index 77d41b6..7ccb440 100644
files_search_pids($1)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..e50a784 100644
+index 4350ba0..5d6dbad 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -79366,16 +81672,17 @@ index 4350ba0..e50a784 100644
########################################
#
# blktap local policy
-@@ -208,7 +205,7 @@ tunable_policy(`xend_run_qemu',`
+@@ -208,8 +205,7 @@ tunable_policy(`xend_run_qemu',`
# xend local policy
#
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+-dontaudit xend_t self:capability { sys_ptrace };
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
- dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { signal sigkill };
dontaudit xend_t self:process ptrace;
-@@ -320,12 +317,9 @@ locallogin_dontaudit_use_fds(xend_t)
+ # internal communication is often done using fifo and unix sockets.
+@@ -320,12 +316,9 @@ locallogin_dontaudit_use_fds(xend_t)
logging_send_syslog_msg(xend_t)
@@ -79388,7 +81695,7 @@ index 4350ba0..e50a784 100644
sysnet_domtrans_dhcpc(xend_t)
sysnet_signal_dhcpc(xend_t)
-@@ -339,8 +333,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+@@ -339,8 +332,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
xen_stream_connect_xenstore(xend_t)
@@ -79397,7 +81704,7 @@ index 4350ba0..e50a784 100644
optional_policy(`
brctl_domtrans(xend_t)
')
-@@ -349,6 +341,22 @@ optional_policy(`
+@@ -349,6 +340,22 @@ optional_policy(`
consoletype_exec(xend_t)
')
@@ -79420,7 +81727,7 @@ index 4350ba0..e50a784 100644
########################################
#
# Xen console local policy
-@@ -413,9 +421,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +420,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
# pid file
@@ -79432,7 +81739,7 @@ index 4350ba0..e50a784 100644
# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +451,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +450,11 @@ files_read_etc_files(xenstored_t)
files_read_usr_files(xenstored_t)
@@ -79444,7 +81751,7 @@ index 4350ba0..e50a784 100644
init_use_fds(xenstored_t)
init_use_script_ptys(xenstored_t)
-@@ -457,96 +468,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +467,9 @@ xen_append_log(xenstored_t)
########################################
#
@@ -79541,7 +81848,7 @@ index 4350ba0..e50a784 100644
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-@@ -559,8 +483,4 @@ optional_policy(`
+@@ -559,8 +482,4 @@ optional_policy(`
fs_manage_nfs_files(xend_t)
fs_read_nfs_symlinks(xend_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4f24b43..726dd6c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 56%{?dist}
+Release: 57%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Nov 11 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-57
+- Pulseaudio changes
+- Merge patches
+
* Thu Nov 10 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-56
- Merge patches back into git repository.