[selinux-policy/f16] - Allow logrotate setuid and setgid since logrotate is supposed to do it - Fixes for thumb policy by
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Oct 3 19:11:44 UTC 2011
commit e02e8f098744a33e7898c00036b8979f2b80f505
Author: Miroslav <mgrepl at redhat.com>
Date: Mon Oct 3 21:11:24 2011 +0200
- Allow logrotate setuid and setgid since logrotate is supposed to do it
- Fixes for thumb policy by grift
- Add new nfsd ports
- Added fix to allow confined apps to execmod on chrome
- Add labeling for additional vdsm directories
- Allow Exim and Dovecot SASL
- Add label for /var/run/nmbd
- Add fixes to make virsh and xen work together
- Colord executes ls
- /var/spool/cron is now labeled as user_cron_spool_t
policy-F16.patch | 1013 ++++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 14 +-
2 files changed, 698 insertions(+), 329 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 29e1ca4..9591fd2 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -634,6 +634,22 @@ index 2c2cdb6..73b3814 100644
+ brctl_domtrans($1)
+ role $2 types brctl_t;
+')
+diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
+index 9a62a1d..eb017ef 100644
+--- a/policy/modules/admin/brctl.te
++++ b/policy/modules/admin/brctl.te
+@@ -20,6 +20,11 @@ allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+ allow brctl_t self:unix_dgram_socket create_socket_perms;
+ allow brctl_t self:tcp_socket create_socket_perms;
+
++ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit brctl_t self:capability sys_module;
++')
++
+ kernel_request_load_module(brctl_t)
+ kernel_read_network_state(brctl_t)
+ kernel_read_sysctl(brctl_t)
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
index 6b02433..1e28e62 100644
--- a/policy/modules/admin/certwatch.te
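Review bot: The added `dontaudit brctl_t self:capability sys_module;` is justified only by `# caused by some bogus kernel code`, which gives a later maintainer nothing to check before keeping or removing the rule. A dontaudit rule suppresses the AVC record, so whenever `hide_broken_symptoms` is defined, any other attempt by brctl_t to use sys_module goes unlogged as well. I would replace the comment with one that names the trigger and a tracking reference, e.g. `# <kernel path that checks sys_module>, tracked in <BUG-ID>; drop once the kernel is fixed`. The existing `kernel_request_load_module(brctl_t)` line just below suggests module autoloading is the legitimate path, but that is an inference from this hunk alone.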
@@ -1123,9 +1139,21 @@ index 4f7bd3c..a29af21 100644
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..b80d4c6 100644
+index 7090dae..db17bbe 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
+@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t)
+ #
+
+ # Change ownership on log files.
+-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
+ # for mailx
+-dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
++dontaudit logrotate_t self:capability { sys_ptrace };
+
+ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
@@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
allow logrotate_t self:process setfscreate;
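Review bot: The comment above the widened allow rule still reads `# Change ownership on log files.`, which does not explain why logrotate_t now holds `setuid` and `setgid` alongside `dac_override` and `fowner`. The commit message only says logrotate "is supposed to do it", so the reason (presumably switching to a configured user and group while rotating) should be recorded next to the rule, e.g. `# setuid/setgid: logrotate changes to the user/group set in its configuration`. The `# for mailx` comment now sits over `dontaudit logrotate_t self:capability { sys_ptrace };` only. Confirm it still describes that rule, since the comment may have referred to the setuid/setgid entries that were moved out.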
@@ -4564,10 +4592,10 @@ index 0000000..6f3570a
+/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
new file mode 100644
-index 0000000..fc9014f
+index 0000000..e23f640
--- /dev/null
+++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,132 @@
+## <summary>execmem domain</summary>
+
+########################################
@@ -4636,9 +4664,8 @@ index 0000000..fc9014f
+
+ files_execmod_tmp($1_execmem_t)
+
-+ optional_policy(`
-+ execmem_execmod($1_execmem_t)
-+ ')
++ allow $3 execmem_exec_t:file execmod;
++ allow $1_execmem_t execmem_exec_t:file execmod;
+
+ # needed by plasma-desktop
+ optional_policy(`
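Review bot: The first added rule, `allow $3 execmem_exec_t:file execmod;`, grants execmod to the whole calling domain passed as `$3`, not just to `$1_execmem_t`, and nothing in the hunk says why. execmod allows a modified file mapping to be made executable, so widening it to every domain that instantiates this template deserves a comment naming the consumer. The commit message mentions chrome, so something like `# chrome: confined callers need execmod on execmem_exec_t files, see <BUG-ID>` would do. The new rules also reference `execmem_exec_t` directly, where the removed code went through `execmem_execmod()` inside `optional_policy`. The template's `gen_require` block is outside this hunk, so check that it declares `type execmem_exec_t;`.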
@@ -4917,10 +4944,10 @@ index 00a19e3..9f6139c 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..19f3c30 100644
+index f5afe78..9a0377f 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,731 @@
+@@ -1,44 +1,768 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -5217,7 +5244,7 @@ index f5afe78..19f3c30 100644
+ type cache_home_t;
+ ')
+
-+ filetrans_pattern($1, cache_home_t, $2, $3)
++ filetrans_pattern($1, cache_home_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
+')
+
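Review bot: Forwarding `$4` to `filetrans_pattern` gives this interface a new object-name argument, but its `## <param>` header is outside the hunk, so it is not visible whether the argument is documented. The same applies to the `data_home_t` interface changed in the next hunk. If the header lacks it, add a block starting `## <param name="name" optional="true">` with a summary such as `The name of the object being created.`. Marking it optional matters because three-argument callers remain in this commit, for example `gnome_cache_filetrans(telepathy_gabble_t, telepathy_cache_home_t, dir)`.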
@@ -5362,7 +5389,7 @@ index f5afe78..19f3c30 100644
+ type data_home_t;
+ ')
+
-+ filetrans_pattern($1, data_home_t, $2, $3)
++ filetrans_pattern($1, data_home_t, $2, $3, $4)
+ gnome_search_gconf($1)
+')
+
@@ -5596,11 +5623,10 @@ index f5afe78..19f3c30 100644
+## search gconf homedir (.local)
+## </summary>
+## <param name="domain">
- ## <summary>
--## Role allowed access
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+#
+interface(`gnome_search_gconf',`
+ gen_require(`
@@ -5615,6 +5641,26 @@ index f5afe78..19f3c30 100644
+## <summary>
+## Set attributes of Gnome config dirs.
+## </summary>
++## <param name="domain">
+ ## <summary>
+-## Role allowed access
++## Domain allowed access.
+ ## </summary>
+ ## </param>
++#
++interface(`gnome_setattr_config_dirs',`
++ gen_require(`
++ type gnome_home_t;
++ ')
++
++ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
++ files_search_home($1)
++')
++
++########################################
++## <summary>
++## Manage generic gnome home files.
++## </summary>
## <param name="domain">
## <summary>
-## User domain for the role
@@ -5623,7 +5669,7 @@ index f5afe78..19f3c30 100644
## </param>
#
-interface(`gnome_role',`
-+interface(`gnome_setattr_config_dirs',`
++interface(`gnome_manage_generic_home_files',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
- type gconf_tmp_t;
@@ -5631,19 +5677,37 @@ index f5afe78..19f3c30 100644
')
- role $1 types gconfd_t;
--
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, gnome_home_t, gnome_home_t)
++')
++
++########################################
++## <summary>
++## Manage generic gnome home directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_manage_generic_home_dirs',`
++ gen_require(`
++ type gnome_home_t;
++ ')
+
- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
- allow gconfd_t $2:fd use;
- allow gconfd_t $2:fifo_file write;
- allow gconfd_t $2:unix_stream_socket connectto;
-+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
-+ files_search_home($1)
++ userdom_search_user_home_dirs($1)
++ allow $1 gnome_home_t:dir manage_dir_perms;
+')
- ps_process_pattern($2, gconfd_t)
+########################################
+## <summary>
-+## Manage generic gnome home files.
++## Append gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
@@ -5651,129 +5715,128 @@ index f5afe78..19f3c30 100644
+## </summary>
+## </param>
+#
-+interface(`gnome_manage_generic_home_files',`
++interface(`gnome_append_gconf_home_files',`
+ gen_require(`
-+ type gnome_home_t;
++ type gconf_home_t;
+ ')
- #gnome_stream_connect_gconf_template($1, $2)
- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
- allow $2 gconfd_t:unix_stream_socket connectto;
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
++ append_files_pattern($1, gconf_home_t, gconf_home_t)
')
########################################
## <summary>
-## Execute gconf programs in
-## in the caller domain.
-+## Manage generic gnome home directories.
++## manage gconf home files
## </summary>
## <param name="domain">
## <summary>
-@@ -46,37 +733,36 @@ interface(`gnome_role',`
+@@ -46,37 +770,60 @@ interface(`gnome_role',`
## </summary>
## </param>
#
-interface(`gnome_exec_gconf',`
-+interface(`gnome_manage_generic_home_dirs',`
++interface(`gnome_manage_gconf_home_files',`
gen_require(`
- type gconfd_exec_t;
-+ type gnome_home_t;
++ type gconf_home_t;
')
- can_exec($1, gconfd_exec_t)
-+ userdom_search_user_home_dirs($1)
-+ allow $1 gnome_home_t:dir manage_dir_perms;
++ allow $1 gconf_home_t:dir list_dir_perms;
++ manage_files_pattern($1, gconf_home_t, gconf_home_t)
')
########################################
## <summary>
-## Read gconf config files.
-+## Append gconf home files
++## Connect to gnome over an unix stream socket.
## </summary>
--## <param name="user_domain">
+## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+ ## <param name="user_domain">
## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++#
++interface(`gnome_stream_connect',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ # Connect to pulseaudit server
++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
++')
++
++########################################
++## <summary>
++## list gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-template(`gnome_read_gconf_config',`
-+interface(`gnome_append_gconf_home_files',`
++interface(`gnome_list_home_config',`
gen_require(`
- type gconf_etc_t;
-+ type gconf_home_t;
++ type config_home_t;
')
- allow $1 gconf_etc_t:dir list_dir_perms;
- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ append_files_pattern($1, gconf_home_t, gconf_home_t)
++ allow $1 config_home_t:dir list_dir_perms;
')
-#######################################
+########################################
## <summary>
-## Create, read, write, and delete gconf config files.
-+## manage gconf home files
++## Set attributes of gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +770,60 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +831,38 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
-interface(`gnome_manage_gconf_config',`
-+interface(`gnome_manage_gconf_home_files',`
++interface(`gnome_setattr_home_config',`
gen_require(`
- type gconf_etc_t;
-+ type gconf_home_t;
++ type config_home_t;
')
- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ allow $1 gconf_home_t:dir list_dir_perms;
-+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
++ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## gconf connection template.
-+## Connect to gnome over an unix stream socket.
++## read gnome homedir content (.config)
## </summary>
+-## <param name="user_domain">
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
- ## <param name="user_domain">
## <summary>
-+## The type of the user domain.
-+## </summary>
-+## </param>
-+#
-+interface(`gnome_stream_connect',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ # Connect to pulseaudit server
-+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
-+')
-+
-+########################################
-+## <summary>
-+## list gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`gnome_stream_connect_gconf',`
-+interface(`gnome_list_home_config',`
++interface(`gnome_read_home_config',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
+ type config_home_t;
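Review bot: In the re-added `gnome_stream_connect` interface, the inline comment `# Connect to pulseaudit server` does not describe the rule beneath it, `stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)`. The rule lets `$1` connect to `$2` over sockets carrying any type in the `gnome_home_type` attribute, and the comment looks like a leftover (and misspelling) from pulseaudio policy. The block is only being moved in this hunk, but since the lines are rewritten anyway I would correct it to `# Connect to $2 over sockets labelled with any gnome_home_type`. A misleading comment on an interface that grants connectto across an attribute makes later audits of its callers harder.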
@@ -5781,45 +5844,46 @@ index f5afe78..19f3c30 100644
- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
- allow $1 gconfd_t:unix_stream_socket connectto;
-+ allow $1 config_home_t:dir list_dir_perms;
++ list_dirs_pattern($1, config_home_t, config_home_t)
++ read_files_pattern($1, config_home_t, config_home_t)
++ read_lnk_files_pattern($1, config_home_t, config_home_t)
')
########################################
## <summary>
-## Run gconfd in gconfd domain.
-+## Set attributes of gnome homedir content (.config)
++## manage gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +831,18 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +870,17 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
-interface(`gnome_domtrans_gconfd',`
-+interface(`gnome_setattr_home_config',`
++interface(`gnome_manage_home_config',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
+ type config_home_t;
')
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+ setattr_dirs_pattern($1, config_home_t, config_home_t)
-+ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, config_home_t, config_home_t)
')
########################################
## <summary>
-## Set attributes of Gnome config dirs.
-+## read gnome homedir content (.config)
++## manage gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +850,355 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +888,335 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
-interface(`gnome_setattr_config_dirs',`
-+interface(`gnome_read_home_config',`
++interface(`gnome_manage_home_config_dirs',`
gen_require(`
- type gnome_home_t;
+ type config_home_t;
@@ -5827,15 +5891,13 @@ index f5afe78..19f3c30 100644
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
- files_search_home($1)
-+ list_dirs_pattern($1, config_home_t, config_home_t)
-+ read_files_pattern($1, config_home_t, config_home_t)
-+ read_lnk_files_pattern($1, config_home_t, config_home_t)
++ manage_dirs_pattern($1, config_home_t, config_home_t)
')
########################################
## <summary>
-## Read gnome homedir content (.config)
-+## manage gnome homedir content (.config)
++## manage gstreamer home content files.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
@@ -5845,21 +5907,22 @@ index f5afe78..19f3c30 100644
## </param>
#
-template(`gnome_read_config',`
-+interface(`gnome_manage_home_config',`
++interface(`gnome_manage_gstreamer_home_files',`
gen_require(`
- type gnome_home_t;
-+ type config_home_t;
++ type gstreamer_home_t;
')
- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
- read_files_pattern($1, gnome_home_t, gnome_home_t)
- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
-+ manage_files_pattern($1, config_home_t, config_home_t)
++ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
')
########################################
## <summary>
- ## manage gnome homedir content (.config)
+-## manage gnome homedir content (.config)
++## Read/Write all inherited gnome home config
## </summary>
-## <param name="user_domain">
+## <param name="domain">
@@ -5869,24 +5932,6 @@ index f5afe78..19f3c30 100644
## </param>
#
-interface(`gnome_manage_config',`
-+interface(`gnome_manage_home_config_dirs',`
-+ gen_require(`
-+ type config_home_t;
-+ ')
-+
-+ manage_dirs_pattern($1, config_home_t, config_home_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read/Write all inherited gnome home config
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+interface(`gnome_rw_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
@@ -6518,7 +6563,7 @@ index 40e0a2a..93d212c 100644
## <summary>
## Send generic signals to user gpg processes.
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..538d39e 100644
+index 9050e8c..3b10693 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -6666,17 +6711,18 @@ index 9050e8c..538d39e 100644
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
')
-@@ -332,6 +358,9 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -332,6 +358,10 @@ miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
+# Bug: user pulseaudio files need open,read and unlink:
+allow gpg_pinentry_t user_tmpfs_t:file unlink;
+userdom_signull_unpriv_users(gpg_pinentry_t)
++userdom_use_user_terminals(gpg_pinentry_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
-@@ -342,11 +371,21 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -342,11 +372,21 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
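Review bot: `userdom_use_user_terminals(gpg_pinentry_t)` is added with no comment, while the neighbouring rules each carry one (`# for .Xauthority`, `# Bug: user pulseaudio files need open,read and unlink:`). gpg_pinentry_t is the domain that collects passphrases, so every extra access it gains should have its reason on record. If the motivation is a terminal-based pinentry front end, which is my inference rather than something the hunk states, a line such as `# terminal pinentry reads the passphrase from the user tty, see <BUG-ID>` above the call would cover it.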
@@ -6698,7 +6744,7 @@ index 9050e8c..538d39e 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +395,28 @@ optional_policy(`
+@@ -356,4 +396,28 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -10638,19 +10684,39 @@ index 7590165..7e6f53c 100644
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_mounton_fusefs(seunshare_domain)
+')
+diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc
+index b07ee19..5d12aa3 100644
+--- a/policy/modules/apps/telepathy.fc
++++ b/policy/modules/apps/telepathy.fc
+@@ -1,8 +1,12 @@
+ HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
+-HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
++HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
++HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
+ HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+ HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
++HOME_DIR/\.cache/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+ HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
++HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
++HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0)
+ HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
+ HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
-index 3cfb128..609921d 100644
+index 3cfb128..d49274d 100644
--- a/policy/modules/apps/telepathy.if
+++ b/policy/modules/apps/telepathy.if
-@@ -11,7 +11,6 @@
+@@ -11,9 +11,7 @@
## </summary>
## </param>
#
-#
template(`telepathy_domain_template',`
-
+-
gen_require(`
-@@ -23,16 +22,18 @@ template(`telepathy_domain_template',`
+ attribute telepathy_domain;
+ attribute telepathy_executable;
+@@ -23,16 +21,18 @@ template(`telepathy_domain_template',`
type telepathy_$1_exec_t, telepathy_executable;
application_domain(telepathy_$1_t, telepathy_$1_exec_t)
ubac_constrained(telepathy_$1_t)
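Review bot: The new catch-all entry `HOME_DIR/\.cache/telepathy(/.*)?` labels the `logger` directory, and every file in it except `sqlite-data-journal`, as `telepathy_cache_home_t`. The type transitions added elsewhere in this commit create that directory as `telepathy_logger_cache_home_t` instead (the `dir, "logger"` transition in telepathy.if and the `{ dir file }` transition for telepathy_logger_t in telepathy.te). A relabel with restorecon would therefore change the labels the running policy produced. As far as the visible rules show, telepathy_logger_t gets `manage_files_pattern` only on `telepathy_logger_cache_home_t`, so it could lose access to its own cache files afterwards. Adding `HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)` would keep file contexts and transitions in agreement.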
@@ -10664,13 +10730,14 @@ index 3cfb128..609921d 100644
#######################################
## <summary>
- ## Role access for telepathy domains
+-## Role access for telepathy domains
-### that executes via dbus-session
-+## that executes via dbus-session
++## Role access for telepathy domains
++## that executes via dbus-session
## </summary>
## <param name="user_role">
## <summary>
-@@ -44,8 +45,13 @@ template(`telepathy_domain_template',`
+@@ -44,8 +44,13 @@ template(`telepathy_domain_template',`
## The type of the user domain.
## </summary>
## </param>
@@ -10685,7 +10752,7 @@ index 3cfb128..609921d 100644
gen_require(`
attribute telepathy_domain;
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -76,6 +82,8 @@ template(`telepathy_role', `
+@@ -76,6 +81,8 @@ template(`telepathy_role', `
dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
@@ -10694,7 +10761,7 @@ index 3cfb128..609921d 100644
')
########################################
-@@ -122,11 +130,6 @@ interface(`telepathy_gabble_dbus_chat', `
+@@ -122,11 +129,6 @@ interface(`telepathy_gabble_dbus_chat', `
## <summary>
## Read telepathy mission control state.
## </summary>
@@ -10706,117 +10773,194 @@ index 3cfb128..609921d 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -179,3 +182,75 @@ interface(`telepathy_salut_stream_connect', `
+@@ -166,7 +168,7 @@ interface(`telepathy_msn_stream_connect', `
+ ## Stream connect to Telepathy Salut
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+@@ -179,3 +181,111 @@ interface(`telepathy_salut_stream_connect', `
stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
files_search_tmp($1)
')
+
+#######################################
+## <summary>
-+## Send DBus messages to and from
-+## all Telepathy domain.
++## Send DBus messages to and from
++## all Telepathy domain.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`telepathy_dbus_chat', `
-+ gen_require(`
-+ attribute telepathy_domain;
-+ class dbus send_msg;
-+ ')
++interface(`telepathy_dbus_chat',`
++ gen_require(`
++ attribute telepathy_domain;
++ class dbus send_msg;
++ ')
+
-+ allow $1 telepathy_domain:dbus send_msg;
-+ allow telepathy_domain $1:dbus send_msg;
++ allow $1 telepathy_domain:dbus send_msg;
++ allow telepathy_domain $1:dbus send_msg;
+')
+
+######################################
+## <summary>
-+## Execute telepathy executable
-+## in the specified domain.
++## Execute telepathy executable
++## in the specified domain.
+## </summary>
+## <desc>
-+## <p>
-+## Execute a telepathy executable
-+## in the specified domain. This allows
-+## the specified domain to execute any file
-+## on these filesystems in the specified
-+## domain.
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
-+## <p>
-+## This interface was added to handle
-+## the ssh-agent policy.
-+## </p>
++## <p>
++## Execute a telepathy executable
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain.
++## </p>
++## <p>
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++## </p>
+## </desc>
+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
+## </param>
+## <param name="target_domain">
-+## <summary>
-+## The type of the new process.
-+## </summary>
++## <summary>
++## The type of the new process.
++## </summary>
+## </param>
+#
+interface(`telepathy_command_domtrans', `
++ gen_require(`
++ attribute telepathy_executable;
++ ')
+
-+ gen_require(`
-+ attribute telepathy_executable;
-+ ')
-+
-+ allow $2 telepathy_executable:file entrypoint;
-+ domain_transition_pattern($1, telepathy_executable, $2)
-+ type_transition $1 telepathy_executable:process $2;
++ allow $2 telepathy_executable:file entrypoint;
++ domain_transition_pattern($1, telepathy_executable, $2)
++ type_transition $1 telepathy_executable:process $2;
+
+ # needs to dbus chat with unconfined_t and unconfined_dbusd_t
-+ optional_policy(`
-+ telepathy_dbus_chat($1)
-+ telepathy_dbus_chat($2)
-+ ')
++ optional_policy(`
++ telepathy_dbus_chat($1)
++ telepathy_dbus_chat($2)
++ ')
++')
++
++########################################
++## <summary>
++## Create telepathy content in the user home directory
++## with an correct label.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`telepathy_filetrans_home_content',`
++ gen_require(`
++ type telepathy_mission_control_cache_home_t;
++ type telepathy_mission_control_home_t;
++ type telepathy_logger_cache_home_t;
++ type telepathy_gabble_cache_home_t;
++ type telepathy_sunshine_home_t;
++ type telepathy_logger_data_home_t;
++ type telepathy_cache_home_t, telepathy_data_home_t;
++ type telepathy_mission_control_data_home_t;
++ ')
++
++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal")
++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
++
++ filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
++
++ userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
++ userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
++
++ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
++ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
++
++ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
++ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..11187e0 100644
+index 2533ea0..58f8728 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
-@@ -67,6 +67,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
+@@ -26,12 +26,18 @@ attribute telepathy_executable;
+
+ telepathy_domain_template(gabble)
+
++type telepathy_cache_home_t;
++userdom_user_home_content(telepathy_cache_home_t)
++
+ type telepathy_gabble_cache_home_t;
+ userdom_user_home_content(telepathy_gabble_cache_home_t)
+
+ telepathy_domain_template(idle)
+ telepathy_domain_template(logger)
+
++type telepathy_data_home_t;
++userdom_user_home_content(telepathy_data_home_t)
++
+ type telepathy_logger_cache_home_t;
+ userdom_user_home_content(telepathy_logger_cache_home_t)
+
+@@ -43,6 +49,9 @@ telepathy_domain_template(mission_control)
+ type telepathy_mission_control_home_t;
+ userdom_user_home_content(telepathy_mission_control_home_t)
+
++type telepathy_mission_control_data_home_t;
++userdom_user_home_content(telepathy_mission_control_data_home_t)
++
+ type telepathy_mission_control_cache_home_t;
+ userdom_user_home_content(telepathy_mission_control_cache_home_t)
+
+@@ -67,6 +76,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
+# ~/.cache/gabble/caps-cache.db-journal
-+# optional_policy(`
+optional_policy(`
-+ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-+ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-+ gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, { dir file })
-+')
++ manage_dirs_pattern(telepathy_gabble_t, { telepathy_cache_home_t telepathy_gabble_cache_home_t } , { telepathy_cache_home_t telepathy_gabble_cache_home_t })
++ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
++ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, { dir file })
++ gnome_cache_filetrans(telepathy_gabble_t, telepathy_cache_home_t, dir)
++')
+
corenet_all_recvfrom_netlabel(telepathy_gabble_t)
corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
-@@ -112,6 +120,10 @@ optional_policy(`
+@@ -112,6 +129,10 @@ optional_policy(`
dbus_system_bus_client(telepathy_gabble_t)
')
+optional_policy(`
-+ gnome_read_home_config(telepathy_gabble_t)
++ gnome_manage_home_config(telepathy_gabble_t)
+')
+
#######################################
#
# Telepathy Idle local policy.
-@@ -148,9 +160,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -147,10 +168,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+
allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
++manage_dirs_pattern(telepathy_logger_t, { telepathy_cache_home_t telepathy_logger_cache_home_t }, { telepathy_cache_home_t telepathy_logger_cache_home_t })
manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
-+gnome_cache_filetrans(telepathy_logger_t, telepathy_logger_cache_home_t, file)
++filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, { dir file })
++gnome_cache_filetrans(telepathy_logger_t, telepathy_cache_home_t, dir)
manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
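Review bot: Replacing `gnome_read_home_config(telepathy_gabble_t)` with `gnome_manage_home_config(telepathy_gabble_t)` takes a network-facing connection manager from read access to `manage_files_pattern` on everything labelled `config_home_t`, and no comment says which file it needs to write. The telepathy_logger_t block in the following hunk names its target (`# ~/.config/dconf/user`). The gabble block should carry the same kind of note, e.g. `# writes <path under ~/.config>, see <BUG-ID>`. If only one file or subdirectory is involved, a dedicated type with a named transition would leave the rest of ~/.config read-only for gabble. That is the approach this commit already takes for the telepathy cache and data directories.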
@@ -10824,27 +10968,32 @@ index 2533ea0..11187e0 100644
files_read_etc_files(telepathy_logger_t)
files_read_usr_files(telepathy_logger_t)
-@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -168,6 +193,11 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_logger_t)
')
+optional_policy(`
-+# ~/.config/dconf/user
++ # ~/.config/dconf/user
+ gnome_manage_home_config(telepathy_logger_t)
+')
+
#######################################
#
# Telepathy Mission-Control local policy.
-@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -176,6 +206,12 @@ tunable_policy(`use_samba_home_dirs',`
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_mission_control_t)
++
++manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
++manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
++filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
++gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
dev_read_rand(telepathy_mission_control_t)
-@@ -194,6 +214,16 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -194,6 +230,16 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_mission_control_t)
')
@@ -10854,14 +11003,14 @@ index 2533ea0..11187e0 100644
+
+# ~/.cache/.mc_connections.
+optional_policy(`
-+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
-+ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
++ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
++ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
+')
+
#######################################
#
# Telepathy Butterfly and Haze local policy.
-@@ -205,8 +235,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +251,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -10873,18 +11022,18 @@ index 2533ea0..11187e0 100644
corenet_all_recvfrom_netlabel(telepathy_msn_t)
corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -246,6 +279,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +295,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
')
optional_policy(`
-+ gnome_read_gconf_home_files(telepathy_msn_t)
++ gnome_read_gconf_home_files(telepathy_msn_t)
+')
+
+optional_policy(`
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
-@@ -365,10 +402,9 @@ dev_read_urand(telepathy_domain)
+@@ -365,10 +418,9 @@ dev_read_urand(telepathy_domain)
kernel_read_system_state(telepathy_domain)
@@ -10896,12 +11045,12 @@ index 2533ea0..11187e0 100644
miscfiles_read_localization(telepathy_domain)
optional_policy(`
-@@ -376,5 +412,23 @@ optional_policy(`
+@@ -376,5 +428,23 @@ optional_policy(`
')
optional_policy(`
-+ gnome_read_generic_cache_files(telepathy_domain)
-+ gnome_write_generic_cache_files(telepathy_domain)
++ gnome_read_generic_cache_files(telepathy_domain)
++ gnome_write_generic_cache_files(telepathy_domain)
+')
+
+optional_policy(`
@@ -10914,11 +11063,11 @@ index 2533ea0..11187e0 100644
+
+# Just for F15
+optional_policy(`
-+ gen_require(`
-+ role unconfined_r;
-+ ')
++ gen_require(`
++ role unconfined_r;
++ ')
+
-+ role unconfined_r types telepathy_domain;
++ role unconfined_r types telepathy_domain;
+')
diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc
new file mode 100644
@@ -11017,10 +11166,10 @@ index 0000000..b78aa77
+
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..7eba136
+index 0000000..73e7983
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,127 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -11031,38 +11180,123 @@ index 0000000..7eba136
+type thumb_t;
+type thumb_exec_t;
+application_domain(thumb_t, thumb_exec_t)
-+role system_r types thumb_t;
++ubac_constrained(thumb_t)
++
++role system_r types thumb_t; # why is system_r needed
++
++# this is for liborc: ~/orcexec.*
++# these should normally go to /tmp but it goes to ~ if not executable in /tmp
++# there is also a bug in liborc where it does to ~ by default
++# no longer needed orc fix available
++# type thumb_home_t;
++#userdom_user_home_content(thumb_home_t)
+
+type thumb_tmp_t;
+files_tmp_file(thumb_tmp_t)
++ubac_constrained(thumb_tmp_t)
+
+########################################
+#
+# thumb local policy
+#
+
-+allow thumb_t self:process { setsched signal setrlimit };
++# execmem is for totem-video-thumbnailer
++allow thumb_t self:process { setsched signal setrlimit execmem };
+
+allow thumb_t self:fifo_file manage_fifo_file_perms;
+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
+
-+domain_use_interactive_fds(thumb_t)
++# please reproduce this, because i cannot
++# manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
++# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir)
++
++# for totem-video-thumbnailer
++allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
++allow thumb_t self:udp_socket create_socket_perms;
++allow thumb_t self:tcp_socket create_socket_perms;
++
++# gst-plugin-scanner/liborc, ~/orcexec.*
++# no longer need fix in latest orc package
++# exec_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
++# manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
++# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file)
++
++manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++# please reproduce this, because it cannot
++# userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file)
++files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
+
+kernel_read_system_state(thumb_t)
+
++domain_use_interactive_fds(thumb_t)
++
++# /usr/libexec/gstreamer.*/gst-plugin-scanner
++corecmd_exec_bin(thumb_t)
++
++# gst-plugin-scanner
++dev_read_sysfs(thumb_t)
++
++domain_use_interactive_fds(thumb_t)
++
+files_read_etc_files(thumb_t)
+files_read_usr_files(thumb_t)
+
-+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file)
-+
+miscfiles_read_fonts(thumb_t)
+miscfiles_read_localization(thumb_t)
+
++# totem-video-thumbnailer
++sysnet_read_config(thumb_t)
++
++# read files to be thumbed
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
-+userdom_dontaudit_write_user_tmp_files(thumb_t)
++# .gnome_desktop_thumbnail.* is created by something in the user domain.
++# probably libgnome.
++userdom_write_user_tmp_files(thumb_t)
++
+userdom_use_inherited_user_ptys(thumb_t)
++
++optional_policy(`
++ dbus_dontaudit_session_bus_connect(thumb_t)
++')
++
++# optional_policy(`
++# gnome_read_gconf_home_files(thumb_t)
++# gnome_read_gstreamer_home_content(thumb_t)
++# ')
++
++# please reproduce this, because i cannot
++# optional_policy(`
++# gnome_read_gconf_home_files(thumb_t)
++# ')
++
++# these two are inherited
++# should probably create and call xserver_ra_inherited_xdm_home_files()
++xserver_read_xdm_home_files(thumb_t)
++xserver_append_xdm_home_files(thumb_t)
++# seems to not be needed
++xserver_dontaudit_read_xdm_pid(thumb_t)
++# this is required for totem-video-thumbnailer
++# although thumb does not need to write xserver_tmp_t sock_files
++# we probably want a xserver_connect to support but unix stream socket
++# connections as well tcp connections
++# allow thumb_t xserver_port_t:tcp_socket name_connect;
++xserver_stream_connect(thumb_t)
++
++optional_policy(`
++ # This seems not strictly needed
++ dbus_dontaudit_stream_connect_session_bus(thumb_t)
++')
++
++optional_policy(`
++ # this seems to work
++ # thumb_t tries to search data_home_t, config_home_t and gconf_home_t
++ gnome_dontaudit_search_config(thumb_t)
++ # totem-video-thumbnailer
++ gnome_manage_gstreamer_home_files(thumb_t)
++')
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 11fe4f2..98bfbf3 100644
--- a/policy/modules/apps/tvtime.te
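Review bot: The new thumb.te gives thumb_t `execmem` on `self:process` together with `exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)` and `files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })`, so a domain that parses user-supplied media can create files under /tmp and then execute them. The comments tie `execmem` and the tcp/udp sockets to totem-video-thumbnailer, but nothing explains the tmp exec grant, and the orc notes in the same file say that workaround is no longer needed. I would drop `exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)` unless a denial can be reproduced, or place it and `execmem` inside a `tunable_policy` block that is off by default. `userdom_write_user_tmp_files(thumb_t)` replacing the earlier dontaudit widens access in the same direction and deserves the same check. `domain_use_interactive_fds(thumb_t)` now appears twice and one copy can go.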
@@ -13055,7 +13289,7 @@ index 4f3b542..54e4c81 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..67c5d0f 100644
+index 99b71cb..17d942f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -13226,7 +13460,7 @@ index 99b71cb..67c5d0f 100644
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
-+network_port(nfs, tcp,2049,s0, udp,2049,s0)
++network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
@@ -13306,21 +13540,20 @@ index 99b71cb..67c5d0f 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,7 +300,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +300,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
--
+portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+
########################################
#
- # Network nodes
-@@ -282,9 +349,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +350,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -17099,7 +17332,7 @@ index 22821ff..20251b0 100644
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..5923a0a 100644
+index 97fcdac..a75dbe4 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -17345,7 +17578,32 @@ index 97fcdac..5923a0a 100644
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -2148,6 +2290,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2080,6 +2222,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+
+ ########################################
+ ## <summary>
++## Read hugetlbfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_read_hugetlbfs_files',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++## <summary>
+ ## Read and write hugetlbfs files.
+ ## </summary>
+ ## <param name="domain">
+@@ -2148,6 +2308,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -17353,7 +17611,7 @@ index 97fcdac..5923a0a 100644
')
########################################
-@@ -2480,6 +2623,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2641,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -17361,7 +17619,7 @@ index 97fcdac..5923a0a 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2518,6 +2662,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2680,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -17369,7 +17627,7 @@ index 97fcdac..5923a0a 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2544,6 +2689,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2707,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -17395,7 +17653,7 @@ index 97fcdac..5923a0a 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2584,6 +2748,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2766,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@@ -17438,7 +17696,7 @@ index 97fcdac..5923a0a 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
-@@ -2598,7 +2798,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2816,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -17447,7 +17705,7 @@ index 97fcdac..5923a0a 100644
')
########################################
-@@ -2736,7 +2936,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +2954,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -17456,7 +17714,7 @@ index 97fcdac..5923a0a 100644
## </summary>
## </param>
#
-@@ -2772,7 +2972,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +2990,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -17465,7 +17723,7 @@ index 97fcdac..5923a0a 100644
## </summary>
## </param>
#
-@@ -2965,6 +3165,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3183,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -17473,7 +17731,7 @@ index 97fcdac..5923a0a 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3005,6 +3206,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3224,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -17481,7 +17739,7 @@ index 97fcdac..5923a0a 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3045,6 +3247,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3265,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -17489,7 +17747,7 @@ index 97fcdac..5923a0a 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3958,6 +4161,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4179,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@@ -17532,7 +17790,7 @@ index 97fcdac..5923a0a 100644
## Create, read, write, and delete
## tmpfs directories
## </summary>
-@@ -4175,6 +4414,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4432,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -17557,7 +17815,7 @@ index 97fcdac..5923a0a 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4457,6 +4714,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4732,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -17566,7 +17824,7 @@ index 97fcdac..5923a0a 100644
')
########################################
-@@ -4503,7 +4762,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4780,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -17575,7 +17833,7 @@ index 97fcdac..5923a0a 100644
## Example attributes:
## </p>
## <ul>
-@@ -4866,3 +5125,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5143,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -19715,10 +19973,10 @@ index be4de58..7e8b6ec 100644
init_exec(secadm_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..31a210f 100644
+index 2be17d2..bfabe3f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,53 @@ policy_module(staff, 2.2.0)
+@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -19738,6 +19996,8 @@ index 2be17d2..31a210f 100644
+kernel_read_software_raid_state(staff_usertype)
+kernel_read_fs_sysctls(staff_usertype)
+
++fs_read_hugetlbfs_files(staff_usertype)
++
+dev_read_cpuid(staff_usertype)
+
+domain_read_all_domains_state(staff_usertype)
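Review bot: `fs_read_hugetlbfs_files(staff_usertype)` is added with no comment saying which program needs it, and the unprivuser.te hunk makes the same call for `user_usertype`. The interface added in filesystem.if expands to `read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)`, so every staff and user domain can read any file labelled hugetlbfs_t. If those files back another process's memory (an assumption, not visible in this patch), that is wider than a login user needs. I would add a why-comment naming the application that hit the denial and, if only one application needs it, grant the access to that domain rather than to the usertype attribute.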
@@ -19772,7 +20032,7 @@ index 2be17d2..31a210f 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,19 +68,113 @@ optional_policy(`
+@@ -27,19 +70,113 @@ optional_policy(`
')
optional_policy(`
@@ -19888,7 +20148,7 @@ index 2be17d2..31a210f 100644
')
optional_policy(`
-@@ -48,10 +183,48 @@ optional_policy(`
+@@ -48,10 +185,48 @@ optional_policy(`
')
optional_policy(`
@@ -19937,7 +20197,7 @@ index 2be17d2..31a210f 100644
xserver_role(staff_r, staff_t)
')
-@@ -89,18 +262,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +264,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -19956,7 +20216,7 @@ index 2be17d2..31a210f 100644
java_role(staff_r, staff_t)
')
-@@ -121,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +288,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -19967,7 +20227,7 @@ index 2be17d2..31a210f 100644
pyzor_role(staff_r, staff_t)
')
-@@ -137,10 +298,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +300,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -19978,7 +20238,7 @@ index 2be17d2..31a210f 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +329,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +331,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -19987,7 +20247,7 @@ index 2be17d2..31a210f 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..c464d3b 100644
+index e14b961..7cd6d4f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,51 @@ ifndef(`enable_mls',`
@@ -20072,7 +20332,7 @@ index e14b961..c464d3b 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -110,11 +146,15 @@ optional_policy(`
+@@ -110,11 +146,19 @@ optional_policy(`
')
optional_policy(`
@@ -20086,21 +20346,25 @@ index e14b961..c464d3b 100644
optional_policy(`
- cvs_exec(sysadm_t)
+ daemonstools_run_start(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
++ dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
optional_policy(`
-@@ -124,6 +164,10 @@ optional_policy(`
+@@ -128,6 +172,10 @@ optional_policy(`
')
optional_policy(`
-+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
++ devicekit_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
- ddcprobe_run(sysadm_t, sysadm_r)
+ dmesg_exec(sysadm_t)
')
-@@ -163,6 +207,13 @@ optional_policy(`
+@@ -163,6 +211,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -20114,7 +20378,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -170,15 +221,20 @@ optional_policy(`
+@@ -170,15 +225,20 @@ optional_policy(`
')
optional_policy(`
@@ -20126,19 +20390,19 @@ index e14b961..c464d3b 100644
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
+ kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
-+ kudzu_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -198,22 +254,19 @@ optional_policy(`
+@@ -198,22 +258,19 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -20166,7 +20430,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -225,25 +278,47 @@ optional_policy(`
+@@ -225,25 +282,47 @@ optional_policy(`
')
optional_policy(`
@@ -20214,7 +20478,7 @@ index e14b961..c464d3b 100644
portage_run(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')
-@@ -253,19 +328,19 @@ optional_policy(`
+@@ -253,19 +332,19 @@ optional_policy(`
')
optional_policy(`
@@ -20238,7 +20502,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -274,10 +349,7 @@ optional_policy(`
+@@ -274,10 +353,7 @@ optional_policy(`
optional_policy(`
rpm_run(sysadm_t, sysadm_r)
@@ -20250,7 +20514,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -302,12 +374,18 @@ optional_policy(`
+@@ -302,12 +378,18 @@ optional_policy(`
')
optional_policy(`
@@ -20270,7 +20534,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -332,7 +410,10 @@ optional_policy(`
+@@ -332,7 +414,10 @@ optional_policy(`
')
optional_policy(`
@@ -20282,7 +20546,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -343,19 +424,15 @@ optional_policy(`
+@@ -343,19 +428,15 @@ optional_policy(`
')
optional_policy(`
@@ -20304,7 +20568,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -367,45 +444,45 @@ optional_policy(`
+@@ -367,45 +448,45 @@ optional_policy(`
')
optional_policy(`
@@ -20361,7 +20625,7 @@ index e14b961..c464d3b 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -418,10 +495,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +499,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -20372,7 +20636,7 @@ index e14b961..c464d3b 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -439,6 +512,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +516,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -20380,7 +20644,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -446,11 +520,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +524,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -20395,9 +20659,8 @@ index e14b961..c464d3b 100644
+
+ optional_policy(`
+ mock_admin(sysadm_t)
- ')
--')
-
++ ')
++
+ optional_policy(`
+ mozilla_role(sysadm_r, sysadm_t)
+ ')
@@ -20444,8 +20707,9 @@ index e14b961..c464d3b 100644
+
+ optional_policy(`
+ wireshark_role(sysadm_r, sysadm_t)
-+ ')
-+
+ ')
+-')
+
+ optional_policy(`
+ xserver_role(sysadm_r, sysadm_t)
+ ')
@@ -21159,10 +21423,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..1105ff5
+index 0000000..fcc8949
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,502 @@
+@@ -0,0 +1,503 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -21334,6 +21598,7 @@ index 0000000..1105ff5
+ devicekit_dbus_chat(unconfined_usertype)
+ devicekit_dbus_chat_disk(unconfined_usertype)
+ devicekit_dbus_chat_power(unconfined_usertype)
++ devicekit_filetrans_named_content(unconfined_usertype)
+ ')
+
+ optional_policy(`
@@ -21666,14 +21931,15 @@ index 0000000..1105ff5
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..476f1dc 100644
+index e5bfdd4..e5a8559 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,92 @@ role user_r;
+@@ -12,15 +12,93 @@ role user_r;
userdom_unpriv_user_template(user)
+fs_exec_noxattr(user_t)
++fs_read_hugetlbfs_files(user_usertype)
+
+storage_read_scsi_generic(user_t)
+storage_write_scsi_generic(user_t)
@@ -21762,7 +22028,7 @@ index e5bfdd4..476f1dc 100644
vlock_run(user_t, user_r)
')
-@@ -62,19 +139,11 @@ ifndef(`distro_redhat',`
+@@ -62,19 +140,11 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21783,7 +22049,7 @@ index e5bfdd4..476f1dc 100644
')
optional_policy(`
-@@ -98,10 +167,6 @@ ifndef(`distro_redhat',`
+@@ -98,10 +168,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21794,7 +22060,7 @@ index e5bfdd4..476f1dc 100644
postgresql_role(user_r, user_t)
')
-@@ -118,11 +183,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +184,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21807,7 +22073,7 @@ index e5bfdd4..476f1dc 100644
')
optional_policy(`
-@@ -157,3 +218,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +219,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -28858,7 +29124,7 @@ index 0000000..1783fe6
+')
+
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..810b790 100644
+index 74505cc..6ff206b 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -23,6 +23,7 @@ files_type(colord_var_lib_t)
@@ -28879,8 +29145,8 @@ index 74505cc..810b790 100644
kernel_read_device_sysctls(colord_t)
+kernel_request_load_module(colord_t)
+
-+#reads *.ini files
-+corecmd_read_bin_files(colord_t)
++# reads *.ini files
++corecmd_exec_bin(colord_t)
corenet_all_recvfrom_unlabeled(colord_t)
corenet_all_recvfrom_netlabel(colord_t)
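Review bot: The comment `# reads *.ini files` no longer describes the rule under it, because `corecmd_exec_bin(colord_t)` allows colord to execute generic binaries where the replaced `corecmd_read_bin_files(colord_t)` only read them. The commit message gives the reason as colord executing ls, so the comment should say that, for example `# colord executes ls`. Since this moves a daemon from read to execute on bin_t, it is worth confirming that ls is the only program involved before keeping the generic grant.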
@@ -29457,7 +29723,7 @@ index 13d2f63..861fad7 100644
')
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..b0cdf28 100644
+index 2eefc08..6ea5693 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -2,6 +2,7 @@
@@ -29468,7 +29734,7 @@ index 2eefc08..b0cdf28 100644
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-@@ -14,9 +15,10 @@
+@@ -14,14 +15,15 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -29480,6 +29746,12 @@ index 2eefc08..b0cdf28 100644
/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+
+-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
+ #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+ /var/spool/cron/[^/]* -- <<none>>
+
@@ -45,3 +47,5 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -31287,7 +31559,7 @@ index 81eba14..d0ab56c 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..d4357ec 100644
+index 1a1becd..0ca1861 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -31406,7 +31678,7 @@ index 1a1becd..d4357ec 100644
-
- seutil_read_config($1_dbusd_t)
- seutil_read_default_contexts($1_dbusd_t)
--
+
- term_use_all_terms($1_dbusd_t)
-
- userdom_read_user_home_content_files($1_dbusd_t)
@@ -31418,7 +31690,7 @@ index 1a1becd..d4357ec 100644
- optional_policy(`
- hal_dbus_chat($1_dbusd_t)
- ')
-
+-
- optional_policy(`
- xserver_use_xdm_fds($1_dbusd_t)
- xserver_rw_xdm_pipes($1_dbusd_t)
@@ -31578,7 +31850,7 @@ index 1a1becd..d4357ec 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -491,10 +433,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +433,31 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -31592,8 +31864,27 @@ index 1a1becd..d4357ec 100644
- typeattribute $1 dbusd_unconfined;
+ files_search_pids($1)
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
- ')
++')
+
++########################################
++## <summary>
++## Do not audit attempts to connect to
++## session bus types with a unix
++## stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dbus_dontaudit_stream_connect_session_bus',`
++ gen_require(`
++ attribute session_bus_type;
++ ')
++
++ dontaudit $1 session_bus_type:unix_stream_socket connectto;
+ ')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 1bff6ee..9540fee 100644
--- a/policy/modules/services/dbus.te
@@ -32096,7 +32387,7 @@ index 418a5a0..c25fbdc 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..13d3a35 100644
+index f706b99..afb61c9 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -32305,7 +32596,7 @@ index f706b99..13d3a35 100644
## </summary>
## </param>
## <rolecap/>
-@@ -165,21 +308,21 @@ interface(`devicekit_admin',`
+@@ -165,21 +308,39 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -32332,6 +32623,24 @@ index f706b99..13d3a35 100644
admin_pattern($1, devicekit_var_run_t)
- files_search_pids($1)
+ files_list_pids($1)
++')
++
++########################################
++## <summary>
++## Transition to devicekit named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`devicekit_filetrans_named_content',`
++ gen_require(`
++ type devicekit_var_run_t;
++ ')
++
++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..c5244c8 100644
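Review bot: The summary of `devicekit_filetrans_named_content`, "Transition to devicekit named content", does not say what the interface does. The body shows one rule, `files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")`, so the summary could read `## Create the pm-utils directory in the pid directory with the devicekit_var_run_t type.` That lets callers such as the sysadm.te and unconfineduser.te hunks see the scope without opening the interface.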
@@ -34780,7 +35089,7 @@ index 6bef7f8..885cd43 100644
+ admin_pattern($1, exim_var_run_t)
+')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
-index f28f64b..05784e2 100644
+index f28f64b..9d0a5db 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
@@ -34851,7 +35160,18 @@ index f28f64b..05784e2 100644
files_read_etc_files(exim_t)
files_read_etc_runtime_files(exim_t)
files_getattr_all_mountpoints(exim_t)
-@@ -171,6 +175,10 @@ optional_policy(`
+@@ -162,6 +166,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dovecot_stream_connect(exim_t)
++')
++
++optional_policy(`
+ kerberos_keytab_template(exim, exim_t)
+ ')
+
+@@ -171,6 +179,10 @@ optional_policy(`
')
optional_policy(`
@@ -34862,7 +35182,7 @@ index f28f64b..05784e2 100644
tunable_policy(`exim_can_connect_db',`
mysql_stream_connect(exim_t)
')
-@@ -184,6 +192,7 @@ optional_policy(`
+@@ -184,6 +196,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
@@ -41747,7 +42067,7 @@ index 3368699..7a7fc02 100644
#
interface(`modemmanager_domtrans',`
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
-index b3ace16..812a9ff 100644
+index b3ace16..6c9f30c 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
@@ -41760,12 +42080,14 @@ index b3ace16..812a9ff 100644
allow modemmanager_t self:fifo_file rw_file_perms;
allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -28,13 +29,24 @@ dev_rw_modem(modemmanager_t)
+@@ -28,13 +29,25 @@ dev_rw_modem(modemmanager_t)
files_read_etc_files(modemmanager_t)
+-term_use_unallocated_ttys(modemmanager_t)
+term_use_generic_ptys(modemmanager_t)
- term_use_unallocated_ttys(modemmanager_t)
++term_use_unallocated_ttys(modemmanager_t) # this should be reproduced, might have been mislabelled usbtty_device_t
++term_use_usb_ttys(modemmanager_t)
miscfiles_read_localization(modemmanager_t)
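Review bot: `term_use_unallocated_ttys(modemmanager_t)` is kept even though its new trailing comment says the need is unconfirmed and may have come from a mislabelled usbtty_device_t, while `term_use_usb_ttys(modemmanager_t)` is added for that case. Keeping both leaves modemmanager with access to unallocated ttys that nobody has reproduced a need for. I would either drop the rule now and watch for AVC denials, or move the remark onto its own line as a tracked item, e.g. `# TODO: remove term_use_unallocated_ttys once usb tty labelling is confirmed`.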
@@ -47480,7 +47802,7 @@ index 46bee12..c22af86 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..ef34196 100644
+index a32c4b3..318ef45 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -47622,7 +47944,7 @@ index a32c4b3..ef34196 100644
+manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
++allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
@@ -53210,7 +53532,7 @@ index a07b2f4..ee39810 100644
+
+userdom_getattr_user_terminals(rwho_t)
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
-index 69a6074..c79b415 100644
+index 69a6074..596dbb3 100644
--- a/policy/modules/services/samba.fc
+++ b/policy/modules/services/samba.fc
@@ -11,6 +11,8 @@
@@ -53222,7 +53544,16 @@ index 69a6074..c79b415 100644
#
# /usr
#
-@@ -51,3 +53,7 @@
+@@ -36,6 +38,8 @@
+
+ /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+
++/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
++
+ /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+@@ -51,3 +55,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
@@ -55865,7 +56196,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..040ec9b 100644
+index 22adaca..8e3e9de 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -56065,7 +56396,7 @@ index 22adaca..040ec9b 100644
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
type ssh_agent_tmp_t;
-@@ -327,17 +367,19 @@ template(`ssh_role_template',`
+@@ -327,17 +367,20 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
@@ -56076,6 +56407,7 @@ index 22adaca..040ec9b 100644
allow ssh_t $3:unix_stream_socket rw_socket_perms;
allow ssh_t $3:unix_stream_socket connectto;
+ allow ssh_t $3:key manage_key_perms;
++ allow $3 ssh_t:key read;
# user can manage the keys and config
manage_files_pattern($3, ssh_home_t, ssh_home_t)
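Review bot: The added `allow $3 ssh_t:key read;` lets every user domain instantiated through ssh_role_template read keys owned by the ssh client domain, and neither the hunk nor the changelog says which operation needed it. If the denial came from listing or searching the keyring, `view` or `search` would be a narrower grant than `read`; this is an inference, since the AVC is not shown. At minimum the rule should carry a comment of the form `# needed for <operation>; see <bug reference>` so it can be revisited. The template body starts and ends outside this hunk.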
@@ -56086,7 +56418,7 @@ index 22adaca..040ec9b 100644
##############################
#
-@@ -359,7 +401,7 @@ template(`ssh_role_template',`
+@@ -359,7 +402,7 @@ template(`ssh_role_template',`
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
@@ -56095,7 +56427,7 @@ index 22adaca..040ec9b 100644
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +423,6 @@ template(`ssh_role_template',`
+@@ -381,7 +424,6 @@ template(`ssh_role_template',`
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
@@ -56103,7 +56435,7 @@ index 22adaca..040ec9b 100644
libs_read_lib_files($1_ssh_agent_t)
-@@ -393,14 +434,13 @@ template(`ssh_role_template',`
+@@ -393,14 +435,13 @@ template(`ssh_role_template',`
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
@@ -56121,7 +56453,7 @@ index 22adaca..040ec9b 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +517,27 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +518,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
@@ -56150,7 +56482,7 @@ index 22adaca..040ec9b 100644
########################################
## <summary>
## Read and write a ssh server unnamed pipe.
-@@ -494,7 +553,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +554,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@@ -56159,7 +56491,7 @@ index 22adaca..040ec9b 100644
')
########################################
-@@ -586,6 +645,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +646,24 @@ interface(`ssh_domtrans',`
########################################
## <summary>
@@ -56184,7 +56516,7 @@ index 22adaca..040ec9b 100644
## Execute the ssh client in the caller domain.
## </summary>
## <param name="domain">
-@@ -618,7 +695,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +696,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@@ -56193,7 +56525,7 @@ index 22adaca..040ec9b 100644
files_search_pids($1)
')
-@@ -680,6 +757,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +758,32 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
@@ -56226,7 +56558,7 @@ index 22adaca..040ec9b 100644
########################################
## <summary>
## Read ssh server keys
-@@ -695,7 +798,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +799,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -56235,7 +56567,7 @@ index 22adaca..040ec9b 100644
')
######################################
-@@ -735,3 +838,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +839,81 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -58288,7 +58620,7 @@ index 32a3c13..7baeb6f 100644
optional_policy(`
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..49d35d3 100644
+index 2124b6a..c60a0e7 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -1,5 +1,6 @@
@@ -58300,7 +58632,7 @@ index 2124b6a..49d35d3 100644
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,30 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,34 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@@ -58321,11 +58653,14 @@ index 2124b6a..49d35d3 100644
-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
++/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
++/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
++/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+
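Review bot: The added entry `/var/log/log(/.*)?` labelled virt_log_t matches none of the vdsm directories named in the changelog, and it looks like a typo next to the `/var/log/vdsm(/.*)?` line added two lines below. As written, any `/var/log/log` tree on the system would receive the virt log type and become accessible to whatever is allowed to manage virt_log_t. Either drop the line or replace it with the path that was actually intended.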
@@ -58334,6 +58669,7 @@ index 2124b6a..49d35d3 100644
+/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0)
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
++/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 7c5d8d8..d711fd5 100644
--- a/policy/modules/services/virt.if
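Review bot: `/var/lib/vdsm(/.*)?` is labelled virt_content_t for the whole tree, whereas the oz entries just above it separate the state directory (`/var/lib/oz` as virt_var_lib_t) from its image content (`/var/lib/oz/isos` as virt_content_t). If vdsm keeps daemon state under /var/lib/vdsm, the same split would be more consistent: virt_var_lib_t for the top level and virt_content_t only for the subdirectory holding guest images. Which subdirectories exist is not visible here, so this needs checking against the vdsm package layout.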
@@ -58880,7 +59216,7 @@ index 7c5d8d8..d711fd5 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..8ae6778 100644
+index 3eca020..52df08a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
@@ -59408,12 +59744,12 @@ index 3eca020..8ae6778 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -59424,7 +59760,7 @@ index 3eca020..8ae6778 100644
logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
-@@ -457,8 +635,315 @@ optional_policy(`
+@@ -457,8 +635,319 @@ optional_policy(`
')
optional_policy(`
@@ -59504,6 +59840,7 @@ index 3eca020..8ae6778 100644
+optional_policy(`
+ xen_manage_image_dirs(virsh_t)
+ xen_append_log(virsh_t)
++ xen_domtrans(virsh_t)
+ xen_stream_connect(virsh_t)
+ xen_stream_connect_xenstore(virsh_t)
+')
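Review bot: `xen_domtrans(virsh_t)` gives virsh_t a transition into a xen domain on top of the socket-level access (`xen_stream_connect`, `xen_stream_connect_xenstore`) this optional_policy block already had. That makes it a noticeably wider grant than its neighbours. The interface body is not visible in this hunk, so the target domain is inferred from the name. A one-line comment stating which virsh operation executes the xen binary would let a reader judge whether the transition is needed or the stream connections alone suffice.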
@@ -59567,6 +59904,13 @@ index 3eca020..8ae6778 100644
+manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
+
++manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++
+kernel_read_network_state(virtd_lxc_t)
+kernel_search_network_sysctl(virtd_lxc_t)
+kernel_read_sysctl(virtd_lxc_t)
@@ -59635,17 +59979,13 @@ index 3eca020..8ae6778 100644
+allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+dontaudit svirt_lxc_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
-+manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+
+manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++rw_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++rw_blk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+
+kernel_getattr_proc(svirt_lxc_domain)
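Review bot: The two added rules `rw_chr_files_pattern(virtd_lxc_t, ...)` and `rw_blk_files_pattern(virtd_lxc_t, ...)` sit inside the run of svirt_lxc_domain rules but name virtd_lxc_t as the source. They look like a leftover from the virtd_lxc_t block that this hunk moves away. The chr rule is also redundant, because the earlier hunk (`@@ -59567,6 +59904,13 @@`) now gives virtd_lxc_t `manage_chr_files_pattern` on the same type. If the intent was to let containers use device nodes the daemon sets up, the source should presumably be svirt_lxc_domain, e.g. `rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)` and likewise for blk. Otherwise both lines belong in the virtd_lxc_t section above.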
@@ -71587,7 +71927,7 @@ index 025348a..c15e57c 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..2627fa4 100644
+index d88f7c3..e5fef27 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -71666,7 +72006,7 @@ index d88f7c3..2627fa4 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -105,21 +111,29 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,21 +111,30 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -71678,6 +72018,7 @@ index d88f7c3..2627fa4 100644
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
-files_read_etc_files(udev_t)
++files_read_kernel_modules(udev_t)
+files_read_system_conf_files(udev_t)
+
+# console_init manages files in /etc/sysconfig
@@ -71697,7 +72038,7 @@ index d88f7c3..2627fa4 100644
mcs_ptrace_all(udev_t)
-@@ -143,6 +157,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +158,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -71705,7 +72046,7 @@ index d88f7c3..2627fa4 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -169,6 +184,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +185,8 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
@@ -71714,7 +72055,7 @@ index d88f7c3..2627fa4 100644
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -186,8 +203,9 @@ ifdef(`distro_redhat',`
+@@ -186,8 +204,9 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@@ -71725,7 +72066,7 @@ index d88f7c3..2627fa4 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -216,11 +234,16 @@ optional_policy(`
+@@ -216,11 +235,16 @@ optional_policy(`
')
optional_policy(`
@@ -71743,7 +72084,7 @@ index d88f7c3..2627fa4 100644
')
optional_policy(`
-@@ -230,10 +253,20 @@ optional_policy(`
+@@ -230,10 +254,20 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -71764,7 +72105,7 @@ index d88f7c3..2627fa4 100644
')
optional_policy(`
-@@ -259,6 +292,10 @@ optional_policy(`
+@@ -259,6 +293,10 @@ optional_policy(`
')
optional_policy(`
@@ -71775,7 +72116,7 @@ index d88f7c3..2627fa4 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +310,11 @@ optional_policy(`
+@@ -273,6 +311,11 @@ optional_policy(`
')
optional_policy(`
@@ -71808,7 +72149,7 @@ index ce2fbb9..8b34dbc 100644
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..683497a 100644
+index 416e668..46f9aaf 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,27 +12,29 @@
@@ -71881,10 +72222,21 @@ index 416e668..683497a 100644
unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
-@@ -178,412 +192,3 @@ interface(`unconfined_alias_domain',`
- interface(`unconfined_execmem_alias_program',`
- refpolicywarn(`$0($1) has been deprecated.')
+@@ -150,7 +164,7 @@ interface(`unconfined_domain',`
+ ## </param>
+ #
+ interface(`unconfined_alias_domain',`
+- refpolicywarn(`$0($1) has been deprecated.')
++ refpolicywarn(`$0() has been deprecated.')
')
+
+ ########################################
+@@ -176,414 +190,5 @@ interface(`unconfined_alias_domain',`
+ ## </param>
+ #
+ interface(`unconfined_execmem_alias_program',`
+- refpolicywarn(`$0($1) has been deprecated.')
+-')
-
-########################################
-## <summary>
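Review bot: Changing the message to `$0() has been deprecated.` in unconfined_alias_domain, and in unconfined_execmem_alias_program in the following hunk, removes the caller's argument from the build warning. The output then no longer shows which domain still calls the deprecated interface. If `$1` was dropped to work around an m4 quoting problem, a comment saying so would stop someone from restoring it; otherwise keeping `$0($1)` is more useful when cleaning up callers. The changelog gives no reason for the change.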
@@ -72293,7 +72645,8 @@ index 416e668..683497a 100644
- ')
-
- allow $1 unconfined_t:dbus acquire_svc;
--')
++ refpolicywarn(`$0() has been deprecated.')
+ ')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eae5001..71e46b2 100644
--- a/policy/modules/system/unconfined.te
@@ -75995,7 +76348,7 @@ index 4b2878a..e7a65ae 100644
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..5cd0c45 100644
+index 9b4a930..04d748b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -76048,7 +76401,7 @@ index 9b4a930..5cd0c45 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +98,74 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +98,78 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -76123,6 +76476,10 @@ index 9b4a930..5cd0c45 100644
+')
+
+optional_policy(`
++ telepathy_filetrans_home_content(userdomain)
++')
++
++optional_policy(`
+ xserver_filetrans_home_content(userdomain)
+')
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d5c1773..2a0d606 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 35%{?dist}
+Release: 36%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Oct 3 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-36
+- Allow logrotate setuid and setgid since logrotate is supposed to do it
+- Fixes for thumb policy by grift
+- Add new nfsd ports
+- Added fix to allow confined apps to execmod on chrome
+- Add labeling for additional vdsm directories
+- Allow Exim and Dovecot SASL
+- Add label for /var/run/nmbd
+- Add fixes to make virsh and xen working together
+- Colord executes ls
+- /var/spool/cron is now labeled as user_cron_spool_t
+
* Thu Sep 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-35
- Stop complaining about leaked file descriptors during install