[selinux-policy] Allow logrotate setuid and setgid since logrotate is supposed to do it Fixes for thumb policy by gri
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Oct 4 14:53:27 UTC 2011
commit 3b9467424f1736338d2ec6d7c95b92a948349bda
Author: Dan Walsh <dwalsh at redhat.com>
Date: Tue Oct 4 10:53:11 2011 -0400
Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron is now labeled as user_cron_spool_t
policy-F16.patch | 1013 ++++++++++++++++++++++++++++++++++++------------------
1 files changed, 685 insertions(+), 328 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 29e1ca4..9591fd2 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -634,6 +634,22 @@ index 2c2cdb6..73b3814 100644
+ brctl_domtrans($1)
+ role $2 types brctl_t;
+')
+diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
+index 9a62a1d..eb017ef 100644
+--- a/policy/modules/admin/brctl.te
++++ b/policy/modules/admin/brctl.te
+@@ -20,6 +20,11 @@ allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+ allow brctl_t self:unix_dgram_socket create_socket_perms;
+ allow brctl_t self:tcp_socket create_socket_perms;
+
++ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit brctl_t self:capability sys_module;
++')
++
+ kernel_request_load_module(brctl_t)
+ kernel_read_network_state(brctl_t)
+ kernel_read_sysctl(brctl_t)
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
index 6b02433..1e28e62 100644
--- a/policy/modules/admin/certwatch.te
@@ -1123,9 +1139,21 @@ index 4f7bd3c..a29af21 100644
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..b80d4c6 100644
+index 7090dae..db17bbe 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
+@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t)
+ #
+
+ # Change ownership on log files.
+-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
+ # for mailx
+-dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
++dontaudit logrotate_t self:capability { sys_ptrace };
+
+ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
@@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
allow logrotate_t self:process setfscreate;
@@ -4564,10 +4592,10 @@ index 0000000..6f3570a
+/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
new file mode 100644
-index 0000000..fc9014f
+index 0000000..e23f640
--- /dev/null
+++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,132 @@
+## <summary>execmem domain</summary>
+
+########################################
@@ -4636,9 +4664,8 @@ index 0000000..fc9014f
+
+ files_execmod_tmp($1_execmem_t)
+
-+ optional_policy(`
-+ execmem_execmod($1_execmem_t)
-+ ')
++ allow $3 execmem_exec_t:file execmod;
++ allow $1_execmem_t execmem_exec_t:file execmod;
+
+ # needed by plasma-desktop
+ optional_policy(`
@@ -4917,10 +4944,10 @@ index 00a19e3..9f6139c 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..19f3c30 100644
+index f5afe78..9a0377f 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,731 @@
+@@ -1,44 +1,768 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -5217,7 +5244,7 @@ index f5afe78..19f3c30 100644
+ type cache_home_t;
+ ')
+
-+ filetrans_pattern($1, cache_home_t, $2, $3)
++ filetrans_pattern($1, cache_home_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
+')
+
@@ -5362,7 +5389,7 @@ index f5afe78..19f3c30 100644
+ type data_home_t;
+ ')
+
-+ filetrans_pattern($1, data_home_t, $2, $3)
++ filetrans_pattern($1, data_home_t, $2, $3, $4)
+ gnome_search_gconf($1)
+')
+
@@ -5596,11 +5623,10 @@ index f5afe78..19f3c30 100644
+## search gconf homedir (.local)
+## </summary>
+## <param name="domain">
- ## <summary>
--## Role allowed access
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+#
+interface(`gnome_search_gconf',`
+ gen_require(`
@@ -5615,6 +5641,26 @@ index f5afe78..19f3c30 100644
+## <summary>
+## Set attributes of Gnome config dirs.
+## </summary>
++## <param name="domain">
+ ## <summary>
+-## Role allowed access
++## Domain allowed access.
+ ## </summary>
+ ## </param>
++#
++interface(`gnome_setattr_config_dirs',`
++ gen_require(`
++ type gnome_home_t;
++ ')
++
++ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
++ files_search_home($1)
++')
++
++########################################
++## <summary>
++## Manage generic gnome home files.
++## </summary>
## <param name="domain">
## <summary>
-## User domain for the role
@@ -5623,7 +5669,7 @@ index f5afe78..19f3c30 100644
## </param>
#
-interface(`gnome_role',`
-+interface(`gnome_setattr_config_dirs',`
++interface(`gnome_manage_generic_home_files',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
- type gconf_tmp_t;
@@ -5631,19 +5677,37 @@ index f5afe78..19f3c30 100644
')
- role $1 types gconfd_t;
--
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, gnome_home_t, gnome_home_t)
++')
++
++########################################
++## <summary>
++## Manage generic gnome home directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_manage_generic_home_dirs',`
++ gen_require(`
++ type gnome_home_t;
++ ')
+
- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
- allow gconfd_t $2:fd use;
- allow gconfd_t $2:fifo_file write;
- allow gconfd_t $2:unix_stream_socket connectto;
-+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
-+ files_search_home($1)
++ userdom_search_user_home_dirs($1)
++ allow $1 gnome_home_t:dir manage_dir_perms;
+')
- ps_process_pattern($2, gconfd_t)
+########################################
+## <summary>
-+## Manage generic gnome home files.
++## Append gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
@@ -5651,129 +5715,128 @@ index f5afe78..19f3c30 100644
+## </summary>
+## </param>
+#
-+interface(`gnome_manage_generic_home_files',`
++interface(`gnome_append_gconf_home_files',`
+ gen_require(`
-+ type gnome_home_t;
++ type gconf_home_t;
+ ')
- #gnome_stream_connect_gconf_template($1, $2)
- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
- allow $2 gconfd_t:unix_stream_socket connectto;
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
++ append_files_pattern($1, gconf_home_t, gconf_home_t)
')
########################################
## <summary>
-## Execute gconf programs in
-## in the caller domain.
-+## Manage generic gnome home directories.
++## manage gconf home files
## </summary>
## <param name="domain">
## <summary>
-@@ -46,37 +733,36 @@ interface(`gnome_role',`
+@@ -46,37 +770,60 @@ interface(`gnome_role',`
## </summary>
## </param>
#
-interface(`gnome_exec_gconf',`
-+interface(`gnome_manage_generic_home_dirs',`
++interface(`gnome_manage_gconf_home_files',`
gen_require(`
- type gconfd_exec_t;
-+ type gnome_home_t;
++ type gconf_home_t;
')
- can_exec($1, gconfd_exec_t)
-+ userdom_search_user_home_dirs($1)
-+ allow $1 gnome_home_t:dir manage_dir_perms;
++ allow $1 gconf_home_t:dir list_dir_perms;
++ manage_files_pattern($1, gconf_home_t, gconf_home_t)
')
########################################
## <summary>
-## Read gconf config files.
-+## Append gconf home files
++## Connect to gnome over an unix stream socket.
## </summary>
--## <param name="user_domain">
+## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+ ## <param name="user_domain">
## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++#
++interface(`gnome_stream_connect',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ # Connect to pulseaudit server
++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
++')
++
++########################################
++## <summary>
++## list gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-template(`gnome_read_gconf_config',`
-+interface(`gnome_append_gconf_home_files',`
++interface(`gnome_list_home_config',`
gen_require(`
- type gconf_etc_t;
-+ type gconf_home_t;
++ type config_home_t;
')
- allow $1 gconf_etc_t:dir list_dir_perms;
- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ append_files_pattern($1, gconf_home_t, gconf_home_t)
++ allow $1 config_home_t:dir list_dir_perms;
')
-#######################################
+########################################
## <summary>
-## Create, read, write, and delete gconf config files.
-+## manage gconf home files
++## Set attributes of gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +770,60 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +831,38 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
-interface(`gnome_manage_gconf_config',`
-+interface(`gnome_manage_gconf_home_files',`
++interface(`gnome_setattr_home_config',`
gen_require(`
- type gconf_etc_t;
-+ type gconf_home_t;
++ type config_home_t;
')
- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ allow $1 gconf_home_t:dir list_dir_perms;
-+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
++ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## gconf connection template.
-+## Connect to gnome over an unix stream socket.
++## read gnome homedir content (.config)
## </summary>
+-## <param name="user_domain">
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
- ## <param name="user_domain">
## <summary>
-+## The type of the user domain.
-+## </summary>
-+## </param>
-+#
-+interface(`gnome_stream_connect',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ # Connect to pulseaudit server
-+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
-+')
-+
-+########################################
-+## <summary>
-+## list gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`gnome_stream_connect_gconf',`
-+interface(`gnome_list_home_config',`
++interface(`gnome_read_home_config',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
+ type config_home_t;
@@ -5781,45 +5844,46 @@ index f5afe78..19f3c30 100644
- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
- allow $1 gconfd_t:unix_stream_socket connectto;
-+ allow $1 config_home_t:dir list_dir_perms;
++ list_dirs_pattern($1, config_home_t, config_home_t)
++ read_files_pattern($1, config_home_t, config_home_t)
++ read_lnk_files_pattern($1, config_home_t, config_home_t)
')
########################################
## <summary>
-## Run gconfd in gconfd domain.
-+## Set attributes of gnome homedir content (.config)
++## manage gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +831,18 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +870,17 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
-interface(`gnome_domtrans_gconfd',`
-+interface(`gnome_setattr_home_config',`
++interface(`gnome_manage_home_config',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
+ type config_home_t;
')
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+ setattr_dirs_pattern($1, config_home_t, config_home_t)
-+ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, config_home_t, config_home_t)
')
########################################
## <summary>
-## Set attributes of Gnome config dirs.
-+## read gnome homedir content (.config)
++## manage gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +850,355 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +888,335 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
-interface(`gnome_setattr_config_dirs',`
-+interface(`gnome_read_home_config',`
++interface(`gnome_manage_home_config_dirs',`
gen_require(`
- type gnome_home_t;
+ type config_home_t;
@@ -5827,15 +5891,13 @@ index f5afe78..19f3c30 100644
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
- files_search_home($1)
-+ list_dirs_pattern($1, config_home_t, config_home_t)
-+ read_files_pattern($1, config_home_t, config_home_t)
-+ read_lnk_files_pattern($1, config_home_t, config_home_t)
++ manage_dirs_pattern($1, config_home_t, config_home_t)
')
########################################
## <summary>
-## Read gnome homedir content (.config)
-+## manage gnome homedir content (.config)
++## manage gstreamer home content files.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
@@ -5845,21 +5907,22 @@ index f5afe78..19f3c30 100644
## </param>
#
-template(`gnome_read_config',`
-+interface(`gnome_manage_home_config',`
++interface(`gnome_manage_gstreamer_home_files',`
gen_require(`
- type gnome_home_t;
-+ type config_home_t;
++ type gstreamer_home_t;
')
- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
- read_files_pattern($1, gnome_home_t, gnome_home_t)
- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
-+ manage_files_pattern($1, config_home_t, config_home_t)
++ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
')
########################################
## <summary>
- ## manage gnome homedir content (.config)
+-## manage gnome homedir content (.config)
++## Read/Write all inherited gnome home config
## </summary>
-## <param name="user_domain">
+## <param name="domain">
@@ -5869,24 +5932,6 @@ index f5afe78..19f3c30 100644
## </param>
#
-interface(`gnome_manage_config',`
-+interface(`gnome_manage_home_config_dirs',`
-+ gen_require(`
-+ type config_home_t;
-+ ')
-+
-+ manage_dirs_pattern($1, config_home_t, config_home_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read/Write all inherited gnome home config
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+interface(`gnome_rw_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
@@ -6518,7 +6563,7 @@ index 40e0a2a..93d212c 100644
## <summary>
## Send generic signals to user gpg processes.
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..538d39e 100644
+index 9050e8c..3b10693 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -6666,17 +6711,18 @@ index 9050e8c..538d39e 100644
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
')
-@@ -332,6 +358,9 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -332,6 +358,10 @@ miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
+# Bug: user pulseaudio files need open,read and unlink:
+allow gpg_pinentry_t user_tmpfs_t:file unlink;
+userdom_signull_unpriv_users(gpg_pinentry_t)
++userdom_use_user_terminals(gpg_pinentry_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
-@@ -342,11 +371,21 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -342,11 +372,21 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -6698,7 +6744,7 @@ index 9050e8c..538d39e 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +395,28 @@ optional_policy(`
+@@ -356,4 +396,28 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -10638,19 +10684,39 @@ index 7590165..7e6f53c 100644
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_mounton_fusefs(seunshare_domain)
+')
+diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc
+index b07ee19..5d12aa3 100644
+--- a/policy/modules/apps/telepathy.fc
++++ b/policy/modules/apps/telepathy.fc
+@@ -1,8 +1,12 @@
+ HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
+-HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
++HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
++HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
+ HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+ HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
++HOME_DIR/\.cache/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+ HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
++HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
++HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0)
+ HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
+ HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
-index 3cfb128..609921d 100644
+index 3cfb128..d49274d 100644
--- a/policy/modules/apps/telepathy.if
+++ b/policy/modules/apps/telepathy.if
-@@ -11,7 +11,6 @@
+@@ -11,9 +11,7 @@
## </summary>
## </param>
#
-#
template(`telepathy_domain_template',`
-
+-
gen_require(`
-@@ -23,16 +22,18 @@ template(`telepathy_domain_template',`
+ attribute telepathy_domain;
+ attribute telepathy_executable;
+@@ -23,16 +21,18 @@ template(`telepathy_domain_template',`
type telepathy_$1_exec_t, telepathy_executable;
application_domain(telepathy_$1_t, telepathy_$1_exec_t)
ubac_constrained(telepathy_$1_t)
@@ -10664,13 +10730,14 @@ index 3cfb128..609921d 100644
#######################################
## <summary>
- ## Role access for telepathy domains
+-## Role access for telepathy domains
-### that executes via dbus-session
-+## that executes via dbus-session
++## Role access for telepathy domains
++## that executes via dbus-session
## </summary>
## <param name="user_role">
## <summary>
-@@ -44,8 +45,13 @@ template(`telepathy_domain_template',`
+@@ -44,8 +44,13 @@ template(`telepathy_domain_template',`
## The type of the user domain.
## </summary>
## </param>
@@ -10685,7 +10752,7 @@ index 3cfb128..609921d 100644
gen_require(`
attribute telepathy_domain;
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -76,6 +82,8 @@ template(`telepathy_role', `
+@@ -76,6 +81,8 @@ template(`telepathy_role', `
dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
@@ -10694,7 +10761,7 @@ index 3cfb128..609921d 100644
')
########################################
-@@ -122,11 +130,6 @@ interface(`telepathy_gabble_dbus_chat', `
+@@ -122,11 +129,6 @@ interface(`telepathy_gabble_dbus_chat', `
## <summary>
## Read telepathy mission control state.
## </summary>
@@ -10706,117 +10773,194 @@ index 3cfb128..609921d 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -179,3 +182,75 @@ interface(`telepathy_salut_stream_connect', `
+@@ -166,7 +168,7 @@ interface(`telepathy_msn_stream_connect', `
+ ## Stream connect to Telepathy Salut
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+@@ -179,3 +181,111 @@ interface(`telepathy_salut_stream_connect', `
stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
files_search_tmp($1)
')
+
+#######################################
+## <summary>
-+## Send DBus messages to and from
-+## all Telepathy domain.
++## Send DBus messages to and from
++## all Telepathy domain.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`telepathy_dbus_chat', `
-+ gen_require(`
-+ attribute telepathy_domain;
-+ class dbus send_msg;
-+ ')
++interface(`telepathy_dbus_chat',`
++ gen_require(`
++ attribute telepathy_domain;
++ class dbus send_msg;
++ ')
+
-+ allow $1 telepathy_domain:dbus send_msg;
-+ allow telepathy_domain $1:dbus send_msg;
++ allow $1 telepathy_domain:dbus send_msg;
++ allow telepathy_domain $1:dbus send_msg;
+')
+
+######################################
+## <summary>
-+## Execute telepathy executable
-+## in the specified domain.
++## Execute telepathy executable
++## in the specified domain.
+## </summary>
+## <desc>
-+## <p>
-+## Execute a telepathy executable
-+## in the specified domain. This allows
-+## the specified domain to execute any file
-+## on these filesystems in the specified
-+## domain.
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
-+## <p>
-+## This interface was added to handle
-+## the ssh-agent policy.
-+## </p>
++## <p>
++## Execute a telepathy executable
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain.
++## </p>
++## <p>
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++## </p>
+## </desc>
+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
+## </param>
+## <param name="target_domain">
-+## <summary>
-+## The type of the new process.
-+## </summary>
++## <summary>
++## The type of the new process.
++## </summary>
+## </param>
+#
+interface(`telepathy_command_domtrans', `
++ gen_require(`
++ attribute telepathy_executable;
++ ')
+
-+ gen_require(`
-+ attribute telepathy_executable;
-+ ')
-+
-+ allow $2 telepathy_executable:file entrypoint;
-+ domain_transition_pattern($1, telepathy_executable, $2)
-+ type_transition $1 telepathy_executable:process $2;
++ allow $2 telepathy_executable:file entrypoint;
++ domain_transition_pattern($1, telepathy_executable, $2)
++ type_transition $1 telepathy_executable:process $2;
+
+ # needs to dbus chat with unconfined_t and unconfined_dbusd_t
-+ optional_policy(`
-+ telepathy_dbus_chat($1)
-+ telepathy_dbus_chat($2)
-+ ')
++ optional_policy(`
++ telepathy_dbus_chat($1)
++ telepathy_dbus_chat($2)
++ ')
++')
++
++########################################
++## <summary>
++## Create telepathy content in the user home directory
++## with an correct label.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`telepathy_filetrans_home_content',`
++ gen_require(`
++ type telepathy_mission_control_cache_home_t;
++ type telepathy_mission_control_home_t;
++ type telepathy_logger_cache_home_t;
++ type telepathy_gabble_cache_home_t;
++ type telepathy_sunshine_home_t;
++ type telepathy_logger_data_home_t;
++ type telepathy_cache_home_t, telepathy_data_home_t;
++ type telepathy_mission_control_data_home_t;
++ ')
++
++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal")
++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
++
++ filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
++
++ userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
++ userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
++
++ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
++ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
++
++ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
++ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..11187e0 100644
+index 2533ea0..58f8728 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
-@@ -67,6 +67,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
+@@ -26,12 +26,18 @@ attribute telepathy_executable;
+
+ telepathy_domain_template(gabble)
+
++type telepathy_cache_home_t;
++userdom_user_home_content(telepathy_cache_home_t)
++
+ type telepathy_gabble_cache_home_t;
+ userdom_user_home_content(telepathy_gabble_cache_home_t)
+
+ telepathy_domain_template(idle)
+ telepathy_domain_template(logger)
+
++type telepathy_data_home_t;
++userdom_user_home_content(telepathy_data_home_t)
++
+ type telepathy_logger_cache_home_t;
+ userdom_user_home_content(telepathy_logger_cache_home_t)
+
+@@ -43,6 +49,9 @@ telepathy_domain_template(mission_control)
+ type telepathy_mission_control_home_t;
+ userdom_user_home_content(telepathy_mission_control_home_t)
+
++type telepathy_mission_control_data_home_t;
++userdom_user_home_content(telepathy_mission_control_data_home_t)
++
+ type telepathy_mission_control_cache_home_t;
+ userdom_user_home_content(telepathy_mission_control_cache_home_t)
+
+@@ -67,6 +76,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
+# ~/.cache/gabble/caps-cache.db-journal
-+# optional_policy(`
+optional_policy(`
-+ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-+ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-+ gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, { dir file })
-+')
++ manage_dirs_pattern(telepathy_gabble_t, { telepathy_cache_home_t telepathy_gabble_cache_home_t } , { telepathy_cache_home_t telepathy_gabble_cache_home_t })
++ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
++ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, { dir file })
++ gnome_cache_filetrans(telepathy_gabble_t, telepathy_cache_home_t, dir)
++')
+
corenet_all_recvfrom_netlabel(telepathy_gabble_t)
corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
-@@ -112,6 +120,10 @@ optional_policy(`
+@@ -112,6 +129,10 @@ optional_policy(`
dbus_system_bus_client(telepathy_gabble_t)
')
+optional_policy(`
-+ gnome_read_home_config(telepathy_gabble_t)
++ gnome_manage_home_config(telepathy_gabble_t)
+')
+
#######################################
#
# Telepathy Idle local policy.
-@@ -148,9 +160,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -147,10 +168,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+
allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
++manage_dirs_pattern(telepathy_logger_t, { telepathy_cache_home_t telepathy_logger_cache_home_t }, { telepathy_cache_home_t telepathy_logger_cache_home_t })
manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
-+gnome_cache_filetrans(telepathy_logger_t, telepathy_logger_cache_home_t, file)
++filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, { dir file })
++gnome_cache_filetrans(telepathy_logger_t, telepathy_cache_home_t, dir)
manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
@@ -10824,27 +10968,32 @@ index 2533ea0..11187e0 100644
files_read_etc_files(telepathy_logger_t)
files_read_usr_files(telepathy_logger_t)
-@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -168,6 +193,11 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_logger_t)
')
+optional_policy(`
-+# ~/.config/dconf/user
++ # ~/.config/dconf/user
+ gnome_manage_home_config(telepathy_logger_t)
+')
+
#######################################
#
# Telepathy Mission-Control local policy.
-@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -176,6 +206,12 @@ tunable_policy(`use_samba_home_dirs',`
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_mission_control_t)
++
++manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
++manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
++filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
++gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
dev_read_rand(telepathy_mission_control_t)
-@@ -194,6 +214,16 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -194,6 +230,16 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_mission_control_t)
')
@@ -10854,14 +11003,14 @@ index 2533ea0..11187e0 100644
+
+# ~/.cache/.mc_connections.
+optional_policy(`
-+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
-+ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
++ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
++ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
+')
+
#######################################
#
# Telepathy Butterfly and Haze local policy.
-@@ -205,8 +235,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +251,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -10873,18 +11022,18 @@ index 2533ea0..11187e0 100644
corenet_all_recvfrom_netlabel(telepathy_msn_t)
corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -246,6 +279,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +295,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
')
optional_policy(`
-+ gnome_read_gconf_home_files(telepathy_msn_t)
++ gnome_read_gconf_home_files(telepathy_msn_t)
+')
+
+optional_policy(`
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
-@@ -365,10 +402,9 @@ dev_read_urand(telepathy_domain)
+@@ -365,10 +418,9 @@ dev_read_urand(telepathy_domain)
kernel_read_system_state(telepathy_domain)
@@ -10896,12 +11045,12 @@ index 2533ea0..11187e0 100644
miscfiles_read_localization(telepathy_domain)
optional_policy(`
-@@ -376,5 +412,23 @@ optional_policy(`
+@@ -376,5 +428,23 @@ optional_policy(`
')
optional_policy(`
-+ gnome_read_generic_cache_files(telepathy_domain)
-+ gnome_write_generic_cache_files(telepathy_domain)
++ gnome_read_generic_cache_files(telepathy_domain)
++ gnome_write_generic_cache_files(telepathy_domain)
+')
+
+optional_policy(`
@@ -10914,11 +11063,11 @@ index 2533ea0..11187e0 100644
+
+# Just for F15
+optional_policy(`
-+ gen_require(`
-+ role unconfined_r;
-+ ')
++ gen_require(`
++ role unconfined_r;
++ ')
+
-+ role unconfined_r types telepathy_domain;
++ role unconfined_r types telepathy_domain;
+')
diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc
new file mode 100644
@@ -11017,10 +11166,10 @@ index 0000000..b78aa77
+
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..7eba136
+index 0000000..73e7983
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,127 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -11031,38 +11180,123 @@ index 0000000..7eba136
+type thumb_t;
+type thumb_exec_t;
+application_domain(thumb_t, thumb_exec_t)
-+role system_r types thumb_t;
++ubac_constrained(thumb_t)
++
++role system_r types thumb_t; # why is system_r needed
++
++# this is for liborc: ~/orcexec.*
++# these should normally go to /tmp but it goes to ~ if not executable in /tmp
++# there is also a bug in liborc where it does to ~ by default
++# no longer needed orc fix available
++# type thumb_home_t;
++#userdom_user_home_content(thumb_home_t)
+
+type thumb_tmp_t;
+files_tmp_file(thumb_tmp_t)
++ubac_constrained(thumb_tmp_t)
+
+########################################
+#
+# thumb local policy
+#
+
-+allow thumb_t self:process { setsched signal setrlimit };
++# execmem is for totem-video-thumbnailer
++allow thumb_t self:process { setsched signal setrlimit execmem };
+
+allow thumb_t self:fifo_file manage_fifo_file_perms;
+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
+
-+domain_use_interactive_fds(thumb_t)
++# please reproduce this, because i cannot
++# manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
++# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir)
++
++# for totem-video-thumbnailer
++allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
++allow thumb_t self:udp_socket create_socket_perms;
++allow thumb_t self:tcp_socket create_socket_perms;
++
++# gst-plugin-scanner/liborc, ~/orcexec.*
++# no longer need fix in latest orc package
++# exec_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
++# manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
++# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file)
++
++manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++# please reproduce this, because it cannot
++# userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file)
++files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
+
+kernel_read_system_state(thumb_t)
+
++domain_use_interactive_fds(thumb_t)
++
++# /usr/libexec/gstreamer.*/gst-plugin-scanner
++corecmd_exec_bin(thumb_t)
++
++# gst-plugin-scanner
++dev_read_sysfs(thumb_t)
++
++domain_use_interactive_fds(thumb_t)
++
+files_read_etc_files(thumb_t)
+files_read_usr_files(thumb_t)
+
-+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file)
-+
+miscfiles_read_fonts(thumb_t)
+miscfiles_read_localization(thumb_t)
+
++# totem-video-thumbnailer
++sysnet_read_config(thumb_t)
++
++# read files to be thumbed
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
-+userdom_dontaudit_write_user_tmp_files(thumb_t)
++# .gnome_desktop_thumbnail.* is created by something in the user domain.
++# probably libgnome.
++userdom_write_user_tmp_files(thumb_t)
++
+userdom_use_inherited_user_ptys(thumb_t)
++
++optional_policy(`
++ dbus_dontaudit_session_bus_connect(thumb_t)
++')
++
++# optional_policy(`
++# gnome_read_gconf_home_files(thumb_t)
++# gnome_read_gstreamer_home_content(thumb_t)
++# ')
++
++# please reproduce this, because i cannot
++# optional_policy(`
++# gnome_read_gconf_home_files(thumb_t)
++# ')
++
++# these two are inherited
++# should probably create and call xserver_ra_inherited_xdm_home_files()
++xserver_read_xdm_home_files(thumb_t)
++xserver_append_xdm_home_files(thumb_t)
++# seems to not be needed
++xserver_dontaudit_read_xdm_pid(thumb_t)
++# this is required for totem-video-thumbnailer
++# although thumb does not need to write xserver_tmp_t sock_files
++# we probably want a xserver_connect to support but unix stream socket
++# connections as well tcp connections
++# allow thumb_t xserver_port_t:tcp_socket name_connect;
++xserver_stream_connect(thumb_t)
++
++optional_policy(`
++ # This seems not strictly needed
++ dbus_dontaudit_stream_connect_session_bus(thumb_t)
++')
++
++optional_policy(`
++ # this seems to work
++ # thumb_t tries to search data_home_t, config_home_t and gconf_home_t
++ gnome_dontaudit_search_config(thumb_t)
++ # totem-video-thumbnailer
++ gnome_manage_gstreamer_home_files(thumb_t)
++')
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 11fe4f2..98bfbf3 100644
--- a/policy/modules/apps/tvtime.te
@@ -13055,7 +13289,7 @@ index 4f3b542..54e4c81 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..67c5d0f 100644
+index 99b71cb..17d942f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -13226,7 +13460,7 @@ index 99b71cb..67c5d0f 100644
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
-+network_port(nfs, tcp,2049,s0, udp,2049,s0)
++network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
@@ -13306,21 +13540,20 @@ index 99b71cb..67c5d0f 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,7 +300,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +300,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
--
+portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+
########################################
#
- # Network nodes
-@@ -282,9 +349,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +350,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -17099,7 +17332,7 @@ index 22821ff..20251b0 100644
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..5923a0a 100644
+index 97fcdac..a75dbe4 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -17345,7 +17578,32 @@ index 97fcdac..5923a0a 100644
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -2148,6 +2290,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2080,6 +2222,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+
+ ########################################
+ ## <summary>
++## Read hugetlbfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_read_hugetlbfs_files',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++## <summary>
+ ## Read and write hugetlbfs files.
+ ## </summary>
+ ## <param name="domain">
+@@ -2148,6 +2308,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -17353,7 +17611,7 @@ index 97fcdac..5923a0a 100644
')
########################################
-@@ -2480,6 +2623,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2641,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -17361,7 +17619,7 @@ index 97fcdac..5923a0a 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2518,6 +2662,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2680,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -17369,7 +17627,7 @@ index 97fcdac..5923a0a 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2544,6 +2689,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2707,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -17395,7 +17653,7 @@ index 97fcdac..5923a0a 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2584,6 +2748,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2766,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@@ -17438,7 +17696,7 @@ index 97fcdac..5923a0a 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
-@@ -2598,7 +2798,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2816,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -17447,7 +17705,7 @@ index 97fcdac..5923a0a 100644
')
########################################
-@@ -2736,7 +2936,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +2954,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -17456,7 +17714,7 @@ index 97fcdac..5923a0a 100644
## </summary>
## </param>
#
-@@ -2772,7 +2972,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +2990,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -17465,7 +17723,7 @@ index 97fcdac..5923a0a 100644
## </summary>
## </param>
#
-@@ -2965,6 +3165,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3183,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -17473,7 +17731,7 @@ index 97fcdac..5923a0a 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3005,6 +3206,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3224,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -17481,7 +17739,7 @@ index 97fcdac..5923a0a 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3045,6 +3247,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3265,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -17489,7 +17747,7 @@ index 97fcdac..5923a0a 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3958,6 +4161,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4179,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@@ -17532,7 +17790,7 @@ index 97fcdac..5923a0a 100644
## Create, read, write, and delete
## tmpfs directories
## </summary>
-@@ -4175,6 +4414,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4432,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -17557,7 +17815,7 @@ index 97fcdac..5923a0a 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4457,6 +4714,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4732,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -17566,7 +17824,7 @@ index 97fcdac..5923a0a 100644
')
########################################
-@@ -4503,7 +4762,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4780,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -17575,7 +17833,7 @@ index 97fcdac..5923a0a 100644
## Example attributes:
## </p>
## <ul>
-@@ -4866,3 +5125,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5143,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -19715,10 +19973,10 @@ index be4de58..7e8b6ec 100644
init_exec(secadm_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..31a210f 100644
+index 2be17d2..bfabe3f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,53 @@ policy_module(staff, 2.2.0)
+@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -19738,6 +19996,8 @@ index 2be17d2..31a210f 100644
+kernel_read_software_raid_state(staff_usertype)
+kernel_read_fs_sysctls(staff_usertype)
+
++fs_read_hugetlbfs_files(staff_usertype)
++
+dev_read_cpuid(staff_usertype)
+
+domain_read_all_domains_state(staff_usertype)
@@ -19772,7 +20032,7 @@ index 2be17d2..31a210f 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,19 +68,113 @@ optional_policy(`
+@@ -27,19 +70,113 @@ optional_policy(`
')
optional_policy(`
@@ -19888,7 +20148,7 @@ index 2be17d2..31a210f 100644
')
optional_policy(`
-@@ -48,10 +183,48 @@ optional_policy(`
+@@ -48,10 +185,48 @@ optional_policy(`
')
optional_policy(`
@@ -19937,7 +20197,7 @@ index 2be17d2..31a210f 100644
xserver_role(staff_r, staff_t)
')
-@@ -89,18 +262,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +264,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -19956,7 +20216,7 @@ index 2be17d2..31a210f 100644
java_role(staff_r, staff_t)
')
-@@ -121,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +288,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -19967,7 +20227,7 @@ index 2be17d2..31a210f 100644
pyzor_role(staff_r, staff_t)
')
-@@ -137,10 +298,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +300,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -19978,7 +20238,7 @@ index 2be17d2..31a210f 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +329,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +331,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -19987,7 +20247,7 @@ index 2be17d2..31a210f 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..c464d3b 100644
+index e14b961..7cd6d4f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,51 @@ ifndef(`enable_mls',`
@@ -20072,7 +20332,7 @@ index e14b961..c464d3b 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -110,11 +146,15 @@ optional_policy(`
+@@ -110,11 +146,19 @@ optional_policy(`
')
optional_policy(`
@@ -20086,21 +20346,25 @@ index e14b961..c464d3b 100644
optional_policy(`
- cvs_exec(sysadm_t)
+ daemonstools_run_start(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
++ dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
optional_policy(`
-@@ -124,6 +164,10 @@ optional_policy(`
+@@ -128,6 +172,10 @@ optional_policy(`
')
optional_policy(`
-+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
++ devicekit_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
- ddcprobe_run(sysadm_t, sysadm_r)
+ dmesg_exec(sysadm_t)
')
-@@ -163,6 +207,13 @@ optional_policy(`
+@@ -163,6 +211,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -20114,7 +20378,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -170,15 +221,20 @@ optional_policy(`
+@@ -170,15 +225,20 @@ optional_policy(`
')
optional_policy(`
@@ -20126,19 +20390,19 @@ index e14b961..c464d3b 100644
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
+ kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
-+ kudzu_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -198,22 +254,19 @@ optional_policy(`
+@@ -198,22 +258,19 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -20166,7 +20430,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -225,25 +278,47 @@ optional_policy(`
+@@ -225,25 +282,47 @@ optional_policy(`
')
optional_policy(`
@@ -20214,7 +20478,7 @@ index e14b961..c464d3b 100644
portage_run(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')
-@@ -253,19 +328,19 @@ optional_policy(`
+@@ -253,19 +332,19 @@ optional_policy(`
')
optional_policy(`
@@ -20238,7 +20502,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -274,10 +349,7 @@ optional_policy(`
+@@ -274,10 +353,7 @@ optional_policy(`
optional_policy(`
rpm_run(sysadm_t, sysadm_r)
@@ -20250,7 +20514,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -302,12 +374,18 @@ optional_policy(`
+@@ -302,12 +378,18 @@ optional_policy(`
')
optional_policy(`
@@ -20270,7 +20534,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -332,7 +410,10 @@ optional_policy(`
+@@ -332,7 +414,10 @@ optional_policy(`
')
optional_policy(`
@@ -20282,7 +20546,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -343,19 +424,15 @@ optional_policy(`
+@@ -343,19 +428,15 @@ optional_policy(`
')
optional_policy(`
@@ -20304,7 +20568,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -367,45 +444,45 @@ optional_policy(`
+@@ -367,45 +448,45 @@ optional_policy(`
')
optional_policy(`
@@ -20361,7 +20625,7 @@ index e14b961..c464d3b 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -418,10 +495,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +499,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -20372,7 +20636,7 @@ index e14b961..c464d3b 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -439,6 +512,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +516,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -20380,7 +20644,7 @@ index e14b961..c464d3b 100644
')
optional_policy(`
-@@ -446,11 +520,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +524,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -20395,9 +20659,8 @@ index e14b961..c464d3b 100644
+
+ optional_policy(`
+ mock_admin(sysadm_t)
- ')
--')
-
++ ')
++
+ optional_policy(`
+ mozilla_role(sysadm_r, sysadm_t)
+ ')
@@ -20444,8 +20707,9 @@ index e14b961..c464d3b 100644
+
+ optional_policy(`
+ wireshark_role(sysadm_r, sysadm_t)
-+ ')
-+
+ ')
+-')
+
+ optional_policy(`
+ xserver_role(sysadm_r, sysadm_t)
+ ')
@@ -21159,10 +21423,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..1105ff5
+index 0000000..fcc8949
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,502 @@
+@@ -0,0 +1,503 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -21334,6 +21598,7 @@ index 0000000..1105ff5
+ devicekit_dbus_chat(unconfined_usertype)
+ devicekit_dbus_chat_disk(unconfined_usertype)
+ devicekit_dbus_chat_power(unconfined_usertype)
++ devicekit_filetrans_named_content(unconfined_usertype)
+ ')
+
+ optional_policy(`
@@ -21666,14 +21931,15 @@ index 0000000..1105ff5
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..476f1dc 100644
+index e5bfdd4..e5a8559 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,92 @@ role user_r;
+@@ -12,15 +12,93 @@ role user_r;
userdom_unpriv_user_template(user)
+fs_exec_noxattr(user_t)
++fs_read_hugetlbfs_files(user_usertype)
+
+storage_read_scsi_generic(user_t)
+storage_write_scsi_generic(user_t)
@@ -21762,7 +22028,7 @@ index e5bfdd4..476f1dc 100644
vlock_run(user_t, user_r)
')
-@@ -62,19 +139,11 @@ ifndef(`distro_redhat',`
+@@ -62,19 +140,11 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21783,7 +22049,7 @@ index e5bfdd4..476f1dc 100644
')
optional_policy(`
-@@ -98,10 +167,6 @@ ifndef(`distro_redhat',`
+@@ -98,10 +168,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21794,7 +22060,7 @@ index e5bfdd4..476f1dc 100644
postgresql_role(user_r, user_t)
')
-@@ -118,11 +183,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +184,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21807,7 +22073,7 @@ index e5bfdd4..476f1dc 100644
')
optional_policy(`
-@@ -157,3 +218,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +219,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -28858,7 +29124,7 @@ index 0000000..1783fe6
+')
+
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..810b790 100644
+index 74505cc..6ff206b 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -23,6 +23,7 @@ files_type(colord_var_lib_t)
@@ -28879,8 +29145,8 @@ index 74505cc..810b790 100644
kernel_read_device_sysctls(colord_t)
+kernel_request_load_module(colord_t)
+
-+#reads *.ini files
-+corecmd_read_bin_files(colord_t)
++# reads *.ini files
++corecmd_exec_bin(colord_t)
corenet_all_recvfrom_unlabeled(colord_t)
corenet_all_recvfrom_netlabel(colord_t)
@@ -29457,7 +29723,7 @@ index 13d2f63..861fad7 100644
')
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..b0cdf28 100644
+index 2eefc08..6ea5693 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -2,6 +2,7 @@
@@ -29468,7 +29734,7 @@ index 2eefc08..b0cdf28 100644
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-@@ -14,9 +15,10 @@
+@@ -14,14 +15,15 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -29480,6 +29746,12 @@ index 2eefc08..b0cdf28 100644
/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+
+-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
+ #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+ /var/spool/cron/[^/]* -- <<none>>
+
@@ -45,3 +47,5 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -31287,7 +31559,7 @@ index 81eba14..d0ab56c 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..d4357ec 100644
+index 1a1becd..0ca1861 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -31406,7 +31678,7 @@ index 1a1becd..d4357ec 100644
-
- seutil_read_config($1_dbusd_t)
- seutil_read_default_contexts($1_dbusd_t)
--
+
- term_use_all_terms($1_dbusd_t)
-
- userdom_read_user_home_content_files($1_dbusd_t)
@@ -31418,7 +31690,7 @@ index 1a1becd..d4357ec 100644
- optional_policy(`
- hal_dbus_chat($1_dbusd_t)
- ')
-
+-
- optional_policy(`
- xserver_use_xdm_fds($1_dbusd_t)
- xserver_rw_xdm_pipes($1_dbusd_t)
@@ -31578,7 +31850,7 @@ index 1a1becd..d4357ec 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -491,10 +433,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +433,31 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -31592,8 +31864,27 @@ index 1a1becd..d4357ec 100644
- typeattribute $1 dbusd_unconfined;
+ files_search_pids($1)
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
- ')
++')
+
++########################################
++## <summary>
++## Do not audit attempts to connect to
++## session bus types with a unix
++## stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dbus_dontaudit_stream_connect_session_bus',`
++ gen_require(`
++ attribute session_bus_type;
++ ')
++
++ dontaudit $1 session_bus_type:unix_stream_socket connectto;
+ ')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 1bff6ee..9540fee 100644
--- a/policy/modules/services/dbus.te
@@ -32096,7 +32387,7 @@ index 418a5a0..c25fbdc 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..13d3a35 100644
+index f706b99..afb61c9 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -32305,7 +32596,7 @@ index f706b99..13d3a35 100644
## </summary>
## </param>
## <rolecap/>
-@@ -165,21 +308,21 @@ interface(`devicekit_admin',`
+@@ -165,21 +308,39 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -32332,6 +32623,24 @@ index f706b99..13d3a35 100644
admin_pattern($1, devicekit_var_run_t)
- files_search_pids($1)
+ files_list_pids($1)
++')
++
++########################################
++## <summary>
++## Transition to devicekit named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`devicekit_filetrans_named_content',`
++ gen_require(`
++ type devicekit_var_run_t;
++ ')
++
++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..c5244c8 100644
@@ -34780,7 +35089,7 @@ index 6bef7f8..885cd43 100644
+ admin_pattern($1, exim_var_run_t)
+')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
-index f28f64b..05784e2 100644
+index f28f64b..9d0a5db 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
@@ -34851,7 +35160,18 @@ index f28f64b..05784e2 100644
files_read_etc_files(exim_t)
files_read_etc_runtime_files(exim_t)
files_getattr_all_mountpoints(exim_t)
-@@ -171,6 +175,10 @@ optional_policy(`
+@@ -162,6 +166,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dovecot_stream_connect(exim_t)
++')
++
++optional_policy(`
+ kerberos_keytab_template(exim, exim_t)
+ ')
+
+@@ -171,6 +179,10 @@ optional_policy(`
')
optional_policy(`
@@ -34862,7 +35182,7 @@ index f28f64b..05784e2 100644
tunable_policy(`exim_can_connect_db',`
mysql_stream_connect(exim_t)
')
-@@ -184,6 +192,7 @@ optional_policy(`
+@@ -184,6 +196,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
@@ -41747,7 +42067,7 @@ index 3368699..7a7fc02 100644
#
interface(`modemmanager_domtrans',`
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
-index b3ace16..812a9ff 100644
+index b3ace16..6c9f30c 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
@@ -41760,12 +42080,14 @@ index b3ace16..812a9ff 100644
allow modemmanager_t self:fifo_file rw_file_perms;
allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -28,13 +29,24 @@ dev_rw_modem(modemmanager_t)
+@@ -28,13 +29,25 @@ dev_rw_modem(modemmanager_t)
files_read_etc_files(modemmanager_t)
+-term_use_unallocated_ttys(modemmanager_t)
+term_use_generic_ptys(modemmanager_t)
- term_use_unallocated_ttys(modemmanager_t)
++term_use_unallocated_ttys(modemmanager_t) # this should be reproduced, might have been mislabelled usbtty_device_t
++term_use_usb_ttys(modemmanager_t)
miscfiles_read_localization(modemmanager_t)
@@ -47480,7 +47802,7 @@ index 46bee12..c22af86 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..ef34196 100644
+index a32c4b3..318ef45 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -47622,7 +47944,7 @@ index a32c4b3..ef34196 100644
+manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
++allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
@@ -53210,7 +53532,7 @@ index a07b2f4..ee39810 100644
+
+userdom_getattr_user_terminals(rwho_t)
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
-index 69a6074..c79b415 100644
+index 69a6074..596dbb3 100644
--- a/policy/modules/services/samba.fc
+++ b/policy/modules/services/samba.fc
@@ -11,6 +11,8 @@
@@ -53222,7 +53544,16 @@ index 69a6074..c79b415 100644
#
# /usr
#
-@@ -51,3 +53,7 @@
+@@ -36,6 +38,8 @@
+
+ /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+
++/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
++
+ /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+@@ -51,3 +55,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
@@ -55865,7 +56196,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..040ec9b 100644
+index 22adaca..8e3e9de 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -56065,7 +56396,7 @@ index 22adaca..040ec9b 100644
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
type ssh_agent_tmp_t;
-@@ -327,17 +367,19 @@ template(`ssh_role_template',`
+@@ -327,17 +367,20 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
@@ -56076,6 +56407,7 @@ index 22adaca..040ec9b 100644
allow ssh_t $3:unix_stream_socket rw_socket_perms;
allow ssh_t $3:unix_stream_socket connectto;
+ allow ssh_t $3:key manage_key_perms;
++ allow $3 ssh_t:key read;
# user can manage the keys and config
manage_files_pattern($3, ssh_home_t, ssh_home_t)
@@ -56086,7 +56418,7 @@ index 22adaca..040ec9b 100644
##############################
#
-@@ -359,7 +401,7 @@ template(`ssh_role_template',`
+@@ -359,7 +402,7 @@ template(`ssh_role_template',`
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
@@ -56095,7 +56427,7 @@ index 22adaca..040ec9b 100644
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +423,6 @@ template(`ssh_role_template',`
+@@ -381,7 +424,6 @@ template(`ssh_role_template',`
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
@@ -56103,7 +56435,7 @@ index 22adaca..040ec9b 100644
libs_read_lib_files($1_ssh_agent_t)
-@@ -393,14 +434,13 @@ template(`ssh_role_template',`
+@@ -393,14 +435,13 @@ template(`ssh_role_template',`
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
@@ -56121,7 +56453,7 @@ index 22adaca..040ec9b 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +517,27 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +518,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
@@ -56150,7 +56482,7 @@ index 22adaca..040ec9b 100644
########################################
## <summary>
## Read and write a ssh server unnamed pipe.
-@@ -494,7 +553,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +554,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@@ -56159,7 +56491,7 @@ index 22adaca..040ec9b 100644
')
########################################
-@@ -586,6 +645,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +646,24 @@ interface(`ssh_domtrans',`
########################################
## <summary>
@@ -56184,7 +56516,7 @@ index 22adaca..040ec9b 100644
## Execute the ssh client in the caller domain.
## </summary>
## <param name="domain">
-@@ -618,7 +695,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +696,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@@ -56193,7 +56525,7 @@ index 22adaca..040ec9b 100644
files_search_pids($1)
')
-@@ -680,6 +757,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +758,32 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
@@ -56226,7 +56558,7 @@ index 22adaca..040ec9b 100644
########################################
## <summary>
## Read ssh server keys
-@@ -695,7 +798,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +799,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -56235,7 +56567,7 @@ index 22adaca..040ec9b 100644
')
######################################
-@@ -735,3 +838,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +839,81 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -58288,7 +58620,7 @@ index 32a3c13..7baeb6f 100644
optional_policy(`
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..49d35d3 100644
+index 2124b6a..c60a0e7 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -1,5 +1,6 @@
@@ -58300,7 +58632,7 @@ index 2124b6a..49d35d3 100644
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,30 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,34 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@@ -58321,11 +58653,14 @@ index 2124b6a..49d35d3 100644
-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
++/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
++/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
++/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+
@@ -58334,6 +58669,7 @@ index 2124b6a..49d35d3 100644
+/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0)
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
++/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 7c5d8d8..d711fd5 100644
--- a/policy/modules/services/virt.if
@@ -58880,7 +59216,7 @@ index 7c5d8d8..d711fd5 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..8ae6778 100644
+index 3eca020..52df08a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
@@ -59408,12 +59744,12 @@ index 3eca020..8ae6778 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -59424,7 +59760,7 @@ index 3eca020..8ae6778 100644
logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
-@@ -457,8 +635,315 @@ optional_policy(`
+@@ -457,8 +635,319 @@ optional_policy(`
')
optional_policy(`
@@ -59504,6 +59840,7 @@ index 3eca020..8ae6778 100644
+optional_policy(`
+ xen_manage_image_dirs(virsh_t)
+ xen_append_log(virsh_t)
++ xen_domtrans(virsh_t)
+ xen_stream_connect(virsh_t)
+ xen_stream_connect_xenstore(virsh_t)
+')
@@ -59567,6 +59904,13 @@ index 3eca020..8ae6778 100644
+manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
+
++manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++
+kernel_read_network_state(virtd_lxc_t)
+kernel_search_network_sysctl(virtd_lxc_t)
+kernel_read_sysctl(virtd_lxc_t)
@@ -59635,17 +59979,13 @@ index 3eca020..8ae6778 100644
+allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+dontaudit svirt_lxc_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
-+manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+
+manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++rw_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++rw_blk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+
+kernel_getattr_proc(svirt_lxc_domain)
@@ -71587,7 +71927,7 @@ index 025348a..c15e57c 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..2627fa4 100644
+index d88f7c3..e5fef27 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -71666,7 +72006,7 @@ index d88f7c3..2627fa4 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -105,21 +111,29 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,21 +111,30 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -71678,6 +72018,7 @@ index d88f7c3..2627fa4 100644
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
-files_read_etc_files(udev_t)
++files_read_kernel_modules(udev_t)
+files_read_system_conf_files(udev_t)
+
+# console_init manages files in /etc/sysconfig
@@ -71697,7 +72038,7 @@ index d88f7c3..2627fa4 100644
mcs_ptrace_all(udev_t)
-@@ -143,6 +157,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +158,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -71705,7 +72046,7 @@ index d88f7c3..2627fa4 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -169,6 +184,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +185,8 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
@@ -71714,7 +72055,7 @@ index d88f7c3..2627fa4 100644
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -186,8 +203,9 @@ ifdef(`distro_redhat',`
+@@ -186,8 +204,9 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@@ -71725,7 +72066,7 @@ index d88f7c3..2627fa4 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -216,11 +234,16 @@ optional_policy(`
+@@ -216,11 +235,16 @@ optional_policy(`
')
optional_policy(`
@@ -71743,7 +72084,7 @@ index d88f7c3..2627fa4 100644
')
optional_policy(`
-@@ -230,10 +253,20 @@ optional_policy(`
+@@ -230,10 +254,20 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -71764,7 +72105,7 @@ index d88f7c3..2627fa4 100644
')
optional_policy(`
-@@ -259,6 +292,10 @@ optional_policy(`
+@@ -259,6 +293,10 @@ optional_policy(`
')
optional_policy(`
@@ -71775,7 +72116,7 @@ index d88f7c3..2627fa4 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +310,11 @@ optional_policy(`
+@@ -273,6 +311,11 @@ optional_policy(`
')
optional_policy(`
@@ -71808,7 +72149,7 @@ index ce2fbb9..8b34dbc 100644
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..683497a 100644
+index 416e668..46f9aaf 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,27 +12,29 @@
@@ -71881,10 +72222,21 @@ index 416e668..683497a 100644
unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
-@@ -178,412 +192,3 @@ interface(`unconfined_alias_domain',`
- interface(`unconfined_execmem_alias_program',`
- refpolicywarn(`$0($1) has been deprecated.')
+@@ -150,7 +164,7 @@ interface(`unconfined_domain',`
+ ## </param>
+ #
+ interface(`unconfined_alias_domain',`
+- refpolicywarn(`$0($1) has been deprecated.')
++ refpolicywarn(`$0() has been deprecated.')
')
+
+ ########################################
+@@ -176,414 +190,5 @@ interface(`unconfined_alias_domain',`
+ ## </param>
+ #
+ interface(`unconfined_execmem_alias_program',`
+- refpolicywarn(`$0($1) has been deprecated.')
+-')
-
-########################################
-## <summary>
@@ -72293,7 +72645,8 @@ index 416e668..683497a 100644
- ')
-
- allow $1 unconfined_t:dbus acquire_svc;
--')
++ refpolicywarn(`$0() has been deprecated.')
+ ')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eae5001..71e46b2 100644
--- a/policy/modules/system/unconfined.te
@@ -75995,7 +76348,7 @@ index 4b2878a..e7a65ae 100644
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..5cd0c45 100644
+index 9b4a930..04d748b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -76048,7 +76401,7 @@ index 9b4a930..5cd0c45 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +98,74 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +98,78 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -76123,6 +76476,10 @@ index 9b4a930..5cd0c45 100644
+')
+
+optional_policy(`
++ telepathy_filetrans_home_content(userdomain)
++')
++
++optional_policy(`
+ xserver_filetrans_home_content(userdomain)
+')
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
More information about the scm-commits
mailing list