[selinux-policy/f16] - Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK) - Make corosy
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Oct 14 13:40:39 UTC 2011
commit af0ca49f561d12719e9ae66360c95879cb8ad902
Author: Miroslav <mgrepl at redhat.com>
Date: Fri Oct 14 15:40:25 2011 +0200
- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
- Make corosync able to relabelto cluster lib files
- Allow samba domains to search /var/run/nmbd
- Allow dirsrv to use pam
- Allow thumb to call getuid
- chrome less likely to get mmap_zero bug so removing dontaudit
- gimp help-browser has built in javascript
- Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t
- Re-write glance policy
modules-mls.conf | 7 -
modules-targeted.conf | 7 -
policy-F16.patch | 584 +++++++++++++++++++++++++++++++++----------------
selinux-policy.spec | 13 +-
4 files changed, 408 insertions(+), 203 deletions(-)
---
diff --git a/modules-mls.conf b/modules-mls.conf
index 4286efe..90bc08a 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -619,13 +619,6 @@ gnome = module
gnomeclock = module
# Layer: services
-# Module: hal
-#
-# Hardware abstraction layer
-#
-hal = module
-
-# Layer: services
# Module: plymouthd
#
# Plymouth
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 18d8e85..937665a 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -703,13 +703,6 @@ gnome = module
gnomeclock = module
# Layer: services
-# Module: hal
-#
-# Hardware abstraction layer
-#
-hal = module
-
-# Layer: services
# Module: hddtemp
#
# hddtemp hard disk temperature tool running as a daemon
diff --git a/policy-F16.patch b/policy-F16.patch
index 1eb543f..57b4a25 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -511,7 +511,7 @@ index 7a6f06f..e117271 100644
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
-index 63eb96b..17a9f6d 100644
+index 63eb96b..98307a8 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
@@ -539,6 +539,29 @@ index 63eb96b..17a9f6d 100644
########################################
## <summary>
## Execute bootloader interactively and do
+@@ -128,3 +146,22 @@ interface(`bootloader_create_runtime_file',`
+ allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
+ files_boot_filetrans($1, boot_runtime_t, file)
+ ')
++
++########################################
++## <summary>
++## Type transition files created in /etc
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bootloader_filetrans_config',`
++ gen_require(`
++ type bootloader_etc_t;
++ ')
++
++ files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf")
++ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
++')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index d3da8f2..9e5a1d0 100644
--- a/policy/modules/admin/bootloader.te
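Review bot: The summary `## Type transition files created in /etc` on the new `bootloader_filetrans_config` interface does not say which files, while the body transitions exactly two names, `lilo.conf` and `yaboot.conf`; a reader of the .if index will assume it covers all of /etc. Name them, e.g. `## Label lilo.conf and yaboot.conf created in /etc as bootloader_etc_t.`. The two calls also drop the space after commas that the rest of the file uses (compare `files_boot_filetrans($1, boot_runtime_t, file)` a few lines above), so `files_etc_filetrans($1, bootloader_etc_t, file, "lilo.conf")` would match house style.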
@@ -1861,10 +1884,10 @@ index 0000000..bd83148
+## <summary>No Interfaces</summary>
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
-index 0000000..a6beb8f
+index 0000000..f0dbe88
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,268 @@
+@@ -0,0 +1,276 @@
+policy_module(permissivedomains,16)
+
+optional_policy(`
@@ -1876,6 +1899,14 @@ index 0000000..a6beb8f
+')
+
+optional_policy(`
++ gen_require(`
++ type pptp_t;
++ ')
++
++ permissive pptp_t;
++')
++
++optional_policy(`
+ gen_require(`
+ type bootloader_t;
+ ')
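Review bot: `permissive pptp_t;` puts a whole domain into permissive mode, yet none of the ten items in the commit message mentions pptp, so nothing records that this is temporary or when it is meant to end. A permissive domain logs its denials but never blocks them, so the block should carry a comment such as `# pptp_t is new; permissive until its policy has been exercised, remove before release` and ideally a tracker reference. The matching `network_port(pptp, ...)` line added in corenetwork.te.in is likewise absent from the message. The enclosing optional_policy block lies entirely within this hunk.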
@@ -2218,7 +2249,7 @@ index 93ec175..0e42018 100644
')
')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..e83b341 100644
+index af55369..ec838bd 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -2260,7 +2291,7 @@ index af55369..e83b341 100644
selinux_get_enforce_mode(prelink_t)
libs_exec_ld_so(prelink_t)
-@@ -98,7 +102,14 @@ libs_delete_lib_symlinks(prelink_t)
+@@ -98,7 +102,15 @@ libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
@@ -2269,6 +2300,7 @@ index af55369..e83b341 100644
+userdom_manage_user_home_content(prelink_t)
+userdom_relabel_user_home_files(prelink_t)
+userdom_execmod_user_home_files(prelink_t)
++userdom_exec_user_home_content_files(prelink_t)
+
+systemd_read_unit_files(prelink_t)
+
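Review bot: `userdom_exec_user_home_content_files(prelink_t)` lets a root-running daemon execute files that unprivileged users control in their home directories, and the hunk gives no reason for it. The neighbouring `userdom_execmod_user_home_files(prelink_t)` suggests prelink is mapping home-directory binaries for verification, but that is an inference; the line should carry the actual trigger, e.g. `# prelink verifies binaries found under $HOME via ld.so` if that is what was observed, or the AVC that prompted it otherwise. If the default prelink configuration never descends into home directories, the rule may be unnecessary altogether. The surrounding prelink_t policy continues outside the hunk.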
@@ -2276,7 +2308,7 @@ index af55369..e83b341 100644
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -109,6 +120,15 @@ optional_policy(`
+@@ -109,6 +121,15 @@ optional_policy(`
')
optional_policy(`
@@ -2292,7 +2324,7 @@ index af55369..e83b341 100644
rpm_manage_tmp_files(prelink_t)
')
-@@ -129,6 +149,7 @@ optional_policy(`
+@@ -129,6 +150,7 @@ optional_policy(`
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -2300,7 +2332,7 @@ index af55369..e83b341 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +169,28 @@ optional_policy(`
+@@ -148,17 +170,29 @@ optional_policy(`
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
@@ -2329,6 +2361,7 @@ index af55369..e83b341 100644
+ optional_policy(`
+ dbus_read_config(prelink_t)
+ ')
++ miscfiles_read_man_pages(prelink_t)
+')
diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
index bf75d99..1698e8f 100644
@@ -4624,10 +4657,10 @@ index cd70958..e8c94b1 100644
-')
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
new file mode 100644
-index 0000000..6f3570a
+index 0000000..5e09952
--- /dev/null
+++ b/policy/modules/apps/execmem.fc
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,49 @@
+
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -4663,6 +4696,7 @@ index 0000000..6f3570a
+
+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
++/usr/lib/gimp/[^/]+/plug-ins/help-browser -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
@@ -7504,7 +7538,7 @@ index 93ac529..35b51ab 100644
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..83fc139 100644
+index fbb5c5a..6c95832 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -7550,7 +7584,7 @@ index fbb5c5a..83fc139 100644
+ allow $1 mozilla_plugin_t:fd use;
+
+ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
-+ allow mozilla_plugin_t $1:shm rw_shm_perms;
++ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
+ allow mozilla_plugin_t $1:sem create_sem_perms;
+
+ ps_process_pattern($1, mozilla_plugin_t)
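Review bot: Widening `allow mozilla_plugin_t $1:shm rw_shm_perms` to `{ rw_shm_perms destroy }` lets the plugin domain remove shared-memory segments labeled with the calling user domain, i.e. segments presumably created by the browser process itself, not merely read and write them. That is plausible cleanup behaviour for a plugin container, but it also means a compromised plugin can tear down shared memory the browser still relies on, so a comment recording the case that needed it, e.g. `# plugin-container destroys browser-created shm segments on teardown`, would keep the grant reviewable. The interface body continues on both sides of the hunk.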
@@ -7650,7 +7684,7 @@ index fbb5c5a..83fc139 100644
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..d1b1280 100644
+index 2e9318b..8768af4 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -7720,10 +7754,12 @@ index 2e9318b..d1b1280 100644
')
optional_policy(`
-@@ -297,15 +306,18 @@ optional_policy(`
+@@ -296,16 +305,19 @@ optional_policy(`
+ # mozilla_plugin local policy
#
- dontaudit mozilla_plugin_t self:capability { sys_ptrace };
+-dontaudit mozilla_plugin_t self:capability { sys_ptrace };
++dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_nice };
+
allow mozilla_plugin_t self:process { setsched signal_perms execmem };
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
@@ -8559,10 +8595,10 @@ index 0000000..1925bd9
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..008fbe3
+index 0000000..f0773b4
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,340 @@
+@@ -0,0 +1,335 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -8773,11 +8809,6 @@ index 0000000..008fbe3
+')
+
+optional_policy(`
-+ pulseaudio_filetrans_admin_home_content(nsplugin_t)
-+ pulseaudio_filetrans_home_content(nsplugin_t)
-+')
-+
-+optional_policy(`
+ unconfined_execmem_signull(nsplugin_t)
+')
+
@@ -9080,7 +9111,7 @@ index 84f23dc..af5b87d 100644
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
-index f40c64d..9a5e99c 100644
+index f40c64d..a08cb82 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -35,6 +35,10 @@ interface(`pulseaudio_role',`
@@ -9094,10 +9125,13 @@ index f40c64d..9a5e99c 100644
allow $2 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
-@@ -258,3 +262,63 @@ interface(`pulseaudio_manage_home_files',`
+@@ -257,4 +261,66 @@ interface(`pulseaudio_manage_home_files',`
+ userdom_search_user_home_dirs($1)
manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- ')
++ pulseaudio_filetrans_home_content($1)
++ pulseaudio_filetrans_admin_home_content($1)
++')
+
+########################################
+## <summary>
@@ -9157,7 +9191,7 @@ index f40c64d..9a5e99c 100644
+
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
-+')
+ ')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index d1eace5..8522ab4 100644
--- a/policy/modules/apps/pulseaudio.te
@@ -9419,7 +9453,7 @@ index 268d691..da3a26d 100644
+ domain_entry_file($1, qemu_exec_t)
+')
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
-index 1813e16..83f68f0 100644
+index 1813e16..50a3a34 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -55,6 +55,7 @@ storage_raw_read_removable_device(qemu_t)
@@ -9430,7 +9464,7 @@ index 1813e16..83f68f0 100644
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
-@@ -99,6 +100,18 @@ optional_policy(`
+@@ -99,6 +100,13 @@ optional_policy(`
')
optional_policy(`
@@ -9440,16 +9474,11 @@ index 1813e16..83f68f0 100644
+')
+
+optional_policy(`
-+ pulseaudio_manage_home_files(qemu_t)
-+ pulseaudio_stream_connect(qemu_t)
-+')
-+
-+optional_policy(`
+ virt_manage_home_files(qemu_t)
virt_manage_images(qemu_t)
virt_append_log(qemu_t)
')
-@@ -111,18 +124,3 @@ optional_policy(`
+@@ -111,18 +119,3 @@ optional_policy(`
xserver_read_xdm_pid(qemu_t)
xserver_stream_connect(qemu_t)
')
@@ -11299,10 +11328,10 @@ index 0000000..b78aa77
+
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..cc502a0
+index 0000000..b4001f1
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,73 @@
+@@ -0,0 +1,76 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -11349,6 +11378,8 @@ index 0000000..cc502a0
+files_read_etc_files(thumb_t)
+files_read_usr_files(thumb_t)
+
++auth_use_nsswitch(thumb_t)
++
+miscfiles_read_fonts(thumb_t)
+miscfiles_read_localization(thumb_t)
+
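Review bot: `auth_use_nsswitch(thumb_t)` grants considerably more than the getuid the commit message cites: getuid itself needs no policy, and a local getpwuid lookup is already covered by `files_read_etc_files(thumb_t)` a few lines above, whereas auth_use_nsswitch also opens name-service connections (nscd, sssd, ldap or dns, depending on what is enabled) to a domain whose job is parsing untrusted image files. If the observed denial was a name-service socket connect, a comment should say so, e.g. `# getpwuid() resolves through nss (nscd/sssd)`; otherwise the narrower rule is preferable for a domain that handles attacker-supplied input. The thumb_t policy continues outside the hunk.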
@@ -11357,6 +11388,7 @@ index 0000000..cc502a0
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
+userdom_write_user_tmp_files(thumb_t)
++userdom_read_home_audio_files(thumb_t)
+
+userdom_use_inherited_user_ptys(thumb_t)
+
@@ -11945,7 +11977,7 @@ index 223ad43..d95e720 100644
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..d653b7f 100644
+index 3fae11a..7bcafea 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
@@ -11978,7 +12010,15 @@ index 3fae11a..d653b7f 100644
/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -179,6 +174,8 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +163,7 @@ ifdef(`distro_gentoo',`
+ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+@@ -179,6 +175,8 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -11987,7 +12027,7 @@ index 3fae11a..d653b7f 100644
#
# /usr
#
-@@ -198,48 +195,51 @@ ifdef(`distro_gentoo',`
+@@ -198,48 +196,51 @@ ifdef(`distro_gentoo',`
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
@@ -12081,7 +12121,7 @@ index 3fae11a..d653b7f 100644
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,9 +247,13 @@ ifdef(`distro_gentoo',`
+@@ -247,9 +248,13 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -12096,7 +12136,7 @@ index 3fae11a..d653b7f 100644
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +271,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +272,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -12107,7 +12147,7 @@ index 3fae11a..d653b7f 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,6 +294,7 @@ ifdef(`distro_gentoo',`
+@@ -286,6 +295,7 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -12115,7 +12155,7 @@ index 3fae11a..d653b7f 100644
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -293,8 +302,10 @@ ifdef(`distro_gentoo',`
+@@ -293,8 +303,10 @@ ifdef(`distro_gentoo',`
/usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -12127,7 +12167,7 @@ index 3fae11a..d653b7f 100644
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +317,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +318,11 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -12141,7 +12181,7 @@ index 3fae11a..d653b7f 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +331,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +332,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -12153,7 +12193,7 @@ index 3fae11a..d653b7f 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +377,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +378,7 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -12162,7 +12202,7 @@ index 3fae11a..d653b7f 100644
/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
')
-@@ -375,8 +389,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +390,9 @@ ifdef(`distro_suse', `
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -12173,13 +12213,13 @@ index 3fae11a..d653b7f 100644
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +400,4 @@ ifdef(`distro_suse', `
+@@ -385,3 +401,4 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..59c2125 100644
+index 9e9263a..650e796 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -203,7 +203,7 @@ interface(`corecmd_getattr_bin_files',`
@@ -12216,7 +12256,32 @@ index 9e9263a..59c2125 100644
## Read symbolic links in bin directories.
## </summary>
## <param name="domain">
-@@ -1049,6 +1067,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -954,6 +972,24 @@ interface(`corecmd_exec_chroot',`
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to access check executable files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`corecmd_dontaudit_access_all_executables',`
++ gen_require(`
++ attribute exec_type;
++ ')
++
++ dontaudit $1 exec_type:file audit_access;
++')
++
++########################################
++## <summary>
+ ## Get the attributes of all executable files.
+ ## </summary>
+ ## <param name="domain">
+@@ -1049,6 +1085,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t;
')
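Review bot: The summary `## Do not audit attempts to access check executable files.` on `corecmd_dontaudit_access_all_executables` undersells the one fact a reader needs: `audit_access` is the permission checked for access(2)/faccessat(2) probes and, as far as I know, it only controls whether such a denial is audited, never whether anything is granted, so this interface is noise suppression rather than a permission grant even though it spans the whole `exec_type` attribute. Spell that out, e.g. `## Do not audit access(2) checks on executable files; audit_access only affects auditing of the probe, a real execve denial is still logged.`. The `Domain to not audit.` parameter text follows the file's convention and is fine.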
@@ -13386,7 +13451,7 @@ index 4f3b542..cf422f4 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..17d942f 100644
+index 99b71cb..740d4b1 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -13553,7 +13618,7 @@ index 99b71cb..17d942f 100644
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,16 +199,25 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +199,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -13580,7 +13645,13 @@ index 99b71cb..17d942f 100644
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
-@@ -179,30 +235,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+ network_port(postgresql, tcp,5432,s0)
+ network_port(postgrey, tcp,60000,s0)
++network_port(pptp, tcp, 1723,s0, udp, 1723, s0)
+ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+ network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
+ network_port(printer, tcp,515,s0)
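Review bot: `network_port(pptp, tcp, 1723,s0, udp, 1723, s0)` declares UDP 1723 for PPTP, but as I understand the protocol it uses only TCP 1723 for control plus GRE for the tunnel, so the udp entry looks copied from the neighbours rather than driven by a denial; confirm against the AVC before keeping it. The spacing also differs from every surrounding line, which write the form `tcp,1723,s0, udp,1723,s0`. This port type belongs with the new `permissive pptp_t` in permissivedomains.te, and neither is mentioned in the commit message.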
+@@ -179,30 +236,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
@@ -13620,7 +13691,7 @@ index 99b71cb..17d942f 100644
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -215,7 +276,7 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,7 +277,7 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -13629,7 +13700,7 @@ index 99b71cb..17d942f 100644
network_port(wccp, udp,2048,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
-@@ -229,6 +290,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +291,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -13637,7 +13708,7 @@ index 99b71cb..17d942f 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,6 +300,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +301,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -13650,7 +13721,7 @@ index 99b71cb..17d942f 100644
########################################
#
-@@ -282,9 +350,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +351,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -13714,10 +13785,16 @@ index 35fed4f..51ad69a 100644
#
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..935a96c 100644
+index 6cf8784..12bd6fc 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
-@@ -20,6 +20,7 @@
+@@ -15,11 +15,13 @@
+ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
++/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -13725,7 +13802,7 @@ index 6cf8784..935a96c 100644
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
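Review bot: `/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0)` is, in the commit message's own words, a best guess, but the file context carries no trace of that, so the next maintainer will read it as settled. Put the uncertainty where it will be seen, e.g. a comment above the line: `# /dev/bsr* (barrier synchronization registers, if the name is read right): labeled cpu_device_t on a best guess, revisit if the device needs its own type`. The entry is also inserted before `/dev/beep` although the surrounding list is alphabetical (beep, bsr, btrfs-control).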
-@@ -57,8 +58,10 @@
+@@ -57,8 +59,10 @@
/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -13736,7 +13813,7 @@ index 6cf8784..935a96c 100644
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -126,6 +129,7 @@ ifdef(`distro_suse', `
+@@ -126,6 +130,7 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -13744,7 +13821,7 @@ index 6cf8784..935a96c 100644
/dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-@@ -187,8 +191,6 @@ ifdef(`distro_suse', `
+@@ -187,8 +192,6 @@ ifdef(`distro_suse', `
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -13753,7 +13830,7 @@ index 6cf8784..935a96c 100644
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +198,8 @@ ifdef(`distro_redhat',`
+@@ -196,3 +199,8 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@@ -15285,7 +15362,7 @@ index 6a1e4d1..3ded83e 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..db2a183 100644
+index fae1ab1..02cf550 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -15378,7 +15455,7 @@ index fae1ab1..db2a183 100644
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -160,3 +197,118 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,120 @@ allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -15497,6 +15574,8 @@ index fae1ab1..db2a183 100644
+optional_policy(`
+ seutil_dontaudit_read_config(domain)
+')
++
++dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c19518a..12e8e9c 100644
--- a/policy/modules/kernel/files.fc
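Review bot: `dontaudit domain domain:process { noatsecure siginh rlimitinh } ;` silences these three denials for every pair of domains in the policy, and nothing in the hunk says why. Their denial is the safe default on a transition (AT_SECURE stays set, signal state and rlimits are not inherited) and is usually harmless noise, but a global dontaudit also hides the one case where a transition was expected to inherit and did not, so a comment should record the reasoning and how to get the messages back, e.g. `# Denials of the transition-inheritance perms are noise for nearly all domain pairs; rebuild with dontaudit rules disabled (semodule -DB) to see them.`. The stray space before `;` is also out of step with the rest of the file.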
@@ -21628,10 +21707,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..e1113e0
+index 0000000..49f2c54
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,503 @@
+@@ -0,0 +1,504 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -21878,7 +21957,7 @@ index 0000000..e1113e0
+')
+
+optional_policy(`
-+ bootloader_run(unconfined_t, unconfined_r)
++ bootloader_filetrans_config(unconfined_t)
+')
+
+optional_policy(`
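Review bot: Replacing `bootloader_run(unconfined_t, unconfined_r)` with `bootloader_filetrans_config(unconfined_t)` means unconfined_t no longer transitions into bootloader_t when it runs the bootloader tools; it only gets the lilo.conf/yaboot.conf labeling, and the commit message has no item for this behaviour change. If that is intended, say so above the call, e.g. `# unconfined_t runs the bootloader tools in its own domain; only label the configs it writes`; if the transition is still wanted, keep both calls. I cannot tell from this hunk whether bootloader_run is granted to unconfined_t elsewhere in the file.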
@@ -22035,6 +22114,7 @@ index 0000000..e1113e0
+
+optional_policy(`
+ pulseaudio_filetrans_admin_home_content(unconfined_usertype)
++ pulseaudio_filetrans_home_content(unconfined_usertype)
+')
+
+optional_policy(`
@@ -22723,7 +22803,7 @@ index 0b827c5..bfb68b2 100644
+ dontaudit $1 abrt_t:sock_file write;
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..bd5ff95 100644
+index 30861ec..b11c27f 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -22982,7 +23062,7 @@ index 30861ec..bd5ff95 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +315,126 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +315,128 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -22990,7 +23070,7 @@ index 30861ec..bd5ff95 100644
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
-+')
+ ')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
@@ -23068,7 +23148,7 @@ index 30861ec..bd5ff95 100644
+
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
- ')
++')
+
+########################################
+#
@@ -23088,6 +23168,8 @@ index 30861ec..bd5ff95 100644
+read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+
++allow abrt_dump_oops_t abrt_etc_t:file read_file_perms;
++
+kernel_read_kernel_sysctls(abrt_dump_oops_t)
+kernel_read_ring_buffer(abrt_dump_oops_t)
+
@@ -29665,10 +29747,18 @@ index 5220c9d..a2e6830 100644
## <summary>
## Allow the specified domain to read corosync's log files.
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 04969e5..0e76440 100644
+index 04969e5..b55d7bf 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
-@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
+@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
+ type corosync_t;
+ type corosync_exec_t;
+ init_daemon_domain(corosync_t, corosync_exec_t)
++domain_obj_id_change_exemption(corosync_t)
+
+ type corosync_initrc_exec_t;
+ init_script_file(corosync_initrc_exec_t)
+@@ -32,8 +33,8 @@ files_pid_file(corosync_var_run_t)
# corosync local policy
#
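Review bot: `domain_obj_id_change_exemption(corosync_t)` is a much wider grant than the relabelto on cluster lib files that the commit message describes: it exempts corosync from the constraint that stops a domain from changing the SELinux user of an object it relabels or creates, a privilege normally reserved for labeling tools. If the denial being fixed was an ordinary type-relabel AVC, `relabelfrom`/`relabelto` on the specific cluster types should suffice without the exemption; if it really was a constraint violation, a comment should say which files and why their user component changes, e.g. `# cluster lib files may carry a non-system_u user; corosync relabels them`. This is inferred from the hunk alone; corosync_t's relabel rules are outside it.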
@@ -29679,7 +29769,7 @@ index 04969e5..0e76440 100644
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
-@@ -41,9 +41,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
+@@ -41,9 +42,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
allow corosync_t self:unix_dgram_socket create_socket_perms;
allow corosync_t self:udp_socket create_socket_perms;
@@ -29692,7 +29782,7 @@ index 04969e5..0e76440 100644
manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
-@@ -63,8 +66,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+@@ -63,8 +67,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
kernel_read_system_state(corosync_t)
@@ -29704,7 +29794,7 @@ index 04969e5..0e76440 100644
corenet_udp_bind_netsupport_port(corosync_t)
-@@ -73,6 +79,7 @@ dev_read_urand(corosync_t)
+@@ -73,6 +80,7 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
@@ -29712,7 +29802,7 @@ index 04969e5..0e76440 100644
auth_use_nsswitch(corosync_t)
-@@ -83,19 +90,44 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,19 +91,44 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
@@ -33818,10 +33908,10 @@ index 0000000..6fd8e9f
+')
diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
new file mode 100644
-index 0000000..43c82e7
+index 0000000..a5afe38
--- /dev/null
+++ b/policy/modules/services/dirsrv.te
-@@ -0,0 +1,185 @@
+@@ -0,0 +1,187 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -33938,6 +34028,8 @@ index 0000000..43c82e7
+
+fs_getattr_all_fs(dirsrv_t)
+
++auth_use_pam(dirsrv_t)
++
+logging_send_syslog_msg(dirsrv_t)
+
+miscfiles_read_localization(dirsrv_t)
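Review bot: `auth_use_pam(dirsrv_t)` is a broad interface to hand a network-facing directory server for what the message calls "use pam": as far as I recall it bundles the transition to the chkpwd helpers, login-record and utmp writes, audit messaging and nsswitch access, not just a password check. If the trigger is the server's PAM pass-through authentication plugin, a comment naming it would justify the grant, e.g. `# PAM pass-through auth plugin drives the full pam stack`; if only a subset of denials was observed, the narrower auth_* interfaces may be enough. The dirsrv_t policy continues outside the hunk.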
@@ -37541,10 +37633,10 @@ index 0000000..3b1870a
+
diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
new file mode 100644
-index 0000000..3d67b98
+index 0000000..45b7469
--- /dev/null
+++ b/policy/modules/services/glance.te
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,104 @@
+policy_module(glance, 1.0.0)
+
+########################################
@@ -37552,7 +37644,9 @@ index 0000000..3d67b98
+# Declarations
+#
+
-+type glance_registry_t;
++attribute glance_domain;
++
++type glance_registry_t, glance_domain;
+type glance_registry_exec_t;
+init_daemon_domain(glance_registry_t, glance_registry_exec_t)
+
@@ -37562,7 +37656,7 @@ index 0000000..3d67b98
+type glance_registry_tmp_t;
+files_tmp_file(glance_registry_tmp_t)
+
-+type glance_api_t;
++type glance_api_t, glance_domain;
+type glance_api_exec_t;
+init_daemon_domain(glance_api_t, glance_api_exec_t)
+
@@ -37581,78 +37675,62 @@ index 0000000..3d67b98
+type glance_var_run_t;
+files_pid_file(glance_var_run_t)
+
-+########################################
++#######################################
+#
-+# glance-registry local policy
++# glance general domain local policy
+#
+
-+allow glance_registry_t self:fifo_file rw_fifo_file_perms;
-+allow glance_registry_t self:unix_stream_socket create_stream_socket_perms;
-+allow glance_registry_t self:tcp_socket create_stream_socket_perms;
++allow glance_domain self:fifo_file rw_fifo_file_perms;
++allow glance_domain self:unix_stream_socket create_stream_socket_perms;
++allow glance_domain self:tcp_socket create_stream_socket_perms;
+
-+manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
-+manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
-+files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
++manage_dirs_pattern(glance_domain, glance_log_t, glance_log_t)
++manage_files_pattern(glance_domain, glance_log_t, glance_log_t)
+
-+manage_dirs_pattern(glance_registry_t, glance_log_t, glance_log_t)
-+manage_files_pattern(glance_registry_t, glance_log_t, glance_log_t)
-+logging_log_filetrans(glance_registry_t, glance_log_t, { dir file })
++manage_dirs_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
++manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+
-+manage_dirs_pattern(glance_registry_t, glance_var_lib_t, glance_var_lib_t)
-+manage_files_pattern(glance_registry_t, glance_var_lib_t, glance_var_lib_t)
-+files_var_lib_filetrans(glance_registry_t, glance_var_lib_t, { dir file })
++manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
++manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
+
-+manage_dirs_pattern(glance_registry_t, glance_var_run_t, glance_var_run_t)
-+manage_files_pattern(glance_registry_t, glance_var_run_t, glance_var_run_t)
-+files_pid_filetrans(glance_registry_t, glance_var_run_t, { dir file })
++kernel_read_system_state(glance_domain)
+
-+kernel_read_system_state(glance_registry_t)
++corecmd_exec_bin(glance_domain)
+
-+corecmd_exec_bin(glance_registry_t)
++dev_read_urand(glance_domain)
+
-+corenet_tcp_bind_generic_node(glance_registry_t)
-+corenet_tcp_bind_glance_registry_port(glance_registry_t)
++files_read_etc_files(glance_domain)
++files_read_usr_files(glance_domain)
++
++miscfiles_read_localization(glance_domain)
+
-+dev_read_urand(glance_registry_t)
++optional_policy(`
++ sysnet_dns_name_resolve(glance_domain)
++')
+
-+domain_use_interactive_fds(glance_registry_t)
++########################################
++#
++# glance-registry local policy
++#
+
-+files_read_etc_files(glance_registry_t)
-+files_read_usr_files(glance_registry_t)
++manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
++manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
++files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
+
-+miscfiles_read_localization(glance_registry_t)
++corenet_tcp_bind_generic_node(glance_registry_t)
++corenet_tcp_bind_glance_registry_port(glance_registry_t)
+
-+sysnet_dns_name_resolve(glance_registry_t)
+
+########################################
+#
+# glance-api local policy
+#
+
-+allow glance_api_t self:fifo_file rw_fifo_file_perms;
-+allow glance_api_t self:unix_stream_socket create_stream_socket_perms;
-+allow glance_api_t self:tcp_socket create_stream_socket_perms;
-+
+manage_dirs_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
+can_exec(glance_api_t, glance_tmp_t)
+
-+manage_dirs_pattern(glance_api_t, glance_log_t, glance_log_t)
-+manage_files_pattern(glance_api_t, glance_log_t, glance_log_t)
-+logging_log_filetrans(glance_api_t, glance_log_t, { dir file })
-+
-+manage_dirs_pattern(glance_api_t, glance_var_lib_t, glance_var_lib_t)
-+manage_files_pattern(glance_api_t, glance_var_lib_t, glance_var_lib_t)
-+files_var_lib_filetrans(glance_api_t, glance_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(glance_api_t, glance_var_run_t, glance_var_run_t)
-+manage_files_pattern(glance_api_t, glance_var_run_t, glance_var_run_t)
-+files_pid_filetrans(glance_api_t, glance_var_run_t, { dir file })
-+
-+kernel_read_system_state(glance_api_t)
-+
-+corecmd_exec_bin(glance_api_t)
+corecmd_exec_shell(glance_api_t)
+
+corenet_tcp_bind_generic_node(glance_api_t)
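Review bot: The rewrite drops the three filetrans rules the old per-domain sections carried (`logging_log_filetrans`, `files_var_lib_filetrans`, `files_pid_filetrans`) and does not add them to the new `glance_domain` section; `manage_files_pattern` only lets the domains create content inside directories already labelled glance_log_t/glance_var_lib_t/glance_var_run_t, so a log or pid file written directly into /var/log or /var/run would be created with the parent directory's type and then be unwritable by glance. If glance.fc (not in this chunk) labels dedicated /var/{log,lib,run}/glance directories this is fine; otherwise `files_pid_filetrans(glance_domain, glance_var_run_t, { dir file })` and the log/var_lib counterparts should be restored on the shared attribute. A smaller point of style: the new section banner `#######################################` is one `#` shorter than the other banners in the file. The glance_api_t section continues outside the hunk.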
@@ -37662,20 +37740,7 @@ index 0000000..3d67b98
+
+fs_getattr_xattr_fs(glance_api_t)
+
-+domain_use_interactive_fds(glance_api_t)
-+
-+files_read_etc_files(glance_api_t)
-+files_read_usr_files(glance_api_t)
-+
+libs_exec_ldconfig(glance_api_t)
-+
-+miscfiles_read_localization(glance_api_t)
-+
-+sysnet_read_config(glance_api_t)
-+
-+sysnet_dns_name_resolve(glance_api_t)
-+
-+
diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc
index 462de63..5df751b 100644
--- a/policy/modules/services/gnomeclock.fc
@@ -41046,20 +41111,32 @@ index 0000000..5b84980
+')
diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc
new file mode 100644
-index 0000000..c502d10
+index 0000000..ac84e59
--- /dev/null
+++ b/policy/modules/services/matahari.fc
-@@ -0,0 +1,15 @@
+@@ -0,0 +1,27 @@
+/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+
+/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
+
++/usr/sbin/matahari-dbus-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
++
++/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
++
+/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
+
++/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
++
++/usr/sbin/matahari-qmf-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
++
+/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
+
++/usr/sbin/matahari-dbus-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
++
++/usr/sbin/matahari-qmf-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
++
+/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0)
+
+/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0)
@@ -42881,7 +42958,7 @@ index 343cee3..fff3a52 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..142fbfb 100644
+index 64268e4..4e45f74 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -43119,7 +43196,16 @@ index 64268e4..142fbfb 100644
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -292,3 +314,44 @@ optional_policy(`
+@@ -277,6 +299,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+ # files in an appropriate place for mta_user_agent
+ userdom_read_user_tmp_files(mta_user_agent)
+
++dev_read_sysfs(user_mail_t)
++
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(user_mail_t)
+ fs_manage_cifs_symlinks(user_mail_t)
+@@ -292,3 +316,44 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
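Review bot: `dev_read_sysfs(user_mail_t)` is added without a comment and without a changelog entry covering it; sysfs exposes hardware and kernel configuration, so the grant should record what prompted it, e.g. `# <mail client> reads /sys at startup -- fill in from the denial that motivated this`. The user_mail_t section continues outside the hunk.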
@@ -48899,7 +48985,7 @@ index b524673..921a60f 100644
+ ppp_systemctl($1)
')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..605815a 100644
+index 2af42e7..399a452 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -49045,13 +49131,16 @@ index 2af42e7..605815a 100644
dev_read_sysfs(pptp_t)
-@@ -266,6 +278,7 @@ corenet_raw_sendrecv_generic_node(pptp_t)
+@@ -265,9 +277,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
+ corenet_raw_sendrecv_generic_node(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
corenet_tcp_bind_generic_node(pptp_t)
- corenet_tcp_connect_generic_port(pptp_t)
-+corenet_tcp_connect_unreserved_ports(pptp_t)
- corenet_tcp_connect_all_reserved_ports(pptp_t)
+-corenet_tcp_connect_generic_port(pptp_t)
+-corenet_tcp_connect_all_reserved_ports(pptp_t)
corenet_sendrecv_generic_client_packets(pptp_t)
++corenet_tcp_connect_pptp_port(pptp_t)
+
+ files_read_etc_files(pptp_t)
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
index 2316653..77ef768 100644
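Review bot: Replacing `corenet_tcp_connect_generic_port`/`corenet_tcp_connect_all_reserved_ports` with `corenet_tcp_connect_pptp_port(pptp_t)` is a genuine least-privilege improvement, but the hunk keeps only `corenet_sendrecv_generic_client_packets(pptp_t)`; refpolicy convention pairs a port-specific connect with the matching packet rule, so `corenet_sendrecv_pptp_client_packets(pptp_t)` should accompany it. The omission only matters on systems that label traffic with SECMARK, so it is not a regression for the default configuration, but it leaves the pairing incomplete. The pptp_t section continues outside the hunk.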
@@ -54098,7 +54187,7 @@ index 82cb169..0a29f68 100644
+ samba_systemctl($1)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..49941ec 100644
+index e30bb63..f0f6907 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
@@ -54331,7 +54420,7 @@ index e30bb63..49941ec 100644
allow nmbd_t swat_t:process signal;
-allow swat_t smbd_var_run_t:file { lock unlink };
-+allow swat_t nmbd_var_run_t:file read_file_perms;
++read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
allow swat_t smbd_port_t:tcp_socket name_bind;
@@ -54367,6 +54456,15 @@ index e30bb63..49941ec 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
+@@ -783,7 +803,7 @@ allow winbind_t self:udp_socket create_socket_perms;
+
+ allow winbind_t nmbd_t:process { signal signull };
+
+-allow winbind_t nmbd_var_run_t:file read_file_perms;
++read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
+
+ allow winbind_t samba_etc_t:dir list_dir_perms;
+ read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -806,15 +826,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -56471,7 +56569,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..8e3e9de 100644
+index 22adaca..be6e1fa 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -56734,7 +56832,7 @@ index 22adaca..8e3e9de 100644
- allow $1 sshd_t:fifo_file { getattr read };
+ allow $1 sshd_t:fifo_file read_fifo_file_perms;
-+')
+ ')
+
+######################################
+## <summary>
@@ -56752,7 +56850,7 @@ index 22adaca..8e3e9de 100644
+ ')
+
+ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
- ')
++')
+
########################################
## <summary>
@@ -56800,7 +56898,32 @@ index 22adaca..8e3e9de 100644
files_search_pids($1)
')
-@@ -680,6 +758,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -643,6 +721,24 @@ interface(`ssh_agent_exec',`
+
+ ########################################
+ ## <summary>
++## Getattr ssh home directory
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_getattr_user_home_dir',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ allow $1 ssh_home_t:dir getattr;
++')
++
++########################################
++## <summary>
+ ## Read ssh home directory content
+ ## </summary>
+ ## <param name="domain">
+@@ -680,6 +776,32 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
@@ -56833,7 +56956,7 @@ index 22adaca..8e3e9de 100644
########################################
## <summary>
## Read ssh server keys
-@@ -695,7 +799,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +817,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -56842,7 +56965,7 @@ index 22adaca..8e3e9de 100644
')
######################################
-@@ -735,3 +839,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +857,81 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -61971,7 +62094,7 @@ index 130ced9..b6fb17a 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..60e0e2d 100644
+index 143c893..de08586 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -62431,7 +62554,7 @@ index 143c893..60e0e2d 100644
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-+corecmd_dontaudit_access_check_bin(xdm_t)
++corecmd_dontaudit_access_all_executables(xdm_t)
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
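Review bot: `corecmd_dontaudit_access_all_executables(xdm_t)` silences audit records for access(2) probes against every executable type, a deliberate loss of signal whose justification exists only in the commit message; it should be recorded next to the rule, e.g. `# gnome-shell probes executables with access(EXEC, X_OK); see changelog 3.10.0-40`. The interface is not defined in this chunk, so its definition in corecommands.if should be checked to confirm it dontaudits only the access-check permission and does not also cover execute_no_trans, otherwise genuine failed execs by xdm_t would go unlogged too. The xdm_t section continues outside the hunk.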
@@ -63540,7 +63663,7 @@ index 28ad538..59742f4 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..f05a80f 100644
+index 73554ec..e3720d4 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -63626,7 +63749,7 @@ index 73554ec..f05a80f 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -155,9 +177,84 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +177,83 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -63671,7 +63794,6 @@ index 73554ec..f05a80f 100644
+ optional_policy(`
+ ssh_agent_exec($1)
+ ssh_read_user_home_files($1)
-+ userdom_read_user_home_content_files($1)
+ ')
+')
+
@@ -63713,7 +63835,7 @@ index 73554ec..f05a80f 100644
')
########################################
-@@ -368,13 +465,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -368,13 +464,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -63730,7 +63852,7 @@ index 73554ec..f05a80f 100644
')
########################################
-@@ -421,6 +520,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +519,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -63756,7 +63878,7 @@ index 73554ec..f05a80f 100644
')
########################################
-@@ -736,7 +854,47 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +853,47 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -63805,7 +63927,7 @@ index 73554ec..f05a80f 100644
')
#######################################
-@@ -932,9 +1090,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1089,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -63839,7 +63961,7 @@ index 73554ec..f05a80f 100644
')
########################################
-@@ -1387,6 +1566,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1565,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -63865,7 +63987,7 @@ index 73554ec..f05a80f 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1541,24 +1739,6 @@ interface(`auth_manage_login_records',`
+@@ -1541,24 +1738,6 @@ interface(`auth_manage_login_records',`
########################################
## <summary>
@@ -63890,7 +64012,7 @@ index 73554ec..f05a80f 100644
## Use nsswitch to look up user, password, group, or
## host information.
## </summary>
-@@ -1578,54 +1758,11 @@ interface(`auth_relabel_login_records',`
+@@ -1578,54 +1757,11 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
@@ -63948,7 +64070,7 @@ index 73554ec..f05a80f 100644
')
########################################
-@@ -1659,3 +1796,33 @@ interface(`auth_unconfined',`
+@@ -1659,3 +1795,33 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -67520,11 +67642,77 @@ index e5836d3..eae9427 100644
-optional_policy(`
- unconfined_domain(ldconfig_t)
-')
+diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
+index be6a81b..ddae53a 100644
+--- a/policy/modules/system/locallogin.fc
++++ b/policy/modules/system/locallogin.fc
+@@ -1,3 +1,5 @@
++HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
++/root/.\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
+
+ /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+ /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
+index 0e3c2a9..3272623 100644
+--- a/policy/modules/system/locallogin.if
++++ b/policy/modules/system/locallogin.if
+@@ -129,3 +129,41 @@ interface(`locallogin_domtrans_sulogin',`
+
+ domtrans_pattern($1, sulogin_exec_t, sulogin_t)
+ ')
++
++########################################
++## <summary>
++## create local login content in the in the /root directory
++## with an correct label.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`locallogin_filetrans_admin_home_content',`
++ gen_require(`
++ type local_login_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
++')
++
++########################################
++## <summary>
++## Transition to local login named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`locallogin_filetrans_home_content',`
++ gen_require(`
++ type local_login_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
++')
++
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a0b379d..b823395 100644
+index a0b379d..bf90918 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
-@@ -32,9 +32,8 @@ role system_r types sulogin_t;
+@@ -17,6 +17,9 @@ type local_login_tmp_t;
+ files_tmp_file(local_login_tmp_t)
+ files_poly_parent(local_login_tmp_t)
+
++type local_login_home_t;
++userdom_user_home_content(local_login_home_t)
++
+ type sulogin_t;
+ type sulogin_exec_t;
+ domain_obj_id_change_exemption(sulogin_t)
+@@ -32,9 +35,8 @@ role system_r types sulogin_t;
# Local login local policy
#
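Review bot: The new locallogin.fc entry `/root/.\.hushlogin` does not match `/root/.hushlogin`: the unescaped `.` consumes one arbitrary character before the literal dot, so the pattern matches `/root/X.hushlogin` for any X and never the real file (compare `/root/\.ssh(/.*)?` earlier in this patch); it should read `/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)`. The summary of `locallogin_filetrans_admin_home_content` also needs a wording fix: "create local login content in the in the /root directory with an correct label" duplicates "in the" and should say "a correct label". Nothing in this chunk calls either new filetrans interface, so until a user or admin domain does, a `.hushlogin` created from a shell keeps the generic home-content type and only receives local_login_home_t on relabel; the callers are presumably in userdom/unprivuser files not shown here.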
@@ -67536,7 +67724,16 @@ index a0b379d..b823395 100644
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
-@@ -73,6 +72,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
+@@ -51,6 +53,8 @@ allow local_login_t self:key { search write link };
+ allow local_login_t local_login_lock_t:file manage_file_perms;
+ files_lock_filetrans(local_login_t, local_login_lock_t, file)
+
++allow local_login_t local_login_home_t:file read_file_perms;
++
+ allow local_login_t local_login_tmp_t:dir manage_dir_perms;
+ allow local_login_t local_login_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
+@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
@@ -67545,7 +67742,7 @@ index a0b379d..b823395 100644
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
-@@ -123,8 +124,10 @@ auth_rw_faillog(local_login_t)
+@@ -123,8 +129,10 @@ auth_rw_faillog(local_login_t)
auth_manage_pam_pid(local_login_t)
auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)
@@ -67556,7 +67753,7 @@ index a0b379d..b823395 100644
miscfiles_read_localization(local_login_t)
-@@ -156,6 +159,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -156,6 +164,12 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(local_login_t)
')
@@ -67569,7 +67766,7 @@ index a0b379d..b823395 100644
optional_policy(`
alsa_domtrans(local_login_t)
')
-@@ -177,14 +186,6 @@ optional_policy(`
+@@ -177,14 +191,6 @@ optional_policy(`
')
optional_policy(`
@@ -67584,7 +67781,7 @@ index a0b379d..b823395 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -215,6 +216,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,6 +221,7 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
@@ -67592,7 +67789,7 @@ index a0b379d..b823395 100644
kernel_read_system_state(sulogin_t)
fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +225,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+@@ -223,13 +230,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)
@@ -67610,7 +67807,7 @@ index a0b379d..b823395 100644
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
-@@ -238,14 +244,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +249,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -67637,7 +67834,7 @@ index a0b379d..b823395 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +277,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -71188,10 +71385,10 @@ index 0000000..9eaa38e
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..764084e
+index 0000000..f642930
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,477 @@
+@@ -0,0 +1,478 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -71240,6 +71437,7 @@ index 0000000..764084e
+ can_exec($1, systemd_systemctl_exec_t)
+
+ systemd_list_unit_dirs($1)
++ init_list_pid_dirs($1)
+ init_read_state($1)
+ init_stream_send($1)
+')
@@ -71671,10 +71869,10 @@ index 0000000..764084e
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..3790267
+index 0000000..3e5e632
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,370 @@
+@@ -0,0 +1,371 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -71753,6 +71951,7 @@ index 0000000..3790267
+dev_read_sysfs(systemd_logind_t)
+dev_setattr_input_dev(systemd_logind_t)
+dev_setattr_mouse_dev(systemd_logind_t)
++dev_write_kmsg(systemd_logind_t)
+
+dev_getattr_all_chr_files(systemd_logind_t)
+dev_getattr_all_blk_files(systemd_logind_t)
@@ -77189,9 +77388,18 @@ index bdd500c..4719351 100644
define(`admin_pattern',`
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
-index 22ca011..823794e 100644
+index 22ca011..18e1b2f 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
+@@ -4,7 +4,7 @@
+ define(`domain_transition_pattern',`
+ allow $1 $2:file { getattr open read execute };
+ allow $1 $3:process transition;
+- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
++# dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+ ')
+
+ # compatibility:
@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',`
domain_transition_pattern($1,$2,$3)
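Review bot: Commenting out `dontaudit $1 $3:process { noatsecure siginh rlimitinh };` inside `domain_transition_pattern` changes every domain transition in the policy, yet none of the changelog entries in this commit mentions it. Those three permissions decide whether rlimits, signal state and AT_SECURE handling are inherited across the exec; denying them is the safe direction, which is why they are conventionally dontaudited, and dropping the dontaudit will surface an AVC for every transition that lacks an explicit allow. If this is a deliberate move to start auditing inheritance, say so in the changelog and delete the line rather than leaving dead policy text in the macro; if it is a debugging leftover, restore it before the build ships.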
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a04d0c0..53c071e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 39%{?dist}
+Release: 40%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Oct 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-40
+- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
+- Make corosync to be able to relabelto cluster lib fies
+- Allow samba domains to search /var/run/nmbd
+- Allow dirsrv to use pam
+- Allow thumb to call getuid
+- chrome less likely to get mmap_zero bug so removing dontaudit
+- gimp help-browser has built in javascript
+- Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t
+- Re-write glance policy
+
* Mon Oct 10 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-39
- Fixes for bootloader policy
- $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore