[selinux-policy] +- Allow collectd to read hardware state information +- Add loop_control_device_t +- Allow mdadm to

Miroslav Grepl mgrepl at fedoraproject.org
Tue Sep 13 14:17:36 UTC 2011


commit e8563b32458817a361fceffe7df68b9536e82c8d
Author: Miroslav <mgrepl at redhat.com>
Date:   Tue Sep 13 16:17:16 2011 +0200

    +-  Allow collectd to read hardware state information
    +- Add loop_control_device_t
    +- Allow mdadm to request kernel to load module
    +- Allow domains that start other domains via systemctl to search unit dir
    +- systemd_tmpfiles, needs to list any file systems mounted on /tmp
    +- No one can explain why radius is listing the contents of /tmp, so we will dontaudit
    +- If I can manage etc_runtime files, I should be able to read the links
    +- Dontaudit hostname writing to mock library chr_files
    +- Have gdm_t setup labeling correctly in users home dir
    +- Label content under /var/run/user/NAME/dconf as config_home_t
    +- Allow sa-update to execute shell
    +- Make ssh-keygen work with fips_enabled
    +- Make mock work for staff_t user
    +- Tighten security on mock_t

 policy-F16.patch    |  874 ++++++++++++++++++++++++++++++++++++---------------
 selinux-policy.spec |   18 +-
 2 files changed, 636 insertions(+), 256 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 7a1c25d..0baf745 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4634,10 +4634,10 @@ index 6e4add5..10a2ce4 100644
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(giftd_t)
 diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
-index 00a19e3..d5acf98 100644
+index 00a19e3..9f6139c 100644
 --- a/policy/modules/apps/gnome.fc
 +++ b/policy/modules/apps/gnome.fc
-@@ -1,9 +1,43 @@
+@@ -1,9 +1,45 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
@@ -4653,6 +4653,8 @@ index 00a19e3..d5acf98 100644
 +HOME_DIR/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
 +HOME_DIR/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
 +
++/var/run/user/[^/]*/dconf(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
++
 +/root/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +/root/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
 +/root/\.config(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
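Review bot: The added `/var/run/user/[^/]*/dconf(/.*)?` spec labels a runtime directory with config_home_t, the type this file otherwise uses for ~/.config-style content, so every domain that already manages config_home_t in the home directory gains the same access under /var/run/user, and nothing in the label keeps one user's dconf runtime data apart from another's. If /var/run is a symlink to /run on this release, the spec only takes effect when a file-context substitution maps /run to /var/run, which the hunk does not show; worth confirming with `matchpathcon /run/user/1000/dconf` after install. A comment recording the reason would help the next reader, e.g. `# per-user dconf runtime data (presumably written by the dconf service); labeled like ~/.config so gnome clients can reach it`.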
@@ -6946,10 +6948,10 @@ index b2e27ec..c324f94 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te
-index a0be4ef..9c2c8d8 100644
+index a0be4ef..9fcc9df 100644
 --- a/policy/modules/apps/livecd.te
 +++ b/policy/modules/apps/livecd.te
-@@ -21,15 +21,36 @@ files_tmp_file(livecd_tmp_t)
+@@ -21,15 +21,32 @@ files_tmp_file(livecd_tmp_t)
  dontaudit livecd_t self:capability2 mac_admin;
  
  domain_ptrace_all_domains(livecd_t)
@@ -6963,11 +6965,7 @@ index a0be4ef..9c2c8d8 100644
 +storage_filetrans_all_named_dev(livecd_t)
 +term_filetrans_all_named_dev(livecd_t)
 +
-+sysnet_etc_filetrans_config(livecd_t, "resolv.conf")
-+sysnet_etc_filetrans_config(livecd_t, "denyhosts")
-+sysnet_etc_filetrans_config(livecd_t, "hosts")
-+sysnet_etc_filetrans_config(livecd_t, "ethers")
-+sysnet_etc_filetrans_config(livecd_t, "yp.conf")
++sysnet_filetrans_named_content(livecd_t)
 +
 +optional_policy(`
 +	ssh_filetrans_admin_home_content(livecd_t)
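Review bot: Replacing the five explicit `sysnet_etc_filetrans_config` calls with `sysnet_filetrans_named_content(livecd_t)` hands livecd_t whatever set of named transitions that interface carries, and the hunk does not show that set; confirm it still covers resolv.conf, denyhosts, hosts, ethers and yp.conf, and note which additional names livecd_t can now create in /etc with a type other than etc_t. The `optional_policy` block at the end of the hunk continues past it. A one-line comment such as `# livecd writes the network config files into the target /etc; use the shared named-transition set so it stays in sync with sysnetwork` would record why the switch was made.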
@@ -10469,7 +10467,7 @@ index e70b0e8..cd83b89 100644
  /usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
 +/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
 diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
-index ced285a..ff11b08 100644
+index ced285a..8895098 100644
 --- a/policy/modules/apps/userhelper.if
 +++ b/policy/modules/apps/userhelper.if
 @@ -25,6 +25,7 @@ template(`userhelper_role_template',`
@@ -10509,7 +10507,7 @@ index ced285a..ff11b08 100644
  		tunable_policy(`! secure_mode',`
  			#if we are not in secure mode then we can transition to sysadm_t
  			sysadm_bin_spec_domtrans($1_userhelper_t)
-@@ -256,3 +248,65 @@ interface(`userhelper_exec',`
+@@ -256,3 +248,69 @@ interface(`userhelper_exec',`
  
  	can_exec($1, userhelper_exec_t)
  ')
@@ -10571,15 +10569,19 @@ index ced285a..ff11b08 100644
 +	')
 +
 +	optional_policy(`
++		mock_run($1_consolehelper_t, $2)
++	')
++
++	optional_policy(`
 +		xserver_run_xauth($1_consolehelper_t, $2)
 +		xserver_read_xdm_pid($1_consolehelper_t)
 +	')
 +')
 diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
-index 13b2cea..0ba6b25 100644
+index 13b2cea..dd2f4e2 100644
 --- a/policy/modules/apps/userhelper.te
 +++ b/policy/modules/apps/userhelper.te
-@@ -6,9 +6,65 @@ policy_module(userhelper, 1.6.0)
+@@ -6,9 +6,71 @@ policy_module(userhelper, 1.6.0)
  #
  
  attribute userhelper_type;
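Review bot: The new `mock_run($1_consolehelper_t, $2)` block gives every per-role consolehelper domain a transition into mock_t with no comment on why a setuid helper needs to launch mock; the same patch grants consolehelper_domain setuid and setgid capabilities, so the reader should be told the path is intentional. Presumably /usr/bin/mock is a consolehelper link on this distribution — confirm — in which case `# /usr/bin/mock is run through consolehelper; let the caller's role reach mock_t` above the optional_policy would do. The template this code sits in starts before the hunk.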
@@ -10602,6 +10604,7 @@ index 13b2cea..0ba6b25 100644
 +allow consolehelper_domain self:shm create_shm_perms;
 +allow consolehelper_domain self:capability { setgid setuid }; 
 +
++allow consolehelper_domain  userhelper_conf_t:file audit_access;
 +dontaudit consolehelper_domain  userhelper_conf_t:file write;
 +read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t)
 +
@@ -10618,10 +10621,15 @@ index 13b2cea..0ba6b25 100644
 +corecmd_exec_bin(consolehelper_domain)
 +
 +dev_getattr_all_chr_files(consolehelper_domain)
++dev_dontaudit_list_all_dev_nodes(consolehelper_domain)
++dev_dontaudit_getattr_all(consolehelper_domain)
++fs_getattr_all_dirs(consolehelper_domain)
 +
 +files_read_config_files(consolehelper_domain)
 +files_read_usr_files(consolehelper_domain)
 +
++term_list_ptys(consolehelper_domain)
++
 +auth_search_pam_console_data(consolehelper_domain)
 +auth_read_pam_pid(consolehelper_domain)
 +
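Review bot: `fs_getattr_all_dirs(consolehelper_domain)` and `term_list_ptys(consolehelper_domain)` are allow rules sitting between dontaudit lines with nothing saying which helper needed them; getattr on every filesystem's directory type is a wide grant for a setuid helper domain shared by all roles. If the denial that prompted it came from one filesystem type, the matching narrower interface would be preferable; otherwise a why-comment naming the program and the denial that required them would keep the grant from being widened further later.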
@@ -12637,7 +12645,7 @@ index 35fed4f..49f27ca 100644
  type $1_server_packet_t, packet_type, server_packet_type;
  declare_ports($1_port_t,shift($*))dnl
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..5b25039 100644
+index 6cf8784..a9038b9 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -20,6 +20,7 @@
@@ -12648,7 +12656,15 @@ index 6cf8784..5b25039 100644
  /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -187,8 +188,6 @@ ifdef(`distro_suse', `
+@@ -57,6 +58,7 @@
+ /dev/lirc[0-9]+		-c	gen_context(system_u:object_r:lirc_device_t,s0)
+ /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/loop-control	-c	gen_context(system_u:object_r:loop_control_device_t,s0)
+ /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+ /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+@@ -187,8 +189,6 @@ ifdef(`distro_suse', `
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
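Review bot: The new `/dev/loop-control` entry relies on winning over any `/dev/loop.*` spec that labels the numbered loop nodes (upstream refpolicy has one for fixed_disk_device_t); libselinux prefers the literal spec over a regex, so it should win, but `matchpathcon /dev/loop-control` after install would confirm it is not swallowed. Ioctls on this node allocate and free loop devices, which is the step before attaching an arbitrary file as a block device, so a dedicated type is the right call; keep that in mind when handing out `dev_rw_loop_control`. A comment on the line, `# loop-control: allocates/frees loop devices (LOOP_CTL_*), separate from the loop nodes themselves`, would record the distinction.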
  
@@ -12657,7 +12673,7 @@ index 6cf8784..5b25039 100644
  ifdef(`distro_redhat',`
  # originally from named.fc
  /var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +195,8 @@ ifdef(`distro_redhat',`
+@@ -196,3 +196,8 @@ ifdef(`distro_redhat',`
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
  ')
@@ -12667,7 +12683,7 @@ index 6cf8784..5b25039 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..ea13c2c 100644
+index f820f3b..2429787 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -12959,7 +12975,106 @@ index f820f3b..ea13c2c 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -2681,7 +2827,7 @@ interface(`dev_write_misc',`
+@@ -2358,7 +2504,97 @@ interface(`dev_filetrans_lirc',`
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of the lvm comtrol device.
++##	Get the attributes of the loop comtrol device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_getattr_loop_control',`
++	gen_require(`
++		type device_t, loop_control_device_t;
++	')
++
++	getattr_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++## <summary>
++##	Read the loop comtrol device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_loop_control',`
++	gen_require(`
++		type device_t, loop_control_device_t;
++	')
++
++	read_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++## <summary>
++##	Read and write the loop control device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_loop_control',`
++	gen_require(`
++		type device_t, loop_control_device_t;
++	')
++
++	rw_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read and write loop control device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`dev_dontaudit_rw_loop_control',`
++	gen_require(`
++		type loop_control_device_t;
++	')
++
++	dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
++')
++
++########################################
++## <summary>
++##	Delete the loop control device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_delete_loop_control_dev',`
++	gen_require(`
++		type device_t, loop_control_device_t;
++	')
++
++	delete_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++## <summary>
++##	Get the attributes of the loop comtrol device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2681,7 +2917,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
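Review bot: The summary at the end of the hunk, `##	Get the attributes of the loop comtrol device.`, now sits above the unchanged lvm_control interface (its body continues past the hunk), because the original `lvm comtrol` line was edited into the first loop interface instead of being left in place; it should read `##	Get the attributes of the lvm control device.`. The new interfaces also carry the `comtrol` typo in the `dev_getattr_loop_control` and `dev_read_loop_control` summaries. Worth fixing now, since these summaries are what the generated interface documentation shows.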
@@ -12968,7 +13083,7 @@ index f820f3b..ea13c2c 100644
  ##	</summary>
  ## </param>
  #
-@@ -3210,24 +3356,6 @@ interface(`dev_rw_printer',`
+@@ -3210,24 +3446,6 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -12993,7 +13108,7 @@ index f820f3b..ea13c2c 100644
  ##	Get the attributes of the QEMU
  ##	microcode and id interfaces.
  ## </summary>
-@@ -3811,6 +3939,42 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3811,6 +4029,42 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -13036,7 +13151,7 @@ index f820f3b..ea13c2c 100644
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3902,25 +4066,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3902,25 +4156,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -13062,7 +13177,7 @@ index f820f3b..ea13c2c 100644
  ##	Read hardware state information.
  ## </summary>
  ## <desc>
-@@ -3972,6 +4117,42 @@ interface(`dev_rw_sysfs',`
+@@ -3972,6 +4207,42 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -13105,7 +13220,7 @@ index f820f3b..ea13c2c 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4069,6 +4250,25 @@ interface(`dev_write_urand',`
+@@ -4069,6 +4340,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -13131,7 +13246,7 @@ index f820f3b..ea13c2c 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4495,6 +4695,24 @@ interface(`dev_rw_vhost',`
+@@ -4495,6 +4785,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -13156,7 +13271,7 @@ index f820f3b..ea13c2c 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5002,772 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5092,772 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -13930,7 +14045,7 @@ index f820f3b..ea13c2c 100644
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 08f01e7..95a6de8 100644
+index 08f01e7..1c2562c 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
 @@ -108,6 +108,7 @@ dev_node(ksm_device_t)
@@ -13941,7 +14056,20 @@ index 08f01e7..95a6de8 100644
  
  #
  # Type for /dev/lirc
-@@ -265,6 +266,7 @@ dev_node(v4l_device_t)
+@@ -118,6 +119,12 @@ dev_node(lirc_device_t)
+ #
+ # Type for /dev/mapper/control
+ #
++type loop_control_device_t;
++dev_node(loop_control_device_t)
++
++#
++# Type for /dev/mapper/control
++#
+ type lvm_control_t;
+ dev_node(lvm_control_t)
+ 
+@@ -265,6 +272,7 @@ dev_node(v4l_device_t)
  #
  type vhost_device_t;
  dev_node(vhost_device_t)
@@ -13949,7 +14077,7 @@ index 08f01e7..95a6de8 100644
  
  # Type for vmware devices.
  type vmware_device_t;
-@@ -310,5 +312,5 @@ files_associate_tmp(device_node)
+@@ -310,5 +318,5 @@ files_associate_tmp(device_node)
  #
  
  allow devices_unconfined_type self:capability sys_rawio;
@@ -14308,7 +14436,7 @@ index c19518a..12e8e9c 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..9a8a169 100644
+index ff006ea..4262f4a 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -14608,7 +14736,15 @@ index ff006ea..9a8a169 100644
  ')
  
  ########################################
-@@ -3364,7 +3505,7 @@ interface(`files_home_filetrans',`
+@@ -2796,6 +2937,7 @@ interface(`files_manage_etc_runtime_files',`
+ 	')
+ 
+ 	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
++	read_lnk_files_pattern($1, etc_t, etc_runtime_t)
+ ')
+ 
+ ########################################
+@@ -3364,7 +3506,7 @@ interface(`files_home_filetrans',`
  		type home_root_t;
  	')
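Review bot: `read_lnk_files_pattern($1, etc_t, etc_runtime_t)` only reaches symlinks that live in an etc_t directory, while the `manage_files_pattern` above it uses `{ etc_t etc_runtime_t }` as the container set; if etc_runtime_t directories exist, symlinks in them will still be denied. For consistency use `read_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)`. The files_manage_etc_runtime_files interface begins before the hunk.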
  
@@ -14617,7 +14753,7 @@ index ff006ea..9a8a169 100644
  ')
  
  ########################################
-@@ -3502,20 +3643,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3644,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -14661,7 +14797,7 @@ index ff006ea..9a8a169 100644
  ')
  
  ########################################
-@@ -3900,6 +4059,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +4060,99 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -14761,7 +14897,7 @@ index ff006ea..9a8a169 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3945,7 +4197,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4198,7 @@ interface(`files_getattr_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14770,7 +14906,7 @@ index ff006ea..9a8a169 100644
  ##	</summary>
  ## </param>
  #
-@@ -4017,7 +4269,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4270,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14779,7 +14915,7 @@ index ff006ea..9a8a169 100644
  ##	</summary>
  ## </param>
  #
-@@ -4029,6 +4281,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4282,24 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -14804,7 +14940,7 @@ index ff006ea..9a8a169 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4085,6 +4355,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4356,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -14837,7 +14973,7 @@ index ff006ea..9a8a169 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4139,7 +4435,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,7 +4436,7 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -14846,7 +14982,7 @@ index ff006ea..9a8a169 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4147,17 +4443,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4147,17 +4444,17 @@ interface(`files_rw_generic_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -14868,7 +15004,7 @@ index ff006ea..9a8a169 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4165,34 +4461,70 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4165,33 +4462,69 @@ interface(`files_setattr_all_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -14904,7 +15040,6 @@ index ff006ea..9a8a169 100644
  	')
  
 -	allow $1 var_t:dir search_dir_perms;
--	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +	allow $1 tmpfile:dir { search_dir_perms setattr };
 +')
 +
@@ -14945,11 +15080,10 @@ index ff006ea..9a8a169 100644
 +	')
 +
 +	allow $1 var_t:dir search_dir_perms;
-+	relabel_dirs_pattern($1, tmpfile, tmpfile)
+ 	relabel_dirs_pattern($1, tmpfile, tmpfile)
  ')
  
- ########################################
-@@ -4202,7 +4534,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4535,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14958,7 +15092,7 @@ index ff006ea..9a8a169 100644
  ##	</summary>
  ## </param>
  #
-@@ -4262,7 +4594,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4595,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14967,7 +15101,7 @@ index ff006ea..9a8a169 100644
  ##	</summary>
  ## </param>
  #
-@@ -4318,7 +4650,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4651,7 @@ interface(`files_tmp_filetrans',`
  		type tmp_t;
  	')
  
@@ -14976,7 +15110,7 @@ index ff006ea..9a8a169 100644
  ')
  
  ########################################
-@@ -4342,6 +4674,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4675,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -14993,7 +15127,7 @@ index ff006ea..9a8a169 100644
  ')
  
  ########################################
-@@ -4681,7 +5023,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5024,7 @@ interface(`files_usr_filetrans',`
  		type usr_t;
  	')
  
@@ -15002,7 +15136,7 @@ index ff006ea..9a8a169 100644
  ')
  
  ########################################
-@@ -5084,7 +5426,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5427,7 @@ interface(`files_var_filetrans',`
  		type var_t;
  	')
  
@@ -15011,7 +15145,7 @@ index ff006ea..9a8a169 100644
  ')
  
  ########################################
-@@ -5219,7 +5561,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5562,7 @@ interface(`files_var_lib_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -15020,7 +15154,7 @@ index ff006ea..9a8a169 100644
  ')
  
  ########################################
-@@ -5304,6 +5646,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5647,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -15046,7 +15180,7 @@ index ff006ea..9a8a169 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5317,6 +5678,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5679,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -15055,7 +15189,7 @@ index ff006ea..9a8a169 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5336,12 +5699,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5700,14 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -15071,7 +15205,7 @@ index ff006ea..9a8a169 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5349,12 +5714,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5715,30 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -15083,8 +15217,7 @@ index ff006ea..9a8a169 100644
 +	files_search_locks($1)
 +	allow $1 var_lock_t:dir create_dir_perms;
 +')
- 
--	list_dirs_pattern($1, var_t, var_lock_t)
++
 +########################################
 +## <summary>
 +##	Set the attributes of the /var/lock directory.
@@ -15099,12 +15232,13 @@ index ff006ea..9a8a169 100644
 +	gen_require(`
 +		type var_lock_t;
 +	')
-+
+ 
+-	list_dirs_pattern($1, var_t, var_lock_t)
 +	allow $1 var_lock_t:dir setattr;
  ')
  
  ########################################
-@@ -5373,6 +5756,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5757,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -15112,7 +15246,7 @@ index ff006ea..9a8a169 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5385,7 +5769,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5770,6 @@ interface(`files_rw_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15120,7 +15254,7 @@ index ff006ea..9a8a169 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5412,7 +5795,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5796,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -15129,7 +15263,7 @@ index ff006ea..9a8a169 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5428,12 +5811,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5812,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -15146,7 +15280,7 @@ index ff006ea..9a8a169 100644
  ')
  
  ########################################
-@@ -5452,7 +5835,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5836,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -15155,7 +15289,7 @@ index ff006ea..9a8a169 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5493,7 +5876,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5877,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -15164,7 +15298,7 @@ index ff006ea..9a8a169 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5898,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5899,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -15173,7 +15307,7 @@ index ff006ea..9a8a169 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +5930,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +5931,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -15184,7 +15318,7 @@ index ff006ea..9a8a169 100644
  ')
  
  ########################################
-@@ -5608,6 +5991,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +5992,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -15228,7 +15362,7 @@ index ff006ea..9a8a169 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5629,6 +6049,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,6 +6050,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -15254,7 +15388,7 @@ index ff006ea..9a8a169 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -5736,7 +6175,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6176,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -15263,7 +15397,7 @@ index ff006ea..9a8a169 100644
  ')
  
  ########################################
-@@ -5815,29 +6254,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6255,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -15297,7 +15431,7 @@ index ff006ea..9a8a169 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5845,42 +6280,35 @@ interface(`files_read_all_pids',`
+@@ -5845,42 +6281,35 @@ interface(`files_read_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -15347,7 +15481,7 @@ index ff006ea..9a8a169 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5888,20 +6316,17 @@ interface(`files_delete_all_pids',`
+@@ -5888,20 +6317,17 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -15371,7 +15505,7 @@ index ff006ea..9a8a169 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5909,56 +6334,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5909,56 +6335,59 @@ interface(`files_delete_all_pid_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -15447,7 +15581,7 @@ index ff006ea..9a8a169 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5966,18 +6394,17 @@ interface(`files_list_spool',`
+@@ -5966,18 +6395,17 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -15470,7 +15604,7 @@ index ff006ea..9a8a169 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5985,19 +6412,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -5985,19 +6413,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -15495,7 +15629,7 @@ index ff006ea..9a8a169 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6005,50 +6431,61 @@ interface(`files_read_generic_spool',`
+@@ -6005,50 +6432,61 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -15576,7 +15710,7 @@ index ff006ea..9a8a169 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6056,23 +6493,275 @@ interface(`files_spool_filetrans',`
+@@ -6056,23 +6494,275 @@ interface(`files_spool_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -15597,12 +15731,13 @@ index ff006ea..9a8a169 100644
 -
 -	# Need to give access to the directories to be polyinstantiated
 -	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+-	# Need to give access to the polyinstantiated subdirectories
+-	allow $1 polymember:dir search_dir_perms;
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
 +')
- 
--	# Need to give access to the polyinstantiated subdirectories
--	allow $1 polymember:dir search_dir_perms;
++
 +########################################
 +## <summary>
 +##	Make the specified type a file
@@ -15865,7 +16000,7 @@ index ff006ea..9a8a169 100644
  
  	# Need to give access to parent directories where original
  	# is remounted for polyinstantiation aware programs (like gdm)
-@@ -6117,3 +6806,284 @@ interface(`files_unconfined',`
+@@ -6117,3 +6807,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -17221,7 +17356,7 @@ index 7be4ddf..4d4c577 100644
 -# This module currently does not have any file contexts.
 +/selinux    -l	gen_context(system_u:object_r:security_t,s0)
 diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index ca7e808..f155e92 100644
+index ca7e808..ccb32a0 100644
 --- a/policy/modules/kernel/selinux.if
 +++ b/policy/modules/kernel/selinux.if
 @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
@@ -17330,17 +17465,15 @@ index ca7e808..f155e92 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file read_file_perms;
  ')
-@@ -308,21 +342,13 @@ interface(`selinux_set_enforce_mode',`
+@@ -308,21 +342,9 @@ interface(`selinux_set_enforce_mode',`
  	gen_require(`
  		type security_t;
  		attribute can_setenforce;
 -		bool secure_mode_policyload;
  	')
  
-+	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
- 	allow $1 security_t:dir list_dir_perms;
- 	allow $1 security_t:file rw_file_perms;
+-	allow $1 security_t:dir list_dir_perms;
+-	allow $1 security_t:file rw_file_perms;
  	typeattribute $1 can_setenforce;
 -
 -	if(!secure_mode_policyload) {
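Review bot: After this change `selinux_set_enforce_mode` only adds the can_setenforce attribute; the `allow $1 security_t:dir list_dir_perms` and `allow $1 security_t:file rw_file_perms` lines, together with the sysfs helpers, are dropped, so a caller gets nothing unless selinux.te attaches the corresponding rules to the attribute. The selinux.te hunk that presumably carries them is cut off at the end of this page, so I cannot confirm it; if that is the design, say so in the interface body: `# access to security_t for setenforce is granted on can_setenforce in selinux.te, gated by secure_mode_policyload`. The interface's summary text is outside the hunk and should be checked so it no longer promises direct access.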
@@ -17354,7 +17487,7 @@ index ca7e808..f155e92 100644
  ')
  
  ########################################
-@@ -339,21 +365,13 @@ interface(`selinux_load_policy',`
+@@ -339,21 +361,13 @@ interface(`selinux_load_policy',`
  	gen_require(`
  		type security_t;
  		attribute can_load_policy;
@@ -17378,7 +17511,7 @@ index ca7e808..f155e92 100644
  ')
  
  ########################################
-@@ -371,6 +389,8 @@ interface(`selinux_read_policy',`
+@@ -371,6 +385,8 @@ interface(`selinux_read_policy',`
  		type security_t;
  	')
  
@@ -17387,7 +17520,7 @@ index ca7e808..f155e92 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file read_file_perms;
  	allow $1 security_t:security read_policy;
-@@ -433,20 +453,14 @@ interface(`selinux_set_boolean',`
+@@ -433,20 +449,14 @@ interface(`selinux_set_boolean',`
  interface(`selinux_set_generic_booleans',`
  	gen_require(`
  		type security_t;
@@ -17412,7 +17545,7 @@ index ca7e808..f155e92 100644
  ')
  
  ########################################
-@@ -475,20 +489,15 @@ interface(`selinux_set_all_booleans',`
+@@ -475,20 +485,15 @@ interface(`selinux_set_all_booleans',`
  	gen_require(`
  		type security_t;
  		attribute boolean_type;
@@ -17438,7 +17571,7 @@ index ca7e808..f155e92 100644
  ')
  
  ########################################
-@@ -519,6 +528,8 @@ interface(`selinux_set_parameters',`
+@@ -519,6 +524,8 @@ interface(`selinux_set_parameters',`
  		attribute can_setsecparam;
  	')
  
@@ -17447,7 +17580,7 @@ index ca7e808..f155e92 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security setsecparam;
-@@ -542,6 +553,8 @@ interface(`selinux_validate_context',`
+@@ -542,6 +549,8 @@ interface(`selinux_validate_context',`
  		type security_t;
  	')
  
@@ -17456,7 +17589,7 @@ index ca7e808..f155e92 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security check_context;
-@@ -584,6 +597,8 @@ interface(`selinux_compute_access_vector',`
+@@ -584,6 +593,8 @@ interface(`selinux_compute_access_vector',`
  		type security_t;
  	')
  
@@ -17465,7 +17598,7 @@ index ca7e808..f155e92 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_av;
-@@ -605,6 +620,8 @@ interface(`selinux_compute_create_context',`
+@@ -605,6 +616,8 @@ interface(`selinux_compute_create_context',`
  		type security_t;
  	')
  
@@ -17474,7 +17607,7 @@ index ca7e808..f155e92 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_create;
-@@ -626,6 +643,8 @@ interface(`selinux_compute_member',`
+@@ -626,6 +639,8 @@ interface(`selinux_compute_member',`
  		type security_t;
  	')
  
@@ -17483,7 +17616,7 @@ index ca7e808..f155e92 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_member;
-@@ -655,6 +674,8 @@ interface(`selinux_compute_relabel_context',`
+@@ -655,6 +670,8 @@ interface(`selinux_compute_relabel_context',`
  		type security_t;
  	')
  
@@ -17492,7 +17625,7 @@ index ca7e808..f155e92 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_relabel;
-@@ -675,6 +696,8 @@ interface(`selinux_compute_user_contexts',`
+@@ -675,6 +692,8 @@ interface(`selinux_compute_user_contexts',`
  		type security_t;
  	')
  
@@ -17501,14 +17634,15 @@ index ca7e808..f155e92 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_user;
-@@ -696,4 +719,28 @@ interface(`selinux_unconfined',`
+@@ -696,4 +715,29 @@ interface(`selinux_unconfined',`
  	')
  
  	typeattribute $1 selinux_unconfined_type;
 +	selinux_set_all_booleans($1)
 +	selinux_load_policy($1)
 +	selinux_set_parameters($1)
-+')
++	selinux_set_enforce_mode($1)
+ ')
 +
 +########################################
 +## <summary>
@@ -17528,10 +17662,10 @@ index ca7e808..f155e92 100644
 +	type $1, boolean_type;
 +	fs_type($1)
 +	mls_trusted_object($1)
- ')
++')
 +
 diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
-index d70e0b3..97b254e 100644
+index d70e0b3..99ff2ac 100644
 --- a/policy/modules/kernel/selinux.te
 +++ b/policy/modules/kernel/selinux.te
 @@ -1,5 +1,14 @@
@@ -17576,13 +17710,17 @@ index d70e0b3..97b254e 100644
  
  ########################################
  #
-@@ -41,11 +52,24 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
+@@ -41,11 +52,28 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
  allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
  
  if(!secure_mode_policyload) {
 -	allow selinux_unconfined_type boolean_type:file rw_file_perms;
 -	allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
 +	allow can_setenforce security_t:security setenforce;
++	dev_getattr_sysfs_fs(can_setenforce)
++	dev_search_sysfs(can_setenforce)
++	allow can_setenforce security_t:dir list_dir_perms;
++	allow can_setenforce security_t:file rw_file_perms;
 +
 +	ifdef(`distro_rhel4',`
 +		# needed for systems without audit support
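Review bot: The four added lines give every `can_setenforce` domain `list_dir_perms` on security_t dirs and `rw_file_perms` on all security_t files, which reads as much broader than "toggle enforcing" since it covers every selinuxfs node, not just the enforce node. The actual gate is still the `security:security setenforce` permission on the preceding `allow can_setenforce` line (and the `~{ load_policy setenforce setbool }` exclusion above it), but nothing in the block says so. A comment such as `# filesystem access to selinuxfs needed to write the enforce node; the setenforce permission above is the real gate` would stop a later reader from mistaking this for a grant of policy-load or boolean access. The `if(!secure_mode_policyload)` block continues outside this hunk.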
@@ -19014,10 +19152,10 @@ index 2be17d2..afb3532 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..ba7c72e 100644
+index e14b961..483aea4 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,55 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,51 @@ ifndef(`enable_mls',`
  #
  # Local policy
  #
@@ -19052,11 +19190,7 @@ index e14b961..ba7c72e 100644
 +
 +miscfiles_read_hwdata(sysadm_t)
 +
-+sysnet_etc_filetrans_config(sysadm_t, "resolv.conf")
-+sysnet_etc_filetrans_config(sysadm_t, "denyhosts")
-+sysnet_etc_filetrans_config(sysadm_t, "hosts")
-+sysnet_etc_filetrans_config(sysadm_t, "ethers")
-+sysnet_etc_filetrans_config(sysadm_t, "yp.conf")
++sysnet_filetrans_named_content(sysadm_t)
  
  # Add/remove user home directories
  userdom_manage_user_home_dirs(sysadm_t)
@@ -19073,7 +19207,7 @@ index e14b961..ba7c72e 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,6 +90,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +86,7 @@ ifndef(`enable_mls',`
  	logging_manage_audit_log(sysadm_t)
  	logging_manage_audit_config(sysadm_t)
  	logging_run_auditctl(sysadm_t, sysadm_r)
@@ -19081,7 +19215,7 @@ index e14b961..ba7c72e 100644
  ')
  
  tunable_policy(`allow_ptrace',`
-@@ -67,9 +103,9 @@ optional_policy(`
+@@ -67,9 +99,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -19092,7 +19226,7 @@ index e14b961..ba7c72e 100644
  ')
  
  optional_policy(`
-@@ -98,6 +134,10 @@ optional_policy(`
+@@ -98,6 +130,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19103,7 +19237,7 @@ index e14b961..ba7c72e 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -114,7 +154,7 @@ optional_policy(`
+@@ -114,7 +150,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19112,7 +19246,7 @@ index e14b961..ba7c72e 100644
  ')
  
  optional_policy(`
-@@ -124,6 +164,10 @@ optional_policy(`
+@@ -124,6 +160,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19123,7 +19257,7 @@ index e14b961..ba7c72e 100644
  	ddcprobe_run(sysadm_t, sysadm_r)
  ')
  
-@@ -163,6 +207,13 @@ optional_policy(`
+@@ -163,6 +203,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -19137,7 +19271,7 @@ index e14b961..ba7c72e 100644
  ')
  
  optional_policy(`
-@@ -170,15 +221,20 @@ optional_policy(`
+@@ -170,15 +217,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19149,19 +19283,19 @@ index e14b961..ba7c72e 100644
 -	libs_run_ldconfig(sysadm_t, sysadm_r)
 +	kerberos_exec_kadmind(sysadm_t)
 +	kerberos_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+	kudzu_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	lockdev_role(sysadm_r, sysadm_t)
++	kudzu_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
 +	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
-@@ -198,22 +254,19 @@ optional_policy(`
+@@ -198,22 +250,19 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -19189,7 +19323,7 @@ index e14b961..ba7c72e 100644
  ')
  
  optional_policy(`
-@@ -225,21 +278,37 @@ optional_policy(`
+@@ -225,21 +274,37 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19227,7 +19361,7 @@ index e14b961..ba7c72e 100644
  	pcmcia_run_cardctl(sysadm_t, sysadm_r)
  ')
  
-@@ -253,19 +322,19 @@ optional_policy(`
+@@ -253,19 +318,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19251,7 +19385,7 @@ index e14b961..ba7c72e 100644
  ')
  
  optional_policy(`
-@@ -274,10 +343,7 @@ optional_policy(`
+@@ -274,10 +339,7 @@ optional_policy(`
  
  optional_policy(`
  	rpm_run(sysadm_t, sysadm_r)
@@ -19263,7 +19397,7 @@ index e14b961..ba7c72e 100644
  ')
  
  optional_policy(`
-@@ -302,12 +368,18 @@ optional_policy(`
+@@ -302,12 +364,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19283,7 +19417,7 @@ index e14b961..ba7c72e 100644
  ')
  
  optional_policy(`
-@@ -332,7 +404,10 @@ optional_policy(`
+@@ -332,7 +400,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19295,7 +19429,7 @@ index e14b961..ba7c72e 100644
  ')
  
  optional_policy(`
-@@ -343,19 +418,15 @@ optional_policy(`
+@@ -343,19 +414,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19317,7 +19451,7 @@ index e14b961..ba7c72e 100644
  ')
  
  optional_policy(`
-@@ -367,45 +438,45 @@ optional_policy(`
+@@ -367,45 +434,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19374,7 +19508,7 @@ index e14b961..ba7c72e 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +510,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +506,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -19382,7 +19516,7 @@ index e14b961..ba7c72e 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +518,62 @@ ifndef(`distro_redhat',`
+@@ -446,11 +514,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19396,14 +19530,17 @@ index e14b961..ba7c72e 100644
 +	')
 +
 +	optional_policy(`
++		mock_admin(sysadm_t)
++	')
++
++	optional_policy(`
 +		mozilla_role(sysadm_r, sysadm_t)
 +	')
 +
 +	optional_policy(`
 +		mplayer_role(sysadm_r, sysadm_t)
- 	')
--')
- 
++	')
++
 +	optional_policy(`
 +		pyzor_role(sysadm_r, sysadm_t)
 +	')
@@ -19418,8 +19555,9 @@ index e14b961..ba7c72e 100644
 +
 +	optional_policy(`
 +		spamassassin_role(sysadm_r, sysadm_t)
-+	')
-+
+ 	')
+-')
+ 
 +	optional_policy(`
 +		thunderbird_role(sysadm_r, sysadm_t)
 +	')
@@ -20157,10 +20295,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..e3db8d4
+index 0000000..90243b0
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,507 @@
+@@ -0,0 +1,503 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -20250,11 +20388,7 @@ index 0000000..e3db8d4
 +
 +authlogin_filetrans_named_content(unconfined_t)
 +
-+sysnet_etc_filetrans_config(unconfined_t, "resolv.conf")
-+sysnet_etc_filetrans_config(unconfined_t, "denyhosts")
-+sysnet_etc_filetrans_config(unconfined_t, "hosts")
-+sysnet_etc_filetrans_config(unconfined_t, "ethers")
-+sysnet_etc_filetrans_config(unconfined_t, "yp.conf")
++sysnet_filetrans_named_content(unconfined_t)
 +
 +optional_policy(`
 +	ssh_filetrans_admin_home_content(unconfined_t)
@@ -21028,7 +21162,7 @@ index 1bd5812..0d7d8d1 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..e03a970 100644
+index 0b827c5..bfb68b2 100644
 --- a/policy/modules/services/abrt.if
 +++ b/policy/modules/services/abrt.if
 @@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -21111,7 +21245,7 @@ index 0b827c5..e03a970 100644
  #####################################
  ## <summary>
  ##	All of the rules required to administrate
-@@ -286,18 +341,98 @@ interface(`abrt_admin',`
+@@ -286,18 +341,116 @@ interface(`abrt_admin',`
  	role_transition $2 abrt_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -21215,6 +21349,24 @@ index 0b827c5..e03a970 100644
 +    read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +')
++
++########################################
++## <summary>
++##	Do not audit attempts to write abrt sock files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`abrt_dontaudit_write_sock_file',`
++	gen_require(`
++		type abrt_t;
++	')
++
++	dontaudit $1 abrt_t:sock_file write;
++')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
 index 30861ec..ee2d7f1 100644
 --- a/policy/modules/services/abrt.te
@@ -26378,7 +26530,7 @@ index fd8cd0b..3d61138 100644
 +/var/run/chronyd(/.*)			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 +/var/run/chronyd\.sock			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..6a9d3d8 100644
+index 9a0da94..8fb526a 100644
 --- a/policy/modules/services/chronyd.if
 +++ b/policy/modules/services/chronyd.if
 @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -26406,7 +26558,7 @@ index 9a0da94..6a9d3d8 100644
  ####################################
  ## <summary>
  ##	Execute chronyd
-@@ -56,6 +74,122 @@ interface(`chronyd_read_log',`
+@@ -56,6 +74,123 @@ interface(`chronyd_read_log',`
  	read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
  ')
  
@@ -26484,6 +26636,7 @@ index 9a0da94..6a9d3d8 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
 +	allow $1 chronyd_unit_t:file read_file_perms;
 +	allow $1 chronyd_unit_t:service all_service_perms;
 +')
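Review bot: `systemd_search_unit_dirs($1)` is being added by hand next to `systemd_exec_systemctl($1)` here and in the same kind of `*_systemctl` interfaces for nis (two interfaces) and ntp later in this patch, which is exactly the drift this commit is repairing and will recur for every new service module. A single systemd interface that grants both the systemctl exec and the unit-directory search, or having `systemd_exec_systemctl` include the search itself, would remove the need to keep this pair in sync across modules. The enclosing interface begins before this hunk.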
@@ -26529,7 +26682,7 @@ index 9a0da94..6a9d3d8 100644
  ####################################
  ## <summary>
  ##	All of the rules required to administrate
-@@ -75,9 +209,9 @@ interface(`chronyd_read_log',`
+@@ -75,9 +210,9 @@ interface(`chronyd_read_log',`
  #
  interface(`chronyd_admin',`
  	gen_require(`
@@ -26542,7 +26695,7 @@ index 9a0da94..6a9d3d8 100644
  	')
  
  	allow $1 chronyd_t:process { ptrace signal_perms };
-@@ -88,18 +222,19 @@ interface(`chronyd_admin',`
+@@ -88,18 +223,19 @@ interface(`chronyd_admin',`
  	role_transition $2 chronyd_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -27605,10 +27758,10 @@ index 0000000..ed13d1e
 +
 diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
 new file mode 100644
-index 0000000..207f706
+index 0000000..1783fe6
 --- /dev/null
 +++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,61 @@
 +policy_module(collectd, 1.0.0)
 +
 +########################################
@@ -27651,9 +27804,13 @@ index 0000000..207f706
 +kernel_read_network_state(collectd_t)
 +kernel_read_system_state(collectd_t)
 +
++dev_read_sysfs(collectd_t)
++
 +files_read_etc_files(collectd_t)
 +files_read_usr_files(collectd_t)
 +
++fs_getattr_all_fs(collectd_t)
++
 +miscfiles_read_localization(collectd_t)
 +
 +logging_send_syslog_msg(collectd_t)
@@ -39599,10 +39756,10 @@ index 0000000..8d0e473
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
 new file mode 100644
-index 0000000..ec2832c
+index 0000000..0615cc5
 --- /dev/null
 +++ b/policy/modules/services/mock.if
-@@ -0,0 +1,272 @@
+@@ -0,0 +1,306 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
@@ -39756,6 +39913,24 @@ index 0000000..ec2832c
 +	manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
 +')
 +
++########################################
++## <summary>
++##	Manage mock lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mock_dontaudit_write_lib_chr_files',`
++	gen_require(`
++		type mock_var_lib_t;
++	')
++
++	dontaudit $1 mock_var_lib_t:chr_file write;
++')
++
 +#######################################
 +## <summary>
 +##  Dontaudit read and write an leaked file descriptors
@@ -39794,10 +39969,16 @@ index 0000000..ec2832c
 +interface(`mock_run',`
 +	gen_require(`
 +		type mock_t;
++		type mock_build_t;
 +	')
 +
 +	mock_domtrans($1)
 +	role $2 types mock_t;
++	role $2 types mock_build_t;
++
++	optional_policy(`
++		mount_run(mock_t, $2)
++	')
 +')
 +
 +########################################
@@ -39823,7 +40004,7 @@ index 0000000..ec2832c
 +
 +	role $1 types mock_t;
 +
-+	mock_domtrans($2)
++	mock_run($2, $1)
 +
 +	ps_process_pattern($2, mock_t)
 +	allow $2 mock_t:process { ptrace signal_perms };
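Review bot: With `mock_domtrans($2)` replaced by `mock_run($2, $1)`, the `role $1 types mock_t;` line a few lines above the change is now redundant, because mock_run already declares `role $2 types mock_t;` and `role $2 types mock_build_t;`; it can be dropped from mock_role. Note also that mock_run now contains `optional_policy(\`mount_run(mock_t, $2)')`, so every role that receives mock_role additionally gets `mount_t` added to its role set; a one-line comment inside mock_run stating that this is intended (mock mounting into its build roots) would keep that side effect from surprising later readers. The mock_role interface starts before this hunk.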
@@ -39867,20 +40048,30 @@ index 0000000..ec2832c
 +interface(`mock_admin',`
 +	gen_require(`
 +		type mock_t, mock_var_lib_t;
++		type mock_build_t, mock_etc_t, mock_tmp_t;
 +	')
 +
 +	allow $1 mock_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, mock_t)
 +
++	allow $1 mock_build_t:process { ptrace signal_perms };
++	ps_process_pattern($1, mock_build_t)
++
 +	files_list_var_lib($1)
 +	admin_pattern($1, mock_var_lib_t)
++
++	files_list_tmp($1)
++	admin_pattern($1, mock_tmp_t)
++
++	files_search_etc($1)
++	admin_pattern($1, mock_etc_t)
 +')
 diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
 new file mode 100644
-index 0000000..d4b0e18
+index 0000000..773bc00
 --- /dev/null
 +++ b/policy/modules/services/mock.te
-@@ -0,0 +1,136 @@
+@@ -0,0 +1,240 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
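Review bot: `mock_admin` still does not cover `mock_cache_t` (the `/var/cache/mock` label declared earlier in this patch) even though the new lines add admin rules for `mock_tmp_t` and `mock_etc_t`; an admin interface that can manage the build roots and config but not the package cache is incomplete and will produce denials for the admin role when cleaning caches. Add `type mock_cache_t` to the gen_require and, next to the other admin_pattern calls, `files_list_var($1)` and `admin_pattern($1, mock_cache_t)`.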
@@ -39902,6 +40093,11 @@ index 0000000..d4b0e18
 +domain_system_change_exemption(mock_t)
 +role system_r types mock_t;
 +
++type mock_build_t;
++type mock_build_exec_t;
++application_domain(mock_build_t, mock_build_exec_t)
++role system_r types mock_build_t;
++
 +type mock_cache_t;
 +files_type(mock_cache_t)
 +
@@ -39911,13 +40107,16 @@ index 0000000..d4b0e18
 +type mock_var_lib_t;
 +files_type(mock_var_lib_t)
 +
++type mock_etc_t;
++files_config_file(mock_etc_t)
++
 +########################################
 +#
 +# mock local policy
 +#
 +
 +allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
-+allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
++allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
 +# Needed because mock can run java and mono withing build environment
 +allow mock_t self:process { execmem execstack };
 +dontaudit mock_t self:process { siginh noatsecure rlimitinh };
@@ -39930,10 +40129,12 @@ index 0000000..d4b0e18
 +manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
 +files_var_filetrans(mock_t, mock_cache_t, { dir file } )
 +
++read_files_pattern(mock_t, mock_etc_t, mock_etc_t)
++read_lnk_files_pattern(mock_t, mock_etc_t, mock_etc_t)
++
 +manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
 +manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
 +files_tmp_filetrans(mock_t, mock_tmp_t, { dir file })
-+can_exec(mock_t, mock_tmp_t)
 +
 +manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
 +manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
@@ -39941,7 +40142,6 @@ index 0000000..d4b0e18
 +manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
 +manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
 +files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
-+can_exec(mock_t, mock_var_lib_t)
 +allow mock_t mock_var_lib_t:dir mounton;
 +allow mock_t mock_var_lib_t:dir relabel_dir_perms;
 +allow mock_t mock_var_lib_t:file relabel_file_perms;
@@ -39953,12 +40153,15 @@ index 0000000..d4b0e18
 +kernel_read_kernel_sysctls(mock_t)
 +kernel_request_load_module(mock_t)
 +kernel_dontaudit_setattr_proc_dirs(mock_t)
++kernel_read_fs_sysctls(mock_t)
 +
 +corecmd_exec_bin(mock_t)
 +corecmd_exec_shell(mock_t)
 +corecmd_dontaudit_exec_all_executables(mock_t)
 +
 +corenet_tcp_connect_http_port(mock_t)
++corenet_tcp_connect_ftp_port(mock_t)
++corenet_tcp_connect_all_unreserved_ports(mock_t)
 +
 +dev_read_urand(mock_t)
 +dev_read_sysfs(mock_t)
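Review bot: `corenet_tcp_connect_all_unreserved_ports(mock_t)` is added without any comment and is a far wider grant than the http and ftp port lines beside it; given the commit message advertises "Tighten security on mock_t", the missing rationale stands out. If the reason is that repository mirrors and proxies are commonly served from arbitrary high ports, record it above the line, e.g. `# package repositories and proxies may be served from unreserved ports`, so the next reviewer does not narrow it back. If that is not the reason, a tunable like the one used for home-directory access in this module would let sites keep the default tight.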
@@ -39972,16 +40175,20 @@ index 0000000..d4b0e18
 +files_dontaudit_list_boot(mock_t)
 +
 +fs_getattr_all_fs(mock_t)
++fs_search_all(mock_t)
 +fs_manage_cgroup_dirs(mock_t)
-+
++files_list_isid_type_dirs(mock_t)
++	
 +selinux_get_enforce_mode(mock_t)
 +
++term_search_ptys(mock_t)
++
 +auth_use_nsswitch(mock_t)
 +
 +init_exec(mock_t)
 +init_dontaudit_stream_connect(mock_t)
 +
-+libs_domtrans_ldconfig(mock_t)
++libs_exec_ldconfig(mock_t)
 +
 +logging_send_audit_msgs(mock_t)
 +logging_send_syslog_msg(mock_t)
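Review bot: The line added right after `files_list_isid_type_dirs(mock_t)` contains only a tab (`+	`) and replaces the blank separator that the hunk removes; it should be an empty line. The same whitespace-only line appears again in the mock_build_t block added later in this file (the `+      ` line after `allow mock_build_t self:dir read_file_perms;`). Both are worth cleaning before this patch is regenerated, since the policy files in this tree otherwise keep their separators blank.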
@@ -39991,7 +40198,7 @@ index 0000000..d4b0e18
 +userdom_use_user_ptys(mock_t)
 +
 +tunable_policy(`mock_enable_homedirs',`
-+	userdom_read_user_home_content_files(mock_t)
++	userdom_manage_user_home_content_files(mock_t)
 +')
 +
 +tunable_policy(`use_nfs_home_dirs',`
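Review bot: Switching the `mock_enable_homedirs` branch from `userdom_read_user_home_content_files(mock_t)` to `userdom_manage_user_home_content_files(mock_t)` changes what the boolean promises the administrator: mock_t can now create, modify and delete files in user home directories rather than just read them. The tunable's `<desc>` text near the top of mock.te is outside this hunk; if it still describes read access it needs to be updated to say that mock can manage user home content. A comment on the tunable_policy line, such as `# mock writes build results back into the user's home directory`, would record why manage rather than read is required, especially since the mock_build_t domain added later keeps the read-only form under the same boolean.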
@@ -40002,21 +40209,109 @@ index 0000000..d4b0e18
 +optional_policy(`
 +	abrt_read_spool_retrace(mock_t)
 +	abrt_read_cache_retrace(mock_t)
++	abrt_stream_connect(mock_t)
 +')
 +
 +optional_policy(`
-+	mount_domtrans(mock_t)
++	rpm_exec(mock_t)
 +')
 +
 +optional_policy(`
-+	rpm_exec(mock_t)
-+	rpm_manage_db(mock_t)
-+	rpm_entry_type(mock_t)
++	mount_domtrans(mock_t)
 +')
 +
 +optional_policy(`
 +	apache_read_sys_content_rw_files(mock_t)
 +')
++
++########################################
++#
++# mock_build local policy
++#
++allow mock_build_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
++dontaudit mock_build_t self:capability audit_write;
++allow mock_build_t self:process { fork setsched setpgid signal_perms };
++allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
++# Needed because mock can run java and mono withing build environment
++allow mock_build_t self:process { execmem execstack };
++dontaudit mock_build_t self:process { siginh noatsecure rlimitinh };
++allow mock_build_t self:fifo_file manage_fifo_file_perms;
++allow mock_build_t self:unix_stream_socket create_stream_socket_perms;
++allow mock_build_t self:unix_dgram_socket create_socket_perms;
++allow mock_build_t self:dir list_dir_perms;
++allow mock_build_t self:dir read_file_perms;
++      
++ps_process_pattern(mock_t, mock_build_t)
++allow mock_t mock_build_t:process signal_perms;
++domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t)
++domtrans_pattern(mock_t, mock_tmp_t, mock_build_t)
++domain_entry_file(mock_build_t, mock_tmp_t)
++domtrans_pattern(mock_t, mock_var_lib_t, mock_build_t)
++domain_entry_file(mock_build_t, mock_var_lib_t)
++
++manage_dirs_pattern(mock_build_t, mock_cache_t, mock_cache_t)
++manage_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
++manage_lnk_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
++files_var_filetrans(mock_build_t, mock_cache_t, { dir file } )
++
++manage_dirs_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
++manage_files_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
++files_tmp_filetrans(mock_build_t, mock_tmp_t, { dir file })
++can_exec(mock_build_t, mock_tmp_t)
++
++manage_dirs_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
++manage_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
++manage_lnk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
++manage_blk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
++manage_chr_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
++files_var_lib_filetrans(mock_build_t, mock_var_lib_t, { dir file })
++can_exec(mock_build_t, mock_var_lib_t)
++allow mock_build_t mock_var_lib_t:dir mounton;
++allow mock_build_t mock_var_lib_t:dir relabel_dir_perms;
++allow mock_build_t mock_var_lib_t:file relabel_file_perms;
++
++kernel_list_proc(mock_build_t)
++kernel_read_irq_sysctls(mock_build_t)
++kernel_read_system_state(mock_build_t)
++kernel_read_network_state(mock_build_t)
++kernel_read_kernel_sysctls(mock_build_t)
++kernel_request_load_module(mock_build_t)
++kernel_dontaudit_setattr_proc_dirs(mock_build_t)
++
++corecmd_exec_bin(mock_build_t)
++corecmd_exec_shell(mock_build_t)
++corecmd_dontaudit_exec_all_executables(mock_build_t)
++
++dev_getattr_all_chr_files(mock_build_t)
++dev_dontaudit_list_all_dev_nodes(mock_build_t)
++dev_dontaudit_getattr_all(mock_build_t)
++fs_getattr_all_dirs(mock_build_t)
++dev_read_sysfs(mock_build_t)
++
++domain_dontaudit_read_all_domains_state(mock_build_t)
++domain_use_interactive_fds(mock_build_t)
++
++files_read_etc_files(mock_build_t)
++files_read_usr_files(mock_build_t)
++files_dontaudit_list_boot(mock_build_t)
++
++fs_getattr_all_fs(mock_build_t)
++fs_manage_cgroup_dirs(mock_build_t)
++
++selinux_get_enforce_mode(mock_build_t)
++
++auth_use_nsswitch(mock_build_t)
++
++init_exec(mock_build_t)
++init_dontaudit_stream_connect(mock_build_t)
++
++libs_exec_ldconfig(mock_build_t)
++
++miscfiles_read_localization(mock_build_t)
++
++tunable_policy(`mock_enable_homedirs',`
++	userdom_read_user_home_content_files(mock_build_t)
++')
 diff --git a/policy/modules/services/modemmanager.if b/policy/modules/services/modemmanager.if
 index 3368699..7a7fc02 100644
 --- a/policy/modules/services/modemmanager.if
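Review bot: `allow mock_build_t self:dir read_file_perms;` applies a file permission set to the dir class and appears to be fully contained in the `list_dir_perms` rule directly above it, so one of the two lines should go. The `dontaudit mock_build_t self:capability audit_write;` line sits next to an allow of `self:netlink_audit_socket { create_socket_perms nlmsg_relay }`; the kernel requires audit_write to accept user audit messages, so either the capability is actually needed (then grant it the way `logging_send_audit_msgs` would) or the socket rule is dead and can be removed, and the policy should not leave both halves implying different intents. The `# mock_build local policy` header would also benefit from a sentence saying what mock_build_t is for — from the `domain_entry_file` rules it appears to be the domain for whatever mock executes out of its tmp and var_lib content, which is what justifies the large self:capability set — so that future readers can judge whether additions like `kernel_request_load_module(mock_build_t)` belong in a domain that runs build content.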
@@ -42180,7 +42475,7 @@ index 15448d5..b6b42c1 100644
 +/lib/systemd/system/yppasswdd\.service	--	gen_context(system_u:object_r:nis_unit_t,s0)
 +/lib/systemd/system/ypxfrd\.service	--	gen_context(system_u:object_r:nis_unit_t,s0)
 diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..fe15a7d 100644
+index abe3f7f..6314fa6 100644
 --- a/policy/modules/services/nis.if
 +++ b/policy/modules/services/nis.if
 @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -42234,7 +42529,7 @@ index abe3f7f..fe15a7d 100644
  ##	Read ypserv configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -337,6 +318,46 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -337,6 +318,48 @@ interface(`nis_initrc_domtrans_ypbind',`
  
  ########################################
  ## <summary>
@@ -42252,6 +42547,7 @@ index abe3f7f..fe15a7d 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
 +	allow $1 ypbind_unit_t:file read_file_perms;
 +	allow $1 ypbind_unit_t:service all_service_perms;
 +')
@@ -42272,6 +42568,7 @@ index abe3f7f..fe15a7d 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
 +	allow $1 nis_unit_t:file read_file_perms;
 +	allow $1 nis_unit_t:service all_service_perms;
 +')
@@ -42281,7 +42578,7 @@ index abe3f7f..fe15a7d 100644
  ##	All of the rules required to administrate
  ##	an nis environment
  ## </summary>
-@@ -354,10 +375,10 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -354,10 +377,10 @@ interface(`nis_initrc_domtrans_ypbind',`
  #
  interface(`nis_admin',`
  	gen_require(`
@@ -42294,7 +42591,7 @@ index abe3f7f..fe15a7d 100644
  	')
  
  	allow $1 ypbind_t:process { ptrace signal_perms };
-@@ -384,6 +405,7 @@ interface(`nis_admin',`
+@@ -384,6 +407,7 @@ interface(`nis_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, ypbind_var_run_t)
@@ -42302,7 +42599,7 @@ index abe3f7f..fe15a7d 100644
  
  	admin_pattern($1, yppasswdd_var_run_t)
  
-@@ -393,4 +415,5 @@ interface(`nis_admin',`
+@@ -393,4 +417,5 @@ interface(`nis_admin',`
  	admin_pattern($1, ypserv_tmp_t)
  
  	admin_pattern($1, ypserv_var_run_t)
@@ -42621,10 +42918,10 @@ index e79dccc..50202ef 100644
  /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
  
 diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..aaa2e79 100644
+index e80f8c0..e3d6ebb 100644
 --- a/policy/modules/services/ntp.if
 +++ b/policy/modules/services/ntp.if
-@@ -98,6 +98,45 @@ interface(`ntp_initrc_domtrans',`
+@@ -98,6 +98,46 @@ interface(`ntp_initrc_domtrans',`
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
  ')
  
@@ -42663,6 +42960,7 @@ index e80f8c0..aaa2e79 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	systemd_search_unit_dirs($1)
 +	allow $1 ntpd_unit_t:file read_file_perms;
 +	allow $1 ntpd_unit_t:service all_service_perms;
 +')
@@ -42670,7 +42968,7 @@ index e80f8c0..aaa2e79 100644
  ########################################
  ## <summary>
  ##	Read and write ntpd shared memory.
-@@ -122,6 +161,25 @@ interface(`ntp_rw_shm',`
+@@ -122,6 +162,25 @@ interface(`ntp_rw_shm',`
  
  ########################################
  ## <summary>
@@ -42696,7 +42994,7 @@ index e80f8c0..aaa2e79 100644
  ##	All of the rules required to administrate
  ##	an ntp environment
  ## </summary>
-@@ -140,11 +198,10 @@ interface(`ntp_rw_shm',`
+@@ -140,11 +199,10 @@ interface(`ntp_rw_shm',`
  interface(`ntp_admin',`
  	gen_require(`
  		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@@ -42710,7 +43008,7 @@ index e80f8c0..aaa2e79 100644
  	ps_process_pattern($1, ntpd_t)
  
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
-@@ -162,4 +219,6 @@ interface(`ntp_admin',`
+@@ -162,4 +220,6 @@ interface(`ntp_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, ntpd_var_run_t)
@@ -47773,10 +48071,18 @@ index cb7ecb5..3df1532 100644
 +	matahari_manage_pid_files(qpidd_t)
 +')
 diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
-index b1ed1bf..21e2d95 100644
+index b1ed1bf..124971d 100644
 --- a/policy/modules/services/radius.te
 +++ b/policy/modules/services/radius.te
-@@ -77,6 +77,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
+@@ -62,6 +62,7 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+ manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+ manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+ files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
++files_dontaudit_list_tmp(radiusd_t)
+ 
+ kernel_read_kernel_sysctls(radiusd_t)
+ kernel_read_system_state(radiusd_t)
+@@ -77,6 +78,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
  corenet_udp_bind_generic_node(radiusd_t)
  corenet_udp_bind_radacct_port(radiusd_t)
  corenet_udp_bind_radius_port(radiusd_t)
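Review bot: `files_dontaudit_list_tmp(radiusd_t)` is added without a comment, while the commit message itself says nobody can explain why radiusd lists /tmp. A dontaudit that silences an unexplained access is precisely the rule whose reason must be on record, otherwise the next person touching radius.te cannot tell whether it is safe to drop or should become an allow; put `# radiusd lists /tmp for an unknown reason; dontaudit rather than allow until the cause is understood` above the line.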
@@ -52702,7 +53008,7 @@ index c954f31..c7cadcb 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..659d854 100644
+index ec1eb1e..f056f5f 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
 @@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0)
@@ -53107,7 +53413,7 @@ index ec1eb1e..659d854 100644
  ')
  
  optional_policy(`
-@@ -451,3 +558,43 @@ optional_policy(`
+@@ -451,3 +558,44 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -53130,6 +53436,7 @@ index ec1eb1e..659d854 100644
 +manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 +
 +corecmd_exec_bin(spamd_update_t)
++corecmd_exec_shell(spamd_update_t)
 +
 +dev_read_urand(spamd_update_t)
 +
@@ -53664,7 +53971,7 @@ index 22adaca..ba5d941 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..be7b7a3 100644
+index 2dad3c8..24f8d90 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -54014,7 +54321,7 @@ index 2dad3c8..be7b7a3 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +371,25 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +371,26 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -54032,6 +54339,7 @@ index 2dad3c8..be7b7a3 100644
 +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
 +userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
 +
++kernel_read_system_state(ssh_keygen_t)
  kernel_read_kernel_sysctls(ssh_keygen_t)
  
  fs_search_auto_mountpoints(ssh_keygen_t)
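Review bot: `kernel_read_system_state(ssh_keygen_t)` grants read access to generic /proc content, which is broad for what the commit message describes as making ssh-keygen work with fips_enabled, a single sysctl under /proc/sys/crypto. If this policy tree already provides a crypto-sysctl interface in kernel.if (refpolicy's `kernel_read_crypto_sysctls`), that is the narrower rule to use here; if it does not, a comment such as `# reads /proc/sys/crypto/fips_enabled` above the new line would document why the wider permission was chosen. The ssh_keygen_t rules continue outside this hunk.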
@@ -54041,7 +54349,7 @@ index 2dad3c8..be7b7a3 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,10 +406,7 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,10 +407,7 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -58361,7 +58669,7 @@ index 130ced9..b6fb17a 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..453a478 100644
+index 143c893..60e0e2d 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -59011,7 +59319,7 @@ index 143c893..453a478 100644
  ')
  
  optional_policy(`
-@@ -519,12 +749,62 @@ optional_policy(`
+@@ -519,12 +749,63 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59064,6 +59372,7 @@ index 143c893..453a478 100644
 +	gnome_exec_keyringd(xdm_t)
 +	gnome_manage_config(xdm_t)
 +	gnome_manage_gconf_home_files(xdm_t)
++	gnome_filetrans_home_content(xdm_t)
 +	gnome_read_config(xdm_t)
 +	gnome_read_usr_config(xdm_t)
 +	gnome_read_gconf_config(xdm_t)
@@ -59074,7 +59383,7 @@ index 143c893..453a478 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,28 +822,69 @@ optional_policy(`
+@@ -542,28 +823,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59153,7 +59462,7 @@ index 143c893..453a478 100644
  ')
  
  optional_policy(`
-@@ -575,6 +896,14 @@ optional_policy(`
+@@ -575,6 +897,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59168,7 +59477,7 @@ index 143c893..453a478 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -599,7 +928,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +929,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -59177,7 +59486,7 @@ index 143c893..453a478 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -613,8 +942,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +943,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -59193,7 +59502,7 @@ index 143c893..453a478 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +969,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +970,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -59215,7 +59524,7 @@ index 143c893..453a478 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +989,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +990,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -59223,7 +59532,7 @@ index 143c893..453a478 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -672,7 +1016,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,7 +1017,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -59231,7 +59540,7 @@ index 143c893..453a478 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -682,11 +1025,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -682,11 +1026,17 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -59249,7 +59558,7 @@ index 143c893..453a478 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -697,8 +1046,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -59263,7 +59572,7 @@ index 143c893..453a478 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1065,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1066,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -59272,7 +59581,7 @@ index 143c893..453a478 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1072,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1073,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -59287,7 +59596,7 @@ index 143c893..453a478 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1131,40 @@ optional_policy(`
+@@ -778,16 +1132,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59329,7 +59638,7 @@ index 143c893..453a478 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -796,6 +1173,10 @@ optional_policy(`
+@@ -796,6 +1174,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59340,7 +59649,7 @@ index 143c893..453a478 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -811,10 +1192,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1193,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -59354,7 +59663,7 @@ index 143c893..453a478 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1203,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1204,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -59363,7 +59672,7 @@ index 143c893..453a478 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -835,6 +1216,9 @@ init_use_fds(xserver_t)
+@@ -835,6 +1217,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -59373,7 +59682,7 @@ index 143c893..453a478 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -842,6 +1226,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -842,6 +1227,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -59385,7 +59694,7 @@ index 143c893..453a478 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -850,11 +1239,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -850,11 +1240,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -59402,7 +59711,7 @@ index 143c893..453a478 100644
  ')
  
  optional_policy(`
-@@ -862,6 +1254,10 @@ optional_policy(`
+@@ -862,6 +1255,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -59413,7 +59722,7 @@ index 143c893..453a478 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -905,7 +1301,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1302,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -59422,7 +59731,7 @@ index 143c893..453a478 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -959,11 +1355,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1356,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -59454,7 +59763,7 @@ index 143c893..453a478 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -985,18 +1401,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1402,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -60766,7 +61075,7 @@ index ede3231..c8c15bd 100644
  ')
  
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index c310775..4eb1a02 100644
+index c310775..d172193 100644
 --- a/policy/modules/system/hostname.te
 +++ b/policy/modules/system/hostname.te
 @@ -23,29 +23,34 @@ dontaudit hostname_t self:capability sys_tty_config;
@@ -60806,6 +61115,17 @@ index c310775..4eb1a02 100644
  
  logging_send_syslog_msg(hostname_t)
  
+@@ -55,6 +60,10 @@ sysnet_read_config(hostname_t)
+ sysnet_dns_name_resolve(hostname_t)
+ 
+ optional_policy(`
++	mock_dontaudit_write_lib_chr_files(hostname_t)
++')
++
++optional_policy(`
+ 	nis_use_ypbind(hostname_t)
+ ')
+ 
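Review bot: The new `mock_dontaudit_write_lib_chr_files(hostname_t)` silences a denial without recording what triggers it; the changelog entry only restates the rule ("Dontaudit hostname writing to mock library chr_files"). A dontaudit on writes to character devices is exactly the kind of rule that later hides a real misbehaviour, so it should carry a why-comment, e.g. `# hostname is run inside mock chroots and writes to device nodes labelled mock_var_lib_t there; harmless` — that is the likely cause, but confirm the wording against the AVC that motivated the change before committing it. The enclosing hostname.te optional_policy blocks continue outside this hunk.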
 diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
 index 40eb10c..2a0a32c 100644
 --- a/policy/modules/system/hotplug.if
@@ -61771,7 +62091,7 @@ index 94fd8dd..3e8f08e 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..0635313 100644
+index 29a9565..7902fbb 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -62349,7 +62669,7 @@ index 29a9565..0635313 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +783,26 @@ ifdef(`distro_redhat',`
+@@ -531,10 +783,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -62364,11 +62684,7 @@ index 29a9565..0635313 100644
 +		sysnet_relabelfrom_dhcpc_state(initrc_t)
 +		sysnet_relabelfrom_net_conf(initrc_t)
 +		sysnet_relabelto_net_conf(initrc_t)
-+		sysnet_etc_filetrans_config(initrc_t, "resolv.conf")
-+		sysnet_etc_filetrans_config(initrc_t, "denyhosts")
-+		sysnet_etc_filetrans_config(initrc_t, "hosts")
-+		sysnet_etc_filetrans_config(initrc_t, "ethers")
-+		sysnet_etc_filetrans_config(initrc_t, "yp.conf")
++		sysnet_filetrans_named_content(initrc_t)
 +	')
 +
 +	optional_policy(`
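Review bot: Replacing the five `sysnet_etc_filetrans_config(initrc_t, …)` calls with `sysnet_filetrans_named_content(initrc_t)` is not a pure refactor: the new interface, defined later in this patch, also transitions `hosts.deny` to net_conf_t, so initrc_t gains a file transition the removed lines did not grant. That is plausibly intended (denyhosts is in the same list), but it should be mentioned in the changelog, and it is worth confirming that sysnetwork.fc labels /etc/hosts.deny as net_conf_t so the transition and a later restorecon agree; otherwise a file created by an init script gets a label a relabel would change. The enclosing `ifdef(`distro_redhat'` / optional_policy block starts outside the hunk.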
@@ -62376,7 +62692,7 @@ index 29a9565..0635313 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +817,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +813,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -62416,7 +62732,7 @@ index 29a9565..0635313 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +862,8 @@ optional_policy(`
+@@ -561,6 +858,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -62425,7 +62741,7 @@ index 29a9565..0635313 100644
  ')
  
  optional_policy(`
-@@ -577,6 +880,7 @@ optional_policy(`
+@@ -577,6 +876,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -62433,7 +62749,7 @@ index 29a9565..0635313 100644
  ')
  
  optional_policy(`
-@@ -589,6 +893,17 @@ optional_policy(`
+@@ -589,6 +889,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62451,7 +62767,7 @@ index 29a9565..0635313 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +920,13 @@ optional_policy(`
+@@ -605,9 +916,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -62465,7 +62781,7 @@ index 29a9565..0635313 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +951,10 @@ optional_policy(`
+@@ -632,6 +947,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62476,7 +62792,7 @@ index 29a9565..0635313 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +972,11 @@ optional_policy(`
+@@ -649,6 +968,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62488,7 +62804,7 @@ index 29a9565..0635313 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1017,7 @@ optional_policy(`
+@@ -689,6 +1013,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -62496,7 +62812,7 @@ index 29a9565..0635313 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1035,13 @@ optional_policy(`
+@@ -706,7 +1031,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62510,7 +62826,7 @@ index 29a9565..0635313 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1064,10 @@ optional_policy(`
+@@ -729,6 +1060,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62521,7 +62837,7 @@ index 29a9565..0635313 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1077,20 @@ optional_policy(`
+@@ -738,10 +1073,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62542,7 +62858,7 @@ index 29a9565..0635313 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1099,10 @@ optional_policy(`
+@@ -750,6 +1095,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62553,7 +62869,7 @@ index 29a9565..0635313 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1124,6 @@ optional_policy(`
+@@ -771,8 +1120,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -62562,7 +62878,7 @@ index 29a9565..0635313 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1141,12 @@ optional_policy(`
+@@ -790,10 +1137,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -62575,7 +62891,7 @@ index 29a9565..0635313 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1158,6 @@ optional_policy(`
+@@ -805,7 +1154,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62583,7 +62899,7 @@ index 29a9565..0635313 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1167,24 @@ optional_policy(`
+@@ -815,11 +1163,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62609,7 +62925,7 @@ index 29a9565..0635313 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1194,25 @@ optional_policy(`
+@@ -829,6 +1190,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -62635,7 +62951,7 @@ index 29a9565..0635313 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1228,10 @@ optional_policy(`
+@@ -844,6 +1224,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62646,7 +62962,7 @@ index 29a9565..0635313 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1242,149 @@ optional_policy(`
+@@ -854,3 +1238,149 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -65737,7 +66053,7 @@ index b1a85b5..db0d815 100644
  ## </summary>
  ## <desc>
 diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index a19ecea..63c3936 100644
+index a19ecea..99c4da1 100644
 --- a/policy/modules/system/raid.te
 +++ b/policy/modules/system/raid.te
 @@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -65754,7 +66070,7 @@ index a19ecea..63c3936 100644
  
  ########################################
  #
-@@ -23,15 +21,15 @@ files_pid_file(mdadm_var_run_t)
+@@ -23,18 +21,19 @@ files_pid_file(mdadm_var_run_t)
  
  allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
  dontaudit mdadm_t self:capability sys_tty_config;
@@ -65776,7 +66092,11 @@ index a19ecea..63c3936 100644
  
  kernel_read_system_state(mdadm_t)
  kernel_read_kernel_sysctls(mdadm_t)
-@@ -52,13 +50,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
++kernel_request_load_module(mdadm_t)
+ kernel_rw_software_raid_state(mdadm_t)
+ kernel_getattr_core_if(mdadm_t)
+ 
+@@ -52,13 +51,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
  dev_read_realtime_clock(mdadm_t)
  # unfortunately needed for DMI decoding:
  dev_read_raw_memory(mdadm_t)
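Review bot: `kernel_request_load_module(mdadm_t)` has no comment explaining which modules mdadm needs the kernel to autoload, unlike the `dev_read_raw_memory` line below it which documents the DMI decoding reason. module_request lets the domain trigger modprobe for whatever name the kernel subsystem derives, in some paths from user-supplied identifiers, so the intent should be recorded; suggest `# mdadm triggers autoload of md personality modules (e.g. raid1, raid456) when assembling arrays` — that is the likely trigger, but confirm it from the originating AVC. The permission is narrower than allowing mdadm to load modules itself, which is the right choice.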
@@ -65794,7 +66114,7 @@ index a19ecea..63c3936 100644
  fs_dontaudit_list_tmpfs(mdadm_t)
  
  mls_file_read_all_levels(mdadm_t)
-@@ -68,6 +69,7 @@ mls_file_write_all_levels(mdadm_t)
+@@ -68,6 +70,7 @@ mls_file_write_all_levels(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
@@ -65802,7 +66122,7 @@ index a19ecea..63c3936 100644
  
  term_dontaudit_list_ptys(mdadm_t)
  
-@@ -84,6 +86,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
+@@ -84,6 +87,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
  mta_send_mail(mdadm_t)
  
  optional_policy(`
@@ -66810,7 +67130,7 @@ index 694fd94..334e80e 100644
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index ff80d0a..752e031 100644
+index ff80d0a..b1395dc 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
@@ -66997,7 +67317,7 @@ index ff80d0a..752e031 100644
  ')
  
  ########################################
-@@ -731,3 +850,49 @@ interface(`sysnet_use_portmap',`
+@@ -731,3 +850,72 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -67047,8 +67367,31 @@ index ff80d0a..752e031 100644
 +
 +	role_transition $1 dhcpc_exec_t system_r;
 +')
++
++########################################
++## <summary>
++##	Transition to sysnet named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sysnet_filetrans_named_content',`
++	gen_require(`
++		type net_conf_t;
++	')
++
++	files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
++	files_etc_filetrans($1, net_conf_t, file, "denyhosts")
++	files_etc_filetrans($1, net_conf_t, file, "hosts")
++	files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
++	files_etc_filetrans($1, net_conf_t, file, "ethers")
++	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
++')
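Review bot: The summary `Transition to sysnet named content` does not tell a caller which names are covered or that the created files become net_conf_t, yet callers such as initrc_t now depend on this list; spell it out, e.g. `## Create the named sysnet config files (resolv.conf, denyhosts, hosts, hosts.deny, ethers, yp.conf) in /etc labelled net_conf_t.`. The indentation inside the `<param>` block is mixed: `##	<summary>` and `##	</summary>` use tabs while `##      Domain allowed access.` uses spaces, so normalise to tabs. Note also that every rule is for the `file` class only; if any of these are ever created as a symlink the transition will not fire, which is fine as long as that matches how the callers create them.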
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..ac52258 100644
+index 34d0ec5..2c1578e 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -67158,11 +67501,12 @@ index 34d0ec5..ac52258 100644
  userdom_use_user_terminals(dhcpc_t)
  userdom_dontaudit_search_user_home_dirs(dhcpc_t)
  
-@@ -155,6 +173,15 @@ optional_policy(`
+@@ -155,6 +173,16 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	chronyd_initrc_domtrans(dhcpc_t)
++	chronyd_systemctl(dhcpc_t)
 +')
 +
 +optional_policy(`
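Review bot: `chronyd_systemctl(dhcpc_t)` hands a network-facing domain (dhclient parses responses from an untrusted DHCP server) the ability to drive systemctl, which is acceptable only if the interface is scoped to chronyd's unit file type and grants no `init_t:service` permissions over arbitrary units; that interface lives in chronyd.if, outside this hunk, so confirm it before merging. If it is scoped, a comment such as `# dhclient-script presumably restarts chronyd when the lease's NTP servers change` would record why both the initrc and the systemctl control paths are needed here. The rest of this optional_policy block and the surrounding sysnetwork.te rules are outside the hunk.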
@@ -67174,7 +67518,7 @@ index 34d0ec5..ac52258 100644
  	init_dbus_chat_script(dhcpc_t)
  
  	dbus_system_bus_client(dhcpc_t)
-@@ -171,6 +198,8 @@ optional_policy(`
+@@ -171,6 +199,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -67183,7 +67527,7 @@ index 34d0ec5..ac52258 100644
  ')
  
  optional_policy(`
-@@ -192,7 +221,19 @@ optional_policy(`
+@@ -192,7 +222,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67203,7 +67547,7 @@ index 34d0ec5..ac52258 100644
  ')
  
  optional_policy(`
-@@ -213,6 +254,11 @@ optional_policy(`
+@@ -213,6 +255,11 @@ optional_policy(`
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -67215,7 +67559,7 @@ index 34d0ec5..ac52258 100644
  ')
  
  optional_policy(`
-@@ -255,6 +301,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +302,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -67223,7 +67567,7 @@ index 34d0ec5..ac52258 100644
  # for /sbin/ip
  allow ifconfig_t self:packet_socket create_socket_perms;
  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +323,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +324,11 @@ dev_read_urand(ifconfig_t)
  
  domain_use_interactive_fds(ifconfig_t)
  
@@ -67235,7 +67579,7 @@ index 34d0ec5..ac52258 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -301,11 +351,12 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +352,12 @@ logging_send_syslog_msg(ifconfig_t)
  
  miscfiles_read_localization(ifconfig_t)
  
@@ -67250,7 +67594,7 @@ index 34d0ec5..ac52258 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -314,7 +365,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +366,18 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -67269,7 +67613,7 @@ index 34d0ec5..ac52258 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -325,8 +387,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +388,14 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -67284,7 +67628,7 @@ index 34d0ec5..ac52258 100644
  ')
  
  optional_policy(`
-@@ -335,6 +403,18 @@ optional_policy(`
+@@ -335,6 +404,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67303,7 +67647,7 @@ index 34d0ec5..ac52258 100644
  	nis_use_ypbind(ifconfig_t)
  ')
  
-@@ -356,3 +436,9 @@ optional_policy(`
+@@ -356,3 +437,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -67340,10 +67684,10 @@ index 0000000..9eaa38e
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..42276b7
+index 0000000..fc8cac1
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,416 @@
+@@ -0,0 +1,435 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -67413,6 +67757,25 @@ index 0000000..42276b7
 +
 +######################################
 +## <summary>
++##      Allow domain to search systemd unit dirs.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_search_unit_dirs',`
++        gen_require(`
++                attribute systemd_unit_file_type;
++        ')
++	
++	files_search_var_lib($1)
++	allow $1 systemd_unit_file_type:dir search_dir_perms;
++')
++
++######################################
++## <summary>
 +##      Allow domain to read all systemd unit files.
 +## </summary>
 +## <param name="domain">
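Review bot: The new `systemd_search_unit_dirs` interface mixes indentation: the `gen_require` block is indented with eight spaces while the two body lines use tabs, and the line after the `')` carries only a stray tab of trailing whitespace, so normalise to tabs before merging. `files_search_var_lib($1)` is also surprising for an interface about unit directories, which normally live under /etc/systemd and /lib/systemd rather than /var/lib; if it was copied from a neighbouring interface it should be dropped, and if a unit dir under /var/lib is what callers actually need, a comment should say so. The summary would be clearer as `## Allow domain to search systemd unit directories so it can resolve unit names when driving systemctl.`, which ties it to the changelog item it implements.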
@@ -67762,10 +68125,10 @@ index 0000000..42276b7
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..1a24c0a
+index 0000000..3b03294
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,352 @@
+@@ -0,0 +1,353 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -67961,6 +68324,7 @@ index 0000000..1a24c0a
 +# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
 +fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
 +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
++fs_list_all(systemd_tmpfiles_t)
 +
 +files_read_etc_files(systemd_tmpfiles_t)
 +files_getattr_all_dirs(systemd_tmpfiles_t)
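Review bot: `fs_list_all(systemd_tmpfiles_t)` grants directory listing on every filesystem type, which is broader than the stated need (listing whatever is mounted on /tmp) and, unlike the two tmpfs rules above it, carries no comment. Listing is read-only so the exposure is limited to directory names on mounts such as network or fuse filesystems, but a future reader will not know why tmpfiles needs it; add `# /tmp may be tmpfs or another mounted filesystem; tmpfiles must list it to age its contents` above the call. If the denials that motivated this were all for one filesystem type, prefer the matching fs_list_* interface over the blanket grant. The systemd_tmpfiles_t rule block continues outside this hunk.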
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d93f627..8e66361 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,22 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Sep 13 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-27
+-  Allow collectd to read hardware state information
+- Add loop_control_device_t
+- Allow mdadm to request kernel to load module
+- Allow domains that start other domains via systemctl to search unit dir
+- systemd_tmpfiles, needs to list any file systems mounted on /tmp
+- No one can explain why radius is listing the contents of /tmp, so we will dontaudit
+- If I can manage etc_runtime files, I should be able to read the links
+- Dontaudit hostname writing to mock library chr_files
+- Have gdm_t setup labeling correctly in users home dir
+- Label content unde /var/run/user/NAME/dconf as config_home_t
+- Allow sa-update to execute shell
+- Make ssh-keygen working with fips_enabled
+- Make mock work for staff_t user
+- Tighten security on mock_t
+
 * Fri Sep 9 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-26
 - removing unconfined_notrans_t no longer necessary
 - Clean up handling of secure_mode_insmod and secure_mode_policyload

