[selinux-policy] +- Change screen to use screen_domain attribute and allow screen_domains to read all process domain
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Sep 23 11:58:09 UTC 2011
commit f9c350238c584ef18ce20b336a4e66d496de6e15
Author: Miroslav <mgrepl at redhat.com>
Date: Fri Sep 23 13:57:44 2011 +0200
+- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
+- Add SELinux support for ssh pre-auth net process in F17
+- Add logging_syslogd_can_sendmail boolean
policy-F16.patch | 1064 ++++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 7 +-
2 files changed, 803 insertions(+), 268 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 4ff9a1d..ce2d8d9 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1048,10 +1048,18 @@ index 4f7bd3c..a29af21 100644
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..6eac7b9 100644
+index 7090dae..c4bbe69 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
-@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+@@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
+ allow logrotate_t self:process setfscreate;
+
+ allow logrotate_t self:fd use;
++allow logrotate_t self:key manage_key_perms;
+ allow logrotate_t self:fifo_file rw_fifo_file_perms;
+ allow logrotate_t self:unix_dgram_socket create_socket_perms;
+ allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
+@@ -61,6 +62,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
# for /var/lib/logrotate.status and /var/lib/logcheck
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
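Review bot: `allow logrotate_t self:key manage_key_perms;` has no comment saying which operation needs keyring access, while every neighbouring self rule is self-explanatory. As a self rule the grant only covers logrotate's own keyrings, so the exposure is small, but a one-line comment naming the denial it resolves (`# keyring access needed by <trigger placeholder>`) would let a later reviewer decide whether it can be dropped. The logrotate_t self rules continue outside this hunk.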
@@ -1059,7 +1067,7 @@ index 7090dae..6eac7b9 100644
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
kernel_read_system_state(logrotate_t)
-@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t)
+@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t)
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
@@ -1067,7 +1075,7 @@ index 7090dae..6eac7b9 100644
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
-@@ -116,17 +118,15 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +119,15 @@ miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
@@ -1090,7 +1098,7 @@ index 7090dae..6eac7b9 100644
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
-@@ -162,10 +162,20 @@ optional_policy(`
+@@ -162,10 +163,20 @@ optional_policy(`
')
optional_policy(`
@@ -1111,7 +1119,7 @@ index 7090dae..6eac7b9 100644
cups_domtrans(logrotate_t)
')
-@@ -203,7 +213,6 @@ optional_policy(`
+@@ -203,7 +214,6 @@ optional_policy(`
psad_domtrans(logrotate_t)
')
@@ -1119,7 +1127,7 @@ index 7090dae..6eac7b9 100644
optional_policy(`
samba_exec_log(logrotate_t)
')
-@@ -228,3 +237,14 @@ optional_policy(`
+@@ -228,3 +238,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -1655,10 +1663,10 @@ index 0000000..bd83148
+## <summary>No Interfaces</summary>
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
-index 0000000..bb587b1
+index 0000000..3008c85
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,228 @@
+@@ -0,0 +1,236 @@
+policy_module(permissivedomains,16)
+
+optional_policy(`
@@ -1758,6 +1766,14 @@ index 0000000..bb587b1
+')
+
+optional_policy(`
++ gen_require(`
++ type sshd_sandbox_t;
++ ')
++
++ permissive sshd_sandbox_t;
++')
++
++optional_policy(`
+ gen_require(`
+ type fail2ban_client_t;
+ ')
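Review bot: `permissive sshd_sandbox_t;` turns off enforcement for the ssh pre-auth network process, the part of sshd that handles unauthenticated remote input, so any denial in that domain is only logged. Staging a new domain this way is normal, but nothing in the hunk or commit message says what still has to be collected before the type leaves the permissivedomains module; a comment above the block such as `# F17 ssh pre-auth sandbox: permissive until its policy is complete, see <tracking bug placeholder>` would record that. The sshd_sandbox_t declaration itself is outside this hunk, presumably in the ssh module.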
@@ -2283,18 +2299,20 @@ index b4ac57e..ef944a4 100644
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index b206bf6..b11df05 100644
+index b206bf6..de6d89b 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
-@@ -7,6 +7,7 @@
+@@ -6,7 +6,9 @@
+ /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -24,9 +25,14 @@ ifdef(`distro_redhat', `
+@@ -24,9 +26,14 @@ ifdef(`distro_redhat', `
/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
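Review bot: `/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)` adds a new entry point into the package-manager domain alongside yum, but neither the commit message nor the hunk says what zif is or why it should run as rpm_t. Since rpm_exec_t is one of the more privileged entry points in the policy, a changelog line naming the program would make the addition traceable. The rest of the rpm.fc entries are unchanged context.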
@@ -2309,7 +2327,7 @@ index b206bf6..b11df05 100644
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-@@ -36,6 +42,8 @@ ifdef(`distro_redhat', `
+@@ -36,6 +43,8 @@ ifdef(`distro_redhat', `
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
@@ -3641,7 +3659,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..d3dd0b9 100644
+index 441cf22..4779a8d 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -79,18 +79,17 @@ selinux_compute_create_context(chfn_t)
@@ -3688,7 +3706,15 @@ index 441cf22..d3dd0b9 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -291,17 +293,18 @@ selinux_compute_create_context(passwd_t)
+@@ -277,6 +279,7 @@ kernel_read_kernel_sysctls(passwd_t)
+
+ # for SSP
+ dev_read_urand(passwd_t)
++dev_dontaudit_getattr_all(passwd_t)
+
+ fs_getattr_xattr_fs(passwd_t)
+ fs_search_auto_mountpoints(passwd_t)
+@@ -291,17 +294,18 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -3711,7 +3737,16 @@ index 441cf22..d3dd0b9 100644
domain_use_interactive_fds(passwd_t)
-@@ -323,7 +326,7 @@ miscfiles_read_localization(passwd_t)
+@@ -311,6 +315,8 @@ files_search_var(passwd_t)
+ files_dontaudit_search_pids(passwd_t)
+ files_relabel_etc_files(passwd_t)
+
++term_search_ptys(passwd_t)
++
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it. Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(passwd_t)
+@@ -323,7 +329,7 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
@@ -3720,7 +3755,7 @@ index 441cf22..d3dd0b9 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -332,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3728,7 +3763,7 @@ index 441cf22..d3dd0b9 100644
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -381,8 +385,7 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,8 +388,7 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3738,7 +3773,7 @@ index 441cf22..d3dd0b9 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
-@@ -426,7 +429,7 @@ optional_policy(`
+@@ -426,7 +432,7 @@ optional_policy(`
# Useradd local policy
#
@@ -3747,7 +3782,7 @@ index 441cf22..d3dd0b9 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -448,8 +451,12 @@ corecmd_exec_shell(useradd_t)
+@@ -448,8 +454,12 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3760,7 +3795,7 @@ index 441cf22..d3dd0b9 100644
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -460,6 +467,7 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,6 +470,7 @@ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
@@ -3768,7 +3803,7 @@ index 441cf22..d3dd0b9 100644
# Allow access to context for shadow file
selinux_get_fs_mount(useradd_t)
-@@ -469,8 +477,7 @@ selinux_compute_create_context(useradd_t)
+@@ -469,8 +480,7 @@ selinux_compute_create_context(useradd_t)
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
@@ -3778,15 +3813,15 @@ index 441cf22..d3dd0b9 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -498,21 +505,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,21 +508,11 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
-userdom_manage_user_home_dirs(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
@@ -4357,10 +4392,10 @@ index 0000000..6f3570a
+/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
new file mode 100644
-index 0000000..e455bba
+index 0000000..fc9014f
--- /dev/null
+++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,133 @@
+## <summary>execmem domain</summary>
+
+########################################
@@ -4429,6 +4464,10 @@ index 0000000..e455bba
+
+ files_execmod_tmp($1_execmem_t)
+
++ optional_policy(`
++ execmem_execmod($1_execmem_t)
++ ')
++
+ # needed by plasma-desktop
+ optional_policy(`
+ gnome_read_usr_config($1_execmem_t)
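Review bot: The new `optional_policy(` wrapper around `execmem_execmod($1_execmem_t)` is not needed: execmem_execmod is an interface of this same file (execmem.if) and execmem_exec_t is declared in execmem.te, so the call can never refer to an absent module. A plain `execmem_execmod($1_execmem_t)` next to the existing `files_execmod_tmp($1_execmem_t)` is the conventional form inside a module's own template; if the wrapper is kept on purpose, a comment saying why would help. The template continues outside this hunk.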
@@ -4487,7 +4526,7 @@ index 0000000..e455bba
+ type execmem_exec_t;
+ ')
+
-+ allow $1 execmem_exec_t:chr_file execmod;
++ allow $1 execmem_exec_t:file execmod;
+')
+
diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
@@ -9982,17 +10021,61 @@ index c8254dd..340a2d7 100644
/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index a57e81e..57519a4 100644
+index a57e81e..f9fbc60 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
-@@ -68,15 +68,16 @@ template(`screen_role_template',`
- manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
- manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
- userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
-+ userdom_admin_home_dir_filetrans($1_screen_t, screen_home_t, dir)
- read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+@@ -25,6 +25,7 @@ template(`screen_role_template',`
+ gen_require(`
+ type screen_exec_t, screen_tmp_t;
+ type screen_home_t, screen_var_run_t;
++ attribute screen_domain;
+ ')
+
+ ########################################
+@@ -32,51 +33,18 @@ template(`screen_role_template',`
+ # Declarations
+ #
+- type $1_screen_t;
++ type $1_screen_t, screen_domain;
+ application_domain($1_screen_t, screen_exec_t)
+ domain_interactive_fd($1_screen_t)
+ ubac_constrained($1_screen_t)
+ role $2 types $1_screen_t;
+
+- ########################################
+- #
+- # Local policy
+- #
+-
+- allow $1_screen_t self:capability { setuid setgid fsetid };
+- allow $1_screen_t self:process signal_perms;
+- allow $1_screen_t self:fifo_file rw_fifo_file_perms;
+- allow $1_screen_t self:tcp_socket create_stream_socket_perms;
+- allow $1_screen_t self:udp_socket create_socket_perms;
+- # Internal screen networking
+- allow $1_screen_t self:fd use;
+- allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
+- allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+-
+- manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+- manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+- manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+- files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
+-
+- # Create fifo
+- manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+- manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+- manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+- files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
+-
+- allow $1_screen_t screen_home_t:dir list_dir_perms;
+- manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
+- manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+- userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
+- read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+-
- allow $1_screen_t $3:process signal;
-
domtrans_pattern($3, screen_exec_t, $1_screen_t)
@@ -10004,7 +10087,7 @@ index a57e81e..57519a4 100644
manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_home_t, screen_home_t)
-@@ -87,8 +88,6 @@ template(`screen_role_template',`
+@@ -87,77 +55,22 @@ template(`screen_role_template',`
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
@@ -10012,15 +10095,191 @@ index a57e81e..57519a4 100644
- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
- kernel_read_system_state($1_screen_t)
-@@ -118,6 +117,7 @@ template(`screen_role_template',`
- # for SSP
- dev_read_urand($1_screen_t)
+- kernel_read_system_state($1_screen_t)
+- kernel_read_kernel_sysctls($1_screen_t)
+-
+- corecmd_list_bin($1_screen_t)
+- corecmd_read_bin_files($1_screen_t)
+- corecmd_read_bin_symlinks($1_screen_t)
+- corecmd_read_bin_pipes($1_screen_t)
+- corecmd_read_bin_sockets($1_screen_t)
+ # Revert to the user domain when a shell is executed.
+ corecmd_shell_domtrans($1_screen_t, $3)
+ corecmd_bin_domtrans($1_screen_t, $3)
+
+- corenet_all_recvfrom_unlabeled($1_screen_t)
+- corenet_all_recvfrom_netlabel($1_screen_t)
+- corenet_tcp_sendrecv_generic_if($1_screen_t)
+- corenet_udp_sendrecv_generic_if($1_screen_t)
+- corenet_tcp_sendrecv_generic_node($1_screen_t)
+- corenet_udp_sendrecv_generic_node($1_screen_t)
+- corenet_tcp_sendrecv_all_ports($1_screen_t)
+- corenet_udp_sendrecv_all_ports($1_screen_t)
+- corenet_tcp_connect_all_ports($1_screen_t)
+-
+- dev_dontaudit_getattr_all_chr_files($1_screen_t)
+- dev_dontaudit_getattr_all_blk_files($1_screen_t)
+- # for SSP
+- dev_read_urand($1_screen_t)
+-
+- domain_use_interactive_fds($1_screen_t)
+-
+- files_search_tmp($1_screen_t)
+- files_search_home($1_screen_t)
+- files_list_home($1_screen_t)
+- files_read_usr_files($1_screen_t)
+- files_read_etc_files($1_screen_t)
+-
+- fs_search_auto_mountpoints($1_screen_t)
+- fs_getattr_xattr_fs($1_screen_t)
+-
+ auth_domtrans_chk_passwd($1_screen_t)
+ auth_use_nsswitch($1_screen_t)
+- auth_dontaudit_read_shadow($1_screen_t)
+- auth_dontaudit_exec_utempter($1_screen_t)
+-
+- # Write to utmp.
+- init_rw_utmp($1_screen_t)
+-
+- logging_send_syslog_msg($1_screen_t)
+-
+- miscfiles_read_localization($1_screen_t)
+-
+- seutil_read_config($1_screen_t)
-+ domain_sigchld_interactive_fds($1_screen_t)
- domain_use_interactive_fds($1_screen_t)
+- userdom_use_user_terminals($1_screen_t)
+- userdom_create_user_pty($1_screen_t)
+ userdom_user_home_domtrans($1_screen_t, $3)
+- userdom_setattr_user_ptys($1_screen_t)
+- userdom_setattr_user_ttys($1_screen_t)
- files_search_tmp($1_screen_t)
+ tunable_policy(`use_samba_home_dirs',`
+ fs_cifs_domtrans($1_screen_t, $3)
+- fs_read_cifs_symlinks($1_screen_t)
+- fs_list_cifs($1_screen_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_nfs_domtrans($1_screen_t, $3)
+- fs_list_nfs($1_screen_t)
+- fs_read_nfs_symlinks($1_screen_t)
+ ')
+ ')
+diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
+index 553bc73..b3b144c 100644
+--- a/policy/modules/apps/screen.te
++++ b/policy/modules/apps/screen.te
+@@ -5,6 +5,8 @@ policy_module(screen, 2.3.1)
+ # Declarations
+ #
+
++attribute screen_domain;
++
+ type screen_exec_t;
+ application_executable_file(screen_exec_t)
+
+@@ -24,3 +26,101 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t
+ typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
+ files_pid_file(screen_var_run_t)
+ ubac_constrained(screen_var_run_t)
++
++########################################
++#
++# Local policy
++#
++
++allow screen_domain self:capability { setuid setgid fsetid };
++allow screen_domain self:process signal_perms;
++allow screen_domain self:fifo_file rw_fifo_file_perms;
++allow screen_domain self:tcp_socket create_stream_socket_perms;
++allow screen_domain self:udp_socket create_socket_perms;
++# Internal screen networking
++allow screen_domain self:fd use;
++allow screen_domain self:unix_stream_socket { create_socket_perms connectto };
++allow screen_domain self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
++manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
++manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
++files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
++
++# Create fifo
++manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
++manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
++manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
++files_pid_filetrans(screen_domain, screen_var_run_t, dir)
++
++allow screen_domain screen_home_t:dir list_dir_perms;
++manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
++manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
++userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
++userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
++read_files_pattern(screen_domain, screen_home_t, screen_home_t)
++read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
++
++kernel_read_system_state(screen_domain)
++kernel_read_kernel_sysctls(screen_domain)
++
++corecmd_list_bin(screen_domain)
++corecmd_read_bin_files(screen_domain)
++corecmd_read_bin_symlinks(screen_domain)
++corecmd_read_bin_pipes(screen_domain)
++corecmd_read_bin_sockets(screen_domain)
++
++corenet_all_recvfrom_unlabeled(screen_domain)
++corenet_all_recvfrom_netlabel(screen_domain)
++corenet_tcp_sendrecv_generic_if(screen_domain)
++corenet_udp_sendrecv_generic_if(screen_domain)
++corenet_tcp_sendrecv_generic_node(screen_domain)
++corenet_udp_sendrecv_generic_node(screen_domain)
++corenet_tcp_sendrecv_all_ports(screen_domain)
++corenet_udp_sendrecv_all_ports(screen_domain)
++corenet_tcp_connect_all_ports(screen_domain)
++
++dev_dontaudit_getattr_all_chr_files(screen_domain)
++dev_dontaudit_getattr_all_blk_files(screen_domain)
++# for SSP
++dev_read_urand(screen_domain)
++
++domain_sigchld_interactive_fds(screen_domain)
++domain_use_interactive_fds(screen_domain)
++domain_read_all_domains_state(screen_domain)
++
++files_search_tmp(screen_domain)
++files_search_home(screen_domain)
++files_list_home(screen_domain)
++files_read_usr_files(screen_domain)
++files_read_etc_files(screen_domain)
++
++fs_search_auto_mountpoints(screen_domain)
++fs_getattr_xattr_fs(screen_domain)
++
++auth_dontaudit_read_shadow(screen_domain)
++auth_dontaudit_exec_utempter(screen_domain)
++
++# Write to utmp.
++init_rw_utmp(screen_domain)
++
++logging_send_syslog_msg(screen_domain)
++
++miscfiles_read_localization(screen_domain)
++
++seutil_read_config(screen_domain)
++
++userdom_use_user_terminals(screen_domain)
++userdom_create_user_pty(screen_domain)
++userdom_setattr_user_ptys(screen_domain)
++userdom_setattr_user_ttys(screen_domain)
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_symlinks(screen_domain)
++ fs_list_cifs(screen_domain)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_list_nfs(screen_domain)
++ fs_read_nfs_symlinks(screen_domain)
++')
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
index 1dc7a85..a01511f 100644
--- a/policy/modules/apps/seunshare.if
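Review bot: `domain_read_all_domains_state(screen_domain)` is the only rule in the new screen.te block that was not moved verbatim from the template in screen.if, and it carries no comment, so it reads like part of the relocation rather than the deliberate widening the commit title describes; a line above it such as `# screen/tmux need /proc/<pid> state of attached sessions in any domain (adjust to the real trigger)` would mark it out. Because `type $1_screen_t, screen_domain;` places every screen role on the attribute, the grant reaches unprivileged user_screen_t as well as the admin roles, and the comment should say that this is intended. The relocation itself looks complete: each rule removed from the template reappears on screen_domain, with the earlier `userdom_admin_home_dir_filetrans` kept and only `auth_domtrans_chk_passwd`/`auth_use_nsswitch` left in the template.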
@@ -12389,7 +12648,7 @@ index 4f3b542..5a41e58 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..9a30b71 100644
+index 99b71cb..5287f7a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,14 @@ attribute netif_type;
@@ -12506,13 +12765,11 @@ index 99b71cb..9a30b71 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -114,12 +148,13 @@ network_port(hadoop_namenode, tcp,8020,s0)
- network_port(hddtemp, tcp,7634,s0)
+@@ -115,11 +149,12 @@ network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
--network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+ network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
-network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
-+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,18001,s0) #8443 is mod_nss default port #18001 is used for jboss
+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
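Review bot: `tcp,8123,s0` is added to the http_cache line without extending the trailing comment, which currently explains only 8118 (`# 8118 is for privoxy`). If 8123 is the polipo default it is being added for, `# 8118 is for privoxy, 8123 for polipo` keeps the line self-documenting; otherwise name whatever does listen there. The http line in this hunk now loses 18001, which is handled in the next hunk.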
@@ -12530,7 +12787,7 @@ index 99b71cb..9a30b71 100644
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(jabber_router, tcp,5347,s0)
-+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0)
++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 18001, s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
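Review bot: `tcp, 18001, s0` in the jboss_management line uses spaces where the other entries on the same line (`tcp,4712,s0`, `tcp,9123,s0`) and the http entry it replaces (`tcp,18001,s0`) do not; `tcp,18001,s0` keeps the line uniform. Moving 18001 from http_port_t to jboss_management_port_t also means any domain that reached that port through the http-port interfaces now needs the jboss_management port interfaces instead, which is worth a line in the commit message since this hunk is the only place the move is visible.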
@@ -12551,7 +12808,11 @@ index 99b71cb..9a30b71 100644
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -155,13 +195,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+@@ -152,16 +192,25 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+ network_port(nessus, tcp,1241,s0)
+ network_port(netport, tcp,3129,s0, udp,3129,s0)
+ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
++network_port(nfs, tcp,2049,s0, udp,2049,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
@@ -12574,7 +12835,7 @@ index 99b71cb..9a30b71 100644
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
-@@ -179,30 +227,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,30 +228,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
@@ -12614,7 +12875,7 @@ index 99b71cb..9a30b71 100644
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -215,7 +268,7 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,7 +269,7 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -12623,7 +12884,7 @@ index 99b71cb..9a30b71 100644
network_port(wccp, udp,2048,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
-@@ -229,6 +282,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +283,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -12631,7 +12892,7 @@ index 99b71cb..9a30b71 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,6 +292,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +293,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -12640,7 +12901,7 @@ index 99b71cb..9a30b71 100644
########################################
#
-@@ -282,9 +338,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +339,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -18164,10 +18425,15 @@ index 1700ef2..6b7eabb 100644
+ dev_filetrans($1, removable_device_t, chr_file, "rio500")
+')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..6727eb7 100644
+index 7d45d15..6d27fb3 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
-@@ -19,6 +19,7 @@
+@@ -14,11 +14,11 @@
+ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+-/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+ /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
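Review bot: The entry `/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)` is dropped from the inner patch with no replacement visible in this hunk, and the commit message does not mention terminal.fc. If the reason is that /dev/pts is a kernel-labelled devpts mount where a file-context entry has no effect beyond restorecon noise, a short note in the commit message would save the next reader from checking; please confirm which label /dev/pts/ptmx receives at runtime after this change, since ptmx_t is what the pty interfaces key on.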
@@ -18175,7 +18441,7 @@ index 7d45d15..6727eb7 100644
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +42,5 @@ ifdef(`distro_gentoo',`
+@@ -41,3 +41,5 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
@@ -21416,7 +21682,7 @@ index 0b827c5..bfb68b2 100644
+ dontaudit $1 abrt_t:sock_file write;
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..ee2d7f1 100644
+index 30861ec..bd5ff95 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -21513,15 +21779,17 @@ index 30861ec..ee2d7f1 100644
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
-@@ -69,6 +119,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -68,7 +118,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+ # abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
++manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
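Review bot: `manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)` lands directly above an existing `can_exec(abrt_t, abrt_tmp_t)`, so abrt_t can now both create symlinks in and execute from the same tmp type. Following a symlink only reaches what abrt_t may already access, so the grant is bounded, but for a daemon that processes crash data from arbitrary processes a comment naming the operation that needs symlinks in its tmp dir (`# symlinks in tmp needed by <trigger placeholder>`) would justify it. The abrt_t rule block continues outside this hunk.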
-@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +134,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -21533,7 +21801,7 @@ index 30861ec..ee2d7f1 100644
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
-@@ -104,6 +154,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +155,7 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
@@ -21541,7 +21809,7 @@ index 30861ec..ee2d7f1 100644
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +164,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -21551,7 +21819,7 @@ index 30861ec..ee2d7f1 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +173,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -21560,7 +21828,7 @@ index 30861ec..ee2d7f1 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,15 +185,23 @@ fs_read_nfs_files(abrt_t)
+@@ -131,15 +186,23 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -21587,7 +21855,7 @@ index 30861ec..ee2d7f1 100644
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +212,11 @@ optional_policy(`
+@@ -150,6 +213,11 @@ optional_policy(`
')
optional_policy(`
@@ -21599,7 +21867,7 @@ index 30861ec..ee2d7f1 100644
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
-@@ -167,6 +234,7 @@ optional_policy(`
+@@ -167,6 +235,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -21607,7 +21875,7 @@ index 30861ec..ee2d7f1 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +246,35 @@ optional_policy(`
+@@ -178,12 +247,35 @@ optional_policy(`
')
optional_policy(`
@@ -21644,7 +21912,7 @@ index 30861ec..ee2d7f1 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +291,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +292,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -21673,7 +21941,7 @@ index 30861ec..ee2d7f1 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +314,126 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +315,126 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -22248,7 +22516,7 @@ index deca9d3..ae8c579 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..d7a8d41 100644
+index 9e39aa5..83dbd34 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,13 +1,18 @@
@@ -22330,7 +22598,7 @@ index 9e39aa5..d7a8d41 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,8 +85,10 @@ ifdef(`distro_suse', `
+@@ -73,20 +85,25 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -22342,7 +22610,11 @@ index 9e39aa5..d7a8d41 100644
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -84,9 +98,10 @@ ifdef(`distro_suse', `
+ /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
++/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+ /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
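Review bot: The new `/var/lib/svn(/.*)?` entry is labelled `httpd_sys_rw_content_t` while the neighbouring `/var/lib/trac(/.*)?` gets the read-only `httpd_sys_content_t`, so the httpd domain gains write access to the entire svn tree rather than read access; that is a broader grant than the sibling line and deserves a short comment above it, e.g. `# svn repositories served over HTTP need read/write access` (presumably for commits through the web server, worth confirming). The file-context section these lines belong to starts outside the hunk.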
@@ -22354,7 +22626,7 @@ index 9e39aa5..d7a8d41 100644
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -105,7 +120,27 @@ ifdef(`distro_debian', `
+@@ -105,7 +122,27 @@ ifdef(`distro_debian', `
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -22383,7 +22655,7 @@ index 9e39aa5..d7a8d41 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..6a02978 100644
+index 6480167..1b928cb 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@@ -22715,7 +22987,7 @@ index 6480167..6a02978 100644
')
########################################
-@@ -802,6 +880,24 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -802,6 +880,43 @@ interface(`apache_domtrans_rotatelogs',`
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
@@ -22737,10 +23009,29 @@ index 6480167..6a02978 100644
+ can_exec($1, httpd_rotatelogs_exec_t)
+')
+
++#######################################
++## <summary>
++## Execute httpd system scripts in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`apache_exec_sys_script',`
++ gen_require(`
++ type httpd_sys_script_exec_t;
++ ')
++
++ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
++ can_exec($1, httpd_sys_script_exec_t;
++')
++
########################################
## <summary>
## Allow the specified domain to list
-@@ -819,6 +915,7 @@ interface(`apache_list_sys_content',`
+@@ -819,6 +934,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
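Review bot: The new `apache_exec_sys_script` interface has an unbalanced parenthesis on its last rule, `can_exec($1, httpd_sys_script_exec_t;`, which will fail m4 expansion and break the policy build as soon as any module calls the interface; it should read `can_exec($1, httpd_sys_script_exec_t)`. The parameter description `Domain allowed to transition.` also does not fit an interface whose summary says the scripts run in the caller domain with no transition; `Domain allowed access.` is the wording the other non-transitioning interfaces in this file use.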
@@ -22748,7 +23039,7 @@ index 6480167..6a02978 100644
files_search_var($1)
')
-@@ -846,6 +943,74 @@ interface(`apache_manage_sys_content',`
+@@ -846,6 +962,74 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -22823,7 +23114,7 @@ index 6480167..6a02978 100644
########################################
## <summary>
## Execute all web scripts in the system
-@@ -862,7 +1027,12 @@ interface(`apache_manage_sys_content',`
+@@ -862,7 +1046,12 @@ interface(`apache_manage_sys_content',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
@@ -22837,7 +23128,7 @@ index 6480167..6a02978 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1091,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -921,9 +1110,10 @@ interface(`apache_domtrans_all_scripts',`
## </param>
## <param name="role">
## <summary>
@@ -22849,7 +23140,7 @@ index 6480167..6a02978 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -950,7 +1121,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -950,7 +1140,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -22858,7 +23149,7 @@ index 6480167..6a02978 100644
')
########################################
-@@ -1091,6 +1262,25 @@ interface(`apache_read_tmp_files',`
+@@ -1091,6 +1281,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -22884,7 +23175,7 @@ index 6480167..6a02978 100644
########################################
## <summary>
## Dontaudit attempts to write
-@@ -1107,7 +1297,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1107,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -22893,7 +23184,7 @@ index 6480167..6a02978 100644
')
########################################
-@@ -1150,12 +1340,6 @@ interface(`apache_cgi_domain',`
+@@ -1150,12 +1359,6 @@ interface(`apache_cgi_domain',`
## <summary>
## All of the rules required to administrate an apache environment
## </summary>
@@ -22906,7 +23197,7 @@ index 6480167..6a02978 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1170,17 +1354,15 @@ interface(`apache_cgi_domain',`
+@@ -1170,17 +1373,15 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
@@ -22929,7 +23220,7 @@ index 6480167..6a02978 100644
ps_process_pattern($1, httpd_t)
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1191,10 +1373,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1392,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -22942,7 +23233,7 @@ index 6480167..6a02978 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1387,69 @@ interface(`apache_admin',`
+@@ -1205,14 +1406,69 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -30227,7 +30518,7 @@ index 25546bc..4def4f7 100644
/var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
-index a01be9d..f82c32f 100644
+index a01be9d..01f2f23 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
@@ -30239,7 +30530,15 @@ index a01be9d..f82c32f 100644
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
-@@ -119,6 +119,10 @@ optional_policy(`
+@@ -73,6 +73,7 @@ corenet_udp_sendrecv_all_ports(cyrus_t)
+ corenet_tcp_bind_generic_node(cyrus_t)
+ corenet_tcp_bind_mail_port(cyrus_t)
+ corenet_tcp_bind_lmtp_port(cyrus_t)
++corenet_tcp_bind_innd_port(cyrus_t)
+ corenet_tcp_bind_pop_port(cyrus_t)
+ corenet_tcp_bind_sieve_port(cyrus_t)
+ corenet_tcp_connect_all_ports(cyrus_t)
+@@ -119,6 +120,10 @@ optional_policy(`
')
optional_policy(`
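Review bot: `corenet_tcp_bind_innd_port(cyrus_t)` is added unconditionally between the mail and pop bind rules with nothing saying why an IMAP server binds the news port; a one-line comment such as `# cyrus also ships an nntpd that listens on the innd (nntp) port` would keep the next reader from treating it as a stray grant (presumably that is the reason, worth confirming). The surrounding block of corenet rules starts outside the hunk.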
@@ -30250,7 +30549,7 @@ index a01be9d..f82c32f 100644
kerberos_keytab_template(cyrus, cyrus_t)
')
-@@ -135,6 +139,7 @@ optional_policy(`
+@@ -135,6 +140,7 @@ optional_policy(`
')
optional_policy(`
@@ -30592,7 +30891,7 @@ index 1a1becd..d4357ec 100644
')
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..c6db074 100644
+index 1bff6ee..fbfc5db 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -30674,7 +30973,7 @@ index 1bff6ee..c6db074 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -151,12 +171,156 @@ optional_policy(`
+@@ -151,12 +171,166 @@ optional_policy(`
')
optional_policy(`
@@ -30695,7 +30994,7 @@ index 1bff6ee..c6db074 100644
#
-# Unconfined access to this module
+# system_bus_type rules
- #
++#
+role system_r types system_bus_type;
+
+fs_search_all(system_bus_type)
@@ -30707,7 +31006,7 @@ index 1bff6ee..c6db074 100644
+init_dgram_send(system_bus_type)
+init_use_fds(system_bus_type)
+init_rw_stream_sockets(system_bus_type)
-
++
+ps_process_pattern(system_dbusd_t, system_bus_type)
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
@@ -30732,7 +31031,7 @@ index 1bff6ee..c6db074 100644
+########################################
+#
+# session_bus_type rules
-+#
+ #
+dontaudit session_bus_type self:capability sys_resource;
+allow session_bus_type self:process { getattr sigkill signal };
+dontaudit session_bus_type self:process { ptrace setrlimit };
@@ -30808,6 +31107,16 @@ index 1bff6ee..c6db074 100644
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
+
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(session_bus_type)
++ fs_manage_nfs_files(session_bus_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(session_bus_type)
++ fs_manage_cifs_files(session_bus_type)
++')
+
+optional_policy(`
+ gnome_read_gconf_home_files(session_bus_type)
+')
@@ -33534,7 +33843,7 @@ index 298f066..b54de69 100644
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
-index 6bef7f8..464669c 100644
+index 6bef7f8..885cd43 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -5,9 +5,9 @@
@@ -33549,10 +33858,35 @@ index 6bef7f8..464669c 100644
## </param>
#
interface(`exim_domtrans',`
-@@ -20,6 +20,24 @@ interface(`exim_domtrans',`
+@@ -20,6 +20,49 @@ interface(`exim_domtrans',`
########################################
## <summary>
++## Execute the mailman program in the mailman domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to allow the mailman domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`exim_run',`
++ gen_require(`
++ type exim_t;
++ ')
++
++ exim_domtrans($1)
++ role $2 types exim_t;
++')
++
++########################################
++## <summary>
+## Execute exim in the exim domain.
+## </summary>
+## <param name="domain">
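Review bot: The header of the new `exim_run` interface is a copy of `mailman_run`'s: its summary reads `Execute the mailman program in the mailman domain.` and the role parameter says `The role to allow the mailman domain.`, although the body transitions to `exim_t`. They should read `Execute exim in the exim domain.` and `The role to allow the exim domain.` so the generated interface documentation matches what the rule grants. The preceding `exim_domtrans` interface this hunk continues starts outside the hunk.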
@@ -33574,7 +33908,7 @@ index 6bef7f8..464669c 100644
## Do not audit attempts to read,
## exim tmp files
## </summary>
-@@ -101,9 +119,9 @@ interface(`exim_read_log',`
+@@ -101,9 +144,9 @@ interface(`exim_read_log',`
## exim log files.
## </summary>
## <param name="domain">
@@ -33586,7 +33920,7 @@ index 6bef7f8..464669c 100644
## </param>
#
interface(`exim_append_log',`
-@@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',`
+@@ -194,3 +237,46 @@ interface(`exim_manage_spool_files',`
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
')
@@ -34674,10 +35008,10 @@ index 99a94de..6dbc203 100644
files_search_etc(gatekeeper_t)
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
-index 54f0737..2b552c5 100644
+index 54f0737..44a9663 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
-@@ -1,3 +1,13 @@
+@@ -1,3 +1,17 @@
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
@@ -34688,10 +35022,14 @@ index 54f0737..2b552c5 100644
+
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
++/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
++
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0)
++
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
-+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/git/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/gitweb-caching/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 458aac6..8e83609 100644
--- a/policy/modules/services/git.if
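Review bot: The two `gitweb\.cgi` entries lack the `--` regular-file specifier that the sibling `/var/www/cgi-bin/cgit -- gen_context(...)` line uses, so `httpd_git_script_exec_t` is applied to any object at that path, not only a regular file; adding `--` keeps an executable-script label from landing on a directory or symlink created under that name, e.g. `/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)`. The regex fix from `gitweb.cgi` to `gitweb\.cgi` in the same hunk is correct and should stay.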
@@ -38926,7 +39264,7 @@ index 14ad189..2b8efd8 100644
/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
')
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
-index 67c7fdd..84b7626 100644
+index 67c7fdd..d7338be 100644
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@@ -16,7 +16,7 @@
@@ -38947,6 +39285,38 @@ index 67c7fdd..84b7626 100644
files_list_var(mailman_$1_t)
files_list_var_lib(mailman_$1_t)
files_read_var_lib_symlinks(mailman_$1_t)
+@@ -108,6 +108,31 @@ interface(`mailman_domtrans',`
+ domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
+ ')
+
++########################################
++## <summary>
++## Execute the mailman program in the mailman domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to allow the mailman domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`mailman_run',`
++ gen_require(`
++ type mailman_mail_t;
++ ')
++
++ mailman_domtrans($1)
++ role $2 types mailman_mail_t;
++')
++
+ #######################################
+ ## <summary>
+ ## Execute mailman CGI scripts in the
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index af4d572..cea085e 100644
--- a/policy/modules/services/mailman.te
@@ -40632,7 +41002,7 @@ index 256166a..6321a93 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..f8c4fb6 100644
+index 343cee3..f6c92f9 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -40662,7 +41032,7 @@ index 343cee3..f8c4fb6 100644
#
interface(`mta_role',`
gen_require(`
-@@ -169,7 +171,7 @@ interface(`mta_role',`
+@@ -169,11 +171,19 @@ interface(`mta_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, sendmail_exec_t, user_mail_t)
@@ -40671,7 +41041,19 @@ index 343cee3..f8c4fb6 100644
allow mta_user_agent $2:fd use;
allow mta_user_agent $2:process sigchld;
-@@ -220,6 +222,25 @@ interface(`mta_agent_executable',`
+ allow mta_user_agent $2:fifo_file { read write };
++
++ optional_policy(`
++ exim_run($2, $1)
++ ')
++
++ optional_policy(`
++ mailman_run(mta_user_agent, $1)
++ ')
+ ')
+
+ ########################################
+@@ -220,6 +230,25 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
@@ -40697,7 +41079,7 @@ index 343cee3..f8c4fb6 100644
########################################
## <summary>
## Make the specified type by a system MTA.
-@@ -306,7 +327,6 @@ interface(`mta_mailserver_sender',`
+@@ -306,7 +335,6 @@ interface(`mta_mailserver_sender',`
interface(`mta_mailserver_delivery',`
gen_require(`
attribute mailserver_delivery;
@@ -40705,7 +41087,7 @@ index 343cee3..f8c4fb6 100644
')
typeattribute $1 mailserver_delivery;
-@@ -330,12 +350,6 @@ interface(`mta_mailserver_user_agent',`
+@@ -330,12 +358,6 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
@@ -40718,7 +41100,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -350,9 +364,8 @@ interface(`mta_mailserver_user_agent',`
+@@ -350,9 +372,8 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
@@ -40729,7 +41111,7 @@ index 343cee3..f8c4fb6 100644
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -391,12 +404,17 @@ interface(`mta_send_mail',`
+@@ -391,12 +412,17 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -40749,7 +41131,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -409,7 +427,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +435,6 @@ interface(`mta_sendmail_domtrans',`
## </summary>
## </param>
#
@@ -40757,7 +41139,7 @@ index 343cee3..f8c4fb6 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -420,6 +437,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +445,24 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
@@ -40782,7 +41164,7 @@ index 343cee3..f8c4fb6 100644
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -438,6 +473,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +481,26 @@ interface(`mta_sendmail_exec',`
########################################
## <summary>
@@ -40809,7 +41191,7 @@ index 343cee3..f8c4fb6 100644
## Read mail server configuration.
## </summary>
## <param name="domain">
-@@ -474,7 +529,8 @@ interface(`mta_write_config',`
+@@ -474,7 +537,8 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -40819,7 +41201,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -494,6 +550,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +558,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
@@ -40827,7 +41209,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -532,7 +589,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +597,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
@@ -40836,7 +41218,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -552,7 +609,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +617,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -40845,7 +41227,7 @@ index 343cee3..f8c4fb6 100644
')
#######################################
-@@ -646,8 +703,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +711,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -40856,7 +41238,7 @@ index 343cee3..f8c4fb6 100644
')
#######################################
-@@ -697,8 +754,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +762,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -40867,7 +41249,7 @@ index 343cee3..f8c4fb6 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +895,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +903,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -40876,7 +41258,7 @@ index 343cee3..f8c4fb6 100644
')
########################################
-@@ -899,3 +956,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +964,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -42732,7 +43114,7 @@ index abe3f7f..2de87de 100644
+ nis_systemctl($1)
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
-index 4876cae..5f29ad9 100644
+index 4876cae..dccdc78 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t)
@@ -42783,7 +43165,18 @@ index 4876cae..5f29ad9 100644
allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -224,8 +231,8 @@ optional_policy(`
+@@ -211,6 +218,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mta_send_mail(yppasswdd_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(yppasswdd_t)
+ ')
+
+@@ -224,8 +235,8 @@ optional_policy(`
#
dontaudit ypserv_t self:capability sys_tty_config;
@@ -50680,7 +51073,7 @@ index cda37bb..484e552 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..fb0f852 100644
+index b1468ed..4bd5e3c 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -50758,7 +51151,7 @@ index b1468ed..fb0f852 100644
########################################
#
# NFSD local policy
-@@ -120,6 +133,9 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,9 +133,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -50768,7 +51161,12 @@ index b1468ed..fb0f852 100644
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -148,6 +164,8 @@ storage_raw_read_removable_device(nfsd_t)
++corenet_tcp_bind_nfs_port(nfsd_t)
++corenet_udp_bind_nfs_port(nfsd_t)
+
+ dev_dontaudit_getattr_all_blk_files(nfsd_t)
+ dev_dontaudit_getattr_all_chr_files(nfsd_t)
+@@ -148,6 +166,8 @@ storage_raw_read_removable_device(nfsd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
@@ -50777,7 +51175,7 @@ index b1468ed..fb0f852 100644
# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
-@@ -158,7 +176,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +178,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -50785,7 +51183,7 @@ index b1468ed..fb0f852 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +187,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +189,7 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -50795,7 +51193,7 @@ index b1468ed..fb0f852 100644
')
########################################
-@@ -181,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',`
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
@@ -50804,7 +51202,7 @@ index b1468ed..fb0f852 100644
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +215,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -50812,7 +51210,7 @@ index b1468ed..fb0f852 100644
fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
-@@ -210,14 +227,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
@@ -50829,7 +51227,7 @@ index b1468ed..fb0f852 100644
')
optional_policy(`
-@@ -229,6 +246,10 @@ optional_policy(`
+@@ -229,6 +248,10 @@ optional_policy(`
')
optional_policy(`
@@ -52393,7 +52791,7 @@ index 7e94c7c..5700fb8 100644
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 22dac1f..c3cf42a 100644
+index 22dac1f..1c27bd6 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -52432,7 +52830,17 @@ index 22dac1f..c3cf42a 100644
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
-@@ -149,7 +150,9 @@ optional_policy(`
+@@ -129,6 +130,9 @@ optional_policy(`
+
+ optional_policy(`
+ exim_domtrans(sendmail_t)
++ exim_manage_spool_files(sendmail_t)
++ exim_manage_spool_dirs(sendmail_t)
++ exim_read_log(sendmail_t)
+ ')
+
+ optional_policy(`
+@@ -149,7 +153,9 @@ optional_policy(`
')
optional_policy(`
@@ -52442,7 +52850,7 @@ index 22dac1f..c3cf42a 100644
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -168,20 +171,13 @@ optional_policy(`
+@@ -168,20 +174,13 @@ optional_policy(`
')
optional_policy(`
@@ -52824,7 +53232,7 @@ index 275f9fb..4f4a192 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..633e4ce 100644
+index 3d8d1b3..9509742 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -52865,7 +53273,11 @@ index 3d8d1b3..633e4ce 100644
kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
-@@ -97,12 +100,15 @@ fs_search_auto_mountpoints(snmpd_t)
+@@ -94,15 +97,19 @@ files_search_home(snmpd_t)
+ fs_getattr_all_dirs(snmpd_t)
+ fs_getattr_all_fs(snmpd_t)
+ fs_search_auto_mountpoints(snmpd_t)
++files_search_all_mountpoints(snmpd_t)
storage_dontaudit_read_fixed_disk(snmpd_t)
storage_dontaudit_read_removable_device(snmpd_t)
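Review bot: `files_search_all_mountpoints(snmpd_t)` is inserted after the three `fs_` calls although this file groups rules by interface prefix, with `files_search_home(snmpd_t)` shown in the hunk context just above them; placing the new line next to `files_search_home(snmpd_t)` keeps the `files_` block contiguous. The rule itself is harmless, so this is ordering only. The surrounding block of snmpd_t rules starts outside the hunk.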
@@ -52882,7 +53294,7 @@ index 3d8d1b3..633e4ce 100644
logging_send_syslog_msg(snmpd_t)
-@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t)
+@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
@@ -53773,7 +54185,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..d9c1d90 100644
+index 22adaca..3b7fec1 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -53835,7 +54247,37 @@ index 22adaca..d9c1d90 100644
dev_read_urand($1_ssh_t)
-@@ -168,7 +166,7 @@ template(`ssh_basic_client_template',`
+@@ -148,6 +146,29 @@ template(`ssh_basic_client_template',`
+ ')
+ ')
+
++######################################
++## <summary>
++## The template to define a domain to which sshd dyntransition.
++## </summary>
++## <param name="domain">
++## <summary>
++## The prefix of the dyntransition domain
++## </summary>
++## </param>
++#
++template(`ssh_dyntransition_domain_template',`
++ gen_require(`
++ attribute ssh_dyntransition_domain;
++ ')
++
++ type $1, ssh_dyntransition_domain;
++ domain_type($1)
++ role system_r types $1;
++
++ optional_policy(`
++ ssh_dyntransition_to($1)
++ ')
++')
+ #######################################
+ ## <summary>
+ ## The template to define a ssh server.
+@@ -168,7 +189,7 @@ template(`ssh_basic_client_template',`
## </summary>
## </param>
#
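Review bot: The parameter documentation of `ssh_dyntransition_domain_template` says `The prefix of the dyntransition domain`, but the body uses `$1` as the complete type name (`type $1, ssh_dyntransition_domain;`, `domain_type($1)`), so callers reading the header will pass a prefix and get the wrong type; it should read `## The domain sshd dynamically transitions to.`. Wrapping `ssh_dyntransition_to($1)` in `optional_policy` is also unnecessary, since the interface is defined in this same ssh.if and is always available. A blank line is missing between the template's closing `')` and the following `#######################################` header, unlike every other interface in the file.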
@@ -53844,7 +54286,7 @@ index 22adaca..d9c1d90 100644
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
-@@ -181,16 +179,18 @@ template(`ssh_server_template', `
+@@ -181,16 +202,18 @@ template(`ssh_server_template', `
type $1_var_run_t;
files_pid_file($1_var_run_t)
@@ -53866,15 +54308,15 @@ index 22adaca..d9c1d90 100644
term_create_pty($1_t, $1_devpts_t)
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-@@ -206,6 +206,7 @@ template(`ssh_server_template', `
+@@ -206,6 +229,7 @@ template(`ssh_server_template', `
kernel_read_kernel_sysctls($1_t)
kernel_read_network_state($1_t)
-+ kernel_request_load_module(ssh_t)
++ kernel_request_load_module($1_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
-@@ -220,8 +221,11 @@ template(`ssh_server_template', `
+@@ -220,8 +244,11 @@ template(`ssh_server_template', `
corenet_tcp_bind_generic_node($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
@@ -53887,7 +54329,7 @@ index 22adaca..d9c1d90 100644
fs_dontaudit_getattr_all_fs($1_t)
-@@ -234,6 +238,7 @@ template(`ssh_server_template', `
+@@ -234,6 +261,7 @@ template(`ssh_server_template', `
corecmd_getattr_bin_files($1_t)
domain_interactive_fd($1_t)
@@ -53895,7 +54337,7 @@ index 22adaca..d9c1d90 100644
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
-@@ -243,13 +248,17 @@ template(`ssh_server_template', `
+@@ -243,13 +271,17 @@ template(`ssh_server_template', `
miscfiles_read_localization($1_t)
@@ -53915,7 +54357,7 @@ index 22adaca..d9c1d90 100644
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t)
fs_read_nfs_symlinks($1_t)
-@@ -268,6 +277,14 @@ template(`ssh_server_template', `
+@@ -268,6 +300,14 @@ template(`ssh_server_template', `
files_read_var_lib_symlinks($1_t)
nx_spec_domtrans_server($1_t)
')
@@ -53930,7 +54372,7 @@ index 22adaca..d9c1d90 100644
')
########################################
-@@ -290,11 +307,11 @@ template(`ssh_server_template', `
+@@ -290,11 +330,11 @@ template(`ssh_server_template', `
## User domain for the role
## </summary>
## </param>
@@ -53943,7 +54385,7 @@ index 22adaca..d9c1d90 100644
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
type ssh_agent_tmp_t;
-@@ -327,7 +344,7 @@ template(`ssh_role_template',`
+@@ -327,7 +367,7 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
@@ -53952,7 +54394,7 @@ index 22adaca..d9c1d90 100644
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
-@@ -338,6 +355,7 @@ template(`ssh_role_template',`
+@@ -338,6 +378,7 @@ template(`ssh_role_template',`
manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1_t)
@@ -53960,7 +54402,7 @@ index 22adaca..d9c1d90 100644
##############################
#
-@@ -359,7 +377,7 @@ template(`ssh_role_template',`
+@@ -359,7 +400,7 @@ template(`ssh_role_template',`
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
@@ -53969,7 +54411,7 @@ index 22adaca..d9c1d90 100644
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +399,6 @@ template(`ssh_role_template',`
+@@ -381,7 +422,6 @@ template(`ssh_role_template',`
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
@@ -53977,7 +54419,7 @@ index 22adaca..d9c1d90 100644
libs_read_lib_files($1_ssh_agent_t)
-@@ -393,14 +410,13 @@ template(`ssh_role_template',`
+@@ -393,14 +433,13 @@ template(`ssh_role_template',`
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
@@ -53995,13 +54437,13 @@ index 22adaca..d9c1d90 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +493,27 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +516,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
- allow $1 sshd_t:fifo_file { getattr read };
+ allow $1 sshd_t:fifo_file read_fifo_file_perms;
- ')
++')
+
+######################################
+## <summary>
@@ -54019,12 +54461,12 @@ index 22adaca..d9c1d90 100644
+ ')
+
+ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
-+')
+ ')
+
########################################
## <summary>
## Read and write a ssh server unnamed pipe.
-@@ -494,7 +529,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +552,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@@ -54033,7 +54475,7 @@ index 22adaca..d9c1d90 100644
')
########################################
-@@ -586,6 +621,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +644,24 @@ interface(`ssh_domtrans',`
########################################
## <summary>
@@ -54058,7 +54500,7 @@ index 22adaca..d9c1d90 100644
## Execute the ssh client in the caller domain.
## </summary>
## <param name="domain">
-@@ -618,7 +671,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +694,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@@ -54067,7 +54509,7 @@ index 22adaca..d9c1d90 100644
files_search_pids($1)
')
-@@ -680,6 +733,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +756,32 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
@@ -54100,7 +54542,7 @@ index 22adaca..d9c1d90 100644
########################################
## <summary>
## Read ssh server keys
-@@ -695,7 +774,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +797,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -54109,7 +54551,7 @@ index 22adaca..d9c1d90 100644
')
######################################
-@@ -735,3 +814,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +837,81 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -54142,13 +54584,13 @@ index 22adaca..d9c1d90 100644
+## </summary>
+## </param>
+#
-+interface(`ssh_dyntransition_chroot_user',`
++interface(`ssh_dyntransition_to',`
+ gen_require(`
-+ type chroot_user_t;
++ type sshd_t;
+ ')
+
-+ allow $1 chroot_user_t:process dyntransition;
-+ allow chroot_user_t $1:process sigchld;
++ allow sshd_t $1:process dyntransition;
++ allow $1 sshd_t:process sigchld;
+')
+
+########################################
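Review bot: The renamed interface `ssh_dyntransition_to` reverses the direction of the old rule: it now lets sshd_t dyntransition into the caller's $1 and lets $1 send sigchld back, so every module that calls it extends the set of domains the sshd process can switch into at runtime without an entrypoint check. The `<summary>` block of this interface lies above the hunk and is not changed here; if it still describes the chroot-user case it should state the new contract, e.g. `## Allow sshd to dynamically transition into the specified domain.`. Callers are presumably limited to the template that declares ssh_dyntransition_domain types; keeping it that way keeps the set of reachable domains reviewable inside ssh.if.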
@@ -54192,7 +54634,7 @@ index 22adaca..d9c1d90 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..28ef6ae 100644
+index 2dad3c8..a6e2e1e 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -54232,12 +54674,12 @@ index 2dad3c8..28ef6ae 100644
-gen_tunable(ssh_sysadm_login, false)
+gen_tunable(ssh_chroot_rw_homedirs, false)
++attribute ssh_dyntransition_domain;
attribute ssh_server;
attribute ssh_agent_type;
-+type chroot_user_t;
-+domain_type(chroot_user_t)
-+role system_r types chroot_user_t;
++ssh_dyntransition_domain_template(chroot_user_t)
++ssh_dyntransition_domain_template(sshd_sandbox_t)
+
type ssh_keygen_t;
type ssh_keygen_exec_t;
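Review bot: `ssh_dyntransition_domain_template(chroot_user_t)` and `ssh_dyntransition_domain_template(sshd_sandbox_t)` call a template that no hunk in this chunk adds to ssh.if; the old `type chroot_user_t; domain_type(chroot_user_t); role system_r types chroot_user_t;` lines are removed here, so unless the template is defined in a hunk outside this view neither type is declared and the module will not build. A short comment above the two calls saying what each domain is for (the commit message mentions a pre-auth net process for sshd_sandbox_t) would help a reader of the declarations block.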
@@ -54492,14 +54934,10 @@ index 2dad3c8..28ef6ae 100644
')
optional_policy(`
-@@ -284,6 +337,19 @@ optional_policy(`
+@@ -284,6 +337,15 @@ optional_policy(`
')
optional_policy(`
-+ ssh_dyntransition_chroot_user(sshd_t)
-+')
-+
-+optional_policy(`
+ systemd_exec_systemctl(sshd_t)
+')
+
@@ -54512,7 +54950,7 @@ index 2dad3c8..28ef6ae 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +358,26 @@ optional_policy(`
+@@ -292,26 +354,26 @@ optional_policy(`
')
ifdef(`TODO',`
@@ -54558,7 +54996,7 @@ index 2dad3c8..28ef6ae 100644
') dnl endif TODO
########################################
-@@ -322,19 +388,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +384,26 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -54586,7 +55024,7 @@ index 2dad3c8..28ef6ae 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,15 +424,63 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,15 +420,83 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -54600,16 +55038,39 @@ index 2dad3c8..28ef6ae 100644
optional_policy(`
- seutil_sigchld_newrole(ssh_keygen_t)
+ udev_read_db(ssh_keygen_t)
+ ')
+
++####################################
++#
++# ssh_dyntransition domain local policy
++#
++
++allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
++
++allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
++
+ optional_policy(`
+- udev_read_db(ssh_keygen_t)
++ ssh_rw_stream_sockets(ssh_dyntransition_domain)
++ ssh_rw_tcp_sockets(ssh_dyntransition_domain)
+')
+
++#####################################
++#
++# ssh_sandbox local policy
++#
++
++allow sshd_t sshd_sandbox_t:process signal;
++
++init_ioctl_stream_sockets(sshd_sandbox_t)
++
++logging_send_audit_msgs(sshd_sandbox_t)
++
+######################################
+#
+# chroot_user_t local policy
+#
+
-+allow chroot_user_t self:capability { setuid sys_chroot setgid };
-+
-+allow chroot_user_t self:fifo_file rw_fifo_file_perms;
+
+userdom_read_user_home_content_files(chroot_user_t)
+userdom_read_inherited_user_home_content_files(chroot_user_t)
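Review bot: `allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };` now applies to sshd_sandbox_t as well as chroot_user_t, whereas the replaced rule granted those capabilities to chroot_user_t only. A pre-auth sandbox domain is the one that should need no capabilities at all; unless the switch into sshd_sandbox_t happens before sshd drops privileges and chroots (not verifiable from this hunk), keep the rule on the chroot domain, e.g. `allow chroot_user_t self:capability { setuid sys_chroot setgid };` in the chroot_user_t section below, and leave the attribute with only the fifo and socket rules. The new section banners also use a shorter run of `#` than the surrounding `########################################` headers.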
@@ -54645,12 +55106,9 @@ index 2dad3c8..28ef6ae 100644
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(chroot_user_t)
+ fs_read_nfs_symlinks(chroot_user_t)
- ')
-
- optional_policy(`
-- udev_read_db(ssh_keygen_t)
-+ ssh_rw_stream_sockets(chroot_user_t)
-+ ssh_rw_tcp_sockets(chroot_user_t)
++')
++
++optional_policy(`
+ ssh_rw_dgram_sockets(chroot_user_t)
')
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
@@ -54711,7 +55169,7 @@ index 941380a..6dbfc01 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..69e86c3 100644
+index 8ffa257..7d5a298 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -54737,7 +55195,7 @@ index 8ffa257..69e86c3 100644
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,8 +50,12 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,11 +50,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
@@ -54750,7 +55208,11 @@ index 8ffa257..69e86c3 100644
corecmd_exec_bin(sssd_t)
dev_read_urand(sssd_t)
-@@ -60,6 +66,7 @@ domain_obj_id_change_exemption(sssd_t)
++dev_read_sysfs(sssd_t)
+
+ domain_read_all_domains_state(sssd_t)
+ domain_obj_id_change_exemption(sssd_t)
+@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
@@ -54758,7 +55220,7 @@ index 8ffa257..69e86c3 100644
fs_list_inotifyfs(sssd_t)
-@@ -69,7 +76,7 @@ seutil_read_file_contexts(sssd_t)
+@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t)
mls_file_read_to_clearance(sssd_t)
@@ -54767,7 +55229,7 @@ index 8ffa257..69e86c3 100644
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
-@@ -79,6 +86,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_localization(sssd_t)
@@ -54780,7 +55242,7 @@ index 8ffa257..69e86c3 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +100,28 @@ optional_policy(`
+@@ -87,4 +101,28 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
@@ -56667,7 +57129,7 @@ index 7c5d8d8..72e3065 100644
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..c0d1ec6 100644
+index 3eca020..1eb165e 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
@@ -57037,9 +57499,9 @@ index 3eca020..c0d1ec6 100644
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
++selinux_validate_context(virtd_t)
++
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -57193,7 +57655,7 @@ index 3eca020..c0d1ec6 100644
logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
-@@ -457,8 +624,177 @@ optional_policy(`
+@@ -457,8 +624,188 @@ optional_policy(`
')
optional_policy(`
@@ -57317,11 +57779,12 @@ index 3eca020..c0d1ec6 100644
+#
+# virt_lxc local policy
+#
-+allow virt_lxc_t self:capability { net_admin setpcap chown sys_admin };
++allow virt_lxc_t self:capability { net_admin net_raw setpcap chown sys_admin };
+allow virt_lxc_t self:process { setsched getcap setcap signal_perms };
+allow virt_lxc_t self:fifo_file rw_fifo_file_perms;
+allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms;
++allow virt_lxc_t self:packet_socket create_socket_perms;
+
+allow virt_lxc_t virt_image_type:dir mounton;
+
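Review bot: Adding `net_raw` to virt_lxc_t's capabilities together with `allow virt_lxc_t self:packet_socket create_socket_perms;` lets the container controller open raw and packet sockets on the host, and nothing in the hunk records which operation needs that. A why-comment above the two rules, e.g. `# net_raw + packet_socket: <fill in the operation that requires them>`, would make the grant reviewable later and easier to drop if the need goes away.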
@@ -57337,6 +57800,7 @@ index 3eca020..c0d1ec6 100644
+
+kernel_read_network_state(virt_lxc_t)
+kernel_search_network_sysctl(virt_lxc_t)
++kernel_read_sysctl(virt_lxc_t)
+
+dev_read_sysfs(virt_lxc_t)
+
@@ -57346,12 +57810,14 @@ index 3eca020..c0d1ec6 100644
+files_mounton_all_mountpoints(virt_lxc_t)
+files_mount_all_file_type_fs(virt_lxc_t)
+files_unmount_all_file_type_fs(virt_lxc_t)
++files_list_isid_type_dirs(virt_lxc_t)
+
+fs_manage_tmpfs_dirs(virt_lxc_t)
+fs_manage_tmpfs_chr_files(virt_lxc_t)
+fs_manage_tmpfs_symlinks(virt_lxc_t)
+fs_manage_cgroup_dirs(virt_lxc_t)
+fs_rw_cgroup_files(virt_lxc_t)
++fs_remount_all_fs(virt_lxc_t)
+
+selinux_mount_fs(virt_lxc_t)
+selinux_unmount_fs(virt_lxc_t)
@@ -57365,7 +57831,14 @@ index 3eca020..c0d1ec6 100644
+
+miscfiles_read_localization(virt_lxc_t)
+
-+sysnet_exec_ifconfig(virt_lxc_t)
++sysnet_domtrans_ifconfig(virt_lxc_t)
++
++type lxc_t;
++domain_type(lxc_t);
++
++optional_policy(`
++ unconfined_domain(lxc_t)
++')
+
+optional_policy(`
+ unconfined_shell_domtrans(virt_lxc_t)
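Review bot: `type lxc_t;` and `domain_type(lxc_t);` are declared in the middle of the virt_lxc_t local-policy section, and the `domain_type` call carries a trailing `;` that no other interface call in the file has; interface calls expand to complete statements, so the extra `;` becomes a stray token in the generated policy and should be dropped (`domain_type(lxc_t)`). Per the refpolicy layout the two declarations belong in the declarations block at the top of virt.te. The new domain is made unconfined by `unconfined_domain(lxc_t)`, yet nothing visible in this chunk transitions into it or gives it an entrypoint; a comment stating how processes reach lxc_t would let a reviewer judge the scope of that grant.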
@@ -61517,10 +61990,10 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..6794869 100644
+index 94fd8dd..b5e5c70 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
-@@ -79,6 +79,42 @@ interface(`init_script_domain',`
+@@ -79,6 +79,44 @@ interface(`init_script_domain',`
domtrans_pattern(init_run_all_scripts_domain, $2, $1)
')
@@ -61555,15 +62028,17 @@ index 94fd8dd..6794869 100644
+ domtrans_pattern(init_t,$2,$1)
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow init_t $1:unix_dgram_socket create_socket_perms;
-+ allow $1 init_t:unix_stream_socket ioctl;
++ allow $1 init_t:unix_stream_socket ioctl;
+ allow $1 init_t:unix_dgram_socket sendto;
++ # need write to /var/run/systemd/notify
++ init_write_pid_socket($1)
+ ')
+')
+
########################################
## <summary>
## Create a domain which can be started by init.
-@@ -105,7 +141,11 @@ interface(`init_domain',`
+@@ -105,7 +143,11 @@ interface(`init_domain',`
role system_r types $1;
@@ -61576,7 +62051,7 @@ index 94fd8dd..6794869 100644
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -193,8 +233,10 @@ interface(`init_daemon_domain',`
+@@ -193,8 +235,10 @@ interface(`init_daemon_domain',`
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
type initrc_t;
@@ -61587,7 +62062,7 @@ index 94fd8dd..6794869 100644
')
typeattribute $1 daemon;
-@@ -202,39 +244,20 @@ interface(`init_daemon_domain',`
+@@ -202,39 +246,20 @@ interface(`init_daemon_domain',`
domain_type($1)
domain_entry_file($1, $2)
@@ -61613,17 +62088,17 @@ index 94fd8dd..6794869 100644
typeattribute $2 direct_init_entry;
- userdom_dontaudit_use_user_terminals($1)
-- ')
--
++# userdom_dontaudit_use_user_terminals($1)
+ ')
+
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_rhel4',`
- kernel_dontaudit_use_fds($1)
- ')
-+# userdom_dontaudit_use_user_terminals($1)
- ')
-
+- ')
+-
- optional_policy(`
- nscd_socket_use($1)
+ tunable_policy(`init_upstart || init_systemd',`
@@ -61632,7 +62107,7 @@ index 94fd8dd..6794869 100644
')
')
-@@ -283,17 +306,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +308,20 @@ interface(`init_daemon_domain',`
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
@@ -61654,7 +62129,7 @@ index 94fd8dd..6794869 100644
')
')
-@@ -336,22 +362,23 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,22 +364,23 @@ interface(`init_ranged_daemon_domain',`
#
interface(`init_system_domain',`
gen_require(`
@@ -61685,7 +62160,7 @@ index 94fd8dd..6794869 100644
')
')
-@@ -401,20 +428,41 @@ interface(`init_system_domain',`
+@@ -401,20 +430,41 @@ interface(`init_system_domain',`
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
@@ -61727,7 +62202,7 @@ index 94fd8dd..6794869 100644
########################################
## <summary>
## Execute init (/sbin/init) with a domain transition.
-@@ -451,6 +499,10 @@ interface(`init_exec',`
+@@ -451,6 +501,10 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -61738,7 +62213,7 @@ index 94fd8dd..6794869 100644
')
########################################
-@@ -509,6 +561,24 @@ interface(`init_sigchld',`
+@@ -509,6 +563,24 @@ interface(`init_sigchld',`
########################################
## <summary>
@@ -61763,7 +62238,7 @@ index 94fd8dd..6794869 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
-@@ -519,10 +589,66 @@ interface(`init_sigchld',`
+@@ -519,10 +591,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -61832,7 +62307,7 @@ index 94fd8dd..6794869 100644
')
########################################
-@@ -688,19 +814,25 @@ interface(`init_telinit',`
+@@ -688,19 +816,25 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -61859,7 +62334,7 @@ index 94fd8dd..6794869 100644
')
')
-@@ -730,7 +862,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +864,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@@ -61868,7 +62343,7 @@ index 94fd8dd..6794869 100644
## </summary>
## </param>
#
-@@ -773,18 +905,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -61892,7 +62367,7 @@ index 94fd8dd..6794869 100644
')
')
-@@ -800,19 +933,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -61938,7 +62413,7 @@ index 94fd8dd..6794869 100644
')
########################################
-@@ -868,9 +1023,14 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -61953,7 +62428,7 @@ index 94fd8dd..6794869 100644
files_search_etc($1)
')
-@@ -1079,6 +1239,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -61978,7 +62453,7 @@ index 94fd8dd..6794869 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1130,12 +1308,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -61992,7 +62467,7 @@ index 94fd8dd..6794869 100644
')
########################################
-@@ -1375,6 +1548,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -62020,7 +62495,7 @@ index 94fd8dd..6794869 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1461,6 +1655,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -62046,7 +62521,7 @@ index 94fd8dd..6794869 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1519,6 +1732,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@@ -62071,7 +62546,7 @@ index 94fd8dd..6794869 100644
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1586,6 +1817,24 @@ interface(`init_read_utmp',`
+@@ -1586,6 +1819,24 @@ interface(`init_read_utmp',`
########################################
## <summary>
@@ -62096,7 +62571,7 @@ index 94fd8dd..6794869 100644
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
-@@ -1674,7 +1923,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1925,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -62105,7 +62580,7 @@ index 94fd8dd..6794869 100644
')
########################################
-@@ -1715,6 +1964,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1966,128 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -62234,7 +62709,7 @@ index 94fd8dd..6794869 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2120,175 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2122,194 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -62291,6 +62766,25 @@ index 94fd8dd..6794869 100644
+ init_dontaudit_use_script_fds($1)
+')
+
++#######################################
++## <summary>
++## Allow the specified domain to ioctl an
++## init with a unix domain stream sockets.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_ioctl_stream_sockets',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_stream_socket ioctl;
++')
++
+########################################
+## <summary>
+## Allow the specified domain to read/write to
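Review bot: The summary of the new `init_ioctl_stream_sockets` interface reads awkwardly ("to ioctl an init with a unix domain stream sockets"); suggest `## Allow the specified domain to ioctl the unix domain stream sockets of init.`. The body grants only `ioctl` on init_t:unix_stream_socket, so the summary should not suggest anything broader.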
@@ -64778,10 +65272,24 @@ index 831b909..efe1038 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..0c27f81 100644
+index b6ec597..5684c8a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -20,6 +20,7 @@ files_security_file(auditd_log_t)
+@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2)
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow syslogd daemon to send mail
++## </p>
++## </desc>
++gen_tunable(logging_syslogd_can_sendmail, false)
++
+ attribute logfile;
+
+ type auditctl_t;
+@@ -20,6 +27,7 @@ files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)
type audit_spool_t;
@@ -64789,7 +65297,7 @@ index b6ec597..0c27f81 100644
files_security_file(audit_spool_t)
files_security_mountpoint(audit_spool_t)
-@@ -64,6 +65,7 @@ files_config_file(syslog_conf_t)
+@@ -64,6 +72,7 @@ files_config_file(syslog_conf_t)
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
@@ -64797,7 +65305,7 @@ index b6ec597..0c27f81 100644
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
-@@ -111,7 +113,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +120,7 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
@@ -64806,7 +65314,7 @@ index b6ec597..0c27f81 100644
init_dontaudit_use_fds(auditctl_t)
-@@ -183,16 +185,19 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +192,19 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -64827,7 +65335,7 @@ index b6ec597..0c27f81 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,10 +242,17 @@ corecmd_exec_shell(audisp_t)
+@@ -237,10 +249,17 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@@ -64845,7 +65353,7 @@ index b6ec597..0c27f81 100644
logging_send_syslog_msg(audisp_t)
-@@ -250,6 +262,10 @@ sysnet_dns_name_resolve(audisp_t)
+@@ -250,6 +269,10 @@ sysnet_dns_name_resolve(audisp_t)
optional_policy(`
dbus_system_bus_client(audisp_t)
@@ -64856,7 +65364,7 @@ index b6ec597..0c27f81 100644
')
########################################
-@@ -280,11 +296,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,11 +303,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -64877,7 +65385,7 @@ index b6ec597..0c27f81 100644
sysnet_dns_name_resolve(audisp_remote_t)
########################################
-@@ -354,11 +379,12 @@ optional_policy(`
+@@ -354,11 +386,12 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
@@ -64892,7 +65400,7 @@ index b6ec597..0c27f81 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -376,6 +402,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -376,6 +409,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -64900,7 +65408,7 @@ index b6ec597..0c27f81 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -385,9 +412,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -385,9 +419,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -64916,8 +65424,15 @@ index b6ec597..0c27f81 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -428,8 +461,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+@@ -426,10 +466,20 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+ corenet_sendrecv_postgresql_client_packets(syslogd_t)
+ corenet_sendrecv_mysqld_client_packets(syslogd_t)
++tunable_policy(`logging_syslogd_can_sendmail',`
++ # support for ommail module to send logs via mail
++ corenet_tcp_connect_smtp_port(syslogd_t)
++')
++
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+dev_read_rand(syslogd_t)
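Review bot: The `logging_syslogd_can_sendmail` block grants `corenet_tcp_connect_smtp_port(syslogd_t)` but not the matching `corenet_sendrecv_smtp_client_packets(syslogd_t)`, while the neighbouring rules pair each port access with its sendrecv packet rule (`corenet_sendrecv_mysqld_client_packets`), so with labeled packets the mail delivery would still be denied. Add `corenet_sendrecv_smtp_client_packets(syslogd_t)` inside the tunable. Refpolicy also keeps `tunable_policy` blocks after the unconditional rules of a domain rather than between two corenet calls, so moving the block down to the other tunables of syslogd_t would match the file's layout.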
@@ -64930,7 +65445,7 @@ index b6ec597..0c27f81 100644
files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
-@@ -448,6 +486,7 @@ term_write_console(syslogd_t)
+@@ -448,6 +498,7 @@ term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -64938,7 +65453,7 @@ index b6ec597..0c27f81 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +498,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +510,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -64946,7 +65461,7 @@ index b6ec597..0c27f81 100644
miscfiles_read_localization(syslogd_t)
-@@ -496,11 +536,20 @@ optional_policy(`
+@@ -496,11 +548,20 @@ optional_policy(`
')
optional_policy(`
@@ -66947,7 +67462,7 @@ index 170e2c7..b85fc73 100644
+ ')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..4e8cb38 100644
+index 7ed9819..f2b7643 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -67218,17 +67733,17 @@ index 7ed9819..4e8cb38 100644
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+-
+-allow semanage_t policy_config_t:file rw_file_perms;
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--allow semanage_t policy_config_t:file rw_file_perms;
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
@@ -67257,13 +67772,13 @@ index 7ed9819..4e8cb38 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
-
+-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
--
++# Admins are creating pp files in random locations
++files_read_non_security_files(semanage_t)
+
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@@ -67280,7 +67795,20 @@ index 7ed9819..4e8cb38 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -487,118 +498,72 @@ ifdef(`distro_debian',`
+@@ -482,123 +493,85 @@ seutil_manage_default_contexts(semanage_t)
+ userdom_read_user_home_content_files(semanage_t)
+ userdom_read_user_tmp_files(semanage_t)
+
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(semanage_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(semanage_t)
++')
++
+ ifdef(`distro_debian',`
+ files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
')
@@ -67345,23 +67873,23 @@ index 7ed9819..4e8cb38 100644
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
-
--term_use_all_ttys(setfiles_t)
--term_use_all_ptys(setfiles_t)
--term_use_unallocated_ttys(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
+-term_use_all_ttys(setfiles_t)
+-term_use_all_ptys(setfiles_t)
+-term_use_unallocated_ttys(setfiles_t)
+-
-# this is to satisfy the assertion:
-auth_relabelto_shadow(setfiles_t)
-
@@ -68475,10 +69003,10 @@ index 0000000..eb3673d
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..e50a989
+index 0000000..411793e
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,359 @@
+@@ -0,0 +1,360 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -68584,6 +69112,7 @@ index 0000000..e50a989
+# /run/user/.*
+# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
+auth_manage_var_auth(systemd_logind_t)
++auth_use_nsswitch(systemd_logind_t)
+
+authlogin_read_state(systemd_logind_t)
+
@@ -73444,7 +73973,7 @@ index 4b2878a..fe5913a 100644
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..02686f5 100644
+index 9b4a930..5cd0c45 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -73497,7 +74026,7 @@ index 9b4a930..02686f5 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +98,73 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +98,74 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -73554,6 +74083,7 @@ index 9b4a930..02686f5 100644
+
+# Nautilus causes this avc
+dontaudit unpriv_userdomain self:dir setattr;
++allow unpriv_userdomain self:key manage_key_perms;
+
+optional_policy(`
+ alsa_read_rw_config(unpriv_userdomain)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2fc698e..7c548ce 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 31.1%{?dist}
+Release: 33%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -468,6 +468,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Sep 23 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-33
+- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
+- Add SELinux support for ssh pre-auth net process in F17
+- Add logging_syslogd_can_sendmail boolean
+
* Wed Sep 20 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-31.1
- Add definition for ephemeral ports
- Define user_tty_device_t as a customizable_type