[selinux-policy/f18] - Label /var/lib/pgsql/.ssh as ssh_home_t - Add labeling for /usr/bin/pg_ctl - Allow systemd-logind

Miroslav Grepl mgrepl at fedoraproject.org
Mon Dec 10 12:16:11 UTC 2012


commit 2f1f8cd3e04bdf7742b5e9eae28db6c07ff7b54c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Dec 10 13:14:48 2012 +0100

    - Label /var/lib/pgsql/.ssh as ssh_home_t
    - Add labeling for /usr/bin/pg_ctl
    - Allow systemd-logind to manage keyring user tmp dirs
    - Add support for 7389/tcp port
    - gems seems to be placed in lots of places
    - Since xdm is running a full session, it seems to be trying to execute lots
    - Add back tcp/8123 port as http_cache port
    - Add ovirt-guest-agent\.pid labeling
    - Allow xend to run scsi_id
    - Allow rhsmcertd-worker to read "physical_package_id"
    - Allow pki_tomcat to connect to ldap port
    - Allow lpr to read /usr/share/fonts
    - Allow open file from CD/DVD drive on domU
    - Allow munin services plugins to talk to SSSD
    - Allow all samba domains to create samba directory in var_t directories
    - Take away svirt_t ability to use nsswitch
    - Dontaudit attempts by openshift to read apache logs
    - Allow apache to create as well as append _ra_content_t
    - Dontaudit sendmail_t reading a leaked file descriptor
    - Add interface to have admin transition /etc/prelink.cache to the proper la
    - Add sntp support to ntp policy
    - Allow firewalld to dbus chat with devicekit_power
    - Allow tuned to call lsblk
    - Allow tor to read /proc/sys/kernel/random/uuid
    - Add tor_can_network_relay boolean

 policy-rawhide.patch         |  243 +++++++++++++---------
 policy_contrib-rawhide.patch |  463 ++++++++++++++++++++++++++++--------------
 selinux-policy.spec          |   29 +++-
 3 files changed, 486 insertions(+), 249 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index e97a802..70a2712 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -112385,7 +112385,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..62de080 100644
+index db981df..e2c87b3 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -112605,7 +112605,7 @@ index db981df..62de080 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,6 +319,10 @@ ifdef(`distro_gentoo',`
+@@ -271,10 +319,15 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -112616,7 +112616,12 @@ index db981df..62de080 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -289,16 +341,21 @@ ifdef(`distro_gentoo',`
+ /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/gitolite3/commands(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
+@@ -289,16 +342,21 @@ ifdef(`distro_gentoo',`
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
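Review bot: The new `/usr/share/gitolite3/commands(/.*)?` entry pairs the `--` regular-file qualifier with a recursive `(/.*)?` pattern, so the `commands` directory and any subdirectories keep the default label while only regular files inside become `bin_t`. If the whole tree is meant, drop the `--` as `/usr/share/createrepo(/.*)?` does elsewhere in this file; if only files are meant, `/usr/share/gitolite3/commands/.*	--` says that more directly. A short comment naming why gitolite3's command scripts need `bin_t` would help the next reader, since nothing in the hunk or the commit message mentions gitolite3.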
@@ -112640,7 +112645,7 @@ index db981df..62de080 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +371,12 @@ ifdef(`distro_redhat', `
+@@ -314,8 +372,12 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -112653,7 +112658,7 @@ index db981df..62de080 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +386,11 @@ ifdef(`distro_redhat', `
+@@ -325,9 +387,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -112665,7 +112670,7 @@ index db981df..62de080 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +439,14 @@ ifdef(`distro_suse', `
+@@ -376,11 +440,15 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -112677,11 +112682,12 @@ index db981df..62de080 100644
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/var/lib/iscan/interpreter		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
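Review bot: The new `/usr/share/gems(/.*)?/helper-scripts(/.*)?` line is added under the `# /var` section of corecommands.fc, beside `/var/lib/asterisk/agi-bin`; it (and the earlier `/usr/lib/ruby/gems` entry next to it) belongs in the `/usr` section so the file stays navigable. The pattern is also very wide: every file, directory and symlink beneath any `helper-scripts` component anywhere under /usr/share/gems becomes `bin_t`, i.e. executable by every domain with `corecmd_exec_bin`, for any gem that happens to ship such a directory. If one gem is the intended consumer, anchoring its directory name in the regex keeps the grant to that package; otherwise add a comment naming the gem that needed this, since the commit message only says gems are placed in lots of places.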
-@@ -390,3 +456,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +458,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -114348,7 +114354,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..7369e6c 100644
+index fe2ee5e..5a58a39 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
@@ -114496,7 +114502,7 @@ index fe2ee5e..7369e6c 100644
 -network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
 +network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
 +network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
-+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
++network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
 -network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
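Review bot: The re-added `tcp,8123,s0` in the `http_cache` port line is undocumented, while the same line's trailing comment explains only 8118 (`# 8118 is for privoxy`). The commit message says only that 8123 is being added back, so a reader cannot tell which cache or proxy owns the port or why it was dropped earlier. Extend the comment to `# 8118 is for privoxy, 8123 is for <consumer>` with the actual service named, so the next removal/re-add cycle does not repeat.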
@@ -114530,7 +114536,8 @@ index fe2ee5e..7369e6c 100644
 +network_port(rtsclient, tcp,2501,s0)
  network_port(kprop, tcp,754,s0)
  network_port(ktalkd, udp,517,s0, udp,518,s0)
- network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
+-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
++network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0)
  network_port(lirc, tcp,8765,s0)
 +network_port(luci, tcp,8084,s0)
  network_port(lmtp, tcp,24,s0, udp,24,s0)
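Review bot: The new `tcp, 7389,s0` in the `ldap` port line has a stray space after `tcp,` that the rest of the line (`tcp,3268,s0`) does not; use `tcp,7389,s0`. More importantly, moving 7389 from `pki_ca_port_t` (it is removed from `network_port(pki_ca, ...)` later in this patch) to `ldap_port_t` relabels the port for every domain: anything granted `corenet_tcp_connect_ldap_port` can now reach 7389, and any pki domain previously allowed to bind or connect to `pki_ca_port_t` on 7389 now needs the ldap equivalent instead — the pki policy lives in the contrib patch and is not visible here, so that should be checked. A comment on the ldap line, e.g. `# 7389 is the directory server port that pki_tomcat connects to` (adjusted to the actual listener), would record why an ldap port used to be a pki port.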
@@ -114570,7 +114577,7 @@ index fe2ee5e..7369e6c 100644
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
 +network_port(piranha, tcp,3636,s0)
-+network_port(pki_ca, tcp, 7389, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
 +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
 +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
 +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
@@ -117025,7 +117032,7 @@ index 6a1e4d1..eee8419 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..dde12bc 100644
+index cf04cb5..09a61e6 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -117151,7 +117158,7 @@ index cf04cb5..dde12bc 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,274 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,278 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -117265,6 +117272,10 @@ index cf04cb5..dde12bc 100644
 +')
 +
 +optional_policy(`
++	prelink_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
 +	pulseaudio_filetrans_home_content(unconfined_domain_type)
 +	pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
 +')
@@ -125901,7 +125912,7 @@ index 0000000..bac0dc0
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..614f929
+index 0000000..d609f53
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,387 @@
@@ -125948,7 +125959,7 @@ index 0000000..614f929
 +userdom_manage_home_role(unconfined_r, unconfined_t)
 +userdom_manage_tmp_role(unconfined_r, unconfined_t)
 +userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-+userdom_unpriv_type(unconfined_r, unconfined_t)
++userdom_unpriv_type(unconfined_t)
 +
 +type unconfined_exec_t;
 +init_system_domain(unconfined_t, unconfined_exec_t)
@@ -126484,10 +126495,18 @@ index 9f6d4c3..23a78b4 100644
 +	')
 +')
 diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index a26f84f..4e52843 100644
+index a26f84f..d3cc612 100644
 --- a/policy/modules/services/postgresql.fc
 +++ b/policy/modules/services/postgresql.fc
-@@ -28,9 +28,9 @@ ifdef(`distro_redhat', `
+@@ -10,6 +10,7 @@
+ #
+ /usr/bin/initdb(\.sepgsql)?	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+ /usr/bin/(se)?postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_ctl				--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+ 
+ /usr/lib/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
+ /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+@@ -28,9 +29,9 @@ ifdef(`distro_redhat', `
  #
  /var/lib/postgres(ql)?(/.*)? 		gen_context(system_u:object_r:postgresql_db_t,s0)
  
@@ -126499,7 +126518,7 @@ index a26f84f..4e52843 100644
  
  /var/lib/sepgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
  /var/lib/sepgsql/pgstartup\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)
-@@ -45,4 +45,4 @@ ifdef(`distro_redhat', `
+@@ -45,4 +46,4 @@ ifdef(`distro_redhat', `
  
  /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
  
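Review bot: `/usr/bin/pg_ctl` becomes a second entrypoint for `postgresql_t` alongside `postgres` and `initdb`, but nothing explains why a control wrapper needs the daemon's exec label. Presumably an administrator (or the postgres account logging in over ssh, given the `.ssh` labelling in this same commit) starts the server through pg_ctl and must land in `postgresql_t` so the postgres it spawns is confined; if so, say that above the line: `# pg_ctl is the operator-facing control tool; it must enter postgresql_t so the server it starts is confined`. Note also that the neighbouring entries accept sepgsql variants (`initdb(\.sepgsql)?`, `(se)?postgres`) while the new line matches only the plain name; confirm whether a sepgsql build ships a differently named pg_ctl.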
@@ -126818,10 +126837,10 @@ index 4318f73..e4d0b31 100644
 +	')
 +')
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..84ad865 100644
+index 078bcd7..613a47e 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
-@@ -1,9 +1,22 @@
+@@ -1,9 +1,23 @@
  HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
 +
@@ -126831,6 +126850,7 @@ index 078bcd7..84ad865 100644
 +/var/lib/nocpulse/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/stickshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/openshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/pgsql/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
 +
 +/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
  
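Review bot: The new `/var/lib/pgsql/\.ssh(/.*)?` entry carves the postgres account's `.ssh` tree out of the `postgresql_db_t` label that `/var/lib/postgres(ql)?(/.*)?` in postgresql.fc gives the rest of `/var/lib/pgsql`, and nothing in the commit says why. That is the safe direction — the database domain gets no access to its own `authorized_keys` unless it has `ssh_home_t` rules, and a domain that can write `ssh_home_t` cannot write database files — but the split is easy to misread as a labelling error in a later restorecon review, so add a comment above the line: `# postgres account home; its .ssh must be ssh_home_t for sshd key lookup, not postgresql_db_t`. Whether `postgresql_t` needs to search or read that directory cannot be determined here and is worth checking in the contrib patch.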
@@ -126844,7 +126864,7 @@ index 078bcd7..84ad865 100644
  
  /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
  /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
-@@ -14,3 +27,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+@@ -14,3 +28,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
@@ -129542,7 +129562,7 @@ index 130ced9..a75282a 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..6080063 100644
+index d40f750..6a1f890 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -130221,7 +130241,7 @@ index d40f750..6080063 100644
  ')
  
  optional_policy(`
-@@ -514,12 +740,74 @@ optional_policy(`
+@@ -514,12 +740,71 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130230,6 +130250,7 @@ index d40f750..6080063 100644
 +	dbus_system_bus_client(xdm_dbusd_t)
 +	dbus_system_bus_client(xdm_t)
 +
++	application_dontaudit_exec(xdm_dbusd_t)
 +	#fixes for xfce4-notifyd
 +	allow xdm_dbusd_t self:unix_stream_socket connectto;
 +	allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;
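Review bot: `application_dontaudit_exec(xdm_dbusd_t)` is inserted directly above the `#fixes for xfce4-notifyd` comment, so that comment now reads as if it covered the new rule too, while the real reason is the one in the commit message (xdm runs a full session and tries to exec application binaries). Give it its own comment and a blank line: `# xdm runs a full session; silence its attempts to exec application binaries`. Since this is a dontaudit on `application_exec_type:file execute`, those execs will keep failing silently — fine if they are incidental, but if one of them is something the session actually needs, `application_exec` is the fix and this rule hides the evidence; recording the decision prevents a future re-investigation. The enclosing optional_policy block continues beyond the hunk.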
@@ -130267,10 +130288,6 @@ index d40f750..6080063 100644
 +	optional_policy(`
 +		networkmanager_dbus_chat(xdm_t)
 +	')
-+
-+	optional_policy(`
-+		telepathy_exec(xdm_dbusd_t)
-+	')
 +')
 +
 +optional_policy(`
@@ -130296,7 +130313,7 @@ index d40f750..6080063 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +825,74 @@ optional_policy(`
+@@ -537,28 +822,74 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130380,7 +130397,7 @@ index d40f750..6080063 100644
  ')
  
  optional_policy(`
-@@ -570,6 +904,14 @@ optional_policy(`
+@@ -570,6 +901,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130395,7 +130412,7 @@ index d40f750..6080063 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +936,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +933,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -130408,7 +130425,7 @@ index d40f750..6080063 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +953,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -130424,7 +130441,7 @@ index d40f750..6080063 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +980,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -130446,7 +130463,7 @@ index d40f750..6080063 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1000,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +997,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -130460,7 +130477,7 @@ index d40f750..6080063 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1026,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1023,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -130492,7 +130509,7 @@ index d40f750..6080063 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1058,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1055,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -130506,7 +130523,7 @@ index d40f750..6080063 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1077,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1074,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -130530,7 +130547,7 @@ index d40f750..6080063 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1142,40 @@ optional_policy(`
+@@ -775,16 +1139,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130572,7 +130589,7 @@ index d40f750..6080063 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1184,10 @@ optional_policy(`
+@@ -793,6 +1181,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130583,7 +130600,7 @@ index d40f750..6080063 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1203,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -130597,7 +130614,7 @@ index d40f750..6080063 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1214,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -130606,7 +130623,7 @@ index d40f750..6080063 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1227,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1224,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -130641,7 +130658,7 @@ index d40f750..6080063 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1249,10 @@ optional_policy(`
+@@ -859,6 +1246,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -130652,7 +130669,7 @@ index d40f750..6080063 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1296,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1293,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -130661,7 +130678,7 @@ index d40f750..6080063 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1350,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1347,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -130693,7 +130710,7 @@ index d40f750..6080063 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1396,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1393,44 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -130754,7 +130771,7 @@ index d40f750..6080063 100644
 +	unconfined_domain(xdm_unconfined_t)
 +')
 diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index 1b6619e..219acba 100644
+index 1b6619e..be02b96 100644
 --- a/policy/modules/system/application.if
 +++ b/policy/modules/system/application.if
 @@ -43,6 +43,27 @@ interface(`application_executable_file',`
@@ -130785,7 +130802,7 @@ index 1b6619e..219acba 100644
  ########################################
  ## <summary>
  ## Execute application executables in the caller domain.
-@@ -76,7 +97,6 @@ interface(`application_exec_all',`
+@@ -76,13 +97,30 @@ interface(`application_exec_all',`
  	corecmd_dontaudit_exec_all_executables($1)
  	corecmd_exec_bin($1)
  	corecmd_exec_shell($1)
@@ -130793,7 +130810,31 @@ index 1b6619e..219acba 100644
  
  	application_exec($1)
  ')
-@@ -189,6 +209,24 @@ interface(`application_dontaudit_signal',`
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit execute all executable files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`application_dontaudit_exec',`
++	gen_require(`
++		attribute application_exec_type;
++	')
++
++	dontaudit $1 application_exec_type:file execute;
++')
++
++########################################
++## <summary>
+ ##	Create a domain for applications.
+ ## </summary>
+ ## <desc>
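Review bot: The summary of the new `application_dontaudit_exec` interface, `Dontaudit execute all executable files`, overstates what it does: the body only covers `application_exec_type:file execute`, i.e. application executables, not `bin_t`/`shell_exec_t` (those have `corecmd_dontaudit_exec_all_executables`, used a few lines above in `application_exec_all`). Reword it to `##	Do not audit attempts to execute application executable files.` so a policy writer picking the interface from the generated docs knows it will not silence denials on generic binaries. The interface is otherwise consistent with `application_dontaudit_signal` and `application_dontaudit_sigkill` in this file.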
+@@ -189,6 +227,24 @@ interface(`application_dontaudit_signal',`
  
  ########################################
  ## <summary>
@@ -130818,7 +130859,7 @@ index 1b6619e..219acba 100644
  ##	Do not audit attempts to send kill signals
  ##	to all application domains.
  ## </summary>
-@@ -205,3 +243,21 @@ interface(`application_dontaudit_sigkill',`
+@@ -205,3 +261,21 @@ interface(`application_dontaudit_sigkill',`
  
  	dontaudit $1 application_domain_type:process sigkill;
  ')
@@ -136496,7 +136537,7 @@ index 02f4c97..70248c6 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 321bb13..0c0933b 100644
+index 321bb13..3638d50 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -136517,7 +136558,7 @@ index 321bb13..0c0933b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -496,6 +496,63 @@ interface(`logging_log_filetrans',`
+@@ -496,6 +496,68 @@ interface(`logging_log_filetrans',`
  	filetrans_pattern($1, var_log_t, $2, $3, $4)
  ')
  
@@ -136567,6 +136608,11 @@ index 321bb13..0c0933b 100644
 +##  The object class of the object being created.
 +##  </summary>
 +## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
 +## <infoflow type="write" weight="10"/>
 +#
 +interface(`logging_log_named_filetrans',`
@@ -136581,24 +136627,17 @@ index 321bb13..0c0933b 100644
  ########################################
  ## <summary>
  ##	Send system log messages.
-@@ -530,22 +587,85 @@ interface(`logging_log_filetrans',`
+@@ -530,22 +592,85 @@ interface(`logging_log_filetrans',`
  #
  interface(`logging_send_syslog_msg',`
  	gen_require(`
 -		type syslogd_t, devlog_t;
 +		attribute syslog_client_type;
- 	')
- 
--	allow $1 devlog_t:lnk_file read_lnk_file_perms;
--	allow $1 devlog_t:sock_file write_sock_file_perms;
++	')
++
 +	typeattribute $1 syslog_client_type;
 +')
- 
--	# the type of socket depends on the syslog daemon
--	allow $1 syslogd_t:unix_dgram_socket sendto;
--	allow $1 syslogd_t:unix_stream_socket connectto;
--	allow $1 self:unix_dgram_socket create_socket_perms;
--	allow $1 self:unix_stream_socket create_socket_perms;
++
 +########################################
 +## <summary>
 +##	Connect to the syslog control unix stream socket.
@@ -136613,11 +136652,7 @@ index 321bb13..0c0933b 100644
 +	gen_require(`
 +		type devlog_t;
 +	')
- 
--	# If syslog is down, the glibc syslog() function
--	# will write to the console.
--	term_write_console($1)
--	term_dontaudit_read_console($1)
++
 +	allow $1 devlog_t:sock_file manage_sock_file_perms;
 +	dev_filetrans($1, devlog_t, sock_file)
 +	init_pid_filetrans($1, devlog_t, sock_file, "syslog")
@@ -136654,11 +136689,18 @@ index 321bb13..0c0933b 100644
 +interface(`logging_relabel_syslog_pid_socket',`
 +	gen_require(`
 +		type devlog_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
+-	allow $1 devlog_t:sock_file write_sock_file_perms;
 +	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
 +')
-+
+ 
+-	# the type of socket depends on the syslog daemon
+-	allow $1 syslogd_t:unix_dgram_socket sendto;
+-	allow $1 syslogd_t:unix_stream_socket connectto;
+-	allow $1 self:unix_dgram_socket create_socket_perms;
+-	allow $1 self:unix_stream_socket create_socket_perms;
 +########################################
 +## <summary>
 +##	Connect to the syslog control unix stream socket.
@@ -136673,13 +136715,17 @@ index 321bb13..0c0933b 100644
 +	gen_require(`
 +		type syslogd_t, syslogd_var_run_t;
 +	')
-+
+ 
+-	# If syslog is down, the glibc syslog() function
+-	# will write to the console.
+-	term_write_console($1)
+-	term_dontaudit_read_console($1)
 +	files_search_pids($1)
 +	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
  ')
  
  ########################################
-@@ -739,7 +859,25 @@ interface(`logging_append_all_logs',`
+@@ -739,7 +864,25 @@ interface(`logging_append_all_logs',`
  	')
  
  	files_search_var($1)
@@ -136706,7 +136752,7 @@ index 321bb13..0c0933b 100644
  ')
  
  ########################################
-@@ -822,7 +960,7 @@ interface(`logging_manage_all_logs',`
+@@ -822,7 +965,7 @@ interface(`logging_manage_all_logs',`
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
@@ -136715,7 +136761,7 @@ index 321bb13..0c0933b 100644
  ')
  
  ########################################
-@@ -848,6 +986,44 @@ interface(`logging_read_generic_logs',`
+@@ -848,6 +991,44 @@ interface(`logging_read_generic_logs',`
  
  ########################################
  ## <summary>
@@ -136760,7 +136806,7 @@ index 321bb13..0c0933b 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -868,6 +1044,24 @@ interface(`logging_write_generic_logs',`
+@@ -868,6 +1049,24 @@ interface(`logging_write_generic_logs',`
  
  ########################################
  ## <summary>
@@ -136785,7 +136831,7 @@ index 321bb13..0c0933b 100644
  ##	Dontaudit Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -947,11 +1141,16 @@ interface(`logging_admin_audit',`
+@@ -947,11 +1146,16 @@ interface(`logging_admin_audit',`
  		type auditd_t, auditd_etc_t, auditd_log_t;
  		type auditd_var_run_t;
  		type auditd_initrc_exec_t;
@@ -136803,7 +136849,7 @@ index 321bb13..0c0933b 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -967,6 +1166,33 @@ interface(`logging_admin_audit',`
+@@ -967,6 +1171,33 @@ interface(`logging_admin_audit',`
  	domain_system_change_exemption($1)
  	role_transition $2 auditd_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -136837,7 +136883,7 @@ index 321bb13..0c0933b 100644
  ')
  
  ########################################
-@@ -995,10 +1221,15 @@ interface(`logging_admin_syslog',`
+@@ -995,10 +1226,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
@@ -136855,7 +136901,7 @@ index 321bb13..0c0933b 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1020,6 +1251,8 @@ interface(`logging_admin_syslog',`
+@@ -1020,6 +1256,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -136864,7 +136910,7 @@ index 321bb13..0c0933b 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1048,3 +1281,29 @@ interface(`logging_admin',`
+@@ -1048,3 +1286,29 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
@@ -142202,7 +142248,7 @@ index 0000000..5d53f08
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..5b669b8
+index 0000000..9537426
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
 @@ -0,0 +1,450 @@
@@ -142392,7 +142438,7 @@ index 0000000..5b669b8
 +	# we label /run/user/$USER/dconf as config_home_t
 +	gnome_manage_home_config_dirs(systemd_logind_t)
 +	gnome_manage_home_config(systemd_logind_t)
-+	gnome_list_gkeyringd_tmp_dirs(systemd_logind_t)
++	gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t)
 +	gnome_manage_gstreamer_home_dirs(systemd_logind_t)
 +')
 +
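Review bot: Replacing `gnome_list_gkeyringd_tmp_dirs(systemd_logind_t)` with `gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t)` widens logind from listing the keyring daemon's tmp directories to creating, renaming and deleting them, and the surrounding block only explains the dconf relabel (`# we label /run/user/$USER/dconf as config_home_t`). Presumably the need is that logind removes `/run/user/$UID` at session end and the keyring directory lives there; if so, a delete-only interface would be the least-privilege fit should gnome.if offer one, and in either case the reason belongs in a comment: `# logind tears down /run/user/$UID on logout, which holds gkeyringd's tmp dir`. The gnome interfaces are defined in the contrib patch and are not visible here, so the exact permission set behind `manage` should be checked there.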
@@ -144005,7 +144051,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..69b008a 100644
+index e720dcd..53ea674 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -146743,7 +146789,7 @@ index e720dcd..69b008a 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3296,3 +4153,1361 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4153,1365 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -146799,12 +146845,6 @@ index e720dcd..69b008a 100644
 +## <summary>
 +##  Define this type as a Allow apps to set rlimits on userdomain
 +## </summary>
-+## <param name="userdomain_prefix">
-+##  <summary>
-+##  The prefix of the user domain (e.g., user
-+##  is the prefix for user_t).
-+## </summary>
-+## </param>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
@@ -146815,11 +146855,11 @@ index e720dcd..69b008a 100644
 +    gen_require(`
 +        attribute unpriv_userdomain, userdomain;
 +    ')
-+    typeattribute $2  unpriv_userdomain;
-+    typeattribute $2  userdomain;
++    typeattribute $1  unpriv_userdomain;
++    typeattribute $1  userdomain;
 +
-+    auth_use_nsswitch($2)
-+    ubac_constrained($2)
++    auth_use_nsswitch($1)
++    ubac_constrained($1)
 +')
 +
 +########################################
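Review bot: The summary for `userdom_unpriv_type` is still the garbled `Define this type as a Allow apps to set rlimits on userdomain`, and now that the `userdomain_prefix` parameter is gone it is the only text describing the interface. Replace it with what the body does: `##	Make the domain an unprivileged user domain: add it to the unpriv_userdomain and userdomain attributes, let it use nsswitch, and place it under UBAC constraints.` The body also indents with four spaces where the rest of userdomain.if uses tabs; worth fixing while the interface is being rewritten. The one-argument form matches the updated call in unconfineduser.te earlier in this patch; any remaining two-argument callers would pass a role as `$1` and should fail at build time rather than silently.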
@@ -147159,6 +147199,11 @@ index e720dcd..69b008a 100644
 +##	The class of the object to be created.
 +##	</summary>
 +## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
 +#
 +interface(`userdom_admin_home_dir_filetrans',`
 +	gen_require(`
@@ -148097,6 +148142,11 @@ index e720dcd..69b008a 100644
 +##  The name of the object being created.
 +##  </summary>
 +## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
 +#
 +interface(`userdom_tmpfs_filetrans_to',`
 +    gen_require(`
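Review bot: The added `<param name="name" optional="true">` block for userdom_tmpfs_filetrans_to appears to duplicate the parameter documented by the three context lines just above it (`The name of the object being created.`, `</summary>`, `</param>`), so the interface header now documents `name` twice. If that existing block is indeed the `name` parameter, drop the new block and instead add `optional="true"` to the existing `<param>` opening line, which lies just above this hunk; the same change made a few hundred lines earlier for userdom_admin_home_dir_filetrans does not have this problem because that interface had no name parameter documented before.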
@@ -148106,7 +148156,7 @@ index e720dcd..69b008a 100644
 +	filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 6a4bd85..a8337e2 100644
+index 6a4bd85..4f23ca8 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.0)
@@ -148192,7 +148242,7 @@ index 6a4bd85..a8337e2 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -71,26 +81,121 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +81,122 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -148247,6 +148297,7 @@ index 6a4bd85..a8337e2 100644
 +')
 +
 +allow userdomain userdomain:process signull;
++allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;
 +
 +# Nautilus causes this avc
 +dontaudit unpriv_userdomain self:dir setattr;
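Review bot: `allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms` lets every user domain read and write pipes created by every other user domain once the descriptor has been inherited, and unlike the `# Nautilus causes this avc` note two lines below it carries no justification. If the userdomain attribute also covers privileged domains such as sysadm_t or unconfined_t, a user_t process holding an inherited pipe could read from or write to one of theirs, subject to whatever UBAC constraint applies to fifo_file, which is outside this hunk. Add a why-comment naming the transition that produces the inherited pipe, e.g. `# NOTE(review): pipes inherited across a userdomain-to-userdomain transition; record which program triggers the AVC`.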
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 20d2ada..8f424d4 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -2317,10 +2317,10 @@ index fd9fa07..12398f6 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index 6480167..f319eaf 100644
+index 6480167..7b2ad39 100644
 --- a/apache.if
 +++ b/apache.if
-@@ -13,62 +13,48 @@
+@@ -13,68 +13,55 @@
  #
  template(`apache_content_template',`
  	gen_require(`
@@ -2398,7 +2398,14 @@ index 6480167..f319eaf 100644
  	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
  	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
  
-@@ -86,40 +72,6 @@ template(`apache_content_template',`
+ 	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ 	read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ 	append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++	create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ 	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ 
+ 	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+@@ -86,40 +73,6 @@ template(`apache_content_template',`
  	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
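Review bot: `create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)` extends the read/append content type so that scripts may create new files in it, which the documentation of the `_ra_content_t` types elsewhere in apache_content_template presumably still describes as read-append only; the same addition for httpd_t follows in the next hunk. As far as create_files_pattern goes, existing files remain append-only since it grants no write permission, but that should be confirmed against the obj_perm_sets in use. A short comment above the line would make the intent reviewable: `# scripts may create new files in ra content dirs but only append to existing ones`. The enclosing apache_content_template starts before this hunk.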
@@ -2439,7 +2446,7 @@ index 6480167..f319eaf 100644
  
  	# Allow the web server to run scripts and serve pages
  	tunable_policy(`httpd_builtin_scripting',`
-@@ -128,68 +80,25 @@ template(`apache_content_template',`
+@@ -128,68 +81,26 @@ template(`apache_content_template',`
  		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  		rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  
@@ -2447,6 +2454,7 @@ index 6480167..f319eaf 100644
 +		allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
  		read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
  		append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++		create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
  		read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
  
 -		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
@@ -2513,7 +2521,7 @@ index 6480167..f319eaf 100644
  	')
  ')
  
-@@ -211,9 +120,8 @@ template(`apache_content_template',`
+@@ -211,9 +122,8 @@ template(`apache_content_template',`
  interface(`apache_role',`
  	gen_require(`
  		attribute httpdcontent;
@@ -2525,7 +2533,7 @@ index 6480167..f319eaf 100644
  	')
  
  	role $1 types httpd_user_script_t;
-@@ -234,6 +142,13 @@ interface(`apache_role',`
+@@ -234,6 +144,13 @@ interface(`apache_role',`
  	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  
@@ -2539,7 +2547,7 @@ index 6480167..f319eaf 100644
  	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -248,6 +163,9 @@ interface(`apache_role',`
+@@ -248,6 +165,9 @@ interface(`apache_role',`
  	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
  	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
  
@@ -2549,7 +2557,7 @@ index 6480167..f319eaf 100644
  	tunable_policy(`httpd_enable_cgi',`
  		# If a user starts a script by hand it gets the proper context
  		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -317,6 +235,25 @@ interface(`apache_domtrans',`
+@@ -317,6 +237,25 @@ interface(`apache_domtrans',`
  	domtrans_pattern($1, httpd_exec_t, httpd_t)
  ')
  
@@ -2575,7 +2583,7 @@ index 6480167..f319eaf 100644
  #######################################
  ## <summary>
  ##	Send a generic signal to apache.
-@@ -405,7 +342,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -405,7 +344,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
  		type httpd_t;
  	')
  
@@ -2584,7 +2592,7 @@ index 6480167..f319eaf 100644
  ')
  
  ########################################
-@@ -487,7 +424,7 @@ interface(`apache_setattr_cache_dirs',`
+@@ -487,7 +426,7 @@ interface(`apache_setattr_cache_dirs',`
  		type httpd_cache_t;
  	')
  
@@ -2593,7 +2601,7 @@ index 6480167..f319eaf 100644
  ')
  
  ########################################
-@@ -531,6 +468,25 @@ interface(`apache_rw_cache_files',`
+@@ -531,6 +470,25 @@ interface(`apache_rw_cache_files',`
  ########################################
  ## <summary>
  ##	Allow the specified domain to delete
@@ -2619,7 +2627,7 @@ index 6480167..f319eaf 100644
  ##	Apache cache.
  ## </summary>
  ## <param name="domain">
-@@ -549,6 +505,26 @@ interface(`apache_delete_cache_files',`
+@@ -549,6 +507,26 @@ interface(`apache_delete_cache_files',`
  
  ########################################
  ## <summary>
@@ -2646,7 +2654,35 @@ index 6480167..f319eaf 100644
  ##	Allow the specified domain to read
  ##	apache configuration files.
  ## </summary>
-@@ -683,6 +659,25 @@ interface(`apache_append_log',`
+@@ -641,6 +619,27 @@ interface(`apache_run_helper',`
+ 
+ ########################################
+ ## <summary>
++##	dontaudit attempts to read
++##	apache log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`apache_dontaudit_read_log',`
++	gen_require(`
++		type httpd_log_t;
++	')
++
++	dontaudit $1 httpd_log_t:file read_file_perms;
++	dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Allow the specified domain to read
+ ##	apache log files.
+ ## </summary>
+@@ -683,6 +682,25 @@ interface(`apache_append_log',`
  	append_files_pattern($1, httpd_log_t, httpd_log_t)
  ')
  
@@ -2672,7 +2708,7 @@ index 6480167..f319eaf 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to append to the
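Review bot: The new apache_dontaudit_read_log interface carries a `<rolecap/>` tag, which conventionally marks interfaces that hand a capability to a role and does not belong on an interface that only emits dontaudit rules; remove it. Its summary, `dontaudit attempts to read apache log files.`, should also follow the phrasing of the sibling interface visible at the end of this hunk, `Do not audit attempts to read apache log files.`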
-@@ -699,7 +694,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -699,7 +717,7 @@ interface(`apache_dontaudit_append_log',`
  		type httpd_log_t;
  	')
  
@@ -2681,7 +2717,7 @@ index 6480167..f319eaf 100644
  ')
  
  ########################################
-@@ -745,6 +740,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -745,6 +763,25 @@ interface(`apache_dontaudit_search_modules',`
  
  ########################################
  ## <summary>
@@ -2707,7 +2743,7 @@ index 6480167..f319eaf 100644
  ##	Allow the specified domain to list
  ##	the contents of the apache modules
  ##	directory.
-@@ -761,6 +775,7 @@ interface(`apache_list_modules',`
+@@ -761,6 +798,7 @@ interface(`apache_list_modules',`
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -2715,7 +2751,7 @@ index 6480167..f319eaf 100644
  ')
  
  ########################################
-@@ -802,6 +817,43 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -802,6 +840,43 @@ interface(`apache_domtrans_rotatelogs',`
  	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
  ')
  
@@ -2759,7 +2795,7 @@ index 6480167..f319eaf 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to list
-@@ -819,6 +871,7 @@ interface(`apache_list_sys_content',`
+@@ -819,6 +894,7 @@ interface(`apache_list_sys_content',`
  	')
  
  	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -2767,7 +2803,7 @@ index 6480167..f319eaf 100644
  	files_search_var($1)
  ')
  
-@@ -846,6 +899,74 @@ interface(`apache_manage_sys_content',`
+@@ -846,6 +922,74 @@ interface(`apache_manage_sys_content',`
  	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
  ')
  
@@ -2842,7 +2878,7 @@ index 6480167..f319eaf 100644
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -862,7 +983,12 @@ interface(`apache_manage_sys_content',`
+@@ -862,7 +1006,12 @@ interface(`apache_manage_sys_content',`
  interface(`apache_domtrans_sys_script',`
  	gen_require(`
  		attribute httpdcontent;
@@ -2856,7 +2892,7 @@ index 6480167..f319eaf 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1047,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -921,9 +1070,10 @@ interface(`apache_domtrans_all_scripts',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -2868,7 +2904,7 @@ index 6480167..f319eaf 100644
  #
  interface(`apache_run_all_scripts',`
  	gen_require(`
-@@ -950,7 +1077,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -950,7 +1100,7 @@ interface(`apache_read_squirrelmail_data',`
  		type httpd_squirrelmail_t;
  	')
  
@@ -2877,7 +2913,7 @@ index 6480167..f319eaf 100644
  ')
  
  ########################################
-@@ -1091,6 +1218,25 @@ interface(`apache_read_tmp_files',`
+@@ -1091,6 +1241,25 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -2903,7 +2939,7 @@ index 6480167..f319eaf 100644
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1107,7 +1253,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1107,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -2912,7 +2948,7 @@ index 6480167..f319eaf 100644
  ')
  
  ########################################
-@@ -1148,14 +1294,31 @@ interface(`apache_cgi_domain',`
+@@ -1148,14 +1317,31 @@ interface(`apache_cgi_domain',`
  
  ########################################
  ## <summary>
@@ -2948,7 +2984,7 @@ index 6480167..f319eaf 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1170,19 +1333,21 @@ interface(`apache_cgi_domain',`
+@@ -1170,19 +1356,21 @@ interface(`apache_cgi_domain',`
  #
  interface(`apache_admin',`
  	gen_require(`
@@ -2977,7 +3013,7 @@ index 6480167..f319eaf 100644
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 httpd_initrc_exec_t system_r;
-@@ -1191,10 +1356,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1379,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -2990,7 +3026,7 @@ index 6480167..f319eaf 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1370,106 @@ interface(`apache_admin',`
+@@ -1205,14 +1393,106 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -21161,10 +21197,10 @@ index 0000000..c4c7510
 +')
 diff --git a/firewalld.te b/firewalld.te
 new file mode 100644
-index 0000000..a172e15
+index 0000000..a7fcf3c
 --- /dev/null
 +++ b/firewalld.te
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,94 @@
 +
 +policy_module(firewalld,1.0.0)
 +
@@ -21240,6 +21276,10 @@ index 0000000..a172e15
 +    dbus_system_domain(firewalld_t, firewalld_exec_t)
 +
 +    optional_policy(`
++	devicekit_dbus_chat_power(firewalld_t)
++    ')
++
++    optional_policy(`
 +    	policykit_dbus_chat(firewalld_t)
 +    ')
 +
@@ -23411,10 +23451,10 @@ index 00a19e3..5a2dbfd 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index f5afe78..3105569 100644
+index f5afe78..6d054a2 100644
 --- a/gnome.if
 +++ b/gnome.if
-@@ -1,44 +1,1028 @@
+@@ -1,44 +1,1047 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -24103,7 +24143,7 @@ index f5afe78..3105569 100644
 +		type gconf_home_t;
 +	')
 +
-+	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
++	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
 +')
 +
 +########################################
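Review bot: The call now forwards a third argument, `$3`, to userdom_admin_home_dir_filetrans, so the enclosing gnome interface (its `interface(` line and doc header are above this hunk) takes an optional object-name parameter that its XML documentation most likely does not mention yet. Add the same block that userdomain.if gains in this commit, `## <param name="name" optional="true">` with the summary `The name of the object being created.`, to that interface's header so callers passing a name have it documented.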
@@ -24265,6 +24305,25 @@ index f5afe78..3105569 100644
 +	allow $1 gkeyringd_tmp_t:dir list_dir_perms;
 +')
 +
++#######################################
++## <summary>
++##  Manage gkeyringd temporary directories.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gnome_manage_gkeyringd_tmp_dirs',`
++    gen_require(`
++        type gkeyringd_tmp_t;
++    ')
++
++    files_search_tmp($1)
++	manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++')
++
 +########################################
 +## <summary>
 +##	search gconf homedir (.local)
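Review bot: gnome_manage_gkeyringd_tmp_dirs mixes four-space indentation in its `gen_require` block and `files_search_tmp` call with a tab before `manage_dirs_pattern`, while the neighbouring interfaces in this hunk indent with tabs; use tabs throughout. On scope, manage_dirs_pattern gives the caller create, delete and rename on gkeyringd_tmp_t directories, presumably what systemd-logind needs to clean up keyring directories on logout per the changelog, so the summary should say so rather than the bare `Manage`: `##  Create, delete and rename gkeyringd temporary directories.`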
@@ -24461,7 +24520,7 @@ index f5afe78..3105569 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +1030,91 @@ interface(`gnome_role',`
+@@ -46,37 +1049,91 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -24564,7 +24623,7 @@ index f5afe78..3105569 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +1122,107 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +1141,107 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -24683,7 +24742,7 @@ index f5afe78..3105569 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +1230,36 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1249,36 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -24724,7 +24783,7 @@ index f5afe78..3105569 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1267,279 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1286,279 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -31741,7 +31800,7 @@ index a4f32f5..628b63c 100644
  ##	in the caller domain.
  ## </summary>
 diff --git a/lpd.te b/lpd.te
-index a03b63a..330ee1d 100644
+index a03b63a..99e8d96 100644
 --- a/lpd.te
 +++ b/lpd.te
 @@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t)
@@ -31844,11 +31903,12 @@ index a03b63a..330ee1d 100644
  # for test print
  files_read_usr_files(lpr_t)
  #Added to cover read_content macro
-@@ -271,23 +266,24 @@ term_use_generic_ptys(lpr_t)
+@@ -271,23 +266,25 @@ term_use_generic_ptys(lpr_t)
  
  auth_use_nsswitch(lpr_t)
  
 -miscfiles_read_localization(lpr_t)
++miscfiles_read_fonts(lpr_t)
  
  userdom_read_user_tmp_symlinks(lpr_t)
  # Write to the user domain tty.
@@ -31875,7 +31935,7 @@ index a03b63a..330ee1d 100644
  	# Send SIGHUP to lpd.
  	allow lpr_t lpd_t:process signal;
  
-@@ -305,17 +301,7 @@ tunable_policy(`use_lpd_server',`
+@@ -305,17 +302,7 @@ tunable_policy(`use_lpd_server',`
  	read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
  ')
  
@@ -31894,7 +31954,7 @@ index a03b63a..330ee1d 100644
  
  optional_policy(`
  	cups_read_config(lpr_t)
-@@ -324,5 +310,13 @@ optional_policy(`
+@@ -324,5 +311,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36778,7 +36838,7 @@ index c358d8f..1cc176c 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index f17583b..dad742b 100644
+index f17583b..4188970 100644
 --- a/munin.te
 +++ b/munin.te
 @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -36985,11 +37045,15 @@ index f17583b..dad742b 100644
  	postgresql_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -286,6 +317,14 @@ optional_policy(`
+@@ -286,6 +317,18 @@ optional_policy(`
  	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
  ')
  
 +optional_policy(`
++	sssd_stream_connect(services_munin_plugin_t)
++')
++
++optional_policy(`
 +	varnishd_read_lib_files(services_munin_plugin_t)
 +')
 +
@@ -37000,7 +37064,7 @@ index f17583b..dad742b 100644
  ##################################
  #
  # local policy for system plugins
-@@ -295,12 +334,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,12 +338,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
  
  rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -37016,7 +37080,7 @@ index f17583b..dad742b 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +350,45 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +354,45 @@ init_read_utmp(system_munin_plugin_t)
  sysnet_exec_ifconfig(system_munin_plugin_t)
  
  term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -40876,10 +40940,10 @@ index ded9fb6..6b11681 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ntop_t)
 diff --git a/ntp.fc b/ntp.fc
-index e79dccc..e8d3e38 100644
+index e79dccc..2a3c6af 100644
 --- a/ntp.fc
 +++ b/ntp.fc
-@@ -10,6 +10,8 @@
+@@ -10,10 +10,14 @@
  
  /etc/rc\.d/init\.d/ntpd		--	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
  
@@ -40887,7 +40951,13 @@ index e79dccc..e8d3e38 100644
 +
  /usr/sbin/ntpd			--	gen_context(system_u:object_r:ntpd_exec_t,s0)
  /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
++/usr/sbin/sntp			--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
  
+ /var/lib/ntp(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/sntp-kod(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
+ 
+ /var/log/ntp.*			--	gen_context(system_u:object_r:ntpd_log_t,s0)
+ /var/log/ntpstats(/.*)?			gen_context(system_u:object_r:ntpd_log_t,s0)
 diff --git a/ntp.if b/ntp.if
 index e80f8c0..0044e73 100644
 --- a/ntp.if
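Review bot: `/usr/sbin/sntp` is labeled ntpdate_exec_t, so sntp runs in ntpdate_t, yet the only new rule on ntp_drift_t in this commit, `manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)` further down in ntp.te, is for ntpd_t; whether ntpdate_t may create and write the KoD database under the newly labeled `/var/lib/sntp-kod(/.*)?` is not visible here and should be confirmed. If ntpdate_t lacks it, sntp's KoD tracking will fail in enforcing mode with a denial on ntp_drift_t. A comment on the fc line would record the intent: `# sntp kiss-o'-death database; written by ntpdate_t`.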
@@ -40996,7 +41066,7 @@ index e80f8c0..0044e73 100644
 +	allow $1 ntpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ntp.te b/ntp.te
-index c61adc8..374883b 100644
+index c61adc8..cb20a9d 100644
 --- a/ntp.te
 +++ b/ntp.te
 @@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t)
@@ -41009,7 +41079,15 @@ index c61adc8..374883b 100644
  type ntpd_key_t;
  files_type(ntpd_key_t)
  
-@@ -78,7 +81,6 @@ kernel_read_system_state(ntpd_t)
+@@ -50,6 +53,7 @@ allow ntpd_t self:unix_stream_socket create_socket_perms;
+ allow ntpd_t self:tcp_socket create_stream_socket_perms;
+ allow ntpd_t self:udp_socket create_socket_perms;
+ 
++manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+ 
+ can_exec(ntpd_t, ntpd_exec_t)
+@@ -78,7 +82,6 @@ kernel_read_system_state(ntpd_t)
  kernel_read_network_state(ntpd_t)
  kernel_request_load_module(ntpd_t)
  
@@ -41017,7 +41095,7 @@ index c61adc8..374883b 100644
  corenet_all_recvfrom_netlabel(ntpd_t)
  corenet_tcp_sendrecv_generic_if(ntpd_t)
  corenet_udp_sendrecv_generic_if(ntpd_t)
-@@ -96,11 +98,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
+@@ -96,11 +99,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
  dev_read_sysfs(ntpd_t)
  # for SSP
  dev_read_urand(ntpd_t)
@@ -41033,7 +41111,7 @@ index c61adc8..374883b 100644
  
  auth_use_nsswitch(ntpd_t)
  
-@@ -110,7 +116,6 @@ corecmd_exec_shell(ntpd_t)
+@@ -110,7 +117,6 @@ corecmd_exec_shell(ntpd_t)
  domain_use_interactive_fds(ntpd_t)
  domain_dontaudit_list_all_domains_state(ntpd_t)
  
@@ -41041,7 +41119,7 @@ index c61adc8..374883b 100644
  files_read_etc_runtime_files(ntpd_t)
  files_read_usr_files(ntpd_t)
  files_list_var_lib(ntpd_t)
-@@ -119,7 +124,6 @@ init_exec_script_files(ntpd_t)
+@@ -119,7 +125,6 @@ init_exec_script_files(ntpd_t)
  
  logging_send_syslog_msg(ntpd_t)
  
@@ -42773,10 +42851,10 @@ index 0000000..6e20e72
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..8ddece6
+index 0000000..a33452e
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,378 @@
+@@ -0,0 +1,379 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -43031,6 +43109,7 @@ index 0000000..8ddece6
 +	apache_read_sys_content(openshift_domain)
 +	apache_exec_sys_script(openshift_domain)
 +	apache_entrypoint(openshift_domain)
++	apache_dontaudit_read_log(openshift_domain)
 +')
 +
 +optional_policy(`
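Review bot: `apache_dontaudit_read_log(openshift_domain)` silences read denials on httpd_log_t for every domain carrying the openshift_domain attribute, so a gear that genuinely needs its own apache logs will fail with no audit trace. Nothing in the hunk records which program makes the read attempt or why the denial is considered harmless, which is what a later reviewer needs before deciding whether to widen or drop the dontaudit. Add a comment above the call, e.g. `# NOTE(review): silences httpd_log_t read attempts from gears; record which program triggers them`.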
@@ -43323,10 +43402,10 @@ index 0000000..baf8d21
 +/etc/openvswitch(/.*)?		gen_context(system_u:object_r:openvswitch_rw_t,s0)
 diff --git a/openvswitch.if b/openvswitch.if
 new file mode 100644
-index 0000000..e2c300a
+index 0000000..14f29e4
 --- /dev/null
 +++ b/openvswitch.if
-@@ -0,0 +1,247 @@
+@@ -0,0 +1,242 @@
 +
 +## <summary>policy for openvswitch</summary>
 +
@@ -43538,11 +43617,6 @@ index 0000000..e2c300a
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
 +## <rolecap/>
 +#
 +interface(`openvswitch_admin',`
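Review bot: The `role` parameter documentation is dropped from openvswitch_admin, but whether the interface body, which follows this hunk, still uses a second argument for `role_transition` or a `*_role` call is not visible here. If it does, the header now understates the signature and the param block should be restored; if the body was changed to take only the domain, then any remaining `$2` in it expands to an empty string and the affected rule is either dropped or becomes a syntax error, so the body should be checked for stray `$2` references.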
@@ -45954,10 +46028,10 @@ index 0000000..83c13cf
 +
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..9b7b637
+index 0000000..dfebbd9
 --- /dev/null
 +++ b/pki.te
-@@ -0,0 +1,288 @@
+@@ -0,0 +1,289 @@
 +policy_module(pki,10.0.11)
 +
 +########################################
@@ -46074,6 +46148,7 @@ index 0000000..9b7b637
 +corenet_tcp_connect_ldap_port(pki_tomcat_t)
 +corenet_tcp_connect_smtp_port(pki_tomcat_t)
 +corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
++corenet_tcp_connect_ldap_port(pki_tomcat_t)
 +
 +selinux_get_enforce_mode(pki_tomcat_t)
 +
@@ -49436,6 +49511,32 @@ index ec0e76a..62af9a4 100644
  /var/log/prelink(/.*)?			gen_context(system_u:object_r:prelink_log_t,s0)
  
  /var/lib/misc/prelink.*		--	gen_context(system_u:object_r:prelink_var_lib_t,s0)
+diff --git a/prelink.if b/prelink.if
+index 93ec175..e6605c1 100644
+--- a/prelink.if
++++ b/prelink.if
+@@ -202,3 +202,21 @@ interface(`prelink_relabel_lib',`
+ 	files_search_var_lib($1)
+ 	relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+ ')
++
++########################################
++## <summary>
++##	Transition to prelink named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`prelink_filetrans_named_content',`
++	gen_require(`
++		type prelink_cache_t;
++	')
++
++	files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
++')
 diff --git a/prelink.te b/prelink.te
 index af55369..9f1d1b5 100644
 --- a/prelink.te
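Review bot: prelink_filetrans_named_content is documented only as `Transition to prelink named content`, which leaves a caller to guess what it grants; if files_etc_filetrans expands to filetrans_pattern as in refpolicy, it gives the caller add/remove on etc_t directories plus the `prelink.cache` type_transition, but no create or write on prelink_cache_t itself, so the caller must obtain those separately. Say so in the summary: `Create prelink.cache in /etc with the prelink_cache_t label; the caller still needs create/write access to prelink_cache_t.` The `##      Domain allowed access.` line also indents with spaces where the surrounding interface docs use a tab.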
@@ -55268,16 +55369,17 @@ index 93c896a..8aa7362 100644
 +')
 diff --git a/rhev.fc b/rhev.fc
 new file mode 100644
-index 0000000..48beae9
+index 0000000..3edbd2e
 --- /dev/null
 +++ b/rhev.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,9 @@
 +/usr/share/rhev-agent/rhev-agentd\.py	--	gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
 +/usr/share/ovirt-guest-agent	--	 gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
 +
 +/usr/lib/systemd/system/ovirt-guest-agent.*  --              gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
 +
 +/var/run/rhev-agentd\.pid		--	gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
++/var/run/ovirt-guest-agent\.pid --  gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
 +
 +/var/log/rhev-agent(/.*)?           gen_context(system_u:object_r:rhev_agentd_log_t,s0)
 diff --git a/rhev.if b/rhev.if
@@ -55751,7 +55853,7 @@ index 137605a..fd40b90 100644
 +	')
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 783f678..414434d 100644
+index 783f678..14193ca 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -55764,7 +55866,7 @@ index 783f678..414434d 100644
  allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
  allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -43,17 +46,35 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+@@ -43,17 +46,36 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  
  manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
  manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
@@ -55779,6 +55881,7 @@ index 783f678..414434d 100644
  
 +dev_read_rand(rhsmcertd_t)
  dev_read_urand(rhsmcertd_t)
++dev_read_sysfs(rhsmcertd_t)
  
  files_read_etc_files(rhsmcertd_t)
  files_read_usr_files(rhsmcertd_t)
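Review bot: `dev_read_sysfs(rhsmcertd_t)` grants read on the whole sysfs tree, far wider than the single `physical_package_id` attribute the changelog cites as the reason; if no narrower interface exists this is the usual choice, but the reason should be recorded next to the line so the grant can be revisited: `# reads physical_package_id (cpu topology) under /sys`. Whether rhsmcertd_t already has the search access needed to reach that path is not visible here.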
@@ -58680,7 +58783,7 @@ index 82cb169..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 905883f..7339ebc 100644
+index 905883f..7e70344 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
@@ -58727,7 +58830,11 @@ index 905883f..7339ebc 100644
  type winbind_var_run_t;
  files_pid_file(winbind_var_run_t)
  
-@@ -184,8 +192,8 @@ manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+@@ -181,11 +189,12 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+ manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
+ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
++files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
  
  kernel_read_proc_symlinks(samba_net_t)
  kernel_read_system_state(samba_net_t)
@@ -58737,7 +58844,7 @@ index 905883f..7339ebc 100644
  corenet_all_recvfrom_netlabel(samba_net_t)
  corenet_tcp_sendrecv_generic_if(samba_net_t)
  corenet_udp_sendrecv_generic_if(samba_net_t)
-@@ -203,7 +211,6 @@ dev_read_urand(samba_net_t)
+@@ -203,7 +212,6 @@ dev_read_urand(samba_net_t)
  
  domain_use_interactive_fds(samba_net_t)
  
@@ -58745,7 +58852,7 @@ index 905883f..7339ebc 100644
  files_read_usr_symlinks(samba_net_t)
  
  auth_use_nsswitch(samba_net_t)
-@@ -211,15 +218,16 @@ auth_manage_cache(samba_net_t)
+@@ -211,15 +219,16 @@ auth_manage_cache(samba_net_t)
  
  logging_send_syslog_msg(samba_net_t)
  
@@ -58766,7 +58873,7 @@ index 905883f..7339ebc 100644
  ')
  
  optional_policy(`
-@@ -228,13 +236,15 @@ optional_policy(`
+@@ -228,13 +237,15 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_use(samba_net_t)
@@ -58783,7 +58890,7 @@ index 905883f..7339ebc 100644
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
-@@ -244,6 +254,7 @@ allow smbd_t self:msg { send receive };
+@@ -244,6 +255,7 @@ allow smbd_t self:msg { send receive };
  allow smbd_t self:msgq create_msgq_perms;
  allow smbd_t self:sem create_sem_perms;
  allow smbd_t self:shm create_shm_perms;
@@ -58791,7 +58898,7 @@ index 905883f..7339ebc 100644
  allow smbd_t self:sock_file read_sock_file_perms;
  allow smbd_t self:tcp_socket create_stream_socket_perms;
  allow smbd_t self:udp_socket create_socket_perms;
-@@ -253,6 +264,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -253,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow smbd_t nmbd_t:process { signal signull };
  
  allow smbd_t nmbd_var_run_t:file rw_file_perms;
@@ -58799,7 +58906,7 @@ index 905883f..7339ebc 100644
  
  allow smbd_t samba_etc_t:file { rw_file_perms setattr };
  
-@@ -267,12 +279,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -267,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
  manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -58810,11 +58917,11 @@ index 905883f..7339ebc 100644
  manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
-+files_var_filetrans(smbd_t, samba_var_t, dir)
++files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
  
  allow smbd_t smbcontrol_t:process { signal signull };
  
-@@ -283,7 +296,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -283,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
  manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -58823,7 +58930,7 @@ index 905883f..7339ebc 100644
  
  allow smbd_t swat_t:process signal;
  
-@@ -302,7 +315,6 @@ kernel_read_system_state(smbd_t)
+@@ -302,7 +316,6 @@ kernel_read_system_state(smbd_t)
  corecmd_exec_shell(smbd_t)
  corecmd_exec_bin(smbd_t)
  
@@ -58831,7 +58938,7 @@ index 905883f..7339ebc 100644
  corenet_all_recvfrom_netlabel(smbd_t)
  corenet_tcp_sendrecv_generic_if(smbd_t)
  corenet_udp_sendrecv_generic_if(smbd_t)
-@@ -320,6 +332,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
+@@ -320,6 +333,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
  
  dev_read_sysfs(smbd_t)
  dev_read_urand(smbd_t)
@@ -58839,7 +58946,7 @@ index 905883f..7339ebc 100644
  dev_getattr_mtrr_dev(smbd_t)
  dev_dontaudit_getattr_usbfs_dirs(smbd_t)
  # For redhat bug 566984
-@@ -327,26 +340,29 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -327,26 +341,29 @@ dev_getattr_all_blk_files(smbd_t)
  dev_getattr_all_chr_files(smbd_t)
  
  fs_getattr_all_fs(smbd_t)
@@ -58870,7 +58977,7 @@ index 905883f..7339ebc 100644
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -355,9 +371,10 @@ init_rw_utmp(smbd_t)
+@@ -355,9 +372,10 @@ init_rw_utmp(smbd_t)
  logging_search_logs(smbd_t)
  logging_send_syslog_msg(smbd_t)
  
@@ -58882,7 +58989,7 @@ index 905883f..7339ebc 100644
  userdom_use_unpriv_users_fds(smbd_t)
  userdom_search_user_home_content(smbd_t)
  userdom_signal_all_users(smbd_t)
-@@ -372,8 +389,13 @@ ifdef(`hide_broken_symptoms', `
+@@ -372,8 +390,13 @@ ifdef(`hide_broken_symptoms', `
  	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
  ')
  
@@ -58897,7 +59004,7 @@ index 905883f..7339ebc 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -389,12 +411,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -389,12 +412,7 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -58911,7 +59018,7 @@ index 905883f..7339ebc 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -415,6 +432,15 @@ tunable_policy(`samba_share_fusefs',`
+@@ -415,6 +433,15 @@ tunable_policy(`samba_share_fusefs',`
  ')
  
  optional_policy(`
@@ -58927,7 +59034,7 @@ index 905883f..7339ebc 100644
  	cups_read_rw_config(smbd_t)
  	cups_stream_connect(smbd_t)
  ')
-@@ -426,6 +452,7 @@ optional_policy(`
+@@ -426,6 +453,7 @@ optional_policy(`
  
  optional_policy(`
  	ldap_stream_connect(smbd_t)
@@ -58935,7 +59042,7 @@ index 905883f..7339ebc 100644
  ')
  
  optional_policy(`
-@@ -452,26 +479,26 @@ optional_policy(`
+@@ -452,26 +480,26 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -58974,7 +59081,7 @@ index 905883f..7339ebc 100644
  ########################################
  #
  # nmbd Local policy
-@@ -491,8 +518,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -491,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -58987,14 +59094,14 @@ index 905883f..7339ebc 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -501,11 +531,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
+@@ -501,11 +532,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
  manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
  
  manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 +manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 +manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 +manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-+files_var_filetrans(nmbd_t, samba_var_t, dir)
++files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
  
  allow nmbd_t smbcontrol_t:process signal;
  
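Review bot: The inner hunk adds `manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)` directly beneath an identical line that is already there, so the new side carries the rule twice; drop the added copy and keep only the `manage_lnk_files_pattern` and `manage_sock_files_pattern` additions. Switching to `files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")` is the right direction, since the unnamed transition it replaces would have relabelled every directory nmbd creates under var_t as samba_var_t. Note that with the name argument only a directory literally called `samba` gets the transition; anything else nmbd creates in a var_t directory stays var_t, which is presumably the intent. The nmbd_t block continues outside this hunk.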
@@ -59003,7 +59110,7 @@ index 905883f..7339ebc 100644
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
  kernel_read_kernel_sysctls(nmbd_t)
-@@ -513,7 +545,6 @@ kernel_read_network_state(nmbd_t)
+@@ -513,7 +546,6 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -59011,7 +59118,7 @@ index 905883f..7339ebc 100644
  corenet_all_recvfrom_netlabel(nmbd_t)
  corenet_tcp_sendrecv_generic_if(nmbd_t)
  corenet_udp_sendrecv_generic_if(nmbd_t)
-@@ -536,7 +567,6 @@ fs_search_auto_mountpoints(nmbd_t)
+@@ -536,7 +568,6 @@ fs_search_auto_mountpoints(nmbd_t)
  domain_use_interactive_fds(nmbd_t)
  
  files_read_usr_files(nmbd_t)
@@ -59019,7 +59126,7 @@ index 905883f..7339ebc 100644
  files_list_var_lib(nmbd_t)
  
  auth_use_nsswitch(nmbd_t)
-@@ -544,12 +574,14 @@ auth_use_nsswitch(nmbd_t)
+@@ -544,12 +575,14 @@ auth_use_nsswitch(nmbd_t)
  logging_search_logs(nmbd_t)
  logging_send_syslog_msg(nmbd_t)
  
@@ -59036,7 +59143,7 @@ index 905883f..7339ebc 100644
  	seutil_sigchld_newrole(nmbd_t)
  ')
  
-@@ -562,18 +594,21 @@ optional_policy(`
+@@ -562,18 +595,21 @@ optional_policy(`
  # smbcontrol local policy
  #
  
@@ -59062,7 +59169,7 @@ index 905883f..7339ebc 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -581,11 +616,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -581,11 +617,19 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
@@ -59070,22 +59177,22 @@ index 905883f..7339ebc 100644
 +dev_read_urand(smbcontrol_t)
 +
 +files_read_usr_files(smbcontrol_t)
++
++term_use_console(smbcontrol_t)
++
++sysnet_use_ldap(smbcontrol_t)
  
 -miscfiles_read_localization(smbcontrol_t)
-+term_use_console(smbcontrol_t)
++userdom_use_inherited_user_terminals(smbcontrol_t)
  
 -userdom_use_user_terminals(smbcontrol_t)
-+sysnet_use_ldap(smbcontrol_t)
-+
-+userdom_use_inherited_user_terminals(smbcontrol_t)
-+
 +optional_policy(`
 +	ctdbd_stream_connect(smbcontrol_t)
 +')
  
  ########################################
  #
-@@ -604,7 +647,7 @@ allow smbmount_t samba_etc_t:file read_file_perms;
+@@ -604,18 +648,20 @@ allow smbmount_t samba_etc_t:file read_file_perms;
  
  can_exec(smbmount_t, smbmount_exec_t)
  
@@ -59094,7 +59201,13 @@ index 905883f..7339ebc 100644
  allow smbmount_t samba_log_t:file manage_file_perms;
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -615,7 +658,6 @@ files_list_var_lib(smbmount_t)
+ 
++manage_dirs_pattern(smbmount_t, samba_var_t, samba_var_t)
+ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
++files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
++
+ files_list_var_lib(smbmount_t)
  
  kernel_read_system_state(smbmount_t)
  
@@ -59102,7 +59215,7 @@ index 905883f..7339ebc 100644
  corenet_all_recvfrom_netlabel(smbmount_t)
  corenet_tcp_sendrecv_generic_if(smbmount_t)
  corenet_raw_sendrecv_generic_if(smbmount_t)
-@@ -645,31 +687,32 @@ files_list_mnt(smbmount_t)
+@@ -645,31 +691,32 @@ files_list_mnt(smbmount_t)
  files_mounton_mnt(smbmount_t)
  files_manage_etc_runtime_files(smbmount_t)
  files_etc_filetrans_etc_runtime(smbmount_t, file)
@@ -59140,7 +59253,7 @@ index 905883f..7339ebc 100644
  allow swat_t self:process { setrlimit signal_perms };
  allow swat_t self:fifo_file rw_fifo_file_perms;
  allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -684,7 +727,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -684,7 +731,8 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -59150,10 +59263,13 @@ index 905883f..7339ebc 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -699,12 +743,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -698,13 +746,17 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+ 
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
++manage_dirs_pattern(swat_t, samba_var_t, samba_var_t)
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
++files_var_filetrans(swat_t, samba_var_t, dir, "samba")
 +files_list_var_lib(swat_t)
  
  allow swat_t smbd_exec_t:file mmap_file_perms ;
@@ -59165,7 +59281,7 @@ index 905883f..7339ebc 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -717,6 +763,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -717,6 +769,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -59173,7 +59289,7 @@ index 905883f..7339ebc 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -726,7 +773,6 @@ kernel_read_network_state(swat_t)
+@@ -726,7 +779,6 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -59181,7 +59297,7 @@ index 905883f..7339ebc 100644
  corenet_all_recvfrom_netlabel(swat_t)
  corenet_tcp_sendrecv_generic_if(swat_t)
  corenet_udp_sendrecv_generic_if(swat_t)
-@@ -744,7 +790,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
+@@ -744,7 +796,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
  dev_read_urand(swat_t)
  
  files_list_var_lib(swat_t)
@@ -59189,7 +59305,7 @@ index 905883f..7339ebc 100644
  files_search_home(swat_t)
  files_read_usr_files(swat_t)
  fs_getattr_xattr_fs(swat_t)
-@@ -759,7 +804,10 @@ logging_send_syslog_msg(swat_t)
+@@ -759,7 +810,10 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -59201,7 +59317,7 @@ index 905883f..7339ebc 100644
  
  optional_policy(`
  	cups_read_rw_config(swat_t)
-@@ -790,7 +838,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -790,7 +844,8 @@ allow winbind_t self:udp_socket create_socket_perms;
  
  allow winbind_t nmbd_t:process { signal signull };
  
@@ -59211,7 +59327,16 @@ index 905883f..7339ebc 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -813,21 +862,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,6 +861,8 @@ manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
+ manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
+ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
++manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
++files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+ files_list_var_lib(winbind_t)
+ 
+ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -813,21 +870,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -59245,7 +59370,7 @@ index 905883f..7339ebc 100644
  corenet_all_recvfrom_netlabel(winbind_t)
  corenet_tcp_sendrecv_generic_if(winbind_t)
  corenet_udp_sendrecv_generic_if(winbind_t)
-@@ -840,12 +894,15 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -840,12 +902,15 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -59261,7 +59386,7 @@ index 905883f..7339ebc 100644
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
  
-@@ -855,12 +912,14 @@ auth_manage_cache(winbind_t)
+@@ -855,12 +920,14 @@ auth_manage_cache(winbind_t)
  
  domain_use_interactive_fds(winbind_t)
  
@@ -59278,7 +59403,7 @@ index 905883f..7339ebc 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -871,6 +930,15 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -871,6 +938,15 @@ userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
  optional_policy(`
@@ -59294,7 +59419,7 @@ index 905883f..7339ebc 100644
  	kerberos_use(winbind_t)
  ')
  
-@@ -909,9 +977,7 @@ auth_use_nsswitch(winbind_helper_t)
+@@ -909,9 +985,7 @@ auth_use_nsswitch(winbind_helper_t)
  
  logging_send_syslog_msg(winbind_helper_t)
  
@@ -59305,7 +59430,7 @@ index 905883f..7339ebc 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -929,19 +995,34 @@ optional_policy(`
+@@ -929,19 +1003,34 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -61428,7 +61553,7 @@ index 7e94c7c..ca74cd9 100644
 +	admin_pattern($1, mail_spool_t)
 +')
 diff --git a/sendmail.te b/sendmail.te
-index 22dac1f..8bc4eff 100644
+index 22dac1f..a536819 100644
 --- a/sendmail.te
 +++ b/sendmail.te
 @@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -61471,7 +61596,7 @@ index 22dac1f..8bc4eff 100644
  
  auth_use_nsswitch(sendmail_t)
  
-@@ -100,10 +99,9 @@ logging_send_syslog_msg(sendmail_t)
+@@ -100,10 +99,10 @@ logging_send_syslog_msg(sendmail_t)
  logging_dontaudit_write_generic_logs(sendmail_t)
  
  miscfiles_read_generic_certs(sendmail_t)
@@ -61480,10 +61605,11 @@ index 22dac1f..8bc4eff 100644
  userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
 -userdom_dontaudit_search_user_home_dirs(sendmail_t)
 +userdom_read_user_home_content_files(sendmail_t)
++userdom_dontaudit_list_user_home_dirs(sendmail_t)
  
  mta_read_config(sendmail_t)
  mta_etc_filetrans_aliases(sendmail_t)
-@@ -115,6 +113,10 @@ mta_manage_spool(sendmail_t)
+@@ -115,6 +114,10 @@ mta_manage_spool(sendmail_t)
  mta_sendmail_exec(sendmail_t)
  
  optional_policy(`
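Review bot: `userdom_dontaudit_list_user_home_dirs(sendmail_t)` is added immediately after `userdom_read_user_home_content_files(sendmail_t)`; if that read interface already grants `list_dir_perms` on user_home_dir_t, as the refpolicy version does, the dontaudit is a no-op, and if Fedora's version does not, silencing the denial removes the only signal that sendmail is enumerating home directories. Either way the rule should carry a comment naming the access it hides, e.g. `# presumably ~/.forward lookups; dontaudit the listing rather than allow it`, so a later `semodule -DB` audit has context. The commit message describes a leaked file descriptor, which nothing in this hunk touches. The sendmail_t block continues outside this hunk.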
@@ -61494,7 +61620,7 @@ index 22dac1f..8bc4eff 100644
  	cron_read_pipes(sendmail_t)
  ')
  
-@@ -128,7 +130,14 @@ optional_policy(`
+@@ -128,7 +131,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61509,7 +61635,7 @@ index 22dac1f..8bc4eff 100644
  ')
  
  optional_policy(`
-@@ -149,7 +158,14 @@ optional_policy(`
+@@ -149,7 +159,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61524,7 +61650,7 @@ index 22dac1f..8bc4eff 100644
  	postfix_read_config(sendmail_t)
  	postfix_search_spool(sendmail_t)
  ')
-@@ -168,20 +184,13 @@ optional_policy(`
+@@ -168,20 +185,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -68088,10 +68214,24 @@ index 904f13e..5801347 100644
 +	')
  ')
 diff --git a/tor.te b/tor.te
-index c842cad..a0c42c1 100644
+index c842cad..a655e4c 100644
 --- a/tor.te
 +++ b/tor.te
-@@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t)
+@@ -13,6 +13,13 @@ policy_module(tor, 1.8.0)
+ ## </desc>
+ gen_tunable(tor_bind_all_unreserved_ports, false)
+ 
++## <desc>
++## <p>
++## Allow tor to act as a relay
++## </p>
++## </desc>
++gen_tunable(tor_can_network_relay, false)
++
+ type tor_t;
+ type tor_exec_t;
+ init_daemon_domain(tor_t, tor_exec_t)
+@@ -36,12 +43,16 @@ logging_log_file(tor_var_log_t)
  type tor_var_run_t;
  files_pid_file(tor_var_run_t)
  
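Review bot: The `<desc>` for the new `tor_can_network_relay` tunable says only "Allow tor to act as a relay", which is what `semanage boolean -l` will show an administrator and does not tell them what turning it on exposes. State the grant in the description, e.g. `## Allow tor to act as a relay: bind the http port and connect to ephemeral ports`, so the exposure is visible without reading the .te file. The tor_t rules the tunable gates are in a later hunk.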
@@ -68108,18 +68248,19 @@ index c842cad..a0c42c1 100644
  allow tor_t self:fifo_file rw_fifo_file_perms;
  allow tor_t self:unix_stream_socket create_stream_socket_perms;
  allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -73,9 +77,9 @@ manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+@@ -73,9 +84,10 @@ manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
  files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
  
  kernel_read_system_state(tor_t)
 +kernel_read_net_sysctls(tor_t)
++kernel_read_kernel_sysctls(tor_t)
  
  # networking basics
 -corenet_all_recvfrom_unlabeled(tor_t)
  corenet_all_recvfrom_netlabel(tor_t)
  corenet_tcp_sendrecv_generic_if(tor_t)
  corenet_udp_sendrecv_generic_if(tor_t)
-@@ -87,6 +91,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+@@ -87,6 +99,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
  corenet_tcp_bind_generic_node(tor_t)
  corenet_udp_bind_generic_node(tor_t)
  corenet_tcp_bind_tor_port(tor_t)
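Review bot: `kernel_read_kernel_sysctls(tor_t)` grants read on all of sysctl_kernel_t (everything under /proc/sys/kernel), which is broader than the single `/proc/sys/kernel/random/uuid` read the changelog describes. If this policy has no narrower interface for the random sysctls that is acceptable, but the real need should be recorded next to the rule so the grant is not taken as licence for more later: `# /proc/sys/kernel/random/uuid; no narrower interface than kernel_read_kernel_sysctls`. The tor_t block continues outside this hunk.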
@@ -68127,7 +68268,7 @@ index c842cad..a0c42c1 100644
  corenet_udp_bind_dns_port(tor_t)
  corenet_sendrecv_tor_server_packets(tor_t)
  corenet_sendrecv_dns_server_packets(tor_t)
-@@ -95,13 +100,14 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -95,13 +108,14 @@ corenet_tcp_connect_all_ports(tor_t)
  corenet_sendrecv_all_client_packets(tor_t)
  # ... especially including port 80 and other privileged ports
  corenet_tcp_connect_all_reserved_ports(tor_t)
@@ -68143,7 +68284,7 @@ index c842cad..a0c42c1 100644
  files_read_etc_runtime_files(tor_t)
  files_read_usr_files(tor_t)
  
-@@ -109,8 +115,6 @@ auth_use_nsswitch(tor_t)
+@@ -109,12 +123,16 @@ auth_use_nsswitch(tor_t)
  
  logging_send_syslog_msg(tor_t)
  
@@ -68152,6 +68293,16 @@ index c842cad..a0c42c1 100644
  tunable_policy(`tor_bind_all_unreserved_ports', `
  	corenet_tcp_bind_all_unreserved_ports(tor_t)
  ')
+ 
++tunable_policy(`tor_can_network_relay',`
++    # allow httpd to work as a relay
++	corenet_tcp_connect_all_ephemeral_ports(tor_t)
++	corenet_tcp_bind_http_port(tor_t)
++')
++
+ optional_policy(`
+ 	seutil_sigchld_newrole(tor_t)
+ ')
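Review bot: Inside the new `tor_can_network_relay` block, `corenet_tcp_connect_all_ephemeral_ports(tor_t)` is already covered unconditionally by the `corenet_tcp_connect_all_ports(tor_t)` rule shown as context in the earlier `@@ -95,13` hunk header, so the boolean effectively gates only `corenet_tcp_bind_http_port(tor_t)`; drop the redundant line, or if the intent is to make outbound connects conditional, move the all-ports rule under the boolean instead. The comment `# allow httpd to work as a relay` names the wrong domain and is indented with spaces while the rules beneath it use tabs; `# allow tor to bind the http port when acting as a relay`, tab-indented, would match the file. The enclosing tor_t block starts outside this hunk.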
 diff --git a/transproxy.te b/transproxy.te
 index 95cf0c0..f191f8a 100644
 --- a/transproxy.te
@@ -68276,7 +68427,7 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/tuned.te b/tuned.te
-index db9d2a5..6c25856 100644
+index db9d2a5..0c1d7e7 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -68292,7 +68443,7 @@ index db9d2a5..6c25856 100644
  type tuned_log_t;
  logging_log_file(tuned_log_t)
  
-@@ -22,43 +28,80 @@ files_pid_file(tuned_var_run_t)
+@@ -22,43 +28,84 @@ files_pid_file(tuned_var_run_t)
  #
  # tuned local policy
  #
@@ -68344,14 +68495,17 @@ index db9d2a5..6c25856 100644
  files_read_usr_files(tuned_t)
  files_dontaudit_search_home(tuned_t)
 +files_list_tmp(tuned_t)
- 
--logging_send_syslog_msg(tuned_t)
++
 +fs_getattr_all_fs(tuned_t)
 +
 +auth_use_nsswitch(tuned_t)
  
+ logging_send_syslog_msg(tuned_t)
+ 
 -miscfiles_read_localization(tuned_t)
-+logging_send_syslog_msg(tuned_t)
++mount_read_pid_files(tuned_t)
++
++udev_read_pid_files(tuned_t)
  
  userdom_dontaudit_search_user_home_dirs(tuned_t)
  
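Review bot: `mount_read_pid_files(tuned_t)` and `udev_read_pid_files(tuned_t)` call into the mount and udev modules unconditionally; refpolicy convention is to wrap calls into a module that is not guaranteed to be in base in `optional_policy(`...')` so tuned still links when that module is absent. If both are base modules in this build the bare calls are fine, but the pair should then carry the reason they were added, e.g. `# lsblk: presumably libmount/libudev lookups under /run`, since nothing else in the hunk says why tuned needs udev's runtime database. The tuned_t block continues outside this hunk.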
@@ -69755,7 +69909,7 @@ index 2124b6a..e55e393 100644
 +/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 6f0736b..490101e 100644
+index 6f0736b..2e6c056 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -13,67 +13,30 @@
@@ -69789,16 +69943,16 @@ index 6f0736b..490101e 100644
  
 -	type $1_tmpfs_t;
 -	files_tmpfs_file($1_tmpfs_t)
--
++	auth_read_passwd($1_t)
+ 
 -	type $1_image_t, virt_image_type;
 -	files_type($1_image_t)
 -	dev_node($1_image_t)
-+	auth_use_nsswitch($1_t)
++	logging_send_syslog_msg($1_t)
  
 -	type $1_var_run_t;
 -	files_pid_file($1_var_run_t)
-+	logging_send_syslog_msg($1_t)
- 
+-
 -	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
 +	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
  	term_create_pty($1_t, $1_devpts_t)
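Review bot: Replacing `auth_use_nsswitch($1_t)` with `auth_read_passwd($1_t)` in the template is the right least-privilege move, since it stops every guest domain generated here from reaching the nscd/sssd/ldap sockets that nsswitch access carries, but the reason is not recorded and the next AVC for an sssd socket will tempt someone to put it back. Add `# guests only need uid/gid lookups from /etc/passwd; deliberately no nsswitch (nscd/sssd/ldap sockets)` above the new line. Because this template is shared by every `virt_domain_template` caller, confirm that none of those domains relies on host name resolution inside qemu itself before this ships. The template body continues outside this hunk.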
@@ -70577,7 +70731,7 @@ index 6f0736b..490101e 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..5dec493 100644
+index 947bbc6..08c7bcb 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
@@ -71171,7 +71325,7 @@ index 947bbc6..5dec493 100644
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
  	xen_read_image_files(virtd_t)
-@@ -402,35 +567,84 @@ optional_policy(`
+@@ -402,35 +567,85 @@ optional_policy(`
  #
  # virtual domains common policy
  #
@@ -71210,6 +71364,7 @@ index 947bbc6..5dec493 100644
 +
 +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
 +manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
++manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
 +manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
 +read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
 +rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -71265,7 +71420,7 @@ index 947bbc6..5dec493 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -438,34 +652,593 @@ dev_write_sound(virt_domain)
+@@ -438,34 +653,593 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -72885,7 +73040,7 @@ index 77d41b6..cc73c96 100644
  
  	files_search_pids($1)
 diff --git a/xen.te b/xen.te
-index 07033bb..5e3cb73 100644
+index 07033bb..8358a63 100644
 --- a/xen.te
 +++ b/xen.te
 @@ -4,6 +4,7 @@ policy_module(xen, 1.12.0)
@@ -72974,7 +73129,7 @@ index 07033bb..5e3cb73 100644
  
 -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
 -dontaudit xend_t self:capability { sys_ptrace };
-+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
++allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
  allow xend_t self:process { signal sigkill };
 -dontaudit xend_t self:process ptrace;
 +
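Review bot: Adding `sys_rawio` to `allow xend_t self:capability { ... }` is a large grant for "run scsi_id": CAP_SYS_RAWIO also unlocks /dev/mem and port I/O, and combined with the /dev/sg* read added further down in this file it lifts the kernel's SG_IO command filter, so xend could issue arbitrary SCSI commands to any attached device. scsi_id's INQUIRY is on the kernel's unprivileged-safe command list for a read-only sg open, so the original AVC is worth re-checking before granting this. If the capability really is needed, record why rather than leaving it bare in a list that already holds sys_admin: `# sys_rawio: required by scsi_id SG_IO ioctls`. The xend_t block continues outside this hunk.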
@@ -73016,17 +73171,21 @@ index 07033bb..5e3cb73 100644
  
  files_read_etc_files(xend_t)
  files_read_kernel_symbol_table(xend_t)
-@@ -309,7 +312,9 @@ files_etc_filetrans_etc_runtime(xend_t, file)
+@@ -309,7 +312,13 @@ files_etc_filetrans_etc_runtime(xend_t, file)
  files_read_usr_files(xend_t)
  files_read_default_symlinks(xend_t)
  
++fs_read_removable_blk_files(xend_t)
++
++storage_read_scsi_generic(xend_t)
++
 +term_setattr_generic_ptys(xend_t)
  term_getattr_all_ptys(xend_t)
 +term_setattr_all_ptys(xend_t)
  term_use_generic_ptys(xend_t)
  term_use_ptmx(xend_t)
  term_getattr_pty_fs(xend_t)
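Review bot: `storage_read_scsi_generic(xend_t)` covers every scsi_generic_device_t node (/dev/sg*), i.e. all SCSI disks, tapes and changers, not only the CD/DVD drive the changelog mentions, and read access on an sg node is enough to issue the allowed SG_IO command set. Together with `fs_read_removable_blk_files(xend_t)` the two new lines deserve a comment tying them to their purpose so the scope stays reviewable, e.g. `# scsi_id on passthrough devices; CD/DVD media exposed to domU`. The xend_t block continues outside this hunk.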
-@@ -320,13 +325,10 @@ locallogin_dontaudit_use_fds(xend_t)
+@@ -320,13 +329,10 @@ locallogin_dontaudit_use_fds(xend_t)
  
  logging_send_syslog_msg(xend_t)
  
@@ -73041,7 +73200,7 @@ index 07033bb..5e3cb73 100644
  sysnet_domtrans_dhcpc(xend_t)
  sysnet_signal_dhcpc(xend_t)
  sysnet_domtrans_ifconfig(xend_t)
-@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
  
  xen_stream_connect_xenstore(xend_t)
  
@@ -73050,7 +73209,7 @@ index 07033bb..5e3cb73 100644
  optional_policy(`
  	brctl_domtrans(xend_t)
  ')
-@@ -349,6 +349,28 @@ optional_policy(`
+@@ -349,6 +353,28 @@ optional_policy(`
  	consoletype_exec(xend_t)
  ')
  
@@ -73079,7 +73238,7 @@ index 07033bb..5e3cb73 100644
  ########################################
  #
  # Xen console local policy
-@@ -359,7 +381,7 @@ allow xenconsoled_t self:process setrlimit;
+@@ -359,7 +385,7 @@ allow xenconsoled_t self:process setrlimit;
  allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
  allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
  
@@ -73088,7 +73247,7 @@ index 07033bb..5e3cb73 100644
  
  # pid file
  manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
-@@ -374,8 +396,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -374,8 +400,6 @@ dev_rw_xen(xenconsoled_t)
  dev_filetrans_xen(xenconsoled_t)
  dev_rw_sysfs(xenconsoled_t)
  
@@ -73097,7 +73256,7 @@ index 07033bb..5e3cb73 100644
  files_read_etc_files(xenconsoled_t)
  files_read_usr_files(xenconsoled_t)
  
-@@ -390,7 +410,7 @@ term_use_console(xenconsoled_t)
+@@ -390,7 +414,7 @@ term_use_console(xenconsoled_t)
  init_use_fds(xenconsoled_t)
  init_use_script_ptys(xenconsoled_t)
  
@@ -73106,7 +73265,7 @@ index 07033bb..5e3cb73 100644
  
  xen_manage_log(xenconsoled_t)
  xen_stream_connect_xenstore(xenconsoled_t)
-@@ -413,9 +433,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +437,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
  files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
  
  # pid file
@@ -73118,7 +73277,7 @@ index 07033bb..5e3cb73 100644
  
  # log files
  manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,111 +463,24 @@ files_read_etc_files(xenstored_t)
+@@ -442,111 +467,24 @@ files_read_etc_files(xenstored_t)
  
  files_read_usr_files(xenstored_t)
  
@@ -73232,7 +73391,7 @@ index 07033bb..5e3cb73 100644
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-@@ -559,8 +493,4 @@ optional_policy(`
+@@ -559,8 +497,4 @@ optional_policy(`
  		fs_manage_nfs_files(xend_t)
  		fs_read_nfs_symlinks(xend_t)
  	')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 09d7359..f92d641 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 60%{?dist}
+Release: 61%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,33 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Dec 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-61
+- Label /var/lib/pgsql/.ssh as ssh_home_t
+- Add labeling for /usr/bin/pg_ctl
+- Allow systemd-logind to manage keyring user tmp dirs
+- Add support for 7389/tcp port
+- gems seems to be placed in lots of places
+- Since xdm is running a full session, it seems to be trying to execute lots of executables via dbus
+- Add back tcp/8123 port as http_cache port
+- Add ovirt-guest-agent\.pid labeling
+- Allow xend to run scsi_id
+- Allow rhsmcertd-worker to read "physical_package_id"
+- Allow pki_tomcat to connect to ldap port
+- Allow lpr to read /usr/share/fonts
+- Allow open file from CD/DVD drive on domU
+- Allow munin services plugins to talk to SSSD
+- Allow all samba domains to create samba directory in var_t directories
+- Take away svirt_t ability to use nsswitch
+- Dontaudit attempts by openshift to read apache logs
+- Allow apache to create as well as append _ra_content_t
+- Dontaudit sendmail_t reading a leaked file descriptor
+- Add interface to have admin transition /etc/prelink.cache to the proper label
+- Add sntp support to ntp policy
+- Allow firewalld to dbus chat with devicekit_power
+- Allow tuned to call lsblk
+- Allow tor to read /proc/sys/kernel/random/uuid
+- Add tor_can_network_relay boolean  
+
 * Wed Dec 5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-60
 - Add openshift_initrc_signal() interface
 - Fix typos

