[selinux-policy/f16] * Mon Feb 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-76 - Allow denyhosts to read "unix" - Ad

Miroslav Grepl mgrepl at fedoraproject.org
Mon Feb 20 16:41:28 UTC 2012


commit b962371154bc53b4f036bfc39c79bf985cce5c6d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Feb 20 17:41:17 2012 +0100

    * Mon Feb 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-76
    - Allow denyhosts to read "unix"
    - Add file name transition for locale.conf.new
    - Allow boinc projects to gconf config files
    - Allow xen to search virt images directories
    - Add label for /dev/megaraid_sas_ioctl_node
    - kdump_t needs to read /etc/mtab
    - If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly
    - Allow boinc project to getattr on fs
    - Add filename transition also for "event20"
    - Allow collectd to ipc_lock
    - Allow systemd_tmpfiles_t to delete all file types
    - Add lots of rules to fix AVC's when playing with containers

 policy-F16.patch    | 1281 ++++++++++++++++++++++++++++++++++-----------------
 selinux-policy.spec |   16 +-
 2 files changed, 875 insertions(+), 422 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 3d81387..dd8e351 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1237,7 +1237,7 @@ index 4198ff5..a296bfa 100644
  ## <summary>
  ##	Manage kdump configuration file.
 diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te
-index b29d8e2..bcd9273 100644
+index b29d8e2..ed79499 100644
 --- a/policy/modules/admin/kdump.te
 +++ b/policy/modules/admin/kdump.te
 @@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
@@ -1250,6 +1250,14 @@ index b29d8e2..bcd9273 100644
  #####################################
  #
  # kdump local policy
+@@ -24,6 +27,7 @@ allow kdump_t self:capability { sys_boot dac_override };
+ 
+ read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+ 
++files_read_etc_files(kdump_t)
+ files_read_etc_runtime_files(kdump_t)
+ files_read_kernel_img(kdump_t)
+ 
 diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
 index 9dd6880..4b7fa27 100644
 --- a/policy/modules/admin/kismet.te
@@ -4103,7 +4111,7 @@ index d5aaf0e..6b16aef 100644
  optional_policy(`
  	mta_send_mail(sxid_t)
 diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..70d684a 100644
+index 6a5004b..65681da 100644
 --- a/policy/modules/admin/tmpreaper.te
 +++ b/policy/modules/admin/tmpreaper.te
 @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -4123,12 +4131,11 @@ index 6a5004b..70d684a 100644
  dev_read_urand(tmpreaper_t)
  
  fs_getattr_xattr_fs(tmpreaper_t)
-@@ -25,11 +28,16 @@ fs_getattr_xattr_fs(tmpreaper_t)
+@@ -25,11 +28,15 @@ fs_getattr_xattr_fs(tmpreaper_t)
  files_read_etc_files(tmpreaper_t)
  files_read_var_lib_files(tmpreaper_t)
  files_purge_tmp(tmpreaper_t)
-+files_delete_usr_dirs(tmpreaper_t)
-+files_delete_usr_files(tmpreaper_t)
++files_delete_all_non_security_files(tmpreaper_t)
  # why does it need setattr?
  files_setattr_all_tmp_dirs(tmpreaper_t)
 +files_setattr_usr_dirs(tmpreaper_t)
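Review bot: `files_delete_all_non_security_files(tmpreaper_t)` replaces two grants that were scoped to usr_t (`files_delete_usr_dirs`, `files_delete_usr_files`) with permission to delete every non-security file type, which is much wider than a temporary-file cleaner needs next to `files_purge_tmp`. The changelog for 3.10.0-76 names only systemd_tmpfiles_t as gaining delete-all access, so confirm that tmpreaper_t was meant to get it too and record the reason in a comment, in the style of the existing `# why does it need setattr?`. The removed `files_delete_usr_dirs` also covered directories; the new interface's definition is not visible here, so check that directory removal under /usr still works if it is needed. The tmpreaper.te rules continue outside this hunk.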
@@ -4140,7 +4147,7 @@ index 6a5004b..70d684a 100644
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
  
-@@ -38,13 +46,17 @@ logging_send_syslog_msg(tmpreaper_t)
+@@ -38,13 +45,17 @@ logging_send_syslog_msg(tmpreaper_t)
  miscfiles_read_localization(tmpreaper_t)
  miscfiles_delete_man_pages(tmpreaper_t)
  
@@ -4162,7 +4169,7 @@ index 6a5004b..70d684a 100644
  ')
  
  optional_policy(`
-@@ -52,7 +64,9 @@ optional_policy(`
+@@ -52,7 +63,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -4172,7 +4179,7 @@ index 6a5004b..70d684a 100644
  	apache_delete_cache_files(tmpreaper_t)
  	apache_setattr_cache_dirs(tmpreaper_t)
  ')
-@@ -66,9 +80,13 @@ optional_policy(`
+@@ -66,9 +79,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7417,7 +7424,7 @@ index 40e0a2a..93d212c 100644
  ## <summary>
  ##	Send generic signals to user gpg processes.
 diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..401a4ec 100644
+index 9050e8c..52672b6 100644
 --- a/policy/modules/apps/gpg.te
 +++ b/policy/modules/apps/gpg.te
 @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -7475,7 +7482,15 @@ index 9050e8c..401a4ec 100644
  
  manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
  manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
-@@ -123,11 +139,14 @@ logging_send_syslog_msg(gpg_t)
+@@ -84,6 +100,7 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+ domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+ 
+ allow gpg_t gpg_secret_t:dir create_dir_perms;
++manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+ manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+ manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+ userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+@@ -123,11 +140,14 @@ logging_send_syslog_msg(gpg_t)
  
  miscfiles_read_localization(gpg_t)
  
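Review bot: The added `manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)` gives gpg_t create, rename and unlink on socket files carrying the same label as the secret-key storage, with no comment saying which socket it is for. If gpg_t only connects to a socket that gpg-agent creates, `write_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)` would be enough; the matching line added for gpg_agent_t in the later gpg.te hunk is the one that plausibly needs manage. Either way, a one-line comment above the rule such as `# agent socket under ~/.gnupg` would record the intent.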
@@ -7492,7 +7507,7 @@ index 9050e8c..401a4ec 100644
  
  mta_write_config(gpg_t)
  
-@@ -142,20 +161,33 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -142,20 +162,33 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -7530,7 +7545,7 @@ index 9050e8c..401a4ec 100644
  ########################################
  #
  # GPG helper local policy
-@@ -191,7 +223,7 @@ files_read_etc_files(gpg_helper_t)
+@@ -191,7 +224,7 @@ files_read_etc_files(gpg_helper_t)
  
  auth_use_nsswitch(gpg_helper_t)
  
@@ -7539,7 +7554,7 @@ index 9050e8c..401a4ec 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -205,11 +237,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -205,15 +238,17 @@ tunable_policy(`use_samba_home_dirs',`
  #
  # GPG agent local policy
  #
@@ -7553,7 +7568,12 @@ index 9050e8c..401a4ec 100644
  allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
  
  # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-@@ -239,19 +272,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
+ manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
++manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+ manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+ manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+ 
+@@ -239,19 +274,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
  miscfiles_read_localization(gpg_agent_t)
  
  # Write to the user domain tty.
@@ -7576,7 +7596,15 @@ index 9050e8c..401a4ec 100644
  	userdom_manage_user_home_content_dirs(gpg_agent_t)
  	userdom_manage_user_home_content_files(gpg_agent_t)
  ')
-@@ -332,6 +366,10 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -301,6 +337,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+ # read /proc/meminfo
+ kernel_read_system_state(gpg_pinentry_t)
+ 
++corecmd_exec_shell(gpg_pinentry_t)
+ corecmd_exec_bin(gpg_pinentry_t)
+ 
+ corenet_all_recvfrom_netlabel(gpg_pinentry_t)
+@@ -332,6 +369,10 @@ miscfiles_read_localization(gpg_pinentry_t)
  # for .Xauthority
  userdom_read_user_home_content_files(gpg_pinentry_t)
  userdom_read_user_tmpfs_files(gpg_pinentry_t)
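Review bot: `corecmd_exec_shell(gpg_pinentry_t)` is added without a comment or a changelog entry, while the neighbouring rule carries one (`# read /proc/meminfo`). This domain collects passphrases, and the interface lets it run a shell without leaving gpg_pinentry_t, so the reason should be written next to the rule. For example, `# pinentry is launched through a shell wrapper script` would fit if that is what triggered the denial; the AVC is not shown here, so this is an assumption to confirm.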
@@ -7587,7 +7615,7 @@ index 9050e8c..401a4ec 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_read_nfs_files(gpg_pinentry_t)
-@@ -342,11 +380,21 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -342,11 +383,21 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -7609,7 +7637,7 @@ index 9050e8c..401a4ec 100644
  	pulseaudio_exec(gpg_pinentry_t)
  	pulseaudio_rw_home_files(gpg_pinentry_t)
  	pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +404,28 @@ optional_policy(`
+@@ -356,4 +407,28 @@ optional_policy(`
  
  optional_policy(`
  	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -12777,10 +12805,22 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..a768ca5 100644
+index 3fae11a..b21e0b7 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
-@@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
+@@ -71,6 +71,11 @@ ifdef(`distro_redhat',`
+ /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/lxdm/LoginReady		--	gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Post.*		--	gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Pre.*			--	gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Xsession		--	gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/mcelog/cache-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+@@ -97,8 +102,6 @@ ifdef(`distro_redhat',`
  
  /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
  
@@ -12789,7 +12829,7 @@ index 3fae11a..a768ca5 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -130,18 +128,15 @@ ifdef(`distro_debian',`
+@@ -130,18 +133,15 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -12810,7 +12850,7 @@ index 3fae11a..a768ca5 100644
  
  /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +163,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +168,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -12818,7 +12858,7 @@ index 3fae11a..a768ca5 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,6 +175,8 @@ ifdef(`distro_gentoo',`
+@@ -179,6 +180,8 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -12827,7 +12867,7 @@ index 3fae11a..a768ca5 100644
  #
  # /usr
  #
-@@ -198,48 +196,51 @@ ifdef(`distro_gentoo',`
+@@ -198,48 +201,51 @@ ifdef(`distro_gentoo',`
  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/wicd/monitor\.py 	-- 	gen_context(system_u:object_r:bin_t, s0)
@@ -12921,7 +12961,7 @@ index 3fae11a..a768ca5 100644
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,9 +248,13 @@ ifdef(`distro_gentoo',`
+@@ -247,9 +253,13 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -12936,7 +12976,7 @@ index 3fae11a..a768ca5 100644
  /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +272,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +277,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -12947,7 +12987,7 @@ index 3fae11a..a768ca5 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +295,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +300,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -12968,7 +13008,7 @@ index 3fae11a..a768ca5 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +319,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +324,11 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -12982,7 +13022,7 @@ index 3fae11a..a768ca5 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +333,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +338,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -12994,7 +13034,7 @@ index 3fae11a..a768ca5 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +379,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +384,7 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -13003,7 +13043,7 @@ index 3fae11a..a768ca5 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -375,8 +391,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +396,9 @@ ifdef(`distro_suse', `
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13015,7 +13055,7 @@ index 3fae11a..a768ca5 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +402,12 @@ ifdef(`distro_suse', `
+@@ -385,3 +407,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -13027,7 +13067,7 @@ index 3fae11a..a768ca5 100644
 +/usr/lib/iscan/network				--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems/.*/agents(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/virtualbox/VBoxManage		--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/yp/.+						--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/yp/.+				--	gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
 index 9e9263a..650e796 100644
 --- a/policy/modules/kernel/corecommands.if
@@ -14356,7 +14396,7 @@ index 4f3b542..f4e36ee 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..630e5e2 100644
+index 99b71cb..009f8b7 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -14605,7 +14645,7 @@ index 99b71cb..630e5e2 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +280,11 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +280,12 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -14614,11 +14654,12 @@ index 99b71cb..630e5e2 100644
  network_port(wccp, udp,2048,s0)
 +network_port(websm, tcp,9090,s0, udp,9090,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
++network_port(winshadow, tcp, 3261, s0, udp, 3261,s0)
 +network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +296,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +297,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14626,7 +14667,7 @@ index 99b71cb..630e5e2 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +306,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +307,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14639,7 +14680,7 @@ index 99b71cb..630e5e2 100644
  
  ########################################
  #
-@@ -282,9 +356,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +357,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -14767,7 +14808,7 @@ index 6cf8784..fa24001 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..a0e6bde 100644
+index f820f3b..2cad8ee 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -15453,7 +15494,7 @@ index f820f3b..a0e6bde 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5151,822 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5151,843 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -15673,6 +15714,7 @@ index f820f3b..a0e6bde 100644
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
 +	filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
 +	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
 +	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
@@ -15705,6 +15747,26 @@ index f820f3b..a0e6bde 100644
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "010")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "011")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "012")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "013")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "014")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "015")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "016")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "017")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "018")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "019")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "020")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "021")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "022")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "023")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "024")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "025")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "026")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "027")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "028")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "029")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
@@ -16840,7 +16902,7 @@ index c19518a..12e8e9c 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..90fa357 100644
+index ff006ea..0f250ab 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -16980,7 +17042,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -1660,6 +1746,24 @@ interface(`files_delete_root_dir_entry',`
+@@ -1660,6 +1746,42 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -17002,10 +17064,28 @@ index ff006ea..90fa357 100644
 +
 +########################################
 +## <summary>
++##	Relabel a rootfs filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_rootfs',`
++	gen_require(`
++		type root_t;
++	')
++
++	allow $1 root_t:filesystem relabel_file_perms;
++')
++
++########################################
++## <summary>
  ##	Unmount a rootfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1678,6 +1782,24 @@ interface(`files_unmount_rootfs',`
+@@ -1678,6 +1800,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
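Review bot: In the new `files_relabel_rootfs`, `allow $1 root_t:filesystem relabel_file_perms;` applies a permission set defined for the file class to the filesystem class. It is accepted only because the permission names overlap, and in the reference policy that set also carries `getattr`, which the summary does not mention. Writing the permissions out, `allow $1 root_t:filesystem { relabelfrom relabelto };`, keeps the grant to exactly what "Relabel a rootfs filesystem" says. Relabeling the root filesystem is a sensitive permission, so the doc block should also state which kind of caller is expected to use it.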
@@ -17030,7 +17110,7 @@ index ff006ea..90fa357 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -1848,7 +1970,7 @@ interface(`files_boot_filetrans',`
+@@ -1848,7 +1988,7 @@ interface(`files_boot_filetrans',`
  		type boot_t;
  	')
  
@@ -17039,7 +17119,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -2372,6 +2494,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2512,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -17064,7 +17144,7 @@ index ff006ea..90fa357 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2451,7 +2591,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2609,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17073,7 +17153,7 @@ index ff006ea..90fa357 100644
  ##	</summary>
  ## </param>
  #
-@@ -2507,6 +2647,25 @@ interface(`files_manage_etc_files',`
+@@ -2507,6 +2665,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -17099,7 +17179,7 @@ index ff006ea..90fa357 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2525,6 +2684,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2702,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -17124,7 +17204,7 @@ index ff006ea..90fa357 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2624,7 +2801,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2819,7 @@ interface(`files_etc_filetrans',`
  		type etc_t;
  	')
  
@@ -17133,7 +17213,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -2680,24 +2857,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2875,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -17158,7 +17238,7 @@ index ff006ea..90fa357 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -2738,6 +2897,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2915,24 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -17183,7 +17263,7 @@ index ff006ea..90fa357 100644
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -2775,6 +2952,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +2970,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -17191,7 +17271,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -2796,6 +2974,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -2796,6 +2992,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -17199,7 +17279,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -3364,7 +3543,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3561,7 @@ interface(`files_home_filetrans',`
  		type home_root_t;
  	')
  
@@ -17208,7 +17288,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -3502,20 +3681,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3699,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -17252,7 +17332,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -3804,7 +4001,7 @@ interface(`files_kernel_modules_filetrans',`
+@@ -3804,7 +4019,7 @@ interface(`files_kernel_modules_filetrans',`
  		type modules_object_t;
  	')
  
@@ -17261,7 +17341,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -3900,6 +4097,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +4115,99 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -17361,7 +17441,7 @@ index ff006ea..90fa357 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3945,7 +4235,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4253,7 @@ interface(`files_getattr_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17370,7 +17450,7 @@ index ff006ea..90fa357 100644
  ##	</summary>
  ## </param>
  #
-@@ -4017,7 +4307,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4325,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17379,12 +17459,14 @@ index ff006ea..90fa357 100644
  ##	</summary>
  ## </param>
  #
-@@ -4029,6 +4319,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,9 +4337,27 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Remove entries from the tmp directory.
 +##  Allow read and write to the tmp directory (/tmp).
 +## </summary>
 +## <param name="domain">
@@ -17401,16 +17483,18 @@ index ff006ea..90fa357 100644
 +    allow $1 tmp_t:dir rw_dir_perms;
 +')
 +
- ########################################
- ## <summary>
- ##	Remove entries from the tmp directory.
-@@ -4085,17 +4393,43 @@ interface(`files_manage_generic_tmp_dirs',`
++########################################
++## <summary>
++##	Remove entries from the tmp directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4085,6 +4411,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
--##	Manage temporary files and directories in /tmp.
 +##	Allow shared library text relocations in tmp files.
- ## </summary>
++## </summary>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -17419,16 +17503,14 @@ index ff006ea..90fa357 100644
 +##	This is added to support java policy.
 +##	</p>
 +## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_generic_tmp_files',`
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_execmod_tmp',`
- 	gen_require(`
--		type tmp_t;
++	gen_require(`
 +		attribute tmpfile;
 +	')
 +
@@ -17437,21 +17519,10 @@ index ff006ea..90fa357 100644
 +
 +########################################
 +## <summary>
-+##	Manage temporary files and directories in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_manage_generic_tmp_files',`
-+	gen_require(`
-+		type tmp_t;
- 	')
- 
- 	manage_files_pattern($1, tmp_t, tmp_t)
-@@ -4139,6 +4473,42 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	Manage temporary files and directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+@@ -4139,6 +4491,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -17494,7 +17565,7 @@ index ff006ea..90fa357 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +4572,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4590,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17503,7 +17574,7 @@ index ff006ea..90fa357 100644
  ##	</summary>
  ## </param>
  #
-@@ -4262,7 +4632,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4650,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17512,7 +17583,7 @@ index ff006ea..90fa357 100644
  ##	</summary>
  ## </param>
  #
-@@ -4318,7 +4688,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4706,7 @@ interface(`files_tmp_filetrans',`
  		type tmp_t;
  	')
  
@@ -17521,7 +17592,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -4342,6 +4712,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4730,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -17538,7 +17609,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -4681,7 +5061,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5079,7 @@ interface(`files_usr_filetrans',`
  		type usr_t;
  	')
  
@@ -17547,7 +17618,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5084,7 +5464,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5482,7 @@ interface(`files_var_filetrans',`
  		type var_t;
  	')
  
@@ -17556,7 +17627,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5219,7 +5599,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5617,7 @@ interface(`files_var_lib_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -17565,7 +17636,33 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5304,6 +5684,25 @@ interface(`files_manage_mounttab',`
+@@ -5259,6 +5657,25 @@ interface(`files_read_var_lib_symlinks',`
+ 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+ 
++########################################
++## <summary>
++##	manage generic symbolic links
++##	in the /var/lib directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_var_lib_symlinks',`
++	gen_require(`
++		type var_lib_t;
++	')
++
++	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++')
++
+ # cjp: the next two interfaces really need to be fixed
+ # in some way.  They really neeed their own types.
+ 
+@@ -5304,6 +5721,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
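Review bot: `files_manage_var_lib_symlinks` requires only `var_lib_t`, so a caller gets no search permission on /var, whereas the sibling `files_read_var_lib_symlinks` visible just above passes `{ var_t var_lib_t }`. Add `var_t` to the `gen_require` and `allow $1 var_t:dir search_dir_perms;` before the pattern call, unless callers are expected to grant that themselves. The summary should start with a capital ("Manage generic symbolic links"), and the arguments take a space after each comma, `manage_lnk_files_pattern($1, var_lib_t, var_lib_t)`, to match the neighbouring interfaces.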
@@ -17591,7 +17688,7 @@ index ff006ea..90fa357 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5317,6 +5716,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5753,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17600,7 +17697,7 @@ index ff006ea..90fa357 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5336,12 +5737,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5774,14 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -17616,7 +17713,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5349,12 +5752,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5789,30 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -17649,7 +17746,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5373,6 +5794,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5831,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -17657,7 +17754,7 @@ index ff006ea..90fa357 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5385,7 +5807,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5844,6 @@ interface(`files_rw_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17665,7 +17762,7 @@ index ff006ea..90fa357 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5412,7 +5833,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5870,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17674,7 +17771,7 @@ index ff006ea..90fa357 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5428,12 +5849,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5886,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -17691,7 +17788,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5452,7 +5873,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5910,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17700,7 +17797,7 @@ index ff006ea..90fa357 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5493,7 +5914,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5951,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17709,7 +17806,7 @@ index ff006ea..90fa357 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5936,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5973,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17718,7 +17815,7 @@ index ff006ea..90fa357 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +5968,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6005,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -17729,7 +17826,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5608,6 +6029,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6066,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -17773,7 +17870,7 @@ index ff006ea..90fa357 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5629,6 +6087,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,6 +6124,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -17799,7 +17896,7 @@ index ff006ea..90fa357 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -5736,7 +6213,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6250,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -17808,7 +17905,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5815,29 +6292,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6329,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -17842,7 +17939,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5845,42 +6318,35 @@ interface(`files_read_all_pids',`
+@@ -5845,42 +6355,35 @@ interface(`files_read_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -17892,7 +17989,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5888,20 +6354,17 @@ interface(`files_delete_all_pids',`
+@@ -5888,20 +6391,17 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -17916,7 +18013,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5909,56 +6372,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5909,56 +6409,59 @@ interface(`files_delete_all_pid_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -17992,7 +18089,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5966,18 +6432,17 @@ interface(`files_list_spool',`
+@@ -5966,18 +6469,17 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -18015,7 +18112,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5985,19 +6450,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -5985,19 +6487,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -18040,7 +18137,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6005,50 +6469,61 @@ interface(`files_read_generic_spool',`
+@@ -6005,50 +6506,313 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -18074,73 +18171,71 @@ index ff006ea..90fa357 100644
 -##	</summary>
 -## </param>
 -## <param name="class">
-+#
+-##	<summary>
+-##	Object class(es) (single or set including {}) for which this
+-##	the transition will occur.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_spool_filetrans',`
 +interface(`files_mounton_all_poly_members',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute polymember;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_spool_t, $2, $3)
 +	allow $1 polymember:dir mounton;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow access to manage all polyinstantiated
+-##	directories on the system.
 +##	Delete all process IDs.
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	Object class(es) (single or set including {}) for which this
--##	the transition will occur.
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`files_spool_filetrans',`
++#
 +interface(`files_delete_all_pids',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		attribute pidfile;
 +		type var_t, var_run_t;
- 	')
- 
- 	allow $1 var_t:dir search_dir_perms;
--	filetrans_pattern($1, var_spool_t, $2, $3)
++	')
++
++	allow $1 var_t:dir search_dir_perms;
 +	allow $1 var_run_t:dir rmdir;
 +	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
 +	delete_files_pattern($1, pidfile, pidfile)
 +	delete_fifo_files_pattern($1, pidfile, pidfile)
 +	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
- 
- ########################################
- ## <summary>
--##	Allow access to manage all polyinstantiated
--##	directories on the system.
++')
++
++########################################
++## <summary>
 +##	Delete all process ID directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6056,16 +6531,268 @@ interface(`files_spool_filetrans',`
- ##	</summary>
- ## </param>
- #
--interface(`files_polyinstantiate_all',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_delete_all_pid_dirs',`
- 	gen_require(`
--		attribute polydir, polymember, polyparent;
--		type poly_t;
++	gen_require(`
 +		attribute pidfile;
 +		type var_t;
- 	')
- 
--	# Need to give access to /selinux/member
--	selinux_compute_member($1)
++	')
++
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
 +')
- 
--	# Need sys_admin capability for mounting
++
 +########################################
 +## <summary>
 +##	Make the specified type a file
@@ -18376,27 +18471,10 @@ index ff006ea..90fa357 100644
 +## <summary>
 +##	Allow access to manage all polyinstantiated
 +##	directories on the system.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_polyinstantiate_all',`
-+	gen_require(`
-+		attribute polydir, polymember, polyparent;
-+		type poly_t;
-+	')
-+
-+	# Need to give access to /selinux/member
-+	selinux_compute_member($1)
-+
-+	# Need sys_admin capability for mounting
- 	allow $1 self:capability { chown fsetid sys_admin fowner };
- 
- 	# Need to give access to the directories to be polyinstantiated
-@@ -6117,3 +6844,284 @@ interface(`files_unconfined',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6117,3 +6881,302 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -18681,6 +18759,24 @@ index ff006ea..90fa357 100644
 +
 +	dontaudit $1 file_type:dir_file_class_set write;
 +')
++
++########################################
++## <summary>
++##	Allow domain to delete to all files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_non_security_files',`
++	gen_require(`
++		attribute non_security_file_type;
++	')
++
++	allow $1 non_security_file_type:file_class_set unlink;
++')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 22821ff..20251b0 100644
 --- a/policy/modules/kernel/files.te
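Review bot: The documentation on `files_delete_all_non_security_files` does not match the rule: the summary reads "Allow domain to delete to all files" and the parameter text says "Domain to not audit.", yet the body is an `allow`, not a `dontaudit`. I would write the summary as `Delete all non-security files.` and the parameter text as `Domain allowed access.`. The summary should also say that the grant is `unlink` on `file_class_set`, so it covers more than regular files and carries no directory permissions of its own. A reader deciding whether to call this interface needs to know how broad it is.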
@@ -20312,20 +20408,21 @@ index d70e0b3..99ff2ac 100644
  	')
  }
 diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 57c4a6a..5e2a7de 100644
+index 57c4a6a..6a19a94 100644
 --- a/policy/modules/kernel/storage.fc
 +++ b/policy/modules/kernel/storage.fc
-@@ -28,7 +28,7 @@
+@@ -28,7 +28,8 @@
  /dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
 -/dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
++/dev/megaraid_sas_ioctl_node -c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/dev/megadev.*		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..850d168 100644
+index 1700ef2..3e38191 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
 @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -20345,7 +20442,7 @@ index 1700ef2..850d168 100644
  	dev_add_entry_generic_dirs($1)
  ')
  
-@@ -808,3 +811,368 @@ interface(`storage_unconfined',`
+@@ -808,3 +811,369 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
@@ -20564,6 +20661,7 @@ index 1700ef2..850d168 100644
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
 +	dev_filetrans($1, removable_device_t, blk_file, "mcd")
 +	dev_filetrans($1, removable_device_t, blk_file, "mcdx")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
@@ -20739,7 +20837,7 @@ index 7d45d15..eeb5889 100644
 +
 +/lib/udev/devices/pts	-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 01dd2f1..7a8e118 100644
+index 01dd2f1..c9ac6c7 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -20792,7 +20890,32 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -462,6 +485,24 @@ interface(`term_list_ptys',`
+@@ -384,6 +407,24 @@ interface(`term_getattr_pty_fs',`
+ 
+ ########################################
+ ## <summary>
++##	Relabel a pty filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`term_relabel_pty_fs',`
++	gen_require(`
++		type devpts_t;
++	')
++
++	allow $1 devpts_t:filesystem relabel_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to get the
+ ##	attributes of the /dev/pts directory.
+ ## </summary>
+@@ -462,6 +503,24 @@ interface(`term_list_ptys',`
  
  ########################################
  ## <summary>
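Review bot: `term_relabel_pty_fs` applies `relabel_file_perms`, a permission set named for file classes, to the `filesystem` class. The set presumably expands to getattr, relabelfrom and relabelto, which the filesystem class also defines, so the rule likely compiles, but it then grants `getattr` implicitly and depends on the two classes sharing permission names. Spelling the permissions out, `allow $1 devpts_t:filesystem { relabelfrom relabelto };`, states the grant exactly. Relabeling the devpts filesystem is a sensitive permission, so the summary could also name the kind of domain expected to call it.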
@@ -20817,7 +20940,7 @@ index 01dd2f1..7a8e118 100644
  ##	Do not audit attempts to read the
  ##	/dev/pts directory.
  ## </summary>
-@@ -616,6 +657,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+@@ -616,6 +675,7 @@ interface(`term_dontaudit_use_generic_ptys',`
  		type devpts_t;
  	')
  
@@ -20825,7 +20948,7 @@ index 01dd2f1..7a8e118 100644
  	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
  ')
  
-@@ -860,6 +902,26 @@ interface(`term_use_all_ptys',`
+@@ -860,6 +920,26 @@ interface(`term_use_all_ptys',`
  
  ########################################
  ## <summary>
@@ -20852,7 +20975,7 @@ index 01dd2f1..7a8e118 100644
  ##	Do not audit attempts to read or write any ptys.
  ## </summary>
  ## <param name="domain">
-@@ -873,7 +935,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -873,7 +953,7 @@ interface(`term_dontaudit_use_all_ptys',`
  		attribute ptynode;
  	')
  
@@ -20861,7 +20984,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -921,7 +983,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -921,7 +1001,7 @@ interface(`term_getattr_all_user_ptys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -20870,7 +20993,7 @@ index 01dd2f1..7a8e118 100644
  ##	</summary>
  ## </param>
  #
-@@ -1240,7 +1302,28 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1240,7 +1320,28 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  		type tty_device_t;
  	')
  
@@ -20900,7 +21023,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -1256,11 +1339,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1256,11 +1357,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  #
  interface(`term_getattr_all_ttys',`
  	gen_require(`
@@ -20914,7 +21037,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -1277,10 +1362,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1277,10 +1380,12 @@ interface(`term_getattr_all_ttys',`
  interface(`term_dontaudit_getattr_all_ttys',`
  	gen_require(`
  		attribute ttynode;
@@ -20927,7 +21050,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -1358,7 +1445,27 @@ interface(`term_use_all_ttys',`
+@@ -1358,7 +1463,27 @@ interface(`term_use_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -20956,7 +21079,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -1377,7 +1484,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1377,7 +1502,7 @@ interface(`term_dontaudit_use_all_ttys',`
  		attribute ttynode;
  	')
  
@@ -20965,7 +21088,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -1485,7 +1592,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1485,7 +1610,7 @@ interface(`term_use_all_user_ttys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -20974,7 +21097,7 @@ index 01dd2f1..7a8e118 100644
  ##	</summary>
  ## </param>
  #
-@@ -1493,3 +1600,426 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1493,3 +1618,426 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
  	term_dontaudit_use_all_ttys($1)
  ')
@@ -24903,10 +25026,10 @@ index deca9d3..ae8c579 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..85ca8ac 100644
+index 9e39aa5..3f8a147 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
-@@ -1,13 +1,18 @@
+@@ -1,21 +1,30 @@
  HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess	--	gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
@@ -24926,8 +25049,10 @@ index 9e39aa5..85ca8ac 100644
  /etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/mock/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-@@ -16,6 +21,9 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+ /etc/rc\.d/init\.d/lighttpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+ 
  /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/WebCalendar(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  
 +/lib/systemd/system/httpd.?\.service  --              gen_context(system_u:object_r:httpd_unit_file_t,s0)
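Review bot: `/etc/WebCalendar(/.*)?` is labelled `httpd_sys_rw_content_t`, which presumably makes an application configuration tree under /etc writable by the web server domain. The adjacent `/etc/zabbix/web` and `/etc/mock/koji` entries do the same, so the line is consistent with the file, but a compromised httpd process could then rewrite the application's settings. If only part of the tree is written at run time, label that part read-write and leave the rest as `httpd_sys_content_t`. Otherwise a one-line `#` comment above the entry saying why the whole directory is read-write would help the next reviewer.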
@@ -24936,7 +25061,7 @@ index 9e39aa5..85ca8ac 100644
  /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  
-@@ -24,16 +32,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -24,16 +33,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -24961,7 +25086,7 @@ index 9e39aa5..85ca8ac 100644
  /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-@@ -43,8 +52,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +53,9 @@ ifdef(`distro_suse', `
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
@@ -24973,7 +25098,7 @@ index 9e39aa5..85ca8ac 100644
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,9 +64,11 @@ ifdef(`distro_suse', `
+@@ -54,9 +65,11 @@ ifdef(`distro_suse', `
  /usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -24985,7 +25110,7 @@ index 9e39aa5..85ca8ac 100644
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,20 +85,26 @@ ifdef(`distro_suse', `
+@@ -73,20 +86,26 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25014,7 +25139,7 @@ index 9e39aa5..85ca8ac 100644
  
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -105,7 +123,27 @@ ifdef(`distro_debian', `
+@@ -105,7 +124,27 @@ ifdef(`distro_debian', `
  
  /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
@@ -25697,7 +25822,7 @@ index 6480167..e12bbc0 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..7770367 100644
+index 3136c6a..4845736 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,225 @@ policy_module(apache, 2.2.1)
@@ -26088,7 +26213,18 @@ index 3136c6a..7770367 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +480,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -339,8 +464,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+ manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ 
++manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+-files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
++files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
+ 
+ setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+ manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+@@ -355,6 +481,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -26098,12 +26234,13 @@ index 3136c6a..7770367 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +493,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +494,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
 +corenet_udp_bind_generic_node(httpd_t)
  corenet_tcp_bind_http_port(httpd_t)
++corenet_udp_bind_http_port(httpd_t)
  corenet_tcp_bind_http_cache_port(httpd_t)
 +corenet_tcp_bind_ntop_port(httpd_t)
 +corenet_tcp_bind_jboss_management_port(httpd_t)
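Review bot: `corenet_udp_bind_http_port(httpd_t)` is added unconditionally, and the changelog entry for this release does not mention it. It lets every httpd_t process bind UDP sockets on the http ports, which widens what the daemon may listen on by default. If only one module or configuration needs it, putting the call inside a `tunable_policy` block would keep the default tighter. At minimum add a comment above the line naming the consumer, e.g. `# UDP bind on http_port_t needed by <module>`.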
@@ -26115,7 +26252,7 @@ index 3136c6a..7770367 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +510,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +512,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -26131,7 +26268,7 @@ index 3136c6a..7770367 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +523,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +525,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -26139,7 +26276,7 @@ index 3136c6a..7770367 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +535,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +537,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -26243,7 +26380,7 @@ index 3136c6a..7770367 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +642,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,25 +644,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -26301,7 +26438,7 @@ index 3136c6a..7770367 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +700,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +702,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -26318,7 +26455,7 @@ index 3136c6a..7770367 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +724,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +726,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -26339,7 +26476,7 @@ index 3136c6a..7770367 100644
  ')
  
  optional_policy(`
-@@ -513,7 +748,13 @@ optional_policy(`
+@@ -513,7 +750,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26354,7 +26491,7 @@ index 3136c6a..7770367 100644
  ')
  
  optional_policy(`
-@@ -528,7 +769,19 @@ optional_policy(`
+@@ -528,7 +771,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -26375,7 +26512,7 @@ index 3136c6a..7770367 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +790,13 @@ optional_policy(`
+@@ -537,8 +792,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26390,7 +26527,7 @@ index 3136c6a..7770367 100644
  	')
  ')
  
-@@ -556,7 +814,21 @@ optional_policy(`
+@@ -556,7 +816,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26412,7 +26549,7 @@ index 3136c6a..7770367 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +839,7 @@ optional_policy(`
+@@ -567,6 +841,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -26420,7 +26557,7 @@ index 3136c6a..7770367 100644
  ')
  
  optional_policy(`
-@@ -577,6 +850,20 @@ optional_policy(`
+@@ -577,6 +852,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26441,7 +26578,7 @@ index 3136c6a..7770367 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +878,11 @@ optional_policy(`
+@@ -591,6 +880,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26453,7 +26590,7 @@ index 3136c6a..7770367 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +895,12 @@ optional_policy(`
+@@ -603,6 +897,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -26466,7 +26603,7 @@ index 3136c6a..7770367 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +914,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +916,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -26479,7 +26616,7 @@ index 3136c6a..7770367 100644
  
  ########################################
  #
-@@ -654,28 +956,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +958,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -26523,7 +26660,7 @@ index 3136c6a..7770367 100644
  ')
  
  ########################################
-@@ -685,6 +989,8 @@ optional_policy(`
+@@ -685,6 +991,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -26532,7 +26669,7 @@ index 3136c6a..7770367 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1005,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1007,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -26558,7 +26695,7 @@ index 3136c6a..7770367 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1051,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1053,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -26591,7 +26728,7 @@ index 3136c6a..7770367 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1098,25 @@ optional_policy(`
+@@ -769,6 +1100,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -26617,7 +26754,7 @@ index 3136c6a..7770367 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1137,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1139,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -26635,7 +26772,7 @@ index 3136c6a..7770367 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1156,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1158,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -26692,7 +26829,7 @@ index 3136c6a..7770367 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1207,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1209,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -26723,7 +26860,7 @@ index 3136c6a..7770367 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1242,20 @@ optional_policy(`
+@@ -842,10 +1244,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -26744,7 +26881,7 @@ index 3136c6a..7770367 100644
  ')
  
  ########################################
-@@ -891,11 +1301,49 @@ optional_policy(`
+@@ -891,11 +1303,49 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -27955,10 +28092,10 @@ index 0000000..fa9b95a
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..852893d
+index 0000000..8b244be
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,175 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@@ -28019,6 +28156,8 @@ index 0000000..852893d
 +files_read_etc_runtime_files(boinc_domain)
 +files_read_usr_files(boinc_domain)
 +
++fs_getattr_all_fs(boinc_domain)
++
 +miscfiles_read_fonts(boinc_domain)
 +miscfiles_read_localization(boinc_domain)
 +
@@ -28074,8 +28213,6 @@ index 0000000..852893d
 +
 +files_dontaudit_getattr_boot_dirs(boinc_t)
 +
-+fs_getattr_all_fs(boinc_t)
-+
 +term_getattr_all_ptys(boinc_t)
 +term_getattr_unallocated_ttys(boinc_t)
 +
@@ -28128,6 +28265,10 @@ index 0000000..852893d
 +files_dontaudit_search_home(boinc_project_t)
 +
 +optional_policy(`
++	gnome_read_gconf_config(boinc_project_t)	
++')
++
++optional_policy(`
 +	java_exec(boinc_project_t)
 +')
 diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
@@ -30113,7 +30254,7 @@ index 0000000..6451167
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..f29cc3a
+index 0000000..54d3487
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
 @@ -0,0 +1,227 @@
@@ -30270,7 +30411,7 @@ index 0000000..f29cc3a
 +# mongod local policy
 +#
 +
-+allow mongod_t self:process { setsched signal };
++allow mongod_t self:process { execmem setsched signal };
 +
 +allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mongod_t self:unix_stream_socket create_stream_socket_perms;
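Review bot: `execmem` is added to `allow mongod_t self:process { execmem setsched signal };` without a comment, and the 3.10.0-76 changelog does not mention mongod. execmem lets the domain make anonymous memory executable, which removes one of the barriers against injected code, so the reason should sit next to the rule, for example `# mongod needs executable anonymous memory (presumably its script engine; confirm against the AVC)`. If only some configurations trigger the denial, putting the permission behind a tunable would keep the default tighter than an unconditional grant.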
@@ -31026,10 +31167,10 @@ index 0000000..ed13d1e
 +
 diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
 new file mode 100644
-index 0000000..ca71d08
+index 0000000..ab1d55b
 --- /dev/null
 +++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,81 @@
 +policy_module(collectd, 1.0.0)
 +
 +########################################
@@ -31062,7 +31203,8 @@ index 0000000..ca71d08
 +#
 +# collectd local policy
 +#
-+allow collectd_t self:process { fork };
++allow collectd_t self:capability ipc_lock;
++allow collectd_t self:process fork;
 +
 +allow collectd_t self:fifo_file rw_fifo_file_perms;
 +allow collectd_t self:unix_stream_socket create_stream_socket_perms;
@@ -31816,7 +31958,7 @@ index 2eefc08..6ea5693 100644
 +
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..445ced4 100644
+index 35241ed..e3c2bf4 100644
 --- a/policy/modules/services/cron.if
 +++ b/policy/modules/services/cron.if
 @@ -12,6 +12,11 @@
@@ -32061,7 +32203,32 @@ index 35241ed..445ced4 100644
  ##	Inherit and use a file descriptor
  ##	from the cron daemon.
  ## </summary>
-@@ -377,6 +409,47 @@ interface(`cron_read_pipes',`
+@@ -359,6 +391,24 @@ interface(`cron_sigchld',`
+ 
+ ########################################
+ ## <summary>
++##	Send a generic signal to cron daemon.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cron_signal',`
++	gen_require(`
++		type crond_t;
++	')
++
++	allow $1 crond_t:process signal;
++')
++
++########################################
++## <summary>
+ ##	Read a cron daemon unnamed pipe.
+ ## </summary>
+ ## <param name="domain">
+@@ -377,6 +427,47 @@ interface(`cron_read_pipes',`
  
  ########################################
  ## <summary>
@@ -32109,7 +32276,7 @@ index 35241ed..445ced4 100644
  ##	Do not audit attempts to write cron daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
-@@ -390,6 +463,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +481,7 @@ interface(`cron_dontaudit_write_pipes',`
  		type crond_t;
  	')
  
@@ -32117,7 +32284,7 @@ index 35241ed..445ced4 100644
  	dontaudit $1 crond_t:fifo_file write;
  ')
  
-@@ -408,7 +482,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +500,43 @@ interface(`cron_rw_pipes',`
  		type crond_t;
  	')
  
@@ -32162,7 +32329,7 @@ index 35241ed..445ced4 100644
  ')
  
  ########################################
-@@ -468,6 +578,25 @@ interface(`cron_search_spool',`
+@@ -468,6 +596,25 @@ interface(`cron_search_spool',`
  
  ########################################
  ## <summary>
@@ -32188,7 +32355,7 @@ index 35241ed..445ced4 100644
  ##	Manage pid files used by cron
  ## </summary>
  ## <param name="domain">
-@@ -481,6 +610,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +628,7 @@ interface(`cron_manage_pid_files',`
  		type crond_var_run_t;
  	')
  
@@ -32196,7 +32363,7 @@ index 35241ed..445ced4 100644
  	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
  ')
  
-@@ -536,7 +666,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +684,7 @@ interface(`cron_write_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -32205,7 +32372,7 @@ index 35241ed..445ced4 100644
  ')
  
  ########################################
-@@ -554,7 +684,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +702,7 @@ interface(`cron_rw_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -32214,7 +32381,7 @@ index 35241ed..445ced4 100644
  ')
  
  ########################################
-@@ -587,11 +717,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +735,14 @@ interface(`cron_rw_system_job_stream_sockets',`
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -32230,7 +32397,7 @@ index 35241ed..445ced4 100644
  ')
  
  ########################################
-@@ -627,7 +760,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +778,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -34466,7 +34633,7 @@ index 567865f..9c9e65c 100644
  	admin_pattern($1, denyhosts_var_lock_t)
  ')
 diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
-index 8ba9425..5aaad2f 100644
+index 8ba9425..fe5c4ba 100644
 --- a/policy/modules/services/denyhosts.te
 +++ b/policy/modules/services/denyhosts.te
 @@ -25,7 +25,9 @@ logging_log_file(denyhosts_var_log_t)
@@ -34480,15 +34647,17 @@ index 8ba9425..5aaad2f 100644
  allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
  allow denyhosts_t self:tcp_socket create_socket_perms;
  allow denyhosts_t self:udp_socket create_socket_perms;
-@@ -45,6 +47,7 @@ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+@@ -44,7 +46,9 @@ setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
  
  kernel_read_system_state(denyhosts_t)
++kernel_read_network_state(denyhosts_t)
  
 +corecmd_exec_shell(denyhosts_t)
  corecmd_exec_bin(denyhosts_t)
  
  corenet_all_recvfrom_unlabeled(denyhosts_t)
-@@ -53,20 +56,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
+@@ -53,20 +57,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
  corenet_tcp_sendrecv_generic_node(denyhosts_t)
  corenet_tcp_bind_generic_node(denyhosts_t)
  corenet_tcp_connect_smtp_port(denyhosts_t)
@@ -44641,7 +44810,7 @@ index 256166a..2320c87 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..e5519fd 100644
+index 343cee3..76a7780 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -44655,24 +44824,103 @@ index 343cee3..e5519fd 100644
  	gen_require(`
  		attribute user_mail_domain;
  		type sendmail_exec_t;
-@@ -104,6 +104,7 @@ template(`mta_base_mail_template',`
+@@ -56,92 +56,11 @@ template(`mta_base_mail_template',`
+ 	type $1_mail_tmp_t;
+ 	files_tmp_file($1_mail_tmp_t)
  
- 	optional_policy(`
- 		postfix_domtrans_user_mail_handler($1_mail_t)
-+		postfix_rw_master_pipes($1_mail_t)
- 	')
+-	##############################
+-	#
+-	# $1_mail_t local policy
+-	#
+-
+-	allow $1_mail_t self:capability { setuid setgid chown };
+-	allow $1_mail_t self:process { signal_perms setrlimit };
+-	allow $1_mail_t self:tcp_socket create_socket_perms;
+-
+-	# re-exec itself
+-	can_exec($1_mail_t, sendmail_exec_t)
+-	allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
+-
+-	kernel_read_system_state($1_mail_t)
+-	kernel_read_kernel_sysctls($1_mail_t)
+-
+-	corenet_all_recvfrom_unlabeled($1_mail_t)
+-	corenet_all_recvfrom_netlabel($1_mail_t)
+-	corenet_tcp_sendrecv_generic_if($1_mail_t)
+-	corenet_tcp_sendrecv_generic_node($1_mail_t)
+-	corenet_tcp_sendrecv_all_ports($1_mail_t)
+-	corenet_tcp_connect_all_ports($1_mail_t)
+-	corenet_tcp_connect_smtp_port($1_mail_t)
+-	corenet_sendrecv_smtp_client_packets($1_mail_t)
+-
+-	corecmd_exec_bin($1_mail_t)
+-
+-	files_read_etc_files($1_mail_t)
+-	files_search_spool($1_mail_t)
+-	# It wants to check for nscd
+-	files_dontaudit_search_pids($1_mail_t)
++	manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
++	manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
++	files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
  
- 	optional_policy(`
-@@ -128,6 +129,8 @@ template(`mta_base_mail_template',`
- 		# Write to /var/spool/mail and /var/spool/mqueue.
- 		manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
- 		manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t)
-+		read_lnk_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
-+		read_lnk_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t)
- 
- 		# Check available space.
- 		fs_getattr_xattr_fs($1_mail_t)
-@@ -158,6 +161,7 @@ template(`mta_base_mail_template',`
+ 	auth_use_nsswitch($1_mail_t)
+-
+-	init_dontaudit_rw_utmp($1_mail_t)
+-
+-	logging_send_syslog_msg($1_mail_t)
+-
+-	miscfiles_read_localization($1_mail_t)
+-
+-	optional_policy(`
+-		exim_read_log($1_mail_t)
+-		exim_append_log($1_mail_t)
+-		exim_manage_spool_files($1_mail_t)
+-	')
+-
+-	optional_policy(`
+-		postfix_domtrans_user_mail_handler($1_mail_t)
+-	')
+-
+-	optional_policy(`
+-		procmail_exec($1_mail_t)
+-	')
+-
+-	optional_policy(`
+-		qmail_domtrans_inject($1_mail_t)
+-	')
+-
+-	optional_policy(`
+-		gen_require(`
+-			type etc_mail_t, mail_spool_t, mqueue_spool_t;
+-		')
+-
+-		manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+-		manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+-		files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
+-
+-		allow $1_mail_t etc_mail_t:dir search_dir_perms;
+-
+-		# Write to /var/spool/mail and /var/spool/mqueue.
+-		manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
+-		manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t)
+-
+-		# Check available space.
+-		fs_getattr_xattr_fs($1_mail_t)
+-
+-		files_read_etc_runtime_files($1_mail_t)
+-
+-		# Write to /var/log/sendmail.st
+-		sendmail_manage_log($1_mail_t)
+-		sendmail_create_log($1_mail_t)
+-	')
+-
+-	optional_policy(`
+-		uucp_manage_spool($1_mail_t)
+-	')
+ ')
+ 
+ ########################################
+@@ -158,6 +77,7 @@ template(`mta_base_mail_template',`
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -44680,7 +44928,7 @@ index 343cee3..e5519fd 100644
  #
  interface(`mta_role',`
  	gen_require(`
-@@ -169,11 +173,19 @@ interface(`mta_role',`
+@@ -169,11 +89,19 @@ interface(`mta_role',`
  
  	# Transition from the user domain to the derived domain.
  	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
@@ -44701,7 +44949,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -220,6 +232,25 @@ interface(`mta_agent_executable',`
+@@ -220,6 +148,25 @@ interface(`mta_agent_executable',`
  	application_executable_file($1)
  ')
  
@@ -44727,7 +44975,7 @@ index 343cee3..e5519fd 100644
  ########################################
  ## <summary>
  ##	Make the specified type by a system MTA.
-@@ -306,7 +337,6 @@ interface(`mta_mailserver_sender',`
+@@ -306,7 +253,6 @@ interface(`mta_mailserver_sender',`
  interface(`mta_mailserver_delivery',`
  	gen_require(`
  		attribute mailserver_delivery;
@@ -44735,7 +44983,7 @@ index 343cee3..e5519fd 100644
  	')
  
  	typeattribute $1 mailserver_delivery;
-@@ -330,12 +360,6 @@ interface(`mta_mailserver_user_agent',`
+@@ -330,12 +276,6 @@ interface(`mta_mailserver_user_agent',`
  	')
  
  	typeattribute $1 mta_user_agent;
@@ -44748,7 +44996,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -350,9 +374,8 @@ interface(`mta_mailserver_user_agent',`
+@@ -350,9 +290,8 @@ interface(`mta_mailserver_user_agent',`
  #
  interface(`mta_send_mail',`
  	gen_require(`
@@ -44759,7 +45007,7 @@ index 343cee3..e5519fd 100644
  	')
  
  	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -391,12 +414,17 @@ interface(`mta_send_mail',`
+@@ -391,12 +330,17 @@ interface(`mta_send_mail',`
  #
  interface(`mta_sendmail_domtrans',`
  	gen_require(`
@@ -44779,7 +45027,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -409,7 +437,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +353,6 @@ interface(`mta_sendmail_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -44787,7 +45035,7 @@ index 343cee3..e5519fd 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -420,6 +447,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +363,24 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
@@ -44812,7 +45060,7 @@ index 343cee3..e5519fd 100644
  ##	Execute sendmail in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -438,6 +483,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +399,26 @@ interface(`mta_sendmail_exec',`
  
  ########################################
  ## <summary>
@@ -44839,7 +45087,7 @@ index 343cee3..e5519fd 100644
  ##	Read mail server configuration.
  ## </summary>
  ## <param name="domain">
-@@ -474,7 +539,8 @@ interface(`mta_write_config',`
+@@ -474,7 +455,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -44849,7 +45097,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -494,6 +560,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +476,7 @@ interface(`mta_read_aliases',`
  
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file read_file_perms;
@@ -44857,7 +45105,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -532,7 +599,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +515,7 @@ interface(`mta_etc_filetrans_aliases',`
  		type etc_aliases_t;
  	')
  
@@ -44866,7 +45114,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -552,7 +619,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +535,7 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -44875,7 +45123,7 @@ index 343cee3..e5519fd 100644
  ')
  
  #######################################
-@@ -646,8 +713,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +629,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  	files_dontaudit_search_spool($1)
  	dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -44886,7 +45134,7 @@ index 343cee3..e5519fd 100644
  ')
  
  #######################################
-@@ -677,7 +744,26 @@ interface(`mta_spool_filetrans',`
+@@ -677,7 +660,26 @@ interface(`mta_spool_filetrans',`
  	')
  
  	files_search_spool($1)
@@ -44914,7 +45162,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -697,8 +783,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +699,8 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -44925,7 +45173,7 @@ index 343cee3..e5519fd 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -838,7 +924,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +840,7 @@ interface(`mta_dontaudit_rw_queue',`
  	')
  
  	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -44934,7 +45182,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -864,6 +950,36 @@ interface(`mta_manage_queue',`
+@@ -864,6 +866,36 @@ interface(`mta_manage_queue',`
  
  #######################################
  ## <summary>
@@ -44971,7 +45219,7 @@ index 343cee3..e5519fd 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -899,3 +1015,114 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +931,114 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -45087,7 +45335,7 @@ index 343cee3..e5519fd 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..59cd713 100644
+index 64268e4..c9c64a6 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
 @@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -45109,7 +45357,15 @@ index 64268e4..59cd713 100644
  
  type sendmail_exec_t;
  mta_agent_executable(sendmail_exec_t)
-@@ -50,22 +52,11 @@ ubac_constrained(user_mail_tmp_t)
+@@ -42,6 +44,7 @@ typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
+ typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
+ ubac_constrained(user_mail_t)
+ ubac_constrained(user_mail_tmp_t)
++userdom_user_tmp_content(user_mail_tmp_t)
+ 
+ ########################################
+ #
+@@ -50,22 +53,11 @@ ubac_constrained(user_mail_tmp_t)
  
  # newalias required this, not sure if it is needed in 'if' file
  allow system_mail_t self:capability { dac_override fowner };
@@ -45133,7 +45389,7 @@ index 64268e4..59cd713 100644
  dev_read_sysfs(system_mail_t)
  dev_read_rand(system_mail_t)
  dev_read_urand(system_mail_t)
-@@ -79,9 +70,16 @@ selinux_getattr_fs(system_mail_t)
+@@ -79,9 +71,16 @@ selinux_getattr_fs(system_mail_t)
  term_dontaudit_use_unallocated_ttys(system_mail_t)
  
  init_use_script_ptys(system_mail_t)
@@ -45151,7 +45407,7 @@ index 64268e4..59cd713 100644
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,14 +90,21 @@ optional_policy(`
+@@ -92,14 +91,21 @@ optional_policy(`
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -45176,7 +45432,7 @@ index 64268e4..59cd713 100644
  ')
  
  optional_policy(`
-@@ -108,9 +113,15 @@ optional_policy(`
+@@ -108,9 +114,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45192,7 +45448,7 @@ index 64268e4..59cd713 100644
  ')
  
  optional_policy(`
-@@ -124,12 +135,9 @@ optional_policy(`
+@@ -124,12 +136,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45207,7 +45463,7 @@ index 64268e4..59cd713 100644
  ')
  
  optional_policy(`
-@@ -146,6 +154,10 @@ optional_policy(`
+@@ -146,6 +155,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45218,7 +45474,7 @@ index 64268e4..59cd713 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -158,22 +170,13 @@ optional_policy(`
+@@ -158,22 +171,13 @@ optional_policy(`
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
  
  	domain_use_interactive_fds(system_mail_t)
@@ -45244,7 +45500,7 @@ index 64268e4..59cd713 100644
  ')
  
  optional_policy(`
-@@ -189,6 +192,10 @@ optional_policy(`
+@@ -189,6 +193,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45255,7 +45511,7 @@ index 64268e4..59cd713 100644
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -199,15 +206,16 @@ optional_policy(`
+@@ -199,15 +207,16 @@ optional_policy(`
  	arpwatch_search_data(mailserver_delivery)
  	arpwatch_manage_tmp_files(mta_user_agent)
  
@@ -45276,7 +45532,7 @@ index 64268e4..59cd713 100644
  ########################################
  #
  # Mailserver delivery local policy
-@@ -220,7 +228,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +229,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -45286,7 +45542,7 @@ index 64268e4..59cd713 100644
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
  
-@@ -242,6 +251,10 @@ optional_policy(`
+@@ -242,6 +252,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45297,7 +45553,7 @@ index 64268e4..59cd713 100644
  	# so MTA can access /var/lib/mailman/mail/wrapper
  	files_search_var_lib(mailserver_delivery)
  
-@@ -249,16 +262,25 @@ optional_policy(`
+@@ -249,16 +263,25 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -45325,7 +45581,7 @@ index 64268e4..59cd713 100644
  # Create dead.letter in user home directories.
  userdom_manage_user_home_content_files(user_mail_t)
  userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -277,6 +299,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+@@ -277,14 +300,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
  # files in an appropriate place for mta_user_agent
  userdom_read_user_tmp_files(mta_user_agent)
  
@@ -45334,7 +45590,15 @@ index 64268e4..59cd713 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(user_mail_t)
  	fs_manage_cifs_symlinks(user_mail_t)
-@@ -292,3 +316,49 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	allow user_mail_t self:capability dac_override;
+-
+ 	# Read user temporary files.
+ 	# postfix seems to need write access if the file handle is opened read/write
+ 	userdom_rw_user_tmp_files(user_mail_t)
+@@ -292,3 +315,115 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -45344,6 +45608,9 @@ index 64268e4..59cd713 100644
 +# Comman user_mail_domain policy
 +#
 +
++allow user_mail_domain self:capability { setuid setgid chown };
++allow user_mail_domain self:process { signal_perms setrlimit };
++allow user_mail_domain self:tcp_socket create_socket_perms;
 +allow user_mail_domain self:fifo_file rw_fifo_file_perms;
 +allow user_mail_domain mta_exec_type:file entrypoint;
 +
@@ -45366,6 +45633,53 @@ index 64268e4..59cd713 100644
 +
 +files_read_usr_files(user_mail_domain)
 +
++# Write to /var/spool/mail and /var/spool/mqueue.
++manage_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
++manage_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
++read_lnk_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
++read_lnk_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
++
++# re-exec itself
++can_exec(user_mail_domain, sendmail_exec_t)
++allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
++
++kernel_read_system_state(user_mail_domain)
++kernel_read_kernel_sysctls(user_mail_domain)
++
++corenet_all_recvfrom_unlabeled(user_mail_domain)
++corenet_all_recvfrom_netlabel(user_mail_domain)
++corenet_tcp_sendrecv_generic_if(user_mail_domain)
++corenet_tcp_sendrecv_generic_node(user_mail_domain)
++corenet_tcp_sendrecv_all_ports(user_mail_domain)
++corenet_tcp_connect_all_ports(user_mail_domain)
++corenet_tcp_connect_smtp_port(user_mail_domain)
++corenet_sendrecv_smtp_client_packets(user_mail_domain)
++
++corecmd_exec_bin(user_mail_domain)
++
++files_read_etc_files(user_mail_domain)
++files_search_spool(user_mail_domain)
++# It wants to check for nscd
++files_dontaudit_search_pids(user_mail_domain)
++allow user_mail_domain etc_mail_t:dir search_dir_perms;
++
++files_read_etc_runtime_files(user_mail_domain)
++
++# Check available space.
++fs_getattr_xattr_fs(user_mail_domain)
++
++init_dontaudit_rw_utmp(user_mail_domain)
++
++logging_send_syslog_msg(user_mail_domain)
++
++miscfiles_read_localization(user_mail_domain)
++
++optional_policy(`
++	exim_domtrans(user_mail_domain)
++	exim_manage_log(user_mail_domain)
++	exim_manage_spool_files(user_mail_domain)
++')
++
 +optional_policy(`
 +	# postfix needs this for newaliases
 +	files_getattr_tmp_dirs(user_mail_domain)
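Review bot: `corenet_tcp_connect_all_ports(user_mail_domain)` makes the following `corenet_tcp_connect_smtp_port(user_mail_domain)` redundant, and it lets every domain carrying the user_mail_domain attribute open outbound TCP connections to any port. The rule is carried over from mta_base_mail_template, where this commit removes it, but now that it hangs off an attribute it is worth checking whether SMTP alone is enough; if so, drop the all-ports line and keep `corenet_tcp_connect_smtp_port(user_mail_domain)`. The `manage_files_pattern` rules for mail_spool_t and mqueue_spool_t also used to sit inside an optional_policy block together with the sendmail log interfaces and are now unconditional. A comment such as `# spool access no longer depends on the sendmail module` would show that this widening is intended.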
@@ -45373,6 +45687,8 @@ index 64268e4..59cd713 100644
 +	postfix_exec_master(user_mail_domain)
 +	postfix_read_config(user_mail_domain)
 +	postfix_search_spool(user_mail_domain)
++	postfix_domtrans_user_mail_handler(user_mail_domain)
++	postfix_rw_master_pipes(user_mail_domain)
 +
 +	ifdef(`distro_redhat',`
 +		# compatability for old default main.cf
@@ -45380,9 +45696,23 @@ index 64268e4..59cd713 100644
 +	')
 +')
 +
++
 +optional_policy(`
-+	exim_domtrans(user_mail_domain)
-+	exim_manage_log(user_mail_domain)
++	procmail_exec(user_mail_domain)
++')
++
++optional_policy(`
++	qmail_domtrans_inject(user_mail_domain)
++')
++
++optional_policy(`
++	# Write to /var/log/sendmail.st
++	sendmail_manage_log(user_mail_domain)
++	sendmail_create_log(user_mail_domain)
++')
++
++optional_policy(`
++	uucp_manage_spool(user_mail_domain)
 +')
 diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
 index fd71d69..bf90863 100644
@@ -48242,7 +48572,7 @@ index 7f8fdc2..047d985 100644
  optional_policy(`
  	seutil_sigchld_newrole(openct_t)
 diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index 8b550f4..6b73075 100644
+index 8b550f4..117a7ac 100644
 --- a/policy/modules/services/openvpn.te
 +++ b/policy/modules/services/openvpn.te
 @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
@@ -48326,7 +48656,7 @@ index 8b550f4..6b73075 100644
  logging_send_syslog_msg(openvpn_t)
  
  miscfiles_read_localization(openvpn_t)
-@@ -112,21 +122,21 @@ sysnet_exec_ifconfig(openvpn_t)
+@@ -112,21 +122,23 @@ sysnet_exec_ifconfig(openvpn_t)
  sysnet_manage_config(openvpn_t)
  sysnet_etc_filetrans_config(openvpn_t)
  
@@ -48334,6 +48664,8 @@ index 8b550f4..6b73075 100644
 +userdom_use_inherited_user_terminals(openvpn_t)
 +userdom_read_home_certs(openvpn_t)
 +userdom_attach_admin_tun_iface(openvpn_t)
++userdom_read_inherited_user_tmp_files(openvpn_t)
++userdom_read_inherited_user_home_content_files(openvpn_t)
  
  tunable_policy(`openvpn_enable_homedirs',`
 -	userdom_read_user_home_content_files(openvpn_t)
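Review bot: `userdom_read_inherited_user_home_content_files(openvpn_t)` and `userdom_read_inherited_user_tmp_files(openvpn_t)` are added at top level, outside the `openvpn_enable_homedirs` tunable that opens just below. Judging by the interface names, openvpn_t can then read user home and tmp content through inherited descriptors whatever the boolean is set to. If that is intended, record it with a comment such as `# files handed over on inherited fds; independent of openvpn_enable_homedirs`; otherwise move the home-content call into the tunable block. The tunable block continues past the end of this hunk.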
@@ -48356,7 +48688,7 @@ index 8b550f4..6b73075 100644
  
  optional_policy(`
  	daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +148,7 @@ optional_policy(`
+@@ -138,3 +150,7 @@ optional_policy(`
  
  	networkmanager_dbus_chat(openvpn_t)
  ')
@@ -48911,10 +49243,10 @@ index 0000000..548d0a2
 +')
 diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
 new file mode 100644
-index 0000000..33980a8
+index 0000000..3fbbf184
 --- /dev/null
 +++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,300 @@
+@@ -0,0 +1,302 @@
 +policy_module(piranha, 1.0.0)
 +
 +########################################
@@ -49103,7 +49435,9 @@ index 0000000..33980a8
 +
 +corecmd_exec_bin(piranha_pulse_t)
 +corecmd_exec_shell(piranha_pulse_t)
-+consoletype_exec(piranha_pulse_t)
++optional_policy(`
++	consoletype_exec(piranha_pulse_t)
++')
 +
 +corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
 +corenet_udp_bind_cma_port(piranha_pulse_t)
@@ -53544,7 +53878,7 @@ index 5a9630c..c403abc 100644
 +	allow $1 qpidd_t:shm rw_shm_perms;
  ')
 diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te
-index cb7ecb5..3df1532 100644
+index cb7ecb5..9095dd4 100644
 --- a/policy/modules/services/qpid.te
 +++ b/policy/modules/services/qpid.te
 @@ -12,12 +12,12 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@@ -53563,7 +53897,7 @@ index cb7ecb5..3df1532 100644
  ########################################
  #
  # qpidd local policy
-@@ -30,27 +30,30 @@ allow qpidd_t self:shm create_shm_perms;
+@@ -30,27 +30,31 @@ allow qpidd_t self:shm create_shm_perms;
  allow qpidd_t self:tcp_socket create_stream_socket_perms;
  allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -53590,6 +53924,7 @@ index cb7ecb5..3df1532 100644
 -corenet_tcp_bind_generic_node(qpidd_t)
  corenet_tcp_bind_amqp_port(qpidd_t)
 +corenet_tcp_bind_matahari_port(qpidd_t)
++corenet_tcp_connect_amqp_port(qpidd_t)
  
 +dev_read_sysfs(qpidd_t)
  dev_read_urand(qpidd_t)
@@ -53599,7 +53934,7 @@ index cb7ecb5..3df1532 100644
  
  logging_send_syslog_msg(qpidd_t)
  
-@@ -61,3 +64,8 @@ sysnet_dns_name_resolve(qpidd_t)
+@@ -61,3 +65,8 @@ sysnet_dns_name_resolve(qpidd_t)
  optional_policy(`
  	corosync_stream_connect(qpidd_t)
  ')
@@ -58678,7 +59013,7 @@ index 275f9fb..2a0e198 100644
  
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
 diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..8cd0c85 100644
+index 3d8d1b3..dacabe0 100644
 --- a/policy/modules/services/snmp.te
 +++ b/policy/modules/services/snmp.te
 @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -58759,6 +59094,17 @@ index 3d8d1b3..8cd0c85 100644
  	optional_policy(`
  		rpm_read_db(snmpd_t)
  		rpm_dontaudit_manage_db(snmpd_t)
+@@ -140,6 +147,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	ricci_stream_connect_modclusterd(snmpd_t)
++')
++
++optional_policy(`
+ 	rpc_search_nfs_state_data(snmpd_t)
+ ')
+ 
 diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
 index c117e8b..88ebedb 100644
 --- a/policy/modules/services/snort.if
@@ -62303,7 +62649,7 @@ index 2124b6a..49c15d1 100644
 +# support for nova-stack
 +/usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..fc6beb9 100644
+index 7c5d8d8..5e7388f 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,39 +13,44 @@
@@ -62570,7 +62916,33 @@ index 7c5d8d8..fc6beb9 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -408,6 +504,7 @@ interface(`virt_read_images',`
+@@ -388,6 +484,25 @@ interface(`virt_manage_log',`
+ 
+ ########################################
+ ## <summary>
++##	Allow domain to search virt image direcories
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_search_images',`
++	gen_require(`
++		attribute virt_image_type;
++	')
++
++	virt_search_lib($1)
++	allow $1 virt_image_type:dir serach_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Allow domain to read virt image files
+ ## </summary>
+ ## <param name="domain">
+@@ -408,6 +523,7 @@ interface(`virt_read_images',`
  	read_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	read_blk_files_pattern($1, virt_image_type, virt_image_type)
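Review bot: The new `virt_search_images` interface uses `serach_dir_perms`, a misspelling of the `search_dir_perms` permission set used elsewhere in this patch (for example `allow user_mail_domain etc_mail_t:dir search_dir_perms;`). As written, the rule does not expand to the directory search permissions and will most likely fail once a caller pulls the interface in. The line should read `allow $1 virt_image_type:dir search_dir_perms;`. The summary has a typo as well: `direcories` should be `directories`.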
@@ -62578,7 +62950,7 @@ index 7c5d8d8..fc6beb9 100644
  
  	tunable_policy(`virt_use_nfs',`
  		fs_list_nfs($1)
-@@ -424,6 +521,24 @@ interface(`virt_read_images',`
+@@ -424,6 +540,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -62603,7 +62975,7 @@ index 7c5d8d8..fc6beb9 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +548,15 @@ interface(`virt_read_images',`
+@@ -433,15 +567,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -62624,7 +62996,7 @@ index 7c5d8d8..fc6beb9 100644
  ')
  
  ########################################
-@@ -466,6 +581,7 @@ interface(`virt_manage_images',`
+@@ -466,6 +600,7 @@ interface(`virt_manage_images',`
  	manage_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -62632,7 +63004,7 @@ index 7c5d8d8..fc6beb9 100644
  
  	tunable_policy(`virt_use_nfs',`
  		fs_manage_nfs_dirs($1)
-@@ -500,11 +616,16 @@ interface(`virt_manage_images',`
+@@ -500,11 +635,16 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
@@ -62649,7 +63021,7 @@ index 7c5d8d8..fc6beb9 100644
  	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 virtd_initrc_exec_t system_r;
-@@ -515,4 +636,213 @@ interface(`virt_admin',`
+@@ -515,4 +655,213 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -62657,7 +63029,7 @@ index 7c5d8d8..fc6beb9 100644
 +	virt_manage_images($1)
 +
 +	allow $1 virt_domain:process { ptrace signal_perms };
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -62687,7 +63059,7 @@ index 7c5d8d8..fc6beb9 100644
 +	optional_policy(`
 +		ptchown_run(svirt_t, $2)
 +	')
- ')
++')
 +
 +########################################
 +## <summary>
@@ -62864,7 +63236,7 @@ index 7c5d8d8..fc6beb9 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..d19abb5 100644
+index 3eca020..0637dfa 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0)
@@ -63404,7 +63776,7 @@ index 3eca020..d19abb5 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +618,367 @@ files_search_all(virt_domain)
+@@ -440,25 +618,372 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -63609,6 +63981,7 @@ index 3eca020..d19abb5 100644
 +
 +files_read_etc_files(virtd_lxc_t)
 +files_read_usr_files(virtd_lxc_t)
++files_relabel_rootfs(virtd_lxc_t)
 +files_mounton_non_security(virtd_lxc_t)
 +files_mount_all_file_type_fs(virtd_lxc_t)
 +files_unmount_all_file_type_fs(virtd_lxc_t)
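Review bot: The added `files_relabel_rootfs(virtd_lxc_t)` hands the LXC driver domain a relabel permission with no comment saying which container start-up step needs it. The next two hunks add `term_relabel_pty_fs(virtd_lxc_t)` and `seutil_domtrans_setfiles(virtd_lxc_t)` in the same way. Relabel rights and a transition into setfiles are grants an auditor will want justified, so I would put one comment above the group, for example `# virtd_lxc_t labels the container rootfs and devpts mount before starting the guest`, if that is indeed the reason. The virtd_lxc_t policy block starts and ends outside these hunks.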
@@ -63627,6 +64000,7 @@ index 3eca020..d19abb5 100644
 +
 +term_use_generic_ptys(virtd_lxc_t)
 +term_use_ptmx(virtd_lxc_t)
++term_relabel_pty_fs(virtd_lxc_t)
 +
 +auth_use_nsswitch(virtd_lxc_t)
 +
@@ -63634,6 +64008,9 @@ index 3eca020..d19abb5 100644
 +
 +miscfiles_read_localization(virtd_lxc_t)
 +
++seutil_domtrans_setfiles(virtd_lxc_t)
++seutil_read_default_contexts(virtd_lxc_t)
++
 +sysnet_domtrans_ifconfig(virtd_lxc_t)
 +
 +optional_policy(`
@@ -63652,12 +64029,12 @@ index 3eca020..d19abb5 100644
 +allow svirt_lxc_domain self:capability { kill setuid setgid dac_override };
 +dontaudit svirt_lxc_domain self:capability sys_ptrace;
 +
++allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virtd_t svirt_lxc_domain:process { signal_perms };
 +allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
-+
 +allow svirt_lxc_domain virtd_lxc_t:fd use;
 +allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms;
-+dontaudit svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write };
++allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
 +
 +allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid execstack execmem };
 +allow svirt_lxc_domain self:fifo_file manage_file_perms;
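Review bot: The new `allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };` replaces a `dontaudit ... { read write }`, so container processes go from a silenced denial to the whole `rw_socket_perms` set plus `connectto` on the management daemon's stream sockets. If the AVCs being fixed were only for an inherited descriptor, `{ read write }` would be enough and `connectto` could stay out. The added `allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };` also grants create-class permissions on a socket labelled with another domain, where `connectto` alone looks like what a client needs. Both are worth checking against the audit log before widening. The svirt_lxc_domain block continues outside the hunk.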
@@ -66747,7 +67124,7 @@ index 3defaa1..2ad2488 100644
  /var/log/zarafa/gateway\.log	--	gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
  /var/log/zarafa/ical\.log	--	gen_context(system_u:object_r:zarafa_ical_log_t,s0)
 diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
-index 21ae664..3e448dd 100644
+index 21ae664..cb3a098 100644
 --- a/policy/modules/services/zarafa.if
 +++ b/policy/modules/services/zarafa.if
 @@ -42,6 +42,8 @@ template(`zarafa_domain_template',`
@@ -66759,7 +67136,7 @@ index 21ae664..3e448dd 100644
  ')
  
  ######################################
-@@ -118,3 +120,24 @@ interface(`zarafa_stream_connect_server',`
+@@ -118,3 +120,25 @@ interface(`zarafa_stream_connect_server',`
  	files_search_var_lib($1)
  	stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
  ')
@@ -66782,10 +67159,11 @@ index 21ae664..3e448dd 100644
 +
 +    files_search_var_lib($1)
 +    manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
++    manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..92c156b 100644
+index 9fb4747..bd73b2a 100644
 --- a/policy/modules/services/zarafa.te
 +++ b/policy/modules/services/zarafa.te
 @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -66799,7 +67177,7 @@ index 9fb4747..92c156b 100644
  zarafa_domain_template(monitor)
  zarafa_domain_template(server)
  
-@@ -57,6 +61,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -57,6 +61,21 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
  corenet_tcp_bind_generic_node(zarafa_gateway_t)
  corenet_tcp_bind_pop_port(zarafa_gateway_t)
  
@@ -66816,11 +67194,22 @@ index 9fb4747..92c156b 100644
 +
 +manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
 +manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
++manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
 +
  #######################################
  #
  # zarafa-ical local policy
-@@ -107,7 +125,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
+@@ -93,7 +112,8 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+ 
+ manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+ manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+-files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
++manage_lnk_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
++files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file })
+ 
+ stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
+ 
+@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
  
  files_read_usr_files(zarafa_server_t)
  
@@ -66828,7 +67217,7 @@ index 9fb4747..92c156b 100644
  logging_send_audit_msgs(zarafa_server_t)
  
  sysnet_dns_name_resolve(zarafa_server_t)
-@@ -138,6 +155,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+@@ -138,6 +157,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
  
  ########################################
  #
@@ -66861,7 +67250,7 @@ index 9fb4747..92c156b 100644
  # zarafa domains local policy
  #
  
-@@ -152,10 +195,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+@@ -152,10 +197,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
  
  read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
  
@@ -68982,7 +69371,7 @@ index 94fd8dd..f2689e3 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..7d9e51c 100644
+index 29a9565..f87bb28 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -69546,7 +69935,15 @@ index 29a9565..7d9e51c 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +756,34 @@ ifdef(`distro_redhat',`
+@@ -513,6 +747,7 @@ ifdef(`distro_redhat',`
+ 	miscfiles_rw_localization(initrc_t)
+ 	miscfiles_setattr_localization(initrc_t)
+ 	miscfiles_relabel_localization(initrc_t)
++	miscfiles_filetrans_named_content(initrc_t)
+ 
+ 	miscfiles_read_fonts(initrc_t)
+ 	miscfiles_read_hwdata(initrc_t)
+@@ -522,8 +757,34 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -69581,7 +69978,7 @@ index 29a9565..7d9e51c 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +791,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +792,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -69604,7 +70001,7 @@ index 29a9565..7d9e51c 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +821,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +822,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -69644,7 +70041,7 @@ index 29a9565..7d9e51c 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +866,8 @@ optional_policy(`
+@@ -561,6 +867,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -69653,7 +70050,7 @@ index 29a9565..7d9e51c 100644
  ')
  
  optional_policy(`
-@@ -577,6 +884,7 @@ optional_policy(`
+@@ -577,6 +885,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -69661,7 +70058,7 @@ index 29a9565..7d9e51c 100644
  ')
  
  optional_policy(`
-@@ -589,6 +897,17 @@ optional_policy(`
+@@ -589,6 +898,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69679,7 +70076,7 @@ index 29a9565..7d9e51c 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +924,13 @@ optional_policy(`
+@@ -605,9 +925,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -69693,7 +70090,7 @@ index 29a9565..7d9e51c 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +955,10 @@ optional_policy(`
+@@ -632,6 +956,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69704,7 +70101,7 @@ index 29a9565..7d9e51c 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +976,11 @@ optional_policy(`
+@@ -649,6 +977,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69716,7 +70113,7 @@ index 29a9565..7d9e51c 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1021,7 @@ optional_policy(`
+@@ -689,6 +1022,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -69724,7 +70121,7 @@ index 29a9565..7d9e51c 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1039,13 @@ optional_policy(`
+@@ -706,7 +1040,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69738,7 +70135,7 @@ index 29a9565..7d9e51c 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1068,10 @@ optional_policy(`
+@@ -729,6 +1069,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69749,7 +70146,7 @@ index 29a9565..7d9e51c 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1081,20 @@ optional_policy(`
+@@ -738,10 +1082,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69770,7 +70167,7 @@ index 29a9565..7d9e51c 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1103,10 @@ optional_policy(`
+@@ -750,6 +1104,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69781,7 +70178,7 @@ index 29a9565..7d9e51c 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1128,6 @@ optional_policy(`
+@@ -771,8 +1129,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -69790,7 +70187,7 @@ index 29a9565..7d9e51c 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1145,12 @@ optional_policy(`
+@@ -790,10 +1146,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -69803,7 +70200,7 @@ index 29a9565..7d9e51c 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1162,6 @@ optional_policy(`
+@@ -805,7 +1163,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69811,7 +70208,7 @@ index 29a9565..7d9e51c 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1171,26 @@ optional_policy(`
+@@ -815,11 +1172,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69839,7 +70236,7 @@ index 29a9565..7d9e51c 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1200,25 @@ optional_policy(`
+@@ -829,6 +1201,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -69865,7 +70262,7 @@ index 29a9565..7d9e51c 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1234,10 @@ optional_policy(`
+@@ -844,6 +1235,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69876,7 +70273,7 @@ index 29a9565..7d9e51c 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1248,157 @@ optional_policy(`
+@@ -854,3 +1249,157 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -70427,18 +70824,24 @@ index f3e1b57..d7fd7fb 100644
  ')
  
 diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
-index 14d9670..8391e13 100644
+index 14d9670..56960ca 100644
 --- a/policy/modules/system/iscsi.fc
 +++ b/policy/modules/system/iscsi.fc
-@@ -1,5 +1,6 @@
+@@ -1,7 +1,12 @@
  /sbin/iscsid		--	gen_context(system_u:object_r:iscsid_exec_t,s0)
  /sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 +/sbin/iscsiuio 		--  gen_context(system_u:object_r:iscsid_exec_t,s0)
  
  /var/lib/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_var_lib_t,s0)
++
  /var/lock/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_lock_t,s0)
++
+ /var/log/brcm-iscsi\.log --	gen_context(system_u:object_r:iscsi_log_t,s0)
++/var/log/iscsiuio\.log.*	gen_context(system_u:object_r:iscsi_log_t,s0)
++
+ /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
 diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
-index ddbd8be..ac8e814 100644
+index ddbd8be..75e2f9b 100644
 --- a/policy/modules/system/iscsi.te
 +++ b/policy/modules/system/iscsi.te
 @@ -66,6 +66,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
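Review bot: The new iscsi.fc entry `/var/log/iscsiuio\.log.*` has no file-type field, unlike the `/var/log/brcm-iscsi\.log --` line just above it, so it matches any object class (directory, symlink, socket) whose path starts with that prefix. I would restrict it to regular files: `/var/log/iscsiuio\.log.*	--	gen_context(system_u:object_r:iscsi_log_t,s0)`. The `/var/run/mcstransd\.pid` entry added to setrans.fc later in this patch omits the `--` field in the same way, while `/var/run/iscsid\.pid` here carries it.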
@@ -70449,7 +70852,11 @@ index ddbd8be..ac8e814 100644
  
  corenet_all_recvfrom_unlabeled(iscsid_t)
  corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -78,6 +79,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
+@@ -75,9 +76,12 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
+ corenet_tcp_connect_http_port(iscsid_t)
+ corenet_tcp_connect_iscsi_port(iscsid_t)
+ corenet_tcp_connect_isns_port(iscsid_t)
++corenet_tcp_connect_winshadow(iscsid_t)
  
  dev_rw_sysfs(iscsid_t)
  dev_rw_userio_dev(iscsid_t)
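Review bot: The added call `corenet_tcp_connect_winshadow(iscsid_t)` does not follow the `corenet_tcp_connect_<name>_port` form of the three calls directly above it (`..._http_port`, `..._iscsi_port`, `..._isns_port`). If the port is declared the usual way, the generated interface is `corenet_tcp_connect_winshadow_port`, and the name as written would not expand to any rule. The port declaration is not visible from this hunk, so this needs checking against corenetwork. Suggested line: `corenet_tcp_connect_winshadow_port(iscsid_t)`.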
@@ -71031,7 +71438,7 @@ index 808ba93..4ff705d 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..eae9427 100644
+index e5836d3..cc8dabb 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -71043,7 +71450,14 @@ index e5836d3..eae9427 100644
  files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
  
  manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -79,6 +79,7 @@ corecmd_search_bin(ldconfig_t)
+@@ -75,10 +75,14 @@ kernel_read_system_state(ldconfig_t)
+ 
+ fs_getattr_xattr_fs(ldconfig_t)
+ 
++files_list_var_lib(ldconfig_t)
++files_manage_var_lib_symlinks(ldconfig_t)
++
+ corecmd_search_bin(ldconfig_t)
  
  domain_use_interactive_fds(ldconfig_t)
  
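Review bot: `files_manage_var_lib_symlinks(ldconfig_t)` lets ldconfig create and remove symlinks of the generic /var/lib type, and nothing in the hunk says which library path under /var/lib requires it. A short comment above the two added lines would record that, for example `# ldconfig updates library symlinks for packages that install under /var/lib`, if that is the case. The added `files_list_var_lib(ldconfig_t)` also appears to make the existing `files_search_var_lib(ldconfig_t)` a few lines below redundant, so one of the two could go.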
@@ -71051,7 +71465,7 @@ index e5836d3..eae9427 100644
  files_search_var_lib(ldconfig_t)
  files_read_etc_files(ldconfig_t)
  files_read_usr_files(ldconfig_t)
-@@ -94,7 +95,8 @@ miscfiles_read_localization(ldconfig_t)
+@@ -94,7 +98,8 @@ miscfiles_read_localization(ldconfig_t)
  
  logging_send_syslog_msg(ldconfig_t)
  
@@ -71061,7 +71475,7 @@ index e5836d3..eae9427 100644
  userdom_use_all_users_fds(ldconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -103,6 +105,12 @@ ifdef(`distro_ubuntu',`
+@@ -103,6 +108,12 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -71074,7 +71488,7 @@ index e5836d3..eae9427 100644
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -114,6 +122,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -114,6 +125,9 @@ ifdef(`hide_broken_symptoms',`
  		')
  	')
  
@@ -71084,7 +71498,7 @@ index e5836d3..eae9427 100644
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
  	')
-@@ -131,6 +142,10 @@ optional_policy(`
+@@ -131,6 +145,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71095,7 +71509,7 @@ index e5836d3..eae9427 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +156,3 @@ optional_policy(`
+@@ -141,6 +159,3 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
@@ -72156,7 +72570,7 @@ index 172287e..88fc786 100644
  /usr/local/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
  /usr/local/share/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..b2d74f7 100644
+index 926ba65..b2a1675 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
 @@ -582,6 +582,26 @@ interface(`miscfiles_manage_man_pages',`
@@ -72194,7 +72608,7 @@ index 926ba65..b2d74f7 100644
  ')
  
  ########################################
-@@ -769,3 +788,42 @@ interface(`miscfiles_manage_localization',`
+@@ -769,3 +788,43 @@ interface(`miscfiles_manage_localization',`
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
  
@@ -72222,6 +72636,7 @@ index 926ba65..b2d74f7 100644
 +
 +	files_etc_filetrans($1, locale_t, file, "localtime")
 +	files_etc_filetrans($1, locale_t, file, "locale.conf")
++	files_etc_filetrans($1, locale_t, file, "locale.conf.new")
 +	files_var_filetrans($1, man_t, dir, "man")
 +	files_etc_filetrans($1, locale_t, file, "timezone")
 +	files_etc_filetrans($1, locale_t, file, "clock")
@@ -74351,6 +74766,15 @@ index 7ed9819..3ee9ea8 100644
 -	hotplug_use_fds(setfiles_t)
 +	unconfined_domain(setfiles_mac_t)
  ')
+diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
+index bea4629..3ebd58b 100644
+--- a/policy/modules/system/setrans.fc
++++ b/policy/modules/system/setrans.fc
+@@ -3,3 +3,4 @@
+ /sbin/mcstransd		--	gen_context(system_u:object_r:setrans_exec_t,s0)
+ 
+ /var/run/setrans(/.*)?		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
++/var/run/mcstransd\.pid		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
 diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
 index 1447687..cdc0223 100644
 --- a/policy/modules/system/setrans.te
@@ -75471,10 +75895,10 @@ index 0000000..1688a39
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..567c78c
+index 0000000..b8c56f1
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,381 @@
+@@ -0,0 +1,379 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -75560,6 +75984,8 @@ index 0000000..567c78c
 +dev_setattr_video_dev(systemd_logind_t)
 +dev_setattr_all_chr_files(systemd_logind_t)
 +
++domain_read_all_domains_state(systemd_logind_t)
++
 +# /etc/udev/udev.conf should probably have a private type if only for confined administration
 +# /etc/nsswitch.conf
 +files_read_etc_files(systemd_logind_t)
@@ -75604,6 +76030,7 @@ index 0000000..567c78c
 +optional_policy(`
 +	cron_dbus_chat_crond(systemd_logind_t)
 +	cron_read_state_crond(systemd_logind_t)
++	cron_signal(systemd_logind_t)
 +')
 +
 +optional_policy(`
@@ -75672,7 +76099,6 @@ index 0000000..567c78c
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_read_network_state(systemd_tmpfiles_t)
-+files_delete_kernel_modules(systemd_tmpfiles_t)
 +
 +dev_write_kmsg(systemd_tmpfiles_t)
 +
@@ -75693,11 +76119,7 @@ index 0000000..567c78c
 +files_manage_all_pid_dirs(systemd_tmpfiles_t)
 +files_manage_all_locks(systemd_tmpfiles_t)
 +files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_delete_all_pid_sockets(systemd_tmpfiles_t)
-+files_delete_all_pid_pipes(systemd_tmpfiles_t)
-+files_delete_boot_flag(systemd_tmpfiles_t)
-+files_delete_usr_dirs(systemd_tmpfiles_t)
-+files_delete_usr_files(systemd_tmpfiles_t)
++files_delete_all_non_security_files(systemd_tmpfiles_t)
 +files_purge_tmp(systemd_tmpfiles_t)
 +files_manage_generic_tmp_files(systemd_tmpfiles_t)
 +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
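Review bot: Replacing the five targeted `files_delete_*` calls with `files_delete_all_non_security_files(systemd_tmpfiles_t)` widens what this domain may unlink. It goes from pid sockets and pipes, the boot flag and /usr content to every non-security file type, so the policy no longer bounds the effect of a wrong or tampered tmpfiles.d entry. The previous hunk also drops `files_delete_kernel_modules`, presumably because the new call covers it. If the broad grant is intended, say so in a comment above it, for example `# tmpfiles.d may name arbitrary paths for cleanup; security file types stay excluded`. Otherwise keep the narrow list and add only the types the AVCs showed. The systemd_tmpfiles_t block continues outside the hunk.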
@@ -77070,7 +77492,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..38698f3 100644
+index 4b2878a..9e90eb9 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -78763,7 +79185,7 @@ index 4b2878a..38698f3 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1698,14 +2197,35 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2197,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -78771,6 +79193,7 @@ index 4b2878a..38698f3 100644
  	')
  
 -	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
 +	list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
 +	read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
  	files_search_home($1)
@@ -78800,7 +79223,7 @@ index 4b2878a..38698f3 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2236,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2237,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -78818,7 +79241,7 @@ index 4b2878a..38698f3 100644
  ')
  
  ########################################
-@@ -1779,6 +2302,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2303,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -78879,7 +79302,7 @@ index 4b2878a..38698f3 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2387,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2388,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -78889,7 +79312,7 @@ index 4b2878a..38698f3 100644
  ')
  
  ########################################
-@@ -1827,20 +2403,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2404,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -78914,7 +79337,7 @@ index 4b2878a..38698f3 100644
  
  ########################################
  ## <summary>
-@@ -1941,6 +2511,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2512,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -78939,7 +79362,7 @@ index 4b2878a..38698f3 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2596,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2597,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -78948,7 +79371,7 @@ index 4b2878a..38698f3 100644
  	files_search_home($1)
  ')
  
-@@ -2039,7 +2627,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2628,7 @@ interface(`userdom_user_home_content_filetrans',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -78957,7 +79380,22 @@ index 4b2878a..38698f3 100644
  	allow $1 user_home_dir_t:dir search_dir_perms;
  	files_search_home($1)
  ')
-@@ -2182,7 +2770,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2158,11 +2747,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ #
+ interface(`userdom_read_user_tmp_files',`
+ 	gen_require(`
+-		type user_tmp_t;
++		attribute user_tmp_type;
+ 	')
+ 
+-	read_files_pattern($1, user_tmp_t, user_tmp_t)
+-	allow $1 user_tmp_t:dir list_dir_perms;
++	read_files_pattern($1, user_tmp_type, user_tmp_type)
++	allow $1 user_tmp_type:dir list_dir_perms;
+ 	files_search_tmp($1)
+ ')
+ 
+@@ -2182,7 +2771,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
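Review bot: `userdom_read_user_tmp_files` now requires `attribute user_tmp_type` and grants read and list on every type carrying it, but `userdom_dontaudit_read_user_tmp_files`, whose `gen_require` is visible at the end of this hunk, still names `type user_tmp_t`. Every existing caller of the read interface gains access to all user tmp types without any change at the call site, so the `## <summary>` above the interface (outside the hunk) should state the wider scope. If the pair is meant to stay symmetric, the dontaudit twin needs `attribute user_tmp_type;` in its `gen_require`, and its rule switched to the attribute as well.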
@@ -78966,7 +79404,7 @@ index 4b2878a..38698f3 100644
  ')
  
  ########################################
-@@ -2390,7 +2978,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2979,7 @@ interface(`userdom_user_tmp_filetrans',`
  		type user_tmp_t;
  	')
  
@@ -78975,7 +79413,7 @@ index 4b2878a..38698f3 100644
  	files_search_tmp($1)
  ')
  
-@@ -2419,6 +3007,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3008,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2)
  ')
  
@@ -79001,7 +79439,7 @@ index 4b2878a..38698f3 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2435,13 +3042,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3043,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -79017,7 +79455,7 @@ index 4b2878a..38698f3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,7 +3070,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3071,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -79026,7 +79464,7 @@ index 4b2878a..38698f3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2470,14 +3078,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3079,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -79061,7 +79499,7 @@ index 4b2878a..38698f3 100644
  ')
  
  ########################################
-@@ -2572,7 +3196,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3197,7 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -79070,7 +79508,7 @@ index 4b2878a..38698f3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2580,48 +3204,97 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,48 +3205,97 @@ interface(`userdom_use_user_ttys',`
  ##	</summary>
  ## </param>
  #
@@ -79192,7 +79630,7 @@ index 4b2878a..38698f3 100644
  ')
  
  ########################################
-@@ -2640,8 +3313,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,8 +3314,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -79222,7 +79660,7 @@ index 4b2878a..38698f3 100644
  ')
  
  ########################################
-@@ -2713,6 +3405,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3406,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -79247,7 +79685,7 @@ index 4b2878a..38698f3 100644
  ########################################
  ## <summary>
  ##	Execute an Xserver session in all unprivileged user domains.  This
-@@ -2736,24 +3446,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3447,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -79272,7 +79710,7 @@ index 4b2878a..38698f3 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3464,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3465,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  	allow $1 unpriv_userdomain:sem create_sem_perms;
  ')
  
@@ -79298,7 +79736,7 @@ index 4b2878a..38698f3 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV shared
-@@ -2852,7 +3525,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3526,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -79307,7 +79745,7 @@ index 4b2878a..38698f3 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3541,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3542,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -79341,7 +79779,7 @@ index 4b2878a..38698f3 100644
  ')
  
  ########################################
-@@ -2972,7 +3629,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3630,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -79350,7 +79788,7 @@ index 4b2878a..38698f3 100644
  ')
  
  ########################################
-@@ -3027,7 +3684,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3685,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -79397,7 +79835,7 @@ index 4b2878a..38698f3 100644
  ')
  
  ########################################
-@@ -3045,7 +3740,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3741,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -79406,7 +79844,7 @@ index 4b2878a..38698f3 100644
  ')
  
  ########################################
-@@ -3064,6 +3759,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3760,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -79414,7 +79852,7 @@ index 4b2878a..38698f3 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3142,6 +3838,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3839,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -79439,7 +79877,7 @@ index 4b2878a..38698f3 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3160,6 +3874,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3875,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -79464,7 +79902,7 @@ index 4b2878a..38698f3 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3926,1165 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3927,1165 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -80869,7 +81307,7 @@ index 77d41b6..7ccb440 100644
  
  	files_search_pids($1)
 diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..e50a784 100644
+index 4350ba0..b82a902 100644
 --- a/policy/modules/system/xen.te
 +++ b/policy/modules/system/xen.te
 @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -80931,7 +81369,7 @@ index 4350ba0..e50a784 100644
  optional_policy(`
  	brctl_domtrans(xend_t)
  ')
-@@ -349,6 +341,22 @@ optional_policy(`
+@@ -349,6 +341,23 @@ optional_policy(`
  	consoletype_exec(xend_t)
  ')
  
@@ -80948,13 +81386,14 @@ index 4350ba0..e50a784 100644
 +')
 +
 +optional_policy(`
++	virt_search_images(xend_t)
 +	virt_read_config(xend_t)
 +')
 +
  ########################################
  #
  # Xen console local policy
-@@ -413,9 +421,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +422,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
  files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
  
  # pid file
@@ -80966,7 +81405,7 @@ index 4350ba0..e50a784 100644
  
  # log files
  manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +451,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +452,11 @@ files_read_etc_files(xenstored_t)
  
  files_read_usr_files(xenstored_t)
  
@@ -80978,7 +81417,7 @@ index 4350ba0..e50a784 100644
  
  init_use_fds(xenstored_t)
  init_use_script_ptys(xenstored_t)
-@@ -457,96 +468,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +469,9 @@ xen_append_log(xenstored_t)
  
  ########################################
  #
@@ -81075,7 +81514,7 @@ index 4350ba0..e50a784 100644
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-@@ -559,8 +483,4 @@ optional_policy(`
+@@ -559,8 +484,4 @@ optional_policy(`
  		fs_manage_nfs_files(xend_t)
  		fs_read_nfs_symlinks(xend_t)
  	')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 433db05..845926b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 75%{?dist}
+Release: 76%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,20 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Feb 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-76
+- Allow denyhosts to read "unix"
+- Add file name transition for locale.conf.new
+- Allow boinc projects to gconf config files
+- Allow xen to search virt images directories
+- Add label for /dev/megaraid_sas_ioctl_node
+- kdump_t needs to read /etc/mtab
+- If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly
+- Allow boinc project to getattr on fs
+- Add filename transition also for "event20"
+- Allow collectd to ipc_lock
+- Allow systemd_tmpfiles_t to delete all file types
+- Add lots of rules to fix AVC's when playing with containers
+
 * Wed Feb 1 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-75
 - Add logging_syslogd_use_tty boolea
 - Add polipo_connect_all_unreserved bolean

