[selinux-policy] - Fixed destined form libvirt-sandbox - Allow apps that list sysfs to also read sympolicy links in t

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jan 11 12:13:21 UTC 2012


commit 69a8d0687ae5b8e87aeeb1b467a1339156fabcfc
Author: Miroslav <mgrepl at redhat.com>
Date:   Wed Jan 11 13:13:07 2012 +0100

    - Fixed destined form libvirt-sandbox
    - Allow apps that list sysfs to also read symbolic links in this filesystem
    - Add ubac_constrained rules for chrome_sandbox
    - Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra
    - Allow postgresql to be executed by the caller
    - Standardize interfaces of daemons
    - Add new labeling for mm-handler
    - Allow all matahari domains to read network state and etc_runtime_t files

 policy-F16.patch    | 1140 +++++++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec |   12 +-
 2 files changed, 892 insertions(+), 260 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 6577ce6..1c304f5 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4898,10 +4898,10 @@ index 0000000..1553356
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..aff461c
+index 0000000..bd1abf4
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,184 @@
+@@ -0,0 +1,186 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -4913,6 +4913,7 @@ index 0000000..aff461c
 +type chrome_sandbox_exec_t;
 +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
 +role system_r types chrome_sandbox_t;
++ubac_constrained(chrome_sandbox_t)
 +
 +type chrome_sandbox_tmp_t;
 +files_tmp_file(chrome_sandbox_tmp_t)
@@ -4925,6 +4926,7 @@ index 0000000..aff461c
 +type chrome_sandbox_nacl_exec_t;
 +application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
 +role system_r types chrome_sandbox_nacl_t;
++ubac_constrained(chrome_sandbox_nacl_t)
 +
 +########################################
 +#
@@ -5483,7 +5485,7 @@ index 00a19e3..9f6139c 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..45580b5 100644
+index f5afe78..242b129 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -1,44 +1,880 @@
@@ -6352,7 +6354,7 @@ index f5afe78..45580b5 100644
 -	ps_process_pattern($2, gconfd_t)
 +########################################
 +## <summary>
-+##	Connect to gnome over an unix stream socket.
++##	Connect to gnome over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -10585,10 +10587,10 @@ index 0000000..809784d
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..76dbb45
+index 0000000..e8f0ef5
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,501 @@
+@@ -0,0 +1,502 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -10811,6 +10813,7 @@ index 0000000..76dbb45
 +dev_read_urand(sandbox_x_domain)
 +dev_dontaudit_read_rand(sandbox_x_domain)
 +dev_read_sysfs(sandbox_x_domain)
++dev_dontaudit_rw_dri(sandbox_x_domain)
 +
 +files_search_home(sandbox_x_domain)
 +files_dontaudit_list_all_mountpoints(sandbox_x_domain)
@@ -14481,7 +14484,7 @@ index 4f3b542..f4e36ee 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..630e5e2 100644
+index 99b71cb..f7cc16e 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -14621,7 +14624,7 @@ index 99b71cb..630e5e2 100644
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +172,26 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +172,27 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -14629,6 +14632,7 @@ index 99b71cb..630e5e2 100644
 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 +network_port(jabber_router, tcp,5347,s0)
++network_port(jboss_debug, tcp,8787,s0)
 +network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0)
 +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
 +network_port(kerberos_admin, tcp,749,s0)
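Review bot: The new `network_port(jboss_debug, tcp,8787,s0)` reserves a dedicated port type, but nothing in this hunk grants any domain bind or connect access to it, so until a jboss domain's .te picks up the generated corenet_*_jboss_debug_port interfaces the label only changes what is audited, not what is allowed. Worth confirming that the jboss policy elsewhere in the patch uses that specific interface rather than a broad port attribute, since a debug port is one you want narrowly scoped. The surrounding port list continues outside the hunk.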
@@ -14651,7 +14655,7 @@ index 99b71cb..630e5e2 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +201,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +202,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -14684,7 +14688,7 @@ index 99b71cb..630e5e2 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -179,34 +238,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,34 +239,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
@@ -14730,7 +14734,7 @@ index 99b71cb..630e5e2 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +280,11 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +281,11 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -14743,7 +14747,7 @@ index 99b71cb..630e5e2 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +296,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +297,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14751,7 +14755,7 @@ index 99b71cb..630e5e2 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +306,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +307,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14764,7 +14768,7 @@ index 99b71cb..630e5e2 100644
  
  ########################################
  #
-@@ -282,9 +356,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +357,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -14898,7 +14902,7 @@ index 6cf8784..2354089 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..1082bb5 100644
+index f820f3b..d5892cc 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -15404,7 +15408,15 @@ index f820f3b..1082bb5 100644
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3902,21 +4176,26 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3860,6 +4134,7 @@ interface(`dev_list_sysfs',`
+ 		type sysfs_t;
+ 	')
+ 
++	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+ 	list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+ 
+@@ -3902,21 +4177,26 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
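Review bot: Adding `read_lnk_files_pattern($1, sysfs_t, sysfs_t)` to `dev_list_sysfs` widens every existing caller from directory listing to also following sysfs symlinks, but the interface's `<summary>` sits above the hunk and, as far as is visible, still describes listing only. The summary should state the extra permission, e.g. `##	List the sysfs directories and read the symbolic links in sysfs.`, so callers that only wanted listing know what they now receive. The body of `dev_list_sysfs` starts outside the hunk.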
@@ -15436,7 +15448,7 @@ index f820f3b..1082bb5 100644
  ')
  
  ########################################
-@@ -3972,6 +4251,42 @@ interface(`dev_rw_sysfs',`
+@@ -3972,6 +4252,42 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -15479,7 +15491,7 @@ index f820f3b..1082bb5 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4069,6 +4384,25 @@ interface(`dev_write_urand',`
+@@ -4069,6 +4385,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -15505,7 +15517,7 @@ index f820f3b..1082bb5 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4103,6 +4437,24 @@ interface(`dev_setattr_generic_usb_dev',`
+@@ -4103,6 +4438,24 @@ interface(`dev_setattr_generic_usb_dev',`
  	setattr_chr_files_pattern($1, device_t, usb_device_t)
  ')
  
@@ -15530,7 +15542,7 @@ index f820f3b..1082bb5 100644
  ########################################
  ## <summary>
  ##	Read generic the USB devices.
-@@ -4495,6 +4847,24 @@ interface(`dev_rw_vhost',`
+@@ -4495,6 +4848,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -15555,7 +15567,7 @@ index f820f3b..1082bb5 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4695,6 +5065,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4695,6 +5066,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -15582,7 +15594,7 @@ index f820f3b..1082bb5 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5174,822 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5175,822 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -17000,7 +17012,7 @@ index c19518a..04ef731 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..90fa357 100644
+index ff006ea..6af09db 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -17707,7 +17719,32 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5084,7 +5464,7 @@ interface(`files_var_filetrans',`
+@@ -4914,6 +5294,24 @@ interface(`files_list_var',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit listing of the var directory (/var).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_list_var',`
++	gen_require(`
++		type var_t;
++	')
++
++	dontaudit $1 var_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete directories
+ ##	in the /var directory.
+ ## </summary>
+@@ -5084,7 +5482,7 @@ interface(`files_var_filetrans',`
  		type var_t;
  	')
  
@@ -17716,7 +17753,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5219,7 +5599,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5617,7 @@ interface(`files_var_lib_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -17725,7 +17762,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5304,6 +5684,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5702,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -17751,7 +17788,7 @@ index ff006ea..90fa357 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5317,6 +5716,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5734,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17760,7 +17797,7 @@ index ff006ea..90fa357 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5336,12 +5737,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5755,14 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -17776,7 +17813,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5349,12 +5752,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5770,30 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -17809,7 +17846,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5373,6 +5794,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5812,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -17817,7 +17854,7 @@ index ff006ea..90fa357 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5385,7 +5807,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5825,6 @@ interface(`files_rw_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17825,7 +17862,7 @@ index ff006ea..90fa357 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5412,7 +5833,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5851,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17834,7 +17871,7 @@ index ff006ea..90fa357 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5428,12 +5849,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5867,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -17851,7 +17888,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5452,7 +5873,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5891,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17860,7 +17897,7 @@ index ff006ea..90fa357 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5493,7 +5914,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5932,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17869,7 +17906,7 @@ index ff006ea..90fa357 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5936,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5954,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17878,7 +17915,7 @@ index ff006ea..90fa357 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +5968,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +5986,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -17889,7 +17926,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5608,6 +6029,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6047,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -17933,7 +17970,7 @@ index ff006ea..90fa357 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5629,6 +6087,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,6 +6105,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -17959,7 +17996,7 @@ index ff006ea..90fa357 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -5736,7 +6213,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6231,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -17968,7 +18005,7 @@ index ff006ea..90fa357 100644
  ')
  
  ########################################
-@@ -5815,29 +6292,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6310,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -18002,7 +18039,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5845,42 +6318,35 @@ interface(`files_read_all_pids',`
+@@ -5845,42 +6336,35 @@ interface(`files_read_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -18052,7 +18089,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5888,20 +6354,17 @@ interface(`files_delete_all_pids',`
+@@ -5888,20 +6372,17 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -18076,7 +18113,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5909,56 +6372,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5909,56 +6390,59 @@ interface(`files_delete_all_pid_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -18152,7 +18189,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5966,18 +6432,17 @@ interface(`files_list_spool',`
+@@ -5966,18 +6450,17 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -18175,7 +18212,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5985,19 +6450,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -5985,19 +6468,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -18200,7 +18237,7 @@ index ff006ea..90fa357 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6005,50 +6469,61 @@ interface(`files_read_generic_spool',`
+@@ -6005,70 +6487,333 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -18234,73 +18271,81 @@ index ff006ea..90fa357 100644
 -##	</summary>
 -## </param>
 -## <param name="class">
-+#
-+interface(`files_mounton_all_poly_members',`
-+	gen_require(`
-+		attribute polymember;
-+	')
-+
-+	allow $1 polymember:dir mounton;
-+')
-+
-+########################################
-+## <summary>
-+##	Delete all process IDs.
-+## </summary>
-+## <param name="domain">
- ##	<summary>
+-##	<summary>
 -##	Object class(es) (single or set including {}) for which this
 -##	the transition will occur.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <rolecap/>
+-##	</summary>
+-## </param>
  #
 -interface(`files_spool_filetrans',`
-+interface(`files_delete_all_pids',`
++interface(`files_mounton_all_poly_members',`
  	gen_require(`
 -		type var_t, var_spool_t;
-+		attribute pidfile;
-+		type var_t, var_run_t;
++		attribute polymember;
  	')
  
- 	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_t:dir search_dir_perms;
 -	filetrans_pattern($1, var_spool_t, $2, $3)
-+	allow $1 var_run_t:dir rmdir;
-+	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+	delete_files_pattern($1, pidfile, pidfile)
-+	delete_fifo_files_pattern($1, pidfile, pidfile)
-+	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++	allow $1 polymember:dir mounton;
  ')
  
  ########################################
  ## <summary>
 -##	Allow access to manage all polyinstantiated
 -##	directories on the system.
-+##	Delete all process ID directories.
++##	Delete all process IDs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6056,16 +6531,268 @@ interface(`files_spool_filetrans',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <rolecap/>
  #
 -interface(`files_polyinstantiate_all',`
-+interface(`files_delete_all_pid_dirs',`
++interface(`files_delete_all_pids',`
  	gen_require(`
 -		attribute polydir, polymember, polyparent;
 -		type poly_t;
 +		attribute pidfile;
-+		type var_t;
++		type var_t, var_run_t;
  	')
  
 -	# Need to give access to /selinux/member
 -	selinux_compute_member($1)
+-
+-	# Need sys_admin capability for mounting
+-	allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+-	# Need to give access to the directories to be polyinstantiated
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_run_t:dir rmdir;
++	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++	delete_files_pattern($1, pidfile, pidfile)
++	delete_fifo_files_pattern($1, pidfile, pidfile)
++	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++## <summary>
++##	Delete all process ID directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++		type var_t;
++	')
++
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
 +')
- 
--	# Need sys_admin capability for mounting
++
 +########################################
 +## <summary>
 +##	Make the specified type a file
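Review bot: `files_delete_all_pids` on the new side keeps `allow $1 var_run_t:dir rmdir;` alongside the pid file and socket deletions, although the adjacent `files_delete_all_pid_dirs` is the interface that carries directory removal; a caller that only wants to clean pid files still receives rmdir on generic var_run_t directories. If that is intended, a short comment such as `# rmdir on var_run_t: generic /var/run subdirs left behind by daemons` would make it explicit; otherwise moving the rule into `files_delete_all_pid_dirs` keeps the two interfaces disjoint. Most of this hunk reorders lines that already existed, so the observation applies to the pre-existing definitions as well.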
@@ -18553,10 +18598,13 @@ index ff006ea..90fa357 100644
 +	selinux_compute_member($1)
 +
 +	# Need sys_admin capability for mounting
- 	allow $1 self:capability { chown fsetid sys_admin fowner };
++	allow $1 self:capability { chown fsetid sys_admin fowner };
++
++	# Need to give access to the directories to be polyinstantiated
+ 	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
  
- 	# Need to give access to the directories to be polyinstantiated
-@@ -6117,3 +6844,284 @@ interface(`files_unconfined',`
+ 	# Need to give access to the polyinstantiated subdirectories
+@@ -6117,3 +6862,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -18916,7 +18964,7 @@ index cda5588..e89e4bf 100644
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..dc65c9c 100644
+index 97fcdac..e8f904f 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -19162,7 +19210,32 @@ index 97fcdac..dc65c9c 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -2025,6 +2167,24 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1582,6 +1724,24 @@ interface(`fs_manage_configfs_files',`
+ 
+ ########################################
+ ## <summary>
++##	Unmount a configfs filesystem
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_unmount_configfs',`
++	gen_require(`
++		type configfs_t;
++	')
++
++	allow $1 configfs_t:filesystem unmount;
++')
++
++########################################
++## <summary>
+ ##	Mount a DOS filesystem, such as
+ ##	FAT32 or NTFS.
+ ## </summary>
+@@ -2025,6 +2185,24 @@ interface(`fs_read_fusefs_symlinks',`
  
  ########################################
  ## <summary>
@@ -19187,7 +19260,7 @@ index 97fcdac..dc65c9c 100644
  ##	Get the attributes of an hugetlbfs
  ##	filesystem.
  ## </summary>
-@@ -2080,6 +2240,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2080,6 +2258,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
@@ -19212,7 +19285,7 @@ index 97fcdac..dc65c9c 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2148,6 +2326,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,6 +2344,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -19220,7 +19293,7 @@ index 97fcdac..dc65c9c 100644
  ')
  
  ########################################
-@@ -2480,6 +2659,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2677,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19228,7 +19301,7 @@ index 97fcdac..dc65c9c 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2518,6 +2698,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2716,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19236,7 +19309,7 @@ index 97fcdac..dc65c9c 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2544,6 +2725,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2743,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -19262,7 +19335,7 @@ index 97fcdac..dc65c9c 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2584,6 +2784,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2802,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -19305,7 +19378,7 @@ index 97fcdac..dc65c9c 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2598,7 +2834,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2852,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19314,7 +19387,7 @@ index 97fcdac..dc65c9c 100644
  ')
  
  ########################################
-@@ -2736,7 +2972,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +2990,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -19323,7 +19396,7 @@ index 97fcdac..dc65c9c 100644
  ##	</summary>
  ## </param>
  #
-@@ -2772,7 +3008,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3026,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -19332,7 +19405,7 @@ index 97fcdac..dc65c9c 100644
  ##	</summary>
  ## </param>
  #
-@@ -2965,6 +3201,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3219,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -19340,7 +19413,7 @@ index 97fcdac..dc65c9c 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3005,6 +3242,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3260,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19348,7 +19421,7 @@ index 97fcdac..dc65c9c 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3045,6 +3283,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3301,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -19356,7 +19429,7 @@ index 97fcdac..dc65c9c 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3258,6 +3497,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3258,6 +3515,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -19381,7 +19454,32 @@ index 97fcdac..dc65c9c 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3958,6 +4215,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3810,6 +4085,24 @@ interface(`fs_unmount_tmpfs',`
+ 
+ ########################################
+ ## <summary>
++##	Mount on tmpfs directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_mounton_tmpfs', `
++	gen_require(`
++		type tmpfs_t;
++	')
++
++	allow $1 tmpfs_t:dir mounton;
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of a tmpfs
+ ##	filesystem.
+ ## </summary>
+@@ -3958,6 +4251,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
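Review bot: The declaration line "interface(`fs_mounton_tmpfs', `" has a space before the second backquote, unlike every other interface declaration in this file (compare "interface(`fs_unmount_configfs',`" earlier in the same patch); m4 tolerates it, but it breaks the uniform one-argument-per-comma form that refpolicy tooling and grep-based checks rely on. Drop the space so the line reads "interface(`fs_mounton_tmpfs',`".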
@@ -19424,7 +19522,41 @@ index 97fcdac..dc65c9c 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4175,6 +4468,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4059,7 +4388,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+ 		type tmpfs_t;
+ 	')
+ 
+-	dontaudit $1 tmpfs_t:file rw_file_perms;
++	dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+@@ -4119,6 +4448,24 @@ interface(`fs_rw_tmpfs_files',`
+ 
+ ########################################
+ ## <summary>
++##	Read and write generic tmpfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_rw_inherited_tmpfs_files',`
++	gen_require(`
++		type tmpfs_t;
++	')
++
++	allow $1 tmpfs_t:file { read write };
++')
++
++########################################
++## <summary>
+ ##	Read tmpfs link files.
+ ## </summary>
+ ## <param name="domain">
+@@ -4175,6 +4522,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
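Review bot: The new `fs_rw_inherited_tmpfs_files` reuses the summary of `fs_rw_tmpfs_files` ("Read and write generic tmpfs files.") even though it deliberately omits `open`, so the two interfaces are indistinguishable in the generated documentation. Change the summary to `##	Read and write inherited (already open) generic tmpfs files.`, and for consistency with the `rw_inherited_file_perms` that `fs_dontaudit_rw_tmpfs_files` now uses in the same hunk, consider `allow $1 tmpfs_t:file rw_inherited_file_perms;` in place of the literal `{ read write }` set — assuming that permission set is defined in the patched obj_perm_sets, which is outside this hunk.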
@@ -19449,7 +19581,7 @@ index 97fcdac..dc65c9c 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4251,6 +4562,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4616,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -19475,7 +19607,7 @@ index 97fcdac..dc65c9c 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4457,6 +4787,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4841,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -19484,7 +19616,7 @@ index 97fcdac..dc65c9c 100644
  ')
  
  ########################################
-@@ -4503,7 +4835,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4889,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -19493,7 +19625,7 @@ index 97fcdac..dc65c9c 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5198,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5252,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -23930,10 +24062,10 @@ index 1bd5812..0d7d8d1 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..d83d4dc 100644
+index 0b827c5..7f57a98 100644
 --- a/policy/modules/services/abrt.if
 +++ b/policy/modules/services/abrt.if
-@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
+@@ -71,12 +71,13 @@ interface(`abrt_read_state',`
  		type abrt_t;
  	')
  
@@ -23941,6 +24073,13 @@ index 0b827c5..d83d4dc 100644
  	ps_process_pattern($1, abrt_t)
  ')
  
+ ########################################
+ ## <summary>
+-##	Connect to abrt over an unix stream socket.
++##	Connect to abrt over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -160,8 +161,45 @@ interface(`abrt_run_helper',`
  
  ########################################
@@ -25088,7 +25227,7 @@ index deca9d3..ae8c579 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..c738795 100644
+index 9e39aa5..90a9e33 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -1,13 +1,18 @@
@@ -25172,7 +25311,7 @@ index 9e39aa5..c738795 100644
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,20 +87,26 @@ ifdef(`distro_suse', `
+@@ -73,25 +87,34 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25201,7 +25340,15 @@ index 9e39aa5..c738795 100644
  
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -104,8 +124,26 @@ ifdef(`distro_debian', `
+ ')
+ 
++/var/lib/pootle/po(/.*)? 		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
++
+ /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+@@ -104,8 +127,24 @@ ifdef(`distro_debian', `
  /var/spool/viewvc(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
  
  /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25215,11 +25362,9 @@ index 9e39aa5..c738795 100644
 +
 +/var/www/html/configuration\.php 	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
-+/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html/wp-content(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
-+/var/lib/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/pootle/po(/.*)? 		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
 +/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
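Review bot: `/var/www/html/wp-content(/.*)?` labelled httpd_sys_rw_content_t makes the whole tree, including the plugins/ and themes/ PHP under it, writable by the web server domain, so a compromised httpd process can drop PHP into a path it is allowed to write and have it served or run from there; unless in-place plugin updates are the goal, keep the writable label to the upload area, e.g. `/var/www/html/wp-content/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)`, and let the rest inherit httpd_sys_content_t from `/var/www(/.*)?`. The same hunk drops `/var/lib/koji(/.*)?` from this file and the commit message does not mention koji; if the entry moved to a dedicated module a note would help, otherwise koji's writable data silently loses its label. Either way the wp-content line deserves a one-line comment stating which WordPress feature needs write access.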
@@ -27168,7 +27313,7 @@ index d052bf0..3059bd2 100644
  	mta_system_content(apcupsd_tmp_t)
  ')
 diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if
-index 1ea99b2..9427dd5 100644
+index 1ea99b2..3582863 100644
 --- a/policy/modules/services/apm.if
 +++ b/policy/modules/services/apm.if
 @@ -52,7 +52,8 @@ interface(`apm_write_pipes',`
@@ -27181,7 +27326,7 @@ index 1ea99b2..9427dd5 100644
  ')
  
  ########################################
-@@ -89,7 +90,7 @@ interface(`apm_append_log',`
+@@ -89,12 +90,12 @@ interface(`apm_append_log',`
  	')
  
  	logging_search_logs($1)
@@ -27190,6 +27335,12 @@ index 1ea99b2..9427dd5 100644
  ')
  
  ########################################
+ ## <summary>
+-##	Connect to apmd over an unix stream socket.
++##	Connect to apmd over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -108,6 +109,5 @@ interface(`apm_stream_connect',`
  	')
  
@@ -27466,19 +27617,99 @@ index b3b0176..8e66610 100644
  	mysql_stream_connect(asterisk_t)
  ')
  
+diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc
+deleted file mode 100644
+index 001235e..0000000
+--- a/policy/modules/services/audioentropy.fc
++++ /dev/null
+@@ -1,6 +0,0 @@
+-#
+-# /usr
+-#
+-/usr/sbin/audio-entropyd	--	gen_context(system_u:object_r:entropyd_exec_t,s0)
+-
+-/var/run/audio-entropyd\.pid	--	gen_context(system_u:object_r:entropyd_var_run_t,s0)
+diff --git a/policy/modules/services/audioentropy.if b/policy/modules/services/audioentropy.if
+deleted file mode 100644
+index 67906f0..0000000
+--- a/policy/modules/services/audioentropy.if
++++ /dev/null
+@@ -1 +0,0 @@
+-## <summary>Generate entropy from audio input</summary>
 diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
-index 2b348c7..b89658c 100644
+deleted file mode 100644
+index 2b348c7..0000000
 --- a/policy/modules/services/audioentropy.te
-+++ b/policy/modules/services/audioentropy.te
-@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t)
- 
- domain_use_interactive_fds(entropyd_t)
- 
-+auth_read_passwd(entropyd_t)
-+
- logging_send_syslog_msg(entropyd_t)
- 
- miscfiles_read_localization(entropyd_t)
++++ /dev/null
+@@ -1,68 +0,0 @@
+-policy_module(audioentropy, 1.6.0)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type entropyd_t;
+-type entropyd_exec_t;
+-init_daemon_domain(entropyd_t, entropyd_exec_t)
+-
+-type entropyd_var_run_t;
+-files_pid_file(entropyd_var_run_t)
+-
+-########################################
+-#
+-# Local policy
+-#
+-
+-allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
+-dontaudit entropyd_t self:capability sys_tty_config;
+-allow entropyd_t self:process signal_perms;
+-
+-manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
+-files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
+-
+-kernel_read_kernel_sysctls(entropyd_t)
+-kernel_list_proc(entropyd_t)
+-kernel_read_proc_symlinks(entropyd_t)
+-
+-dev_read_sysfs(entropyd_t)
+-dev_read_urand(entropyd_t)
+-dev_write_urand(entropyd_t)
+-dev_read_rand(entropyd_t)
+-dev_write_rand(entropyd_t)
+-dev_read_sound(entropyd_t)
+-# set sound card parameters such as
+-# sample format, number of channels
+-# and sample rate.
+-dev_write_sound(entropyd_t)
+-
+-files_read_etc_files(entropyd_t)
+-files_read_usr_files(entropyd_t)
+-
+-fs_getattr_all_fs(entropyd_t)
+-fs_search_auto_mountpoints(entropyd_t)
+-
+-domain_use_interactive_fds(entropyd_t)
+-
+-logging_send_syslog_msg(entropyd_t)
+-
+-miscfiles_read_localization(entropyd_t)
+-
+-userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
+-userdom_dontaudit_search_user_home_dirs(entropyd_t)
+-
+-optional_policy(`
+-	alsa_read_lib(entropyd_t)
+-	alsa_read_rw_config(entropyd_t)
+-')
+-
+-optional_policy(`
+-	seutil_sigchld_newrole(entropyd_t)
+-')
+-
+-optional_policy(`
+-	udev_read_db(entropyd_t)
+-')
 diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
 index d80a16b..4f2a53f 100644
 --- a/policy/modules/services/automount.if
@@ -28962,7 +29193,7 @@ index 0000000..3e15c63
 +/var/spool/callweaver(/.*)?		gen_context(system_u:object_r:callweaver_spool_t,s0)
 diff --git a/policy/modules/services/callweaver.if b/policy/modules/services/callweaver.if
 new file mode 100644
-index 0000000..512fcb9
+index 0000000..e07d3b8
 --- /dev/null
 +++ b/policy/modules/services/callweaver.if
 @@ -0,0 +1,362 @@
@@ -29184,7 +29415,7 @@ index 0000000..512fcb9
 +
 +########################################
 +## <summary>
-+##	Connect to callweaver over an unix stream socket.
++##	Connect to callweaver over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -29466,7 +29697,7 @@ index 8a7177d..bc4f6e7 100644
  /var/run/cluster/ccsd\.pid --	gen_context(system_u:object_r:ccs_var_run_t,s0)
  /var/run/cluster/ccsd\.sock -s	gen_context(system_u:object_r:ccs_var_run_t,s0)
 diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if
-index 6ee2cc8..3105b09 100644
+index 6ee2cc8..b509c40 100644
 --- a/policy/modules/services/ccs.if
 +++ b/policy/modules/services/ccs.if
 @@ -5,9 +5,9 @@
@@ -29481,6 +29712,15 @@ index 6ee2cc8..3105b09 100644
  ## </param>
  #
  interface(`ccs_domtrans',`
+@@ -20,7 +20,7 @@ interface(`ccs_domtrans',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to ccs over an unix stream socket.
++##	Connect to ccs over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
 index 4c90b57..418eb6b 100644
 --- a/policy/modules/services/ccs.te
@@ -30092,7 +30332,7 @@ index fd8cd0b..c11cd2f 100644
 +/var/run/chronyd(/.*)			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 +/var/run/chronyd\.sock			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..4d21fbd 100644
+index 9a0da94..e3cec85 100644
 --- a/policy/modules/services/chronyd.if
 +++ b/policy/modules/services/chronyd.if
 @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -30207,7 +30447,7 @@ index 9a0da94..4d21fbd 100644
 +
 +########################################
 +## <summary>
-+##	Connect to chronyd over an unix stream socket.
++##	Connect to chronyd over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -32296,7 +32536,7 @@ index 01d31f1..8e2754b 100644
  
  /var/lib/courier(/.*)?				gen_context(system_u:object_r:courier_var_lib_t,s0)
 diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
-index 9971337..7481ccc 100644
+index 9971337..db88074 100644
 --- a/policy/modules/services/courier.if
 +++ b/policy/modules/services/courier.if
 @@ -90,7 +90,7 @@ template(`courier_domain_template',`
@@ -32314,7 +32554,7 @@ index 9971337..7481ccc 100644
  
 +#######################################
 +## <summary>
-+##  Connect to courier-authdaemon over an unix stream socket.
++##  Connect to courier-authdaemon over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
@@ -33464,7 +33704,7 @@ index 0000000..2db6b61
 +
 diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if
 new file mode 100644
-index 0000000..5c1e8b0
+index 0000000..4f7d237
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.if
 @@ -0,0 +1,259 @@
@@ -33665,7 +33905,7 @@ index 0000000..5c1e8b0
 +
 +#######################################
 +## <summary>
-+##  Connect to ctdbd over an unix stream socket.
++##  Connect to ctdbd over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
@@ -33898,7 +34138,7 @@ index 1b492ed..ac5dae0 100644
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
-index 305ddf4..2746e6f 100644
+index 305ddf4..c9de648 100644
 --- a/policy/modules/services/cups.if
 +++ b/policy/modules/services/cups.if
 @@ -9,6 +9,11 @@
@@ -33913,6 +34153,15 @@ index 305ddf4..2746e6f 100644
  #
  interface(`cups_backend',`
  	gen_require(`
+@@ -47,7 +52,7 @@ interface(`cups_domtrans',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to cupsd over an unix domain stream socket.
++##	Connect to cupsd over a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -190,10 +195,12 @@ interface(`cups_dbus_chat_config',`
  interface(`cups_read_config',`
  	gen_require(`
@@ -33926,6 +34175,15 @@ index 305ddf4..2746e6f 100644
  	read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
  ')
  
+@@ -277,7 +284,7 @@ interface(`cups_write_log',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to ptal over an unix domain stream socket.
++##	Connect to ptal over a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -314,16 +321,19 @@ interface(`cups_stream_connect_ptal',`
  interface(`cups_admin',`
  	gen_require(`
@@ -36343,7 +36601,7 @@ index 0000000..3aae725
 +/var/log/dirsrv/ldap-agent.log	gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
 diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if
 new file mode 100644
-index 0000000..6fd8e9f
+index 0000000..b214253
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.if
 @@ -0,0 +1,208 @@
@@ -36445,7 +36703,7 @@ index 0000000..6fd8e9f
 +
 +########################################
 +## <summary>
-+##	Connect to dirsrv over an unix stream socket.
++##	Connect to dirsrv over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -38055,6 +38313,113 @@ index 0000000..d409571
 +	manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
 +')
 +
+diff --git a/policy/modules/services/entropyd.fc b/policy/modules/services/entropyd.fc
+new file mode 100644
+index 0000000..d2d8ce3
+--- /dev/null
++++ b/policy/modules/services/entropyd.fc
+@@ -0,0 +1,8 @@
++#
++# /usr
++#
++/usr/sbin/audio-entropyd	--	gen_context(system_u:object_r:entropyd_exec_t,s0)
++/usr/sbin/haveged		--	gen_context(system_u:object_r:entropyd_exec_t,s0)
++
++/var/run/audio-entropyd\.pid	--	gen_context(system_u:object_r:entropyd_var_run_t,s0)
++/var/run/haveged\.pid		--	gen_context(system_u:object_r:entropyd_var_run_t,s0)
+diff --git a/policy/modules/services/entropyd.if b/policy/modules/services/entropyd.if
+new file mode 100644
+index 0000000..67906f0
+--- /dev/null
++++ b/policy/modules/services/entropyd.if
+@@ -0,0 +1 @@
++## <summary>Generate entropy from audio input</summary>
+diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
+new file mode 100644
+index 0000000..b6ac808
+--- /dev/null
++++ b/policy/modules/services/entropyd.te
+@@ -0,0 +1,80 @@
++policy_module(entropyd, 1.7.0)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++## <p>
++##   Allow the use of the audio devices as the source for the entropy feeds
++## </p>
++## </desc>
++gen_tunable(entropyd_use_audio, false)
++
++type entropyd_t;
++type entropyd_exec_t;
++init_daemon_domain(entropyd_t, entropyd_exec_t)
++
++type entropyd_var_run_t;
++files_pid_file(entropyd_var_run_t)
++
++########################################
++#
++# Local policy
++#
++
++allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
++dontaudit entropyd_t self:capability sys_tty_config;
++allow entropyd_t self:process signal_perms;
++allow entropyd_t self:unix_dgram_socket create_socket_perms;
++
++manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
++files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
++
++kernel_rw_kernel_sysctl(entropyd_t)
++kernel_list_proc(entropyd_t)
++kernel_read_proc_symlinks(entropyd_t)
++
++dev_read_sysfs(entropyd_t)
++dev_read_urand(entropyd_t)
++dev_write_urand(entropyd_t)
++dev_read_rand(entropyd_t)
++dev_write_rand(entropyd_t)
++
++files_read_etc_files(entropyd_t)
++files_read_usr_files(entropyd_t)
++
++fs_getattr_all_fs(entropyd_t)
++fs_search_auto_mountpoints(entropyd_t)
++
++domain_use_interactive_fds(entropyd_t)
++
++logging_send_syslog_msg(entropyd_t)
++
++miscfiles_read_localization(entropyd_t)
++
++userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
++userdom_dontaudit_search_user_home_dirs(entropyd_t)
++
++tunable_policy(`entropyd_use_audio',`
++	dev_read_sound(entropyd_t)
++	# set sound card parameters such as sample format, number of channels
++	# and sample rate.
++	dev_write_sound(entropyd_t)
++')
++
++optional_policy(`
++	tunable_policy(`entropyd_use_audio',`
++		alsa_read_lib(entropyd_t)
++		alsa_read_rw_config(entropyd_t)
++	')
++')
++
++optional_policy(`
++	seutil_sigchld_newrole(entropyd_t)
++')
++
++optional_policy(`
++	udev_read_db(entropyd_t)
++')
 diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
 index 298f066..b54de69 100644
 --- a/policy/modules/services/exim.fc
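Review bot: `kernel_rw_kernel_sysctl(entropyd_t)` replaces the old `kernel_read_kernel_sysctls` and grants write access to the whole /proc/sys/kernel tree, not just the random/ knob haveged presumably tunes; if only `write_wakeup_threshold` is needed, say so above the rule, e.g. `# haveged adjusts /proc/sys/kernel/random/write_wakeup_threshold`, so the broad write grant to a sys_admin-capable daemon is at least explained, and prefer a narrower rule if the policy offers one. The audioentropy.te deleted earlier in this patch carried `auth_read_passwd(entropyd_t)`, which does not reappear in the new entropyd.te; if either daemon needed it this is a silent regression. The entropyd.if summary `## <summary>Generate entropy from audio input</summary>` no longer describes the module, since haveged is labelled entropyd_exec_t and audio access is off unless entropyd_use_audio is set; `## <summary>Entropy-gathering daemons (haveged, audio-entropyd)</summary>` would match. With the tunable defaulting to false, audio-entropyd cannot open the sound device until an administrator enables the boolean, which the `<desc>` text should state outright.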
@@ -38311,7 +38676,7 @@ index 0de2b83..b93171c 100644
  
  /var/lib/fail2ban(/.*)?		gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
 diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
-index f590a1f..18bdd33 100644
+index f590a1f..eb6f870 100644
 --- a/policy/modules/services/fail2ban.if
 +++ b/policy/modules/services/fail2ban.if
 @@ -5,9 +5,9 @@
@@ -38326,10 +38691,11 @@ index f590a1f..18bdd33 100644
  ## </param>
  #
  interface(`fail2ban_domtrans',`
-@@ -40,6 +40,25 @@ interface(`fail2ban_stream_connect',`
+@@ -40,7 +40,26 @@ interface(`fail2ban_stream_connect',`
  
  ########################################
  ## <summary>
+-##	Read and write to an fail2ban unix stream socket.
 +##	Read and write inherited temporary files.
 +## </summary>
 +## <param name="domain">
@@ -38349,9 +38715,10 @@ index f590a1f..18bdd33 100644
 +
 +########################################
 +## <summary>
- ##	Read and write to an fail2ban unix stream socket.
++##	Read and write to an fail2ba unix stream socket.
  ## </summary>
  ## <param name="domain">
+ ##	<summary>
 @@ -72,7 +91,7 @@ interface(`fail2ban_read_lib_files',`
  	')
  
@@ -40175,7 +40542,7 @@ index 0000000..657d8f5
 +/var/run/glance(/.*)?		gen_context(system_u:object_r:glance_var_run_t,s0)
 diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if
 new file mode 100644
-index 0000000..8f0f77b
+index 0000000..ebe1dde
 --- /dev/null
 +++ b/policy/modules/services/glance.if
 @@ -0,0 +1,268 @@
@@ -40184,7 +40551,7 @@ index 0000000..8f0f77b
 +
 +########################################
 +## <summary>
-+##	Transition to glance.
++##	Transition to glance registry.
 +## </summary>
 +## <param name="domain">
 +## <summary>
@@ -40203,7 +40570,7 @@ index 0000000..8f0f77b
 +
 +########################################
 +## <summary>
-+##	Transition to glance.
++##	Transition to glance api.
 +## </summary>
 +## <param name="domain">
 +## <summary>
@@ -43067,7 +43434,7 @@ index c62f23e..63e3be1 100644
  /var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
-index 3aa8fa7..21b3ecd 100644
+index 3aa8fa7..436aace 100644
 --- a/policy/modules/services/ldap.if
 +++ b/policy/modules/services/ldap.if
 @@ -1,5 +1,64 @@
@@ -43161,6 +43528,15 @@ index 3aa8fa7..21b3ecd 100644
  ##	Read the OpenLDAP configuration files.
  ## </summary>
  ## <param name="domain">
+@@ -55,7 +133,7 @@ interface(`ldap_use',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to slapd over an unix stream socket.
++##	Connect to slapd over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -69,8 +147,7 @@ interface(`ldap_stream_connect',`
  	')
  
@@ -43835,13 +44211,16 @@ index 93c14ca..27d96e1 100644
  optional_policy(`
  	cups_read_config(lpr_t)
 diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
-index 14ad189..2b8efd8 100644
+index 14ad189..8317f33 100644
 --- a/policy/modules/services/mailman.fc
 +++ b/policy/modules/services/mailman.fc
-@@ -1,11 +1,11 @@
+@@ -1,11 +1,14 @@
 -/usr/lib(64)?/mailman/bin/mailmanctl --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++
 +/usr/lib/mailman/bin/mailmanctl --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman/bin/mm-handler.* --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
  /usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
++/usr/share/doc/mailman.*/mm-handler.* --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
  
  /var/lib/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
  /var/lib/mailman/archives(/.*)?		gen_context(system_u:object_r:mailman_archive_t,s0)
@@ -43852,7 +44231,7 @@ index 14ad189..2b8efd8 100644
  
  #
  # distro_debian
-@@ -25,10 +25,10 @@ ifdef(`distro_debian', `
+@@ -25,10 +28,10 @@ ifdef(`distro_debian', `
  ifdef(`distro_redhat', `
  /etc/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
  
@@ -44455,10 +44834,10 @@ index 0000000..2e8b6d8
 +')
 diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
 new file mode 100644
-index 0000000..4ea6ac3
+index 0000000..8f7cdb0
 --- /dev/null
 +++ b/policy/modules/services/matahari.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,93 @@
 +policy_module(matahari,1.0.0)
 +
 +########################################
@@ -44486,8 +44865,6 @@ index 0000000..4ea6ac3
 +#
 +# matahari_hostd local policy
 +#
-+kernel_read_network_state(matahari_hostd_t)
-+
 +dev_read_sysfs(matahari_hostd_t)
 +dev_rw_mtrr(matahari_hostd_t)
 +
@@ -44515,14 +44892,10 @@ index 0000000..4ea6ac3
 +#
 +allow matahari_serviced_t self:process setpgid;
 +
-+kernel_read_network_state(matahari_serviced_t)
-+
 +dev_read_sysfs(matahari_serviced_t)
 +
 +domain_use_interactive_fds(matahari_serviced_t)
 +
-+files_read_etc_runtime_files(matahari_serviced_t)
-+
 +init_domtrans_script(matahari_serviced_t)
 +
 +systemd_config_all_services(matahari_serviced_t)
@@ -44544,12 +44917,14 @@ index 0000000..4ea6ac3
 +allow matahari_domain self:unix_stream_socket create_stream_socket_perms;
 +
 +kernel_read_system_state(matahari_domain)
++kernel_read_network_state(matahari_domain)
 +
 +corenet_tcp_connect_matahari_port(matahari_domain)
 +
 +dev_read_urand(matahari_domain)
 +
 +files_read_etc_files(matahari_domain)
++files_read_etc_runtime_files(matahari_domain)
 +
 +logging_send_syslog_msg(matahari_domain)
 +
@@ -46769,7 +47144,7 @@ index f17583b..171ebec 100644
 +
 +miscfiles_read_localization(munin_plugin_domain)
 diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..ac7e846 100644
+index e9c0982..840e562 100644
 --- a/policy/modules/services/mysql.if
 +++ b/policy/modules/services/mysql.if
 @@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@@ -46778,7 +47153,7 @@ index e9c0982..ac7e846 100644
  
 +######################################
 +## <summary>
-+##	Execute MySQL in the coller domain.
++##	Execute MySQL in the caller domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -46851,7 +47226,7 @@ index e9c0982..ac7e846 100644
  
 +######################################
 +## <summary>
-+##	Execute MySQL_safe in the coller domain.
++##	Execute MySQL_safe in the caller domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -48691,7 +49066,7 @@ index 7936e09..2f6a98f 100644
 +	unconfined_dontaudit_rw_packet_sockets(nscd_t)
 +')
 diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
-index 23c769c..549d7f8 100644
+index 23c769c..0a334ae 100644
 --- a/policy/modules/services/nslcd.if
 +++ b/policy/modules/services/nslcd.if
 @@ -5,9 +5,9 @@
@@ -48706,6 +49081,15 @@ index 23c769c..549d7f8 100644
  ## </param>
  #
  interface(`nslcd_domtrans',`
+@@ -57,7 +57,7 @@ interface(`nslcd_read_pid_files',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to nslcd over an unix stream socket.
++##	Connect to nslcd over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -93,12 +93,15 @@ interface(`nslcd_stream_connect',`
  #
  interface(`nslcd_admin',`
@@ -49323,7 +49707,7 @@ index 8845174..58148ed 100644
 - 	fs_read_nfs_files(oidentd_t)
 -')
 diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
-index 9d0a67b..9197ef0 100644
+index 9d0a67b..351f7c8 100644
 --- a/policy/modules/services/openct.if
 +++ b/policy/modules/services/openct.if
 @@ -23,9 +23,9 @@ interface(`openct_signull',`
@@ -49350,6 +49734,15 @@ index 9d0a67b..9197ef0 100644
  ## </param>
  #
  interface(`openct_domtrans',`
+@@ -77,7 +77,7 @@ interface(`openct_read_pid_files',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to openct over an unix stream socket.
++##	Connect to openct over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
 index 7f8fdc2..047d985 100644
 --- a/policy/modules/services/openct.te
@@ -49624,7 +50017,7 @@ index 87f17e8..63ee18a 100644
  /var/run/pcscd\.pub	--	gen_context(system_u:object_r:pcscd_var_run_t,s0)
  /var/run/pcscd\.events(/.*)?	gen_context(system_u:object_r:pcscd_var_run_t,s0)
 diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
-index 1c2a091..10f264c 100644
+index 1c2a091..6be0b2c 100644
 --- a/policy/modules/services/pcscd.if
 +++ b/policy/modules/services/pcscd.if
 @@ -5,9 +5,9 @@
@@ -49648,6 +50041,15 @@ index 1c2a091..10f264c 100644
  ')
  
  ########################################
+@@ -77,7 +77,7 @@ interface(`pcscd_manage_pub_pipes',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to pcscd over an unix stream socket.
++##	Connect to pcscd over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
 index ceafba6..9eb6967 100644
 --- a/policy/modules/services/pcscd.te
@@ -50872,7 +51274,7 @@ index 48ff1e8..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..c2771dd 100644
+index 1e7169d..a8b2f63 100644
 --- a/policy/modules/services/policykit.te
 +++ b/policy/modules/services/policykit.te
 @@ -5,47 +5,73 @@ policy_module(policykit, 1.1.0)
@@ -50961,7 +51363,7 @@ index 1e7169d..c2771dd 100644
  rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
  
  policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +82,101 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +82,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
  
@@ -50982,14 +51384,14 @@ index 1e7169d..c2771dd 100644
 +userdom_getattr_all_users(policykit_t)
 +userdom_read_all_users_state(policykit_t)
 +userdom_dontaudit_search_admin_dir(policykit_t)
-+
-+optional_policy(`
-+	dbus_system_domain(policykit_t, policykit_exec_t)
  
 -miscfiles_read_localization(policykit_t)
-+	init_dbus_chat(policykit_t)
++optional_policy(`
++	dbus_system_domain(policykit_t, policykit_exec_t)
  
 -userdom_read_all_users_state(policykit_t)
++	init_dbus_chat(policykit_t)
++
 +	optional_policy(`
 +		consolekit_dbus_chat(policykit_t)
 +	')
@@ -51007,6 +51409,12 @@ index 1e7169d..c2771dd 100644
 +optional_policy(`
 +	gnome_read_config(policykit_t)
 +')
++
++optional_policy(`
++	systemd_read_logind_sessions_files(policykit_t)
++	systemd_login_list_pid_dirs(policykit_t)
++	systemd_login_read_pid_files(policykit_t)
++')
  
  ########################################
  #
@@ -51075,7 +51483,7 @@ index 1e7169d..c2771dd 100644
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -118,14 +189,21 @@ optional_policy(`
+@@ -118,14 +195,21 @@ optional_policy(`
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -51099,7 +51507,7 @@ index 1e7169d..c2771dd 100644
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -145,19 +223,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
+@@ -145,19 +229,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
  files_read_etc_files(policykit_grant_t)
  files_read_usr_files(policykit_grant_t)
  
@@ -51124,7 +51532,7 @@ index 1e7169d..c2771dd 100644
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -167,9 +244,8 @@ optional_policy(`
+@@ -167,9 +250,8 @@ optional_policy(`
  # polkit_resolve local policy
  #
  
@@ -51136,7 +51544,7 @@ index 1e7169d..c2771dd 100644
  allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
  allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -185,13 +261,9 @@ corecmd_search_bin(policykit_resolve_t)
+@@ -185,13 +267,9 @@ corecmd_search_bin(policykit_resolve_t)
  files_read_etc_files(policykit_resolve_t)
  files_read_usr_files(policykit_resolve_t)
  
@@ -51151,7 +51559,7 @@ index 1e7169d..c2771dd 100644
  
  userdom_read_all_users_state(policykit_resolve_t)
  
-@@ -207,4 +279,3 @@ optional_policy(`
+@@ -207,4 +285,3 @@ optional_policy(`
  	kernel_search_proc(policykit_resolve_t)
  	hal_read_state(policykit_resolve_t)
  ')
@@ -52586,7 +52994,7 @@ index f03fad4..1865d8f 100644
  ifdef(`distro_debian', `
  /usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index 09aeffa..d728f3a 100644
+index 09aeffa..e66adbd 100644
 --- a/policy/modules/services/postgresql.if
 +++ b/policy/modules/services/postgresql.if
 @@ -10,7 +10,7 @@
@@ -52660,7 +53068,32 @@ index 09aeffa..d728f3a 100644
  ')
  
  ########################################
-@@ -395,7 +398,6 @@ interface(`postgresql_tcp_connect',`
+@@ -328,6 +331,24 @@ interface(`postgresql_domtrans',`
+ 
+ ######################################
+ ## <summary>
++##	Execute Postgresql in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`postgresql_exec',`
++	gen_require(`
++		type  postgresql_exec_t;
++	')
++
++	can_exec($1, postgresql_exec_t)
++')
++
++######################################
++## <summary>
+ ##	Allow domain to signal postgresql
+ ## </summary>
+ ## <param name="domain">
+@@ -395,7 +416,6 @@ interface(`postgresql_tcp_connect',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
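Review bot: `postgresql_exec` runs the PostgreSQL binaries in the caller's domain via `can_exec`, so nothing started this way is confined by postgresql_t; the summary should state that trade-off so callers do not pick it over postgresql_domtrans by mistake, e.g. `##	Execute PostgreSQL binaries in the caller domain (no transition to postgresql_t; prefer postgresql_domtrans unless the caller must stay in its own domain).`. Style: `type  postgresql_exec_t;` has a double space, unlike the `type abrt_t;` form used elsewhere in the patch.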
@@ -52668,7 +53101,7 @@ index 09aeffa..d728f3a 100644
  #
  interface(`postgresql_stream_connect',`
  	gen_require(`
-@@ -403,10 +405,8 @@ interface(`postgresql_stream_connect',`
+@@ -403,10 +423,8 @@ interface(`postgresql_stream_connect',`
  	')
  
  	files_search_pids($1)
@@ -52681,7 +53114,7 @@ index 09aeffa..d728f3a 100644
  ')
  
  ########################################
-@@ -468,6 +468,7 @@ interface(`postgresql_unpriv_client',`
+@@ -468,6 +486,7 @@ interface(`postgresql_unpriv_client',`
  		allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
  		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
  	')
@@ -52689,7 +53122,7 @@ index 09aeffa..d728f3a 100644
  	allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
  	type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
  
-@@ -492,6 +493,7 @@ interface(`postgresql_unpriv_client',`
+@@ -492,6 +511,7 @@ interface(`postgresql_unpriv_client',`
  
  	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
  	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
@@ -52697,7 +53130,7 @@ index 09aeffa..d728f3a 100644
  ')
  
  ########################################
-@@ -531,33 +533,38 @@ interface(`postgresql_unconfined',`
+@@ -531,33 +551,38 @@ interface(`postgresql_unconfined',`
  #
  interface(`postgresql_admin',`
  	gen_require(`
@@ -55751,7 +56184,7 @@ index 3c97ef0..c025d59 100644
  
  /var/log/cluster/rgmanager\.log		--	gen_context(system_u:object_r:rgmanager_var_log_t,s0)
 diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
-index 7dc38d1..e3bdea7 100644
+index 7dc38d1..808f9c6 100644
 --- a/policy/modules/services/rgmanager.if
 +++ b/policy/modules/services/rgmanager.if
 @@ -5,9 +5,9 @@
@@ -55766,6 +56199,15 @@ index 7dc38d1..e3bdea7 100644
  ## </param>
  #
  interface(`rgmanager_domtrans',`
+@@ -21,7 +21,7 @@ interface(`rgmanager_domtrans',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to rgmanager over an unix stream socket.
++##	Connect to rgmanager over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -75,3 +75,67 @@ interface(`rgmanager_manage_tmpfs_files',`
  	fs_search_tmpfs($1)
  	manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
@@ -56009,7 +56451,7 @@ index c2ba53b..1f935bf 100644
  /var/run/fenced\.pid			--	gen_context(system_u:object_r:fenced_var_run_t,s0)
  /var/run/gfs_controld\.pid		--	gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
 diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
-index de37806..a21e737 100644
+index de37806..3e870b7 100644
 --- a/policy/modules/services/rhcs.if
 +++ b/policy/modules/services/rhcs.if
 @@ -13,7 +13,7 @@
@@ -56082,6 +56524,15 @@ index de37806..a21e737 100644
  ######################################
  ## <summary>
  ##	Allow read and write access to fenced semaphores.
+@@ -156,7 +173,7 @@ interface(`rhcs_rw_fenced_semaphores',`
+ 
+ ######################################
+ ## <summary>
+-##	Connect to fenced over an unix domain stream socket.
++##	Connect to fenced over a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -169,9 +186,8 @@ interface(`rhcs_stream_connect_fenced',`
  		type fenced_var_run_t, fenced_t;
  	')
@@ -56093,6 +56544,15 @@ index de37806..a21e737 100644
  ')
  
  #####################################
+@@ -237,7 +253,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
+ 
+ #####################################
+ ## <summary>
+-##	Connect to gfs_controld_t over an unix domain stream socket.
++##	Connect to gfs_controld_t over a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -335,6 +351,65 @@ interface(`rhcs_rw_groupd_shm',`
  	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
  ')
@@ -57039,10 +57499,10 @@ index 0000000..6572600
 +')
 diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
 new file mode 100644
-index 0000000..c0952a3
+index 0000000..4adb871
 --- /dev/null
 +++ b/policy/modules/services/rhsmcertd.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,63 @@
 +policy_module(rhsmcertd, 1.0.0)
 +
 +########################################
@@ -57105,9 +57565,7 @@ index 0000000..c0952a3
 +miscfiles_read_localization(rhsmcertd_t)
 +miscfiles_read_certs(rhsmcertd_t)
 +
-+optional_policy(`
-+	sysnet_dns_name_resolve(rhsmcertd_t)
-+')
++sysnet_dns_name_resolve(rhsmcertd_t)
 diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
 index 5b08327..ed5dc05 100644
 --- a/policy/modules/services/ricci.fc
@@ -57120,7 +57578,7 @@ index 5b08327..ed5dc05 100644
  /usr/libexec/ricci-modlog	--	gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
  /usr/libexec/ricci-modrpm	--	gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
 diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
-index f7826f9..62ccd55 100644
+index f7826f9..23d579c 100644
 --- a/policy/modules/services/ricci.if
 +++ b/policy/modules/services/ricci.if
 @@ -5,9 +5,9 @@
@@ -57170,7 +57628,7 @@ index f7826f9..62ccd55 100644
  ## </param>
  #
  interface(`ricci_domtrans_modcluster',`
-@@ -71,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
+@@ -71,12 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
  		type ricci_modcluster_t;
  	')
  
@@ -57179,6 +57637,12 @@ index f7826f9..62ccd55 100644
  ')
  
  ########################################
+ ## <summary>
+-##	Connect to ricci_modclusterd over an unix stream socket.
++##	Connect to ricci_modclusterd over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -90,18 +108,36 @@ interface(`ricci_stream_connect_modclusterd',`
  	')
  
@@ -58096,7 +58560,7 @@ index f5c47d6..482b584 100644
  
  /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
 diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
-index a96249c..b4f950d 100644
+index a96249c..a345080 100644
 --- a/policy/modules/services/rpcbind.if
 +++ b/policy/modules/services/rpcbind.if
 @@ -5,9 +5,9 @@
@@ -58111,6 +58575,15 @@ index a96249c..b4f950d 100644
  ## </param>
  #
  interface(`rpcbind_domtrans',`
+@@ -20,7 +20,7 @@ interface(`rpcbind_domtrans',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to rpcbindd over an unix stream socket.
++##	Connect to rpcbindd over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
  	')
  
@@ -59249,7 +59722,7 @@ index 0000000..630960e
 +/usr/sbin/sanlock		--	gen_context(system_u:object_r:sanlock_exec_t,s0)
 diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if
 new file mode 100644
-index 0000000..0d53457
+index 0000000..3eb745d
 --- /dev/null
 +++ b/policy/modules/services/sanlock.if
 @@ -0,0 +1,113 @@
@@ -59314,7 +59787,7 @@ index 0000000..0d53457
 +
 +########################################
 +## <summary>
-+##      Connect to sanlock over an unix stream socket.
++##      Connect to sanlock over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
@@ -59571,7 +60044,7 @@ index 0000000..d5c3c3f
 +/var/run/gather(/.*)?		gen_context(system_u:object_r:sblim_var_run_t,s0)
 diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if
 new file mode 100644
-index 0000000..40d0049
+index 0000000..fe23f5a
 --- /dev/null
 +++ b/policy/modules/services/sblim.if
 @@ -0,0 +1,82 @@
@@ -59588,7 +60061,7 @@ index 0000000..40d0049
 +## </summary>
 +## </param>
 +#
-+interface(`sblim_gatherd_domtrans',`
++interface(`sblim_domtrans_gatherd',`
 +	gen_require(`
 +		type sblim_gatherd_t, sblim_gatherd_exec_t;
 +	')
@@ -59988,9 +60461,27 @@ index 22dac1f..1c27bd6 100644
 +	uucp_domtrans_uux(sendmail_t)
  ')
 diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
-index bcdd16c..b1c92f9 100644
+index bcdd16c..039b0c8 100644
 --- a/policy/modules/services/setroubleshoot.if
 +++ b/policy/modules/services/setroubleshoot.if
+@@ -2,7 +2,7 @@
+ 
+ ########################################
+ ## <summary>
+-##	Connect to setroubleshootd over an unix stream socket.
++##	Connect to setroubleshootd over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -23,7 +23,7 @@ interface(`setroubleshoot_stream_connect',`
+ ########################################
+ ## <summary>
+ ##	Dontaudit attempts to connect to setroubleshootd
+-##	over an unix stream socket.
++##	over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
  
  ########################################
@@ -62497,7 +62988,7 @@ index 2dad3c8..12ad27c 100644
 +    ssh_rw_dgram_sockets(chroot_user_t)
  ')
 diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
-index 941380a..4afc698 100644
+index 941380a..e1095f0 100644
 --- a/policy/modules/services/sssd.if
 +++ b/policy/modules/services/sssd.if
 @@ -5,9 +5,9 @@
@@ -62544,6 +63035,15 @@ index 941380a..4afc698 100644
  ')
  
  ########################################
+@@ -193,7 +195,7 @@ interface(`sssd_dbus_chat',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to sssd over an unix stream socket.
++##	Connect to sssd over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -225,21 +227,18 @@ interface(`sssd_stream_connect',`
  ##	The role to be allowed to manage the sssd domain.
  ##	</summary>
@@ -63489,7 +63989,7 @@ index 0000000..d810232
 +/var/run/uuidd(/.*)?		gen_context(system_u:object_r:uuidd_var_run_t,s0)
 diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if
 new file mode 100644
-index 0000000..adf79eb
+index 0000000..2c30e5b
 --- /dev/null
 +++ b/policy/modules/services/uuidd.if
 @@ -0,0 +1,194 @@
@@ -63630,7 +64130,7 @@ index 0000000..adf79eb
 +
 +########################################
 +## <summary>
-+##	Connect to uuidd over an unix stream socket.
++##	Connect to uuidd over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -63822,7 +64322,7 @@ index 0000000..2ba852c
 +
 diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
 new file mode 100644
-index 0000000..6467d91
+index 0000000..c6be180
 --- /dev/null
 +++ b/policy/modules/services/vdagent.if
 @@ -0,0 +1,128 @@
@@ -63857,7 +64357,7 @@ index 0000000..6467d91
 +##  </summary>
 +## </param>
 +#
-+interface(`vdagent_getattr_exec',`
++interface(`vdagent_getattr_exec_files',`
 +    gen_require(`
 +        type vdagent_exec_t;
 +    ')
@@ -64015,7 +64515,7 @@ index 0000000..4fd2377
 +')
 +
 diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
-index 1f872b5..1250e30 100644
+index 1f872b5..88a8157 100644
 --- a/policy/modules/services/vhostmd.if
 +++ b/policy/modules/services/vhostmd.if
 @@ -5,9 +5,9 @@
@@ -64057,7 +64557,7 @@ index 1f872b5..1250e30 100644
  ')
  
  ########################################
-@@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',`
+@@ -146,12 +146,13 @@ interface(`vhostmd_manage_pid_files',`
  		type vhostmd_var_run_t;
  	')
  
@@ -64067,6 +64567,21 @@ index 1f872b5..1250e30 100644
  ')
  
  ########################################
+ ## <summary>
+-##	Connect to vhostmd over an unix domain stream socket.
++##	Connect to vhostmd over a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -171,7 +172,7 @@ interface(`vhostmd_stream_connect',`
+ #######################################
+ ## <summary>
+ ##	Dontaudit read and write to vhostmd
+-##	over an unix domain stream socket.
++##	over a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -209,8 +210,11 @@ interface(`vhostmd_admin',`
  		type vhostmd_t, vhostmd_initrc_exec_t;
  	')
@@ -64182,7 +64697,7 @@ index 2124b6a..49c15d1 100644
 +# support for nova-stack
 +/usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..3fd8f12 100644
+index 7c5d8d8..e6bb21e 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,39 +13,45 @@
@@ -64294,7 +64809,7 @@ index 7c5d8d8..3fd8f12 100644
  ## </param>
  #
  interface(`virt_domtrans',`
-@@ -114,6 +126,25 @@ interface(`virt_domtrans',`
+@@ -114,9 +126,28 @@ interface(`virt_domtrans',`
  	domtrans_pattern($1, virtd_exec_t, virtd_t)
  ')
  
@@ -64319,7 +64834,11 @@ index 7c5d8d8..3fd8f12 100644
 +
  #######################################
  ## <summary>
- ##	Connect to virt over an unix domain stream socket.
+-##	Connect to virt over an unix domain stream socket.
++##	Connect to virt over a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -164,13 +195,13 @@ interface(`virt_attach_tun_iface',`
  #
  interface(`virt_read_config',`
@@ -64767,7 +65286,7 @@ index 7c5d8d8..3fd8f12 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..59444ba 100644
+index 3eca020..bc0bf43 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
@@ -65324,7 +65843,7 @@ index 3eca020..59444ba 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +626,359 @@ files_search_all(virt_domain)
+@@ -440,25 +626,365 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -65332,12 +65851,12 @@ index 3eca020..59444ba 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+ 
+-term_use_all_terms(virt_domain)
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
- 
--term_use_all_terms(virt_domain)
++
 +term_use_all_inherited_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
@@ -65480,8 +65999,8 @@ index 3eca020..59444ba 100644
 +#
 +# virt_lxc local policy
 +#
-+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin };
-+allow virtd_lxc_t self:process { setsched getcap setcap signal_perms };
++allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_resource };
++allow virtd_lxc_t self:process { setrlimit setsched getcap setcap signal_perms };
 +allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
 +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
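Review bot: The `sys_resource` capability and `setrlimit` process permission added to virtd_lxc_t carry no comment saying which libvirt-lxc operation needs them, and `sys_resource` is a broad capability (it lifts rlimit and quota ceilings, among other things), so the least-privilege justification belongs next to the rule. The same applies to the hunk `@@ -65517,8 +66036,8 @@`, where `dev_read_sysfs(virtd_lxc_t)` becomes `dev_rw_sysfs(virtd_lxc_t)` and read access turns into write access over every sysfs node. I would put above the capability line `# sys_resource/setrlimit: resource limits applied during container setup -- TODO cite the denial that motivated this` and, above `dev_rw_sysfs`, a comment naming the sysfs files actually written, so a later pass can narrow both. The virt_lxc local-policy block continues outside the hunk.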
@@ -65517,8 +66036,8 @@ index 3eca020..59444ba 100644
 +corecmd_exec_bin(virtd_lxc_t)
 +corecmd_exec_shell(virtd_lxc_t)
 +
-+dev_read_sysfs(virtd_lxc_t)
 +dev_relabel_all_dev_nodes(virtd_lxc_t)
++dev_rw_sysfs(virtd_lxc_t)
 +
 +domain_use_interactive_fds(virtd_lxc_t)
 +
@@ -65529,13 +66048,16 @@ index 3eca020..59444ba 100644
 +files_unmount_all_file_type_fs(virtd_lxc_t)
 +files_list_isid_type_dirs(virtd_lxc_t)
 +
++fs_getattr_all_fs(virtd_lxc_t)
 +fs_manage_tmpfs_dirs(virtd_lxc_t)
 +fs_manage_tmpfs_chr_files(virtd_lxc_t)
 +fs_manage_tmpfs_symlinks(virtd_lxc_t)
 +fs_manage_cgroup_dirs(virtd_lxc_t)
-+fs_rw_cgroup_files(virtd_lxc_t)
++fs_mounton_tmpfs(virtd_lxc_t)
 +fs_remount_all_fs(virtd_lxc_t)
++fs_rw_cgroup_files(virtd_lxc_t)
 +fs_unmount_xattr_fs(virtd_lxc_t)
++fs_unmount_configfs(virtd_lxc_t)
 +
 +selinux_mount_fs(virtd_lxc_t)
 +selinux_unmount_fs(virtd_lxc_t)
@@ -65549,6 +66071,8 @@ index 3eca020..59444ba 100644
 +
 +miscfiles_read_localization(virtd_lxc_t)
 +
++seutil_domtrans_setfiles(virtd_lxc_t)
++
 +sysnet_domtrans_ifconfig(virtd_lxc_t)
 +
 +#optional_policy(`
@@ -65569,7 +66093,7 @@ index 3eca020..59444ba 100644
 +allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms;
 +dontaudit svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write };
 +
-+allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid execstack execmem };
++allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
 +allow svirt_lxc_domain self:fifo_file manage_file_perms;
 +allow svirt_lxc_domain self:sem create_sem_perms;
 +allow svirt_lxc_domain self:shm create_shm_perms;
@@ -65651,6 +66175,7 @@ index 3eca020..59444ba 100644
 +corenet_udp_bind_generic_node(svirt_lxc_net_t)
 +
 +allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service };
++
 +corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
 +corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 +corenet_udp_bind_all_ports(svirt_lxc_net_t)
@@ -65790,7 +66315,7 @@ index 0000000..ad47e05
 +/usr/sbin/wdmd		--	gen_context(system_u:object_r:wdmd_exec_t,s0)
 diff --git a/policy/modules/services/wdmd.if b/policy/modules/services/wdmd.if
 new file mode 100644
-index 0000000..955f1ac
+index 0000000..1a04747
 --- /dev/null
 +++ b/policy/modules/services/wdmd.if
 @@ -0,0 +1,114 @@
@@ -65892,7 +66417,7 @@ index 0000000..955f1ac
 +
 +########################################
 +## <summary>
-+##      Connect to wdmd over an unix stream socket.
++##      Connect to wdmd over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
@@ -66114,7 +66639,7 @@ index 4966c94..cb2e1a3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..351ed06 100644
+index 130ced9..1cb809b 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -66352,13 +66877,15 @@ index 130ced9..351ed06 100644
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -456,11 +495,18 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +495,20 @@ template(`xserver_user_x_domain_template',`
  	allow $2 xauth_home_t:file read_file_perms;
  	allow $2 iceauth_home_t:file read_file_perms;
  
 +	userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP")
 +	userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority")
 +	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority")
++	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l")
++	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
 +	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
 +	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
 +	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")
@@ -66373,7 +66900,7 @@ index 130ced9..351ed06 100644
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
  	# Allow connections to X server.
-@@ -472,20 +518,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +520,26 @@ template(`xserver_user_x_domain_template',`
  	# for .xsession-errors
  	userdom_dontaudit_write_user_home_content_files($2)
  
@@ -66402,7 +66929,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +571,7 @@ interface(`xserver_use_user_fonts',`
  	# Read per user fonts
  	allow $1 user_fonts_t:dir list_dir_perms;
  	allow $1 user_fonts_t:file read_file_perms;
@@ -66410,7 +66937,7 @@ index 130ced9..351ed06 100644
  
  	# Manipulate the global font cache
  	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -549,6 +602,24 @@ interface(`xserver_domtrans_xauth',`
+@@ -549,6 +604,24 @@ interface(`xserver_domtrans_xauth',`
  
  ########################################
  ## <summary>
@@ -66435,7 +66962,7 @@ index 130ced9..351ed06 100644
  ##	Create a Xauthority file in the user home directory.
  ## </summary>
  ## <param name="domain">
-@@ -598,6 +669,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +671,7 @@ interface(`xserver_read_user_xauth',`
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -66443,7 +66970,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -615,7 +687,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +689,7 @@ interface(`xserver_setattr_console_pipes',`
  		type xconsole_device_t;
  	')
  
@@ -66452,7 +66979,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -638,6 +710,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +712,25 @@ interface(`xserver_rw_console',`
  
  ########################################
  ## <summary>
@@ -66478,7 +67005,7 @@ index 130ced9..351ed06 100644
  ##	Use file descriptors for xdm.
  ## </summary>
  ## <param name="domain">
-@@ -651,7 +742,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +744,7 @@ interface(`xserver_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -66487,7 +67014,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -670,7 +761,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +763,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -66496,7 +67023,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -688,7 +779,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +781,7 @@ interface(`xserver_rw_xdm_pipes',`
  		type xdm_t;
  	')
  
@@ -66505,7 +67032,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -703,12 +794,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +796,11 @@ interface(`xserver_rw_xdm_pipes',`
  ## </param>
  #
  interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -66519,7 +67046,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -724,11 +814,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +816,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
@@ -66553,7 +67080,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -752,6 +862,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +864,25 @@ interface(`xserver_read_xdm_rw_config',`
  
  ########################################
  ## <summary>
@@ -66579,7 +67106,7 @@ index 130ced9..351ed06 100644
  ##	Set the attributes of XDM temporary directories.
  ## </summary>
  ## <param name="domain">
-@@ -765,7 +894,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +896,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
@@ -66588,7 +67115,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -805,7 +934,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +936,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -66616,7 +67143,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -828,6 +976,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +978,24 @@ interface(`xserver_read_xdm_lib_files',`
  
  ########################################
  ## <summary>
@@ -66641,7 +67168,7 @@ index 130ced9..351ed06 100644
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -897,7 +1063,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1065,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -66650,7 +67177,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -916,7 +1082,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1084,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -66659,7 +67186,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -963,6 +1129,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1131,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -66705,7 +67232,7 @@ index 130ced9..351ed06 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1181,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1183,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -66714,7 +67241,7 @@ index 130ced9..351ed06 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1243,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1245,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -66757,7 +67284,7 @@ index 130ced9..351ed06 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1293,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1295,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -66766,7 +67293,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -1070,8 +1311,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1313,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -66778,7 +67305,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -1185,6 +1428,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1430,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -66788,7 +67315,7 @@ index 130ced9..351ed06 100644
 +######################################
 +## <summary>
 +##  Dontaudit attempts to connect to xserver
-+##  over an unix stream socket.
++##  over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
@@ -66805,7 +67332,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -1210,7 +1473,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1475,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -66814,7 +67341,7 @@ index 130ced9..351ed06 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1483,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1485,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -66839,7 +67366,7 @@ index 130ced9..351ed06 100644
  ')
  
  ########################################
-@@ -1243,10 +1516,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1518,462 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -67261,6 +67788,8 @@ index 130ced9..351ed06 100644
 +	userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
 +	userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
++	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l")
++	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
 +	userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
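Review bot: The two new `.Xauthority-l` and `.Xauthority-c` filetrans lines pass `$2` while every neighbouring line in this block passes `$1`, which looks copy-pasted from the `xserver_user_x_domain_template` hunk earlier in this commit, where `$2` is the right argument; in a one-argument interface `$2` expands to empty, so the rule is at best a build error and at worst a transition granted to the wrong domain. Change them to `userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")` and `userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")`. The same mistake is repeated in the hunk `@@ -67293,6 +67822,8 @@` with `userdom_admin_home_dir_filetrans`. The enclosing interface starts and ends outside the hunk, so that it takes a single argument is inferred from its existing `$1` lines.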
@@ -67293,6 +67822,8 @@ index 130ced9..351ed06 100644
 +	userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
 +	userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
 +	userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
++	userdom_admin_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l")
++	userdom_admin_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
 +	userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
 +	userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
 +	userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
@@ -68772,9 +69303,18 @@ index 9fb4747..92c156b 100644
  
  miscfiles_read_localization(zarafa_domain)
 diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
-index 6b87605..ef64e73 100644
+index 6b87605..c745e03 100644
 --- a/policy/modules/services/zebra.if
 +++ b/policy/modules/services/zebra.if
+@@ -24,7 +24,7 @@ interface(`zebra_read_config',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to zebra over an unix stream socket.
++##	Connect to zebra over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
  	')
  
@@ -68860,7 +69400,7 @@ index 0000000..b74fadf
 +/var/spool/zoneminder-upload(/.*)?	gen_context(system_u:object_r:zoneminder_spool_t,s0)
 diff --git a/policy/modules/services/zoneminder.if b/policy/modules/services/zoneminder.if
 new file mode 100644
-index 0000000..aadeef3
+index 0000000..d3e6527
 --- /dev/null
 +++ b/policy/modules/services/zoneminder.if
 @@ -0,0 +1,320 @@
@@ -69122,7 +69662,7 @@ index 0000000..aadeef3
 +
 +########################################
 +## <summary>
-+##	Connect to zoneminder over an unix stream socket.
++##	Connect to zoneminder over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -71766,7 +72306,7 @@ index 94fd8dd..ef5a3c8 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..ddc7143 100644
+index 29a9565..92781d7 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -72670,7 +73210,7 @@ index 29a9565..ddc7143 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1251,160 @@ optional_policy(`
+@@ -854,3 +1251,161 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -72725,6 +73265,7 @@ index 29a9565..ddc7143 100644
 +	allow init_t daemon:unix_stream_socket create_stream_socket_perms;
 +	allow init_t daemon:unix_dgram_socket create_socket_perms;
 +	allow init_t daemon:tcp_socket create_stream_socket_perms;
++	allow init_t daemon:udp_socket create_socket_perms;
 +	allow daemon init_t:unix_dgram_socket sendto;
 +	# need write to /var/run/systemd/notify
 +	init_write_pid_socket(daemon)
@@ -74239,9 +74780,27 @@ index 02f4c97..314efca 100644
 +
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 831b909..0410fa3 100644
+index 831b909..9889380 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
+@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to auditdstored over an unix stream socket.
++##	Connect to auditdstored over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -318,7 +318,7 @@ interface(`logging_dispatcher_domain',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to the audit dispatcher over an unix stream socket.
++##	Connect to the audit dispatcher over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -491,6 +491,63 @@ interface(`logging_log_filetrans',`
  	filetrans_pattern($1, var_log_t, $2, $3)
  ')
@@ -78036,10 +78595,10 @@ index 0000000..0d3e625
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..1688a39
+index 0000000..75e7f1c
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,504 @@
+@@ -0,0 +1,542 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -78212,6 +78771,25 @@ index 0000000..1688a39
 +
 +######################################
 +## <summary>
++##	Read systemd_login PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_login_list_pid_dirs',`
++	gen_require(`
++		type systemd_logind_var_run_t;
++	')
++
++	files_search_pids($1)
++	list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
++')
++
++######################################
++## <summary>
 +##	Use and and inherited systemd
 +##	logind file descriptors.
 +## </summary>
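Review bot: The summary of the new `systemd_login_list_pid_dirs` interface says "Read systemd_login PID files." but the body grants only `list_dirs_pattern` on `systemd_logind_var_run_t`, so the documentation promises more access than the interface gives; change it to `##	List systemd logind PID directories.`. The name also spells the daemon `login` while the type it requires and the sibling interface in the next hunk (`systemd_read_logind_sessions_files`) use `logind`; if nothing depends on the name yet, `systemd_logind_list_pid_dirs` would match the file's convention.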
@@ -78231,6 +78809,25 @@ index 0000000..1688a39
 +
 +######################################
 +## <summary>
++##	Read logind sessions files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_read_logind_sessions_files',`
++	gen_require(`
++		type systemd_logind_sessions_t;
++	')
++
++	init_search_pid_dirs($1)
++	read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
++')
++
++######################################
++## <summary>
 +##	Write inherited logind sessions pipes.
 +## </summary>
 +## <param name="domain">
@@ -80188,7 +80785,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..17cc2fc 100644
+index 4b2878a..330f877 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -81415,7 +82012,7 @@ index 4b2878a..17cc2fc 100644
  	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
 +		vdagent_getattr_log($1_t)
-+		vdagent_getattr_exec($1_t)
++		vdagent_getattr_exec_files($1_t)
 +		vdagent_stream_connect($1_t)
  	')
  ')
@@ -82603,7 +83200,7 @@ index 4b2878a..17cc2fc 100644
 +
 +########################################
 +## <summary>
-+##	Connect to users over an unix stream socket.
++##	Connect to users over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -83946,7 +84543,7 @@ index a865da7..a5ed06e 100644
  ')
  
 diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
-index 77d41b6..7ccb440 100644
+index 77d41b6..138efd8 100644
 --- a/policy/modules/system/xen.if
 +++ b/policy/modules/system/xen.if
 @@ -55,6 +55,26 @@ interface(`xen_dontaudit_use_fds',`
@@ -84003,7 +84600,25 @@ index 77d41b6..7ccb440 100644
  interface(`xen_rw_image_files',`
  	gen_require(`
  		type xen_image_t, xend_var_lib_t;
-@@ -213,8 +253,9 @@ interface(`xen_stream_connect',`
+@@ -161,7 +201,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to xenstored over an unix stream socket.
++##	Connect to xenstored over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -180,7 +220,7 @@ interface(`xen_stream_connect_xenstore',`
+ 
+ ########################################
+ ## <summary>
+-##	Connect to xend over an unix domain stream socket.
++##	Connect to xend over a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -213,14 +253,15 @@ interface(`xen_stream_connect',`
  interface(`xen_domtrans_xm',`
  	gen_require(`
  		type xm_t, xm_exec_t;
@@ -84014,6 +84629,13 @@ index 77d41b6..7ccb440 100644
  	domtrans_pattern($1, xm_exec_t, xm_t)
  ')
  
+ ########################################
+ ## <summary>
+-##	Connect to xm over an unix stream socket.
++##	Connect to xm over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 @@ -230,7 +271,7 @@ interface(`xen_domtrans_xm',`
  #
  interface(`xen_stream_connect_xm',`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3b565bf..c577be1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 72%{?dist}
+Release: 73%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jan 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-73
+- Fixed destined form libvirt-sandbox
+- Allow apps that list sysfs to also read sympolicy links in this filesystem
+- Add ubac_constrained rules for chrome_sandbox
+- Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra
+- Allow postgresql to be executed by the caller
+- Standardize interfaces of daemons 
+- Add new labeling for mm-handler
+- Allow all matahari domains to read network state and etc_runtime_t files
+
 * Wed Jan 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-72
 - New fix for seunshare, requires seunshare_domains to be able to mounton /
 - Allow systemctl running as logrotate_t to connect to private systemd socket

