[selinux-policy] - More /usr move fixes

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jan 30 20:28:19 UTC 2012


commit fb431d4b292fc0bde67ab01f9ba398bf13553daa
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Jan 30 21:28:06 2012 +0100

    - More /usr move fixes

 policy-F16.patch    |  738 ++++++++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec |    5 +-
 2 files changed, 562 insertions(+), 181 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 804f9ff..98113bd 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1447,7 +1447,7 @@ index 4f7bd3c..9143343 100644
 -	unconfined_domain(kudzu_t)
  ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..078d715 100644
+index 7090dae..2b5c34d 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
 @@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
@@ -1558,7 +1558,18 @@ index 7090dae..078d715 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -200,9 +215,12 @@ optional_policy(`
+@@ -178,6 +193,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	chronyd_read_keys(logrotate_t)
++')
++
++optional_policy(`
+ 	icecast_signal(logrotate_t)
+ ')
+ 
+@@ -200,9 +219,12 @@ optional_policy(`
  ')
  
  optional_policy(`
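Review bot: The added `chronyd_read_keys(logrotate_t)` in the logrotate.te hunk gives logrotate_t read access to what is, going by the interface name, chronyd's key material, and nothing in the block says why. logrotate_t runs rotation steps for many services, so a secret readable from that domain deserves a justification next to the rule. Presumably the chrony postrotate step needs the command key to ask chronyd to cycle its logs, but that is inferred and should be confirmed. I would add a comment inside the block, e.g. `# chrony postrotate step reads the command key to cycle logs - confirm`. The neighbouring optional_policy blocks begin and end outside the hunk.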
@@ -1572,7 +1583,7 @@ index 7090dae..078d715 100644
  
  optional_policy(`
  	samba_exec_log(logrotate_t)
-@@ -228,3 +246,14 @@ optional_policy(`
+@@ -228,3 +250,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -2137,10 +2148,10 @@ index 0000000..bd83148
 +## <summary>No Interfaces</summary>
 diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
 new file mode 100644
-index 0000000..6fff5ef
+index 0000000..35ae1db
 --- /dev/null
 +++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,36 @@
 +policy_module(permissivedomains,17)
 +
 +
@@ -2168,6 +2179,15 @@ index 0000000..6fff5ef
 +
 +	permissive selinux_munin_plugin_t;
 +')
++
++optional_policy(`
++    gen_require(`
++        type dnssec_trigger_t;
++    ')
++
++    permissive dnssec_trigger_t;
++')
++
 diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
 index db46387..b665b08 100644
 --- a/policy/modules/admin/portage.fc
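Review bot: `permissive dnssec_trigger_t;` means the rules written for this domain are only logged, not enforced, and the new block carries no marker that this is temporary. A permissive domain is effectively unconfined, so the intent and the exit condition should be stated, e.g. `# new domain: permissive until the policy has been exercised, remove afterwards`. The new block is also indented with four spaces while the `selinux_munin_plugin_t` block just above it uses a tab.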
@@ -4365,7 +4385,7 @@ index 81fb26f..66cf96c 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..a2987d7 100644
+index 441cf22..3a9e8d5 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -4460,7 +4480,15 @@ index 441cf22..a2987d7 100644
  auth_relabel_shadow(groupadd_t)
  auth_etc_filetrans_shadow(groupadd_t)
  
-@@ -277,6 +284,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -269,6 +276,7 @@ allow passwd_t self:shm create_shm_perms;
+ allow passwd_t self:sem create_sem_perms;
+ allow passwd_t self:msgq create_msgq_perms;
+ allow passwd_t self:msg { send receive };
++allow passwd_t self:netlink_selinux_socket create_socket_perms;
+ 
+ allow passwd_t crack_db_t:dir list_dir_perms;
+ read_files_pattern(passwd_t, crack_db_t, crack_db_t)
+@@ -277,6 +285,7 @@ kernel_read_kernel_sysctls(passwd_t)
  
  # for SSP
  dev_read_urand(passwd_t)
@@ -4468,7 +4496,7 @@ index 441cf22..a2987d7 100644
  
  fs_getattr_xattr_fs(passwd_t)
  fs_search_auto_mountpoints(passwd_t)
-@@ -291,26 +299,30 @@ selinux_compute_create_context(passwd_t)
+@@ -291,26 +300,30 @@ selinux_compute_create_context(passwd_t)
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
  
@@ -4504,7 +4532,7 @@ index 441cf22..a2987d7 100644
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(passwd_t)
-@@ -323,7 +335,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +336,7 @@ miscfiles_read_localization(passwd_t)
  
  seutil_dontaudit_search_config(passwd_t)
  
@@ -4513,7 +4541,7 @@ index 441cf22..a2987d7 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -332,6 +344,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +345,7 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -4521,7 +4549,7 @@ index 441cf22..a2987d7 100644
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -381,9 +394,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,9 +395,10 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -4534,7 +4562,7 @@ index 441cf22..a2987d7 100644
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -396,7 +410,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -396,7 +411,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -4542,7 +4570,7 @@ index 441cf22..a2987d7 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
-@@ -427,6 +440,7 @@ optional_policy(`
+@@ -427,6 +441,7 @@ optional_policy(`
  #
  
  allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
@@ -4550,7 +4578,7 @@ index 441cf22..a2987d7 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -448,10 +462,13 @@ corecmd_exec_shell(useradd_t)
+@@ -448,10 +463,13 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
@@ -4565,7 +4593,7 @@ index 441cf22..a2987d7 100644
  files_search_var_lib(useradd_t)
  files_relabel_etc_files(useradd_t)
  files_read_etc_runtime_files(useradd_t)
-@@ -460,17 +477,15 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,17 +478,15 @@ fs_search_auto_mountpoints(useradd_t)
  fs_getattr_xattr_fs(useradd_t)
  
  mls_file_upgrade(useradd_t)
@@ -4590,7 +4618,7 @@ index 441cf22..a2987d7 100644
  
  auth_domtrans_chk_passwd(useradd_t)
  auth_rw_lastlog(useradd_t)
-@@ -478,6 +493,7 @@ auth_rw_faillog(useradd_t)
+@@ -478,6 +494,7 @@ auth_rw_faillog(useradd_t)
  auth_use_nsswitch(useradd_t)
  # these may be unnecessary due to the above
  # domtrans_chk_passwd() call.
@@ -4598,7 +4626,7 @@ index 441cf22..a2987d7 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -495,24 +511,19 @@ seutil_read_file_contexts(useradd_t)
+@@ -495,24 +512,19 @@ seutil_read_file_contexts(useradd_t)
  seutil_read_default_contexts(useradd_t)
  seutil_domtrans_semanage(useradd_t)
  seutil_domtrans_setfiles(useradd_t)
@@ -12853,7 +12881,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..ab97bec 100644
+index 3fae11a..68b6a44 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,7 +1,7 @@
@@ -12912,7 +12940,7 @@ index 3fae11a..ab97bec 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,67 +174,91 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +174,92 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -13026,10 +13054,11 @@ index 3fae11a..ab97bec 100644
 +/usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/vte/gnome-pty-helper 	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/yaboot/addnote	      	--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/debug/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/debug/sbin(/.*)? 	--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/debug/usr/bin(/.*)? 	--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/debug/usr/sbin(/.*)? 	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/sbin(/.*)? 		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/usr/bin(/.*)? 		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/usr/sbin(/.*)? 		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/usr/libexec(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/udev/devices/MAKEDEV	-l	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
@@ -13049,7 +13078,7 @@ index 3fae11a..ab97bec 100644
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,11 +266,18 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +267,18 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -13069,7 +13098,7 @@ index 3fae11a..ab97bec 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +293,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +294,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -13080,7 +13109,7 @@ index 3fae11a..ab97bec 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +316,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +317,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -13101,7 +13130,7 @@ index 3fae11a..ab97bec 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +340,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +341,11 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -13115,7 +13144,7 @@ index 3fae11a..ab97bec 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +354,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +355,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13127,7 +13156,7 @@ index 3fae11a..ab97bec 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +400,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +401,7 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -13136,7 +13165,7 @@ index 3fae11a..ab97bec 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -375,8 +412,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +413,9 @@ ifdef(`distro_suse', `
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13148,7 +13177,7 @@ index 3fae11a..ab97bec 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +423,12 @@ ifdef(`distro_suse', `
+@@ -385,3 +424,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -14500,7 +14529,7 @@ index 4f3b542..f4e36ee 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..58a5523 100644
+index 99b71cb..9399e7e 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -14603,13 +14632,13 @@ index 99b71cb..58a5523 100644
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,14 +134,21 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,14 +134,22 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
--network_port(dns, udp,53,s0, tcp,53,s0)
 +network_port(dogtag, tcp,7390,s0)
-+network_port(dns, udp,53,s0, tcp,53,s0, tcp,8953,s0 )
+ network_port(dns, udp,53,s0, tcp,53,s0)
++network_port(dnssec, tcp,8995,s0)
  network_port(epmap, tcp,135,s0, udp,135,s0)
 +network_port(epmd, tcp,4369,s0, udp,4369,s0)
 +network_port(festival, tcp,1314,s0)
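Review bot: `network_port(dnssec, tcp,8995,s0)` may be a typo: as far as I know dnssec-trigger's default control port is 8955, in which case the new dnssec_port_t would not cover the port the daemon binds; please check against dnssec-trigger.conf. This hunk also takes tcp/8953 away from `dns`, and the later rndc hunk adds it there (`network_port(rndc, tcp,953,s0, tcp,8953,s0)`), so the port moves from dns_port_t to rndc_port_t. Any domain that reached 8953 through the dns port interfaces needs the rndc ones now, and no such update is visible in these hunks. A trailing comment naming the owner of each non-obvious port, as the `http` line does for 8443, would help, e.g. `# 8953 is the unbound-control default port`.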
@@ -14626,7 +14655,7 @@ index 99b71cb..58a5523 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -115,11 +157,13 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -115,11 +158,13 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -14641,7 +14670,7 @@ index 99b71cb..58a5523 100644
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +173,27 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +174,27 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -14672,7 +14701,7 @@ index 99b71cb..58a5523 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +203,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +204,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -14705,7 +14734,7 @@ index 99b71cb..58a5523 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -179,34 +240,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,34 +241,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
@@ -14713,8 +14742,9 @@ index 99b71cb..58a5523 100644
  network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
- network_port(rndc, tcp,953,s0)
+-network_port(rndc, tcp,953,s0)
 -network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
++network_port(rndc, tcp,953,s0, tcp,8953,s0)
 +network_port(router, udp,520-521,s0, tcp,521,s0)
  network_port(rsh, tcp,514,s0)
  network_port(rsync, tcp,873,s0, udp,873,s0)
@@ -14751,7 +14781,7 @@ index 99b71cb..58a5523 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +282,11 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +283,11 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -14764,7 +14794,7 @@ index 99b71cb..58a5523 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +298,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +299,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14772,7 +14802,7 @@ index 99b71cb..58a5523 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +308,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +309,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14785,7 +14815,7 @@ index 99b71cb..58a5523 100644
  
  ########################################
  #
-@@ -282,9 +358,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +359,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -23362,7 +23392,7 @@ index 0000000..bac0dc0
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..692ef0d
+index 0000000..c42d440
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,383 @@
@@ -23390,7 +23420,7 @@ index 0000000..692ef0d
 +
 +## <desc>
 +## <p>
-+## Allow vidio playing tools to tun unconfined
++## Allow vidio playing tools to run unconfined
 +## </p>
 +## </desc>
 +gen_tunable(unconfined_mplayer, false)
@@ -27987,7 +28017,7 @@ index 59aa54f..159f74f 100644
  /usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
  /usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
-index 44a1e3d..7cc67ec 100644
+index 44a1e3d..776e2ed 100644
 --- a/policy/modules/services/bind.if
 +++ b/policy/modules/services/bind.if
 @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
@@ -28029,7 +28059,33 @@ index 44a1e3d..7cc67ec 100644
  ')
  
  ########################################
-@@ -266,7 +289,7 @@ interface(`bind_setattr_pid_dirs',`
+@@ -210,6 +233,25 @@ interface(`bind_manage_config_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Create, read, write, and delete
++##	BIND configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bind_manage_config',`
++	gen_require(`
++		type named_conf_t;
++	')
++
++	manage_files_pattern($1, named_conf_t, named_conf_t)
++')
++
++########################################
++## <summary>
+ ##	Search the BIND cache directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -266,7 +308,7 @@ interface(`bind_setattr_pid_dirs',`
  		type named_var_run_t;
  	')
  
@@ -28038,7 +28094,7 @@ index 44a1e3d..7cc67ec 100644
  ')
  
  ########################################
-@@ -284,7 +307,7 @@ interface(`bind_setattr_zone_dirs',`
+@@ -284,7 +326,7 @@ interface(`bind_setattr_zone_dirs',`
  		type named_zone_t;
  	')
  
@@ -28047,7 +28103,7 @@ index 44a1e3d..7cc67ec 100644
  ')
  
  ########################################
-@@ -308,6 +331,27 @@ interface(`bind_read_zone',`
+@@ -308,6 +350,27 @@ interface(`bind_read_zone',`
  
  ########################################
  ## <summary>
@@ -28075,7 +28131,7 @@ index 44a1e3d..7cc67ec 100644
  ##	Manage BIND zone files.
  ## </summary>
  ## <param name="domain">
-@@ -359,18 +403,25 @@ interface(`bind_udp_chat_named',`
+@@ -359,18 +422,25 @@ interface(`bind_udp_chat_named',`
  interface(`bind_admin',`
  	gen_require(`
  		type named_t, named_tmp_t, named_log_t;
@@ -28107,7 +28163,7 @@ index 44a1e3d..7cc67ec 100644
  	bind_run_ndc($1, $2)
  
  	init_labeled_script_domtrans($1, named_initrc_exec_t)
-@@ -391,9 +442,10 @@ interface(`bind_admin',`
+@@ -391,9 +461,10 @@ interface(`bind_admin',`
  	admin_pattern($1, named_zone_t)
  	admin_pattern($1, dnssec_t)
  
@@ -28304,7 +28360,7 @@ index de0bd67..1df2048 100644
  	domain_system_change_exemption($1)
  	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
-index f4e7ad3..8ca4f90 100644
+index f4e7ad3..c323651 100644
 --- a/policy/modules/services/bitlbee.te
 +++ b/policy/modules/services/bitlbee.te
 @@ -22,29 +22,47 @@ files_tmp_file(bitlbee_tmp_t)
@@ -28359,15 +28415,17 @@ index f4e7ad3..8ca4f90 100644
  kernel_read_system_state(bitlbee_t)
  
  corenet_all_recvfrom_unlabeled(bitlbee_t)
-@@ -52,6 +70,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
+@@ -52,6 +70,9 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
  corenet_udp_sendrecv_generic_node(bitlbee_t)
  corenet_tcp_sendrecv_generic_if(bitlbee_t)
  corenet_tcp_sendrecv_generic_node(bitlbee_t)
 +corenet_tcp_bind_generic_node(bitlbee_t)
++corenet_tcp_connect_gatekeeper_port(bitlbee_t)
++corenet_tcp_connect_ircd_port(bitlbee_t)
  # Allow bitlbee to connect to jabber servers
  corenet_tcp_connect_jabber_client_port(bitlbee_t)
  corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
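Review bot: The added `corenet_tcp_connect_gatekeeper_port(bitlbee_t)` and `corenet_tcp_connect_ircd_port(bitlbee_t)` sit directly above the comment `# Allow bitlbee to connect to jabber servers` with no comment of their own, and unlike the jabber and http entries around them they have no matching `corenet_tcp_sendrecv_*_port` line. If this policy version still relies on the per-port sendrecv rules, add `corenet_tcp_sendrecv_gatekeeper_port(bitlbee_t)` and `corenet_tcp_sendrecv_ircd_port(bitlbee_t)`. Either way, a one-line comment saying which bitlbee feature needs each outbound port would keep this allow-list reviewable.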
-@@ -69,6 +88,11 @@ corenet_tcp_connect_http_port(bitlbee_t)
+@@ -69,6 +90,11 @@ corenet_tcp_connect_http_port(bitlbee_t)
  corenet_tcp_sendrecv_http_port(bitlbee_t)
  corenet_tcp_connect_http_cache_port(bitlbee_t)
  corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
@@ -37566,6 +37624,155 @@ index fdaeeba..b1ea136 100644
  	virt_read_pid_files(dnsmasq_t)
 +	virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
  ')
+diff --git a/policy/modules/services/dnssec.fc b/policy/modules/services/dnssec.fc
+new file mode 100755
+index 0000000..06b9b19
+--- /dev/null
++++ b/policy/modules/services/dnssec.fc
+@@ -0,0 +1,3 @@
++/usr/sbin/dnssec-triggerd		--	gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
++
++/var/run/dnssec-triggerd(/.*)?		gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
+diff --git a/policy/modules/services/dnssec.if b/policy/modules/services/dnssec.if
+new file mode 100755
+index 0000000..a9dbcf2
+--- /dev/null
++++ b/policy/modules/services/dnssec.if
+@@ -0,0 +1,70 @@
++
++## <summary>policy for dnssec_trigger</summary>
++
++########################################
++## <summary>
++##	Transition to dnssec_trigger.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`dnssec_trigger_domtrans',`
++	gen_require(`
++		type dnssec_trigger_t, dnssec_trigger_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
++')
++########################################
++## <summary>
++##	Read dnssec_trigger PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dnssec_trigger_read_pid_files',`
++	gen_require(`
++		type dnssec_trigger_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 dnssec_trigger_var_run_t:file read_file_perms;
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an dnssec_trigger environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`dnssec_trigger_admin',`
++	gen_require(`
++		type dnssec_trigger_t;
++		type dnssec_trigger_var_run_t;
++	')
++
++	allow $1 dnssec_trigger_t:process { ptrace signal_perms };
++	ps_process_pattern($1, dnssec_trigger_t)
++
++	files_search_pids($1)
++	admin_pattern($1, dnssec_trigger_var_run_t)
++')
+diff --git a/policy/modules/services/dnssec.te b/policy/modules/services/dnssec.te
+new file mode 100755
+index 0000000..0d3ca7a
+--- /dev/null
++++ b/policy/modules/services/dnssec.te
+@@ -0,0 +1,58 @@
++policy_module(dnssec, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type dnssec_trigger_t;
++type dnssec_trigger_exec_t;
++init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
++
++type dnssec_trigger_var_run_t;
++files_pid_file(dnssec_trigger_var_run_t)
++
++########################################
++#
++# dnssec_trigger local policy
++#
++allow dnssec_trigger_t self:capability linux_immutable;
++allow dnssec_trigger_t self:process signal;
++allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
++allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
++allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
++allow dnssec_trigger_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
++
++kernel_read_system_state(dnssec_trigger_t)
++
++corecmd_exec_bin(dnssec_trigger_t)
++corecmd_exec_shell(dnssec_trigger_t)
++
++corenet_tcp_bind_generic_node(dnssec_trigger_t)
++corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
++
++dev_read_urand(dnssec_trigger_t)
++
++domain_use_interactive_fds(dnssec_trigger_t)
++
++files_read_etc_runtime_files(dnssec_trigger_t)
++files_read_etc_files(dnssec_trigger_t)
++
++logging_send_syslog_msg(dnssec_trigger_t)
++
++auth_read_passwd(dnssec_trigger_t)
++
++miscfiles_read_localization(dnssec_trigger_t)
++
++sysnet_dns_name_resolve(dnssec_trigger_t)
++sysnet_manage_config(dnssec_trigger_t)
++
++optional_policy(`
++	bind_read_config(dnssec_trigger_t)
++')
++
++
 diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
 index bfc880b..9a1dcba 100644
 --- a/policy/modules/services/dovecot.fc
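Review bot: `allow dnssec_trigger_t self:capability linux_immutable;` in dnssec.te is an unusual capability for a daemon and has no explanation; together with `corecmd_exec_shell` and `sysnet_manage_config` it lets the domain change immutable flags, run shell commands and rewrite network configuration. Presumably the daemon sets the immutable flag on resolv.conf, but that is inferred, so a comment such as `# triggerd toggles the immutable flag on resolv.conf - confirm` should sit above the rule. In dnssec.if, `dnssec_trigger_admin` documents a `role` parameter and `<rolecap/>` but never uses `$2`, and it grants `ptrace` on the daemon to every caller; either use or drop the parameter, and consider whether `signal_perms` alone is enough. The module is named `dnssec` while bind.if already refers to a `dnssec_t` type, which invites confusion with the `dnssec_trigger_*` types, and the three new source files are created with mode 100755.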
@@ -49417,6 +49624,135 @@ index 7936e09..2f6a98f 100644
 +optional_policy(`
 +	unconfined_dontaudit_rw_packet_sockets(nscd_t)
 +')
+diff --git a/policy/modules/services/nsd.fc b/policy/modules/services/nsd.fc
+index 53cc800..5348e92 100644
+--- a/policy/modules/services/nsd.fc
++++ b/policy/modules/services/nsd.fc
+@@ -1,6 +1,6 @@
+ 
+ /etc/nsd(/.*)?			gen_context(system_u:object_r:nsd_conf_t,s0)
+-/etc/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_db_t,s0)
++/etc/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_zone_t,s0)
+ /etc/nsd/primary(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
+ /etc/nsd/secondary(/.*)?	gen_context(system_u:object_r:nsd_zone_t,s0)
+ 
+@@ -10,5 +10,4 @@
+ /usr/sbin/zonec		--	gen_context(system_u:object_r:nsd_exec_t,s0)
+ 
+ /var/lib/nsd(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
+-/var/lib/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_db_t,s0)
+ /var/run/nsd\.pid	--	gen_context(system_u:object_r:nsd_var_run_t,s0)
+diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
+index 4b15536..e9c0f83 100644
+--- a/policy/modules/services/nsd.te
++++ b/policy/modules/services/nsd.te
+@@ -18,15 +18,11 @@ domain_type(nsd_crond_t)
+ domain_entry_file(nsd_crond_t, nsd_exec_t)
+ role system_r types nsd_crond_t;
+ 
+-# a type for nsd.db
+-type nsd_db_t;
+-files_type(nsd_db_t)
+-
+ type nsd_var_run_t;
+ files_pid_file(nsd_var_run_t)
+ 
+ # A type for zone files
+-type nsd_zone_t;
++type nsd_zone_t alias nsd_db_t;
+ files_type(nsd_zone_t)
+ 
+ ########################################
+@@ -34,25 +30,24 @@ files_type(nsd_zone_t)
+ # NSD Local policy
+ #
+ 
+-allow nsd_t self:capability { dac_override chown setuid setgid };
++allow nsd_t self:capability { chown dac_override kill setgid setuid };
+ dontaudit nsd_t self:capability sys_tty_config;
+ allow nsd_t self:process signal_perms;
+ allow nsd_t self:tcp_socket create_stream_socket_perms;
+ allow nsd_t self:udp_socket create_socket_perms;
++allow nsd_t self:fifo_file rw_fifo_file_perms;
+ 
+ allow nsd_t nsd_conf_t:dir list_dir_perms;
+ read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+ read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+ 
+-allow nsd_t nsd_db_t:file manage_file_perms;
+-filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
+-
+ manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
+ files_pid_filetrans(nsd_t, nsd_var_run_t, file)
+ 
+-allow nsd_t nsd_zone_t:dir list_dir_perms;
+-read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+-read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
++manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
++manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
++manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
++files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
+ 
+ can_exec(nsd_t, nsd_exec_t)
+ 
+@@ -81,24 +76,23 @@ domain_use_interactive_fds(nsd_t)
+ 
+ files_read_etc_files(nsd_t)
+ files_read_etc_runtime_files(nsd_t)
++files_search_var_lib(nsd_t)
+ 
+ fs_getattr_all_fs(nsd_t)
+ fs_search_auto_mountpoints(nsd_t)
+ 
++auth_use_nsswitch(nsd_t)
++
+ logging_send_syslog_msg(nsd_t)
+ 
+ miscfiles_read_localization(nsd_t)
+ 
+-sysnet_read_config(nsd_t)
++sysnet_dns_name_resolve(nsd_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(nsd_t)
+ userdom_dontaudit_search_user_home_dirs(nsd_t)
+ 
+ optional_policy(`
+-	nis_use_ypbind(nsd_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(nsd_t)
+ ')
+ 
+@@ -121,8 +115,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms;
+ 
+ allow nsd_crond_t nsd_conf_t:file read_file_perms;
+ 
+-allow nsd_crond_t nsd_db_t:file manage_file_perms;
+-filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
+ files_search_var_lib(nsd_crond_t)
+ 
+ allow nsd_crond_t nsd_t:process signal;
+@@ -157,7 +149,8 @@ domain_dontaudit_read_all_domains_state(nsd_crond_t)
+ 
+ files_read_etc_files(nsd_crond_t)
+ files_read_etc_runtime_files(nsd_crond_t)
+-files_search_var_lib(nsd_t)
++
++auth_use_nsswitch(nsd_crond_t)
+ 
+ logging_send_syslog_msg(nsd_crond_t)
+ 
+@@ -172,9 +165,5 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(nsd_crond_t)
+-')
+-
+-optional_policy(`
+ 	nscd_read_pid(nsd_crond_t)
+ ')
 diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
 index 23c769c..0a334ae 100644
 --- a/policy/modules/services/nslcd.if
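Review bot: Folding nsd_db_t into nsd_zone_t and replacing the read-only rules with `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern` on nsd_zone_t lets nsd_t create, modify and delete every zone file under /etc/nsd/primary, /etc/nsd/secondary and /var/lib/nsd, where the removed rules let it write only the nsd.db file. That is a real widening for a name server, and `kill` is added to its capability set in the same nsd.te section, both without comment. If write access is needed only for part of the tree (for example transferred secondary zones, which is an assumption), keeping a separate writable type for that part would preserve the old separation. At minimum add a comment above the manage rules, e.g. `# nsd writes its database and zone data itself - confirm which paths`.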
@@ -49476,7 +49812,7 @@ index 23c769c..0a334ae 100644
 +	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
  ')
 diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
-index 4e28d58..1835068 100644
+index 4e28d58..bee3070 100644
 --- a/policy/modules/services/nslcd.te
 +++ b/policy/modules/services/nslcd.te
 @@ -16,7 +16,7 @@ type nslcd_var_run_t;
@@ -49497,7 +49833,7 @@ index 4e28d58..1835068 100644
  allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
  
  allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -37,9 +37,13 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+@@ -37,9 +37,22 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
  kernel_read_system_state(nslcd_t)
  
  files_read_etc_files(nslcd_t)
@@ -49511,6 +49847,15 @@ index 4e28d58..1835068 100644
  miscfiles_read_localization(nslcd_t)
 +
 +userdom_read_user_tmp_files(nslcd_t)
++
++optional_policy(`
++	dirsrv_stream_connect(nslcd_t)
++')
++
++optional_policy(`
++	ldap_stream_connect(nslcd_t)
++')
++
 diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
 index ded9fb6..9d1e60a 100644
 --- a/policy/modules/services/ntop.te
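Review bot: The two `optional_policy` blocks appended at the end of nslcd.te give `nslcd_t` stream-connect access to dirsrv and ldap with no comment saying why, and the "/usr move" commit subject does not explain them. A one-line rationale above them would help the next audit of this domain, e.g. `# nslcd may reach a local directory server over its unix socket` (presumably ldapi; confirm against the denial that prompted it). The same applies to the bare additions of `auth_manage_cache(sssd_t)` in sssd.te and `postfix_list_spool(init_t)` in init.te later in this patch. The hunk also leaves nslcd.te ending in an extra blank line.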
@@ -63568,7 +63913,7 @@ index 941380a..e1095f0 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..b698994 100644
+index 8ffa257..4b21a45 100644
 --- a/policy/modules/services/sssd.te
 +++ b/policy/modules/services/sssd.te
 @@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -63629,7 +63974,7 @@ index 8ffa257..b698994 100644
  
  fs_list_inotifyfs(sssd_t)
  
-@@ -68,8 +78,11 @@ selinux_validate_context(sssd_t)
+@@ -68,10 +78,14 @@ selinux_validate_context(sssd_t)
  seutil_read_file_contexts(sssd_t)
  
  mls_file_read_to_clearance(sssd_t)
@@ -63641,8 +63986,11 @@ index 8ffa257..b698994 100644
 +# auth_use_nsswitch(sssd_t)
  auth_domtrans_chk_passwd(sssd_t)
  auth_domtrans_upd_passwd(sssd_t)
++auth_manage_cache(sssd_t)
  
-@@ -79,6 +92,12 @@ logging_send_syslog_msg(sssd_t)
+ init_read_utmp(sssd_t)
+ 
+@@ -79,6 +93,12 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_localization(sssd_t)
@@ -63655,7 +64003,7 @@ index 8ffa257..b698994 100644
  
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
-@@ -87,4 +106,18 @@ optional_policy(`
+@@ -87,4 +107,18 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_manage_host_rcache(sssd_t)
@@ -67139,7 +67487,7 @@ index 4966c94..cb2e1a3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..a688fb4 100644
+index 130ced9..51e7627 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -67377,12 +67725,14 @@ index 130ced9..a688fb4 100644
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -456,11 +495,20 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +495,22 @@ template(`xserver_user_x_domain_template',`
  	allow $2 xauth_home_t:file read_file_perms;
  	allow $2 iceauth_home_t:file read_file_perms;
  
 +	userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP")
 +	userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority")
++	userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-c")
++	userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-n")
 +	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority")
 +	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l")
 +	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
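Review bot: The ICEauthority transitions added in `xserver_user_x_domain_template` cover `.ICEauthority-c` and `.ICEauthority-n` but not `.ICEauthority-l`, whereas the Xauthority list just below names `.Xauthority-l` as well as `.Xauthority-c`. If the `-l` name can be created as a new file in the home directory, it would get the default home label instead of `iceauth_home_t`. If it is left out on purpose, a short comment saying which suffixes are created as fresh files would make that clear. The template body starts and ends outside this hunk, so further suffixes may already be listed there.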
@@ -67400,7 +67750,7 @@ index 130ced9..a688fb4 100644
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
  	# Allow connections to X server.
-@@ -472,20 +520,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +522,26 @@ template(`xserver_user_x_domain_template',`
  	# for .xsession-errors
  	userdom_dontaudit_write_user_home_content_files($2)
  
@@ -67429,7 +67779,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -517,6 +571,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +573,7 @@ interface(`xserver_use_user_fonts',`
  	# Read per user fonts
  	allow $1 user_fonts_t:dir list_dir_perms;
  	allow $1 user_fonts_t:file read_file_perms;
@@ -67437,7 +67787,7 @@ index 130ced9..a688fb4 100644
  
  	# Manipulate the global font cache
  	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -549,6 +604,24 @@ interface(`xserver_domtrans_xauth',`
+@@ -549,6 +606,24 @@ interface(`xserver_domtrans_xauth',`
  
  ########################################
  ## <summary>
@@ -67462,7 +67812,7 @@ index 130ced9..a688fb4 100644
  ##	Create a Xauthority file in the user home directory.
  ## </summary>
  ## <param name="domain">
-@@ -598,6 +671,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +673,7 @@ interface(`xserver_read_user_xauth',`
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -67470,7 +67820,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -615,7 +689,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +691,7 @@ interface(`xserver_setattr_console_pipes',`
  		type xconsole_device_t;
  	')
  
@@ -67479,7 +67829,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -638,6 +712,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +714,25 @@ interface(`xserver_rw_console',`
  
  ########################################
  ## <summary>
@@ -67505,7 +67855,7 @@ index 130ced9..a688fb4 100644
  ##	Use file descriptors for xdm.
  ## </summary>
  ## <param name="domain">
-@@ -651,7 +744,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +746,7 @@ interface(`xserver_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -67514,7 +67864,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -670,7 +763,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +765,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -67523,7 +67873,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -688,7 +781,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +783,7 @@ interface(`xserver_rw_xdm_pipes',`
  		type xdm_t;
  	')
  
@@ -67532,7 +67882,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -703,12 +796,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +798,11 @@ interface(`xserver_rw_xdm_pipes',`
  ## </param>
  #
  interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -67546,7 +67896,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -724,11 +816,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +818,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
@@ -67580,7 +67930,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -752,6 +864,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +866,25 @@ interface(`xserver_read_xdm_rw_config',`
  
  ########################################
  ## <summary>
@@ -67606,7 +67956,7 @@ index 130ced9..a688fb4 100644
  ##	Set the attributes of XDM temporary directories.
  ## </summary>
  ## <param name="domain">
-@@ -765,7 +896,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +898,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
@@ -67615,7 +67965,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -805,7 +936,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +938,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -67643,7 +67993,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -828,6 +978,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +980,24 @@ interface(`xserver_read_xdm_lib_files',`
  
  ########################################
  ## <summary>
@@ -67668,7 +68018,7 @@ index 130ced9..a688fb4 100644
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -897,7 +1065,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1067,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -67677,7 +68027,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -916,7 +1084,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1086,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -67686,7 +68036,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -963,6 +1131,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1133,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -67732,7 +68082,7 @@ index 130ced9..a688fb4 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1183,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1185,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -67741,7 +68091,7 @@ index 130ced9..a688fb4 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1245,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1247,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -67784,7 +68134,7 @@ index 130ced9..a688fb4 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1295,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1297,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -67793,7 +68143,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -1070,8 +1313,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1315,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -67805,7 +68155,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -1185,6 +1430,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1432,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -67832,7 +68182,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -1210,7 +1475,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1477,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -67841,7 +68191,7 @@ index 130ced9..a688fb4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1485,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1487,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -67866,7 +68216,7 @@ index 130ced9..a688fb4 100644
  ')
  
  ########################################
-@@ -1243,10 +1518,462 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1520,462 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -72844,7 +73194,7 @@ index 94fd8dd..5a52670 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..6251491 100644
+index 29a9565..2a26b46 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -73039,7 +73389,7 @@ index 29a9565..6251491 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +252,141 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +252,142 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -73052,6 +73402,7 @@ index 29a9565..6251491 100644
  
  optional_policy(`
 +	postfix_exec(init_t)
++	postfix_list_spool(init_t)
 +	mta_read_aliases(init_t)
 +')
 +
@@ -73183,7 +73534,7 @@ index 29a9565..6251491 100644
  ')
  
  optional_policy(`
-@@ -203,6 +394,17 @@ optional_policy(`
+@@ -203,6 +395,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73201,7 +73552,7 @@ index 29a9565..6251491 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +414,8 @@ optional_policy(`
+@@ -212,7 +415,8 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -73211,7 +73562,7 @@ index 29a9565..6251491 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +444,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +445,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -73227,7 +73578,7 @@ index 29a9565..6251491 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +464,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +465,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -73264,7 +73615,7 @@ index 29a9565..6251491 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +497,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +498,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -73272,7 +73623,7 @@ index 29a9565..6251491 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +508,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +509,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -73283,7 +73634,7 @@ index 29a9565..6251491 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +519,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +520,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -73299,7 +73650,7 @@ index 29a9565..6251491 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +537,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +538,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -73307,7 +73658,7 @@ index 29a9565..6251491 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +545,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +546,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -73319,7 +73670,7 @@ index 29a9565..6251491 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +564,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +565,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -73333,7 +73684,7 @@ index 29a9565..6251491 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,8 +579,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,8 +580,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -73346,7 +73697,7 @@ index 29a9565..6251491 100644
  mcs_ptrace_all(initrc_t)
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
-@@ -363,6 +595,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +596,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -73354,7 +73705,7 @@ index 29a9565..6251491 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +607,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +608,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -73362,7 +73713,7 @@ index 29a9565..6251491 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +628,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +629,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -73384,7 +73735,7 @@ index 29a9565..6251491 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +691,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +692,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -73395,7 +73746,7 @@ index 29a9565..6251491 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +715,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +716,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -73404,7 +73755,7 @@ index 29a9565..6251491 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +730,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +731,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -73412,7 +73763,7 @@ index 29a9565..6251491 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +760,34 @@ ifdef(`distro_redhat',`
+@@ -522,8 +761,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -73421,6 +73772,7 @@ index 29a9565..6251491 100644
 +
 +	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
++		bind_manage_config(initrc_t)
  		bind_write_config(initrc_t)
 +		bind_setattr_zone_dirs(initrc_t)
 +	')
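Review bot: `bind_manage_config(initrc_t)` is added directly above the existing `bind_write_config(initrc_t)`, and if the manage interface covers the same configuration type the write call is now redundant. Keeping both makes it unclear which level of access is intended; either drop `bind_write_config(initrc_t)` or add a comment saying what each call covers. The new line presumably lets init scripts create and delete BIND configuration files as well as write them, so it is worth recording which init script needs that.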
@@ -73447,7 +73799,7 @@ index 29a9565..6251491 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +795,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +797,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -73470,7 +73822,7 @@ index 29a9565..6251491 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +825,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +827,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -73510,7 +73862,7 @@ index 29a9565..6251491 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +870,8 @@ optional_policy(`
+@@ -561,6 +872,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -73519,7 +73871,7 @@ index 29a9565..6251491 100644
  ')
  
  optional_policy(`
-@@ -577,6 +888,7 @@ optional_policy(`
+@@ -577,6 +890,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -73527,7 +73879,7 @@ index 29a9565..6251491 100644
  ')
  
  optional_policy(`
-@@ -589,6 +901,17 @@ optional_policy(`
+@@ -589,6 +903,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73545,7 +73897,7 @@ index 29a9565..6251491 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +928,13 @@ optional_policy(`
+@@ -605,9 +930,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -73559,7 +73911,7 @@ index 29a9565..6251491 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +959,10 @@ optional_policy(`
+@@ -632,6 +961,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73570,7 +73922,7 @@ index 29a9565..6251491 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +980,11 @@ optional_policy(`
+@@ -649,6 +982,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73582,7 +73934,7 @@ index 29a9565..6251491 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1025,7 @@ optional_policy(`
+@@ -689,6 +1027,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -73590,7 +73942,7 @@ index 29a9565..6251491 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1043,13 @@ optional_policy(`
+@@ -706,7 +1045,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73604,7 +73956,7 @@ index 29a9565..6251491 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1072,10 @@ optional_policy(`
+@@ -729,6 +1074,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73615,7 +73967,7 @@ index 29a9565..6251491 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1085,20 @@ optional_policy(`
+@@ -738,10 +1087,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73636,7 +73988,7 @@ index 29a9565..6251491 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1107,10 @@ optional_policy(`
+@@ -750,6 +1109,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73647,7 +73999,7 @@ index 29a9565..6251491 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1132,6 @@ optional_policy(`
+@@ -771,8 +1134,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -73656,7 +74008,7 @@ index 29a9565..6251491 100644
  ')
  
  optional_policy(`
-@@ -781,6 +1140,10 @@ optional_policy(`
+@@ -781,6 +1142,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73667,7 +74019,7 @@ index 29a9565..6251491 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -790,10 +1153,12 @@ optional_policy(`
+@@ -790,10 +1155,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -73680,7 +74032,7 @@ index 29a9565..6251491 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1170,6 @@ optional_policy(`
+@@ -805,7 +1172,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73688,7 +74040,7 @@ index 29a9565..6251491 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1179,26 @@ optional_policy(`
+@@ -815,11 +1181,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73716,7 +74068,7 @@ index 29a9565..6251491 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1208,18 @@ optional_policy(`
+@@ -829,6 +1210,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -73735,7 +74087,7 @@ index 29a9565..6251491 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1235,10 @@ optional_policy(`
+@@ -844,6 +1237,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73746,7 +74098,7 @@ index 29a9565..6251491 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1249,161 @@ optional_policy(`
+@@ -854,3 +1251,161 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -74374,10 +74726,10 @@ index ddbd8be..65b5762 100644
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..39aace9 100644
+index 560dc48..75a2fbd 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
-@@ -28,26 +28,23 @@ ifdef(`distro_redhat',`
+@@ -28,26 +28,24 @@ ifdef(`distro_redhat',`
  # /etc
  #
  /etc/ld\.so\.cache			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
@@ -74392,6 +74744,7 @@ index 560dc48..39aace9 100644
  #
 -/lib					-d	gen_context(system_u:object_r:lib_t,s0)
 +/lib						gen_context(system_u:object_r:lib_t,s0)
++/lib64						gen_context(system_u:object_r:lib_t,s0)
  /lib/.*						gen_context(system_u:object_r:lib_t,s0)
 -/lib64					-d	gen_context(system_u:object_r:lib_t,s0)
 -/lib64/.*					gen_context(system_u:object_r:lib_t,s0)
@@ -74407,7 +74760,7 @@ index 560dc48..39aace9 100644
  ')
  
  ifdef(`distro_gentoo',`
-@@ -62,7 +59,6 @@ ifdef(`distro_gentoo',`
+@@ -62,7 +60,6 @@ ifdef(`distro_gentoo',`
  #
  /opt/.*\.so					gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
@@ -74415,7 +74768,7 @@ index 560dc48..39aace9 100644
  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
-@@ -111,6 +107,12 @@ ifdef(`distro_redhat',`
+@@ -111,6 +108,12 @@ ifdef(`distro_redhat',`
  #
  # /usr
  #
@@ -74428,7 +74781,7 @@ index 560dc48..39aace9 100644
  /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -119,64 +121,62 @@ ifdef(`distro_redhat',`
+@@ -119,64 +122,62 @@ ifdef(`distro_redhat',`
  /usr/(.*/)?java/.+\.jsa			--	gen_context(system_u:object_r:lib_t,s0)
  
  /usr/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
@@ -74527,7 +74880,7 @@ index 560dc48..39aace9 100644
  ')
  
  ifdef(`distro_gentoo',`
-@@ -195,7 +195,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+@@ -195,7 +196,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
  /usr/lib/allegro/(.*/)?alleg-vga\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -74535,7 +74888,7 @@ index 560dc48..39aace9 100644
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -203,86 +202,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+@@ -203,86 +203,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
  /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nx/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/VBoxVMM\.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -74680,7 +75033,7 @@ index 560dc48..39aace9 100644
  
  /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -303,8 +303,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -303,8 +304,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -74690,7 +75043,7 @@ index 560dc48..39aace9 100644
  ') dnl end distro_redhat
  
  #
-@@ -312,17 +311,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -312,17 +312,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -76012,7 +76365,7 @@ index 58bc27f..51e9872 100644
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..5e4149d 100644
+index a0a0ebf..653277a 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -76105,7 +76458,7 @@ index a0a0ebf..5e4149d 100644
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -228,6 +245,7 @@ dev_delete_generic_dirs(lvm_t)
+@@ -228,11 +245,13 @@ dev_delete_generic_dirs(lvm_t)
  dev_read_rand(lvm_t)
  dev_read_urand(lvm_t)
  dev_rw_lvm_control(lvm_t)
@@ -76113,7 +76466,14 @@ index a0a0ebf..5e4149d 100644
  dev_manage_generic_symlinks(lvm_t)
  dev_relabel_generic_dev_dirs(lvm_t)
  dev_manage_generic_blk_files(lvm_t)
-@@ -244,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+ # Read /sys/block. Device mapper metadata is kept there.
+-dev_read_sysfs(lvm_t)
++# cryptsetup writes read_ahead_kb
++dev_rw_sysfs(lvm_t)
+ # cjp: this has no effect since LVM does not
+ # have lnk_file relabelto for anything else.
+ # perhaps this should be blk_files?
+@@ -244,6 +263,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
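Review bot: Replacing `dev_read_sysfs(lvm_t)` with `dev_rw_sysfs(lvm_t)` gives lvm_t write access to sysfs generally so that cryptsetup can set one attribute, `read_ahead_kb`, while the retained comment above it still says only "Read /sys/block". Merge the two comments so the rationale stays attached to the grant, e.g. `# Read /sys/block (device mapper metadata); cryptsetup also writes read_ahead_kb`. If sysfs cannot be labelled finely enough to narrow the write, saying so in the comment records that the broad grant is a known trade-off.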
@@ -76121,7 +76481,7 @@ index a0a0ebf..5e4149d 100644
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -253,17 +272,21 @@ files_read_etc_files(lvm_t)
+@@ -253,17 +273,21 @@ files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -76144,7 +76504,7 @@ index a0a0ebf..5e4149d 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -283,7 +306,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -283,7 +307,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
  
@@ -76153,7 +76513,7 @@ index a0a0ebf..5e4149d 100644
  
  init_use_fds(lvm_t)
  init_dontaudit_getattr_initctl(lvm_t)
-@@ -292,6 +315,8 @@ init_read_script_state(lvm_t)
+@@ -292,6 +316,8 @@ init_read_script_state(lvm_t)
  
  logging_send_syslog_msg(lvm_t)
  
@@ -76162,7 +76522,7 @@ index a0a0ebf..5e4149d 100644
  miscfiles_read_localization(lvm_t)
  
  seutil_read_config(lvm_t)
-@@ -299,7 +324,10 @@ seutil_read_file_contexts(lvm_t)
+@@ -299,7 +325,10 @@ seutil_read_file_contexts(lvm_t)
  seutil_search_default_contexts(lvm_t)
  seutil_sigchld_newrole(lvm_t)
  
@@ -76173,7 +76533,7 @@ index a0a0ebf..5e4149d 100644
  
  ifdef(`distro_redhat',`
  	# this is from the initrd:
-@@ -311,6 +339,11 @@ ifdef(`distro_redhat',`
+@@ -311,6 +340,11 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -76185,7 +76545,7 @@ index a0a0ebf..5e4149d 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -331,14 +364,27 @@ optional_policy(`
+@@ -331,14 +365,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80124,20 +80484,22 @@ index 0000000..6677509
 +
 +miscfiles_read_localization(systemctl_domain)
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..0e9e2b6 100644
+index 0291685..741f594 100644
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
-@@ -1,6 +1,6 @@
+@@ -1,6 +1,8 @@
 -/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
 -/dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
 -/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
++/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
++
 +/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_var_run_t,s0)
 +/dev/\.udevdb	--	gen_context(system_u:object_r:udev_var_run_t,s0)
 +/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_var_run_t,s0)
  
  /etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
  
-@@ -10,6 +10,7 @@
+@@ -10,6 +12,7 @@
  /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
  
  /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -80145,11 +80507,12 @@ index 0291685..0e9e2b6 100644
  
  /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
  /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -21,4 +22,17 @@
+@@ -20,5 +23,19 @@
+ /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
  
  /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
- 
--/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
++
 +/usr/sbin/start_udev 	--	gen_context(system_u:object_r:udev_exec_t,s0)
 +/usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
 +/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -80160,7 +80523,8 @@ index 0291685..0e9e2b6 100644
 +
 +/usr/lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
 +/usr/lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
-+
+ 
+-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 +/var/run/PackageKit/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 +/var/run/libgpod(/.*)?	        gen_context(system_u:object_r:udev_var_run_t,s0)    
 +/var/run/udev(/.*)?		gen_context(system_u:object_r:udev_var_run_t,s0)
@@ -80364,7 +80728,7 @@ index 025348a..c15e57c 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..a22db33 100644
+index d88f7c3..fb3d00c 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -80413,7 +80777,7 @@ index d88f7c3..a22db33 100644
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -62,17 +71,17 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -62,31 +71,34 @@ can_exec(udev_t, udev_helper_exec_t)
  # read udev config
  allow udev_t udev_etc_t:file read_file_perms;
  
@@ -80437,15 +80801,25 @@ index d88f7c3..a22db33 100644
  
  kernel_read_system_state(udev_t)
  kernel_request_load_module(udev_t)
-@@ -87,6 +96,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
+ kernel_getattr_core_if(udev_t)
+ kernel_use_fds(udev_t)
+ kernel_read_device_sysctls(udev_t)
++kernel_read_fs_sysctls(udev_t)
+ kernel_read_hotplug_sysctls(udev_t)
+ kernel_read_modprobe_sysctls(udev_t)
+ kernel_read_kernel_sysctls(udev_t)
+ kernel_rw_hotplug_sysctls(udev_t)
+ kernel_rw_unix_dgram_sockets(udev_t)
  kernel_dgram_send(udev_t)
- kernel_signal(udev_t)
+-kernel_signal(udev_t)
  kernel_search_debugfs(udev_t)
++kernel_setsched(udev_t)
 +kernel_stream_connect(udev_t)
++kernel_signal(udev_t)
  
  #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
  kernel_rw_net_sysctls(udev_t)
-@@ -97,6 +107,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -97,6 +109,7 @@ corecmd_exec_all_executables(udev_t)
  
  dev_rw_sysfs(udev_t)
  dev_manage_all_dev_nodes(udev_t)
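Review bot: `kernel_setsched(udev_t)` and `kernel_read_fs_sysctls(udev_t)` are added to udev_t without a comment or bug reference, while the neighbouring `kernel_rw_net_sysctls(udev_t)` carries its bugzilla URL. Neither rule looks related to the /usr move named in the commit title, so a later audit of udev_t cannot tell which denial each one answers. I would put a line above each, for example `# udevd sets scheduling on kernel threads, see <bug reference>`, with the real reference filled in. The `kernel_signal(udev_t)` change is only a reorder, and the udev_t rule list starts and ends outside this hunk.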
@@ -80453,7 +80827,7 @@ index d88f7c3..a22db33 100644
  dev_rw_generic_files(udev_t)
  dev_delete_generic_files(udev_t)
  dev_search_usbfs(udev_t)
-@@ -105,21 +116,30 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,21 +118,31 @@ dev_relabel_all_dev_nodes(udev_t)
  # preserved, instead of short circuiting the relabel
  dev_relabel_generic_symlinks(udev_t)
  dev_manage_generic_symlinks(udev_t)
@@ -80468,6 +80842,7 @@ index d88f7c3..a22db33 100644
 +files_read_kernel_modules(udev_t)
 +files_read_system_conf_files(udev_t)
 +
++
 +# console_init manages files in /etc/sysconfig
 +files_manage_etc_files(udev_t)
  files_exec_etc_files(udev_t)
@@ -80485,7 +80860,7 @@ index d88f7c3..a22db33 100644
  
  mcs_ptrace_all(udev_t)
  
-@@ -143,6 +163,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +166,7 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -80493,7 +80868,7 @@ index d88f7c3..a22db33 100644
  
  logging_search_logs(udev_t)
  logging_send_syslog_msg(udev_t)
-@@ -154,6 +175,8 @@ miscfiles_read_hwdata(udev_t)
+@@ -154,6 +178,8 @@ miscfiles_read_hwdata(udev_t)
  modutils_domtrans_insmod(udev_t)
  # read modules.inputmap:
  modutils_read_module_deps(udev_t)
@@ -80502,7 +80877,7 @@ index d88f7c3..a22db33 100644
  
  seutil_read_config(udev_t)
  seutil_read_default_contexts(udev_t)
-@@ -169,6 +192,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +195,8 @@ sysnet_signal_dhcpc(udev_t)
  sysnet_manage_config(udev_t)
  sysnet_etc_filetrans_config(udev_t)
  
@@ -80511,7 +80886,7 @@ index d88f7c3..a22db33 100644
  userdom_dontaudit_search_user_home_content(udev_t)
  
  ifdef(`distro_gentoo',`
-@@ -186,8 +211,9 @@ ifdef(`distro_redhat',`
+@@ -186,8 +214,9 @@ ifdef(`distro_redhat',`
  	fs_manage_tmpfs_chr_files(udev_t)
  	fs_relabel_tmpfs_blk_file(udev_t)
  	fs_relabel_tmpfs_chr_file(udev_t)
@@ -80522,7 +80897,7 @@ index d88f7c3..a22db33 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -216,11 +242,16 @@ optional_policy(`
+@@ -216,11 +245,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80539,7 +80914,7 @@ index d88f7c3..a22db33 100644
  ')
  
  optional_policy(`
-@@ -230,10 +261,20 @@ optional_policy(`
+@@ -230,10 +264,20 @@ optional_policy(`
  optional_policy(`
  	devicekit_read_pid_files(udev_t)
  	devicekit_dgram_send(udev_t)
@@ -80560,7 +80935,7 @@ index d88f7c3..a22db33 100644
  ')
  
  optional_policy(`
-@@ -259,6 +300,10 @@ optional_policy(`
+@@ -259,6 +303,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80571,7 +80946,7 @@ index d88f7c3..a22db33 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +318,11 @@ optional_policy(`
+@@ -273,6 +321,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80583,7 +80958,7 @@ index d88f7c3..a22db33 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -285,6 +335,7 @@ optional_policy(`
+@@ -285,6 +338,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
@@ -81400,7 +81775,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..43d975f 100644
+index 4b2878a..9fecf40 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -83187,15 +83562,6 @@ index 4b2878a..43d975f 100644
  
  ########################################
  ## <summary>
-@@ -1920,7 +2477,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
- 	allow $1 user_home_dir_t:dir search_dir_perms;
- 	files_search_home($1)
- ')
--
-+/
- ########################################
- ## <summary>
- ##	Delete symbolic links in a user home directory.
 @@ -1941,6 +2498,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
@@ -85727,3 +86093,15 @@ index c4ebc7e..30d6d7a 100644
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --git a/support/Makefile.devel b/support/Makefile.devel
+index c5e3ef3..182eeac 100644
+--- a/support/Makefile.devel
++++ b/support/Makefile.devel
+@@ -26,7 +26,6 @@ XMLLINT := $(BINDIR)/xmllint
+ # set default build options if missing
+ TYPE ?= standard
+ DIRECT_INITRC ?= n
+-POLY ?= n
+ QUIET ?= y
+ 
+ genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
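Review bot: Dropping the `POLY ?= n` default from support/Makefile.devel is not mentioned in the commit description or the new changelog entry, which speak only of /usr move fixes. If the devel Makefile or the files it includes still test `$(POLY)`, the variable is now empty rather than `n` unless the caller sets it; that part of the Makefile is outside the hunk, so this is worth a quick check. I would add a changelog line such as `- Remove POLY default from Makefile.devel` so the build change is traceable.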
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 21d8afa..5dddcb3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 80%{?dist}
+Release: 81%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jan 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-81
+- More /usr move fixes
+
 * Thu Jan 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-80
 - Add zabbix_can_network boolean
 - Add httpd_can_connect_zabbix boolean

