[selinux-policy/f17] - Add support for ecryptfs * ecryptfs does not support xattr - Allow lpstat.cups to read fips

Miroslav Grepl mgrepl at fedoraproject.org
Sun Jul 15 20:35:57 UTC 2012


commit 35dca99cf08913ecc52697a9c18de2b2858c528c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Sun Jul 15 22:35:12 2012 +0200

    - Add support for ecryptfs
           * ecryptfs does not support xattr
    - Allow lpstat.cups to read fips_enabled file
    - Allow pyzor running as spamc_t to create /root/.pyzor directory
    - Add labeling for amavisd-snmp init script
    - Add support for amavisd-snmp
    - Allow fprintd sigkill self
    - Allow xend (w/o libvirt) to start virtual machines
    - Allow aiccu to read /etc/passwd
    - accountsd needs to fchown some files/directories
    - Add ICAClient and zimbrauserdata as mozilla_filetrans_home_content
    - Allow xend_t to read the /etc/passwd file
    - Allow freshclam to update databases thru HTTP proxy
    - Add init_access_check() interface
    - Allow s-m-config to access check on systemd
    - Allow abrt to read public files by default
    - Fix amavis_create_pid_files() interface
    - Allow tuned sys_nice, sys_admin caps
    - Allow amavisd to execute fsav
    - Allow system_dbusd_t to stream connect to bluetooth, and use its socket

 policy-F16.patch    |  961 ++++++++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec |   24 ++-
 2 files changed, 735 insertions(+), 250 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 3a8069f..6d0b438 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -58217,7 +58217,7 @@ index 111d004..c90e80d 100644
 -## </desc>
 -gen_bool(secure_mode_policyload,false)
 diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..0f0bb47 100644
+index 4705ab6..96d561e 100644
 --- a/policy/global_tunables
 +++ b/policy/global_tunables
 @@ -6,6 +6,13 @@
@@ -58276,10 +58276,17 @@ index 4705ab6..0f0bb47 100644
  ## Allow any files/directories to be exported read/write via NFS.
  ## </p>
  ## </desc>
-@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -105,9 +103,31 @@ gen_tunable(use_samba_home_dirs,false)
  
  ## <desc>
  ## <p>
++## Support ecryptfs home directories
++## </p>
++## </desc>
++gen_tunable(use_ecryptfs_home_dirs,false)
++
++## <desc>
++## <p>
 +## Support fusefs home directories
 +## </p>
 +## </desc>
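Review bot: The new `use_ecryptfs_home_dirs` boolean is declared here but nothing in this chunk consumes it, and a gen_tunable without a tunable_policy block behind it is a dead toggle that is still exposed to administrators; confirm the userdom/filesystem consumer lands in the same patch. Its description says only `Support ecryptfs home directories`, which does not tell an admin what enabling it grants; suggest `## Allow user domains to access their home directories on an ecryptfs mount (ecryptfs does not support xattr labels)`, with the second half taken from the commit message.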
@@ -60258,10 +60265,18 @@ index c6ca761..46e0767 100644
  ')
  
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..9f49d01 100644
+index e0791b9..98d188e 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
-@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+@@ -41,6 +41,7 @@ allow netutils_t self:packet_socket create_socket_perms;
+ allow netutils_t self:udp_socket create_socket_perms;
+ allow netutils_t self:tcp_socket create_stream_socket_perms;
+ allow netutils_t self:socket create_socket_perms;
++allow netutils_t self:netlink_socket create_socket_perms;
+ 
+ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+@@ -48,6 +49,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
  
  kernel_search_proc(netutils_t)
  kernel_read_all_sysctls(netutils_t)
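Review bot: The added `allow netutils_t self:netlink_socket create_socket_perms;` uses the generic netlink class, which is the catch-all for every netlink family that has no dedicated class, so it is broader than a rule for the one family the tool actually opens (for example `netlink_route_socket` for route lookups); if the motivating denial named a specific class, prefer that one. This addition is not mentioned in the changelog in the commit message, so a comment above the rule naming which tool and netlink family needs it would help the next reviewer. The netutils_t rule block continues past the end of this hunk.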
@@ -60270,7 +60285,7 @@ index e0791b9..9f49d01 100644
  
  corenet_all_recvfrom_unlabeled(netutils_t)
  corenet_all_recvfrom_netlabel(netutils_t)
-@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
+@@ -64,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
  corenet_udp_bind_generic_node(netutils_t)
  
  dev_read_sysfs(netutils_t)
@@ -60280,7 +60295,7 @@ index e0791b9..9f49d01 100644
  
  fs_getattr_xattr_fs(netutils_t)
  
-@@ -83,7 +88,7 @@ logging_send_syslog_msg(netutils_t)
+@@ -83,7 +89,7 @@ logging_send_syslog_msg(netutils_t)
  miscfiles_read_localization(netutils_t)
  
  term_dontaudit_use_console(netutils_t)
@@ -60289,7 +60304,7 @@ index e0791b9..9f49d01 100644
  userdom_use_all_users_fds(netutils_t)
  
  optional_policy(`
-@@ -104,6 +109,8 @@ optional_policy(`
+@@ -104,6 +110,8 @@ optional_policy(`
  #
  
  allow ping_t self:capability { setuid net_raw };
@@ -60298,7 +60313,7 @@ index e0791b9..9f49d01 100644
  dontaudit ping_t self:capability sys_tty_config;
  allow ping_t self:tcp_socket create_socket_perms;
  allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-@@ -134,8 +141,6 @@ logging_send_syslog_msg(ping_t)
+@@ -134,8 +142,6 @@ logging_send_syslog_msg(ping_t)
  
  miscfiles_read_localization(ping_t)
  
@@ -60307,7 +60322,7 @@ index e0791b9..9f49d01 100644
  ifdef(`hide_broken_symptoms',`
  	init_dontaudit_use_fds(ping_t)
  
-@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
  	')
  ')
  
@@ -60333,7 +60348,7 @@ index e0791b9..9f49d01 100644
  	pcmcia_use_cardmgr_fds(ping_t)
  ')
  
-@@ -157,6 +176,10 @@ optional_policy(`
+@@ -157,6 +177,10 @@ optional_policy(`
  	hotplug_use_fds(ping_t)
  ')
  
@@ -60344,7 +60359,7 @@ index e0791b9..9f49d01 100644
  ########################################
  #
  # Traceroute local policy
-@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +218,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
  domain_use_interactive_fds(traceroute_t)
  
  files_read_etc_files(traceroute_t)
@@ -60352,7 +60367,7 @@ index e0791b9..9f49d01 100644
  files_dontaudit_search_var(traceroute_t)
  
  init_use_fds(traceroute_t)
-@@ -204,9 +228,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +229,16 @@ logging_send_syslog_msg(traceroute_t)
  
  miscfiles_read_localization(traceroute_t)
  
@@ -62694,7 +62709,7 @@ index 74354da..f04565f 100644
 +	modutils_read_module_deps(usbmodules_t)
 +')
 diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index c467144..fb794f9 100644
+index c467144..670479e 100644
 --- a/policy/modules/admin/usermanage.fc
 +++ b/policy/modules/admin/usermanage.fc
 @@ -10,7 +10,7 @@ ifdef(`distro_gentoo',`
@@ -62706,6 +62721,14 @@ index c467144..fb794f9 100644
  
  /usr/sbin/crack_[a-z]*	--	gen_context(system_u:object_r:crack_exec_t,s0)
  /usr/sbin/cracklib-[a-z]* --	gen_context(system_u:object_r:crack_exec_t,s0)
+@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',`
+ /usr/sbin/groupmod	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/sbin/grpconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/grpunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/usr/sbin/newusers	--	gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/sbin/pwconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/pwunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/useradd	--	gen_context(system_u:object_r:useradd_exec_t,s0)
 diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
 index 81fb26f..66cf96c 100644
 --- a/policy/modules/admin/usermanage.if
@@ -67083,7 +67106,7 @@ index 93ac529..82f8e65 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..ce9aee0 100644
+index fbb5c5a..2c0357f 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -67226,7 +67249,7 @@ index fbb5c5a..ce9aee0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -279,28 +361,98 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +361,100 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -67330,6 +67353,8 @@ index fbb5c5a..ce9aee0 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
  ')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
@@ -68961,6 +68986,35 @@ index ccc15ab..9f88c3a 100644
  allow podsleuth_t self:fifo_file rw_file_perms;
  allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
  allow podsleuth_t self:sem create_sem_perms;
+diff --git a/policy/modules/apps/ptchown.if b/policy/modules/apps/ptchown.if
+index 96cc023..5919bbd 100644
+--- a/policy/modules/apps/ptchown.if
++++ b/policy/modules/apps/ptchown.if
+@@ -18,6 +18,24 @@ interface(`ptchown_domtrans',`
+ 	domtrans_pattern($1, ptchown_exec_t, ptchown_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Execute ptchown in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ptchown_exec',`
++    gen_require(`
++        type ptchown_exec_t;
++    ')
++
++    can_exec($1, ptchown_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute ptchown in the ptchown domain, and
 diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
 index 84f23dc..5be2738 100644
 --- a/policy/modules/apps/pulseaudio.fc
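Review bot: The parameter summary of the new `ptchown_exec` interface says `Domain allowed to transition.` but the body only calls `can_exec($1, ptchown_exec_t)`, so no domain transition is involved; the summary should read `Domain allowed access.` to match what the rule grants. The body is indented with four spaces where the surrounding interfaces in this file use tabs, and the banner above its `## <summary>` is one `#` short of the 40-character banner used by the `ptchown_domtrans` interface that follows. It would also help to state in the summary that ptchown keeps running in the caller's domain, since that is the whole difference from `ptchown_domtrans`.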
@@ -69578,10 +69632,10 @@ index 4c091ca..a58f123 100644
 +
 +/usr/libexec/rssh_chroot_helper		--	gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
 diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index f594e12..e8f731d 100644
+index f594e12..04cc347 100644
 --- a/policy/modules/apps/sambagui.te
 +++ b/policy/modules/apps/sambagui.te
-@@ -27,16 +27,20 @@ corecmd_exec_bin(sambagui_t)
+@@ -27,16 +27,22 @@ corecmd_exec_bin(sambagui_t)
  
  dev_dontaudit_read_urand(sambagui_t)
  
@@ -69592,6 +69646,8 @@ index f594e12..e8f731d 100644
  
  auth_use_nsswitch(sambagui_t)
 +auth_dontaudit_read_shadow(sambagui_t)
++
++init_access_check(sambagui_t)
  
  logging_send_syslog_msg(sambagui_t)
  
@@ -69602,7 +69658,7 @@ index f594e12..e8f731d 100644
  optional_policy(`
  	consoletype_exec(sambagui_t)
  ')
-@@ -56,6 +60,7 @@ optional_policy(`
+@@ -56,6 +62,7 @@ optional_policy(`
  	samba_manage_var_files(sambagui_t)
  	samba_read_secrets(sambagui_t)
  	samba_initrc_domtrans(sambagui_t)
@@ -72376,7 +72432,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..ee313ec 100644
+index 3fae11a..dab79fa 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -72474,7 +72530,7 @@ index 3fae11a..ee313ec 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,67 +186,93 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +186,94 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -72495,7 +72551,8 @@ index 3fae11a..ee313ec 100644
 -/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/mountpoint			--	gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint		--	gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/pingus			--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/yash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -72613,7 +72670,7 @@ index 3fae11a..ee313ec 100644
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,11 +280,18 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +281,18 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -72633,7 +72690,7 @@ index 3fae11a..ee313ec 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +307,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +308,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -72644,7 +72701,7 @@ index 3fae11a..ee313ec 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +330,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +331,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -72665,7 +72722,7 @@ index 3fae11a..ee313ec 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +354,12 @@ ifdef(`distro_redhat', `
+@@ -306,10 +355,12 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -72680,7 +72737,7 @@ index 3fae11a..ee313ec 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +369,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +370,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -72692,7 +72749,7 @@ index 3fae11a..ee313ec 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,20 +415,21 @@ ifdef(`distro_redhat', `
+@@ -363,20 +416,21 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -72718,7 +72775,7 @@ index 3fae11a..ee313ec 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +438,13 @@ ifdef(`distro_suse', `
+@@ -385,3 +439,13 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -78968,10 +79025,18 @@ index 22821ff..2765a15 100644
  ########################################
  #
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..e89e4bf 100644
+index cda5588..91d1e25 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
-@@ -14,3 +14,8 @@
+@@ -1,3 +1,7 @@
++# ecryptfs does not support xattr
++HOME_DIR/\.ecryptfs(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
++HOME_DIR/\.Private(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
++
+ /cgroup			-d	gen_context(system_u:object_r:cgroup_t,s0)
+ /cgroup/.*			<<none>>
+ 
+@@ -14,3 +18,8 @@
  # for systemd systems:
  /sys/fs/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
  /sys/fs/cgroup/.*		<<none>>
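Review bot: The two new HOME_DIR entries label `.ecryptfs` and `.Private` with `ecryptfs_t`, but the declaration of that type and the fs_use/genfscon rule that would make it the default label of an ecryptfs mount are not in this chunk; confirm that filesystem.te in the same patch declares ecryptfs_t as a noxattr filesystem type, otherwise these contexts reference an undefined type at load time. `HOME_DIR/\.Private` is conventionally the ciphertext lower directory on the backing filesystem, which does carry xattrs, so restorecon will relabel the encrypted files themselves rather than the mounted plaintext view; that may be intended, but the one-line `# ecryptfs does not support xattr` comment does not say so. Suggest `# ecryptfs mounts cannot carry SELinux xattrs; label the per-user ecryptfs config and lower directories with the ecryptfs fs type` so the next reader knows why home-directory paths get a filesystem type rather than a user home type.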
@@ -78981,7 +79046,7 @@ index cda5588..e89e4bf 100644
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..cab2348 100644
+index 97fcdac..c812a81 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -79289,10 +79354,132 @@ index 97fcdac..cab2348 100644
  ##	Search dosfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2025,6 +2205,68 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',`
+ 	refpolicywarn(`$0($*) has been deprecated.')
+ ')
  
- ########################################
- ## <summary>
++
++#######################################
++## <summary>
++##      Search directories
++##      on a ecrypt filesystem.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`fs_search_ecryptfs',`
++        gen_require(`
++                type fusefs_t;
++        ')
++
++        allow $1 ecryptfs_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete directories
++##	on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_ecryptfs_dirs',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
++	allow $1 ecryptfs_t:dir manage_dir_perms;
++')
++
++#######################################
++## <summary>
++##      Create, read, write, and delete files
++##      on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_read_ecryptfs_files',`
++        gen_require(`
++                type ecryptfs_t;
++        ')
++
++        read_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete files
++##	on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_ecryptfs_files',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to create,
++##	read, write, and delete files
++##	on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_ecryptfs_files',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	dontaudit $1 ecryptfs_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++##	Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_ecryptfs_symlinks',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	allow $1 ecryptfs_t:dir list_dir_perms;
++	read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
 +##	Manage symbolic links on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
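Review bot: `fs_search_ecryptfs` requires the wrong type: its gen_require block declares `type fusefs_t;` while the rule it adds is `allow $1 ecryptfs_t:dir search_dir_perms;`, so a module that calls this interface without an ecryptfs_t require from elsewhere will fail to compile; the same copy-paste slip is in `fs_manage_ecryptfs_symlinks` in the following hunk, and both should declare `type ecryptfs_t;`. The summaries of the new ecryptfs interfaces still say `on a FUSEFS filesystem`, and `fs_read_ecryptfs_files` is documented as `Create, read, write, and delete files` although its body is only `read_files_pattern($1, ecryptfs_t, ecryptfs_t)`, so each header should name ecryptfs and the access it actually grants. In `fs_manage_ecryptfs_dirs` the explicit `allow $1 ecryptfs_t:dir manage_dir_perms;` appears to duplicate what `manage_dirs_pattern` already grants and can be dropped. `fs_search_ecryptfs` and `fs_read_ecryptfs_files` are indented with spaces where the rest of the file uses tabs.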
@@ -79301,12 +79488,12 @@ index 97fcdac..cab2348 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_manage_fusefs_symlinks',`
++interface(`fs_manage_ecryptfs_symlinks',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++	manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
 +')
 +
 +########################################
@@ -79344,21 +79531,108 @@ index 97fcdac..cab2348 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_fusefs_domtrans',`
++interface(`fs_ecryptfs_domtrans',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	allow $1 ecryptfs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, ecryptfs_t, $2)
++')
++
+ ########################################
+ ## <summary>
+ ##	Mount a FUSE filesystem.
+@@ -2006,21 +2368,83 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links on a FUSEFS filesystem.
++##	Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_fusefs_symlinks',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	allow $1 fusefs_t:dir search_dir_perms;
-+	domain_auto_transition_pattern($1, fusefs_t, $2)
++	allow $1 fusefs_t:dir list_dir_perms;
++	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Get the attributes of an hugetlbfs
- ##	filesystem.
++##	Manage symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_manage_fusefs_symlinks',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++## <summary>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.
  ## </summary>
-@@ -2080,6 +2322,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
++## <desc>
++##	<p>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain.  This is not suggested.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++##	<p>
++##	This interface was added to handle
++##	home directories on FUSE filesystems,
++##	in particular used by the ssh-agent policy.
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_read_fusefs_symlinks',`
++interface(`fs_fusefs_domtrans',`
+ 	gen_require(`
+ 		type fusefs_t;
+ 	')
+ 
+-	allow $1 fusefs_t:dir list_dir_perms;
+-	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++	allow $1 fusefs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, fusefs_t, $2)
+ ')
+ 
+ ########################################
+@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
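Review bot: `fs_ecryptfs_domtrans` grants `domain_auto_transition_pattern($1, ecryptfs_t, $2)`, so any file on an ecryptfs mount — which carries a single label because, per the commit message, the filesystem cannot hold xattrs — becomes an entrypoint into $2 for the caller; that is the same broad grant the relocated `fs_fusefs_domtrans` documents as `This is not suggested`, and the ecryptfs copy should carry the same caveat. The summary and desc for `fs_ecryptfs_domtrans` start before this hunk and, judging by the renamed `fs_fusefs_domtrans` line they were copied from, presumably still describe FUSE; they should say ecryptfs and document the `target_domain` parameter as the fusefs block further down does. The remainder of the hunk is a relocation of the fusefs symlink and domtrans interfaces with no functional change.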
@@ -79383,7 +79657,7 @@ index 97fcdac..cab2348 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2148,11 +2408,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -79397,7 +79671,7 @@ index 97fcdac..cab2348 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2480,6 +2741,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2923,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -79405,7 +79679,7 @@ index 97fcdac..cab2348 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2518,6 +2780,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2962,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -79413,7 +79687,7 @@ index 97fcdac..cab2348 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2544,6 +2807,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2989,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -79439,7 +79713,7 @@ index 97fcdac..cab2348 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2564,7 +2846,7 @@ interface(`fs_append_nfs_files',`
+@@ -2564,7 +3028,7 @@ interface(`fs_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -79448,7 +79722,7 @@ index 97fcdac..cab2348 100644
  ##	on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2584,6 +2866,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +3048,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -79491,7 +79765,7 @@ index 97fcdac..cab2348 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2598,7 +2916,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +3098,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -79500,7 +79774,7 @@ index 97fcdac..cab2348 100644
  ')
  
  ########################################
-@@ -2622,7 +2940,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2622,7 +3122,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -79509,7 +79783,7 @@ index 97fcdac..cab2348 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2736,7 +3054,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +3236,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -79518,7 +79792,7 @@ index 97fcdac..cab2348 100644
  ##	</summary>
  ## </param>
  #
-@@ -2772,7 +3090,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3272,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -79527,7 +79801,7 @@ index 97fcdac..cab2348 100644
  ##	</summary>
  ## </param>
  #
-@@ -2965,6 +3283,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3465,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -79535,7 +79809,7 @@ index 97fcdac..cab2348 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3005,6 +3324,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3506,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -79543,7 +79817,7 @@ index 97fcdac..cab2348 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3045,6 +3365,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3547,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -79551,7 +79825,7 @@ index 97fcdac..cab2348 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3258,6 +3579,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3258,6 +3761,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -79576,7 +79850,7 @@ index 97fcdac..cab2348 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3278,6 +3617,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3278,6 +3799,24 @@ interface(`fs_rw_nfsd_fs',`
  
  ########################################
  ## <summary>
@@ -79601,7 +79875,7 @@ index 97fcdac..cab2348 100644
  ##	Allow the type to associate to ramfs filesystems.
  ## </summary>
  ## <param name="type">
-@@ -3387,7 +3744,7 @@ interface(`fs_search_ramfs',`
+@@ -3387,7 +3926,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -79610,7 +79884,7 @@ index 97fcdac..cab2348 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3424,7 +3781,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3424,7 +3963,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -79619,7 +79893,7 @@ index 97fcdac..cab2348 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3442,7 +3799,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3442,7 +3981,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -79628,7 +79902,7 @@ index 97fcdac..cab2348 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3810,6 +4167,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3810,6 +4349,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -79653,7 +79927,7 @@ index 97fcdac..cab2348 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3958,6 +4333,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4515,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -79696,7 +79970,7 @@ index 97fcdac..cab2348 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4059,7 +4470,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4059,7 +4652,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -79705,7 +79979,7 @@ index 97fcdac..cab2348 100644
  ')
  
  ########################################
-@@ -4119,6 +4530,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4119,6 +4712,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -79730,7 +80004,7 @@ index 97fcdac..cab2348 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4156,7 +4585,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4156,7 +4767,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
@@ -79739,7 +80013,7 @@ index 97fcdac..cab2348 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4175,6 +4604,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4786,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -79782,7 +80056,7 @@ index 97fcdac..cab2348 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4232,6 +4697,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4232,6 +4879,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
  
  ########################################
  ## <summary>
@@ -79807,7 +80081,7 @@ index 97fcdac..cab2348 100644
  ##	Read and write, create and delete generic
  ##	files on tmpfs filesystems.
  ## </summary>
-@@ -4251,6 +4734,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4916,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -79833,7 +80107,7 @@ index 97fcdac..cab2348 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4457,6 +4959,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +5141,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -79842,7 +80116,7 @@ index 97fcdac..cab2348 100644
  ')
  
  ########################################
-@@ -4503,7 +5007,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +5189,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -79851,7 +80125,7 @@ index 97fcdac..cab2348 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5370,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5552,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -84839,7 +85113,7 @@ index 0b827c5..ac79ca6 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..bb97cc2 100644
+index 30861ec..8d391e2 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -85004,7 +85278,7 @@ index 30861ec..bb97cc2 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,22 +197,30 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +197,31 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -85017,6 +85291,7 @@ index 30861ec..bb97cc2 100644
  
  miscfiles_read_generic_certs(abrt_t)
 -miscfiles_read_localization(abrt_t)
++miscfiles_read_public_files(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
 +userdom_dontaudit_read_admin_home_files(abrt_t)
@@ -85040,7 +85315,7 @@ index 30861ec..bb97cc2 100644
  ')
  
  optional_policy(`
-@@ -167,6 +241,7 @@ optional_policy(`
+@@ -167,6 +242,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -85048,7 +85323,7 @@ index 30861ec..bb97cc2 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +253,35 @@ optional_policy(`
+@@ -178,12 +254,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85085,7 +85360,7 @@ index 30861ec..bb97cc2 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +298,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +299,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -85114,7 +85389,7 @@ index 30861ec..bb97cc2 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +321,146 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +322,146 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -85348,7 +85623,7 @@ index c0f858d..10a0cd6 100644
 +	allow $1 accountsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..67cd103 100644
+index 1632f10..1cb95bc 100644
 --- a/policy/modules/services/accountsd.te
 +++ b/policy/modules/services/accountsd.te
 @@ -1,5 +1,9 @@
@@ -85380,7 +85655,7 @@ index 1632f10..67cd103 100644
  #
  
 -allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
-+allow accountsd_t self:capability { dac_override setuid setgid };
++allow accountsd_t self:capability { chown dac_override setuid setgid };
 +allow accountsd_t self:process signal;
  allow accountsd_t self:fifo_file rw_fifo_file_perms;
 +allow accountsd_t self:passwd { rootok passwd chfn chsh };
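Review bot: The new `chown` in `allow accountsd_t self:capability { chown dac_override setuid setgid };` is not explained anywhere in the policy; CAP_CHOWN lets the daemon hand ownership of any file it can open to any uid, so the reason belongs next to the rule. The commit message only says accountsd needs to fchown some files/directories, without naming them; I would add `# CAP_CHOWN: accountsd fchown()s files/directories it creates (see commit)` above the line and name the object type once it is known. Combined with the dac_override already on that line, the domain can now re-own anything within its file reach, so recording the intended targets (presumably its own var_lib/pid files) keeps this auditable later.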
@@ -85479,7 +85754,7 @@ index 184c9a8..8f77bf5 100644
  	domain_system_change_exemption($1)
  	role_transition $2 aiccu_initrc_exec_t system_r;
 diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
-index 6d685ba..4114d9b 100644
+index 6d685ba..b6f9ba3 100644
 --- a/policy/modules/services/aiccu.te
 +++ b/policy/modules/services/aiccu.te
 @@ -45,9 +45,11 @@ corecmd_exec_shell(aiccu_t)
@@ -85494,6 +85769,15 @@ index 6d685ba..4114d9b 100644
  corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
  corenet_tcp_bind_generic_node(aiccu_t)
  corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+@@ -62,6 +64,8 @@ dev_read_urand(aiccu_t)
+ 
+ files_read_etc_files(aiccu_t)
+ 
++auth_read_passwd(aiccu_t)
++
+ logging_send_syslog_msg(aiccu_t)
+ 
+ miscfiles_read_localization(aiccu_t)
 diff --git a/policy/modules/services/aide.fc b/policy/modules/services/aide.fc
 index 7798464..ff76db7 100644
 --- a/policy/modules/services/aide.fc
@@ -85791,11 +86075,14 @@ index 0000000..3d0fd88
 +')
 +
 diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
-index d96fdfa..e07158f 100644
+index d96fdfa..75eab43 100644
 --- a/policy/modules/services/amavis.fc
 +++ b/policy/modules/services/amavis.fc
-@@ -4,7 +4,7 @@
+@@ -2,9 +2,10 @@
+ /etc/amavis\.conf		--	gen_context(system_u:object_r:amavis_etc_t,s0)
+ /etc/amavisd(/.*)?			gen_context(system_u:object_r:amavis_etc_t,s0)
  /etc/rc\.d/init\.d/amavis	--	gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/amavisd-snmp   --  gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
  
  /usr/sbin/amavisd.*		--	gen_context(system_u:object_r:amavis_exec_t,s0)
 -/usr/lib(64)?/AntiVir/antivir	--	gen_context(system_u:object_r:amavis_exec_t,s0)
@@ -85804,10 +86091,18 @@ index d96fdfa..e07158f 100644
  ifdef(`distro_debian',`
  /usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
-index e31d92a..e515cb8 100644
+index e31d92a..1aa0718 100644
 --- a/policy/modules/services/amavis.if
 +++ b/policy/modules/services/amavis.if
-@@ -231,9 +231,13 @@ interface(`amavis_admin',`
+@@ -202,6 +202,7 @@ interface(`amavis_create_pid_files',`
+ 		type amavis_var_run_t;
+ 	')
+ 
++	allow $1 amavis_var_run_t:dir rw_dir_perms;
+ 	allow $1 amavis_var_run_t:file create_file_perms;
+ 	files_search_pids($1)
+ ')
+@@ -231,9 +232,13 @@ interface(`amavis_admin',`
  		type amavis_initrc_exec_t;
  	')
  
@@ -85823,7 +86118,7 @@ index e31d92a..e515cb8 100644
   	domain_system_change_exemption($1)
   	role_transition $2 amavis_initrc_exec_t system_r;
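Review bot: `allow $1 amavis_var_run_t:dir rw_dir_perms;` grants more than the interface name promises: `rw_dir_perms` includes `remove_name`, and the existing `create_file_perms` on the file already includes `unlink`, so a caller of amavis_create_pid_files can now delete amavisd's pid files rather than just create its own. If callers only need to create entries, `allow $1 amavis_var_run_t:dir add_entry_dir_perms;` is the narrower refpolicy permission set; if deletion is really intended, the interface summary (outside this hunk) should say it manages pid files. The gen_require block of the interface opens before the hunk.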
 diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index deca9d3..ac92fce 100644
+index deca9d3..e25ae7a 100644
 --- a/policy/modules/services/amavis.te
 +++ b/policy/modules/services/amavis.te
 @@ -38,7 +38,7 @@ type amavis_quarantine_t;
@@ -85835,7 +86130,33 @@ index deca9d3..ac92fce 100644
  
  ########################################
  #
-@@ -128,6 +128,7 @@ corenet_tcp_connect_razor_port(amavis_t)
+@@ -49,7 +49,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid };
+ dontaudit amavis_t self:capability sys_tty_config;
+ allow amavis_t self:process { signal sigchld sigkill signull };
+ allow amavis_t self:fifo_file rw_fifo_file_perms;
+-allow amavis_t self:unix_stream_socket create_stream_socket_perms;
++allow amavis_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow amavis_t self:unix_dgram_socket create_socket_perms;
+ allow amavis_t self:tcp_socket { listen accept };
+ allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -75,9 +75,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+ files_search_spool(amavis_t)
+ 
+ # tmp files
++manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+ manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
++manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+ allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
++files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir } )
+ 
+ # var/lib files for amavis
+ manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+@@ -125,9 +127,11 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t)
+ corenet_udp_bind_generic_port(amavis_t)
+ corenet_dontaudit_udp_bind_all_ports(amavis_t)
+ corenet_tcp_connect_razor_port(amavis_t)
++corenet_tcp_connect_agentx_port(amavis_t)
  
  dev_read_rand(amavis_t)
  dev_read_urand(amavis_t)
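Review bot: `manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)` is added, but the type transition below is only widened to `{ file dir }`, so a socket amavisd creates directly under /tmp would receive the generic tmp type and the new sock_file rules would not apply to it. If the sockets are created inside an amavis_tmp_t directory they inherit the label and this is fine; if they land directly in /tmp, use `files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file })`. The `connectto` added on the self unix_stream_socket line goes with these sockets but is undocumented; a one-line comment naming the local socket it connects to would help the next reader.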
@@ -85843,15 +86164,18 @@ index deca9d3..ac92fce 100644
  
  domain_use_interactive_fds(amavis_t)
  
-@@ -137,6 +138,7 @@ files_read_usr_files(amavis_t)
+@@ -137,8 +141,10 @@ files_read_usr_files(amavis_t)
  
  fs_getattr_xattr_fs(amavis_t)
  
 +auth_use_nsswitch(amavis_t)
  auth_dontaudit_read_shadow(amavis_t)
  
++init_read_state(amavis_t)
  # uses uptime which reads utmp - redhat bug 561383
-@@ -153,24 +155,28 @@ sysnet_use_ldap(amavis_t)
+ init_read_utmp(amavis_t)
+ init_stream_connect_script(amavis_t)
+@@ -153,29 +159,34 @@ sysnet_use_ldap(amavis_t)
  
  userdom_dontaudit_search_user_home_dirs(amavis_t)
  
@@ -85887,6 +86211,23 @@ index deca9d3..ac92fce 100644
  	nslcd_stream_connect(amavis_t)
  ')
  
+ optional_policy(`
+ 	postfix_read_config(amavis_t)
++	postfix_list_spool(amavis_t)
+ ')
+ 
+ optional_policy(`
+@@ -188,6 +199,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	snmp_manage_var_lib_files(amavis_t)
++')
++
++optional_policy(`
+ 	spamassassin_exec(amavis_t)
+ 	spamassassin_exec_client(amavis_t)
+ 	spamassassin_read_lib_files(amavis_t)
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
 index 9e39aa5..0bd78fc 100644
 --- a/policy/modules/services/apache.fc
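Review bot: `snmp_manage_var_lib_files(amavis_t)` gives amavisd create, write and delete rights over snmpd's /var/lib content, and nothing in the hunk records why a mail scanner needs more than read access there. The AgentX port connect added in this commit suggests the amavisd-snmp sub-agent is the reason; if it only reads snmpd's MIB/state files, the read-only var_lib interface in snmp.if is the narrower choice, and if it genuinely writes there, add `# amavisd-snmp (AgentX sub-agent) updates its data under snmpd's var_lib` above the rule so the scope is visible. The optional_policy blocks touched here are complete within the hunk.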
@@ -92586,7 +92927,7 @@ index 1f11572..87840b4 100644
 +
  ')
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..1ae1cef 100644
+index f758323..5207f78 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
 @@ -1,9 +1,23 @@
@@ -92729,15 +93070,16 @@ index f758323..1ae1cef 100644
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +228,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +228,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
 +corenet_tcp_connect_clamd_port(freshclam_t)
++corenet_tcp_connect_squid_port(freshclam_t)
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
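Review bot: `corenet_tcp_connect_squid_port(freshclam_t)` implements the "update databases thru HTTP proxy" item only for proxies listening on squid_port_t, and the rule carries no comment tying it to that purpose. The proxy is administrator-configured (HTTPProxyServer in freshclam.conf) and may sit on a port labeled http_cache_port_t instead, so either add `corenet_tcp_connect_http_cache_port(freshclam_t)` alongside it or document the limit with `# HTTPProxyServer: only proxies on squid_port_t are reachable`. Keeping the allow narrow is the right default; the comment just makes the choice deliberate.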
-@@ -207,16 +247,22 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +248,22 @@ miscfiles_read_localization(freshclam_t)
  
  clamav_stream_connect(freshclam_t)
  
@@ -92764,7 +93106,7 @@ index f758323..1ae1cef 100644
  ########################################
  #
  # clamscam local policy
-@@ -242,15 +288,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +289,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
  manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
  allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
  
@@ -92800,7 +93142,7 @@ index f758323..1ae1cef 100644
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +330,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +331,15 @@ miscfiles_read_public_files(clamscan_t)
  
  clamav_stream_connect(clamscan_t)
  
@@ -92870,10 +93212,10 @@ index 6077339..d10acd2 100644
  dev_manage_generic_blk_files(clogd_t)
 diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
 new file mode 100644
-index 0000000..7182054
+index 0000000..e59cc85
 --- /dev/null
 +++ b/policy/modules/services/cloudform.fc
-@@ -0,0 +1,19 @@
+@@ -0,0 +1,20 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
@@ -92889,6 +93231,7 @@ index 0000000..7182054
 +/var/log/deltacloud-core(/.*)?	gen_context(system_u:object_r:deltacloudd_log_t,s0)
 +/var/log/iwhd\.log		--		gen_context(system_u:object_r:iwhd_log_t,s0)
 +/var/log/mongodb(/.*)?		gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/aeolus-conductor/dbomatic\.log	--	gen_context(system_u:object_r:mongod_log_t,s0)
 +
 +/var/run/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_run_t,s0)
 +/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
@@ -92941,10 +93284,10 @@ index 0000000..7f55959
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..e0716d7
+index 0000000..ebf11b1
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,197 @@
+@@ -0,0 +1,198 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -93105,6 +93448,7 @@ index 0000000..e0716d7
 +
 +manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
 +manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
++logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
 +
 +manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
 +manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
@@ -98379,7 +98723,7 @@ index 1a1becd..115133d 100644
 +	dontaudit $1 session_bus_type:dbus send_msg;
  ')
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..a3267cd 100644
+index 1bff6ee..cdf9fb7 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -98450,7 +98794,7 @@ index 1bff6ee..a3267cd 100644
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -136,11 +145,27 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -136,11 +145,31 @@ seutil_sigchld_newrole(system_dbusd_t)
  userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
  userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
  
@@ -98461,6 +98805,10 @@ index 1bff6ee..a3267cd 100644
  ')
  
  optional_policy(`
++	bluetooth_stream_connect(system_dbusd_t)
++')
++
++optional_policy(`
 +	gnome_exec_gconf(system_dbusd_t)
 +	gnome_read_inherited_home_icc_data_files(system_dbusd_t)
 +')
@@ -98478,7 +98826,7 @@ index 1bff6ee..a3267cd 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -151,12 +176,160 @@ optional_policy(`
+@@ -151,12 +180,160 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -98499,7 +98847,7 @@ index 1bff6ee..a3267cd 100644
  #
 -# Unconfined access to this module
 +# system_bus_type rules
-+#
+ #
 +role system_r types system_bus_type;
 +
 +fs_search_all(system_bus_type)
@@ -98520,7 +98868,7 @@ index 1bff6ee..a3267cd 100644
 +optional_policy(`
 +	abrt_stream_connect(system_bus_type)
 +')
-+
+ 
 +optional_policy(`
 +	rpm_script_dbus_chat(system_bus_type)
 +')
@@ -98536,7 +98884,7 @@ index 1bff6ee..a3267cd 100644
 +########################################
 +#
 +# session_bus_type rules
- #
++#
 +dontaudit session_bus_type self:capability sys_resource;
 +allow session_bus_type self:process { getattr sigkill signal };
 +dontaudit session_bus_type self:process setrlimit;
@@ -98615,7 +98963,7 @@ index 1bff6ee..a3267cd 100644
 +optional_policy(`
 +	gnome_read_gconf_home_files(session_bus_type)
 +')
- 
++
 +optional_policy(`
 +	hal_dbus_chat(session_bus_type)
 +')
@@ -103095,7 +103443,7 @@ index ebad8c4..eeddf7b 100644
  ')
 -
 diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
-index 7df52c7..26422af 100644
+index 7df52c7..efdd053 100644
 --- a/policy/modules/services/fprintd.te
 +++ b/policy/modules/services/fprintd.te
 @@ -8,6 +8,7 @@ policy_module(fprintd, 1.1.0)
@@ -103115,7 +103463,7 @@ index 7df52c7..26422af 100644
 +
  allow fprintd_t self:fifo_file rw_fifo_file_perms;
 -allow fprintd_t self:process { getsched signal };
-+allow fprintd_t self:process { getsched setsched signal };
++allow fprintd_t self:process { getsched setsched signal sigkill };
  
  manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
  manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
@@ -109031,7 +109379,7 @@ index a4f32f5..628b63c 100644
  ##	in the caller domain.
  ## </summary>
 diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index 93c14ca..00cd4a4 100644
+index 93c14ca..e66a1b9 100644
 --- a/policy/modules/services/lpd.te
 +++ b/policy/modules/services/lpd.te
 @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
@@ -109094,7 +109442,15 @@ index 93c14ca..00cd4a4 100644
  
  # Write to /var/spool/lpd.
  manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
-@@ -277,19 +278,21 @@ miscfiles_read_localization(lpr_t)
+@@ -238,6 +239,7 @@ can_exec(lpr_t, lpr_exec_t)
+ # Allow lpd to read, rename, and unlink spool files.
+ allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+ 
++kernel_read_system_state(lpr_t)
+ kernel_read_kernel_sysctls(lpr_t)
+ 
+ corenet_all_recvfrom_unlabeled(lpr_t)
+@@ -277,19 +279,21 @@ miscfiles_read_localization(lpr_t)
  
  userdom_read_user_tmp_symlinks(lpr_t)
  # Write to the user domain tty.
@@ -109121,7 +109477,7 @@ index 93c14ca..00cd4a4 100644
  	# Send SIGHUP to lpd.
  	allow lpr_t lpd_t:process signal;
  
-@@ -307,17 +310,7 @@ tunable_policy(`use_lpd_server',`
+@@ -307,17 +311,7 @@ tunable_policy(`use_lpd_server',`
  	read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
  ')
  
@@ -109140,7 +109496,7 @@ index 93c14ca..00cd4a4 100644
  
  optional_policy(`
  	cups_read_config(lpr_t)
-@@ -326,5 +319,13 @@ optional_policy(`
+@@ -326,5 +320,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129292,7 +129648,7 @@ index c954f31..82fc7f6 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..1ee5862 100644
+index ec1eb1e..bdab717 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
 @@ -6,56 +6,41 @@ policy_module(spamassassin, 2.4.0)
@@ -129517,7 +129873,7 @@ index ec1eb1e..1ee5862 100644
  ')
  
  ########################################
-@@ -206,15 +269,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +269,36 @@ allow spamc_t self:unix_stream_socket connectto;
  allow spamc_t self:tcp_socket create_stream_socket_perms;
  allow spamc_t self:udp_socket create_socket_perms;
  
@@ -129534,6 +129890,9 @@ index ec1eb1e..1ee5862 100644
 +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 +userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
 +userdom_append_user_home_content_files(spamc_t)
++# for /root/.pyzor
++allow spamc_t self:capability dac_override;
++userdom_admin_home_dir_filetrans(spamc_t, spamc_home_t , dir, ".pyzor")
 +
 +list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 +read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
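Review bot: `allow spamc_t self:capability dac_override;` is a large widening for a domain that handles untrusted mail: CAP_DAC_OVERRIDE bypasses every owner/mode check, so it covers far more than the `/root/.pyzor` case named in the comment. Needing it at all suggests pyzor runs as a non-root user and is writing into root's 0700 home; the cleaner fix is to point pyzor at a dedicated directory (its --homedir option, or the corresponding SpamAssassin pyzor setting) so no capability is required. If the capability has to stay, tie it to the reason in place, e.g. `# CAP_DAC_OVERRIDE only so a non-root pyzor can create /root/.pyzor -- drop once pyzor has its own homedir`. Also, `spamc_home_t , dir` has a stray space that the other filetrans calls in this file do not.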
@@ -129542,6 +129901,7 @@ index ec1eb1e..1ee5862 100644
  allow spamc_t spamd_t:unix_stream_socket connectto;
  allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
 +spamd_stream_connect(spamc_t)
++allow spamc_t spamd_tmp_t:file read_inherited_file_perms;
  
  kernel_read_kernel_sysctls(spamc_t)
 +kernel_read_system_state(spamc_t)
@@ -129550,7 +129910,7 @@ index ec1eb1e..1ee5862 100644
  
  corenet_all_recvfrom_unlabeled(spamc_t)
  corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +306,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -226,6 +310,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
  corenet_udp_sendrecv_all_ports(spamc_t)
  corenet_tcp_connect_all_ports(spamc_t)
  corenet_sendrecv_all_client_packets(spamc_t)
@@ -129558,7 +129918,7 @@ index ec1eb1e..1ee5862 100644
  
  fs_search_auto_mountpoints(spamc_t)
  
-@@ -244,9 +325,14 @@ files_read_usr_files(spamc_t)
+@@ -244,9 +329,14 @@ files_read_usr_files(spamc_t)
  files_dontaudit_search_var(spamc_t)
  # cjp: this may be removable:
  files_list_home(spamc_t)
@@ -129573,7 +129933,7 @@ index ec1eb1e..1ee5862 100644
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -254,27 +340,35 @@ seutil_read_config(spamc_t)
+@@ -254,27 +344,35 @@ seutil_read_config(spamc_t)
  
  sysnet_read_config(spamc_t)
  
@@ -129615,7 +129975,7 @@ index ec1eb1e..1ee5862 100644
  ')
  
  ########################################
-@@ -286,7 +380,7 @@ optional_policy(`
+@@ -286,7 +384,7 @@ optional_policy(`
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -129624,7 +129984,7 @@ index ec1eb1e..1ee5862 100644
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -302,10 +396,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +400,17 @@ allow spamd_t self:unix_dgram_socket sendto;
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -129643,7 +130003,7 @@ index ec1eb1e..1ee5862 100644
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +415,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +419,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -129661,7 +130021,7 @@ index ec1eb1e..1ee5862 100644
  
  kernel_read_all_sysctls(spamd_t)
  kernel_read_system_state(spamd_t)
-@@ -367,23 +472,23 @@ files_read_var_lib_files(spamd_t)
+@@ -367,23 +476,23 @@ files_read_var_lib_files(spamd_t)
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -129693,7 +130053,7 @@ index ec1eb1e..1ee5862 100644
  ')
  
  optional_policy(`
-@@ -399,7 +504,9 @@ optional_policy(`
+@@ -399,7 +508,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129703,7 +130063,7 @@ index ec1eb1e..1ee5862 100644
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -408,25 +515,17 @@ optional_policy(`
+@@ -408,25 +519,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129731,7 +130091,7 @@ index ec1eb1e..1ee5862 100644
  	postgresql_stream_connect(spamd_t)
  ')
  
-@@ -437,6 +536,10 @@ optional_policy(`
+@@ -437,6 +540,10 @@ optional_policy(`
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -129742,7 +130102,7 @@ index ec1eb1e..1ee5862 100644
  ')
  
  optional_policy(`
-@@ -444,6 +547,7 @@ optional_policy(`
+@@ -444,6 +551,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129750,7 +130110,7 @@ index ec1eb1e..1ee5862 100644
  	sendmail_stub(spamd_t)
  	mta_read_config(spamd_t)
  ')
-@@ -451,3 +555,51 @@ optional_policy(`
+@@ -451,3 +559,51 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -132884,7 +133244,7 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
-index db9d2a5..c7b09c0 100644
+index db9d2a5..346d4d7 100644
 --- a/policy/modules/services/tuned.te
 +++ b/policy/modules/services/tuned.te
 @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -132900,13 +133260,14 @@ index db9d2a5..c7b09c0 100644
  type tuned_log_t;
  logging_log_file(tuned_log_t)
  
-@@ -23,23 +29,39 @@ files_pid_file(tuned_var_run_t)
+@@ -22,24 +28,39 @@ files_pid_file(tuned_var_run_t)
+ #
  # tuned local policy
  #
- 
-+allow tuned_t self:process signal;
-+
+-
++allow tuned_t self:capability { sys_admin sys_nice };
  dontaudit tuned_t self:capability { dac_override sys_tty_config };
++allow tuned_t self:process signal;
 +allow tuned_t self:fifo_file rw_fifo_file_perms;
 +allow tuned_t self:udp_socket create_socket_perms;
 +
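Review bot: `allow tuned_t self:capability { sys_admin sys_nice };` adds CAP_SYS_ADMIN without any comment; that capability is the catch-all for mount, namespace, tunable and privileged-ioctl operations, so granting it makes tuned_t close to root-equivalent for kernel interfaces and should be tied to the specific operation that was denied. The commit message lists the capabilities but not the AVC behind them; record it next to the rule, e.g. `# CAP_SYS_ADMIN: <operation from the denial>; CAP_SYS_NICE: scheduler/priority tuning`, so it can be revisited later. If only one syscall needs it, check first whether a file or sysctl rule covers that path without the capability.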
@@ -132944,7 +133305,7 @@ index db9d2a5..c7b09c0 100644
  # to allow cpu tuning
  dev_rw_netcontrol(tuned_t)
  
-@@ -47,6 +69,10 @@ files_read_etc_files(tuned_t)
+@@ -47,6 +68,10 @@ files_read_etc_files(tuned_t)
  files_read_usr_files(tuned_t)
  files_dontaudit_search_home(tuned_t)
  
@@ -132955,7 +133316,7 @@ index db9d2a5..c7b09c0 100644
  logging_send_syslog_msg(tuned_t)
  
  miscfiles_read_localization(tuned_t)
-@@ -58,6 +84,14 @@ optional_policy(`
+@@ -58,6 +83,14 @@ optional_policy(`
  	fstools_domtrans(tuned_t)
  ')
  
@@ -135922,7 +136283,7 @@ index aa6e5a8..42a0efb 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..c628935 100644
+index 4966c94..c231dab 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -136049,11 +136410,11 @@ index 4966c94..c628935 100644
  
 -/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
 -/var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/[mkwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/[mkwx]dm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 +/var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/[mg]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/slim\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/[mg]dm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/slim\.log	--	gen_context(system_u:object_r:xdm_log_t,s0)
  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
@@ -136086,7 +136447,7 @@ index 4966c94..c628935 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..d1576ab 100644
+index 130ced9..3024c40 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -136853,7 +137214,7 @@ index 130ced9..d1576ab 100644
  ')
  
  ########################################
-@@ -1243,10 +1558,536 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1558,533 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -137357,9 +137718,6 @@ index 130ced9..d1576ab 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
 +	userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+	optional_policy(`
-+		gnome_cache_filetrans($1, xdm_home_t, dir, "gdm")
-+	')
 +')
 +
 +########################################
@@ -139766,7 +140124,7 @@ index 28ad538..82def3d 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..c71cf8e 100644
+index 73554ec..358cf75 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -139849,7 +140207,7 @@ index 73554ec..c71cf8e 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -120,16 +146,29 @@ interface(`auth_login_pgm_domain',`
+@@ -120,16 +146,31 @@ interface(`auth_login_pgm_domain',`
  	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
  	files_var_filetrans($1, auth_cache_t, dir)
  
@@ -139877,10 +140235,12 @@ index 73554ec..c71cf8e 100644
  	fs_list_auto_mountpoints($1)
 +	fs_manage_cgroup_dirs($1)
 +	fs_manage_cgroup_files($1)
++	fs_read_ecryptfs_symlinks($1)
++	fs_read_ecryptfs_files($1)
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
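Review bot: `fs_read_ecryptfs_files($1)` and `fs_read_ecryptfs_symlinks($1)` are granted to every login-program domain, and because ecryptfs has no xattr support (as the commit notes) the whole filesystem carries one type, so this read access is not per-user: any domain holding it can read every user's decrypted eCryptfs content, with only DAC left to separate users. That is probably unavoidable for PAM-driven home mounting, but it deserves a comment, e.g. `# ecryptfs cannot carry xattr labels: one type covers all users' mounts, DAC is the only separation`, so later changes do not hand the same access to unrelated daemons. The interface body continues outside this hunk.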
-@@ -145,6 +184,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +186,8 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -139889,7 +140249,7 @@ index 73554ec..c71cf8e 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,13 +196,92 @@ interface(`auth_login_pgm_domain',`
+@@ -155,13 +198,93 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -139925,6 +140285,7 @@ index 73554ec..c71cf8e 100644
 +		corecmd_exec_bin($1)
 +		storage_getattr_fixed_disk_dev($1)
 +		mount_domtrans($1)
++		mount_domtrans_ecryptmount($1)
 +	')
 +
 +	optional_policy(`
@@ -139984,7 +140345,7 @@ index 73554ec..c71cf8e 100644
  ##	Use the login program as an entry point program.
  ## </summary>
  ## <param name="domain">
-@@ -368,13 +488,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -368,13 +491,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -140001,7 +140362,7 @@ index 73554ec..c71cf8e 100644
  ')
  
  ########################################
-@@ -421,6 +543,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +546,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -140027,7 +140388,7 @@ index 73554ec..c71cf8e 100644
  ')
  
  ########################################
-@@ -440,7 +581,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -440,7 +584,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -140035,7 +140396,7 @@ index 73554ec..c71cf8e 100644
  ')
  
  ########################################
-@@ -637,6 +777,10 @@ interface(`auth_manage_shadow',`
+@@ -637,6 +780,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -140046,7 +140407,7 @@ index 73554ec..c71cf8e 100644
  ')
  
  #######################################
-@@ -736,7 +880,50 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +883,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -140098,7 +140459,7 @@ index 73554ec..c71cf8e 100644
  ')
  
  #######################################
-@@ -932,9 +1119,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1122,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -140132,7 +140493,7 @@ index 73554ec..c71cf8e 100644
  ')
  
  ########################################
-@@ -1013,6 +1221,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1013,6 +1224,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -140143,7 +140504,7 @@ index 73554ec..c71cf8e 100644
  ')
  
  ########################################
-@@ -1130,6 +1342,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1130,6 +1345,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -140151,7 +140512,7 @@ index 73554ec..c71cf8e 100644
  ')
  
  #######################################
-@@ -1387,6 +1600,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1603,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -140177,7 +140538,7 @@ index 73554ec..c71cf8e 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1537,37 +1769,49 @@ interface(`auth_manage_login_records',`
+@@ -1537,37 +1772,49 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -140237,7 +140598,7 @@ index 73554ec..c71cf8e 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -1575,87 +1819,206 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1822,206 @@ interface(`auth_relabel_login_records',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -140495,7 +140856,7 @@ index 73554ec..c71cf8e 100644
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
  ')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..b2a6592 100644
+index b7a5f00..d0c3808 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,22 +5,42 @@ policy_module(authlogin, 2.2.1)
@@ -140604,7 +140965,7 @@ index b7a5f00..b2a6592 100644
  # Allow utemper to write to /tmp/.xses-*
  userdom_write_user_tmp_files(utempter_t)
  
-@@ -388,10 +416,75 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -140625,7 +140986,6 @@ index b7a5f00..b2a6592 100644
 +	')
 +')
 +
-+
 +auth_read_passwd(nsswitch_domain)
 +
 +# read /etc/nsswitch.conf
@@ -141191,7 +141551,7 @@ index 354ce93..abe4723 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..5f91350 100644
+index 94fd8dd..09f0ac4 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -141289,17 +141649,17 @@ index 94fd8dd..5f91350 100644
  		typeattribute $2 direct_init_entry;
  
 -		userdom_dontaudit_use_user_terminals($1)
-+#		userdom_dontaudit_use_user_terminals($1)
- 	')
- 
+-	')
+-
 -	ifdef(`hide_broken_symptoms',`
 -		# RHEL4 systems seem to have a stray
 -		# fds open from the initrd
 -		ifdef(`distro_rhel4',`
 -			kernel_dontaudit_use_fds($1)
 -		')
--	')
--
++#		userdom_dontaudit_use_user_terminals($1)
+ 	')
+ 
 -	optional_policy(`
 -		nscd_socket_use($1)
 +	tunable_policy(`init_upstart || init_systemd',`
@@ -141411,7 +141771,7 @@ index 94fd8dd..5f91350 100644
  #
  interface(`init_exec',`
  	gen_require(`
-@@ -451,6 +500,29 @@ interface(`init_exec',`
+@@ -451,6 +500,48 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -141423,6 +141783,25 @@ index 94fd8dd..5f91350 100644
 +
 +#######################################
 +## <summary>
++##  Check access to the init/systemd executable.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`init_access_check',`
++    gen_require(`
++        type init_exec_t;
++    ')
++
++    corecmd_search_bin($1)
++    allow $1 init_exec_t:file { getattr_file_perms execute };
++')
++
++#######################################
++## <summary>
 +##  Dontaudit getattr on the init program.
 +## </summary>
 +## <param name="domain">
@@ -141441,7 +141820,7 @@ index 94fd8dd..5f91350 100644
  ')
  
  ########################################
-@@ -509,6 +581,24 @@ interface(`init_sigchld',`
+@@ -509,6 +600,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -141466,7 +141845,7 @@ index 94fd8dd..5f91350 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -519,10 +609,66 @@ interface(`init_sigchld',`
+@@ -519,10 +628,66 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -141535,7 +141914,7 @@ index 94fd8dd..5f91350 100644
  ')
  
  ########################################
-@@ -688,19 +834,25 @@ interface(`init_telinit',`
+@@ -688,19 +853,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -141562,7 +141941,7 @@ index 94fd8dd..5f91350 100644
  	')
  ')
  
-@@ -730,7 +882,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +901,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -141571,7 +141950,7 @@ index 94fd8dd..5f91350 100644
  ##	</summary>
  ## </param>
  #
-@@ -773,18 +925,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +944,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -141595,7 +141974,7 @@ index 94fd8dd..5f91350 100644
  	')
  ')
  
-@@ -800,19 +953,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +972,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -141618,11 +141997,11 @@ index 94fd8dd..5f91350 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+	')
-+')
-+
-+########################################
-+## <summary>
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -141635,13 +142014,17 @@ index 94fd8dd..5f91350 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
- 	')
++	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
- ')
- 
- ########################################
-@@ -868,9 +1043,14 @@ interface(`init_script_file_domtrans',`
++')
++
++########################################
++## <summary>
+ ##	Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -868,9 +1062,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -141656,7 +142039,7 @@ index 94fd8dd..5f91350 100644
  	files_search_etc($1)
  ')
  
-@@ -961,7 +1141,9 @@ interface(`init_ptrace',`
+@@ -961,7 +1160,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
@@ -141667,7 +142050,7 @@ index 94fd8dd..5f91350 100644
  ')
  
  ########################################
-@@ -1079,6 +1261,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1280,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -141692,7 +142075,7 @@ index 94fd8dd..5f91350 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1330,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1349,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -141706,7 +142089,7 @@ index 94fd8dd..5f91350 100644
  ')
  
  ########################################
-@@ -1375,6 +1570,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1589,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -141734,7 +142117,7 @@ index 94fd8dd..5f91350 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1677,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1696,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -141760,7 +142143,7 @@ index 94fd8dd..5f91350 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1754,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1773,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -141785,7 +142168,7 @@ index 94fd8dd..5f91350 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1586,6 +1839,43 @@ interface(`init_read_utmp',`
+@@ -1586,6 +1858,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -141829,7 +142212,7 @@ index 94fd8dd..5f91350 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1674,7 +1964,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1983,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -141838,7 +142221,7 @@ index 94fd8dd..5f91350 100644
  ')
  
  ########################################
-@@ -1715,6 +2005,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +2024,128 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -141967,7 +142350,7 @@ index 94fd8dd..5f91350 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2161,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2180,284 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -146421,10 +146804,10 @@ index a0eef20..3cd6b11 100644
  
  ifdef(`distro_gentoo',`
 diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..fa210cd 100644
+index 72c746e..f035d9f 100644
 --- a/policy/modules/system/mount.fc
 +++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,21 @@
+@@ -1,4 +1,26 @@
 +/bin/fusermount    		--      gen_context(system_u:object_r:fusermount_exec_t,s0)
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
@@ -146447,8 +146830,13 @@ index 72c746e..fa210cd 100644
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/mount(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
++
++/usr/sbin/mount\.ecryptfs_private 	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/mount\.ecryptfs	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs_private	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..da41726 100644
+index 8b5c196..03bc7d7 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
 @@ -16,6 +16,12 @@ interface(`mount_domtrans',`
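Review bot: The four ecryptfs entries are appended after the `/var/run/...` lines, but mount.fc is ordered by path, so the `/usr/sbin/mount\.ecryptfs*` and `umount\.ecryptfs*` lines belong with the other `/usr/sbin` helpers earlier in the section rather than at the tail of the file. All four, the `_private` helpers and the plain `mount.ecryptfs`/`umount.ecryptfs` wrappers alike, share the single `mount_ecryptfs_exec_t` type and therefore run in a domain that this commit's mount.te grants `setuid`, `setgid` and `sys_admin`; if the unsuffixed wrappers are ordinary unprivileged front-ends, a comment saying why they need the same domain, or a separate type for them, would make the least-privilege intent clear.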
@@ -146464,7 +146852,7 @@ index 8b5c196..da41726 100644
  ')
  
  ########################################
-@@ -45,12 +51,77 @@ interface(`mount_run',`
+@@ -45,8 +51,73 @@ interface(`mount_run',`
  	role $2 types mount_t;
  
  	optional_policy(`
@@ -146487,11 +146875,11 @@ index 8b5c196..da41726 100644
 +
 +	optional_policy(`
 +		samba_run_smbmount(mount_t, $2)
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Execute fusermount in the mount domain, and
 +##	allow the specified role the mount domain,
 +##	and use the caller's terminal.
@@ -146511,7 +146899,7 @@ index 8b5c196..da41726 100644
 +interface(`mount_run_fusermount',`
 +	gen_require(`
 +		type mount_t;
-+	')
+ 	')
 +
 +	mount_domtrans_fusermount($1)
 +	role $2 types mount_t;
@@ -146536,13 +146924,9 @@ index 8b5c196..da41726 100644
 +
 +	allow $1 mount_var_run_t:file read_file_perms;
 +	files_search_pids($1)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute mount in the caller domain.
- ## </summary>
- ## <param name="domain">
+ ')
+ 
+ ########################################
 @@ -95,7 +166,7 @@ interface(`mount_signal',`
  ## </summary>
  ## <param name="domain">
@@ -146552,7 +146936,7 @@ index 8b5c196..da41726 100644
  ##	</summary>
  ## </param>
  #
-@@ -135,45 +206,119 @@ interface(`mount_send_nfs_client_request',`
+@@ -135,45 +206,138 @@ interface(`mount_send_nfs_client_request',`
  
  ########################################
  ## <summary>
@@ -146612,14 +146996,19 @@ index 8b5c196..da41726 100644
  ##	<summary>
 -##	Role allowed access.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`mount_run_unconfined',`
 +interface(`mount_exec_fusermount',`
-+	gen_require(`
+ 	gen_require(`
+-		type unconfined_mount_t;
 +		type fusermount_exec_t;
-+	')
-+
+ 	')
+ 
+-	mount_domtrans_unconfined($1)
+-	role $2 types unconfined_mount_t;
 +	can_exec($1, fusermount_exec_t)
 +')
 +
@@ -146630,19 +147019,14 @@ index 8b5c196..da41726 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`mount_run_unconfined',`
++##	</summary>
++## </param>
++#
 +interface(`mount_dontaudit_exec_fusermount',`
- 	gen_require(`
--		type unconfined_mount_t;
++	gen_require(`
 +		type fusermount_exec_t;
- 	')
- 
--	mount_domtrans_unconfined($1)
--	role $2 types unconfined_mount_t;
++	')
++
 +	dontaudit $1 fusermount_exec_t:file exec_file_perms;
 +')
 +
@@ -146687,12 +147071,31 @@ index 8b5c196..da41726 100644
 +
 +    mount_domtrans_showmount($1)
 +    role $2 types showmount_t;
++')
++
++#######################################
++## <summary>
++##      Transition to ecryptmount.
++## </summary>
++## <param name="domain">
++## <summary>
++##      Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mount_domtrans_ecryptmount',`
++        gen_require(`
++                type mount_ecryptfs_t, mount_ecryptfs_exec_t;
++        ')
++
++        corecmd_search_bin($1)
++        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..ce3806c 100644
+index 15832c7..ac650d3 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
-@@ -17,17 +17,29 @@ type mount_exec_t;
+@@ -17,17 +17,37 @@ type mount_exec_t;
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
  
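Review bot: `mount_domtrans_ecryptmount` supplies only the domain transition, and mount.te in the following hunk authorises the new domain for one role (`role system_r types mount_ecryptfs_t;`), so a caller running as `staff_r` or `user_r` — which the `use_ecryptfs_home_dirs` tunable added to userdomain.te in this commit suggests is the intended consumer — would fail the transition with a role violation. The file's other helpers pair each `mount_domtrans_*` with a `mount_run_*(domain, role)` that adds the `role $2 types ...` line (`mount_run_fusermount`, `mount_run_showmount`); this interface needs the same companion, sketched below. The name also drifts from the types it requires: the sibling interfaces are named after their type, so `mount_domtrans_ecryptfs` would be consistent with `mount_ecryptfs_t`/`mount_ecryptfs_exec_t`. Finally, the body is indented with eight spaces where the file uses tabs, and `##      Transition to ecryptmount.` should name the program, e.g. `##	Execute mount.ecryptfs in the mount_ecryptfs domain.`
```m4
# … unchanged: mount_domtrans_ecryptmount above …

########################################
## <summary>
##	Execute mount.ecryptfs in the mount_ecryptfs domain and
##	allow the specified role the mount_ecryptfs domain.
## </summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
## <param name="role"><summary>Role allowed access.</summary></param>
## <rolecap/>
#
interface(`mount_run_ecryptmount',`
	gen_require(`
		type mount_ecryptfs_t;
	')

	mount_domtrans_ecryptmount($1)
	role $2 types mount_ecryptfs_t;
')
```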
@@ -146724,10 +147127,18 @@ index 15832c7..ce3806c 100644
 +type showmount_exec_t;
 +application_domain(showmount_t, showmount_exec_t)
 +role system_r types showmount_t;
++
++type mount_ecryptfs_t;
++type mount_ecryptfs_exec_t;
++application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t)
++role system_r types mount_ecryptfs_t;
++
++type mount_ecryptfs_tmpfs_t;
++files_tmpfs_file(mount_ecryptfs_tmpfs_t)
  
  ########################################
  #
-@@ -35,7 +47,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
+@@ -35,7 +55,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
  #
  
  # setuid/setgid needed to mount cifs 
@@ -146740,7 +147151,7 @@ index 15832c7..ce3806c 100644
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -46,9 +62,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,9 +70,24 @@ can_exec(mount_t, mount_exec_t)
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -146766,7 +147177,7 @@ index 15832c7..ce3806c 100644
  kernel_dontaudit_write_debugfs_dirs(mount_t)
  kernel_dontaudit_write_proc_dirs(mount_t)
  # To load binfmt_misc kernel module
-@@ -57,65 +88,94 @@ kernel_request_load_module(mount_t)
+@@ -57,65 +96,94 @@ kernel_request_load_module(mount_t)
  # required for mount.smbfs
  corecmd_exec_bin(mount_t)
  
@@ -146870,7 +147281,7 @@ index 15832c7..ce3806c 100644
  
  logging_send_syslog_msg(mount_t)
  
-@@ -126,6 +186,9 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +194,9 @@ sysnet_use_portmap(mount_t)
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -146880,7 +147291,7 @@ index 15832c7..ce3806c 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -141,26 +204,28 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +212,28 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -146919,7 +147330,7 @@ index 15832c7..ce3806c 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +239,8 @@ optional_policy(`
+@@ -174,6 +247,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -146928,7 +147339,7 @@ index 15832c7..ce3806c 100644
  ')
  
  optional_policy(`
-@@ -181,6 +248,28 @@ optional_policy(`
+@@ -181,6 +256,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -146957,7 +147368,7 @@ index 15832c7..ce3806c 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,21 +277,88 @@ optional_policy(`
+@@ -188,21 +285,116 @@ optional_policy(`
  	')
  ')
  
@@ -147052,6 +147463,34 @@ index 15832c7..ce3806c 100644
 +sysnet_dns_name_resolve(showmount_t)
 +
 +userdom_use_inherited_user_terminals(showmount_t)
++
++#######################################
++#
++# mount_ecryptfs local policy
++#
++
++domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)
++
++allow mount_ecryptfs_t self:capability setgid;
++allow mount_ecryptfs_t self:capability { setuid sys_admin };
++allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms;
++allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
++userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
++
++domain_use_interactive_fds(mount_ecryptfs_t)
++
++files_read_etc_files(mount_ecryptfs_t)
++
++fs_read_ecryptfs_symlinks(mount_ecryptfs_t)
++fs_read_ecryptfs_files(mount_ecryptfs_t)
++
++auth_use_nsswitch(mount_ecryptfs_t)
++
++miscfiles_read_localization(mount_ecryptfs_t)
 diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
 index b263a8a..9348c8c 100644
 --- a/policy/modules/system/netlabel.fc
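Review bot: The two `self:capability` rules for `mount_ecryptfs_t` should be a single line as elsewhere in mount.te, `allow mount_ecryptfs_t self:capability { setgid setuid sys_admin };`; the split reads like unmerged audit2allow output. `sys_admin` is the capability that makes a domain effectively root for mount(2) and a great deal more, so it warrants a why-comment — presumably `# mount(2)/umount(2) of the private ecryptfs directory`, with a similar note for `setuid`/`setgid` if they exist to drop back to the invoking user. Since the domain also reaches the real mount binary through `domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)`, check the AVC that motivated `sys_admin` here; if `mount_t` performs the mount, the grant in this domain may be unnecessary.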
@@ -155224,7 +155663,7 @@ index 4b2878a..7ec3343 100644
 +	typeattribute $1 userdom_home_manager_type;
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..26e8127 100644
+index 9b4a930..ed716be 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -155287,7 +155726,7 @@ index 9b4a930..26e8127 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -71,26 +102,112 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +102,121 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -155383,6 +155822,10 @@ index 9b4a930..26e8127 100644
 +    fs_read_fusefs_files(userdom_home_reader_type)
 +')
 +
++tunable_policy(`use_ecryptfs_home_dirs',`
++        fs_read_ecryptfs_files(userdom_home_reader_type)
++')
++
 +tunable_policy(`use_nfs_home_dirs',`
 +    fs_list_auto_mountpoints(userdom_home_manager_type)
 +    fs_manage_nfs_dirs(userdom_home_manager_type)
@@ -155402,6 +155845,11 @@ index 9b4a930..26e8127 100644
 +    fs_manage_fusefs_symlinks(userdom_home_manager_type)
 +')
 +
++tunable_policy(`use_ecryptfs_home_dirs',`
++	fs_manage_ecryptfs_dirs(userdom_home_manager_type)
++	fs_manage_ecryptfs_files(userdom_home_manager_type)
++	fs_manage_ecryptfs_files(userdom_home_manager_type)
++')
 diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
 index a865da7..f22f770 100644
 --- a/policy/modules/system/xen.fc
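Review bot: The third line of the `use_ecryptfs_home_dirs` block repeats `fs_manage_ecryptfs_files(userdom_home_manager_type)` verbatim. The parallel `use_fusefs_home_dirs` block just above ends with `fs_manage_fusefs_symlinks`, and mount.te in this commit already relies on `fs_read_ecryptfs_symlinks`, so the duplicate looks like a copy-paste slip where the symlink counterpart was intended — if a manage-symlinks interface exists for ecryptfs in fs.if, use it there; otherwise drop the duplicated line. The block is also indented with tabs while the neighbouring fusefs and nfs blocks use four spaces and the reader-side ecryptfs block added earlier in this commit uses eight; one convention per file.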
@@ -155558,7 +156006,7 @@ index 77d41b6..cc73c96 100644
  
  	files_search_pids($1)
 diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..b1de3a5 100644
+index 4350ba0..48f2468 100644
 --- a/policy/modules/system/xen.te
 +++ b/policy/modules/system/xen.te
 @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -155640,12 +156088,23 @@ index 4350ba0..b1de3a5 100644
  
  files_read_etc_files(xend_t)
  files_read_kernel_symbol_table(xend_t)
-@@ -320,13 +326,9 @@ locallogin_dontaudit_use_fds(xend_t)
+@@ -309,7 +315,9 @@ files_etc_filetrans_etc_runtime(xend_t, file)
+ files_read_usr_files(xend_t)
+ files_read_default_symlinks(xend_t)
+ 
++term_setattr_generic_ptys(xend_t)
+ term_getattr_all_ptys(xend_t)
++term_setattr_all_ptys(xend_t)
+ term_use_generic_ptys(xend_t)
+ term_use_ptmx(xend_t)
+ term_getattr_pty_fs(xend_t)
+@@ -320,13 +328,11 @@ locallogin_dontaudit_use_fds(xend_t)
  
  logging_send_syslog_msg(xend_t)
  
 -lvm_domtrans(xend_t)
--
++auth_read_passwd(xend_t)
+ 
  miscfiles_read_localization(xend_t)
  miscfiles_read_hwdata(xend_t)
  
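Review bot: `term_setattr_generic_ptys(xend_t)` and `term_setattr_all_ptys(xend_t)` are added without a rationale, and setattr on every pty type is a broad grant for a management daemon; a one-line comment tying it to the changelog entry would help the next reviewer, e.g. `# xend without libvirt sets up guest console ptys itself` (the consumer is not visible in this hunk, so confirm the wording). If the `ptchown_exec(xend_t)` added further down this file is the actual mechanism that adjusts the pty, `term_setattr_all_ptys` may be wider than the denial required — confirm against the AVC before keeping both lines.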
@@ -155654,7 +156113,7 @@ index 4350ba0..b1de3a5 100644
  sysnet_domtrans_dhcpc(xend_t)
  sysnet_signal_dhcpc(xend_t)
  sysnet_domtrans_ifconfig(xend_t)
-@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
  
  xen_stream_connect_xenstore(xend_t)
  
@@ -155663,7 +156122,7 @@ index 4350ba0..b1de3a5 100644
  optional_policy(`
  	brctl_domtrans(xend_t)
  ')
-@@ -349,6 +349,23 @@ optional_policy(`
+@@ -349,6 +353,27 @@ optional_policy(`
  	consoletype_exec(xend_t)
  ')
  
@@ -155680,6 +156139,10 @@ index 4350ba0..b1de3a5 100644
 +')
 +
 +optional_policy(`
++	ptchown_exec(xend_t)
++')
++
++optional_policy(`
 +	virt_search_images(xend_t)
 +	virt_read_config(xend_t)
 +')
@@ -155687,7 +156150,7 @@ index 4350ba0..b1de3a5 100644
  ########################################
  #
  # Xen console local policy
-@@ -374,8 +391,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -374,8 +399,6 @@ dev_rw_xen(xenconsoled_t)
  dev_filetrans_xen(xenconsoled_t)
  dev_rw_sysfs(xenconsoled_t)
  
@@ -155696,7 +156159,7 @@ index 4350ba0..b1de3a5 100644
  files_read_etc_files(xenconsoled_t)
  files_read_usr_files(xenconsoled_t)
  
-@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +436,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
  files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
  
  # pid file
@@ -155708,7 +156171,7 @@ index 4350ba0..b1de3a5 100644
  
  # log files
  manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +466,11 @@ files_read_etc_files(xenstored_t)
  
  files_read_usr_files(xenstored_t)
  
@@ -155720,7 +156183,7 @@ index 4350ba0..b1de3a5 100644
  
  init_use_fds(xenstored_t)
  init_use_script_ptys(xenstored_t)
-@@ -457,96 +475,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +483,9 @@ xen_append_log(xenstored_t)
  
  ########################################
  #
@@ -155817,7 +156280,7 @@ index 4350ba0..b1de3a5 100644
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-@@ -559,8 +490,4 @@ optional_policy(`
+@@ -559,8 +498,4 @@ optional_policy(`
  		fs_manage_nfs_files(xend_t)
  		fs_read_nfs_symlinks(xend_t)
  	')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4fe8d59..d732ae3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 138%{?dist}
+Release: 139%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,28 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Sun Jul 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-139
+- Add support for ecryptfs
+	* ecryptfs does not support xattr
+- Allow lpstat.cups to read fips_enabled file
+- Allow pyzor running as spamc_t to create /root/.pyzor directory
+- Add labeling for amavisd-snmp init script
+- Add support for amavisd-snmp
+- Allow fprintd sigkill self
+- Allow xend (w/o libvirt) to start virtual machines
+- Allow aiccu to read /etc/passwd
+- accountsd needs to fchown some files/directories
+- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
+- Allow xend_t to read the /etc/passwd file
+- Allow freshclam to update databases thru HTTP proxy
+- Add init_access_check() interface
+- Allow s-m-config to access check on systemd
+- Allow abrt to read public files by default
+- Fix amavis_create_pid_files() interface
+- Allow tuned sys_nice, sys_admin caps
+- Allow amavisd to execute fsav
+- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
+
 * Tue Jul 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-138
 - Add labeling for aeolus-configserver-thinwrapper
 - Allow thin domains to execute shell

