[selinux-policy/f17] - Add support for ecryptfs * ecryptfs does not support xattr - Allow lpstat.cups to read fips
Miroslav Grepl
mgrepl at fedoraproject.org
Sun Jul 15 20:35:57 UTC 2012
commit 35dca99cf08913ecc52697a9c18de2b2858c528c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Sun Jul 15 22:35:12 2012 +0200
- Add support for ecryptfs
* ecryptfs does not support xattr
- Allow lpstat.cups to read fips_enabled file
- Allow pyzor running as spamc_t to create /root/.pyzor directory
- Add labeling for amavisd-snmp init script
- Add support for amavisd-snmp
- Allow fprintd sigkill self
- Allow xend (w/o libvirt) to start virtual machines
- Allow aiccu to read /etc/passwd
- accountsd needs to fchown some files/directories
- Add ICAClient and zimbrauserdata as mozilla_filetrans_home_content
- Allow xend_t to read the /etc/passwd file
- Allow freshclam to update databases thru HTTP proxy
- Add init_access_check() interface
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Allow tuned sys_nice, sys_admin caps
- Allow amavisd to execute fsav
- Allow system_dbusd_t to stream connect to bluetooth, and use its socke
policy-F16.patch | 961 ++++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 24 ++-
2 files changed, 735 insertions(+), 250 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 3a8069f..6d0b438 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -58217,7 +58217,7 @@ index 111d004..c90e80d 100644
-## </desc>
-gen_bool(secure_mode_policyload,false)
diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..0f0bb47 100644
+index 4705ab6..96d561e 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -6,6 +6,13 @@
@@ -58276,10 +58276,17 @@ index 4705ab6..0f0bb47 100644
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
-@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -105,9 +103,31 @@ gen_tunable(use_samba_home_dirs,false)
## <desc>
## <p>
++## Support ecryptfs home directories
++## </p>
++## </desc>
++gen_tunable(use_ecryptfs_home_dirs,false)
++
++## <desc>
++## <p>
+## Support fusefs home directories
+## </p>
+## </desc>
@@ -60258,10 +60265,18 @@ index c6ca761..46e0767 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..9f49d01 100644
+index e0791b9..98d188e 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
-@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+@@ -41,6 +41,7 @@ allow netutils_t self:packet_socket create_socket_perms;
+ allow netutils_t self:udp_socket create_socket_perms;
+ allow netutils_t self:tcp_socket create_stream_socket_perms;
+ allow netutils_t self:socket create_socket_perms;
++allow netutils_t self:netlink_socket create_socket_perms;
+
+ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+@@ -48,6 +49,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
kernel_read_all_sysctls(netutils_t)
@@ -60270,7 +60285,7 @@ index e0791b9..9f49d01 100644
corenet_all_recvfrom_unlabeled(netutils_t)
corenet_all_recvfrom_netlabel(netutils_t)
-@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
+@@ -64,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)
dev_read_sysfs(netutils_t)
@@ -60280,7 +60295,7 @@ index e0791b9..9f49d01 100644
fs_getattr_xattr_fs(netutils_t)
-@@ -83,7 +88,7 @@ logging_send_syslog_msg(netutils_t)
+@@ -83,7 +89,7 @@ logging_send_syslog_msg(netutils_t)
miscfiles_read_localization(netutils_t)
term_dontaudit_use_console(netutils_t)
@@ -60289,7 +60304,7 @@ index e0791b9..9f49d01 100644
userdom_use_all_users_fds(netutils_t)
optional_policy(`
-@@ -104,6 +109,8 @@ optional_policy(`
+@@ -104,6 +110,8 @@ optional_policy(`
#
allow ping_t self:capability { setuid net_raw };
@@ -60298,7 +60313,7 @@ index e0791b9..9f49d01 100644
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-@@ -134,8 +141,6 @@ logging_send_syslog_msg(ping_t)
+@@ -134,8 +142,6 @@ logging_send_syslog_msg(ping_t)
miscfiles_read_localization(ping_t)
@@ -60307,7 +60322,7 @@ index e0791b9..9f49d01 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -60333,7 +60348,7 @@ index e0791b9..9f49d01 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -157,6 +176,10 @@ optional_policy(`
+@@ -157,6 +177,10 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -60344,7 +60359,7 @@ index e0791b9..9f49d01 100644
########################################
#
# Traceroute local policy
-@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +218,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -60352,7 +60367,7 @@ index e0791b9..9f49d01 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -204,9 +228,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +229,16 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
@@ -62694,7 +62709,7 @@ index 74354da..f04565f 100644
+ modutils_read_module_deps(usbmodules_t)
+')
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index c467144..fb794f9 100644
+index c467144..670479e 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -10,7 +10,7 @@ ifdef(`distro_gentoo',`
@@ -62706,6 +62721,14 @@ index c467144..fb794f9 100644
/usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
/usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',`
+ /usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/usr/sbin/newusers -- gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 81fb26f..66cf96c 100644
--- a/policy/modules/admin/usermanage.if
@@ -67083,7 +67106,7 @@ index 93ac529..82f8e65 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..ce9aee0 100644
+index fbb5c5a..2c0357f 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -67226,7 +67249,7 @@ index fbb5c5a..ce9aee0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -279,28 +361,98 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +361,100 @@ interface(`mozilla_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -67330,6 +67353,8 @@ index fbb5c5a..ce9aee0 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
@@ -68961,6 +68986,35 @@ index ccc15ab..9f88c3a 100644
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
+diff --git a/policy/modules/apps/ptchown.if b/policy/modules/apps/ptchown.if
+index 96cc023..5919bbd 100644
+--- a/policy/modules/apps/ptchown.if
++++ b/policy/modules/apps/ptchown.if
+@@ -18,6 +18,24 @@ interface(`ptchown_domtrans',`
+ domtrans_pattern($1, ptchown_exec_t, ptchown_t)
+ ')
+
++#######################################
++## <summary>
++## Execute ptchown in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ptchown_exec',`
++ gen_require(`
++ type ptchown_exec_t;
++ ')
++
++ can_exec($1, ptchown_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Execute ptchown in the ptchown domain, and
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
index 84f23dc..5be2738 100644
--- a/policy/modules/apps/pulseaudio.fc
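Review bot: The parameter description on the new `ptchown_exec` interface says "Domain allowed to transition.", but the body is only `can_exec($1, ptchown_exec_t)`, which runs the binary in the caller's own domain with no transition into `ptchown_t`. The description should read `## Domain allowed access.` so the documentation does not suggest the helper ends up confined. It would also help to say in the summary that the caller keeps its own permissions while running ptchown, since `ptchown_domtrans` directly above is the variant that moves it into `ptchown_t`.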
@@ -69578,10 +69632,10 @@ index 4c091ca..a58f123 100644
+
+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index f594e12..e8f731d 100644
+index f594e12..04cc347 100644
--- a/policy/modules/apps/sambagui.te
+++ b/policy/modules/apps/sambagui.te
-@@ -27,16 +27,20 @@ corecmd_exec_bin(sambagui_t)
+@@ -27,16 +27,22 @@ corecmd_exec_bin(sambagui_t)
dev_dontaudit_read_urand(sambagui_t)
@@ -69592,6 +69646,8 @@ index f594e12..e8f731d 100644
auth_use_nsswitch(sambagui_t)
+auth_dontaudit_read_shadow(sambagui_t)
++
++init_access_check(sambagui_t)
logging_send_syslog_msg(sambagui_t)
@@ -69602,7 +69658,7 @@ index f594e12..e8f731d 100644
optional_policy(`
consoletype_exec(sambagui_t)
')
-@@ -56,6 +60,7 @@ optional_policy(`
+@@ -56,6 +62,7 @@ optional_policy(`
samba_manage_var_files(sambagui_t)
samba_read_secrets(sambagui_t)
samba_initrc_domtrans(sambagui_t)
@@ -72376,7 +72432,7 @@ index 223ad43..d95e720 100644
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..ee313ec 100644
+index 3fae11a..dab79fa 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -72474,7 +72530,7 @@ index 3fae11a..ee313ec 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -179,67 +186,93 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +186,94 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -72495,7 +72551,8 @@ index 3fae11a..ee313ec 100644
-/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/pingus -- gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -72613,7 +72670,7 @@ index 3fae11a..ee313ec 100644
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,11 +280,18 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +281,18 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -72633,7 +72690,7 @@ index 3fae11a..ee313ec 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +307,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +308,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -72644,7 +72701,7 @@ index 3fae11a..ee313ec 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +330,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +331,19 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -72665,7 +72722,7 @@ index 3fae11a..ee313ec 100644
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +354,12 @@ ifdef(`distro_redhat', `
+@@ -306,10 +355,12 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -72680,7 +72737,7 @@ index 3fae11a..ee313ec 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +369,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +370,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -72692,7 +72749,7 @@ index 3fae11a..ee313ec 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,20 +415,21 @@ ifdef(`distro_redhat', `
+@@ -363,20 +416,21 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -72718,7 +72775,7 @@ index 3fae11a..ee313ec 100644
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +438,13 @@ ifdef(`distro_suse', `
+@@ -385,3 +439,13 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -78968,10 +79025,18 @@ index 22821ff..2765a15 100644
########################################
#
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..e89e4bf 100644
+index cda5588..91d1e25 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
-@@ -14,3 +14,8 @@
+@@ -1,3 +1,7 @@
++# ecryptfs does not support xattr
++HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
++HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
++
+ /cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+ /cgroup/.* <<none>>
+
+@@ -14,3 +18,8 @@
# for systemd systems:
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/.* <<none>>
@@ -78981,7 +79046,7 @@ index cda5588..e89e4bf 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..cab2348 100644
+index 97fcdac..c812a81 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -79289,10 +79354,132 @@ index 97fcdac..cab2348 100644
## Search dosfs filesystem.
## </summary>
## <param name="domain">
-@@ -2025,6 +2205,68 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ ')
- ########################################
- ## <summary>
++
++#######################################
++## <summary>
++## Search directories
++## on a ecrypt filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_search_ecryptfs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete directories
++## on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_ecryptfs_dirs',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
++ allow $1 ecryptfs_t:dir manage_dir_perms;
++')
++
++#######################################
++## <summary>
++## Create, read, write, and delete files
++## on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_read_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete files
++## on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to create,
++## read, write, and delete files
++## on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ dontaudit $1 ecryptfs_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++## Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_read_ecryptfs_symlinks',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
+## Manage symbolic links on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
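Review bot: `fs_search_ecryptfs` declares `type fusefs_t;` in its `gen_require`, but the rule it emits is `allow $1 ecryptfs_t:dir search_dir_perms;`, so the type the interface actually uses is never required; the block should read `type ecryptfs_t;`. The same mismatch is in `fs_manage_ecryptfs_symlinks` in the next hunk, where the pattern was switched to `ecryptfs_t` while the unchanged `gen_require` still names `fusefs_t`. Presumably this only builds where `ecryptfs_t` is already in scope for the caller, and it leaves a needless dependency on `fusefs_t`. Several of the new summaries still say "FUSEFS filesystem", and `fs_read_ecryptfs_files` is described as "Create, read, write, and delete files" although it only expands `read_files_pattern`, which will mislead anyone auditing what access each interface grants.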
@@ -79301,12 +79488,12 @@ index 97fcdac..cab2348 100644
+## </summary>
+## </param>
+#
-+interface(`fs_manage_fusefs_symlinks',`
++interface(`fs_manage_ecryptfs_symlinks',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
-+ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
+')
+
+########################################
@@ -79344,21 +79531,108 @@ index 97fcdac..cab2348 100644
+## </summary>
+## </param>
+#
-+interface(`fs_fusefs_domtrans',`
++interface(`fs_ecryptfs_domtrans',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir search_dir_perms;
++ domain_auto_transition_pattern($1, ecryptfs_t, $2)
++')
++
+ ########################################
+ ## <summary>
+ ## Mount a FUSE filesystem.
+@@ -2006,21 +2368,83 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+
+ ########################################
+ ## <summary>
+-## Read symbolic links on a FUSEFS filesystem.
++## Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_read_fusefs_symlinks',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
-+ allow $1 fusefs_t:dir search_dir_perms;
-+ domain_auto_transition_pattern($1, fusefs_t, $2)
++ allow $1 fusefs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
- ## Get the attributes of an hugetlbfs
- ## filesystem.
++## Manage symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_manage_fusefs_symlinks',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++## <summary>
++## Execute a file on a FUSE filesystem
++## in the specified domain.
## </summary>
-@@ -2080,6 +2322,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
++## <desc>
++## <p>
++## Execute a file on a FUSE filesystem
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain. This is not suggested.
++## </p>
++## <p>
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++## </p>
++## <p>
++## This interface was added to handle
++## home directories on FUSE filesystems,
++## in particular used by the ssh-agent policy.
++## </p>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="target_domain">
++## <summary>
++## The type of the new process.
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_read_fusefs_symlinks',`
++interface(`fs_fusefs_domtrans',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- allow $1 fusefs_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ allow $1 fusefs_t:dir search_dir_perms;
++ domain_auto_transition_pattern($1, fusefs_t, $2)
+ ')
+
+ ########################################
+@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
## <summary>
@@ -79383,7 +79657,7 @@ index 97fcdac..cab2348 100644
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -2148,11 +2408,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -79397,7 +79671,7 @@ index 97fcdac..cab2348 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2480,6 +2741,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2923,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -79405,7 +79679,7 @@ index 97fcdac..cab2348 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2518,6 +2780,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2962,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -79413,7 +79687,7 @@ index 97fcdac..cab2348 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2544,6 +2807,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2989,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -79439,7 +79713,7 @@ index 97fcdac..cab2348 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2564,7 +2846,7 @@ interface(`fs_append_nfs_files',`
+@@ -2564,7 +3028,7 @@ interface(`fs_append_nfs_files',`
########################################
## <summary>
@@ -79448,7 +79722,7 @@ index 97fcdac..cab2348 100644
## on a NFS filesystem.
## </summary>
## <param name="domain">
-@@ -2584,6 +2866,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +3048,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@@ -79491,7 +79765,7 @@ index 97fcdac..cab2348 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
-@@ -2598,7 +2916,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +3098,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -79500,7 +79774,7 @@ index 97fcdac..cab2348 100644
')
########################################
-@@ -2622,7 +2940,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2622,7 +3122,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
@@ -79509,7 +79783,7 @@ index 97fcdac..cab2348 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2736,7 +3054,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +3236,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -79518,7 +79792,7 @@ index 97fcdac..cab2348 100644
## </summary>
## </param>
#
-@@ -2772,7 +3090,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3272,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -79527,7 +79801,7 @@ index 97fcdac..cab2348 100644
## </summary>
## </param>
#
-@@ -2965,6 +3283,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3465,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -79535,7 +79809,7 @@ index 97fcdac..cab2348 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3005,6 +3324,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3506,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -79543,7 +79817,7 @@ index 97fcdac..cab2348 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3045,6 +3365,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3547,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -79551,7 +79825,7 @@ index 97fcdac..cab2348 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3258,6 +3579,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3258,6 +3761,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@@ -79576,7 +79850,7 @@ index 97fcdac..cab2348 100644
########################################
## <summary>
## Read and write NFS server files.
-@@ -3278,6 +3617,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3278,6 +3799,24 @@ interface(`fs_rw_nfsd_fs',`
########################################
## <summary>
@@ -79601,7 +79875,7 @@ index 97fcdac..cab2348 100644
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
-@@ -3387,7 +3744,7 @@ interface(`fs_search_ramfs',`
+@@ -3387,7 +3926,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@@ -79610,7 +79884,7 @@ index 97fcdac..cab2348 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3424,7 +3781,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3424,7 +3963,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@@ -79619,7 +79893,7 @@ index 97fcdac..cab2348 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3442,7 +3799,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3442,7 +3981,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@@ -79628,7 +79902,7 @@ index 97fcdac..cab2348 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3810,6 +4167,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3810,6 +4349,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
@@ -79653,7 +79927,7 @@ index 97fcdac..cab2348 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
-@@ -3958,6 +4333,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4515,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@@ -79696,7 +79970,7 @@ index 97fcdac..cab2348 100644
## Create, read, write, and delete
## tmpfs directories
## </summary>
-@@ -4059,7 +4470,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4059,7 +4652,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -79705,7 +79979,7 @@ index 97fcdac..cab2348 100644
')
########################################
-@@ -4119,6 +4530,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4119,6 +4712,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@@ -79730,7 +80004,7 @@ index 97fcdac..cab2348 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
-@@ -4156,7 +4585,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4156,7 +4767,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@@ -79739,7 +80013,7 @@ index 97fcdac..cab2348 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4175,6 +4604,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4786,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -79782,7 +80056,7 @@ index 97fcdac..cab2348 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4232,6 +4697,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4232,6 +4879,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@@ -79807,7 +80081,7 @@ index 97fcdac..cab2348 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
-@@ -4251,6 +4734,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4916,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -79833,7 +80107,7 @@ index 97fcdac..cab2348 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4457,6 +4959,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +5141,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -79842,7 +80116,7 @@ index 97fcdac..cab2348 100644
')
########################################
-@@ -4503,7 +5007,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +5189,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -79851,7 +80125,7 @@ index 97fcdac..cab2348 100644
## Example attributes:
## </p>
## <ul>
-@@ -4866,3 +5370,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5552,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -84839,7 +85113,7 @@ index 0b827c5..ac79ca6 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..bb97cc2 100644
+index 30861ec..8d391e2 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -85004,7 +85278,7 @@ index 30861ec..bb97cc2 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,22 +197,30 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +197,31 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -85017,6 +85291,7 @@ index 30861ec..bb97cc2 100644
miscfiles_read_generic_certs(abrt_t)
-miscfiles_read_localization(abrt_t)
++miscfiles_read_public_files(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
@@ -85040,7 +85315,7 @@ index 30861ec..bb97cc2 100644
')
optional_policy(`
-@@ -167,6 +241,7 @@ optional_policy(`
+@@ -167,6 +242,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -85048,7 +85323,7 @@ index 30861ec..bb97cc2 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +253,35 @@ optional_policy(`
+@@ -178,12 +254,35 @@ optional_policy(`
')
optional_policy(`
@@ -85085,7 +85360,7 @@ index 30861ec..bb97cc2 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +298,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +299,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -85114,7 +85389,7 @@ index 30861ec..bb97cc2 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +321,146 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +322,146 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -85348,7 +85623,7 @@ index c0f858d..10a0cd6 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..67cd103 100644
+index 1632f10..1cb95bc 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -1,5 +1,9 @@
@@ -85380,7 +85655,7 @@ index 1632f10..67cd103 100644
#
-allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
-+allow accountsd_t self:capability { dac_override setuid setgid };
++allow accountsd_t self:capability { chown dac_override setuid setgid };
+allow accountsd_t self:process signal;
allow accountsd_t self:fifo_file rw_fifo_file_perms;
+allow accountsd_t self:passwd { rootok passwd chfn chsh };
@@ -85479,7 +85754,7 @@ index 184c9a8..8f77bf5 100644
domain_system_change_exemption($1)
role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
-index 6d685ba..4114d9b 100644
+index 6d685ba..b6f9ba3 100644
--- a/policy/modules/services/aiccu.te
+++ b/policy/modules/services/aiccu.te
@@ -45,9 +45,11 @@ corecmd_exec_shell(aiccu_t)
@@ -85494,6 +85769,15 @@ index 6d685ba..4114d9b 100644
corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
corenet_tcp_bind_generic_node(aiccu_t)
corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+@@ -62,6 +64,8 @@ dev_read_urand(aiccu_t)
+
+ files_read_etc_files(aiccu_t)
+
++auth_read_passwd(aiccu_t)
++
+ logging_send_syslog_msg(aiccu_t)
+
+ miscfiles_read_localization(aiccu_t)
diff --git a/policy/modules/services/aide.fc b/policy/modules/services/aide.fc
index 7798464..ff76db7 100644
--- a/policy/modules/services/aide.fc
@@ -85791,11 +86075,14 @@ index 0000000..3d0fd88
+')
+
diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
-index d96fdfa..e07158f 100644
+index d96fdfa..75eab43 100644
--- a/policy/modules/services/amavis.fc
+++ b/policy/modules/services/amavis.fc
-@@ -4,7 +4,7 @@
+@@ -2,9 +2,10 @@
+ /etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
+ /etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
-/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
@@ -85804,10 +86091,18 @@ index d96fdfa..e07158f 100644
ifdef(`distro_debian',`
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
-index e31d92a..e515cb8 100644
+index e31d92a..1aa0718 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
-@@ -231,9 +231,13 @@ interface(`amavis_admin',`
+@@ -202,6 +202,7 @@ interface(`amavis_create_pid_files',`
+ type amavis_var_run_t;
+ ')
+
++ allow $1 amavis_var_run_t:dir rw_dir_perms;
+ allow $1 amavis_var_run_t:file create_file_perms;
+ files_search_pids($1)
+ ')
+@@ -231,9 +232,13 @@ interface(`amavis_admin',`
type amavis_initrc_exec_t;
')
@@ -85823,7 +86118,7 @@ index e31d92a..e515cb8 100644
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index deca9d3..ac92fce 100644
+index deca9d3..e25ae7a 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -38,7 +38,7 @@ type amavis_quarantine_t;
@@ -85835,7 +86130,33 @@ index deca9d3..ac92fce 100644
########################################
#
-@@ -128,6 +128,7 @@ corenet_tcp_connect_razor_port(amavis_t)
+@@ -49,7 +49,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid };
+ dontaudit amavis_t self:capability sys_tty_config;
+ allow amavis_t self:process { signal sigchld sigkill signull };
+ allow amavis_t self:fifo_file rw_fifo_file_perms;
+-allow amavis_t self:unix_stream_socket create_stream_socket_perms;
++allow amavis_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow amavis_t self:unix_dgram_socket create_socket_perms;
+ allow amavis_t self:tcp_socket { listen accept };
+ allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -75,9 +75,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+ files_search_spool(amavis_t)
+
+ # tmp files
++manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+ manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
++manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+ allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
++files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir } )
+
+ # var/lib files for amavis
+ manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+@@ -125,9 +127,11 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t)
+ corenet_udp_bind_generic_port(amavis_t)
+ corenet_dontaudit_udp_bind_all_ports(amavis_t)
+ corenet_tcp_connect_razor_port(amavis_t)
++corenet_tcp_connect_agentx_port(amavis_t)
dev_read_rand(amavis_t)
dev_read_urand(amavis_t)
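Review bot: The widened transition `files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir } )` still leaves out `sock_file`, although the same hunk adds `manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)`. A socket created inside an amavis_tmp_t directory inherits that type, but one created directly under /tmp would presumably keep the generic tmp label and be denied. If that case occurs, the line should read `files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file })`. If sockets only ever live in the daemon's own temporary directory, a one-line comment under `# tmp files` saying so would explain why the class list is narrower than the manage rules.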
@@ -85843,15 +86164,18 @@ index deca9d3..ac92fce 100644
domain_use_interactive_fds(amavis_t)
-@@ -137,6 +138,7 @@ files_read_usr_files(amavis_t)
+@@ -137,8 +141,10 @@ files_read_usr_files(amavis_t)
fs_getattr_xattr_fs(amavis_t)
+auth_use_nsswitch(amavis_t)
auth_dontaudit_read_shadow(amavis_t)
++init_read_state(amavis_t)
# uses uptime which reads utmp - redhat bug 561383
-@@ -153,24 +155,28 @@ sysnet_use_ldap(amavis_t)
+ init_read_utmp(amavis_t)
+ init_stream_connect_script(amavis_t)
+@@ -153,29 +159,34 @@ sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
@@ -85887,6 +86211,23 @@ index deca9d3..ac92fce 100644
nslcd_stream_connect(amavis_t)
')
+ optional_policy(`
+ postfix_read_config(amavis_t)
++ postfix_list_spool(amavis_t)
+ ')
+
+ optional_policy(`
+@@ -188,6 +199,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ snmp_manage_var_lib_files(amavis_t)
++')
++
++optional_policy(`
+ spamassassin_exec(amavis_t)
+ spamassassin_exec_client(amavis_t)
+ spamassassin_read_lib_files(amavis_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..0bd78fc 100644
--- a/policy/modules/services/apache.fc
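Review bot: `snmp_manage_var_lib_files(amavis_t)` gives the mail-scanning domain full manage rights over the SNMP state files, and the earlier amavis.te hunk's `corenet_tcp_connect_agentx_port(amavis_t)` lets it reach the AgentX port, yet both appear to be needed only by the amavisd-snmp subagent. The new init script is labelled amavis_initrc_exec_t and `/usr/sbin/amavisd.*` maps to amavis_exec_t, so the subagent presumably runs in amavis_t alongside the process that parses untrusted mail. A separate domain for the subagent would keep these permissions away from the content scanner. Failing that, a comment such as `# amavisd-snmp subagent only` above each of the two rules would tie the grant to its consumer.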
@@ -92586,7 +92927,7 @@ index 1f11572..87840b4 100644
+
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..1ae1cef 100644
+index f758323..5207f78 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,23 @@
@@ -92729,15 +93070,16 @@ index f758323..1ae1cef 100644
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +228,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +228,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_connect_clamd_port(freshclam_t)
++corenet_tcp_connect_squid_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,16 +247,22 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +248,22 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
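Review bot: `corenet_tcp_connect_squid_port(freshclam_t)` is added without a matching packet rule, whereas the HTTP case is paired with `corenet_sendrecv_http_client_packets(freshclam_t)` on the following line. On systems that label packets the proxy connection may still be denied; adding `corenet_sendrecv_squid_client_packets(freshclam_t)` next to the http line would keep the two paths consistent. The grant is unconditional, so a short comment like `# signature updates through an HTTP proxy` would tell the next reader why the updater may reach the proxy port.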
@@ -92764,7 +93106,7 @@ index f758323..1ae1cef 100644
########################################
#
# clamscam local policy
-@@ -242,15 +288,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +289,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
@@ -92800,7 +93142,7 @@ index f758323..1ae1cef 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +330,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +331,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
@@ -92870,10 +93212,10 @@ index 6077339..d10acd2 100644
dev_manage_generic_blk_files(clogd_t)
diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
new file mode 100644
-index 0000000..7182054
+index 0000000..e59cc85
--- /dev/null
+++ b/policy/modules/services/cloudform.fc
-@@ -0,0 +1,19 @@
+@@ -0,0 +1,20 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
@@ -92889,6 +93231,7 @@ index 0000000..7182054
+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0)
+/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/aeolus-conductor/dbomatic\.log -- gen_context(system_u:object_r:mongod_log_t,s0)
+
+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
@@ -92941,10 +93284,10 @@ index 0000000..7f55959
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..e0716d7
+index 0000000..ebf11b1
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,197 @@
+@@ -0,0 +1,198 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -93105,6 +93448,7 @@ index 0000000..e0716d7
+
+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
++logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
+
+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
@@ -98379,7 +98723,7 @@ index 1a1becd..115133d 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..a3267cd 100644
+index 1bff6ee..cdf9fb7 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -98450,7 +98794,7 @@ index 1bff6ee..a3267cd 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -136,11 +145,27 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -136,11 +145,31 @@ seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
@@ -98461,6 +98805,10 @@ index 1bff6ee..a3267cd 100644
')
optional_policy(`
++ bluetooth_stream_connect(system_dbusd_t)
++')
++
++optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
@@ -98478,7 +98826,7 @@ index 1bff6ee..a3267cd 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -151,12 +176,160 @@ optional_policy(`
+@@ -151,12 +180,160 @@ optional_policy(`
')
optional_policy(`
@@ -98499,7 +98847,7 @@ index 1bff6ee..a3267cd 100644
#
-# Unconfined access to this module
+# system_bus_type rules
-+#
+ #
+role system_r types system_bus_type;
+
+fs_search_all(system_bus_type)
@@ -98520,7 +98868,7 @@ index 1bff6ee..a3267cd 100644
+optional_policy(`
+ abrt_stream_connect(system_bus_type)
+')
-+
+
+optional_policy(`
+ rpm_script_dbus_chat(system_bus_type)
+')
@@ -98536,7 +98884,7 @@ index 1bff6ee..a3267cd 100644
+########################################
+#
+# session_bus_type rules
- #
++#
+dontaudit session_bus_type self:capability sys_resource;
+allow session_bus_type self:process { getattr sigkill signal };
+dontaudit session_bus_type self:process setrlimit;
@@ -98615,7 +98963,7 @@ index 1bff6ee..a3267cd 100644
+optional_policy(`
+ gnome_read_gconf_home_files(session_bus_type)
+')
-
++
+optional_policy(`
+ hal_dbus_chat(session_bus_type)
+')
@@ -103095,7 +103443,7 @@ index ebad8c4..eeddf7b 100644
')
-
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
-index 7df52c7..26422af 100644
+index 7df52c7..efdd053 100644
--- a/policy/modules/services/fprintd.te
+++ b/policy/modules/services/fprintd.te
@@ -8,6 +8,7 @@ policy_module(fprintd, 1.1.0)
@@ -103115,7 +103463,7 @@ index 7df52c7..26422af 100644
+
allow fprintd_t self:fifo_file rw_fifo_file_perms;
-allow fprintd_t self:process { getsched signal };
-+allow fprintd_t self:process { getsched setsched signal };
++allow fprintd_t self:process { getsched setsched signal sigkill };
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
@@ -109031,7 +109379,7 @@ index a4f32f5..628b63c 100644
## in the caller domain.
## </summary>
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index 93c14ca..00cd4a4 100644
+index 93c14ca..e66a1b9 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
@@ -109094,7 +109442,15 @@ index 93c14ca..00cd4a4 100644
# Write to /var/spool/lpd.
manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
-@@ -277,19 +278,21 @@ miscfiles_read_localization(lpr_t)
+@@ -238,6 +239,7 @@ can_exec(lpr_t, lpr_exec_t)
+ # Allow lpd to read, rename, and unlink spool files.
+ allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+
++kernel_read_system_state(lpr_t)
+ kernel_read_kernel_sysctls(lpr_t)
+
+ corenet_all_recvfrom_unlabeled(lpr_t)
+@@ -277,19 +279,21 @@ miscfiles_read_localization(lpr_t)
userdom_read_user_tmp_symlinks(lpr_t)
# Write to the user domain tty.
@@ -109121,7 +109477,7 @@ index 93c14ca..00cd4a4 100644
# Send SIGHUP to lpd.
allow lpr_t lpd_t:process signal;
-@@ -307,17 +310,7 @@ tunable_policy(`use_lpd_server',`
+@@ -307,17 +311,7 @@ tunable_policy(`use_lpd_server',`
read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
')
@@ -109140,7 +109496,7 @@ index 93c14ca..00cd4a4 100644
optional_policy(`
cups_read_config(lpr_t)
-@@ -326,5 +319,13 @@ optional_policy(`
+@@ -326,5 +320,13 @@ optional_policy(`
')
optional_policy(`
@@ -129292,7 +129648,7 @@ index c954f31..82fc7f6 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..1ee5862 100644
+index ec1eb1e..bdab717 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -6,56 +6,41 @@ policy_module(spamassassin, 2.4.0)
@@ -129517,7 +129873,7 @@ index ec1eb1e..1ee5862 100644
')
########################################
-@@ -206,15 +269,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +269,36 @@ allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -129534,6 +129890,9 @@ index ec1eb1e..1ee5862 100644
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
+userdom_append_user_home_content_files(spamc_t)
++# for /root/.pyzor
++allow spamc_t self:capability dac_override;
++userdom_admin_home_dir_filetrans(spamc_t, spamc_home_t , dir, ".pyzor")
+
+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
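Review bot: `allow spamc_t self:capability dac_override;` lets every process in spamc_t bypass discretionary file permissions wherever type enforcement already allows access, which is far more than creating one directory. Later context in this file shows the domain also has `corenet_tcp_connect_all_ports(spamc_t)`. The comment `# for /root/.pyzor` does not say why DAC has to be overridden; presumably /root is not owner-writable on the target systems. Once that is confirmed I would expand it to `# /root is not writable by its owner, so pyzor running as root needs dac_override to create /root/.pyzor`, so the capability can be dropped if the directory is ever pre-created. The stray space in `spamc_home_t , dir` could be removed at the same time.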
@@ -129542,6 +129901,7 @@ index ec1eb1e..1ee5862 100644
allow spamc_t spamd_t:unix_stream_socket connectto;
allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+spamd_stream_connect(spamc_t)
++allow spamc_t spamd_tmp_t:file read_inherited_file_perms;
kernel_read_kernel_sysctls(spamc_t)
+kernel_read_system_state(spamc_t)
@@ -129550,7 +129910,7 @@ index ec1eb1e..1ee5862 100644
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +306,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -226,6 +310,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
@@ -129558,7 +129918,7 @@ index ec1eb1e..1ee5862 100644
fs_search_auto_mountpoints(spamc_t)
-@@ -244,9 +325,14 @@ files_read_usr_files(spamc_t)
+@@ -244,9 +329,14 @@ files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -129573,7 +129933,7 @@ index ec1eb1e..1ee5862 100644
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -254,27 +340,35 @@ seutil_read_config(spamc_t)
+@@ -254,27 +344,35 @@ seutil_read_config(spamc_t)
sysnet_read_config(spamc_t)
@@ -129615,7 +129975,7 @@ index ec1eb1e..1ee5862 100644
')
########################################
-@@ -286,7 +380,7 @@ optional_policy(`
+@@ -286,7 +384,7 @@ optional_policy(`
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -129624,7 +129984,7 @@ index ec1eb1e..1ee5862 100644
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -302,10 +396,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +400,17 @@ allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -129643,7 +130003,7 @@ index ec1eb1e..1ee5862 100644
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +415,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +419,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -129661,7 +130021,7 @@ index ec1eb1e..1ee5862 100644
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -367,23 +472,23 @@ files_read_var_lib_files(spamd_t)
+@@ -367,23 +476,23 @@ files_read_var_lib_files(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
@@ -129693,7 +130053,7 @@ index ec1eb1e..1ee5862 100644
')
optional_policy(`
-@@ -399,7 +504,9 @@ optional_policy(`
+@@ -399,7 +508,9 @@ optional_policy(`
')
optional_policy(`
@@ -129703,7 +130063,7 @@ index ec1eb1e..1ee5862 100644
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -408,25 +515,17 @@ optional_policy(`
+@@ -408,25 +519,17 @@ optional_policy(`
')
optional_policy(`
@@ -129731,7 +130091,7 @@ index ec1eb1e..1ee5862 100644
postgresql_stream_connect(spamd_t)
')
-@@ -437,6 +536,10 @@ optional_policy(`
+@@ -437,6 +540,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
@@ -129742,7 +130102,7 @@ index ec1eb1e..1ee5862 100644
')
optional_policy(`
-@@ -444,6 +547,7 @@ optional_policy(`
+@@ -444,6 +551,7 @@ optional_policy(`
')
optional_policy(`
@@ -129750,7 +130110,7 @@ index ec1eb1e..1ee5862 100644
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
')
-@@ -451,3 +555,51 @@ optional_policy(`
+@@ -451,3 +559,51 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
@@ -132884,7 +133244,7 @@ index 54b8605..a04f013 100644
admin_pattern($1, tuned_var_run_t)
')
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
-index db9d2a5..c7b09c0 100644
+index db9d2a5..346d4d7 100644
--- a/policy/modules/services/tuned.te
+++ b/policy/modules/services/tuned.te
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -132900,13 +133260,14 @@ index db9d2a5..c7b09c0 100644
type tuned_log_t;
logging_log_file(tuned_log_t)
-@@ -23,23 +29,39 @@ files_pid_file(tuned_var_run_t)
+@@ -22,24 +28,39 @@ files_pid_file(tuned_var_run_t)
+ #
# tuned local policy
#
-
-+allow tuned_t self:process signal;
-+
+-
++allow tuned_t self:capability { sys_admin sys_nice };
dontaudit tuned_t self:capability { dac_override sys_tty_config };
++allow tuned_t self:process signal;
+allow tuned_t self:fifo_file rw_fifo_file_perms;
+allow tuned_t self:udp_socket create_socket_perms;
+
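Review bot: `allow tuned_t self:capability { sys_admin sys_nice };` adds sys_admin with no comment, and that capability covers a wide range of privileged operations beyond tuning. The hunk does not show which operation was denied, so a later reviewer cannot tell whether the grant is still needed or could be narrowed. A line such as `# sys_admin: <denied operation>; sys_nice: <denied operation>` above the rule, filled in from the AVC that prompted the change, would document it. The tuned local policy block continues beyond this hunk.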
@@ -132944,7 +133305,7 @@ index db9d2a5..c7b09c0 100644
# to allow cpu tuning
dev_rw_netcontrol(tuned_t)
-@@ -47,6 +69,10 @@ files_read_etc_files(tuned_t)
+@@ -47,6 +68,10 @@ files_read_etc_files(tuned_t)
files_read_usr_files(tuned_t)
files_dontaudit_search_home(tuned_t)
@@ -132955,7 +133316,7 @@ index db9d2a5..c7b09c0 100644
logging_send_syslog_msg(tuned_t)
miscfiles_read_localization(tuned_t)
-@@ -58,6 +84,14 @@ optional_policy(`
+@@ -58,6 +83,14 @@ optional_policy(`
fstools_domtrans(tuned_t)
')
@@ -135922,7 +136283,7 @@ index aa6e5a8..42a0efb 100644
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..c628935 100644
+index 4966c94..c231dab 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -136049,11 +136410,11 @@ index 4966c94..c628935 100644
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
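Review bot: `/var/log/lightdm(/.*)?` stays on xserver_log_t while the other display-manager log entries in this hunk (`[mkwx]dm\.log.*`, `lxdm\.log.*`, `[mg]dm(/.*)?`, `slim\.log`) move to xdm_log_t. If the split is meant to separate display-manager logs from X server logs, lightdm's directory is the only one left behind, and rules written against xdm_log_t would not cover it. Either change that entry to `gen_context(system_u:object_r:xdm_log_t,s0)` or add a comment explaining why lightdm differs.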
@@ -136086,7 +136447,7 @@ index 4966c94..c628935 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..d1576ab 100644
+index 130ced9..3024c40 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -136853,7 +137214,7 @@ index 130ced9..d1576ab 100644
')
########################################
-@@ -1243,10 +1558,536 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1558,533 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -137357,9 +137718,6 @@ index 130ced9..d1576ab 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
+ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+ optional_policy(`
-+ gnome_cache_filetrans($1, xdm_home_t, dir, "gdm")
-+ ')
+')
+
+########################################
@@ -139766,7 +140124,7 @@ index 28ad538..82def3d 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..c71cf8e 100644
+index 73554ec..358cf75 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -139849,7 +140207,7 @@ index 73554ec..c71cf8e 100644
manage_files_pattern($1, var_auth_t, var_auth_t)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -120,16 +146,29 @@ interface(`auth_login_pgm_domain',`
+@@ -120,16 +146,31 @@ interface(`auth_login_pgm_domain',`
manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
files_var_filetrans($1, auth_cache_t, dir)
@@ -139877,10 +140235,12 @@ index 73554ec..c71cf8e 100644
fs_list_auto_mountpoints($1)
+ fs_manage_cgroup_dirs($1)
+ fs_manage_cgroup_files($1)
++ fs_read_ecryptfs_symlinks($1)
++ fs_read_ecryptfs_files($1)
selinux_get_fs_mount($1)
selinux_validate_context($1)
-@@ -145,6 +184,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +186,8 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1)
mls_fd_share_all_levels($1)
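Review bot: `fs_read_ecryptfs_symlinks($1)` and `fs_read_ecryptfs_files($1)` are added to `auth_login_pgm_domain` unconditionally, so SELinux no longer restricts any login program domain from reading content on any ecryptfs mount. The commit message notes that ecryptfs has no xattr support, so files there cannot be told apart by type and the grant is all-or-nothing. If the policy has a boolean for ecryptfs home directories, wrapping these two calls in a `tunable_policy` block would limit the access to systems that use it. The same applies to `mount_domtrans_ecryptmount($1)` in the later authlogin.if hunk. Otherwise a comment such as `# ecryptfs has no xattrs: all files share one label` would record the trade-off. The interface body starts and ends outside this hunk.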
@@ -139889,7 +140249,7 @@ index 73554ec..c71cf8e 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -155,13 +196,92 @@ interface(`auth_login_pgm_domain',`
+@@ -155,13 +198,93 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -139925,6 +140285,7 @@ index 73554ec..c71cf8e 100644
+ corecmd_exec_bin($1)
+ storage_getattr_fixed_disk_dev($1)
+ mount_domtrans($1)
++ mount_domtrans_ecryptmount($1)
+ ')
+
+ optional_policy(`
@@ -139984,7 +140345,7 @@ index 73554ec..c71cf8e 100644
## Use the login program as an entry point program.
## </summary>
## <param name="domain">
-@@ -368,13 +488,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -368,13 +491,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -140001,7 +140362,7 @@ index 73554ec..c71cf8e 100644
')
########################################
-@@ -421,6 +543,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +546,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -140027,7 +140388,7 @@ index 73554ec..c71cf8e 100644
')
########################################
-@@ -440,7 +581,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -440,7 +584,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -140035,7 +140396,7 @@ index 73554ec..c71cf8e 100644
')
########################################
-@@ -637,6 +777,10 @@ interface(`auth_manage_shadow',`
+@@ -637,6 +780,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -140046,7 +140407,7 @@ index 73554ec..c71cf8e 100644
')
#######################################
-@@ -736,7 +880,50 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +883,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -140098,7 +140459,7 @@ index 73554ec..c71cf8e 100644
')
#######################################
-@@ -932,9 +1119,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1122,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -140132,7 +140493,7 @@ index 73554ec..c71cf8e 100644
')
########################################
-@@ -1013,6 +1221,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1013,6 +1224,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -140143,7 +140504,7 @@ index 73554ec..c71cf8e 100644
')
########################################
-@@ -1130,6 +1342,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1130,6 +1345,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -140151,7 +140512,7 @@ index 73554ec..c71cf8e 100644
')
#######################################
-@@ -1387,6 +1600,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1603,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -140177,7 +140538,7 @@ index 73554ec..c71cf8e 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1537,37 +1769,49 @@ interface(`auth_manage_login_records',`
+@@ -1537,37 +1772,49 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -140237,7 +140598,7 @@ index 73554ec..c71cf8e 100644
## </p>
## </desc>
## <param name="domain">
-@@ -1575,87 +1819,206 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1822,206 @@ interface(`auth_relabel_login_records',`
## Domain allowed access.
## </summary>
## </param>
@@ -140495,7 +140856,7 @@ index 73554ec..c71cf8e 100644
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..b2a6592 100644
+index b7a5f00..d0c3808 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,22 +5,42 @@ policy_module(authlogin, 2.2.1)
@@ -140604,7 +140965,7 @@ index b7a5f00..b2a6592 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -388,10 +416,75 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -140625,7 +140986,6 @@ index b7a5f00..b2a6592 100644
+ ')
+')
+
-+
+auth_read_passwd(nsswitch_domain)
+
+# read /etc/nsswitch.conf
@@ -141191,7 +141551,7 @@ index 354ce93..abe4723 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..5f91350 100644
+index 94fd8dd..09f0ac4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -141289,17 +141649,17 @@ index 94fd8dd..5f91350 100644
typeattribute $2 direct_init_entry;
- userdom_dontaudit_use_user_terminals($1)
-+# userdom_dontaudit_use_user_terminals($1)
- ')
-
+- ')
+-
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_rhel4',`
- kernel_dontaudit_use_fds($1)
- ')
-- ')
--
++# userdom_dontaudit_use_user_terminals($1)
+ ')
+
- optional_policy(`
- nscd_socket_use($1)
+ tunable_policy(`init_upstart || init_systemd',`
@@ -141411,7 +141771,7 @@ index 94fd8dd..5f91350 100644
#
interface(`init_exec',`
gen_require(`
-@@ -451,6 +500,29 @@ interface(`init_exec',`
+@@ -451,6 +500,48 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -141423,6 +141783,25 @@ index 94fd8dd..5f91350 100644
+
+#######################################
+## <summary>
++## Check access to the init/systemd executable.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_access_check',`
++ gen_require(`
++ type init_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 init_exec_t:file { getattr_file_perms execute };
++')
++
++#######################################
++## <summary>
+## Dontaudit getattr on the init program.
+## </summary>
+## <param name="domain">
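Review bot: The summary `Check access to the init/systemd executable.` on the new `init_access_check` interface does not mention that it grants `execute` on init_exec_t. The rule `allow $1 init_exec_t:file { getattr_file_perms execute };` carries no execute_no_trans permission and no domain transition, so it appears intended only to let an access(2)-style X_OK probe succeed, not to run init. I would state that in the summary, for example `## Allow the domain to test (not perform) execution of the init/systemd executable.`, so callers do not mistake it for `init_exec`.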
@@ -141441,7 +141820,7 @@ index 94fd8dd..5f91350 100644
')
########################################
-@@ -509,6 +581,24 @@ interface(`init_sigchld',`
+@@ -509,6 +600,24 @@ interface(`init_sigchld',`
########################################
## <summary>
@@ -141466,7 +141845,7 @@ index 94fd8dd..5f91350 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
-@@ -519,10 +609,66 @@ interface(`init_sigchld',`
+@@ -519,10 +628,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -141535,7 +141914,7 @@ index 94fd8dd..5f91350 100644
')
########################################
-@@ -688,19 +834,25 @@ interface(`init_telinit',`
+@@ -688,19 +853,25 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -141562,7 +141941,7 @@ index 94fd8dd..5f91350 100644
')
')
-@@ -730,7 +882,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +901,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@@ -141571,7 +141950,7 @@ index 94fd8dd..5f91350 100644
## </summary>
## </param>
#
-@@ -773,18 +925,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +944,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -141595,7 +141974,7 @@ index 94fd8dd..5f91350 100644
')
')
-@@ -800,19 +953,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +972,45 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -141618,11 +141997,11 @@ index 94fd8dd..5f91350 100644
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ ')
+
+ ########################################
+ ## <summary>
+## Execute a file in a bin directory
+## in the initrc_t domain
+## </summary>
@@ -141635,13 +142014,17 @@ index 94fd8dd..5f91350 100644
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
-@@ -868,9 +1043,14 @@ interface(`init_script_file_domtrans',`
++')
++
++########################################
++## <summary>
+ ## Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -868,9 +1062,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -141656,7 +142039,7 @@ index 94fd8dd..5f91350 100644
files_search_etc($1)
')
-@@ -961,7 +1141,9 @@ interface(`init_ptrace',`
+@@ -961,7 +1160,9 @@ interface(`init_ptrace',`
type init_t;
')
@@ -141667,7 +142050,7 @@ index 94fd8dd..5f91350 100644
')
########################################
-@@ -1079,6 +1261,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1280,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -141692,7 +142075,7 @@ index 94fd8dd..5f91350 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1130,12 +1330,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1349,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -141706,7 +142089,7 @@ index 94fd8dd..5f91350 100644
')
########################################
-@@ -1375,6 +1570,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1589,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -141734,7 +142117,7 @@ index 94fd8dd..5f91350 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1461,6 +1677,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1696,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -141760,7 +142143,7 @@ index 94fd8dd..5f91350 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1519,6 +1754,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1773,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@@ -141785,7 +142168,7 @@ index 94fd8dd..5f91350 100644
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1586,6 +1839,43 @@ interface(`init_read_utmp',`
+@@ -1586,6 +1858,43 @@ interface(`init_read_utmp',`
########################################
## <summary>
@@ -141829,7 +142212,7 @@ index 94fd8dd..5f91350 100644
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
-@@ -1674,7 +1964,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1983,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -141838,7 +142221,7 @@ index 94fd8dd..5f91350 100644
')
########################################
-@@ -1715,6 +2005,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +2024,128 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -141967,7 +142350,7 @@ index 94fd8dd..5f91350 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2161,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2180,284 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -146421,10 +146804,10 @@ index a0eef20..3cd6b11 100644
ifdef(`distro_gentoo',`
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..fa210cd 100644
+index 72c746e..f035d9f 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,21 @@
+@@ -1,4 +1,26 @@
+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -146447,8 +146830,13 @@ index 72c746e..fa210cd 100644
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++
++/usr/sbin/mount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/mount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..da41726 100644
+index 8b5c196..03bc7d7 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,12 @@ interface(`mount_domtrans',`
@@ -146464,7 +146852,7 @@ index 8b5c196..da41726 100644
')
########################################
-@@ -45,12 +51,77 @@ interface(`mount_run',`
+@@ -45,8 +51,73 @@ interface(`mount_run',`
role $2 types mount_t;
optional_policy(`
@@ -146487,11 +146875,11 @@ index 8b5c196..da41726 100644
+
+ optional_policy(`
+ samba_run_smbmount(mount_t, $2)
- ')
- ')
-
- ########################################
- ## <summary>
++ ')
++')
++
++########################################
++## <summary>
+## Execute fusermount in the mount domain, and
+## allow the specified role the mount domain,
+## and use the caller's terminal.
@@ -146511,7 +146899,7 @@ index 8b5c196..da41726 100644
+interface(`mount_run_fusermount',`
+ gen_require(`
+ type mount_t;
-+ ')
+ ')
+
+ mount_domtrans_fusermount($1)
+ role $2 types mount_t;
@@ -146536,13 +146924,9 @@ index 8b5c196..da41726 100644
+
+ allow $1 mount_var_run_t:file read_file_perms;
+ files_search_pids($1)
-+')
-+
-+########################################
-+## <summary>
- ## Execute mount in the caller domain.
- ## </summary>
- ## <param name="domain">
+ ')
+
+ ########################################
@@ -95,7 +166,7 @@ interface(`mount_signal',`
## </summary>
## <param name="domain">
@@ -146552,7 +146936,7 @@ index 8b5c196..da41726 100644
## </summary>
## </param>
#
-@@ -135,45 +206,119 @@ interface(`mount_send_nfs_client_request',`
+@@ -135,45 +206,138 @@ interface(`mount_send_nfs_client_request',`
########################################
## <summary>
@@ -146612,14 +146996,19 @@ index 8b5c196..da41726 100644
## <summary>
-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`mount_run_unconfined',`
+interface(`mount_exec_fusermount',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_mount_t;
+ type fusermount_exec_t;
-+ ')
-+
+ ')
+
+- mount_domtrans_unconfined($1)
+- role $2 types unconfined_mount_t;
+ can_exec($1, fusermount_exec_t)
+')
+
@@ -146630,19 +147019,14 @@ index 8b5c196..da41726 100644
+## <param name="domain">
+## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`mount_run_unconfined',`
++## </summary>
++## </param>
++#
+interface(`mount_dontaudit_exec_fusermount',`
- gen_require(`
-- type unconfined_mount_t;
++ gen_require(`
+ type fusermount_exec_t;
- ')
-
-- mount_domtrans_unconfined($1)
-- role $2 types unconfined_mount_t;
++ ')
++
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
+')
+
@@ -146687,12 +147071,31 @@ index 8b5c196..da41726 100644
+
+ mount_domtrans_showmount($1)
+ role $2 types showmount_t;
++')
++
++#######################################
++## <summary>
++## Transition to ecryptmount.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mount_domtrans_ecryptmount',`
++ gen_require(`
++ type mount_ecryptfs_t, mount_ecryptfs_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..ce3806c 100644
+index 15832c7..ac650d3 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -17,17 +17,29 @@ type mount_exec_t;
+@@ -17,17 +17,37 @@ type mount_exec_t;
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
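Review bot: `mount_domtrans_ecryptmount` is added without a `mount_run_*` companion, although the showmount interface just above it ends with `role $2 types showmount_t;`. The type declarations later in this commit authorise `mount_ecryptfs_t` only for `system_r`, so a caller in a user role would presumably fail the transition on role grounds. The callers are outside this hunk, so this needs checking against them. If user domains are meant to use it, a `mount_run_ecryptmount` that calls this interface and adds `role $2 types mount_ecryptfs_t;` would match the file's pattern. The summary `Transition to ecryptmount.` would also read better as `Execute the ecryptfs mount helpers in the mount_ecryptfs_t domain.`, since no type on the page is called ecryptmount.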
@@ -146724,10 +147127,18 @@ index 15832c7..ce3806c 100644
+type showmount_exec_t;
+application_domain(showmount_t, showmount_exec_t)
+role system_r types showmount_t;
++
++type mount_ecryptfs_t;
++type mount_ecryptfs_exec_t;
++application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t)
++role system_r types mount_ecryptfs_t;
++
++type mount_ecryptfs_tmpfs_t;
++files_tmpfs_file(mount_ecryptfs_tmpfs_t)
########################################
#
-@@ -35,7 +47,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
+@@ -35,7 +55,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
#
# setuid/setgid needed to mount cifs
@@ -146740,7 +147151,7 @@ index 15832c7..ce3806c 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -46,9 +62,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,9 +70,24 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -146766,7 +147177,7 @@ index 15832c7..ce3806c 100644
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
-@@ -57,65 +88,94 @@ kernel_request_load_module(mount_t)
+@@ -57,65 +96,94 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -146870,7 +147281,7 @@ index 15832c7..ce3806c 100644
logging_send_syslog_msg(mount_t)
-@@ -126,6 +186,9 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +194,9 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -146880,7 +147291,7 @@ index 15832c7..ce3806c 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -141,26 +204,28 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +212,28 @@ ifdef(`distro_ubuntu',`
')
')
@@ -146919,7 +147330,7 @@ index 15832c7..ce3806c 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +239,8 @@ optional_policy(`
+@@ -174,6 +247,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -146928,7 +147339,7 @@ index 15832c7..ce3806c 100644
')
optional_policy(`
-@@ -181,6 +248,28 @@ optional_policy(`
+@@ -181,6 +256,28 @@ optional_policy(`
')
optional_policy(`
@@ -146957,7 +147368,7 @@ index 15832c7..ce3806c 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,21 +277,88 @@ optional_policy(`
+@@ -188,21 +285,116 @@ optional_policy(`
')
')
@@ -147052,6 +147463,34 @@ index 15832c7..ce3806c 100644
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_inherited_user_terminals(showmount_t)
++
++#######################################
++#
++# mount_ecryptfs local policy
++#
++
++domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)
++
++allow mount_ecryptfs_t self:capability setgid;
++allow mount_ecryptfs_t self:capability { setuid sys_admin };
++allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms;
++allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
++userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
++
++domain_use_interactive_fds(mount_ecryptfs_t)
++
++files_read_etc_files(mount_ecryptfs_t)
++
++fs_read_ecryptfs_symlinks(mount_ecryptfs_t)
++fs_read_ecryptfs_files(mount_ecryptfs_t)
++
++auth_use_nsswitch(mount_ecryptfs_t)
++
++miscfiles_read_localization(mount_ecryptfs_t)
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
index b263a8a..9348c8c 100644
--- a/policy/modules/system/netlabel.fc
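Review bot: The two capability rules for `mount_ecryptfs_t` can be one, `allow mount_ecryptfs_t self:capability { setgid setuid sys_admin };`, and no grant in this block says what needs it. `sys_admin` is broad, and the block also lets the domain transition to `mount_t` through `mount_exec_t`. If the helpers hand the actual mount to mount(8), the capability may not be needed here, which cannot be decided from the hunk. A short comment per group (capabilities, the tmpfs files, the `userdom_rw_user_tmpfs_files` grant) naming the helper behaviour that requires it would make the domain auditable.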
@@ -155224,7 +155663,7 @@ index 4b2878a..7ec3343 100644
+ typeattribute $1 userdom_home_manager_type;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..26e8127 100644
+index 9b4a930..ed716be 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -155287,7 +155726,7 @@ index 9b4a930..26e8127 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +102,112 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +102,121 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -155383,6 +155822,10 @@ index 9b4a930..26e8127 100644
+ fs_read_fusefs_files(userdom_home_reader_type)
+')
+
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(userdom_home_reader_type)
++')
++
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(userdom_home_manager_type)
+ fs_manage_nfs_dirs(userdom_home_manager_type)
@@ -155402,6 +155845,11 @@ index 9b4a930..26e8127 100644
+ fs_manage_fusefs_symlinks(userdom_home_manager_type)
+')
+
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_manage_ecryptfs_dirs(userdom_home_manager_type)
++ fs_manage_ecryptfs_files(userdom_home_manager_type)
++ fs_manage_ecryptfs_files(userdom_home_manager_type)
++')
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
index a865da7..f22f770 100644
--- a/policy/modules/system/xen.fc
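Review bot: `fs_manage_ecryptfs_files(userdom_home_manager_type)` appears twice in the new `use_ecryptfs_home_dirs` block, and the second call adds nothing. The fusefs block directly above ends with `fs_manage_fusefs_symlinks(userdom_home_manager_type)`, so the repeat was probably meant to cover symlinks. Only `fs_read_ecryptfs_symlinks` is visible on this page, so whether a manage variant exists in the filesystem module needs checking. If it does, the third line should be `fs_manage_ecryptfs_symlinks(userdom_home_manager_type)`; otherwise drop the duplicate.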
@@ -155558,7 +156006,7 @@ index 77d41b6..cc73c96 100644
files_search_pids($1)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..b1de3a5 100644
+index 4350ba0..48f2468 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -155640,12 +156088,23 @@ index 4350ba0..b1de3a5 100644
files_read_etc_files(xend_t)
files_read_kernel_symbol_table(xend_t)
-@@ -320,13 +326,9 @@ locallogin_dontaudit_use_fds(xend_t)
+@@ -309,7 +315,9 @@ files_etc_filetrans_etc_runtime(xend_t, file)
+ files_read_usr_files(xend_t)
+ files_read_default_symlinks(xend_t)
+
++term_setattr_generic_ptys(xend_t)
+ term_getattr_all_ptys(xend_t)
++term_setattr_all_ptys(xend_t)
+ term_use_generic_ptys(xend_t)
+ term_use_ptmx(xend_t)
+ term_getattr_pty_fs(xend_t)
+@@ -320,13 +328,11 @@ locallogin_dontaudit_use_fds(xend_t)
logging_send_syslog_msg(xend_t)
-lvm_domtrans(xend_t)
--
++auth_read_passwd(xend_t)
+
miscfiles_read_localization(xend_t)
miscfiles_read_hwdata(xend_t)
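Review bot: `term_setattr_all_ptys(xend_t)` lets xend change attributes on every pty type, not only those it allocates for guest consoles, and it is added next to `term_setattr_generic_ptys(xend_t)` with no comment. If the need is limited to ptys xend creates itself (the commit message mentions starting virtual machines without libvirt), the generic grant alone may be enough. That cannot be confirmed from this hunk. At minimum I would add a comment above the two lines, for example `# setattr on ptys: needed when xend starts guests without libvirt (confirm which pty types)`, so a later audit can tell whether the all-ptys form is still required.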
@@ -155654,7 +156113,7 @@ index 4350ba0..b1de3a5 100644
sysnet_domtrans_dhcpc(xend_t)
sysnet_signal_dhcpc(xend_t)
sysnet_domtrans_ifconfig(xend_t)
-@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
xen_stream_connect_xenstore(xend_t)
@@ -155663,7 +156122,7 @@ index 4350ba0..b1de3a5 100644
optional_policy(`
brctl_domtrans(xend_t)
')
-@@ -349,6 +349,23 @@ optional_policy(`
+@@ -349,6 +353,27 @@ optional_policy(`
consoletype_exec(xend_t)
')
@@ -155680,6 +156139,10 @@ index 4350ba0..b1de3a5 100644
+')
+
+optional_policy(`
++ ptchown_exec(xend_t)
++')
++
++optional_policy(`
+ virt_search_images(xend_t)
+ virt_read_config(xend_t)
+')
@@ -155687,7 +156150,7 @@ index 4350ba0..b1de3a5 100644
########################################
#
# Xen console local policy
-@@ -374,8 +391,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -374,8 +399,6 @@ dev_rw_xen(xenconsoled_t)
dev_filetrans_xen(xenconsoled_t)
dev_rw_sysfs(xenconsoled_t)
@@ -155696,7 +156159,7 @@ index 4350ba0..b1de3a5 100644
files_read_etc_files(xenconsoled_t)
files_read_usr_files(xenconsoled_t)
-@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +436,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
# pid file
@@ -155708,7 +156171,7 @@ index 4350ba0..b1de3a5 100644
# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +466,11 @@ files_read_etc_files(xenstored_t)
files_read_usr_files(xenstored_t)
@@ -155720,7 +156183,7 @@ index 4350ba0..b1de3a5 100644
init_use_fds(xenstored_t)
init_use_script_ptys(xenstored_t)
-@@ -457,96 +475,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +483,9 @@ xen_append_log(xenstored_t)
########################################
#
@@ -155817,7 +156280,7 @@ index 4350ba0..b1de3a5 100644
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-@@ -559,8 +490,4 @@ optional_policy(`
+@@ -559,8 +498,4 @@ optional_policy(`
fs_manage_nfs_files(xend_t)
fs_read_nfs_symlinks(xend_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4fe8d59..d732ae3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 138%{?dist}
+Release: 139%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,28 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Sun Jul 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-139
+- Add support for ecryptfs
+ * ecryptfs does not support xattr
+- Allow lpstat.cups to read fips_enabled file
+- Allow pyzor running as spamc_t to create /root/.pyzor directory
+- Add labeling for amavisd-snmp init script
+- Add support for amavisd-snmp
+- Allow fprintd sigkill self
+- Allow xend (w/o libvirt) to start virtual machines
+- Allow aiccu to read /etc/passwd
+- accountsd needs to fchown some files/directories
+- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
+- Allow xend_t to read the /etc/passwd file
+- Allow freshclam to update databases thru HTTP proxy
+- Add init_access_check() interface
+- Allow s-m-config to access check on systemd
+- Allow abrt to read public files by default
+- Fix amavis_create_pid_files() interface
+- Allow tuned sys_nice, sys_admin caps
+- Allow amavisd to execute fsav
+- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
+
* Tue Jul 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-138
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell