[selinux-policy] Add temporary roleattribute patches

Miroslav Grepl mgrepl at fedoraproject.org
Thu Jun 7 09:59:08 UTC 2012


commit 1ee0a31352aa1e5925fa5044c9b1bfd297a59e5d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Jun 7 11:58:33 2012 +0200

    Add temporary roleattribute patches

 policy-rawhide-roleattribute.patch         | 1128 ++++++++++++++++++++++++++++
 policy-rawhide.patch                       |   56 +-
 policy_contrib-rawhide-roleattribute.patch |  854 +++++++++++++++++++++
 policy_contrib-rawhide.patch               |   43 +-
 selinux-policy.spec                        |    2 +
 5 files changed, 2038 insertions(+), 45 deletions(-)
---
diff --git a/policy-rawhide-roleattribute.patch b/policy-rawhide-roleattribute.patch
new file mode 100644
index 0000000..5862462
--- /dev/null
+++ b/policy-rawhide-roleattribute.patch
@@ -0,0 +1,1128 @@
+commit cfa63bfedb3b94a2b78bc3ee394cf7132167e45b
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 02:18:29 2012 +0200
+
+    roleattribute patch
+
+diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
+index 4a50807..5e914db 100644
+--- a/policy/modules/admin/bootloader.if
++++ b/policy/modules/admin/bootloader.if
+@@ -56,11 +56,21 @@ interface(`bootloader_exec',`
+ #
+ interface(`bootloader_run',`
+ 	gen_require(`
+-		attribute_role bootloader_roles;
++		type bootloader_t;
++		#attribute_role bootloader_roles;
+ 	')
+ 
++	#bootloader_domtrans($1)
++	#roleattribute $2 bootloader_roles;
++
+ 	bootloader_domtrans($1)
+-	roleattribute $2 bootloader_roles;
++
++        role $2 types bootloader_t;
++
++        ifdef(`distro_redhat',`
++                # for mke2fs
++		mount_run(bootloader_t, $2)
++	')
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
+index 81a08e4..e717a21 100644
+--- a/policy/modules/admin/bootloader.te
++++ b/policy/modules/admin/bootloader.te
+@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
+ # Declarations
+ #
+ 
+-attribute_role bootloader_roles;
+-roleattribute system_r bootloader_roles;
++#attribute_role bootloader_roles;
++#roleattribute system_r bootloader_roles;
+ 
+ #
+ # boot_runtime_t is the type for /boot/kernel.h,
+@@ -19,7 +19,8 @@ files_type(boot_runtime_t)
+ type bootloader_t;
+ type bootloader_exec_t;
+ application_domain(bootloader_t, bootloader_exec_t)
+-role bootloader_roles types bootloader_t;
++#role bootloader_roles types bootloader_t;
++role system_r types bootloader_t;
+ 
+ #
+ # bootloader_etc_t is the configuration file,
+@@ -174,7 +175,8 @@ ifdef(`distro_redhat',`
+ 	files_manage_isid_type_chr_files(bootloader_t)
+ 
+ 	# for mke2fs
+-	mount_run(bootloader_t, bootloader_roles)
++	#mount_run(bootloader_t, bootloader_roles)
++	mount_domtrans(bootloader_t)
+ 
+ 	optional_policy(`
+ 		unconfined_domain(bootloader_t)
+diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
+index 4d387af..764260e 100644
+--- a/policy/modules/admin/usermanage.if
++++ b/policy/modules/admin/usermanage.if
+@@ -37,11 +37,16 @@ interface(`usermanage_domtrans_chfn',`
+ #
+ interface(`usermanage_run_chfn',`
+ 	gen_require(`
+-		attribute_role chfn_roles;
++		#attribute_role chfn_roles;
++		type chfn_t;
+ 	')
+ 
++	#usermanage_domtrans_chfn($1)
++	#roleattribute $2 chfn_roles;
++
+ 	usermanage_domtrans_chfn($1)
+-	roleattribute $2 chfn_roles;
++        role $2 types chfn_t;
++
+ ')
+ 
+ ########################################
+@@ -101,11 +106,19 @@ interface(`usermanage_access_check_groupadd',`
+ #
+ interface(`usermanage_run_groupadd',`
+ 	gen_require(`
+-		attribute_role groupadd_roles;
++		type groupadd_t;
++		#attribute_role groupadd_roles;
+ 	')
+ 
++	#usermanage_domtrans_groupadd($1)
++	#roleattribute $2 groupadd_roles;
+ 	usermanage_domtrans_groupadd($1)
+-	roleattribute $2 groupadd_roles;
++        role $2 types groupadd_t;
++
++        optional_policy(`
++                nscd_run(groupadd_t, $2)
++        ')
++
+ ')
+ 
+ ########################################
+@@ -163,11 +176,17 @@ interface(`usermanage_kill_passwd',`
+ #
+ interface(`usermanage_run_passwd',`
+ 	gen_require(`
+-		attribute_role passwd_roles;
++		type type passwd_t;
++		#attribute_role passwd_roles;
+ 	')
+ 
++	#usermanage_domtrans_passwd($1)
++	#roleattribute $2 passwd_roles;
++
+ 	usermanage_domtrans_passwd($1)
+-	roleattribute $2 passwd_roles;
++        role $2 types passwd_t;
++        auth_run_chk_passwd(passwd_t, $2)
++
+ ')
+ 
+ ########################################
+@@ -229,11 +248,20 @@ interface(`usermanage_domtrans_admin_passwd',`
+ #
+ interface(`usermanage_run_admin_passwd',`
+ 	gen_require(`
+-		attribute_role sysadm_passwd_roles;
++		type sysadm_passwd_t;
++		#attribute_role sysadm_passwd_roles;
+ 	')
+ 
++	#usermanage_domtrans_admin_passwd($1)
++	#roleattribute $2 sysadm_passwd_roles;
++
+ 	usermanage_domtrans_admin_passwd($1)
+-	roleattribute $2 sysadm_passwd_roles;
++        role $2 types sysadm_passwd_t;
++
++        optional_policy(`
++                nscd_run(sysadm_passwd_t, $2)
++        ')
++
+ ')
+ 
+ ########################################
+@@ -292,11 +320,20 @@ interface(`usermanage_domtrans_useradd',`
+ #
+ interface(`usermanage_run_useradd',`
+ 	gen_require(`
+-		attribute_role useradd_roles;
++		#attribute_role useradd_roles;
++		type sysadm_passwd_t;
+ 	')
+ 
+-	usermanage_domtrans_useradd($1)
+-	roleattribute $2 useradd_roles;
++	#usermanage_domtrans_useradd($1)
++	#roleattribute $2 useradd_roles;
++
++	usermanage_domtrans_admin_passwd($1)
++        role $2 types sysadm_passwd_t;
++
++        optional_policy(`
++                nscd_run(sysadm_passwd_t, $2)
++        ')
++
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 446b743..a077b28 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3)
+ # Declarations
+ #
+ 
+-attribute_role chfn_roles;
+-role system_r types chfn_t;
++#attribute_role chfn_roles;
++#role system_r types chfn_t;
+ 
+-attribute_role groupadd_roles;
++#attribute_role groupadd_roles;
+ 
+-attribute_role passwd_roles;
+-roleattribute system_r passwd_roles;
++#attribute_role passwd_roles;
++#roleattribute system_r passwd_roles;
+ 
+-attribute_role sysadm_passwd_roles;
+-roleattribute system_r sysadm_passwd_roles;
++#attribute_role sysadm_passwd_roles;
++#roleattribute system_r sysadm_passwd_roles;
+ 
+-attribute_role useradd_roles;
++#attribute_role useradd_roles;
+ 
+ type admin_passwd_exec_t;
+ files_type(admin_passwd_exec_t)
+@@ -25,7 +25,8 @@ type chfn_t;
+ type chfn_exec_t;
+ domain_obj_id_change_exemption(chfn_t)
+ application_domain(chfn_t, chfn_exec_t)
+-role chfn_roles types chfn_t;
++#role chfn_roles types chfn_t;
++role system_r types chfn_t;
+ 
+ type crack_t;
+ type crack_exec_t;
+@@ -42,18 +43,21 @@ type groupadd_t;
+ type groupadd_exec_t;
+ domain_obj_id_change_exemption(groupadd_t)
+ init_system_domain(groupadd_t, groupadd_exec_t)
+-role groupadd_roles types groupadd_t;
++#role groupadd_roles types groupadd_t;
++
+ 
+ type passwd_t;
+ type passwd_exec_t;
+ domain_obj_id_change_exemption(passwd_t)
+ application_domain(passwd_t, passwd_exec_t)
+-role passwd_roles types passwd_t;
++#role passwd_roles types passwd_t;
++role system_r types passwd_t;
+ 
+ type sysadm_passwd_t;
+ domain_obj_id_change_exemption(sysadm_passwd_t)
+ application_domain(sysadm_passwd_t, admin_passwd_exec_t)
+-role sysadm_passwd_roles types sysadm_passwd_t;
++#role sysadm_passwd_roles types sysadm_passwd_t;
++role system_r types sysadm_passwd_t;
+ 
+ type sysadm_passwd_tmp_t;
+ files_tmp_file(sysadm_passwd_tmp_t)
+@@ -62,7 +66,8 @@ type useradd_t;
+ type useradd_exec_t;
+ domain_obj_id_change_exemption(useradd_t)
+ init_system_domain(useradd_t, useradd_exec_t)
+-role useradd_roles types useradd_t;
++#role useradd_roles types useradd_t;
++role system_r types useradd_t;
+ 
+ ########################################
+ #
+@@ -106,11 +111,11 @@ fs_search_auto_mountpoints(chfn_t)
+ dev_read_urand(chfn_t)
+ dev_dontaudit_getattr_all(chfn_t)
+ 
+-#auth_manage_passwd(chfn_t)
+-#auth_use_pam(chfn_t)
+-auth_run_chk_passwd(chfn_t, chfn_roles)
+-auth_dontaudit_read_shadow(chfn_t)
+-auth_use_nsswitch(chfn_t)
++auth_manage_passwd(chfn_t)
++auth_use_pam(chfn_t)
++#auth_run_chk_passwd(chfn_t, chfn_roles)
++#auth_dontaudit_read_shadow(chfn_t)
++#auth_use_nsswitch(chfn_t)
+ 
+ # allow checking if a shell is executable
+ corecmd_check_exec_shell(chfn_t)
+@@ -250,7 +255,8 @@ logging_send_syslog_msg(groupadd_t)
+ 
+ miscfiles_read_localization(groupadd_t)
+ 
+-auth_run_chk_passwd(groupadd_t, groupadd_roles)
++#auth_run_chk_passwd(groupadd_t, groupadd_roles)
++auth_domtrans_chk_passwd(groupadd_t)
+ auth_rw_lastlog(groupadd_t)
+ auth_use_nsswitch(groupadd_t)
+ auth_manage_passwd(groupadd_t)
+@@ -273,7 +279,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_run(groupadd_t, groupadd_roles)
++#	nscd_run(groupadd_t, groupadd_roles)
++	nscd_domtrans(groupadd_t)
+ ')
+ 
+ optional_policy(`
+@@ -332,18 +339,18 @@ selinux_compute_user_contexts(passwd_t)
+ term_use_all_inherited_terms(passwd_t)
+ term_getattr_all_ptys(passwd_t)
+ 
+-#auth_manage_passwd(passwd_t)
+-#auth_manage_shadow(passwd_t)
+-#auth_relabel_shadow(passwd_t)
+-#auth_etc_filetrans_shadow(passwd_t)
+-#auth_use_pam(passwd_t)
+-
+-auth_run_chk_passwd(passwd_t, passwd_roles)
+ auth_manage_passwd(passwd_t)
+ auth_manage_shadow(passwd_t)
+ auth_relabel_shadow(passwd_t)
+ auth_etc_filetrans_shadow(passwd_t)
+-auth_use_nsswitch(passwd_t)
++auth_use_pam(passwd_t)
++
++#auth_run_chk_passwd(passwd_t, passwd_roles)
++#auth_manage_passwd(passwd_t)
++#auth_manage_shadow(passwd_t)
++#auth_relabel_shadow(passwd_t)
++#auth_etc_filetrans_shadow(passwd_t)
++#auth_use_nsswitch(passwd_t)
+ 
+ # allow checking if a shell is executable
+ corecmd_check_exec_shell(passwd_t)
+@@ -385,7 +392,8 @@ userdom_dontaudit_search_user_home_content(passwd_t)
+ userdom_stream_connect(passwd_t)
+ 
+ optional_policy(`
+-	nscd_run(passwd_t, passwd_roles)
++	#nscd_run(passwd_t, passwd_roles)
++	nscd_domtrans(passwd_t)
+ ')
+ 
+ ########################################
+@@ -469,7 +477,8 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
+ userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
+ 
+ optional_policy(`
+-	nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
++	nscd_domtrans(sysadm_passwd_t)
++	#nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
+ ')
+ 
+ ########################################
+@@ -525,7 +534,8 @@ seutil_manage_default_contexts(useradd_t)
+ term_use_all_inherited_terms(useradd_t)
+ term_getattr_all_ptys(useradd_t)
+ 
+-auth_run_chk_passwd(useradd_t, useradd_roles)
++#auth_run_chk_passwd(useradd_t, useradd_roles)
++auth_domtrans_chk_passwd(useradd_t)
+ auth_rw_lastlog(useradd_t)
+ auth_rw_faillog(useradd_t)
+ auth_use_nsswitch(useradd_t)
+@@ -547,15 +557,15 @@ miscfiles_read_localization(useradd_t)
+ seutil_read_config(useradd_t)
+ seutil_read_file_contexts(useradd_t)
+ seutil_read_default_contexts(useradd_t)
+-#seutil_domtrans_semanage(useradd_t)
+-#seutil_domtrans_setfiles(useradd_t)
+-#seutil_domtrans_loadpolicy(useradd_t)
+-#seutil_manage_bin_policy(useradd_t)
+-#seutil_manage_module_store(useradd_t)
+-#seutil_get_semanage_trans_lock(useradd_t)
+-#seutil_get_semanage_read_lock(useradd_t)
+-seutil_run_semanage(useradd_t, useradd_roles)
+-seutil_run_setfiles(useradd_t, useradd_roles)
++seutil_domtrans_semanage(useradd_t)
++seutil_domtrans_setfiles(useradd_t)
++seutil_domtrans_loadpolicy(useradd_t)
++seutil_manage_bin_policy(useradd_t)
++seutil_manage_module_store(useradd_t)
++seutil_get_semanage_trans_lock(useradd_t)
++seutil_get_semanage_read_lock(useradd_t)
++#seutil_run_semanage(useradd_t, useradd_roles)
++#seutil_run_setfiles(useradd_t, useradd_roles)
+ 
+ userdom_use_unpriv_users_fds(useradd_t)
+ # Add/remove user home directories
+@@ -576,7 +586,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_run(useradd_t, useradd_roles)
++	nscd_domtrans(useradd_t)
++#	nscd_run(useradd_t, useradd_roles)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
+index 174cfdb..7071460 100644
+--- a/policy/modules/system/iptables.if
++++ b/policy/modules/system/iptables.if
+@@ -38,11 +38,22 @@ interface(`iptables_domtrans',`
+ #
+ interface(`iptables_run',`
+ 	gen_require(`
+-		attribute_role iptables_roles;
++		#attribute_role iptables_roles;
++		type iptables_t;
+ 	')
+ 
++	#iptables_domtrans($1)
++	#roleattribute $2 iptables_roles;
++
+ 	iptables_domtrans($1)
+-	roleattribute $2 iptables_roles;
++        role $2 types iptables_t;
++
++        sysnet_run_ifconfig(iptables_t, $2)
++
++        optional_policy(`
++                modutils_run_insmod(iptables_t, $2)
++        ')
++
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
+index cc8d773..36e02fa 100644
+--- a/policy/modules/system/iptables.te
++++ b/policy/modules/system/iptables.te
+@@ -5,13 +5,14 @@ policy_module(iptables, 1.13.0)
+ # Declarations
+ #
+ 
+-attribute_role iptables_roles;
+-roleattribute system_r iptables_roles;
++#attribute_role iptables_roles;
++#roleattribute system_r iptables_roles;
+ 
+ type iptables_t;
+ type iptables_exec_t;
+ init_system_domain(iptables_t, iptables_exec_t)
+-role iptables_roles types iptables_t;
++#role iptables_roles types iptables_t;
++role system_r types iptables_t;
+ 
+ type iptables_initrc_exec_t;
+ init_script_file(iptables_initrc_exec_t)
+@@ -97,7 +98,8 @@ logging_send_syslog_msg(iptables_t)
+ 
+ miscfiles_read_localization(iptables_t)
+ 
+-sysnet_run_ifconfig(iptables_t, iptables_roles)
++#sysnet_run_ifconfig(iptables_t, iptables_roles)
++sysnet_domtrans_ifconfig(iptables_t)
+ sysnet_dns_name_resolve(iptables_t)
+ 
+ userdom_use_inherited_user_terminals(iptables_t)
+@@ -119,7 +121,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	modutils_run_insmod(iptables_t, iptables_roles)
++	modutils_domtrans_insmod(iptables_t)
++	#modutils_run_insmod(iptables_t, iptables_roles)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
+index 786f87a..2debedc 100644
+--- a/policy/modules/system/modutils.if
++++ b/policy/modules/system/modutils.if
+@@ -345,11 +345,18 @@ interface(`modutils_domtrans_update_mods',`
+ #
+ interface(`modutils_run_update_mods',`
+ 	gen_require(`
+-		attribute_role update_modules_roles;
++		#attribute_role update_modules_roles;
++		type update_modules_t;
+ 	')
+ 
++	#modutils_domtrans_update_mods($1)
++	#roleattribute $2 update_modules_roles;
++
+ 	modutils_domtrans_update_mods($1)
+-	roleattribute $2 update_modules_roles;
++	role $2 types update_modules_t;
++
++	modutils_run_insmod(update_modules_t, $2)
++
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
+index b83608d..86a7107 100644
+--- a/policy/modules/system/modutils.te
++++ b/policy/modules/system/modutils.te
+@@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1)
+ # Declarations
+ #
+ 
+-attribute_role update_modules_roles;
++#attribute_role update_modules_roles;
+ 
+ type depmod_t;
+ type depmod_exec_t;
+@@ -30,8 +30,9 @@ files_type(modules_dep_t)
+ type update_modules_t;
+ type update_modules_exec_t;
+ init_system_domain(update_modules_t, update_modules_exec_t)
+-roleattribute system_r update_modules_roles;
+-role update_modules_roles types update_modules_t;
++#roleattribute system_r update_modules_roles;
++#role update_modules_roles types update_modules_t;
++role system_r types update_modules_t;
+ 
+ type update_modules_tmp_t;
+ files_tmp_file(update_modules_tmp_t)
+@@ -318,7 +319,7 @@ logging_send_syslog_msg(update_modules_t)
+ 
+ miscfiles_read_localization(update_modules_t)
+ 
+-modutils_run_insmod(update_modules_t, update_modules_roles)
++#modutils_run_insmod(update_modules_t, update_modules_roles)
+ 
+ userdom_use_inherited_user_terminals(update_modules_t)
+ userdom_dontaudit_search_user_home_dirs(update_modules_t)
+diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
+index 52e78b8..4881d86 100644
+--- a/policy/modules/system/mount.if
++++ b/policy/modules/system/mount.if
+@@ -44,11 +44,36 @@ interface(`mount_domtrans',`
+ #
+ interface(`mount_run',`
+ 	gen_require(`
+-		attribute_role mount_roles;
++		#attribute_role mount_roles;
++		type mount_t;
+ 	')
+ 
++	#mount_domtrans($1)
++	#roleattribute $2 mount_roles;
++
+ 	mount_domtrans($1)
+-	roleattribute $2 mount_roles;
++        role $2 types mount_t;
++
++        optional_policy(`
++                fstools_run(mount_t, $2)
++        ')
++
++	optional_policy(`
++                lvm_run(mount_t, $2)
++        ')
++
++        optional_policy(`
++                modutils_run_insmod(mount_t, $2)
++        ')
++
++        optional_policy(`
++                rpc_run_rpcd(mount_t, $2)
++        ')
++
++        optional_policy(`
++                samba_run_smbmount(mount_t, $2)
++        ')
++
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index cc76452..14320fe 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -12,13 +12,14 @@ policy_module(mount, 1.14.2)
+ ## </desc>
+ gen_tunable(allow_mount_anyfile, false)
+ 
+-attribute_role mount_roles;
+-roleattribute system_r mount_roles;
++#attribute_role mount_roles;
++#roleattribute system_r mount_roles;
+ 
+ type mount_t;
+ type mount_exec_t;
+ init_system_domain(mount_t, mount_exec_t)
+-role mount_roles types mount_t;
++#role mount_roles types mount_t;
++role system_r types mount_t;
+ 
+ type fusermount_exec_t;
+ domain_entry_file(mount_t, fusermount_exec_t)
+@@ -286,25 +287,28 @@ optional_policy(`
+ 
+ # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
+ optional_policy(`
+-	lvm_run(mount_t, mount_roles)
++#	lvm_run(mount_t, mount_roles)
++	lvm_domtrans(mount_t)
+ ')
+ 
+ optional_policy(`
+-	modutils_run_insmod(mount_t, mount_roles)
++	#modutils_run_insmod(mount_t, mount_roles)
++	modutils_domtrans_insmod(mount_t)
+ 	modutils_read_module_deps(mount_t)
+ ')
+ 
+ optional_policy(`
+-	fstools_run(mount_t, mount_roles)
++	fstools_domtrans(mount_t)
++	#fstools_run(mount_t, mount_roles)
+ ')
+ 
+ optional_policy(`
+ 	rhcs_stream_connect_gfs_controld(mount_t)
+ ')
+ 
+-optional_policy(`
+-	rpc_run_rpcd(mount_t, mount_roles)
+-')
++#optional_policy(`
++#	rpc_run_rpcd(mount_t, mount_roles)
++#')
+ 
+ # for kernel package installation
+ optional_policy(`
+@@ -314,7 +318,8 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	samba_read_config(mount_t)
+-	samba_run_smbmount(mount_t, mount_roles)
++	samba_domtrans_smbmount(mount_t)
++	#samba_run_smbmount(mount_t, mount_roles)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index a853819..cebf588 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
+ #
+ interface(`seutil_run_newrole',`
+ 	gen_require(`
+-		attribute_role newrole_roles;
++		type newrole_t;
++		#attribute_role newrole_roles;
+ 	')
+ 
++	#seutil_domtrans_newrole($1)
++	#roleattribute $2 newrole_roles;
++
+ 	seutil_domtrans_newrole($1)
+-	roleattribute $2 newrole_roles;
++        role $2 types newrole_t;
++
++        auth_run_upd_passwd(newrole_t, $2)
++
++        optional_policy(`
++                namespace_init_run(newrole_t, $2)
++        ')
++
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 2aee0c0..4c24e3e 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -14,7 +14,7 @@ attribute can_relabelto_binary_policy;
+ attribute setfiles_domain;
+ attribute seutil_semanage_domain;
+ 
+-attribute_role newrole_roles;
++#attribute_role newrole_roles;
+ 
+ attribute_role run_init_roles;
+ role system_r types run_init_t;
+@@ -65,7 +65,8 @@ application_domain(newrole_t, newrole_exec_t)
+ domain_role_change_exemption(newrole_t)
+ domain_obj_id_change_exemption(newrole_t)
+ domain_interactive_fd(newrole_t)
+-role newrole_roles types newrole_t;
++#role newrole_roles types newrole_t;
++role system_r types newrole_t;
+ 
+ #
+ # policy_config_t is the type of /etc/security/selinux/*
+@@ -299,10 +300,11 @@ term_relabel_all_ptys(newrole_t)
+ term_getattr_unallocated_ttys(newrole_t)
+ term_dontaudit_use_unallocated_ttys(newrole_t)
+ 
+-auth_use_nsswitch(newrole_t)
+-auth_run_chk_passwd(newrole_t, newrole_roles)
+-auth_run_upd_passwd(newrole_t, newrole_roles)
+-auth_rw_faillog(newrole_t)
++#auth_use_nsswitch(newrole_t)
++#auth_run_chk_passwd(newrole_t, newrole_roles)
++#auth_run_upd_passwd(newrole_t, newrole_roles)
++#auth_rw_faillog(newrole_t)
++auth_use_pam(newrole_t)
+ 
+ # Write to utmp.
+ init_rw_utmp(newrole_t)
+@@ -322,9 +324,9 @@ optional_policy(`
+     dbus_system_bus_client(newrole_t)
+ ')
+ 
+-optional_policy(`
+-	namespace_init_run(newrole_t, newrole_roles)
+-')
++#optional_policy(`
++#	namespace_init_run(newrole_t, newrole_roles)
++#')
+ 
+ 
+ optional_policy(`
+diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
+index 7b08f77..949fdcc 100644
+--- a/policy/modules/system/sysnetwork.if
++++ b/policy/modules/system/sysnetwork.if
+@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',`
+ #
+ interface(`sysnet_run_dhcpc',`
+ 	gen_require(`
+-		attribute_role dhcpc_roles;
++		type dhcpc_t;
++		#attribute_role dhcpc_roles;
+ 	')
+ 
++	#sysnet_domtrans_dhcpc($1)
++	#roleattribute $2 dhcpc_roles;
++
+ 	sysnet_domtrans_dhcpc($1)
+-	roleattribute $2 dhcpc_roles;
++        role $2 types dhcpc_t;
++
++        modutils_run_insmod(dhcpc_t, $2)
++
++        sysnet_run_ifconfig(dhcpc_t, $2)
++
++        optional_policy(`
++                hostname_run(dhcpc_t, $2)
++        ')
++
++        optional_policy(`
++                netutils_run(dhcpc_t, $2)
++                netutils_run_ping(dhcpc_t, $2)
++        ')
++
++        optional_policy(`
++                networkmanager_run(dhcpc_t, $2)
++        ')
++
++        optional_policy(`
++                nis_run_ypbind(dhcpc_t, $2)
++        ')
++
++        optional_policy(`
++                nscd_run(dhcpc_t, $2)
++        ')
++
++        optional_policy(`
++                ntp_run(dhcpc_t, $2)
++        ')
++
++        seutil_run_setfiles(dhcpc_t, $2)
++
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index 2d2b6ef..1bfcd4f 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -12,8 +12,8 @@ policy_module(sysnetwork, 1.13.2)
+ ## </desc>
+ gen_tunable(dhcpc_exec_iptables, false)
+ 
+-attribute_role dhcpc_roles;
+-roleattribute system_r dhcpc_roles;
++#attribute_role dhcpc_roles;
++#roleattribute system_r dhcpc_roles;
+ 
+ # this is shared between dhcpc and dhcpd:
+ type dhcp_etc_t;
+@@ -27,7 +27,8 @@ files_type(dhcp_state_t)
+ type dhcpc_t;
+ type dhcpc_exec_t;
+ init_daemon_domain(dhcpc_t, dhcpc_exec_t)
+-role dhcpc_roles types dhcpc_t;
++#role dhcpc_roles types dhcpc_t;
++role system_r types dhcpc_t;
+ 
+ type dhcpc_helper_exec_t;
+ init_script_file(dhcpc_helper_exec_t)
+@@ -159,9 +160,10 @@ logging_send_syslog_msg(dhcpc_t)
+ miscfiles_read_generic_certs(dhcpc_t)
+ miscfiles_read_localization(dhcpc_t)
+ 
+-modutils_run_insmod(dhcpc_t, dhcpc_roles)
++#modutils_run_insmod(dhcpc_t, dhcpc_roles)
++modutils_domtrans_insmod(dhcpc_t)
++#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
+ 
+-sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
+ 
+ userdom_use_user_terminals(dhcpc_t)
+ userdom_dontaudit_search_user_home_dirs(dhcpc_t)
+@@ -176,9 +178,9 @@ ifdef(`distro_ubuntu',`
+ 	')
+ ')
+ 
+-optional_policy(`
+-	consoletype_run(dhcpc_t, dhcpc_roles)
+-')
++#optional_policy(`
++#	consoletype_run(dhcpc_t, dhcpc_roles)
++#')
+ 
+ optional_policy(`
+ 	chronyd_initrc_domtrans(dhcpc_t)
+@@ -203,7 +205,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	hostname_run(dhcpc_t, dhcpc_roles)
++	hostname_domtrans(dhcpc_t)
++#	hostname_run(dhcpc_t, dhcpc_roles)
+ ')
+ 
+ optional_policy(`
+commit 0a0c8b9d35398f3662db1b0bdb2f4c7761121ba1
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 02:26:53 2012 +0200
+
+    roleattribute patch for passwd_t
+
+diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
+index 764260e..da75471 100644
+--- a/policy/modules/admin/usermanage.if
++++ b/policy/modules/admin/usermanage.if
+@@ -176,7 +176,7 @@ interface(`usermanage_kill_passwd',`
+ #
+ interface(`usermanage_run_passwd',`
+ 	gen_require(`
+-		type type passwd_t;
++		type passwd_t;
+ 		#attribute_role passwd_roles;
+ 	')
+ 
+commit 0b71245f63ddbb6ca00790fa5318db798286d8d8
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 02:38:28 2012 +0200
+
+    Fix also for sysnetwork.te
+
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index 1bfcd4f..3a94d52 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -226,8 +226,10 @@ optional_policy(`
+ 
+ # for the dhcp client to run ping to check IP addresses
+ optional_policy(`
+-	netutils_run_ping(dhcpc_t, dhcpc_roles)
+-	netutils_run(dhcpc_t, dhcpc_roles)
++	#netutils_run_ping(dhcpc_t, dhcpc_roles)
++	#netutils_run(dhcpc_t, dhcpc_roles)
++	netutils_domtrans_ping(dhcpc_t)
++        netutils_domtrans(dhcpc_t
+ ',`
+ 	allow dhcpc_t self:capability setuid;
+ 	allow dhcpc_t self:rawip_socket create_socket_perms;
+commit fdfc3cf8dbc69bda177afe16e78a52891cb6da4a
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 02:41:48 2012 +0200
+
+    Other
+
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index 3a94d52..6a6f03f 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -229,7 +229,7 @@ optional_policy(`
+ 	#netutils_run_ping(dhcpc_t, dhcpc_roles)
+ 	#netutils_run(dhcpc_t, dhcpc_roles)
+ 	netutils_domtrans_ping(dhcpc_t)
+-        netutils_domtrans(dhcpc_t
++        netutils_domtrans(dhcpc_t)
+ ',`
+ 	allow dhcpc_t self:capability setuid;
+ 	allow dhcpc_t self:rawip_socket create_socket_perms;
+commit 2ea19d46d563741f998001a38f9d4dbb4d1fdd06
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 08:10:01 2012 +0200
+
+    Fix passwd
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index a077b28..396909c 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -526,11 +526,6 @@ fs_getattr_xattr_fs(useradd_t)
+ mls_file_upgrade(useradd_t)
+ mls_process_read_to_clearance(useradd_t)
+ 
+-seutil_semanage_policy(useradd_t)
+-seutil_manage_file_contexts(useradd_t)
+-seutil_manage_config(useradd_t)
+-seutil_manage_default_contexts(useradd_t)
+-
+ term_use_all_inherited_terms(useradd_t)
+ term_getattr_all_ptys(useradd_t)
+ 
+@@ -554,14 +549,19 @@ logging_send_syslog_msg(useradd_t)
+ 
+ miscfiles_read_localization(useradd_t)
+ 
++seutil_semanage_policy(useradd_t)
++seutil_manage_file_contexts(useradd_t)
++seutil_manage_config(useradd_t)
++seutil_manage_default_contexts(useradd_t)
++
+ seutil_read_config(useradd_t)
+ seutil_read_file_contexts(useradd_t)
+ seutil_read_default_contexts(useradd_t)
+ seutil_domtrans_semanage(useradd_t)
+ seutil_domtrans_setfiles(useradd_t)
+ seutil_domtrans_loadpolicy(useradd_t)
+-seutil_manage_bin_policy(useradd_t)
+-seutil_manage_module_store(useradd_t)
++#seutil_manage_bin_policy(useradd_t)
++#seutil_manage_module_store(useradd_t)
+ seutil_get_semanage_trans_lock(useradd_t)
+ seutil_get_semanage_read_lock(useradd_t)
+ #seutil_run_semanage(useradd_t, useradd_roles)
+commit db92f5bcb6fe7f86aae12dffe64ec3d920815343
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 08:30:34 2012 +0200
+
+    Also for semanage_roles
+
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index cebf588..7e38077 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -1140,11 +1140,18 @@ interface(`seutil_domtrans_setsebool',`
+ #
+ interface(`seutil_run_semanage',`
+ 	gen_require(`
+-		attribute_role semanage_roles;
++		#attribute_role semanage_roles;
++		type semanage_t;
+ 	')
+ 
++	#seutil_domtrans_semanage($1)
++	#roleattribute $2 semanage_roles;
++
+ 	seutil_domtrans_semanage($1)
+-	roleattribute $2 semanage_roles;
++        seutil_run_setfiles(semanage_t, $2)
++        seutil_run_loadpolicy(semanage_t, $2)
++        role $2 types semanage_t;
++
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 4c24e3e..90498cd 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -19,8 +19,8 @@ attribute seutil_semanage_domain;
+ attribute_role run_init_roles;
+ role system_r types run_init_t;
+ 
+-attribute_role semanage_roles;
+-roleattribute system_r semanage_roles;
++#attribute_role semanage_roles;
++#roleattribute system_r semanage_roles;
+ 
+ #
+ # selinux_config_t is the type applied to
+@@ -110,7 +110,8 @@ application_domain(semanage_t, semanage_exec_t)
+ dbus_system_domain(semanage_t, semanage_exec_t)
+ init_daemon_domain(semanage_t, semanage_exec_t)
+ domain_interactive_fd(semanage_t)
+-role semanage_roles types semanage_t;
++#role semanage_roles types semanage_t;
++role system_r types semanage_t;
+ 
+ type setsebool_t;
+ type setsebool_exec_t;
+@@ -530,14 +531,15 @@ files_read_non_security_files(semanage_t)
+ 
+ seutil_manage_file_contexts(semanage_t)
+ seutil_manage_config(semanage_t)
+-
+-seutil_run_setfiles(semanage_t, semanage_roles)
+-seutil_run_loadpolicy(semanage_t, semanage_roles)
+-seutil_manage_bin_policy(semanage_t)
+-seutil_use_newrole_fds(semanage_t)
+-seutil_manage_module_store(semanage_t)
+-seutil_get_semanage_trans_lock(semanage_t)
+-seutil_get_semanage_read_lock(semanage_t)
++seutil_domtrans_setfiles(semanage_t)
++
++#seutil_run_setfiles(semanage_t, semanage_roles)
++#seutil_run_loadpolicy(semanage_t, semanage_roles)
++#seutil_manage_bin_policy(semanage_t)
++#seutil_use_newrole_fds(semanage_t)
++#seutil_manage_module_store(semanage_t)
++#seutil_get_semanage_trans_lock(semanage_t)
++#seutil_get_semanage_read_lock(semanage_t)
+ # netfilter_contexts:
+ seutil_manage_default_contexts(semanage_t)
+ 
+commit aebf9204ec2a7cfb943327eb3aace2a9b4130769
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 08:38:22 2012 +0200
+
+    run_init roles
+
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 7e38077..6903c5e 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -457,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',`
+ #
+ interface(`seutil_run_runinit',`
+ 	gen_require(`
+-		attribute_role run_init_roles;
++		#attribute_role run_init_roles;
++		type run_init_t;
++                role system_r;
+ 	')
+ 
+-	seutil_domtrans_runinit($1)
+-	roleattribute $2 run_init_roles;
++	#seutil_domtrans_runinit($1)
++	#roleattribute $2 run_init_roles;
++
++	        auth_run_chk_passwd(run_init_t, $2)
++        seutil_domtrans_runinit($1)
++        role $2 types run_init_t;
++
++        allow $2 system_r;
++
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 90498cd..06b4e9a 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -16,8 +16,8 @@ attribute seutil_semanage_domain;
+ 
+ #attribute_role newrole_roles;
+ 
+-attribute_role run_init_roles;
+-role system_r types run_init_t;
++#attribute_role run_init_roles;
++#role system_r types run_init_t;
+ 
+ #attribute_role semanage_roles;
+ #roleattribute system_r semanage_roles;
+@@ -102,7 +102,8 @@ type run_init_t;
+ type run_init_exec_t;
+ application_domain(run_init_t, run_init_exec_t)
+ domain_system_change_exemption(run_init_t)
+-role run_init_roles types run_init_t;
++#role run_init_roles types run_init_t;
++role system_r types run_init_t;
+ 
+ type semanage_t;
+ type semanage_exec_t;
+@@ -412,7 +413,7 @@ optional_policy(`
+ # Run_init local policy
+ #
+ 
+-allow run_init_roles system_r;
++#allow run_init_roles system_r;
+ 
+ allow run_init_t self:process setexec;
+ allow run_init_t self:capability setuid;
+@@ -449,11 +450,17 @@ selinux_compute_user_contexts(run_init_t)
+ 
+ term_use_console(run_init_t)
+ 
++#auth_use_nsswitch(run_init_t)
++#auth_run_chk_passwd(run_init_t, run_init_roles)
++#auth_run_upd_passwd(run_init_t, run_init_roles)
++#auth_dontaudit_read_shadow(run_init_t)
++
+ auth_use_nsswitch(run_init_t)
+-auth_run_chk_passwd(run_init_t, run_init_roles)
+-auth_run_upd_passwd(run_init_t, run_init_roles)
++auth_domtrans_chk_passwd(run_init_t)
++auth_domtrans_upd_passwd(run_init_t)
+ auth_dontaudit_read_shadow(run_init_t)
+ 
++
+ init_spec_domtrans_script(run_init_t)
+ # for utmp
+ init_rw_utmp(run_init_t)
+commit 4803dd3583e4c84e24a7f6974e195bb8145f1bb5
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 10:01:51 2012 +0200
+
+    One more for run_init
+
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 6903c5e..b64a37a 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -502,11 +502,19 @@ interface(`seutil_run_runinit',`
+ #
+ interface(`seutil_init_script_run_runinit',`
+ 	gen_require(`
+-		attribute_role run_init_roles;
++		#attribute_role run_init_roles;
++		type run_init_t;
++                role system_r
+ 	')
+ 
+-	seutil_init_script_domtrans_runinit($1)
+-	roleattribute $2 run_init_roles;
++	#seutil_init_script_domtrans_runinit($1)
++	#roleattribute $2 run_init_roles;
++	        auth_run_chk_passwd(run_init_t, $2)
++        seutil_init_script_domtrans_runinit($1)
++        role $2 types run_init_t;
++
++        allow $2 system_r;
++
+ ')
+ 
+ ########################################
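Review bot: The rewritten `usermanage_run_useradd` (first commit, usermanage.if hunk `@@ -292,11 +320,20 @@`) requires `type sysadm_passwd_t;`, calls `usermanage_domtrans_admin_passwd($1)` and grants `role $2 types sysadm_passwd_t;`, so the interface no longer gives its caller the useradd_t transition at all and useradd_t stays reachable from system_r only; this looks like a paste from `usermanage_run_admin_passwd` and should read `type useradd_t;`, `usermanage_domtrans_useradd($1)` and `role $2 types useradd_t;`. In the last commit the gen_require of `seutil_init_script_run_runinit` has `role system_r` without the terminating semicolon that `seutil_run_runinit` carries (`role system_r;`), which will not parse. The `Also for semanage_roles` commit also comments out `seutil_manage_bin_policy`, `seutil_manage_module_store` and both semanage lock interfaces for semanage_t with no replacement; if semanage_t is meant to lose those permissions the commit message should say so, since that is unrelated to moving role assignments into the interfaces. The `auth_run_chk_passwd(run_init_t, $2)` lines in the two run_init interfaces are indented with a stray tab-plus-spaces and sit above the domtrans call, unlike every other rewritten interface; aligning them with the surrounding `role $2 types` lines keeps the pattern uniform.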
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 71830fc..115f7d4 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -58144,7 +58144,7 @@ index 3a45f23..f4754f0 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index f462e95..ce808db 100644
+index f462e95..d29da40 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
 @@ -393,6 +393,10 @@ class system
@@ -58158,7 +58158,16 @@ index f462e95..ce808db 100644
  }
  
  #
-@@ -860,3 +864,20 @@ inherits database
+@@ -445,6 +449,8 @@ class capability2
+ 	mac_override	# unused by SELinux
+ 	mac_admin	# unused by SELinux
+ 	syslog
++	wake_alarm
++	epolwakeup
+ }
+ 
+ #
+@@ -860,3 +866,20 @@ inherits database
  	implement
  	execute
  }
@@ -79909,24 +79918,10 @@ index 0e3c2a9..40adf5a 100644
 +')
 +
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 9fd5be7..3eb0e5e 100644
+index 9fd5be7..db7e141 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
-@@ -9,13 +9,22 @@ type local_login_t;
- domain_interactive_fd(local_login_t)
- auth_login_pgm_domain(local_login_t)
- auth_login_entry_type(local_login_t)
-+init_daemon_domain(local_login_t, login_exec_t)
-+init_ranged_daemon_domain(local_login_t, login_exec_t,  s0 - mcs_systemhigh)
-+
-+ifdef(`enable_mls',`
-+	init_ranged_daemon_domain(local_login_t, login_exec_t, mls_systemhigh)
-+')
-+
-+ifdef(`enable_mcs',`
-+	init_ranged_daemon_domain(local_login_t, login_exec_t, mcs_systemhigh)
-+')
- 
+@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
  type local_login_lock_t;
  files_lock_file(local_login_lock_t)
  
@@ -79938,7 +79933,7 @@ index 9fd5be7..3eb0e5e 100644
  
  type sulogin_t;
  type sulogin_exec_t;
-@@ -32,9 +41,8 @@ role system_r types sulogin_t;
+@@ -32,9 +31,8 @@ role system_r types sulogin_t;
  # Local login local policy
  #
  
@@ -79950,7 +79945,7 @@ index 9fd5be7..3eb0e5e 100644
  allow local_login_t self:fd use;
  allow local_login_t self:fifo_file rw_fifo_file_perms;
  allow local_login_t self:sock_file read_sock_file_perms;
-@@ -51,9 +59,7 @@ allow local_login_t self:key { search write link };
+@@ -51,9 +49,7 @@ allow local_login_t self:key { search write link };
  allow local_login_t local_login_lock_t:file manage_file_perms;
  files_lock_filetrans(local_login_t, local_login_lock_t, file)
  
@@ -79961,7 +79956,7 @@ index 9fd5be7..3eb0e5e 100644
  
  kernel_read_system_state(local_login_t)
  kernel_read_kernel_sysctls(local_login_t)
-@@ -73,6 +79,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
+@@ -73,6 +69,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
  dev_setattr_power_mgmt_dev(local_login_t)
  dev_getattr_sound_dev(local_login_t)
  dev_setattr_sound_dev(local_login_t)
@@ -79970,7 +79965,7 @@ index 9fd5be7..3eb0e5e 100644
  dev_dontaudit_getattr_apm_bios_dev(local_login_t)
  dev_dontaudit_setattr_apm_bios_dev(local_login_t)
  dev_dontaudit_read_framebuffer(local_login_t)
-@@ -117,14 +125,18 @@ term_relabel_unallocated_ttys(local_login_t)
+@@ -117,14 +115,18 @@ term_relabel_unallocated_ttys(local_login_t)
  term_relabel_all_ttys(local_login_t)
  term_setattr_all_ttys(local_login_t)
  term_setattr_unallocated_ttys(local_login_t)
@@ -79990,7 +79985,7 @@ index 9fd5be7..3eb0e5e 100644
  
  miscfiles_read_localization(local_login_t)
  
-@@ -146,14 +158,14 @@ tunable_policy(`console_login',`
+@@ -146,14 +148,14 @@ tunable_policy(`console_login',`
  	term_relabel_console(local_login_t)
  ')
  
@@ -80012,7 +80007,7 @@ index 9fd5be7..3eb0e5e 100644
  ')
  
  optional_policy(`
-@@ -177,14 +189,6 @@ optional_policy(`
+@@ -177,14 +179,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80027,7 +80022,7 @@ index 9fd5be7..3eb0e5e 100644
  	unconfined_shell_domtrans(local_login_t)
  ')
  
-@@ -215,6 +219,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,6 +209,7 @@ allow sulogin_t self:sem create_sem_perms;
  allow sulogin_t self:msgq create_msgq_perms;
  allow sulogin_t self:msg { send receive };
  
@@ -80035,7 +80030,7 @@ index 9fd5be7..3eb0e5e 100644
  kernel_read_system_state(sulogin_t)
  
  fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +228,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+@@ -223,13 +218,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
  files_read_etc_files(sulogin_t)
  # because file systems are not mounted:
  files_dontaudit_search_isid_type_dirs(sulogin_t)
@@ -80053,7 +80048,7 @@ index 9fd5be7..3eb0e5e 100644
  seutil_read_config(sulogin_t)
  seutil_read_default_contexts(sulogin_t)
  
-@@ -238,14 +247,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +237,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
  userdom_search_user_home_dirs(sulogin_t)
  userdom_use_user_ptys(sulogin_t)
  
@@ -80080,7 +80075,7 @@ index 9fd5be7..3eb0e5e 100644
  	init_getpgid(sulogin_t)
  ', `
  	allow sulogin_t self:process setexec;
-@@ -256,11 +275,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +265,3 @@ ifdef(`sulogin_no_pam', `
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
@@ -84576,10 +84571,10 @@ index 0000000..0898030
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..33c1c9f
+index 0000000..eec7c72
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,422 @@
+@@ -0,0 +1,423 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -84660,6 +84655,7 @@ index 0000000..33c1c9f
 +dev_getattr_all_chr_files(systemd_logind_t)
 +dev_getattr_all_blk_files(systemd_logind_t)
 +dev_rw_sysfs(systemd_logind_t)
++dev_rw_input_dev(systemd_logind_t)
 +dev_setattr_all_chr_files(systemd_logind_t)
 +dev_setattr_dri_dev(systemd_logind_t)
 +dev_setattr_generic_usb_dev(systemd_logind_t)
diff --git a/policy_contrib-rawhide-roleattribute.patch b/policy_contrib-rawhide-roleattribute.patch
new file mode 100644
index 0000000..cbdb104
--- /dev/null
+++ b/policy_contrib-rawhide-roleattribute.patch
@@ -0,0 +1,854 @@
+commit f53f820fe366940d4fdecaef80de4e5b1178fac6
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 01:38:59 2012 +0200
+
+    roleattribute patch
+
+diff --git a/livecd.if b/livecd.if
+index bfbf676..fb7869e 100644
+--- a/livecd.if
++++ b/livecd.if
+@@ -38,12 +38,19 @@ interface(`livecd_run',`
+ 	gen_require(`
+ 		type livecd_t;
+ 		type livecd_exec_t;
+-		attribute_role livecd_roles;
++		#attribute_role livecd_roles;
+ 	')
+ 
+ 	livecd_domtrans($1)
+-	roleattribute $2 livecd_roles;
++	#roleattribute $2 livecd_roles;
++	role $2 types livecd_t;
+ 	role_transition $2 livecd_exec_t system_r;
++
++        seutil_run_setfiles_mac(livecd_t, system_r)
++
++        optional_policy(`
++                mount_run(livecd_t, $2)
++        ')
+ ')
+ 
+ ########################################
+diff --git a/livecd.te b/livecd.te
+index 65efdae..7a944b5 100644
+--- a/livecd.te
++++ b/livecd.te
+@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
+ # Declarations
+ #
+ 
+-attribute_role livecd_roles;
+-roleattribute system_r livecd_roles;
++#attribute_role livecd_roles;
++#roleattribute system_r livecd_roles;
+ 
+ type livecd_t;
+ type livecd_exec_t;
+ application_domain(livecd_t, livecd_exec_t)
+-role livecd_roles types livecd_t;
++role system_r types livecd_t;
++#role livecd_roles types livecd_t;
+ 
+ type livecd_tmp_t;
+ files_tmp_file(livecd_tmp_t)
+@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t)
+ 
+ sysnet_filetrans_named_content(livecd_t)
+ 
+-optional_policy(`
+-	mount_run(livecd_t, livecd_roles)
+-	seutil_run_setfiles_mac(livecd_t, livecd_roles)
+-')
++#optional_policy(`
++#	mount_run(livecd_t, livecd_roles)
++#	seutil_run_setfiles_mac(livecd_t, livecd_roles)
++#')
+ 
+ optional_policy(`
+ 	ssh_filetrans_admin_home_content(livecd_t)
+diff --git a/mozilla.if b/mozilla.if
+index 30b0241..30bfefb 100644
+--- a/mozilla.if
++++ b/mozilla.if
+@@ -18,10 +18,11 @@
+ interface(`mozilla_role',`
+ 	gen_require(`
+ 		type mozilla_t, mozilla_exec_t, mozilla_home_t;
+-		attribute_role mozilla_roles;
++		#attribute_role mozilla_roles;
+ 	')
+ 
+-	roleattribute $1 mozilla_roles;
++	#roleattribute $1 mozilla_roles;
++	role $1 types mozilla_t;
+ 
+ 	domain_auto_trans($2, mozilla_exec_t, mozilla_t)
+ 	# Unrestricted inheritance from the caller.
+@@ -47,6 +48,8 @@ interface(`mozilla_role',`
+ 	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ 	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ 
++	#should be remove then with adding of roleattribute
++	mozilla_run_plugin(mozilla_t, $1)
+ 	mozilla_dbus_chat($2)
+ 
+ 	userdom_manage_tmp_role($1, mozilla_t)
+@@ -63,7 +66,6 @@ interface(`mozilla_role',`
+ 
+ 	mozilla_filetrans_home_content($2)
+ 
+-	mozilla_dbus_chat($2)
+ ')
+ 
+ ########################################
+diff --git a/mozilla.te b/mozilla.te
+index 7bf56bf..56700a4 100644
+--- a/mozilla.te
++++ b/mozilla.te
+@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false)
+ ## </desc>
+ gen_tunable(mozilla_plugin_enable_homedirs, false)
+ 
+-attribute_role mozilla_roles;
++#attribute_role mozilla_roles;
+ 
+ type mozilla_t;
+ type mozilla_exec_t;
+ typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+ userdom_user_application_domain(mozilla_t, mozilla_exec_t)
+-role mozilla_roles types mozilla_t;
++#role mozilla_roles types mozilla_t;
++role system_r types mozilla_t;
+ 
+ type mozilla_conf_t;
+ files_config_file(mozilla_conf_t)
+@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t)
+ type mozilla_plugin_t;
+ type mozilla_plugin_exec_t;
+ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+-role mozilla_roles types mozilla_plugin_t;
++#role mozilla_roles types mozilla_plugin_t;
++role system_r types mozilla_plugin_t;
+ 
+ type mozilla_plugin_tmp_t;
+ userdom_user_tmp_content(mozilla_plugin_tmp_t)
+@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t)
+ type mozilla_plugin_config_t;
+ type mozilla_plugin_config_exec_t;
+ application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+-role mozilla_roles types mozilla_plugin_config_t;
++#role mozilla_roles types mozilla_plugin_config_t;
++role system_r types mozilla_plugin_config_t;
+ 
+ type mozilla_tmp_t;
+ userdom_user_tmp_file(mozilla_tmp_t)
+@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t)
+ 
+ userdom_use_inherited_user_ptys(mozilla_t)
+ 
+-mozilla_run_plugin(mozilla_t, mozilla_roles)
++#mozilla_run_plugin(mozilla_t, mozilla_roles)
+ 
+ xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+@@ -298,7 +301,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	pulseaudio_role(mozilla_roles, mozilla_t)
++	#pulseaudio_role(mozilla_roles, mozilla_t)
++	pulseaudio_exec(mozilla_t)
+ 	pulseaudio_stream_connect(mozilla_t)
+ 	pulseaudio_manage_home_files(mozilla_t)
+ ')
+@@ -476,9 +480,9 @@ optional_policy(`
+ 	java_exec(mozilla_plugin_t)
+ ')
+ 
+-optional_policy(`
+-	lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
+-')
++#optional_policy(`
++#	lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
++#')
+ 
+ optional_policy(`
+ 	mplayer_exec(mozilla_plugin_t)
+diff --git a/ncftool.if b/ncftool.if
+index 1520b6c..3a4455f 100644
+--- a/ncftool.if
++++ b/ncftool.if
+@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',`
+ #
+ interface(`ncftool_run',`
+ 	gen_require(`
+-		attribute_role ncftool_roles;
++		type ncftool_t;
++		#attribute_role ncftool_roles;
+         ')
+ 
+-        ncftool_domtrans($1)
+-        roleattribute $2 ncftool_roles;
++        #ncftool_domtrans($1)
++        #roleattribute $2 ncftool_roles;
++
++	role $1 types ncftool_t;
++
++        ncftool_domtrans($2)
++
++        ps_process_pattern($2, ncftool_t)
++        allow $2 ncftool_t:process signal;
+ ')
+ 
+diff --git a/ncftool.te b/ncftool.te
+index 91ab36d..8c48c33 100644
+--- a/ncftool.te
++++ b/ncftool.te
+@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0)
+ # Declarations
+ #
+ 
+-attribute_role ncftool_roles;
+-roleattribute system_r ncftool_roles;
++#attribute_role ncftool_roles;
++#roleattribute system_r ncftool_roles;
+ 
+ type ncftool_t;
+ type ncftool_exec_t;
+ application_domain(ncftool_t, ncftool_exec_t)
+ domain_obj_id_change_exemption(ncftool_t)
+ domain_system_change_exemption(ncftool_t)
+-role ncftool_roles types ncftool_t;
++#role ncftool_roles types ncftool_t;
++role system_r types ncftool_t;
+ 
+ ########################################
+ #
+@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t)
+ 
+ miscfiles_read_localization(ncftool_t)
+ sysnet_delete_dhcpc_pid(ncftool_t)
+-sysnet_run_dhcpc(ncftool_t, ncftool_roles)
+-sysnet_run_ifconfig(ncftool_t, ncftool_roles)
++sysnet_domtrans_dhcpc(ncftool_t)
++sysnet_domtrans_ifconfig(ncftool_t)
++#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
++#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
+ sysnet_etc_filetrans_config(ncftool_t)
+ sysnet_manage_config(ncftool_t)
+ sysnet_read_dhcpc_state(ncftool_t)
+@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t)
+ userdom_use_user_terminals(ncftool_t)
+ userdom_read_user_tmp_files(ncftool_t)
+ 
+-optional_policy(`
+-	brctl_run(ncftool_t, ncftool_roles)
+-')
++#optional_policy(`
++#	brctl_run(ncftool_t, ncftool_roles)
++#')
+ 
+ optional_policy(`
+ 	consoletype_exec(ncftool_t)
+@@ -85,9 +88,12 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	modutils_read_module_config(ncftool_t)
+-	modutils_run_insmod(ncftool_t, ncftool_roles)
++	modutils_domtrans_insmod(ncftool_t)
++	#modutils_run_insmod(ncftool_t, ncftool_roles)
++
+ ')
+ 
+ optional_policy(`
+-	netutils_run(ncftool_t, ncftool_roles)
++	netutils_domtrans(ncftool_t)
++	#netutils_run(ncftool_t, ncftool_roles)
+ ')
+diff --git a/ppp.if b/ppp.if
+index c174b05..a4cad0b 100644
+--- a/ppp.if
++++ b/ppp.if
+@@ -175,11 +175,18 @@ interface(`ppp_run_cond',`
+ #
+ interface(`ppp_run',`
+ 	gen_require(`
+-		attribute_role pppd_roles;
++		#attribute_role pppd_roles;
++		type pppd_t;
+ 	')
+ 
+-	ppp_domtrans($1)
+-	roleattribute $2 pppd_roles;
++	#ppp_domtrans($1)
++	#roleattribute $2 pppd_roles;
++
++	role $2 types pppd_t;
++
++        tunable_policy(`pppd_for_user',`
++                ppp_domtrans($1)
++        ')
+ ')
+ 
+ ########################################
+diff --git a/ppp.te b/ppp.te
+index 17e10a2..92cec2b 100644
+--- a/ppp.te
++++ b/ppp.te
+@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
+ ## </desc>
+ gen_tunable(pppd_for_user, false)
+ 
+-attribute_role pppd_roles;
++#attribute_role pppd_roles;
+ 
+ # pppd_t is the domain for the pppd program.
+ # pppd_exec_t is the type of the pppd executable.
+ type pppd_t;
+ type pppd_exec_t;
+ init_daemon_domain(pppd_t, pppd_exec_t)
+-role pppd_roles types pppd_t;
++#role pppd_roles types pppd_t;
++role system_r types pppd_t;
+ 
+ type pppd_devpts_t;
+ term_pty(pppd_devpts_t)
+@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t)
+ type pptp_t;
+ type pptp_exec_t;
+ init_daemon_domain(pptp_t, pptp_exec_t)
+-role pppd_roles types pptp_t;
++#role pppd_roles types pptp_t;
++role system_r types pptp_t;
+ 
+ type pptp_log_t;
+ logging_log_file(pptp_log_t)
+@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t)
+ init_signal_script(pppd_t)
+ 
+ auth_use_nsswitch(pppd_t)
+-auth_run_chk_passwd(pppd_t,pppd_roles)
++auth_domtrans_chk_passwd(pppd_t)
++#auth_run_chk_passwd(pppd_t,pppd_roles)
+ auth_write_login_records(pppd_t)
+ 
+ logging_send_syslog_msg(pppd_t)
+@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t)
+ ppp_exec(pppd_t)
+ 
+ optional_policy(`
+-	ddclient_run(pppd_t, pppd_roles)
++	#ddclient_run(pppd_t, pppd_roles)
++	ddclient_domtrans(pppd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/usernetctl.if b/usernetctl.if
+index d45c715..2d4f1ba 100644
+--- a/usernetctl.if
++++ b/usernetctl.if
+@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
+ #
+ interface(`usernetctl_run',`
+ 	gen_require(`
+-		attribute_role usernetctl_roles;
++		type usernetctl_t;
++		#attribute_role usernetctl_roles;
+ 	')
+ 
+-	usernetctl_domtrans($1)
+-	roleattribute $2 usernetctl_roles;
++	#usernetctl_domtrans($1)
++	#roleattribute $2 usernetctl_roles;
++
++	sysnet_run_ifconfig(usernetctl_t, $2)
++        sysnet_run_dhcpc(usernetctl_t, $2)
++
++        optional_policy(`
++                iptables_run(usernetctl_t, $2)
++        ')
++
++        optional_policy(`
++                modutils_run_insmod(usernetctl_t, $2)
++        ')
++
++        optional_policy(`
++                ppp_run(usernetctl_t, $2)
++        ')
++
+ ')
+diff --git a/usernetctl.te b/usernetctl.te
+index 8604c1c..35b12a6 100644
+--- a/usernetctl.te
++++ b/usernetctl.te
+@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
+ # Declarations
+ #
+ 
+-attribute_role usernetctl_roles;
++#attribute_role usernetctl_roles;
+ 
+ type usernetctl_t;
+ type usernetctl_exec_t;
+ application_domain(usernetctl_t, usernetctl_exec_t)
+ domain_interactive_fd(usernetctl_t)
+-role usernetctl_roles types usernetctl_t;
++#role usernetctl_roles types usernetctl_t;
++role system_r types usernetctl_t;
+ 
+ ########################################
+ #
+@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t)
+ 
+ userdom_use_inherited_user_terminals(usernetctl_t)
+ 
+-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
++#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
++#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+ 
+ optional_policy(`
+-	consoletype_run(usernetctl_t, usernetctl_roles)
++	#consoletype_run(usernetctl_t, usernetctl_roles)
++	consoletype_exec(usernetctl_t)
+ ')
+ 
+ optional_policy(`
+ 	hostname_exec(usernetctl_t)
+ ')
+ 
+-optional_policy(`
+-	iptables_run(usernetctl_t, usernetctl_roles)
+-')
++#optional_policy(`
++#	iptables_run(usernetctl_t, usernetctl_roles)
++#')
+ 
+-optional_policy(`
+-	modutils_run_insmod(usernetctl_t, usernetctl_roles)
+-')
++#optional_policy(`
++#	modutils_run_insmod(usernetctl_t, usernetctl_roles)
++#')
+ 
+ optional_policy(`
+ 	nis_use_ypbind(usernetctl_t)
+ ')
+ 
+-optional_policy(`
+-	ppp_run(usernetctl_t, usernetctl_roles)
+-')
++#optional_policy(`
++#	ppp_run(usernetctl_t, usernetctl_roles)
++#')
+diff --git a/vpn.if b/vpn.if
+index 7b93e07..a4e2f60 100644
+--- a/vpn.if
++++ b/vpn.if
+@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
+ #
+ interface(`vpn_run',`
+ 	gen_require(`
+-		attribute_role vpnc_roles;
++		#attribute_role vpnc_roles;
++		type vpnc_t;
+ 	')
+ 
++	#vpn_domtrans($1)
++	#roleattribute $2 vpnc_roles;
++
+ 	vpn_domtrans($1)
+-	roleattribute $2 vpnc_roles;
++        role $2 types vpnc_t;
++        sysnet_run_ifconfig(vpnc_t, $2)
+ ')
+ 
+ ########################################
+diff --git a/vpn.te b/vpn.te
+index 99fd457..d2585bb 100644
+--- a/vpn.te
++++ b/vpn.te
+@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0)
+ # Declarations
+ #
+ 
+-attribute_role vpnc_roles;
+-roleattribute system_r vpnc_roles;
++#attribute_role vpnc_roles;
++#roleattribute system_r vpnc_roles;
+ 
+ type vpnc_t;
+ type vpnc_exec_t;
+ init_system_domain(vpnc_t, vpnc_exec_t)
+ application_domain(vpnc_t, vpnc_exec_t)
+-role vpnc_roles types vpnc_t;
++#role vpnc_roles types vpnc_t;
++role system_r types vpnc_t;
+ 
+ type vpnc_tmp_t;
+ files_tmp_file(vpnc_tmp_t)
+@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t)
+ seutil_dontaudit_search_config(vpnc_t)
+ seutil_use_newrole_fds(vpnc_t)
+ 
+-sysnet_run_ifconfig(vpnc_t, vpnc_roles)
++#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
+ sysnet_etc_filetrans_config(vpnc_t)
+ sysnet_manage_config(vpnc_t)
+ 
+commit 88b64bdd71ef734271b9370fc37e02785f354f7f
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 02:33:40 2012 +0200
+
+    Fix ncftool.if
+
+diff --git a/ncftool.if b/ncftool.if
+index 3a4455f..59f096b 100644
+--- a/ncftool.if
++++ b/ncftool.if
+@@ -43,11 +43,12 @@ interface(`ncftool_run',`
+         #ncftool_domtrans($1)
+         #roleattribute $2 ncftool_roles;
+ 
+-	role $1 types ncftool_t;
++	ncftool_domtrans($1)
++        role $2 types ncftool_t;
+ 
+-        ncftool_domtrans($2)
++        optional_policy(`
++                brctl_run(ncftool_t, $2)
++        ')
+ 
+-        ps_process_pattern($2, ncftool_t)
+-        allow $2 ncftool_t:process signal;
+ ')
+ 
+commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 10:47:57 2012 +0200
+
+    roleattriburte temp fixes for portage and dpkg
+
+diff --git a/dpkg.if b/dpkg.if
+index 4d32b42..d945bd0 100644
+--- a/dpkg.if
++++ b/dpkg.if
+@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
+ #
+ interface(`dpkg_run',`
+ 	gen_require(`
+-		attribute_role dpkg_roles;
++		#attribute_role dpkg_roles;
++		type dpkg_t, dpkg_script_t		
+ 	')
+ 
++	#dpkg_domtrans($1)
++	#roleattribute $2 dpkg_roles;
++
+ 	dpkg_domtrans($1)
+-	roleattribute $2 dpkg_roles;
++        role $2 types dpkg_t;
++        role $2 types dpkg_script_t;
++        seutil_run_loadpolicy(dpkg_script_t, $2)
++
+ ')
+ 
+ ########################################
+diff --git a/dpkg.te b/dpkg.te
+index a1b8f92..9ac1b80 100644
+--- a/dpkg.te
++++ b/dpkg.te
+@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1)
+ # Declarations
+ #
+ 
+-attribute_role dpkg_roles;
+-roleattribute system_r dpkg_roles;
++#attribute_role dpkg_roles;
++#roleattribute system_r dpkg_roles;
+ 
+ type dpkg_t;
+ type dpkg_exec_t;
+@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
+ domain_role_change_exemption(dpkg_t)
+ domain_system_change_exemption(dpkg_t)
+ domain_interactive_fd(dpkg_t)
+-role dpkg_roles types dpkg_t;
++#role dpkg_roles types dpkg_t;
++role system_r types dpkg_t;
+ 
+ # lockfile
+ type dpkg_lock_t;
+@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
+ domain_obj_id_change_exemption(dpkg_script_t)
+ domain_system_change_exemption(dpkg_script_t)
+ domain_interactive_fd(dpkg_script_t)
+-role dpkg_roles types dpkg_script_t;
++#role dpkg_roles types dpkg_script_t;
++role system_r types dpkg_script_t;
+ 
+ type dpkg_script_tmp_t;
+ files_tmp_file(dpkg_script_tmp_t)
+@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t)
+ init_domtrans_script(dpkg_t)
+ init_use_script_ptys(dpkg_t)
+ 
++#libs_exec_ld_so(dpkg_t)
++#libs_exec_lib_files(dpkg_t)
++#libs_run_ldconfig(dpkg_t, dpkg_roles)
+ libs_exec_ld_so(dpkg_t)
+ libs_exec_lib_files(dpkg_t)
+-libs_run_ldconfig(dpkg_t, dpkg_roles)
++libs_domtrans_ldconfig(dpkg_t)
+ 
+ logging_send_syslog_msg(dpkg_t)
+ 
+@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t)
+ files_read_etc_runtime_files(dpkg_t)
+ files_exec_usr_files(dpkg_t)
+ miscfiles_read_localization(dpkg_t)
+-modutils_run_depmod(dpkg_t, dpkg_roles)
+-modutils_run_insmod(dpkg_t, dpkg_roles)
+-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
+-seutil_run_setfiles(dpkg_t, dpkg_roles)
++#modutils_run_depmod(dpkg_t, dpkg_roles)
++#modutils_run_insmod(dpkg_t, dpkg_roles)
++#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
++#seutil_run_setfiles(dpkg_t, dpkg_roles)
+ userdom_use_all_users_fds(dpkg_t)
+ optional_policy(`
+ 	mta_send_mail(dpkg_t)
+ ')
++
++
+ optional_policy(`
+-	usermanage_run_groupadd(dpkg_t, dpkg_roles)
+-	usermanage_run_useradd(dpkg_t, dpkg_roles)
++        modutils_domtrans_depmod(dpkg_t)
++        modutils_domtrans_insmod(dpkg_t)
++	seutil_domtrans_loadpolicy(dpkg_t)
++	seutil_domtrans_setfiles(dpkg_t)
++        usermanage_domtrans_groupadd(dpkg_t)
++        usermanage_domtrans_useradd(dpkg_t)
+ ')
+ 
++#optional_policy(`
++#	usermanage_run_groupadd(dpkg_t, dpkg_roles)
++#	usermanage_run_useradd(dpkg_t, dpkg_roles)
++#')
++
+ ########################################
+ #
+ # dpkg-script Local policy
+@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t)
+ 
+ miscfiles_read_localization(dpkg_script_t)
+ 
+-modutils_run_depmod(dpkg_script_t, dpkg_roles)
+-modutils_run_insmod(dpkg_script_t, dpkg_roles)
++#modutils_run_depmod(dpkg_script_t, dpkg_roles)
++#modutils_run_insmod(dpkg_script_t, dpkg_roles)
+ 
+-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
+-seutil_run_setfiles(dpkg_script_t, dpkg_roles)
++#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
++#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
+ 
+ userdom_use_all_users_fds(dpkg_script_t)
+ 
+@@ -319,9 +335,9 @@ optional_policy(`
+ 	apt_use_fds(dpkg_script_t)
+ ')
+ 
+-optional_policy(`
+-	bootloader_run(dpkg_script_t, dpkg_roles)
+-')
++#optional_policy(`
++#	bootloader_run(dpkg_script_t, dpkg_roles)
++#')
+ 
+ optional_policy(`
+ 	mta_send_mail(dpkg_script_t)
+@@ -335,7 +351,7 @@ optional_policy(`
+ 	unconfined_domain(dpkg_script_t)
+ ')
+ 
+-optional_policy(`
+-	usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
+-	usermanage_run_useradd(dpkg_script_t, dpkg_roles)
+-')
++#optional_policy(`
++#	usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
++#	usermanage_run_useradd(dpkg_script_t, dpkg_roles)
++#')
+diff --git a/portage.if b/portage.if
+index b4bb48a..e5e8f12 100644
+--- a/portage.if
++++ b/portage.if
+@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
+ #
+ interface(`portage_run',`
+ 	gen_require(`
+-		attribute_role portage_roles;
++		type portage_t, portage_fetch_t, portage_sandbox_t;
++		#attribute_role portage_roles;
+ 	')
+ 
+-	portage_domtrans($1)
+-	roleattribute $2 portage_roles;
++	#portage_domtrans($1)
++	#roleattribute $2 portage_roles;
++	    portage_domtrans($1)
++    role $2 types { portage_t portage_fetch_t portage_sandbox_t }
++
+ ')
+ 
+ ########################################
+diff --git a/portage.te b/portage.te
+index 22bdf7d..f726e1d 100644
+--- a/portage.te
++++ b/portage.te
+@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
+ ## </desc>
+ gen_tunable(portage_use_nfs, false)
+ 
+-attribute_role portage_roles;
++#attribute_role portage_roles;
+ 
+ type gcc_config_t;
+ type gcc_config_exec_t;
+@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
+ domain_obj_id_change_exemption(portage_t)
+ rsync_entry_type(portage_t)
+ corecmd_shell_entry_type(portage_t)
+-role portage_roles types portage_t;
++#role portage_roles types portage_t;
++role system_r types portage_t;
+ 
+ # portage compile sandbox domain
+ type portage_sandbox_t;
+@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
+ # the shell is the entrypoint if regular sandbox is disabled
+ # portage_exec_t is the entrypoint if regular sandbox is enabled
+ corecmd_shell_entry_type(portage_sandbox_t)
+-role portage_roles types portage_sandbox_t;
++#role portage_roles types portage_sandbox_t;
++role system_r types portage_sandbox_t;
+ 
+ # portage package fetching domain
+ type portage_fetch_t;
+@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
+ application_domain(portage_fetch_t, portage_fetch_exec_t)
+ corecmd_shell_entry_type(portage_fetch_t)
+ rsync_entry_type(portage_fetch_t)
+-role portage_roles types portage_fetch_t;
++#role portage_roles types portage_fetch_t;
++role system_r types portage_fetch_t;
+ 
+ type portage_devpts_t;
+ term_pty(portage_devpts_t)
+@@ -115,7 +118,8 @@ files_list_all(gcc_config_t)
+ init_dontaudit_read_script_status_files(gcc_config_t)
+ 
+ libs_read_lib_files(gcc_config_t)
+-libs_run_ldconfig(gcc_config_t, portage_roles)
++#libs_run_ldconfig(gcc_config_t, portage_roles)
++libs_domtrans_ldconfig(gcc_config_t)
+ libs_manage_shared_libs(gcc_config_t)
+ # gcc-config creates a temp dir for the libs
+ libs_manage_lib_dirs(gcc_config_t)
+@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t)
+ init_exec(portage_t)
+ 
+ # run setfiles -r
+-seutil_run_setfiles(portage_t, portage_roles)
++#seutil_run_setfiles(portage_t, portage_roles)
+ # run semodule
+-seutil_run_semanage(portage_t, portage_roles)
++#seutil_run_semanage(portage_t, portage_roles)
+ 
+-portage_run_gcc_config(portage_t, portage_roles)
++#portage_run_gcc_config(portage_t, portage_roles)
+ # if sesandbox is disabled, compiling is performed in this domain
+ portage_compile_domain(portage_t)
+ 
+-optional_policy(`
+-	bootloader_run(portage_t, portage_roles)
+-')
++#optional_policy(`
++#	bootloader_run(portage_t, portage_roles)
++#')
+ 
+ optional_policy(`
+ 	cron_system_entry(portage_t, portage_exec_t)
+ 	cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
+ ')
+ 
+-optional_policy(`
+-	modutils_run_depmod(portage_t, portage_roles)
+-	modutils_run_update_mods(portage_t, portage_roles)
++#optional_policy(`
++#	modutils_run_depmod(portage_t, portage_roles)
++#	modutils_run_update_mods(portage_t, portage_roles)
+ 	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+ ')
+ 
+-optional_policy(`
+-	usermanage_run_groupadd(portage_t, portage_roles)
+-	usermanage_run_useradd(portage_t, portage_roles)
+-')
++#optional_policy(`
++#	usermanage_run_groupadd(portage_t, portage_roles)
++#	usermanage_run_useradd(portage_t, portage_roles)
++#')
++
++seutil_domtrans_setfiles(portage_t)
++seutil_domtrans_semanage(portage_t)
++bootloader_domtrans(portage_t)
++modutils_domtrans_depmod(portage_t)
++modutils_domtrans_update_mods(portage_t)
++usermanage_domtrans_groupadd(portage_t)
++usermanage_domtrans_useradd(portage_t)
+ 
+ ifdef(`TODO',`
+ # seems to work ok without these
+commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 10:52:09 2012 +0200
+
+    Fix typo
+
+diff --git a/portage.if b/portage.if
+index e5e8f12..7098ded 100644
+--- a/portage.if
++++ b/portage.if
+@@ -50,7 +50,7 @@ interface(`portage_run',`
+ 	#portage_domtrans($1)
+ 	#roleattribute $2 portage_roles;
+ 	    portage_domtrans($1)
+-    role $2 types { portage_t portage_fetch_t portage_sandbox_t }
++    role $2 types { portage_t portage_fetch_t portage_sandbox_t };
+ 
+ ')
+ 
+commit cf999ca29d2a4401c481e28c169e10d676d73526
+Author: Miroslav Grepl <mgrepl at redhat.com>
+Date:   Thu Jun 7 10:59:22 2012 +0200
+
+    One more typo
+
+diff --git a/dpkg.if b/dpkg.if
+index d945bd0..78736d8 100644
+--- a/dpkg.if
++++ b/dpkg.if
+@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',`
+ interface(`dpkg_run',`
+ 	gen_require(`
+ 		#attribute_role dpkg_roles;
+-		type dpkg_t, dpkg_script_t		
++		type dpkg_t, dpkg_script_t;
+ 	')
+ 
+ 	#dpkg_domtrans($1)
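Review bot: `role system_r types mozilla_t;` at L1451, together with L1461 and L1471 for the plugin domains, associates the system role with the browser domains although the replaced declaration in the visible context was only `attribute_role mozilla_roles;` with no `roleattribute system_r mozilla_roles;`, so this widens system_r rather than substituting like for like; `role $1 types mozilla_t;` at L1412 already covers the roles that call `mozilla_role`, so the three system_r lines look droppable, or they need a comment naming the system_r process that must enter mozilla_t. The same question applies to `pppd_t`/`pptp_t` (L1642, L1652), `usernetctl_t` (L1727) and the `portage_*` domains (L2056, L2066, L2076), whose visible originals likewise show no system_r association, unlike livecd, ncftool, vpn and dpkg where the removed `roleattribute system_r …` line makes the new `role system_r types` equivalent. A second point: the `.te` files replace `*_run(domain, roles)` with `*_domtrans(domain)`, which drops the `role … types` for the transition targets; `usernetctl_run` (L1694-L1707) and `vpn_run` (L1793) re-attach them to `$2`, but `ncftool_run` after its fix at L1844-L1850 only re-adds `brctl_run`, so the `sysnet_domtrans_dhcpc`/`ifconfig`, `modutils_domtrans_insmod` and `netutils_domtrans` targets from ncftool.te (L1563-L1564, L1588, L1595) presumably no longer carry a role association for the calling role unless one is provided elsewhere. Style: L1880-L1882 and L2031-L2032 mix tab and space indentation in files that otherwise use tabs, and since every old line is kept as a `#` comment, a one-line header comment per file such as `# TEMP: roleattribute support disabled, restore *_roles when available` would make the temporary state easier to unwind.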
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index b1052b6..600b000 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -18728,7 +18728,7 @@ index 9d3201b..6e75e3d 100644
 +	allow $1 ftpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ftp.te b/ftp.te
-index 4285c83..4bd0373 100644
+index 4285c83..ed96e96 100644
 --- a/ftp.te
 +++ b/ftp.te
 @@ -40,6 +40,27 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -18812,7 +18812,15 @@ index 4285c83..4bd0373 100644
  dontaudit ftpd_t self:capability sys_tty_config;
  allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
  allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -163,13 +200,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -151,7 +188,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+ 
+ manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+ manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+-files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+ 
+ manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+ manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+@@ -163,13 +199,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
  manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
  manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
  manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
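Review bot: The nested patch now removes `files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })` at L2205 while the surrounding `manage_*_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)` rules stay, so ftpd_t keeps its permissions on ftpd_tmp_t but, as far as the visible context shows, nothing labels new /tmp content with that private type any more; whatever ftpd creates under /tmp would inherit the directory's default type unless another transition rule elsewhere in the file covers it. If the removal is deliberate, a comment on it or a note in the commit message would help, since it is unrelated to the roleattribute change the commit describes. The remaining ftp.te hunks in this file are line-offset renumbering only.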
@@ -18828,7 +18836,7 @@ index 4285c83..4bd0373 100644
  
  # Create and modify /var/log/xferlog.
  manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -177,7 +214,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+@@ -177,7 +213,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
  
  kernel_read_kernel_sysctls(ftpd_t)
  kernel_read_system_state(ftpd_t)
@@ -18837,7 +18845,7 @@ index 4285c83..4bd0373 100644
  
  dev_read_sysfs(ftpd_t)
  dev_read_urand(ftpd_t)
-@@ -196,9 +233,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
+@@ -196,9 +232,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
  corenet_tcp_bind_ftp_port(ftpd_t)
  corenet_tcp_bind_ftp_data_port(ftpd_t)
  corenet_tcp_bind_generic_port(ftpd_t)
@@ -18849,7 +18857,7 @@ index 4285c83..4bd0373 100644
  corenet_sendrecv_ftp_server_packets(ftpd_t)
  
  domain_use_interactive_fds(ftpd_t)
-@@ -212,13 +248,11 @@ fs_search_auto_mountpoints(ftpd_t)
+@@ -212,13 +247,11 @@ fs_search_auto_mountpoints(ftpd_t)
  fs_getattr_all_fs(ftpd_t)
  fs_search_fusefs(ftpd_t)
  
@@ -18865,7 +18873,7 @@ index 4285c83..4bd0373 100644
  
  init_rw_utmp(ftpd_t)
  
-@@ -261,7 +295,15 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+@@ -261,7 +294,15 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
  
  tunable_policy(`allow_ftpd_full_access',`
  	allow ftpd_t self:capability { dac_override dac_read_search };
@@ -18882,7 +18890,7 @@ index 4285c83..4bd0373 100644
  ')
  
  tunable_policy(`ftp_home_dir',`
-@@ -270,10 +312,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +311,13 @@ tunable_policy(`ftp_home_dir',`
  	# allow access to /home
  	files_list_home(ftpd_t)
  	userdom_read_user_home_content_files(ftpd_t)
@@ -18900,7 +18908,7 @@ index 4285c83..4bd0373 100644
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,10 +354,34 @@ optional_policy(`
+@@ -309,10 +353,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18936,7 +18944,7 @@ index 4285c83..4bd0373 100644
  ')
  
  optional_policy(`
-@@ -347,16 +416,17 @@ optional_policy(`
+@@ -347,16 +415,17 @@ optional_policy(`
  
  # Allow ftpdctl to talk to ftpd over a socket connection
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -18956,7 +18964,7 @@ index 4285c83..4bd0373 100644
  
  ########################################
  #
-@@ -365,18 +435,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t)
  
  files_read_etc_files(sftpd_t)
  
@@ -18993,7 +19001,7 @@ index 4285c83..4bd0373 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +479,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -53059,10 +53067,10 @@ index 58e7ec0..e4119f7 100644
 +	allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
 +')
 diff --git a/telnet.te b/telnet.te
-index f40e67b..50163e0 100644
+index f40e67b..3519e88 100644
 --- a/telnet.te
 +++ b/telnet.te
-@@ -24,16 +24,16 @@ files_pid_file(telnetd_var_run_t)
+@@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t)
  # Local policy
  #
  
@@ -53082,7 +53090,12 @@ index f40e67b..50163e0 100644
  term_create_pty(telnetd_t, telnetd_devpts_t)
  
  manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
-@@ -81,15 +81,10 @@ miscfiles_read_localization(telnetd_t)
+ manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
+ 
+ manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
+ files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
+@@ -81,15 +80,10 @@ miscfiles_read_localization(telnetd_t)
  
  seutil_read_config(telnetd_t)
  
@@ -53100,7 +53113,7 @@ index f40e67b..50163e0 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_nfs(telnetd_t)
-@@ -98,3 +93,12 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -98,3 +92,12 @@ tunable_policy(`use_nfs_home_dirs',`
  tunable_policy(`use_samba_home_dirs',`
  	fs_search_cifs(telnetd_t)
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bbc3b70..c6e309c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -254,9 +254,11 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch1 -p1
+%patch2 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch -p1
+%patch3 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 
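Review bot: `%patch2 -p1` and `%patch3 -p1` are applied in %prep, but the diffstat for selinux-policy.spec shows only these two added lines, so the matching `Patch2:` and `Patch3:` source declarations for the new roleattribute patch files are not introduced by this commit. If they do not already exist in the spec, rpmbuild will fail at %prep; if they do, confirm `Patch2:` points at the contrib patch and `Patch3:` at the base policy patch, since each is applied inside a different %setup tree. Adding a one-line comment such as `# roleattribute patches: Patch2 applies to contrib, Patch3 to refpolicy` above the %setup lines would make the pairing explicit.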

