[selinux-policy/f17] - Allow collectd to read virt config - Allow collectd setsched - Add support for /usr/sbin/mdm* - Fi
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jun 8 12:54:34 UTC 2012
commit 184f70428bdc913d40b7001a7be88536be935dfe
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jun 8 14:54:14 2012 +0200
- Allow collectd to read virt config
- Allow collectd setsched
- Add support for /usr/sbin/mdm*
- Fix java binaries labels when installed under /usr/lib/jvm/java
- Add labeling for /var/run/mdm
- Allow apps that can read net_conf_t files read symlinks
- Allow all domains that can search or read tmp_t, able to read a tmp_t link
- Dontaudit mozilla_plugin looking at xdm_tmp_t
- Looks like collectd needs to change its scheduling priority
- Allow uux_t to access nsswitch data
- New labeling for samba, pid dirs moved to subdirs of samba
- Allow nova_api to use nsswitch
- Allow mozilla_plugin to execute files labeled as lib_t
- Label content under HOME_DIR/zimbrauserdata as mozilla_home data
- abrt is fooled into reading mozilla_plugin content; we want to dontaudit
- Allow mozilla_plugin to connect to ircd ports since a plugin might be an irc chat window
- Allow winbind to create content in smbd_var_run_t directories
- Allow setroubleshoot_fixit to read the selinux policy store. No reason to deny it
- Support libvirt plugin for collectd
policy-F16.patch | 1117 ++++++++++++++++++++++++++-------------------------
selinux-policy.spec | 23 +-
2 files changed, 590 insertions(+), 550 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 221a418..6034671 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -62658,7 +62658,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..968fdbe 100644
+index 441cf22..b599f68 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -62941,18 +62941,6 @@ index 441cf22..968fdbe 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -531,6 +547,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rpc_list_nfs_state_data(useradd_t)
-+ rpc_read_nfs_state_data(useradd_t)
-+')
-+
-+optional_policy(`
- tunable_policy(`samba_domain_controller',`
- samba_append_log(useradd_t)
- ')
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index ebf4b26..b58c822 100644
--- a/policy/modules/admin/vpn.te
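Review bot: the changelog has no entry for dropping the `rpc_list_nfs_state_data(useradd_t)` / `rpc_read_nfs_state_data(useradd_t)` block from the useradd_t policy. Say whether it was removed because the rules have gone upstream or because useradd no longer needs NFS state data; on hosts with home directories on NFS this is the kind of rule whose loss only shows up later as an AVC denial during account creation.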
@@ -66828,10 +66816,10 @@ index dff0f12..ecab36d 100644
init_dbus_chat_script(mono_t)
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 93ac529..6e03a8c 100644
+index 93ac529..82f8e65 100644
--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
-@@ -1,8 +1,16 @@
+@@ -1,8 +1,17 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -66845,10 +66833,11 @@ index 93ac529..6e03a8c 100644
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /bin
-@@ -14,16 +22,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -14,16 +23,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
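Review bot: `HOME_DIR/zimbrauserdata(/.*)?` is the only non-dotfile entry in this group, so it also matches a visible directory a user may create for other purposes; if that is acceptable it matches the changelog entry. Existing home directories only pick up the mozilla_home_t label after a relabel (restorecon -R over the home directory), which is worth stating in the update notes.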
@@ -67137,7 +67126,7 @@ index fbb5c5a..ce9aee0 100644
')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..c5f9431 100644
+index 2e9318b..3a09bbc 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
@@ -67185,7 +67174,7 @@ index 2e9318b..c5f9431 100644
type mozilla_tmp_t;
files_tmp_file(mozilla_tmp_t)
ubac_constrained(mozilla_tmp_t)
-@@ -111,7 +128,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
+@@ -111,12 +128,15 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
@@ -67195,16 +67184,24 @@ index 2e9318b..c5f9431 100644
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
corenet_tcp_connect_http_cache_port(mozilla_t)
-@@ -156,6 +175,8 @@ fs_rw_tmpfs_files(mozilla_t)
+ corenet_tcp_connect_squid_port(mozilla_t)
+ corenet_tcp_connect_ftp_port(mozilla_t)
++corenet_tcp_connect_ircd_port(mozilla_plugin_t)
+ corenet_tcp_connect_ipp_port(mozilla_t)
+ corenet_tcp_connect_generic_port(mozilla_t)
+ corenet_tcp_connect_soundd_port(mozilla_t)
+@@ -156,6 +176,10 @@ fs_rw_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
+auth_use_nsswitch(mozilla_t)
+
++libs_exec_lib_files(mozilla_plugin_t)
++
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
-@@ -165,27 +186,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -165,27 +189,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
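Review bot: `corenet_tcp_connect_ircd_port(mozilla_plugin_t)` and `libs_exec_lib_files(mozilla_plugin_t)` are inserted into the mozilla_t sections (the corenet block and next to `auth_use_nsswitch(mozilla_t)`) instead of the mozilla_plugin local policy further down; move them there so the plugin domain's rules stay in one place. `libs_exec_lib_files` also lets the plugin domain execute anything labeled lib_t, not just the plugin's own libraries; if one library path produced the denial, an fc entry giving that path a narrower type would keep the grant smaller.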
@@ -67238,7 +67235,7 @@ index 2e9318b..c5f9431 100644
# Uploads, local html
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-@@ -262,6 +277,7 @@ optional_policy(`
+@@ -262,6 +280,7 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
@@ -67246,7 +67243,7 @@ index 2e9318b..c5f9431 100644
')
optional_policy(`
-@@ -278,10 +294,6 @@ optional_policy(`
+@@ -278,10 +297,6 @@ optional_policy(`
')
optional_policy(`
@@ -67257,7 +67254,7 @@ index 2e9318b..c5f9431 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -296,25 +308,34 @@ optional_policy(`
+@@ -296,25 +311,34 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -67300,7 +67297,7 @@ index 2e9318b..c5f9431 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,6 +343,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,6 +346,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -67311,7 +67308,7 @@ index 2e9318b..c5f9431 100644
can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -331,22 +356,31 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -331,22 +359,31 @@ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -67349,7 +67346,7 @@ index 2e9318b..c5f9431 100644
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +389,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +392,7 @@ dev_write_sound(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -67357,7 +67354,7 @@ index 2e9318b..c5f9431 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,11 +397,14 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,11 +400,14 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -67372,7 +67369,7 @@ index 2e9318b..c5f9431 100644
application_dontaudit_signull(mozilla_plugin_t)
auth_use_nsswitch(mozilla_plugin_t)
-@@ -383,35 +421,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,35 +424,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
@@ -67419,7 +67416,7 @@ index 2e9318b..c5f9431 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,11 +450,19 @@ optional_policy(`
+@@ -421,11 +453,19 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -67439,7 +67436,7 @@ index 2e9318b..c5f9431 100644
')
optional_policy(`
-@@ -438,18 +475,103 @@ optional_policy(`
+@@ -438,18 +478,105 @@ optional_policy(`
')
optional_policy(`
@@ -67460,13 +67457,15 @@ index 2e9318b..c5f9431 100644
+
+optional_policy(`
+ rtkit_scheduled(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(mozilla_plugin_t)
')
optional_policy(`
++ udev_read_db(mozilla_plugin_t)
++')
++
++optional_policy(`
++ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
++ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
xserver_use_user_fonts(mozilla_plugin_t)
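Review bot: `xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })` changes how objects the plugin creates inside xdm_tmp_t directories are labeled, which is more than the "Dontaudit mozilla_plugin looking at xdm_tmp_t" entry describes; add a changelog line for the transition. The rtkit/udev reshuffle is a no-op that only reuses the upstream `')` and `optional_policy(` lines, and the inner header going from +103 to +105 lines matches the two net lines added.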
@@ -71295,10 +71294,10 @@ index 0000000..9127cec
+')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..5a84da4
+index 0000000..04711c6
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,103 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -71361,7 +71360,6 @@ index 0000000..5a84da4
+dev_read_sysfs(thumb_t)
+dev_read_urand(thumb_t)
+dev_dontaudit_rw_dri(thumb_t)
-+dev_rw_xserver_misc(thumb_t)
+
+domain_use_interactive_fds(thumb_t)
+
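Review bot: removing `dev_rw_xserver_misc(thumb_t)` tightens the thumbnailer domain but is not in the changelog; the same permission is kept for mozilla_plugin_t with the comment "for nvidia driver", so say whether thumbnailers were confirmed not to hit that path. If they do, the denial will show up as an AVC against xserver_misc_device_t, which is easy to check on a machine with that driver.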
@@ -72120,7 +72118,7 @@ index 223ad43..d95e720 100644
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..f55e193 100644
+index 3fae11a..4172347 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -72209,7 +72207,7 @@ index 3fae11a..f55e193 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -179,67 +184,93 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +184,94 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -72244,6 +72242,7 @@ index 3fae11a..f55e193 100644
/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
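Review bot: the new `/usr/lib/jvm/java(.*/)bin(/.*)` entry makes both groups mandatory, unlike the `/usr/lib(.*/)?bin(/.*)?` line right below it, so it never matches the `bin` directory itself, only entries beneath it. If the intent is simply that JDK binaries under /usr/lib/jvm/java* are bin_t, write it as `/usr/lib/jvm/java(.*/)?bin(/.*)?` for consistency, and check with matchpathcon that it does not shadow a more specific entry for the java launcher elsewhere in the policy.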
@@ -72348,7 +72347,7 @@ index 3fae11a..f55e193 100644
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,11 +278,18 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +279,18 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -72368,7 +72367,7 @@ index 3fae11a..f55e193 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +305,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +306,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -72379,7 +72378,7 @@ index 3fae11a..f55e193 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +328,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +329,19 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -72400,7 +72399,7 @@ index 3fae11a..f55e193 100644
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +352,12 @@ ifdef(`distro_redhat', `
+@@ -306,10 +353,12 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -72415,7 +72414,7 @@ index 3fae11a..f55e193 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +367,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +368,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -72427,7 +72426,7 @@ index 3fae11a..f55e193 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,20 +413,21 @@ ifdef(`distro_redhat', `
+@@ -363,20 +414,21 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -72453,7 +72452,7 @@ index 3fae11a..f55e193 100644
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +436,13 @@ ifdef(`distro_suse', `
+@@ -385,3 +437,13 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -76776,7 +76775,7 @@ index c19518a..7ace2f2 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..95fcd54 100644
+index ff006ea..dfb7ed0 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -77438,7 +77437,15 @@ index ff006ea..95fcd54 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -3945,7 +4357,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3935,6 +4347,7 @@ interface(`files_getattr_tmp_dirs',`
+ type tmp_t;
+ ')
+
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir getattr;
+ ')
+
+@@ -3945,7 +4358,7 @@ interface(`files_getattr_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
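Review bot: the `read_lnk_files_pattern($1, tmp_t, tmp_t)` added to files_getattr_tmp_dirs widens that interface beyond the "search or read" in the changelog: the pattern expands to `allow $1 tmp_t:dir search_dir_perms` plus lnk_file read, so every caller that only asked for getattr on /tmp now gets search on it and can follow tmp_t symlinks. Either drop it from this interface or update its summary ("Get the attributes of the tmp directory") so callers know what they are getting.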
@@ -77447,7 +77454,23 @@ index ff006ea..95fcd54 100644
## </summary>
## </param>
#
-@@ -4017,7 +4429,7 @@ interface(`files_list_tmp',`
+@@ -3972,6 +4385,7 @@ interface(`files_search_tmp',`
+ type tmp_t;
+ ')
+
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir search_dir_perms;
+ ')
+
+@@ -4008,6 +4422,7 @@ interface(`files_list_tmp',`
+ type tmp_t;
+ ')
+
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir list_dir_perms;
+ ')
+
+@@ -4017,7 +4432,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
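Review bot: in files_search_tmp the explicit `allow $1 tmp_t:dir search_dir_perms` is now redundant with the dir search that read_lnk_files_pattern already grants; harmless, but the summaries of files_search_tmp and files_list_tmp should mention that callers can now read tmp_t symlinks, as that is what the changelog entry promises.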
@@ -77456,7 +77479,7 @@ index ff006ea..95fcd54 100644
## </summary>
## </param>
#
-@@ -4029,6 +4441,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4444,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -77475,13 +77498,22 @@ index ff006ea..95fcd54 100644
+ type tmp_t;
+ ')
+
++ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
+')
+
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4085,6 +4515,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4044,6 +4478,7 @@ interface(`files_delete_tmp_dir_entry',`
+ type tmp_t;
+ ')
+
++ files_search_tmp($1)
+ allow $1 tmp_t:dir del_entry_dir_perms;
+ ')
+
+@@ -4085,6 +4520,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
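Review bot: `files_search_tmp($1)` in front of `allow $1 tmp_t:dir rw_dir_perms` and `del_entry_dir_perms` adds nothing for directory search (both permission sets already include it); its only real effect is to pull in the tmp_t symlink read that this same commit adds to files_search_tmp. If that is the purpose, calling read_lnk_files_pattern directly makes it explicit; otherwise the call can go.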
@@ -77514,7 +77546,7 @@ index ff006ea..95fcd54 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4139,6 +4595,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4600,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -77557,7 +77589,7 @@ index ff006ea..95fcd54 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4202,7 +4694,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4699,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -77566,7 +77598,7 @@ index ff006ea..95fcd54 100644
## </summary>
## </param>
#
-@@ -4262,7 +4754,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4759,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -77575,7 +77607,7 @@ index ff006ea..95fcd54 100644
## </summary>
## </param>
#
-@@ -4318,7 +4810,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4815,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
@@ -77584,7 +77616,7 @@ index ff006ea..95fcd54 100644
')
########################################
-@@ -4342,6 +4834,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4839,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -77601,7 +77633,7 @@ index ff006ea..95fcd54 100644
')
########################################
-@@ -4681,7 +5183,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5188,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
@@ -77610,7 +77642,7 @@ index ff006ea..95fcd54 100644
')
########################################
-@@ -4914,6 +5416,24 @@ interface(`files_list_var',`
+@@ -4914,6 +5421,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -77635,7 +77667,7 @@ index ff006ea..95fcd54 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5084,7 +5604,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5609,7 @@ interface(`files_var_filetrans',`
type var_t;
')
@@ -77644,7 +77676,7 @@ index ff006ea..95fcd54 100644
')
########################################
-@@ -5219,7 +5739,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5744,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -77653,7 +77685,7 @@ index ff006ea..95fcd54 100644
')
########################################
-@@ -5259,6 +5779,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5259,6 +5784,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -77679,7 +77711,7 @@ index ff006ea..95fcd54 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5304,6 +5843,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5848,25 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -77705,7 +77737,7 @@ index ff006ea..95fcd54 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5317,6 +5875,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5880,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -77714,7 +77746,7 @@ index ff006ea..95fcd54 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5336,12 +5896,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5901,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -77730,7 +77762,7 @@ index ff006ea..95fcd54 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5349,12 +5911,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5916,30 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -77763,7 +77795,7 @@ index ff006ea..95fcd54 100644
')
########################################
-@@ -5373,6 +5953,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5958,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -77771,7 +77803,7 @@ index ff006ea..95fcd54 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5385,7 +5966,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5971,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -77779,7 +77811,7 @@ index ff006ea..95fcd54 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5412,7 +5992,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5997,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -77788,7 +77820,7 @@ index ff006ea..95fcd54 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5428,12 +6008,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +6013,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -77805,7 +77837,7 @@ index ff006ea..95fcd54 100644
')
########################################
-@@ -5452,7 +6032,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +6037,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -77814,7 +77846,7 @@ index ff006ea..95fcd54 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5493,7 +6073,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +6078,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -77823,7 +77855,7 @@ index ff006ea..95fcd54 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +6095,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +6100,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -77832,7 +77864,7 @@ index ff006ea..95fcd54 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +6127,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6132,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -77843,7 +77875,7 @@ index ff006ea..95fcd54 100644
')
########################################
-@@ -5608,6 +6188,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6193,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -77887,7 +77919,7 @@ index ff006ea..95fcd54 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5629,6 +6246,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,6 +6251,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -77913,7 +77945,7 @@ index ff006ea..95fcd54 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -5736,7 +6372,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6377,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -77922,7 +77954,7 @@ index ff006ea..95fcd54 100644
')
########################################
-@@ -5815,29 +6451,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6456,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -77956,18 +77988,16 @@ index ff006ea..95fcd54 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5845,12 +6477,182 @@ interface(`files_read_all_pids',`
+@@ -5845,7 +6482,177 @@ interface(`files_read_all_pids',`
## </summary>
## </param>
#
-interface(`files_mounton_all_poly_members',`
+interface(`files_delete_all_pid_sockets',`
- gen_require(`
-- attribute polymember;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- allow $1 polymember:dir mounton;
++ ')
++
+ allow $1 pidfile:sock_file delete_sock_file_perms;
+')
+
@@ -78134,15 +78164,10 @@ index ff006ea..95fcd54 100644
+## </param>
+#
+interface(`files_mounton_all_poly_members',`
-+ gen_require(`
-+ attribute polymember;
-+ ')
-+
-+ allow $1 polymember:dir mounton;
- ')
-
- ########################################
-@@ -5900,6 +6702,90 @@ interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+ attribute polymember;
+ ')
+@@ -5900,6 +6707,90 @@ interface(`files_delete_all_pid_dirs',`
########################################
## <summary>
@@ -78233,7 +78258,7 @@ index ff006ea..95fcd54 100644
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -6042,7 +6928,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6933,7 @@ interface(`files_spool_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -78242,7 +78267,7 @@ index ff006ea..95fcd54 100644
')
########################################
-@@ -6117,3 +7003,332 @@ interface(`files_unconfined',`
+@@ -6117,3 +7008,332 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -84514,7 +84539,7 @@ index 0b827c5..ac79ca6 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..c872f94 100644
+index 30861ec..9ea7f1f 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -84679,7 +84704,7 @@ index 30861ec..c872f94 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,22 +197,26 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +197,30 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -84699,20 +84724,23 @@ index 30861ec..c872f94 100644
+tunable_policy(`abrt_anon_write',`
+ miscfiles_manage_public_files(abrt_t)
+')
-
- optional_policy(`
-- dbus_system_domain(abrt_t, abrt_exec_t)
++
++optional_policy(`
+ apache_list_modules(abrt_t)
+ apache_read_modules(abrt_t)
++')
+
+ optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
')
optional_policy(`
- nis_use_ypbind(abrt_t)
-+ dbus_system_domain(abrt_t, abrt_exec_t)
++ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
')
optional_policy(`
-@@ -167,6 +237,7 @@ optional_policy(`
+@@ -167,6 +241,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
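Review bot: `mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)` takes over the optional_policy block that upstream uses for `nis_use_ypbind(abrt_t)`, so that block's requirements now come from mozilla.if rather than nis; the nis rule was already dropped by the patch but still has no changelog entry. Keep in mind the operational trade-off of a dontaudit: denials of abrt reading mozilla_plugin tmp content will no longer be written to the audit log, so anyone relying on those AVCs to notice abrt picking up plugin crash data loses that signal. The dbus_system_domain move is now a no-op (kept as upstream context) and the apache rules get their own optional block, which matches the inner header going from +26 to +30.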
@@ -84720,7 +84748,7 @@ index 30861ec..c872f94 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +249,35 @@ optional_policy(`
+@@ -178,12 +253,35 @@ optional_policy(`
')
optional_policy(`
@@ -84757,7 +84785,7 @@ index 30861ec..c872f94 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +294,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +298,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -84786,7 +84814,7 @@ index 30861ec..c872f94 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +317,146 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +321,146 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -84804,7 +84832,7 @@ index 30861ec..c872f94 100644
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
-+')
+ ')
+
+#######################################
+#
@@ -84919,7 +84947,7 @@ index 30861ec..c872f94 100644
+
+optional_policy(`
+ unconfined_domain(abrt_watch_log_t)
- ')
++')
+
+#######################################
+#
@@ -93563,7 +93591,7 @@ index 0000000..40415f8
+
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
new file mode 100644
-index 0000000..e7ca6fc
+index 0000000..04ff5c1
--- /dev/null
+++ b/policy/modules/services/collectd.te
@@ -0,0 +1,88 @@
@@ -93603,8 +93631,8 @@ index 0000000..e7ca6fc
+# collectd local policy
+#
+
-+allow collectd_t self:capability ipc_lock;
-+allow collectd_t self:process { signal fork };
++allow collectd_t self:capability { ipc_lock sys_nice };
++allow collectd_t self:process { getsched setsched signal fork };
+
+allow collectd_t self:fifo_file rw_fifo_file_perms;
+allow collectd_t self:packet_socket create_socket_perms;
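Review bot: `{ ipc_lock sys_nice }` together with self:process `{ getsched setsched }` is the narrow way to let collectd reprioritise itself; the process permissions are self-only, so this cannot change the scheduling of other domains, and the line count is unchanged so the `+1,88` header needs no bump. The "Allow collectd to read virt config" and libvirt plugin entries from the changelog are not visible in this hunk, so make sure the corresponding collectd_t rules are elsewhere in the patch.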
@@ -104192,10 +104220,10 @@ index 0000000..ebe1dde
+')
diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
new file mode 100644
-index 0000000..57e0566
+index 0000000..842165a
--- /dev/null
+++ b/policy/modules/services/glance.te
-@@ -0,0 +1,112 @@
+@@ -0,0 +1,117 @@
+policy_module(glance, 1.0.0)
+
+########################################
@@ -104255,12 +104283,17 @@ index 0000000..57e0566
+kernel_read_system_state(glance_domain)
+
+corecmd_exec_bin(glance_domain)
++corecmd_exec_shell(glance_domain)
+
+dev_read_urand(glance_domain)
+
+files_read_etc_files(glance_domain)
+files_read_usr_files(glance_domain)
+
++auth_read_passwd(glance_domain)
++
++libs_exec_ldconfig(glance_domain)
++
+miscfiles_read_localization(glance_domain)
+
+optional_policy(`
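Review bot: none of the glance changes appear in the changelog. Moving `libs_exec_ldconfig` from glance_api_t to the glance_domain attribute is fine, but `corecmd_exec_shell(glance_domain)` and `auth_read_passwd(glance_domain)` are broad grants for every glance daemon; shell execution is usually what turns a bug in a network-facing service into arbitrary command execution in that domain, so the denial that motivated it belongs in the commit message.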
@@ -104278,6 +104311,7 @@ index 0000000..57e0566
+
+corenet_tcp_bind_generic_node(glance_registry_t)
+corenet_tcp_bind_glance_registry_port(glance_registry_t)
++corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
+
+logging_send_syslog_msg(glance_registry_t)
+
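Review bot: `corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)` lets the registry connect to any unreserved port; if this is for its database backend, the port-specific corenet interface for that database keeps the grant tied to what the service actually talks to. Add a changelog line either way.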
@@ -104300,14 +104334,13 @@ index 0000000..57e0566
+
+corenet_tcp_bind_generic_node(glance_api_t)
+corenet_tcp_bind_glance_port(glance_api_t)
++corenet_tcp_bind_hplip_port(glance_api_t)
+corenet_tcp_connect_glance_registry_port(glance_api_t)
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+
+dev_read_urand(glance_api_t)
+
+fs_getattr_xattr_fs(glance_api_t)
-+
-+libs_exec_ldconfig(glance_api_t)
diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc
index 462de63..5df751b 100644
--- a/policy/modules/services/gnomeclock.fc
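Review bot: why does glance_api_t need `corenet_tcp_bind_hplip_port` when it already binds glance_port? If the API's listen port is currently labeled hplip_port_t, the right fix is to assign that port to glance_port_t in corenetwork rather than let the image service bind the printer port range; if it is a different port, name it in the changelog. The removal of `libs_exec_ldconfig(glance_api_t)` at the end is consistent with the earlier hunk that moves it to glance_domain.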
@@ -113896,7 +113929,7 @@ index 0000000..0d11800
+')
diff --git a/policy/modules/services/nova.te b/policy/modules/services/nova.te
new file mode 100644
-index 0000000..b0d25bb
+index 0000000..415b098
--- /dev/null
+++ b/policy/modules/services/nova.te
@@ -0,0 +1,328 @@
@@ -114043,7 +114076,7 @@ index 0000000..b0d25bb
+
+allow nova_cert_t self:udp_socket create_socket_perms;
+
-+auth_read_passwd(nova_cert_t)
++auth_use_nsswitch(nova_cert_t)
+
+miscfiles_read_certs(nova_cert_t)
+
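Review bot: the changelog says "Allow nova_api to use nsswitch" but this hunk changes nova_cert_t (`auth_read_passwd` to `auth_use_nsswitch`); either the entry or the domain is wrong. auth_use_nsswitch is a much broader interface than the passwd read it replaces (it brings in the name-service client rules, including DNS resolution), so the widening deserves a correct entry.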
@@ -115824,7 +115857,7 @@ index d883214..d6afa87 100644
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index 8b550f4..6075d39 100644
+index 8b550f4..cae4941 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
@@ -115869,25 +115902,21 @@ index 8b550f4..6075d39 100644
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
can_exec(openvpn_t, openvpn_etc_t)
-@@ -58,9 +60,15 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+@@ -58,9 +60,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
--allow openvpn_t openvpn_var_log_t:file manage_file_perms;
--logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
+ allow openvpn_t openvpn_var_log_t:file manage_file_perms;
+ logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
-+manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-+logging_log_filetrans(openvpn_t, openvpn_var_log_t, { dir file })
-+
+manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
-@@ -68,6 +76,7 @@ kernel_read_kernel_sysctls(openvpn_t)
+@@ -68,6 +74,7 @@ kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)
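Review bot: this hunk reverts `manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)` and the `{ dir file }` log filetrans back to the original file-only `allow openvpn_t openvpn_var_log_t:file manage_file_perms;`, so openvpn_t can write files in an existing log directory but can no longer create one under /var/log; if that revert is intentional it should be mentioned in the changelog, since the surrounding additions (openvpn_tmp_t management) suggest the rest of the openvpn rework stays.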
@@ -115895,7 +115924,7 @@ index 8b550f4..6075d39 100644
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
-@@ -87,6 +96,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
+@@ -87,6 +94,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
@@ -115903,7 +115932,7 @@ index 8b550f4..6075d39 100644
corenet_tcp_connect_http_cache_port(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
-@@ -100,33 +110,40 @@ dev_read_urand(openvpn_t)
+@@ -100,33 +108,40 @@ dev_read_urand(openvpn_t)
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
@@ -115952,7 +115981,7 @@ index 8b550f4..6075d39 100644
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +155,7 @@ optional_policy(`
+@@ -138,3 +153,7 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
@@ -124468,7 +124497,7 @@ index 0000000..6572600
+')
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
-index 0000000..d45cfe5
+index 0000000..cff25a9
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.te
@@ -0,0 +1,69 @@
@@ -124520,7 +124549,7 @@ index 0000000..d45cfe5
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
-+files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
++files_pid_filetrans(rhsmcertd_var_run_t, rhsmcertd_var_run_t, { file dir })
+
+kernel_read_network_state(rhsmcertd_t)
+kernel_read_system_state(rhsmcertd_t)
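Review bot: the subject of `files_pid_filetrans(rhsmcertd_var_run_t, rhsmcertd_var_run_t, { file dir })` should be the domain `rhsmcertd_t`, as it was before this change; with the file type as the first argument the rule compiles but grants the transition to a type that never runs, so rhsmcertd_t's pid files will be created as generic var_run_t and fail the `manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, ...)` access just above. Restore `files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })`.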
@@ -125181,7 +125210,7 @@ index 5c70c0c..b0c22f7 100644
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
-index cda37bb..fa20a5d 100644
+index cda37bb..b3469d6 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -32,7 +32,11 @@ interface(`rpc_stub',`
@@ -125317,42 +125346,23 @@ index cda37bb..fa20a5d 100644
')
########################################
-@@ -375,7 +451,26 @@ interface(`rpc_search_nfs_state_data',`
+@@ -375,7 +451,7 @@ interface(`rpc_search_nfs_state_data',`
')
files_search_var_lib($1)
- allow $1 var_lib_nfs_t:dir search;
+ allow $1 var_lib_nfs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## List NFS state data in /var/lib/nfs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`rpc_list_nfs_state_data',`
-+ gen_require(`
-+ type var_lib_nfs_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 var_lib_nfs_t:dir list_dir_perms;
')
########################################
-@@ -414,4 +509,5 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -414,4 +490,5 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..6ca60ac 100644
+index b1468ed..f30c62e 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
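Review bot: this hunk drops the whole `rpc_list_nfs_state_data` interface from the patch; an interface removal is a build-time break for any module still calling it (an undefined interface fails the policy build rather than producing a denial), so confirm no caller remains in this patch or in the base policy. The `search` to `search_dir_perms` change in `rpc_search_nfs_state_data` and the added `relabel_file_perms` in `rpc_manage_nfs_state_data` are fine.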
@@ -125400,12 +125410,7 @@ index b1468ed..6ca60ac 100644
type nfsd_rw_t;
files_type(nfsd_rw_t)
-@@ -58,13 +64,14 @@ files_mountpoint(var_lib_nfs_t)
- # RPC local policy
- #
-
--allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
-+allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
+@@ -62,9 +68,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
@@ -126046,7 +126051,7 @@ index a07b2f4..36b4903 100644
+
+userdom_getattr_user_terminals(rwho_t)
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
-index 69a6074..5c02dec 100644
+index 69a6074..3d65472 100644
--- a/policy/modules/services/samba.fc
+++ b/policy/modules/services/samba.fc
@@ -14,6 +14,8 @@
@@ -126058,17 +126063,22 @@ index 69a6074..5c02dec 100644
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
-@@ -36,6 +38,9 @@
+@@ -36,6 +38,10 @@
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
++/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
+
+/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-@@ -51,3 +56,7 @@
+@@ -48,6 +54,11 @@
+ /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+
++/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
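Review bot: the new `/var/run/samba/nmbd(/.*)?` and `/var/run/samba/winbindd(/.*)?` entries overlap the generic `/var/run/samba(/.*)? ... smbd_var_run_t` entry, so the subdirectory labels depend on file_contexts specificity matching rather than on textual order; verify with `matchpathcon /var/run/samba/nmbd /var/run/samba/winbindd` that the nmbd_var_run_t and winbind_var_run_t entries win, and keep the old `/var/run/nmbd` and `/var/run/winbindd` entries only as long as both layouts are shipped.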
@@ -126077,13 +126087,32 @@ index 69a6074..5c02dec 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..0ed7e14 100644
+index 82cb169..9642fe3 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
-@@ -42,6 +42,25 @@ interface(`samba_signal_nmbd',`
+@@ -42,6 +42,44 @@ interface(`samba_signal_nmbd',`
########################################
## <summary>
++## Search the samba pid directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`samba_search_pid',`
++ gen_require(`
++ type smbd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 smbd_var_run_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+## Connect to nmbd.
+## </summary>
+## <param name="domain">
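Review bot: the parameter summary of the new `samba_search_pid` interface reads "Domain to not audit." but the body grants access (`allow $1 smbd_var_run_t:dir search_dir_perms;`), so it should read "Domain allowed access." like the other allow interfaces in samba.if; the dontaudit wording belongs only to `_dontaudit_` interfaces.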
@@ -126097,7 +126126,7 @@ index 82cb169..0ed7e14 100644
+ type nmbd_t, nmbd_var_run_t;
+ ')
+
-+ files_search_pids($1)
++ samba_search_pid($1)
+ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+')
+
@@ -126106,7 +126135,7 @@ index 82cb169..0ed7e14 100644
## Execute samba server in the samba domain.
## </summary>
## <param name="domain">
-@@ -60,6 +79,29 @@ interface(`samba_initrc_domtrans',`
+@@ -60,6 +98,29 @@ interface(`samba_initrc_domtrans',`
########################################
## <summary>
@@ -126136,7 +126165,7 @@ index 82cb169..0ed7e14 100644
## Execute samba net in the samba_net domain.
## </summary>
## <param name="domain">
-@@ -79,6 +121,25 @@ interface(`samba_domtrans_net',`
+@@ -79,6 +140,25 @@ interface(`samba_domtrans_net',`
########################################
## <summary>
@@ -126162,7 +126191,7 @@ index 82cb169..0ed7e14 100644
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
## </summary>
-@@ -103,6 +164,51 @@ interface(`samba_run_net',`
+@@ -103,6 +183,51 @@ interface(`samba_run_net',`
role $2 types samba_net_t;
')
@@ -126214,61 +126243,19 @@ index 82cb169..0ed7e14 100644
########################################
## <summary>
## Execute smbmount in the smbmount domain.
-@@ -327,7 +433,6 @@ interface(`samba_search_var',`
- type samba_var_t;
- ')
-
-- files_search_var($1)
- files_search_var_lib($1)
- allow $1 samba_var_t:dir search_dir_perms;
- ')
-@@ -348,7 +453,6 @@ interface(`samba_read_var_files',`
- type samba_var_t;
- ')
-
-- files_search_var($1)
- files_search_var_lib($1)
- read_files_pattern($1, samba_var_t, samba_var_t)
- ')
-@@ -388,7 +492,6 @@ interface(`samba_rw_var_files',`
- type samba_var_t;
- ')
-
-- files_search_var($1)
- files_search_var_lib($1)
- rw_files_pattern($1, samba_var_t, samba_var_t)
- ')
-@@ -409,9 +512,9 @@ interface(`samba_manage_var_files',`
+@@ -409,9 +534,10 @@ interface(`samba_manage_var_files',`
type samba_var_t;
')
- files_search_var($1)
++ files_search_var_lib($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
')
########################################
-@@ -419,15 +522,14 @@ interface(`samba_manage_var_files',`
- ## Execute a domain transition to run smbcontrol.
- ## </summary>
- ## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed to transition.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`samba_domtrans_smbcontrol',`
- gen_require(`
-- type smbcontrol_t;
-- type smbcontrol_exec_t;
-+ type smbcontrol_t, smbcontrol_exec_t;
- ')
-
- domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
-@@ -564,6 +666,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -564,6 +690,7 @@ interface(`samba_domtrans_winbind_helper',`
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
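Review bot: in `samba_manage_var_files` the added `files_search_var_lib($1)` duplicates the existing `files_search_var_lib($1)` on the very next line; drop the added one. This hunk also restores `files_search_var($1)` in `samba_search_var`, `samba_read_var_files` and `samba_rw_var_files` while still removing it from `samba_manage_var_files`, which leaves the four interfaces inconsistent; either keep the search in all four or remove it from all four.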
@@ -126276,7 +126263,28 @@ index 82cb169..0ed7e14 100644
')
########################################
-@@ -644,6 +747,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -607,7 +734,7 @@ interface(`samba_read_winbind_pid',`
+ type winbind_var_run_t;
+ ')
+
+- files_search_pids($1)
++ samba_search_pid($1)
+ allow $1 winbind_var_run_t:file read_file_perms;
+ ')
+
+@@ -626,9 +753,10 @@ interface(`samba_stream_connect_winbind',`
+ type samba_var_t, winbind_t, winbind_var_run_t;
+ ')
+
+- files_search_pids($1)
++ samba_search_pid($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
++ samba_read_config($1)
+
+ ifndef(`distro_redhat',`
+ gen_require(`
+@@ -644,6 +772,37 @@ interface(`samba_stream_connect_winbind',`
########################################
## <summary>
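Review bot: adding `samba_read_config($1)` inside `samba_stream_connect_winbind` silently widens every caller of a connect interface to reading samba_etc_t (smb.conf and the other config files), which the interface summary does not mention; if winbind clients genuinely need the configuration, call `samba_read_config` from each caller that needs it, or document the extra access in the interface description so admins auditing callers are not surprised.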
@@ -126314,7 +126322,7 @@ index 82cb169..0ed7e14 100644
## All of the rules required to administrate
## an samba environment
## </summary>
-@@ -661,33 +795,33 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,33 +820,33 @@ interface(`samba_stream_connect_winbind',`
#
interface(`samba_admin',`
gen_require(`
@@ -126369,17 +126377,7 @@ index 82cb169..0ed7e14 100644
init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -709,9 +843,6 @@ interface(`samba_admin',`
- admin_pattern($1, samba_var_t)
- files_list_var($1)
-
-- admin_pattern($1, smbd_spool_t)
-- files_list_spool($1)
--
- admin_pattern($1, smbd_var_run_t)
- files_list_pids($1)
-
-@@ -727,4 +858,9 @@ interface(`samba_admin',`
+@@ -727,4 +886,9 @@ interface(`samba_admin',`
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
@@ -126390,10 +126388,24 @@ index 82cb169..0ed7e14 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..ef60f40 100644
+index e30bb63..110ed47 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
-@@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false)
+@@ -1,4 +1,4 @@
+-policy_module(samba, 1.13.0)
++policy_module(samba, 1.14.1)
+
+ #################################
+ #
+@@ -25,13 +25,21 @@ gen_tunable(samba_create_home_dirs, false)
+ ## <p>
+ ## Allow samba to act as the domain controller, add users,
+ ## groups and change passwords.
+-##
++##
+ ## </p>
+ ## </desc>
+ gen_tunable(samba_domain_controller, false)
## <desc>
## <p>
@@ -126428,15 +126440,7 @@ index e30bb63..ef60f40 100644
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
-@@ -181,7 +189,6 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
- manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
- manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
- manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
--
- kernel_read_proc_symlinks(samba_net_t)
- kernel_read_system_state(samba_net_t)
-
-@@ -215,22 +222,30 @@ miscfiles_read_localization(samba_net_t)
+@@ -215,22 +223,31 @@ miscfiles_read_localization(samba_net_t)
samba_read_var_files(samba_net_t)
@@ -126465,21 +126469,20 @@ index e30bb63..ef60f40 100644
# smbd Local policy
#
-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
++
+allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
-@@ -248,7 +263,9 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
+@@ -249,6 +266,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow smbd_t nmbd_t:process { signal signull };
-+allow winbind_t smbd_var_run_t:dir search_dir_perms;
allow smbd_t nmbd_var_run_t:file rw_file_perms;
+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-@@ -263,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -263,12 +281,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -126494,7 +126497,7 @@ index e30bb63..ef60f40 100644
allow smbd_t smbcontrol_t:process { signal signull };
-@@ -279,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -279,7 +298,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -126503,7 +126506,7 @@ index e30bb63..ef60f40 100644
allow smbd_t swat_t:process signal;
-@@ -316,6 +334,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
+@@ -316,6 +335,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
@@ -126511,7 +126514,7 @@ index e30bb63..ef60f40 100644
dev_getattr_mtrr_dev(smbd_t)
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
# For redhat bug 566984
-@@ -323,15 +342,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,15 +343,18 @@ dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
fs_getattr_all_fs(smbd_t)
@@ -126530,7 +126533,7 @@ index e30bb63..ef60f40 100644
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +365,7 @@ files_read_usr_files(smbd_t)
+@@ -343,6 +366,7 @@ files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
# smbd seems to getattr all mountpoints
files_dontaudit_getattr_all_dirs(smbd_t)
@@ -126538,7 +126541,7 @@ index e30bb63..ef60f40 100644
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -354,6 +377,8 @@ logging_send_syslog_msg(smbd_t)
+@@ -354,6 +378,8 @@ logging_send_syslog_msg(smbd_t)
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
@@ -126547,7 +126550,7 @@ index e30bb63..ef60f40 100644
userdom_use_unpriv_users_fds(smbd_t)
userdom_search_user_home_content(smbd_t)
userdom_signal_all_users(smbd_t)
-@@ -372,6 +397,11 @@ tunable_policy(`allow_smbd_anon_write',`
+@@ -372,6 +398,11 @@ tunable_policy(`allow_smbd_anon_write',`
miscfiles_manage_public_files(smbd_t)
')
@@ -126559,7 +126562,7 @@ index e30bb63..ef60f40 100644
tunable_policy(`samba_domain_controller',`
gen_require(`
class passwd passwd;
-@@ -385,12 +415,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +416,7 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -126573,7 +126576,7 @@ index e30bb63..ef60f40 100644
')
# Support Samba sharing of NFS mount points
-@@ -410,6 +435,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +436,10 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -126584,7 +126587,7 @@ index e30bb63..ef60f40 100644
optional_policy(`
cups_read_rw_config(smbd_t)
-@@ -422,6 +451,11 @@ optional_policy(`
+@@ -422,6 +452,11 @@ optional_policy(`
')
optional_policy(`
@@ -126596,14 +126599,15 @@ index e30bb63..ef60f40 100644
lpd_exec_lpr(smbd_t)
')
-@@ -445,26 +479,25 @@ optional_policy(`
+@@ -445,26 +480,26 @@ optional_policy(`
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
- userdom_home_filetrans_user_home_dir(smbd_t)
')
-+userdom_home_filetrans_user_home_dir(smbd_t)
++userdom_home_filetrans_user_home_dir(smbd_t)
++
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
- auth_read_all_dirs_except_shadow(smbd_t)
@@ -126630,19 +126634,29 @@ index e30bb63..ef60f40 100644
########################################
#
# nmbd Local policy
-@@ -484,8 +517,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
++manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
+manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
+files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
++filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -555,18 +590,21 @@ optional_policy(`
+@@ -497,8 +535,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+
+ allow nmbd_t smbcontrol_t:process signal;
+
+-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+-
+ kernel_getattr_core_if(nmbd_t)
+ kernel_getattr_message_if(nmbd_t)
+ kernel_read_kernel_sysctls(nmbd_t)
+@@ -555,18 +591,21 @@ optional_policy(`
# smbcontrol local policy
#
@@ -126668,7 +126682,7 @@ index e30bb63..ef60f40 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -574,11 +612,21 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +613,21 @@ samba_read_winbind_pid(smbcontrol_t)
domain_use_interactive_fds(smbcontrol_t)
@@ -126691,7 +126705,7 @@ index e30bb63..ef60f40 100644
########################################
#
-@@ -644,19 +692,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +693,21 @@ auth_use_nsswitch(smbmount_t)
miscfiles_read_localization(smbmount_t)
@@ -126716,7 +126730,7 @@ index e30bb63..ef60f40 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +727,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +728,8 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -126726,7 +126740,7 @@ index e30bb63..ef60f40 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +743,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +744,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -126741,7 +126755,7 @@ index e30bb63..ef60f40 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +763,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +764,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -126749,7 +126763,7 @@ index e30bb63..ef60f40 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -752,8 +806,12 @@ logging_send_syslog_msg(swat_t)
+@@ -752,8 +807,12 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -126762,17 +126776,16 @@ index e30bb63..ef60f40 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -783,7 +841,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +842,7 @@ allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
-allow winbind_t nmbd_var_run_t:file read_file_perms;
-+allow winbind_t smbd_var_run_t:dir search_dir_perms;
+read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +865,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +865,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -126784,17 +126797,20 @@ index e30bb63..ef60f40 100644
+userdom_manage_user_tmp_files(winbind_t)
+userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
-+manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
++manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
-files_pid_filetrans(winbind_t, winbind_var_run_t, file)
-+files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir })
++files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
++filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
++# /run/samba/krb5cc_samba
++manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+kernel_read_network_state(winbind_t)
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +893,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +896,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
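Review bot: `manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)` grants winbind create, write and unlink on every file in /var/run/samba (smbd's pid file and tdb files included), not just the `/run/samba/krb5cc_samba` cache the comment names; if only the credential cache is needed, a dedicated type with a named file transition is tighter. At minimum the `filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)` should carry the "winbindd" name so only that subdirectory is relabeled, matching the `/var/run/samba/winbindd(/.*)?` entry in samba.fc.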
@@ -126802,7 +126818,7 @@ index e30bb63..ef60f40 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -850,10 +911,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +914,14 @@ domain_use_interactive_fds(winbind_t)
files_read_etc_files(winbind_t)
files_read_usr_symlinks(winbind_t)
@@ -126817,29 +126833,29 @@ index e30bb63..ef60f40 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +928,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
- userdom_manage_user_home_content_sockets(winbind_t)
+@@ -864,6 +932,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
-+
-+optional_policy(`
+ optional_policy(`
+ ctdbd_stream_connect(winbind_t)
+ ctdbd_manage_lib_files(winbind_t)
+')
+
- optional_policy(`
++optional_policy(`
kerberos_use(winbind_t)
')
-@@ -904,7 +975,7 @@ logging_send_syslog_msg(winbind_helper_t)
+
+@@ -904,7 +977,8 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
-userdom_use_user_terminals(winbind_helper_t)
+userdom_use_inherited_user_terminals(winbind_helper_t)
++
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,19 +993,34 @@ optional_policy(`
+@@ -922,19 +996,34 @@ optional_policy(`
#
optional_policy(`
@@ -126862,14 +126878,14 @@ index e30bb63..ef60f40 100644
+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
+')
-
++
+type samba_unconfined_script_t;
+type samba_unconfined_script_exec_t;
+domain_type(samba_unconfined_script_t)
+domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+corecmd_shell_entry_type(samba_unconfined_script_t)
+role system_r types samba_unconfined_script_t;
-+
+
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
@@ -127756,7 +127772,7 @@ index bcdd16c..039b0c8 100644
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..e010142 100644
+index 086cd5f..4e69f51 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -127860,7 +127876,7 @@ index 086cd5f..e010142 100644
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -151,7 +173,11 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -151,7 +173,12 @@ kernel_read_system_state(setroubleshoot_fixit_t)
corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
@@ -127869,10 +127885,11 @@ index 086cd5f..e010142 100644
+
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
++seutil_read_module_store(setroubleshoot_fixit_t)
files_read_usr_files(setroubleshoot_fixit_t)
files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +190,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +191,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
miscfiles_read_localization(setroubleshoot_fixit_t)
@@ -131941,7 +131958,7 @@ index ebc5414..8f8ac45 100644
logging_list_logs($1)
admin_pattern($1, uucpd_log_t)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
-index d4349e9..f14d337 100644
+index d4349e9..2f0887d 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -24,7 +24,7 @@ type uucpd_ro_t;
@@ -131962,7 +131979,16 @@ index d4349e9..f14d337 100644
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)
-@@ -145,5 +147,5 @@ optional_policy(`
+@@ -134,6 +136,8 @@ files_read_etc_files(uux_t)
+
+ fs_rw_anon_inodefs_files(uux_t)
+
++auth_use_nsswitch(uux_t)
++
+ logging_send_syslog_msg(uux_t)
+
+ miscfiles_read_localization(uux_t)
+@@ -145,5 +149,5 @@ optional_policy(`
')
optional_policy(`
@@ -133408,7 +133434,7 @@ index 7c5d8d8..85b7d8b 100644
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..96f86b2 100644
+index 3eca020..cf6ce6e 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
@@ -133836,9 +133862,9 @@ index 3eca020..96f86b2 100644
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-
-+selinux_validate_context(virtd_t)
+
++selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -133905,20 +133931,7 @@ index 3eca020..96f86b2 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -353,6 +544,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ # Run mount in the mount_t domain.
-+ mount_domtrans(virtd_t)
-+ mount_signal(virtd_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(virtd_t)
- policykit_domtrans_auth(virtd_t)
- policykit_domtrans_resolve(virtd_t)
-@@ -360,11 +557,11 @@ optional_policy(`
+@@ -360,11 +551,11 @@ optional_policy(`
')
optional_policy(`
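Review bot: this hunk removes the `mount_domtrans(virtd_t)` / `mount_signal(virtd_t)` optional block without a replacement; any mount libvirtd still performs will now run inside virtd_t and need the mount permissions there instead of transitioning to mount_t. If this is a deliberate revert it should be stated in the changelog, since none of the listed changelog entries covers it.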
@@ -133935,7 +133948,7 @@ index 3eca020..96f86b2 100644
')
optional_policy(`
-@@ -394,20 +591,36 @@ optional_policy(`
+@@ -394,20 +585,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -133975,7 +133988,7 @@ index 3eca020..96f86b2 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +631,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +625,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -133989,7 +134002,7 @@ index 3eca020..96f86b2 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +644,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +638,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -134002,7 +134015,7 @@ index 3eca020..96f86b2 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +657,428 @@ files_search_all(virt_domain)
+@@ -440,25 +651,428 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -134010,12 +134023,12 @@ index 3eca020..96f86b2 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -134721,7 +134734,7 @@ index aa6e5a8..42a0efb 100644
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..587ddea 100644
+index 4966c94..e3b85b6 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,34 @@
@@ -134790,7 +134803,7 @@ index 4966c94..587ddea 100644
#
# /opt
#
-@@ -48,28 +71,35 @@ ifdef(`distro_redhat',`
+@@ -48,28 +71,31 @@ ifdef(`distro_redhat',`
# /tmp
#
@@ -134808,16 +134821,11 @@ index 4966c94..587ddea 100644
# /usr
#
--/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/sbin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/sbin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/sbin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/sbin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
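Review bot: `/usr/sbin/mdm-binary` is added with a fixed `/usr/sbin/` prefix while the line right after it, `/usr/(s)?bin/gdm-binary`, and the new collapsed `/usr/(s)?bin/lxdm(-binary)?` and `/usr/(s)?bin/[mxgkw]dm` entries all use `/usr/(s)?bin/`. If a package ever installs mdm-binary under /usr/bin it would not get xdm_exec_t and the display-manager transition would not happen; suggest `/usr/(s)?bin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)` for consistency, placed after the gdm-binary line so the list stays ordered.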
@@ -134834,13 +134842,14 @@ index 4966c94..587ddea 100644
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-@@ -90,17 +120,45 @@ ifdef(`distro_debian', `
+@@ -90,17 +116,45 @@ ifdef(`distro_debian', `
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/[mxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
+
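Review bot: the new `/var/lib/[mxkw]dm(/.*)?` entry overlaps the `/var/lib/[gxkw]dm(/.*)?` entry immediately above it for x, k and w; only m is new. Two regexes with the same context are harmless but add noise to the fc file, so fold the letter into the existing line instead: `/var/lib/[gmxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)`.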
@@ -134848,24 +134857,23 @@ index 4966c94..587ddea 100644
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/(l)?xdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
++/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+
-+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
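Review bot: this hunk changes the type of existing log files without saying so in the commit message: `/var/log/gdm(/.*)?`, `/var/log/slim\.log` and `/var/log/(l)?xdm\.log` were labelled xdm_log_t in the old patch and now become xserver_log_t via `/var/log/[mg]dm(/.*)?`, `/var/log/slim\.log` and `/var/log/lxdm\.log`, so any rule written against xdm_log_t will stop matching these files after a relabel. Second, `/var/log/lxdm\.log` and `/var/log/slim\.log` dropped the trailing `.*` that the old lines had, so rotated copies (lxdm.log.1 and so on) no longer match, while `/var/log/[mkwx]dm\.log.*` keeps it; restore `.*` on both. The consolidation of the pid dirs into `/var/run/[kgm]dm(/.*)?` is fine; `/var/run/slim(/.*)?` now sits after the xauth line rather than with the other run dirs, which is only a style point.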
@@ -139233,7 +139241,7 @@ index 73554ec..a0bd29b 100644
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..27ad087 100644
+index b7a5f00..b2a6592 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,22 +5,42 @@ policy_module(authlogin, 2.2.1)
@@ -139249,7 +139257,7 @@ index b7a5f00..27ad087 100644
+
+## <desc>
+## <p>
-+## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
++## Allow users to login using a sssd server
+## </p>
+## </desc>
+gen_tunable(authlogin_nsswitch_use_ldap, false)
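Review bot: the rewritten description "Allow users to login using a sssd server" no longer matches the boolean it documents, `authlogin_nsswitch_use_ldap`; the old sentence described the LDAP path this boolean is named for, and only had a typo ("then" for "than"). An administrator reading the boolean list will not learn from the new text that enabling it lets login programs talk to LDAP directly. Suggest keeping the original wording with the typo fixed: `## Allow users to resolve user passwd entries directly from ldap rather than using a sssd server`.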
@@ -143399,22 +143407,20 @@ index 0e3c2a9..40adf5a 100644
+')
+
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a0b379d..362176f 100644
+index a0b379d..95bf920 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
-@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
- type local_login_lock_t;
- files_lock_file(local_login_lock_t)
+@@ -17,6 +17,9 @@ type local_login_tmp_t;
+ files_tmp_file(local_login_tmp_t)
+ files_poly_parent(local_login_tmp_t)
--type local_login_tmp_t;
--files_tmp_file(local_login_tmp_t)
--files_poly_parent(local_login_tmp_t)
+type local_login_home_t;
+userdom_user_home_content(local_login_home_t)
-
++
type sulogin_t;
type sulogin_exec_t;
-@@ -32,9 +31,8 @@ role system_r types sulogin_t;
+ domain_obj_id_change_exemption(sulogin_t)
+@@ -32,9 +35,8 @@ role system_r types sulogin_t;
# Local login local policy
#
@@ -143426,18 +143432,16 @@ index a0b379d..362176f 100644
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
-@@ -51,9 +49,7 @@ allow local_login_t self:key { search write link };
+@@ -51,6 +53,8 @@ allow local_login_t self:key { search write link };
allow local_login_t local_login_lock_t:file manage_file_perms;
files_lock_filetrans(local_login_t, local_login_lock_t, file)
--allow local_login_t local_login_tmp_t:dir manage_dir_perms;
--allow local_login_t local_login_tmp_t:file manage_file_perms;
--files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
+allow local_login_t local_login_home_t:file read_file_perms;
-
- kernel_read_system_state(local_login_t)
- kernel_read_kernel_sysctls(local_login_t)
-@@ -73,6 +69,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
++
+ allow local_login_t local_login_tmp_t:dir manage_dir_perms;
+ allow local_login_t local_login_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
+@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
@@ -143446,7 +143450,7 @@ index a0b379d..362176f 100644
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
-@@ -120,11 +118,13 @@ term_setattr_unallocated_ttys(local_login_t)
+@@ -120,11 +126,13 @@ term_setattr_unallocated_ttys(local_login_t)
auth_rw_login_records(local_login_t)
auth_rw_faillog(local_login_t)
@@ -143461,7 +143465,7 @@ index a0b379d..362176f 100644
miscfiles_read_localization(local_login_t)
-@@ -146,14 +146,14 @@ tunable_policy(`console_login',`
+@@ -146,14 +154,12 @@ tunable_policy(`console_login',`
term_relabel_console(local_login_t)
')
@@ -143470,8 +143474,6 @@ index a0b379d..362176f 100644
- fs_read_nfs_symlinks(local_login_t)
-')
+userdom_home_reader(local_login_t)
-+userdom_manage_tmp_files(local_login_t)
-+userdom_tmp_filetrans_user_tmp(local_login_t, file)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(local_login_t)
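Review bot: dropping `userdom_manage_tmp_files(local_login_t)` and `userdom_tmp_filetrans_user_tmp(local_login_t, file)` is consistent with the earlier hunks in this file, where local_login_t keeps its own local_login_tmp_t instead of the patch removing it; local_login_t no longer gets write access to user_tmp_t, which is the tighter choice. Note that `userdom_manage_tmp_files` is also deleted from userdomain.if later in this patch, so the two edits must land together or the module fails to build.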
@@ -143483,7 +143485,7 @@ index a0b379d..362176f 100644
')
optional_policy(`
-@@ -177,14 +177,6 @@ optional_policy(`
+@@ -177,14 +183,6 @@ optional_policy(`
')
optional_policy(`
@@ -143498,7 +143500,7 @@ index a0b379d..362176f 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -215,6 +207,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,6 +213,7 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
@@ -143506,7 +143508,7 @@ index a0b379d..362176f 100644
kernel_read_system_state(sulogin_t)
fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +216,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+@@ -223,13 +222,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)
@@ -143524,7 +143526,7 @@ index a0b379d..362176f 100644
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
-@@ -238,14 +235,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +241,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -143551,7 +143553,7 @@ index a0b379d..362176f 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +263,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +269,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -147057,7 +147059,7 @@ index 694fd94..ff9af99 100644
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index ff80d0a..b8c1b90 100644
+index ff80d0a..419fc29 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -49,10 +49,6 @@ interface(`sysnet_run_dhcpc',`
@@ -147185,7 +147187,15 @@ index ff80d0a..b8c1b90 100644
## Read network config files.
## </summary>
## <desc>
-@@ -405,7 +494,7 @@ interface(`sysnet_etc_filetrans_config',`
+@@ -329,6 +418,7 @@ interface(`sysnet_read_config',`
+
+ ifdef(`distro_redhat',`
+ allow $1 net_conf_t:dir list_dir_perms;
++ allow $1 net_conf_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, net_conf_t, net_conf_t)
+ ')
+ ')
+@@ -405,7 +495,7 @@ interface(`sysnet_etc_filetrans_config',`
type net_conf_t;
')
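Review bot: the new `allow $1 net_conf_t:lnk_file read_lnk_file_perms;` is placed inside the `ifdef(`distro_redhat',`)` block of sysnet_read_config, so only Red Hat builds of the policy get it. That matches the Red Hat-only `read_files_pattern` it sits beside, but since the commit message states the intent generally (apps that can read net_conf_t files may read symlinks), it may be cleaner outside the ifdef. Following the link does not widen access beyond the caller's existing permissions, since reading the link target still requires read access to the target's type.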
@@ -147194,7 +147204,7 @@ index ff80d0a..b8c1b90 100644
')
#######################################
-@@ -426,6 +515,7 @@ interface(`sysnet_manage_config',`
+@@ -426,6 +516,7 @@ interface(`sysnet_manage_config',`
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_redhat',`
@@ -147202,7 +147212,7 @@ index ff80d0a..b8c1b90 100644
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -464,6 +554,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -464,6 +555,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@@ -147210,7 +147220,7 @@ index ff80d0a..b8c1b90 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -554,6 +645,45 @@ interface(`sysnet_signal_ifconfig',`
+@@ -554,6 +646,45 @@ interface(`sysnet_signal_ifconfig',`
########################################
## <summary>
@@ -147256,7 +147266,7 @@ index ff80d0a..b8c1b90 100644
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
-@@ -661,6 +791,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -661,6 +792,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
@@ -147265,7 +147275,7 @@ index ff80d0a..b8c1b90 100644
sysnet_read_config($1)
optional_policy(`
-@@ -698,6 +830,9 @@ interface(`sysnet_use_ldap',`
+@@ -698,6 +831,9 @@ interface(`sysnet_use_ldap',`
corenet_sendrecv_ldap_client_packets($1)
sysnet_read_config($1)
@@ -147275,7 +147285,7 @@ index ff80d0a..b8c1b90 100644
')
########################################
-@@ -731,3 +866,73 @@ interface(`sysnet_use_portmap',`
+@@ -731,3 +867,73 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -150116,7 +150126,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..b0c7451 100644
+index 4b2878a..2fe0743 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -150431,33 +150441,7 @@ index 4b2878a..b0c7451 100644
')
')
-@@ -272,6 +317,25 @@ interface(`userdom_manage_home_role',`
- ## <summary>
- ## Manage user temporary files
- ## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolebase/>
-+#
-+interface(`userdom_manage_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file manage_file_perms;
-+')
-+
-+#######################################
-+## <summary>
-+## Manage user temporary files
-+## </summary>
- ## <param name="role">
- ## <summary>
- ## Role allowed access.
-@@ -286,17 +350,64 @@ interface(`userdom_manage_home_role',`
+@@ -286,17 +331,64 @@ interface(`userdom_manage_home_role',`
#
interface(`userdom_manage_tmp_role',`
gen_require(`
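Review bot: removing the `userdom_manage_tmp_files` interface is fine as far as this patch shows, because its only visible caller (local_login_t in locallogin.te) is dropped in the same commit, but an unmatched interface call fails at policy build time, so grep the rest of the tree for the name before merging. The interface as written was also incomplete: it granted `user_tmp_t:file manage_file_perms` without `files_search_tmp($1)`, unlike `userdom_exec_user_tmp_files` just below, and carried a `<rolebase/>` tag although its parameter is a domain, so removing it rather than fixing it is reasonable.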
@@ -150527,7 +150511,7 @@ index 4b2878a..b0c7451 100644
')
#######################################
-@@ -316,6 +427,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +408,7 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -150535,7 +150519,7 @@ index 4b2878a..b0c7451 100644
files_search_tmp($1)
')
-@@ -347,59 +459,62 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -347,59 +440,62 @@ interface(`userdom_exec_user_tmp_files',`
#
interface(`userdom_manage_tmpfs_role',`
gen_require(`
@@ -150630,7 +150614,7 @@ index 4b2878a..b0c7451 100644
')
#######################################
-@@ -430,6 +545,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +526,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -150638,7 +150622,7 @@ index 4b2878a..b0c7451 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -462,8 +578,8 @@ template(`userdom_change_password_template',`
+@@ -462,8 +559,8 @@ template(`userdom_change_password_template',`
')
optional_policy(`
@@ -150649,7 +150633,7 @@ index 4b2878a..b0c7451 100644
')
')
-@@ -490,7 +606,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +587,7 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -150658,7 +150642,7 @@ index 4b2878a..b0c7451 100644
##############################
#
-@@ -500,73 +616,83 @@ template(`userdom_common_user_template',`
+@@ -500,73 +597,83 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -150680,27 +150664,27 @@ index 4b2878a..b0c7451 100644
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
--
-- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- corecmd_exec_bin($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+-
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -150724,10 +150708,10 @@ index 4b2878a..b0c7451 100644
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
+ fs_rw_cgroup_files($1_usertype)
++
++ application_getattr_socket($1_usertype)
- fs_rw_cgroup_files($1_t)
-+ application_getattr_socket($1_usertype)
-+
+ logging_send_syslog_msg($1_usertype)
+ logging_send_audit_msgs($1_usertype)
+ selinux_get_enforce_mode($1_usertype)
@@ -150784,7 +150768,7 @@ index 4b2878a..b0c7451 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +700,113 @@ template(`userdom_common_user_template',`
+@@ -574,67 +681,113 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -150843,51 +150827,51 @@ index 4b2878a..b0c7451 100644
+ evolution_dbus_chat($1_usertype)
+ evolution_alarm_dbus_chat($1_usertype)
+ ')
-+
-+ optional_policy(`
-+ gnome_dbus_chat_gconfdefault($1_usertype)
-+ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ kde_dbus_chat_backlighthelper($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ modemmanager_dbus_chat($1_usertype)
++ kde_dbus_chat_backlighthelper($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_lib_files($1_usertype)
++ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ vpn_dbus_chat($1_usertype)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_lib_files($1_usertype)
')
- ')
-
- optional_policy(`
-- inetd_use_fds($1_t)
-- inetd_rw_tcp_sockets($1_t)
-+ git_session_role($1_r, $1_usertype)
++
++ optional_policy(`
++ vpn_dbus_chat($1_usertype)
++ ')
+ ')
+
+ optional_policy(`
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
++ git_session_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
+ ')
+
+ optional_policy(`
+- inetd_use_fds($1_t)
+- inetd_rw_tcp_sockets($1_t)
+ inn_read_config($1_usertype)
+ inn_read_news_lib($1_usertype)
+ inn_read_news_spool($1_usertype)
@@ -150919,7 +150903,7 @@ index 4b2878a..b0c7451 100644
')
optional_policy(`
-@@ -650,40 +822,52 @@ template(`userdom_common_user_template',`
+@@ -650,40 +803,52 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -150955,35 +150939,35 @@ index 4b2878a..b0c7451 100644
+
+ optional_policy(`
+ rpcbind_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ seunshare_role_template($1, $1_r, $1_t)
++ slrnpull_search_spool($1_usertype)
')
optional_policy(`
- usernetctl_run($1_t, $1_r)
-+ slrnpull_search_spool($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ thumb_role($1_r, $1_usertype)
')
')
-@@ -708,17 +892,33 @@ template(`userdom_common_user_template',`
+@@ -708,17 +873,33 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -150996,15 +150980,17 @@ index 4b2878a..b0c7451 100644
+ typeattribute $1_t login_userdomain;
+
+ userdom_manage_home_role($1_r, $1_usertype)
++
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -151012,9 +150998,7 @@ index 4b2878a..b0c7451 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -151022,7 +151006,7 @@ index 4b2878a..b0c7451 100644
userdom_change_password_template($1)
-@@ -727,81 +927,98 @@ template(`userdom_login_user_template', `
+@@ -727,81 +908,98 @@ template(`userdom_login_user_template', `
# User domain Local policy
#
@@ -151112,14 +151096,14 @@ index 4b2878a..b0c7451 100644
+ seutil_read_file_contexts($1_usertype)
+ seutil_read_default_contexts($1_usertype)
+ seutil_exec_setfiles($1_usertype)
-
-- seutil_read_config($1_t)
++
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
+ cups_stream_connect_ptal($1_usertype)
+ ')
-+
+
+- seutil_read_config($1_t)
+ optional_policy(`
+ kerberos_use($1_usertype)
+ kerberos_filetrans_home_content($1_usertype)
@@ -151156,7 +151140,7 @@ index 4b2878a..b0c7451 100644
')
')
-@@ -833,6 +1050,12 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1031,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -151169,7 +151153,7 @@ index 4b2878a..b0c7451 100644
##############################
#
# Local policy
-@@ -873,46 +1096,115 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -873,46 +1077,115 @@ template(`userdom_restricted_xwindows_user_template',`
# Local policy
#
@@ -151298,7 +151282,7 @@ index 4b2878a..b0c7451 100644
')
')
-@@ -947,7 +1239,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1220,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -151307,7 +151291,7 @@ index 4b2878a..b0c7451 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1248,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1229,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -151325,7 +151309,7 @@ index 4b2878a..b0c7451 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1273,60 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1254,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -151368,11 +151352,9 @@ index 4b2878a..b0c7451 100644
+
+ optional_policy(`
+ gpg_role($1_r, $1_usertype)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ gnomeclock_dbus_chat($1_t)
+ ')
+
@@ -151383,9 +151365,11 @@ index 4b2878a..b0c7451 100644
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ wine_role_template($1, $1_r, $1_t)
+ ')
+
@@ -151395,7 +151379,7 @@ index 4b2878a..b0c7451 100644
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1335,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1316,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -151406,7 +151390,7 @@ index 4b2878a..b0c7451 100644
')
')
-@@ -1039,7 +1373,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1354,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -151415,7 +151399,7 @@ index 4b2878a..b0c7451 100644
')
##############################
-@@ -1066,6 +1400,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1381,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -151423,7 +151407,7 @@ index 4b2878a..b0c7451 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1409,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1390,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -151433,7 +151417,7 @@ index 4b2878a..b0c7451 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1426,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1407,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -151441,7 +151425,7 @@ index 4b2878a..b0c7451 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1444,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1425,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -151455,7 +151439,7 @@ index 4b2878a..b0c7451 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1461,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1442,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -151498,7 +151482,7 @@ index 4b2878a..b0c7451 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1502,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1483,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -151507,7 +151491,7 @@ index 4b2878a..b0c7451 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1165,6 +1518,10 @@ template(`userdom_admin_user_template',`
+@@ -1165,6 +1499,10 @@ template(`userdom_admin_user_template',`
fs_read_noxattr_fs_files($1_t)
')
@@ -151518,7 +151502,7 @@ index 4b2878a..b0c7451 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1210,6 +1567,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1548,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -151527,7 +151511,7 @@ index 4b2878a..b0c7451 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1581,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1562,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -151538,7 +151522,7 @@ index 4b2878a..b0c7451 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1594,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1575,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -151567,7 +151551,7 @@ index 4b2878a..b0c7451 100644
')
optional_policy(`
-@@ -1251,12 +1622,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1603,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -151583,7 +151567,7 @@ index 4b2878a..b0c7451 100644
')
optional_policy(`
-@@ -1279,25 +1650,74 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1631,103 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -151616,42 +151600,71 @@ index 4b2878a..b0c7451 100644
#
-interface(`userdom_attach_admin_tun_iface',`
+interface(`userdom_user_tmp_content',`
-+ gen_require(`
+ gen_require(`
+- attribute admindomain;
+ attribute user_tmp_type;
-+ ')
-+
+ ')
+
+- allow $1 admindomain:tun_socket relabelfrom;
+- allow $1 self:tun_socket relabelto;
+ typeattribute $1 user_tmp_type;
+
+ files_tmp_file($1)
+ ubac_constrained($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Set the attributes of a user pty.
+## Make the specified type usable in a
+## generic tmpfs_t directory.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <param name="type">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Type to be used as a file in the
+## generic temporary directory.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_setattr_user_ptys',`
+interface(`userdom_user_tmpfs_content',`
-+ gen_require(`
+ gen_require(`
+- type user_devpts_t;
+ attribute user_tmpfs_type;
-+ ')
-+
+ ')
+
+- allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
+ typeattribute $1 user_tmpfs_type;
+
+ files_tmpfs_file($1)
+ ubac_constrained($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create a user pty.
++## Allow domain to attach to TUN devices created by administrative users.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_attach_admin_tun_iface',`
++ gen_require(`
++ attribute admindomain;
++ ')
++
++ allow $1 admindomain:tun_socket relabelfrom;
++ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
-+## Allow domain to attach to TUN devices created by administrative users.
++## Set the attributes of a user pty.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -151659,11 +151672,21 @@ index 4b2878a..b0c7451 100644
+## </summary>
+## </param>
+#
-+interface(`userdom_attach_admin_tun_iface',`
- gen_require(`
- attribute admindomain;
- ')
-@@ -1395,11 +1815,31 @@ interface(`userdom_search_user_home_dirs',`
++interface(`userdom_setattr_user_ptys',`
++ gen_require(`
++ type user_devpts_t;
++ ')
++
++ allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
++')
++
++########################################
++## <summary>
++## Create a user pty.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1395,11 +1796,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -151695,7 +151718,7 @@ index 4b2878a..b0c7451 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1441,6 +1881,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1862,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -151710,7 +151733,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -1456,9 +1904,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1885,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -151722,7 +151745,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -1515,6 +1965,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1946,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -151765,7 +151788,7 @@ index 4b2878a..b0c7451 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1589,6 +2075,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2056,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -151774,7 +151797,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -1603,10 +2091,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2072,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -151789,7 +151812,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -1649,6 +2139,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2120,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -151833,7 +151856,7 @@ index 4b2878a..b0c7451 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1668,6 +2195,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2176,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -151859,7 +151882,7 @@ index 4b2878a..b0c7451 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1698,14 +2244,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2225,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -151897,7 +151920,7 @@ index 4b2878a..b0c7451 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2284,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2265,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -151915,7 +151938,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -1779,6 +2350,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2331,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -151976,7 +151999,7 @@ index 4b2878a..b0c7451 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2435,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2416,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -151986,7 +152009,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -1827,20 +2451,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2432,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -152011,7 +152034,7 @@ index 4b2878a..b0c7451 100644
########################################
## <summary>
-@@ -1941,6 +2559,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2540,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -152036,7 +152059,7 @@ index 4b2878a..b0c7451 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2008,7 +2644,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2625,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -152045,7 +152068,7 @@ index 4b2878a..b0c7451 100644
files_search_home($1)
')
-@@ -2039,7 +2675,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2656,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -152054,7 +152077,7 @@ index 4b2878a..b0c7451 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2158,11 +2794,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2775,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -152069,7 +152092,7 @@ index 4b2878a..b0c7451 100644
files_search_tmp($1)
')
-@@ -2182,7 +2818,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2799,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -152078,7 +152101,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -2390,7 +3026,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +3007,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -152087,7 +152110,7 @@ index 4b2878a..b0c7451 100644
files_search_tmp($1)
')
-@@ -2419,6 +3055,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3036,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2)
')
@@ -152113,7 +152136,7 @@ index 4b2878a..b0c7451 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2435,13 +3090,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3071,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -152129,7 +152152,7 @@ index 4b2878a..b0c7451 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,7 +3118,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3099,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -152138,7 +152161,7 @@ index 4b2878a..b0c7451 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2470,14 +3126,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3107,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -152173,7 +152196,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -2572,7 +3244,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3225,7 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -152182,24 +152205,21 @@ index 4b2878a..b0c7451 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2580,32 +3252,62 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,7 +3233,25 @@ interface(`userdom_use_user_ttys',`
## </summary>
## </param>
#
-interface(`userdom_use_user_ptys',`
+interface(`userdom_use_inherited_user_ttys',`
- gen_require(`
-- type user_devpts_t;
++ gen_require(`
+ type user_tty_device_t;
- ')
-
-- allow $1 user_devpts_t:chr_file rw_term_perms;
++ ')
++
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
- ')
-
- ########################################
- ## <summary>
--## Read and write a user TTYs and PTYs.
++')
++
++########################################
++## <summary>
+## Read and write a user domain pty.
+## </summary>
+## <param name="domain">
@@ -152209,15 +152229,14 @@ index 4b2878a..b0c7451 100644
+## </param>
+#
+interface(`userdom_use_user_ptys',`
-+ gen_require(`
-+ type user_devpts_t;
-+ ')
-+
-+ allow $1 user_devpts_t:chr_file rw_term_perms;
-+')
-+
-+########################################
-+## <summary>
+ gen_require(`
+ type user_devpts_t;
+ ')
+@@ -2590,22 +3261,34 @@ interface(`userdom_use_user_ptys',`
+
+ ########################################
+ ## <summary>
+-## Read and write a user TTYs and PTYs.
+## Read and write a inherited user domain pty.
+## </summary>
+## <param name="domain">
@@ -152256,7 +152275,7 @@ index 4b2878a..b0c7451 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2614,14 +3316,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3297,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -152294,7 +152313,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -2640,8 +3361,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,8 +3342,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -152324,7 +152343,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -2713,69 +3453,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,69 +3434,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -152425,7 +152444,7 @@ index 4b2878a..b0c7451 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2783,12 +3522,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2783,12 +3503,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -152440,7 +152459,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -2852,7 +3591,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3572,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -152449,7 +152468,7 @@ index 4b2878a..b0c7451 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3607,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3588,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -152483,7 +152502,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -2972,7 +3695,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3676,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -152492,7 +152511,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -3027,7 +3750,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3731,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -152539,7 +152558,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -3045,7 +3806,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3787,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -152548,7 +152567,7 @@ index 4b2878a..b0c7451 100644
')
########################################
-@@ -3064,6 +3825,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3806,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -152556,7 +152575,7 @@ index 4b2878a..b0c7451 100644
kernel_search_proc($1)
')
-@@ -3140,6 +3902,42 @@ interface(`userdom_signal_all_users',`
+@@ -3140,6 +3883,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -152599,7 +152618,7 @@ index 4b2878a..b0c7451 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3160,6 +3958,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3939,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -152624,7 +152643,7 @@ index 4b2878a..b0c7451 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +4010,1292 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3991,1292 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8add07d..99ce12a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 128%{?dist}
+Release: 129%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,27 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jun 8 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-129
+- Allow collectd to read virt config
+- Allow collectd setsched
+- Add support for /usr/sbin/mdm*
+- Fix java binaries labels when installed under /usr/lib/jvm/java
+- Add labeling for /var/run/mdm
+- Allow apps that can read net_conf_t files read symlinks
+- Allow all domains that can search or read tmp_t, able to read a tmp_t link
+- Dontaudit mozilla_plugin looking at xdm_tmp_t
+- Looks like collectd needs to change it scheduling priority
+- Allow uux_t to access nsswitch data
+- New labeling for samba, pid dirs moved to subdirs of samba
+- Allow nova_api to use nsswitch
+- Allow mozilla_plugin to execute files labeled as lib_t
+- Label content under HOME_DIR/zimbrauserdata as mozilla_home date
+- abrt is fooled into reading mozilla_plugin content, we want to dontaudit
+- Allow mozilla_plugin to connect to ircd ports since a plugin might be a irc chat window
+- Allow winbind to create content in smbd_var_run_t directories
+- Allow setroubleshoot_fixit to read the selinux policy store. No reason to deny it
+- Support libvirt plugin for collectd
+
* Wed May 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
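Review bot: several changelog entries in this hunk carry wording errors that will ship in the RPM changelog: `Looks like collectd needs to change it scheduling priority` (its), `as mozilla_home date` (data), `a plugin might be a irc chat window` (an irc), and `Allow apps that can read net_conf_t files read symlinks` (to read). The collectd setsched item is also listed twice (`Allow collectd setsched` and the `Looks like ...` line) and `Support libvirt plugin for collectd` overlaps `Allow collectd to read virt config`; collapsing those duplicates keeps the entry readable. The `3.10.0-129` header here does match the `Release: 129%{?dist}` bump in the previous hunk.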