[selinux-policy/f17] * Fri Jun 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-131 - Fix labeling of kerbero host cache
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jun 15 10:01:40 UTC 2012
commit 56d4d59c7499f9b6d0534f3884e08f5bd2000f61
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jun 15 12:01:04 2012 +0200
* Fri Jun 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-131
- Fix labeling of kerberos host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct
- When staff_t runs libvirt it reads dnsmasq_var_run_t
- Mount command now lists user_tmp looking for gvfs
- /etc/blkid is moving to /run/blkid
- Allow rw_cgroup_files to also read a symlink
- Make sure gdm directory in ~/.cache/gdm gets created with the correct label
- Add labeling for .cache/gdm in the homedir
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
policy-F16.patch | 1133 ++++++++++++++++++++++++++++-----------------------
selinux-policy.spec | 23 +-
2 files changed, 644 insertions(+), 512 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 5aecd05..c8a3b71 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -58704,10 +58704,10 @@ index 0bfc958..af95b7a 100644
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..530d2df 100644
+index 7a6f06f..48fc840 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,14 @@
+@@ -1,9 +1,16 @@
-
+/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
@@ -58719,6 +58719,8 @@ index 7a6f06f..530d2df 100644
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++
++/var/run/blkid(/.*)? gen_context(system_u:object_r:bootloader_var_run_t,s0)
-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
@@ -58787,10 +58789,18 @@ index 63eb96b..d7a6063 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index d3da8f2..a10844b 100644
+index d3da8f2..a78599d 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
-@@ -23,7 +23,7 @@ role system_r types bootloader_t;
+@@ -18,12 +18,15 @@ type bootloader_exec_t;
+ application_domain(bootloader_t, bootloader_exec_t)
+ role system_r types bootloader_t;
+
++type bootloader_var_run_t;
++files_pid_file(bootloader_var_run_t)
++
+ #
+ # bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
#
type bootloader_etc_t alias etc_bootloader_t;
@@ -58799,7 +58809,7 @@ index d3da8f2..a10844b 100644
#
# The temp file is used for initrd creation;
-@@ -38,7 +38,7 @@ dev_node(bootloader_tmp_t)
+@@ -38,7 +41,7 @@ dev_node(bootloader_tmp_t)
# bootloader local policy
#
@@ -58808,7 +58818,18 @@ index d3da8f2..a10844b 100644
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
-@@ -78,6 +78,7 @@ dev_rw_nvram(bootloader_t)
+@@ -56,6 +59,10 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
+ # for tune2fs (cjp: ?)
+ files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
+
++manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })
++
+ kernel_getattr_core_if(bootloader_t)
+ kernel_read_network_state(bootloader_t)
+ kernel_read_system_state(bootloader_t)
+@@ -78,6 +85,7 @@ dev_rw_nvram(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
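Review bot: `files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })` is an unnamed transition, so every directory or file bootloader_t creates directly under the pid directory is labelled bootloader_var_run_t, not only the blkid cache that the matching fc entry `/var/run/blkid(/.*)?` in this commit covers. The module already uses the named form elsewhere (`files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")`), and the same shape keeps this grant aligned with the fc entry: `files_pid_filetrans(bootloader_t, bootloader_var_run_t, dir, "blkid")`; if bootloader also writes plain files directly under the pid directory, the unnamed `file` transition can stay beside it. The brace spacing `{dir file }` also differs from the `{ dir file ... }` style on the surrounding lines. bootloader_t's policy block continues outside this hunk.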
@@ -58816,7 +58837,7 @@ index d3da8f2..a10844b 100644
fs_read_tmpfs_symlinks(bootloader_t)
#Needed for ia64
fs_manage_dos_files(bootloader_t)
-@@ -86,6 +87,7 @@ mls_file_read_all_levels(bootloader_t)
+@@ -86,6 +94,7 @@ mls_file_read_all_levels(bootloader_t)
mls_file_write_all_levels(bootloader_t)
term_getattr_all_ttys(bootloader_t)
@@ -58824,7 +58845,7 @@ index d3da8f2..a10844b 100644
term_dontaudit_manage_pty_dirs(bootloader_t)
corecmd_exec_all_executables(bootloader_t)
-@@ -95,12 +97,14 @@ domain_use_interactive_fds(bootloader_t)
+@@ -95,12 +104,14 @@ domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
@@ -58839,7 +58860,7 @@ index d3da8f2..a10844b 100644
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
-@@ -108,6 +112,7 @@ files_manage_etc_runtime_files(bootloader_t)
+@@ -108,6 +119,7 @@ files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
@@ -58847,7 +58868,7 @@ index d3da8f2..a10844b 100644
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
init_use_script_fds(bootloader_t)
-@@ -115,19 +120,21 @@ init_rw_script_pipes(bootloader_t)
+@@ -115,19 +127,21 @@ init_rw_script_pipes(bootloader_t)
libs_read_lib_files(bootloader_t)
libs_exec_lib_files(bootloader_t)
@@ -58872,7 +58893,7 @@ index d3da8f2..a10844b 100644
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
-@@ -162,8 +169,10 @@ ifdef(`distro_redhat',`
+@@ -162,8 +176,10 @@ ifdef(`distro_redhat',`
files_manage_isid_type_blk_files(bootloader_t)
files_manage_isid_type_chr_files(bootloader_t)
@@ -58885,7 +58906,7 @@ index d3da8f2..a10844b 100644
optional_policy(`
unconfined_domain(bootloader_t)
-@@ -171,6 +180,10 @@ ifdef(`distro_redhat',`
+@@ -171,6 +187,10 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -58896,7 +58917,7 @@ index d3da8f2..a10844b 100644
fstools_exec(bootloader_t)
')
-@@ -180,6 +193,10 @@ optional_policy(`
+@@ -180,6 +200,10 @@ optional_policy(`
')
optional_policy(`
@@ -58907,7 +58928,7 @@ index d3da8f2..a10844b 100644
kudzu_domtrans(bootloader_t)
')
-@@ -192,15 +209,13 @@ optional_policy(`
+@@ -192,15 +216,13 @@ optional_policy(`
optional_policy(`
modutils_exec_insmod(bootloader_t)
@@ -67152,7 +67173,7 @@ index fbb5c5a..ce9aee0 100644
')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..3a09bbc 100644
+index 2e9318b..094441e 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
@@ -67462,7 +67483,7 @@ index 2e9318b..3a09bbc 100644
')
optional_policy(`
-@@ -438,18 +478,105 @@ optional_policy(`
+@@ -438,18 +478,106 @@ optional_policy(`
')
optional_policy(`
@@ -67492,6 +67513,7 @@ index 2e9318b..3a09bbc 100644
+optional_policy(`
+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
++ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
xserver_use_user_fonts(mozilla_plugin_t)
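Review bot: `xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)` is the only addition here and the definition of that interface is not part of this commit; if xserver.if in the patched tree does not already provide it, the mozilla module fails to build rather than merely losing a dontaudit, so that is worth confirming before merge. Since the changelog describes the audited access as "looks like bogus code", a short comment above the call naming the operation being silenced (`# dontaudit setattr on xdm_tmp_t dirs; see changelog`) would tell the next maintainer this is deliberate noise suppression rather than a grant. The enclosing optional_policy block starts outside this hunk.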
@@ -71320,10 +71342,10 @@ index 0000000..9127cec
+')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..7eea9cd
+index 0000000..386f9a1
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,109 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -71398,6 +71420,10 @@ index 0000000..7eea9cd
+
+auth_use_nsswitch(thumb_t)
+
++tunable_policy(`allow_execmod',`
++ libs_legacy_use_shared_libs(thumb_t)
++')
++
+miscfiles_read_fonts(thumb_t)
+miscfiles_read_localization(thumb_t)
+
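Review bot: The new `tunable_policy(`allow_execmod',` block carries no comment explaining why a thumbnailer, which parses untrusted files, needs `libs_legacy_use_shared_libs(thumb_t)`, an interface whose name indicates execmod on legacy text-relocating shared libraries, i.e. a relaxation of the W^X protection for this domain. A one-line comment above it such as `# execmod on legacy text-relocating libraries, only when the global allow_execmod boolean is on` would record that the rule is intentional. Because it hangs off the global `allow_execmod` boolean rather than a thumb-specific one, it is switched on together with every other domain's execmod; the comment should say so. thumb_t's policy block continues outside this hunk.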
@@ -78731,7 +78757,7 @@ index cda5588..e89e4bf 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..aa54b2c 100644
+index 97fcdac..cab2348 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -78857,15 +78883,17 @@ index 97fcdac..aa54b2c 100644
dev_search_sysfs($1)
')
-@@ -763,6 +829,7 @@ interface(`fs_rw_cgroup_files',`
+@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',`
+
')
++ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
rw_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
-@@ -803,6 +870,8 @@ interface(`fs_manage_cgroup_files',`
+@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',`
')
manage_files_pattern($1, cgroup_t, cgroup_t)
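Review bot: `read_lnk_files_pattern($1, cgroup_t, cgroup_t)` widens fs_rw_cgroup_files to symlink reads, but the interface's `<summary>` documentation, which lies outside this hunk, still describes only reading and writing cgroup files; it should mention that symlinks in the cgroup tree are read as well. The sibling fs_manage_cgroup_files, whose hunk follows with only its line numbers changed, does not visibly receive the same symlink read; if callers of the manage variant hit the same denial it needs the same line. The interface body begins outside this hunk.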
@@ -78874,7 +78902,7 @@ index 97fcdac..aa54b2c 100644
dev_search_sysfs($1)
')
-@@ -1107,6 +1176,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',`
########################################
## <summary>
@@ -78899,7 +78927,7 @@ index 97fcdac..aa54b2c 100644
## Do not audit attempts to read all
## noxattrfs files.
## </summary>
-@@ -1245,7 +1332,7 @@ interface(`fs_append_cifs_files',`
+@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',`
########################################
## <summary>
@@ -78908,7 +78936,7 @@ index 97fcdac..aa54b2c 100644
## on a CIFS filesystem.
## </summary>
## <param name="domain">
-@@ -1265,6 +1352,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',`
########################################
## <summary>
@@ -78951,7 +78979,7 @@ index 97fcdac..aa54b2c 100644
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
## </summary>
-@@ -1279,7 +1402,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
@@ -78960,7 +78988,7 @@ index 97fcdac..aa54b2c 100644
')
########################################
-@@ -1542,6 +1665,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -78986,7 +79014,7 @@ index 97fcdac..aa54b2c 100644
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -1582,6 +1724,24 @@ interface(`fs_manage_configfs_files',`
+@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',`
########################################
## <summary>
@@ -79011,7 +79039,7 @@ index 97fcdac..aa54b2c 100644
## Mount a DOS filesystem, such as
## FAT32 or NTFS.
## </summary>
-@@ -1679,6 +1839,25 @@ interface(`fs_relabelfrom_dos_fs',`
+@@ -1679,6 +1840,25 @@ interface(`fs_relabelfrom_dos_fs',`
########################################
## <summary>
@@ -79037,7 +79065,7 @@ index 97fcdac..aa54b2c 100644
## Search dosfs filesystem.
## </summary>
## <param name="domain">
-@@ -2025,6 +2204,68 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2025,6 +2205,68 @@ interface(`fs_read_fusefs_symlinks',`
########################################
## <summary>
@@ -79106,7 +79134,7 @@ index 97fcdac..aa54b2c 100644
## Get the attributes of an hugetlbfs
## filesystem.
## </summary>
-@@ -2080,6 +2321,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2080,6 +2322,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
## <summary>
@@ -79131,7 +79159,7 @@ index 97fcdac..aa54b2c 100644
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -2148,11 +2407,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2408,12 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -79145,7 +79173,7 @@ index 97fcdac..aa54b2c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2480,6 +2740,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2741,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -79153,7 +79181,7 @@ index 97fcdac..aa54b2c 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2518,6 +2779,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2780,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -79161,7 +79189,7 @@ index 97fcdac..aa54b2c 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2544,6 +2806,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2807,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -79187,7 +79215,7 @@ index 97fcdac..aa54b2c 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2564,7 +2845,7 @@ interface(`fs_append_nfs_files',`
+@@ -2564,7 +2846,7 @@ interface(`fs_append_nfs_files',`
########################################
## <summary>
@@ -79196,7 +79224,7 @@ index 97fcdac..aa54b2c 100644
## on a NFS filesystem.
## </summary>
## <param name="domain">
-@@ -2584,6 +2865,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2866,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@@ -79239,7 +79267,7 @@ index 97fcdac..aa54b2c 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
-@@ -2598,7 +2915,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2916,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -79248,7 +79276,7 @@ index 97fcdac..aa54b2c 100644
')
########################################
-@@ -2622,7 +2939,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2622,7 +2940,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
@@ -79257,7 +79285,7 @@ index 97fcdac..aa54b2c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2736,7 +3053,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +3054,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -79266,7 +79294,7 @@ index 97fcdac..aa54b2c 100644
## </summary>
## </param>
#
-@@ -2772,7 +3089,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3090,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -79275,7 +79303,7 @@ index 97fcdac..aa54b2c 100644
## </summary>
## </param>
#
-@@ -2965,6 +3282,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3283,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -79283,7 +79311,7 @@ index 97fcdac..aa54b2c 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3005,6 +3323,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3324,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -79291,7 +79319,7 @@ index 97fcdac..aa54b2c 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3045,6 +3364,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3365,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -79299,7 +79327,7 @@ index 97fcdac..aa54b2c 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3258,6 +3578,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3258,6 +3579,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@@ -79324,7 +79352,7 @@ index 97fcdac..aa54b2c 100644
########################################
## <summary>
## Read and write NFS server files.
-@@ -3278,6 +3616,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3278,6 +3617,24 @@ interface(`fs_rw_nfsd_fs',`
########################################
## <summary>
@@ -79349,7 +79377,7 @@ index 97fcdac..aa54b2c 100644
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
-@@ -3387,7 +3743,7 @@ interface(`fs_search_ramfs',`
+@@ -3387,7 +3744,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@@ -79358,7 +79386,7 @@ index 97fcdac..aa54b2c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3424,7 +3780,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3424,7 +3781,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@@ -79367,7 +79395,7 @@ index 97fcdac..aa54b2c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3442,7 +3798,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3442,7 +3799,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@@ -79376,7 +79404,7 @@ index 97fcdac..aa54b2c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3810,6 +4166,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3810,6 +4167,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
@@ -79401,7 +79429,7 @@ index 97fcdac..aa54b2c 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
-@@ -3958,6 +4332,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4333,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@@ -79444,7 +79472,7 @@ index 97fcdac..aa54b2c 100644
## Create, read, write, and delete
## tmpfs directories
## </summary>
-@@ -4059,7 +4469,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4059,7 +4470,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -79453,7 +79481,7 @@ index 97fcdac..aa54b2c 100644
')
########################################
-@@ -4119,6 +4529,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4119,6 +4530,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@@ -79478,7 +79506,7 @@ index 97fcdac..aa54b2c 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
-@@ -4156,7 +4584,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4156,7 +4585,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@@ -79487,7 +79515,7 @@ index 97fcdac..aa54b2c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4175,6 +4603,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4604,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -79530,7 +79558,7 @@ index 97fcdac..aa54b2c 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4232,6 +4696,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4232,6 +4697,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@@ -79555,7 +79583,7 @@ index 97fcdac..aa54b2c 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
-@@ -4251,6 +4733,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4734,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -79581,7 +79609,7 @@ index 97fcdac..aa54b2c 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4457,6 +4958,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4959,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -79590,7 +79618,7 @@ index 97fcdac..aa54b2c 100644
')
########################################
-@@ -4503,7 +5006,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +5007,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -79599,7 +79627,7 @@ index 97fcdac..aa54b2c 100644
## Example attributes:
## </p>
## <ul>
-@@ -4866,3 +5369,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5370,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -81984,10 +82012,10 @@ index 234a940..d340f20 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..9c21943 100644
+index 2be17d2..93323c7 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,52 @@ policy_module(staff, 2.2.0)
+@@ -8,12 +8,57 @@ policy_module(staff, 2.2.0)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -82037,10 +82065,15 @@ index 2be17d2..9c21943 100644
+ abrt_read_cache(staff_t)
+')
+
++optional_policy(`
++ accountsd_dbus_chat(staff_t)
++ accountsd_read_lib_files(staff_t)
++')
++
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -23,23 +63,119 @@ optional_policy(`
+@@ -23,23 +68,122 @@ optional_policy(`
')
optional_policy(`
@@ -82052,20 +82085,19 @@ index 2be17d2..9c21943 100644
+')
+
+optional_policy(`
- dbadm_role_change(staff_r)
- ')
-
- optional_policy(`
-+ accountsd_dbus_chat(staff_t)
-+ accountsd_read_lib_files(staff_t)
++ chrome_role(staff_r, staff_t)
+')
+
+optional_policy(`
-+ chrome_role(staff_r, staff_t)
++ colord_dbus_chat(staff_t)
+')
+
+optional_policy(`
-+ colord_dbus_chat(staff_t)
+ dbadm_role_change(staff_r)
+ ')
+
+ optional_policy(`
++ dnsmasq_read_pid_files(staff_t)
+')
+
+optional_policy(`
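Review bot: `dnsmasq_read_pid_files(staff_t)` is granted to all of staff_t in its own optional_policy block, while the changelog says the access is only needed when staff_t runs libvirt; a comment above the call (`# libvirt started from staff_t reads dnsmasq_var_run_t`) would record that, and if libvirt's own role interface for staff can carry the access instead, the grant would be limited to that case. The rest of this hunk only reorders the existing accountsd, chrome and colord blocks. staff_t's policy continues outside this hunk.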
@@ -82148,6 +82180,10 @@ index 2be17d2..9c21943 100644
+')
+
+optional_policy(`
++ rwho_read_spool_files(staff_t)
++')
++
++optional_policy(`
secadm_role_change(staff_r)
')
@@ -82162,7 +82198,7 @@ index 2be17d2..9c21943 100644
')
optional_policy(`
-@@ -48,10 +184,59 @@ optional_policy(`
+@@ -48,10 +192,59 @@ optional_policy(`
')
optional_policy(`
@@ -82222,7 +82258,7 @@ index 2be17d2..9c21943 100644
xserver_role(staff_r, staff_t)
')
-@@ -61,10 +246,6 @@ ifndef(`distro_redhat',`
+@@ -61,10 +254,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -82233,7 +82269,7 @@ index 2be17d2..9c21943 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -89,18 +270,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +278,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -82252,7 +82288,7 @@ index 2be17d2..9c21943 100644
java_role(staff_r, staff_t)
')
-@@ -121,10 +294,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +302,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -82263,7 +82299,7 @@ index 2be17d2..9c21943 100644
pyzor_role(staff_r, staff_t)
')
-@@ -137,10 +306,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +314,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -82274,7 +82310,7 @@ index 2be17d2..9c21943 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +337,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +345,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -85637,7 +85673,7 @@ index deca9d3..ac92fce 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..8281bc3 100644
+index 9e39aa5..c1e18e1 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,39 +1,54 @@
@@ -85728,7 +85764,7 @@ index 9e39aa5..8281bc3 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,25 +92,36 @@ ifdef(`distro_suse', `
+@@ -73,39 +92,72 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -85769,7 +85805,13 @@ index 9e39aa5..8281bc3 100644
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -104,8 +134,29 @@ ifdef(`distro_debian', `
+ /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+ /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -85801,7 +85843,7 @@ index 9e39aa5..8281bc3 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..d0bf548 100644
+index 6480167..c453e35 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,62 +13,46 @@
@@ -86446,7 +86488,7 @@ index 6480167..d0bf548 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1349,93 @@ interface(`apache_admin',`
+@@ -1205,14 +1349,95 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -86515,11 +86557,13 @@ index 6480167..d0bf548 100644
+interface(`apache_filetrans_named_content',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_rw_content_t;
++ type httpd_tmp_t;
+ ')
+
+
+ apache_filetrans_home_content($1)
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
+########################################
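Review bot: The body of apache_filetrans_named_content now has two consecutive blank lines between the `gen_require` block and `apache_filetrans_home_content($1)`, which differs from the single blank line used in the neighbouring interfaces; one of them should go. The new `userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")` line uses the named form and matches the `/var/run/user/apache(/.*)?` fc entry added in this commit, which is the right shape.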
@@ -86546,7 +86590,7 @@ index 6480167..d0bf548 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..6aa4bdc 100644
+index 3136c6a..8ce80e7 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,136 +18,268 @@ policy_module(apache, 2.2.1)
@@ -86679,17 +86723,17 @@ index 3136c6a..6aa4bdc 100644
gen_tunable(httpd_can_sendmail, false)
+
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
+## <p>
+## Allow http daemon to connect to zabbix
+## </p>
+## </desc>
+gen_tunable(httpd_can_connect_zabbix, false)
+
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
+## <p>
+## Allow http daemon to check spam
+## </p>
@@ -86973,7 +87017,7 @@ index 3136c6a..6aa4bdc 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +494,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +494,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -86981,10 +87025,11 @@ index 3136c6a..6aa4bdc 100644
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
++userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
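Review bot: `userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)` is the unnamed form, so any directory httpd_t creates inside a user_tmp_t directory becomes httpd_tmp_t, whereas the companion change in apache.if uses the named form `userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")` and the new fc entry covers only `/var/run/user/apache(/.*)?`. Making the three agree, `userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir, "apache")`, keeps the runtime transition limited to the directory a relabel would label the same way, so labels do not diverge between creation and restorecon. httpd_t's policy block continues outside this hunk.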
-@@ -339,8 +505,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +506,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -86995,7 +87040,7 @@ index 3136c6a..6aa4bdc 100644
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +522,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +523,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -87005,7 +87050,7 @@ index 3136c6a..6aa4bdc 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +536,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -87026,7 +87071,7 @@ index 3136c6a..6aa4bdc 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -378,12 +556,13 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +557,13 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -87043,7 +87088,7 @@ index 3136c6a..6aa4bdc 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +570,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +571,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -87051,7 +87096,7 @@ index 3136c6a..6aa4bdc 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,48 +582,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +583,101 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -87155,7 +87200,7 @@ index 3136c6a..6aa4bdc 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -454,27 +687,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +688,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -87219,7 +87264,7 @@ index 3136c6a..6aa4bdc 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +751,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +752,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -87242,7 +87287,7 @@ index 3136c6a..6aa4bdc 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +781,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +782,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -87263,7 +87308,7 @@ index 3136c6a..6aa4bdc 100644
')
optional_policy(`
-@@ -513,7 +805,13 @@ optional_policy(`
+@@ -513,7 +806,13 @@ optional_policy(`
')
optional_policy(`
@@ -87278,12 +87323,18 @@ index 3136c6a..6aa4bdc 100644
')
optional_policy(`
-@@ -528,7 +826,19 @@ optional_policy(`
+@@ -528,7 +827,25 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
- optional_policy(`
+optional_policy(`
++ # needed by FreeIPA
++ dirsrv_stream_connect(httpd_t)
++ ldap_stream_connect(httpd_t)
++')
++
++optional_policy(`
+ dirsrv_manage_config(httpd_t)
+ dirsrv_manage_log(httpd_t)
+ dirsrv_manage_var_run(httpd_t)
@@ -87299,7 +87350,7 @@ index 3136c6a..6aa4bdc 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
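Review bot: The new optional_policy block calls both `dirsrv_stream_connect(httpd_t)` and `ldap_stream_connect(httpd_t)`, which by their prefixes come from two different modules; an optional_policy block is dropped as a whole when any interface it names is unavailable, so the LDAP socket access silently disappears on a system without the dirsrv module, and vice versa. The file's convention, visible in the neighbouring blocks, is one module per block: keep `# needed by FreeIPA` with `dirsrv_stream_connect(httpd_t)` and move `ldap_stream_connect(httpd_t)` into its own `optional_policy(...)` block. httpd_t's policy continues outside this hunk.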
-@@ -537,12 +847,21 @@ optional_policy(`
+@@ -537,13 +854,24 @@ optional_policy(`
')
optional_policy(`
@@ -87320,9 +87371,12 @@ index 3136c6a..6aa4bdc 100644
+
+optional_policy(`
kerberos_keytab_template(httpd, httpd_t)
++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
')
-@@ -556,7 +875,21 @@ optional_policy(`
+ optional_policy(`
+@@ -556,7 +884,21 @@ optional_policy(`
')
optional_policy(`
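Review bot: `kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")` and `"HTTP_48"` hard-code two replay-cache names, and the numeric suffixes look like user ids, so an httpd instance running under any other uid would create its host rcache without the transition and leave it with the generic tmp label. A comment above the pair stating what the numbers are and where they come from, e.g. `# HTTP_<uid> replay cache names; 23 and 48 are the service-account uids — TODO confirm which`, would make the coupling visible instead of leaving two apparently arbitrary constants. The interface definition is not in this hunk, so its argument order (domain, name) is assumed from the call. httpd_t's policy continues outside this hunk.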
@@ -87344,7 +87398,7 @@ index 3136c6a..6aa4bdc 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +900,7 @@ optional_policy(`
+@@ -567,6 +909,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -87352,7 +87406,7 @@ index 3136c6a..6aa4bdc 100644
')
optional_policy(`
-@@ -577,6 +911,33 @@ optional_policy(`
+@@ -577,6 +920,33 @@ optional_policy(`
')
optional_policy(`
@@ -87386,7 +87440,7 @@ index 3136c6a..6aa4bdc 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +952,11 @@ optional_policy(`
+@@ -591,6 +961,11 @@ optional_policy(`
')
optional_policy(`
@@ -87398,7 +87452,7 @@ index 3136c6a..6aa4bdc 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +969,12 @@ optional_policy(`
+@@ -603,6 +978,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -87411,7 +87465,7 @@ index 3136c6a..6aa4bdc 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +988,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +997,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -87424,7 +87478,7 @@ index 3136c6a..6aa4bdc 100644
########################################
#
-@@ -654,28 +1030,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1039,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -87468,7 +87522,7 @@ index 3136c6a..6aa4bdc 100644
')
########################################
-@@ -685,6 +1063,8 @@ optional_policy(`
+@@ -685,6 +1072,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -87477,7 +87531,7 @@ index 3136c6a..6aa4bdc 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1079,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1088,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -87503,7 +87557,7 @@ index 3136c6a..6aa4bdc 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1125,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1134,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -87536,7 +87590,7 @@ index 3136c6a..6aa4bdc 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1172,25 @@ optional_policy(`
+@@ -769,6 +1181,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -87562,7 +87616,7 @@ index 3136c6a..6aa4bdc 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1211,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1220,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -87580,7 +87634,7 @@ index 3136c6a..6aa4bdc 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1230,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1239,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -87637,7 +87691,7 @@ index 3136c6a..6aa4bdc 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1281,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1290,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -87678,7 +87732,7 @@ index 3136c6a..6aa4bdc 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1326,20 @@ optional_policy(`
+@@ -842,10 +1335,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -87699,7 +87753,7 @@ index 3136c6a..6aa4bdc 100644
')
########################################
-@@ -891,11 +1385,146 @@ optional_policy(`
+@@ -891,11 +1394,146 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -87723,7 +87777,7 @@ index 3136c6a..6aa4bdc 100644
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
+ userdom_read_user_home_content_files(httpd_user_script_t)
- ')
++')
+
+########################################
+#
@@ -87826,7 +87880,7 @@ index 3136c6a..6aa4bdc 100644
+
+optional_policy(`
+ nscd_socket_use(httpd_script_type)
-+')
+ ')
+
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+
@@ -88044,7 +88098,7 @@ index 1ea99b2..1bf05b5 100644
+ ps_process_pattern($1, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..1fbabf7 100644
+index 1c8c27e..35d798f 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -88095,15 +88149,7 @@ index 1c8c27e..1fbabf7 100644
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
-@@ -101,7 +108,6 @@ selinux_search_fs(apmd_t)
- corecmd_exec_all_executables(apmd_t)
-
- domain_read_all_domains_state(apmd_t)
--domain_dontaudit_ptrace_all_domains(apmd_t)
- domain_use_interactive_fds(apmd_t)
- domain_dontaudit_getattr_all_sockets(apmd_t)
- domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
-@@ -114,6 +120,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+@@ -114,6 +121,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
@@ -88112,19 +88158,15 @@ index 1c8c27e..1fbabf7 100644
init_domtrans_script(apmd_t)
init_rw_utmp(apmd_t)
init_telinit(apmd_t)
-@@ -127,10 +135,8 @@ logging_send_audit_msgs(apmd_t)
- miscfiles_read_localization(apmd_t)
- miscfiles_read_hwdata(apmd_t)
+@@ -131,6 +140,7 @@ modutils_domtrans_insmod(apmd_t)
+ modutils_read_module_config(apmd_t)
--modutils_domtrans_insmod(apmd_t)
--modutils_read_module_config(apmd_t)
--
seutil_dontaudit_read_config(apmd_t)
+seutil_sigchld_newrole(apmd_t)
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
userdom_dontaudit_search_user_home_dirs(apmd_t)
-@@ -142,9 +148,8 @@ ifdef(`distro_redhat',`
+@@ -142,9 +152,8 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
@@ -88135,7 +88177,7 @@ index 1c8c27e..1fbabf7 100644
')
optional_policy(`
-@@ -155,6 +160,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +164,15 @@ ifdef(`distro_redhat',`
netutils_domtrans(apmd_t)
')
@@ -88151,7 +88193,7 @@ index 1c8c27e..1fbabf7 100644
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
-@@ -181,6 +195,12 @@ optional_policy(`
+@@ -181,6 +199,12 @@ optional_policy(`
')
optional_policy(`
@@ -88164,38 +88206,21 @@ index 1c8c27e..1fbabf7 100644
dbus_system_bus_client(apmd_t)
optional_policy(`
-@@ -201,7 +221,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_socket_use(apmd_t)
-+ modutils_domtrans_insmod(apmd_t)
-+ modutils_read_module_config(apmd_t)
- ')
-
- optional_policy(`
-@@ -209,8 +230,9 @@ optional_policy(`
+@@ -209,8 +233,13 @@ optional_policy(`
pcmcia_domtrans_cardctl(apmd_t)
')
+
- optional_policy(`
-- seutil_sigchld_newrole(apmd_t)
++optional_policy(`
+ shutdown_domtrans(apmd_t)
- ')
-
++')
++
optional_policy(`
-@@ -219,10 +241,6 @@ optional_policy(`
+- seutil_sigchld_newrole(apmd_t)
++ systemd_dbus_chat_logind(apmd_t)
')
optional_policy(`
-- unconfined_domain(apmd_t)
--')
--
--optional_policy(`
- vbetool_domtrans(apmd_t)
- ')
-
diff --git a/policy/modules/services/arpwatch.fc b/policy/modules/services/arpwatch.fc
index a86a6c7..ab50afe 100644
--- a/policy/modules/services/arpwatch.fc
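Review bot: Removing the inner hunk `-@@ -219,10 +241,6 @@ optional_policy(`` together with its `-- unconfined_domain(apmd_t)` line means the patched apm.te now keeps upstream's `optional_policy(` unconfined_domain(apmd_t) ')` block, so apmd_t is an unconfined domain wherever the unconfined module is loaded, which is the Fedora default. The changelog entry for this file only says "Allow apmd to change with the logind daemon", so this looks like an accidental loss while the patch was regenerated; if it is deliberate it needs a changelog line and a comment in apm.te, and the rest of this hunk (`++ systemd_dbus_chat_logind(apmd_t)`, `+ shutdown_domtrans(apmd_t)`) becomes moot once the domain is unconfined. Restore the four-line deletion of the unconfined_domain block. I can only see the inner hunk header and its removed lines here, so I am assuming no other part of the new patch deletes that block.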
@@ -97226,7 +97251,7 @@ index 305ddf4..4d70951 100644
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..085e634 100644
+index 0f28095..58143ec 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -97342,10 +97367,11 @@ index 0f28095..085e634 100644
')
')
-@@ -311,10 +319,22 @@ optional_policy(`
+@@ -311,10 +319,23 @@ optional_policy(`
')
optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
+ kerberos_manage_host_rcache(cupsd_t)
+')
+
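Review bot: `++ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")` and the existing `+ kerberos_manage_host_rcache(cupsd_t)` on the next line now overlap, because the version of kerberos_tmp_filetrans_host_rcache in this patch's kerberos.if hunk grants `manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)` itself. Either keep the filetrans interface transition-only (preferable, see the kerberos.if hunk) so the two calls have distinct jobs, or add `# manage access already comes with the filetrans interface` so the next reader does not delete the wrong line. The name `host_0` encodes a uid of 0, which is correct only while cupsd runs as root; a short comment stating that assumption would help.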
@@ -97365,7 +97391,7 @@ index 0f28095..085e634 100644
mta_send_mail(cupsd_t)
')
-@@ -322,6 +342,8 @@ optional_policy(`
+@@ -322,6 +343,8 @@ optional_policy(`
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -97374,7 +97400,7 @@ index 0f28095..085e634 100644
')
optional_policy(`
-@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +394,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -97385,7 +97411,7 @@ index 0f28095..085e634 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -393,6 +416,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +417,10 @@ dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
@@ -97396,7 +97422,7 @@ index 0f28095..085e634 100644
files_search_all_mountpoints(cupsd_config_t)
-@@ -425,11 +452,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +453,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -97410,7 +97436,7 @@ index 0f28095..085e634 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +480,10 @@ optional_policy(`
+@@ -453,6 +481,10 @@ optional_policy(`
')
optional_policy(`
@@ -97421,7 +97447,7 @@ index 0f28095..085e634 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +498,10 @@ optional_policy(`
+@@ -467,6 +499,10 @@ optional_policy(`
')
optional_policy(`
@@ -97432,7 +97458,7 @@ index 0f28095..085e634 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -537,6 +572,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +573,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -97440,7 +97466,7 @@ index 0f28095..085e634 100644
dev_read_urand(cupsd_lpd_t)
dev_read_rand(cupsd_lpd_t)
-@@ -587,23 +623,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +624,22 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -97473,7 +97499,7 @@ index 0f28095..085e634 100644
')
########################################
-@@ -639,7 +674,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +675,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -97482,7 +97508,7 @@ index 0f28095..085e634 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -661,6 +696,8 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,6 +697,8 @@ corenet_tcp_bind_generic_node(hplip_t)
corenet_udp_bind_generic_node(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -97491,7 +97517,7 @@ index 0f28095..085e634 100644
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
-@@ -685,6 +722,9 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +723,9 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -97501,7 +97527,7 @@ index 0f28095..085e634 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +736,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +737,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -99954,10 +99980,10 @@ index 0000000..b214253
+')
diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
new file mode 100644
-index 0000000..71f225b
+index 0000000..4409b7d
--- /dev/null
+++ b/policy/modules/services/dirsrv.te
-@@ -0,0 +1,194 @@
+@@ -0,0 +1,197 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -100095,6 +100121,9 @@ index 0000000..71f225b
+
+optional_policy(`
+ kerberos_use(dirsrv_t)
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
+')
+
+# FIPS mode
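Review bot: The three names in `++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")`, `"ldap_487"` and `"ldap_55"` are hard-coded without explanation; the numeric suffix appears to be the uid the daemon runs as, and 487 in particular looks like a dynamically assigned system uid, so on a host where the dirsrv account received a different uid none of these transitions fire and the replay cache is created as tmp_t. Add a comment such as `# krb5 replay caches are /var/tmp/<service>_<uid>; uids as seen on the reference install` above the calls, and state why three names are needed. The same list is repeated verbatim for slapd_t in the ldap.te hunk of this patch; a shared helper in kerberos.if would keep the two in sync.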
@@ -100207,7 +100236,7 @@ index b886676..3d5ca2b 100644
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..6572368 100644
+index 9bd812b..53f895e 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -10,7 +10,6 @@
@@ -100273,31 +100302,7 @@ index 9bd812b..6572368 100644
## Send dnsmasq a signal
## </summary>
## <param name="domain">
-@@ -101,9 +141,9 @@ interface(`dnsmasq_kill',`
- ## Read dnsmasq config files.
- ## </summary>
- ## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed access.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`dnsmasq_read_config',`
-@@ -120,9 +160,9 @@ interface(`dnsmasq_read_config',`
- ## Write to dnsmasq config files.
- ## </summary>
- ## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed access.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`dnsmasq_write_config',`
-@@ -144,12 +184,12 @@ interface(`dnsmasq_write_config',`
+@@ -144,18 +184,18 @@ interface(`dnsmasq_write_config',`
## </summary>
## </param>
#
@@ -100311,11 +100316,36 @@ index 9bd812b..6572368 100644
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
-@@ -163,17 +203,80 @@ interface(`dnsmasq_delete_pid_files',`
+ ########################################
+ ## <summary>
+-## Read dnsmasq pid files
++## Manage dnsmasq pid files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -163,17 +203,99 @@ interface(`dnsmasq_delete_pid_files',`
## </summary>
## </param>
#
--#
++interface(`dnsmasq_manage_pid_files',`
++ gen_require(`
++ type dnsmasq_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
++')
++
++########################################
++## <summary>
++## Read dnsmasq pid files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+ #
interface(`dnsmasq_read_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
@@ -100393,7 +100423,7 @@ index 9bd812b..6572368 100644
## All of the rules required to administrate
## an dnsmasq environment
## </summary>
-@@ -193,10 +296,14 @@ interface(`dnsmasq_admin',`
+@@ -193,10 +315,14 @@ interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
type dnsmasq_initrc_exec_t;
@@ -100409,7 +100439,7 @@ index 9bd812b..6572368 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -208,4 +315,8 @@ interface(`dnsmasq_admin',`
+@@ -208,4 +334,8 @@ interface(`dnsmasq_admin',`
files_list_pids($1)
admin_pattern($1, dnsmasq_var_run_t)
@@ -100779,9 +100809,15 @@ index e1d7dc5..13e4800 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..44fb831 100644
+index acf6d4f..0e55b6d 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
+@@ -1,4 +1,4 @@
+-policy_module(dovecot, 1.12.1)
++policy_module(dovecot, 1.14.0)
+
+ ########################################
+ #
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
files_tmp_file(dovecot_auth_tmp_t)
@@ -100871,15 +100907,14 @@ index acf6d4f..44fb831 100644
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
-@@ -153,17 +163,34 @@ userdom_manage_user_home_content_pipes(dovecot_t)
+@@ -152,18 +162,34 @@ userdom_manage_user_home_content_symlinks(dovecot_t)
+ userdom_manage_user_home_content_pipes(dovecot_t)
userdom_manage_user_home_content_sockets(dovecot_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
++mta_manage_home_rw(dovecot_t)
--mta_manage_spool(dovecot_t)
-+optional_policy(`
-+ mta_manage_spool(dovecot_t)
-+ mta_read_home_rw(dovecot_t)
-+')
+ mta_manage_spool(dovecot_t)
++mta_read_home_rw(dovecot_t)
optional_policy(`
kerberos_keytab_template(dovecot, dovecot_t)
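Review bot: `++mta_read_home_rw(dovecot_t)` is redundant next to the new `++mta_manage_home_rw(dovecot_t)` a few lines above it: the manage interface's manage_files_pattern and manage_dirs_pattern on mail_home_rw_t already include every permission read_files_pattern grants, and it also calls userdom_search_user_home_dirs. Unless mta_read_home_rw grants something the manage interface does not (its body is cut off in this patch, so symlink reads, for example, are possible), drop the read call; otherwise have mta_manage_home_rw call mta_read_home_rw so the two cannot drift apart.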
@@ -100907,7 +100942,7 @@ index acf6d4f..44fb831 100644
seutil_sigchld_newrole(dovecot_t)
')
-@@ -180,8 +207,8 @@ optional_policy(`
+@@ -180,8 +206,8 @@ optional_policy(`
# dovecot auth local policy
#
@@ -100918,7 +100953,7 @@ index acf6d4f..44fb831 100644
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +217,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +216,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
@@ -100928,7 +100963,7 @@ index acf6d4f..44fb831 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +231,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +230,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
@@ -100941,7 +100976,7 @@ index acf6d4f..44fb831 100644
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +249,8 @@ files_read_usr_files(dovecot_auth_t)
+@@ -216,7 +248,8 @@ files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
@@ -100951,7 +100986,7 @@ index acf6d4f..44fb831 100644
init_rw_utmp(dovecot_auth_t)
-@@ -236,6 +270,8 @@ optional_policy(`
+@@ -236,6 +269,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -100960,7 +100995,7 @@ index acf6d4f..44fb831 100644
')
optional_policy(`
-@@ -243,6 +279,8 @@ optional_policy(`
+@@ -243,6 +278,8 @@ optional_policy(`
')
optional_policy(`
@@ -100969,7 +101004,7 @@ index acf6d4f..44fb831 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,23 +288,42 @@ optional_policy(`
+@@ -250,23 +287,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -101014,7 +101049,7 @@ index acf6d4f..44fb831 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -283,24 +340,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +339,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@@ -102940,7 +102975,7 @@ index 9d3201b..6e75e3d 100644
+ allow $1 ftpd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..9be06fe 100644
+index 8a74a83..7eccc14 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,27 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -103129,7 +103164,7 @@ index 8a74a83..9be06fe 100644
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,10 +353,34 @@ optional_policy(`
+@@ -309,10 +353,35 @@ optional_policy(`
')
optional_policy(`
@@ -103143,6 +103178,7 @@ index 8a74a83..9be06fe 100644
- kerberos_manage_host_rcache(ftpd_t)
+ # this part of auth_use_pam
+ #kerberos_manage_host_rcache(ftpd_t)
++ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
+')
+
+optional_policy(`
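Review bot: The comment `+ # this part of auth_use_pam` above the dead `+ #kerberos_manage_host_rcache(ftpd_t)` line is now misleading, because the added `++ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")` calls an interface that, in this patch's kerberos.if hunk, grants manage_files_pattern on krb5_host_rcache_t, so ftpd_t receives the manage access from here regardless of what auth_use_pam provides. Either delete the commented-out line and reword the comment to `# manage on krb5_host_rcache_t comes via auth_use_pam and the filetrans interface below`, or, preferably, keep the filetrans interface transition-only and let auth_use_pam supply the manage access as the comment claims. The enclosing optional_policy block begins before this hunk.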
@@ -103165,7 +103201,7 @@ index 8a74a83..9be06fe 100644
')
optional_policy(`
-@@ -347,16 +415,17 @@ optional_policy(`
+@@ -347,16 +416,17 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -103185,7 +103221,7 @@ index 8a74a83..9be06fe 100644
########################################
#
-@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +435,33 @@ userdom_use_user_terminals(ftpdctl_t)
files_read_etc_files(sftpd_t)
@@ -103222,7 +103258,7 @@ index 8a74a83..9be06fe 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +479,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -106673,7 +106709,7 @@ index 3525d24..36582cd 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..ea249fa 100644
+index 604f67b..baf83ce 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@@ -106766,7 +106802,7 @@ index 604f67b..ea249fa 100644
kerberos_read_keytab($2)
kerberos_use($2)
-@@ -289,31 +304,18 @@ interface(`kerberos_manage_host_rcache',`
+@@ -289,35 +304,14 @@ interface(`kerberos_manage_host_rcache',`
seutil_read_file_contexts($1)
@@ -106775,10 +106811,10 @@ index 604f67b..ea249fa 100644
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
files_search_tmp($1)
')
--')
--
--########################################
--## <summary>
+ ')
+
+ ########################################
+ ## <summary>
-## Connect to krb524 service
-## </summary>
-## <param name="domain">
@@ -106790,24 +106826,21 @@ index 604f67b..ea249fa 100644
-interface(`kerberos_connect_524',`
- tunable_policy(`allow_kerberos',`
- allow $1 self:udp_socket create_socket_perms;
-
+-
- corenet_all_recvfrom_unlabeled($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_node($1)
- corenet_udp_sendrecv_kerberos_master_port($1)
- corenet_sendrecv_kerberos_master_client_packets($1)
- ')
-+ kerberos_tmp_filetrans_host_rcache($1, "host_0")
-+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
-+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
-+ kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
-+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
-+ kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
-+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
- ')
-
- ########################################
-@@ -338,18 +340,22 @@ interface(`kerberos_admin',`
+-')
+-
+-########################################
+-## <summary>
+ ## All of the rules required to administrate
+ ## an kerberos environment
+ ## </summary>
+@@ -338,18 +332,22 @@ interface(`kerberos_admin',`
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -106835,7 +106868,7 @@ index 604f67b..ea249fa 100644
ps_process_pattern($1, kpropd_t)
init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-@@ -378,3 +384,113 @@ interface(`kerberos_admin',`
+@@ -378,3 +376,114 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -106856,6 +106889,7 @@ index 604f67b..ea249fa 100644
+ type krb5_host_rcache_t;
+ ')
+
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
+')
+
@@ -108146,7 +108180,7 @@ index 3aa8fa7..27cb806 100644
+ allow $1 ldap_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
-index 64fd1ff..0f5d0b7 100644
+index 64fd1ff..47c43ab 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -108214,6 +108248,16 @@ index 64fd1ff..0f5d0b7 100644
logging_send_syslog_msg(slapd_t)
+@@ -117,6 +135,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
+
+ optional_policy(`
+ kerberos_keytab_template(slapd, slapd_t)
++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
+ ')
+
+ optional_policy(`
diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
index 057a4e4..57491fc 100644
--- a/policy/modules/services/likewise.fc
@@ -110834,21 +110878,18 @@ index 256166a..a8fe27a 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..35f9799 100644
+index 343cee3..d5a1725 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
-@@ -37,9 +37,9 @@ interface(`mta_stub',`
+@@ -37,6 +37,7 @@ interface(`mta_stub',`
## is the prefix for user_t).
## </summary>
## </param>
+## <rolecap/>
#
template(`mta_base_mail_template',`
--
- gen_require(`
- attribute user_mail_domain;
- type sendmail_exec_t;
-@@ -56,92 +56,15 @@ template(`mta_base_mail_template',`
+
+@@ -56,92 +57,15 @@ template(`mta_base_mail_template',`
type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t)
@@ -110944,14 +110985,6 @@ index 343cee3..35f9799 100644
')
########################################
-@@ -158,6 +81,7 @@ template(`mta_base_mail_template',`
- ## User domain for the role
- ## </summary>
- ## </param>
-+## <rolecap/>
- #
- interface(`mta_role',`
- gen_require(`
@@ -169,11 +93,19 @@ interface(`mta_role',`
# Transition from the user domain to the derived domain.
@@ -111012,31 +111045,16 @@ index 343cee3..35f9799 100644
')
#######################################
-@@ -330,12 +282,6 @@ interface(`mta_mailserver_user_agent',`
- ')
-
- typeattribute $1 mta_user_agent;
--
-- optional_policy(`
-- # apache should set close-on-exec
-- apache_dontaudit_rw_stream_sockets($1)
-- apache_dontaudit_rw_sys_script_stream_sockets($1)
-- ')
+@@ -362,6 +314,8 @@ interface(`mta_send_mail',`
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
++
++ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
')
########################################
-@@ -350,9 +296,8 @@ interface(`mta_mailserver_user_agent',`
- #
- interface(`mta_send_mail',`
- gen_require(`
-- attribute mta_user_agent;
-+ attribute mta_user_agent, mta_exec_type;
- type system_mail_t;
-- attribute mta_exec_type;
- ')
-
- allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -391,12 +336,19 @@ interface(`mta_send_mail',`
+@@ -391,12 +345,19 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
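Review bot: The new `++ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;` inside mta_send_mail silences, for every domain that sends mail, the denial that shows the caller leaked an open stream socket (for a CGI or daemon, typically its client connection) into the mail agent, while the hunk that used to delete the apache-only dontaudit in mta_mailserver_user_agent (`-@@ -330,12 +282,6 @@`) is dropped, so that narrower rule with its "apache should set close-on-exec" comment is kept as well. A blanket dontaudit here removes the audit evidence an administrator would use to find such fd leaks in any other daemon. Either keep the dontaudit scoped to the callers known to leak, or at least carry the comment over: `# callers should set close-on-exec on their sockets; leaks are hidden, not fixed, here`. The mta_send_mail body starts before this hunk.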
@@ -111058,7 +111076,7 @@ index 343cee3..35f9799 100644
')
########################################
-@@ -409,7 +361,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +370,6 @@ interface(`mta_sendmail_domtrans',`
## </summary>
## </param>
#
@@ -111066,7 +111084,7 @@ index 343cee3..35f9799 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -420,6 +371,60 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +380,60 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
@@ -111127,7 +111145,7 @@ index 343cee3..35f9799 100644
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -438,6 +443,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +452,26 @@ interface(`mta_sendmail_exec',`
########################################
## <summary>
@@ -111154,17 +111172,7 @@ index 343cee3..35f9799 100644
## Read mail server configuration.
## </summary>
## <param name="domain">
-@@ -474,7 +499,8 @@ interface(`mta_write_config',`
- type etc_mail_t;
- ')
-
-- write_files_pattern($1, etc_mail_t, etc_mail_t)
-+ manage_files_pattern($1, etc_mail_t, etc_mail_t)
-+ allow $1 etc_mail_t:file setattr_file_perms;
- ')
-
- ########################################
-@@ -494,6 +520,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +528,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
@@ -111172,7 +111180,7 @@ index 343cee3..35f9799 100644
')
########################################
-@@ -532,7 +559,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +567,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
@@ -111181,7 +111189,7 @@ index 343cee3..35f9799 100644
')
########################################
-@@ -552,7 +579,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +587,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -111190,7 +111198,7 @@ index 343cee3..35f9799 100644
')
#######################################
-@@ -646,8 +673,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +681,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -111201,7 +111209,7 @@ index 343cee3..35f9799 100644
')
#######################################
-@@ -677,7 +704,26 @@ interface(`mta_spool_filetrans',`
+@@ -677,7 +712,26 @@ interface(`mta_spool_filetrans',`
')
files_search_spool($1)
@@ -111224,12 +111232,12 @@ index 343cee3..35f9799 100644
+ type mail_spool_t;
+ ')
+
-+ files_search_spool($1)
++ files_search_spool($1)
+ read_files_pattern($1, mail_spool_t, mail_spool_t)
')
########################################
-@@ -697,8 +743,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +751,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -111240,7 +111248,7 @@ index 343cee3..35f9799 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +884,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +892,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -111249,7 +111257,7 @@ index 343cee3..35f9799 100644
')
########################################
-@@ -864,6 +910,36 @@ interface(`mta_manage_queue',`
+@@ -864,6 +918,36 @@ interface(`mta_manage_queue',`
#######################################
## <summary>
@@ -111286,7 +111294,7 @@ index 343cee3..35f9799 100644
## Read sendmail binary.
## </summary>
## <param name="domain">
-@@ -899,3 +975,141 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +983,169 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -111338,7 +111346,7 @@ index 343cee3..35f9799 100644
+ ')
+')
+
-+###################################
++####################################
+## <summary>
+## ALlow domain to read mail content in the homedir
+## </summary>
@@ -111361,6 +111369,32 @@ index 343cee3..35f9799 100644
+ ')
+')
+
++####################################
++## <summary>
++## Allow domain to manage mail content in the homedir
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mta_manage_home_rw',`
++ gen_require(`
++ type mail_home_rw_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
++ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++
++ ifdef(`distro_redhat',`
++ userdom_search_admin_dir($1)
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++ ')
++')
++
+########################################
+## <summary>
+## create mail content in the in the /root directory
@@ -111381,7 +111415,8 @@ index 343cee3..35f9799 100644
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
-+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+')
+
+########################################
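Review bot: `userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")` uses the `file` class, but as far as I know esmtp's `~/.esmtp_queue` is a directory holding one subdirectory per queued message, so a transition keyed on `file` would never fire when it is created; if that is right the line should read `userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")`, matching the `Maildir` line just above that this commit corrects from `file` to `dir`. Confirm against the mta.fc entry for .esmtp_queue, which is not in this chunk.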
@@ -111403,7 +111438,8 @@ index 343cee3..35f9799 100644
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
-+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+')
+
+########################################
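Review bot: `userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")` is keyed on the `file` class, yet esmtp's queue at `~/.esmtp_queue` is, to my knowledge, a directory, so the named transition would not apply at creation and the queue would end up as plain user home content; the likely fix is `userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")`, consistent with the `Maildir` correction two lines up. Verify the object class against esmtp's actual queue layout before changing it.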
@@ -117725,7 +117761,7 @@ index 48ff1e8..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..11800bb 100644
+index 1e7169d..939fe6d 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -5,47 +5,69 @@ policy_module(policykit, 1.1.0)
@@ -117810,7 +117846,7 @@ index 1e7169d..11800bb 100644
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +78,111 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +78,112 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
@@ -117854,6 +117890,7 @@ index 1e7169d..11800bb 100644
+')
+
+optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
+ kerberos_manage_host_rcache(policykit_t)
+')
+
@@ -117934,11 +117971,12 @@ index 1e7169d..11800bb 100644
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -118,14 +195,25 @@ optional_policy(`
+@@ -118,14 +196,26 @@ optional_policy(`
hal_read_state(policykit_auth_t)
')
+optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
+ kerberos_manage_host_rcache(policykit_auth_t)
+')
+
@@ -117962,7 +118000,7 @@ index 1e7169d..11800bb 100644
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -145,19 +233,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
+@@ -145,19 +235,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
files_read_etc_files(policykit_grant_t)
files_read_usr_files(policykit_grant_t)
@@ -117987,7 +118025,7 @@ index 1e7169d..11800bb 100644
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -167,9 +254,8 @@ optional_policy(`
+@@ -167,9 +256,8 @@ optional_policy(`
# polkit_resolve local policy
#
@@ -117999,7 +118037,7 @@ index 1e7169d..11800bb 100644
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-@@ -185,14 +271,8 @@ corecmd_search_bin(policykit_resolve_t)
+@@ -185,14 +273,8 @@ corecmd_search_bin(policykit_resolve_t)
files_read_etc_files(policykit_resolve_t)
files_read_usr_files(policykit_resolve_t)
@@ -118014,7 +118052,7 @@ index 1e7169d..11800bb 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -207,4 +287,3 @@ optional_policy(`
+@@ -207,4 +289,3 @@ optional_policy(`
kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
@@ -119080,7 +119118,7 @@ index 46bee12..99499ef 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..f278544 100644
+index a32c4b3..aa63a83 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,15 @@ policy_module(postfix, 1.12.1)
@@ -119271,7 +119309,7 @@ index a32c4b3..f278544 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +318,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,16 +318,30 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -119290,18 +119328,22 @@ index a32c4b3..f278544 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -297,6 +334,10 @@ optional_policy(`
+ clamav_exec_clamscan(postfix_local_t)
')
- optional_policy(`
-+ dspam_domtrans(postfix_local_t)
++
++optional_policy(`
++ dovecot_domtrans_deliver(postfix_local_t)
+')
+
+optional_policy(`
++ dspam_domtrans(postfix_local_t)
++')
++
+ optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
- mailman_append_log(postfix_local_t)
-@@ -304,9 +345,22 @@ optional_policy(`
+@@ -304,9 +350,22 @@ optional_policy(`
')
optional_policy(`
@@ -119324,7 +119366,7 @@ index a32c4b3..f278544 100644
########################################
#
# Postfix map local policy
-@@ -379,18 +433,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +438,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -119350,7 +119392,7 @@ index a32c4b3..f278544 100644
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +461,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +466,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -119359,7 +119401,7 @@ index a32c4b3..f278544 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +482,7 @@ optional_policy(`
+@@ -420,6 +487,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -119367,7 +119409,7 @@ index a32c4b3..f278544 100644
')
optional_policy(`
-@@ -436,11 +499,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +504,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -119385,7 +119427,7 @@ index a32c4b3..f278544 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +556,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +561,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -119396,7 +119438,7 @@ index a32c4b3..f278544 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +588,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +593,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -119409,7 +119451,7 @@ index a32c4b3..f278544 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +612,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +617,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -119420,7 +119462,7 @@ index a32c4b3..f278544 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +633,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +638,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -119429,7 +119471,7 @@ index a32c4b3..f278544 100644
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +642,14 @@ optional_policy(`
+@@ -565,6 +647,14 @@ optional_policy(`
')
optional_policy(`
@@ -119444,7 +119486,7 @@ index a32c4b3..f278544 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +666,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +671,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -119471,7 +119513,7 @@ index a32c4b3..f278544 100644
')
optional_policy(`
-@@ -599,6 +692,12 @@ optional_policy(`
+@@ -599,6 +697,12 @@ optional_policy(`
')
optional_policy(`
@@ -119484,7 +119526,7 @@ index a32c4b3..f278544 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +710,6 @@ optional_policy(`
+@@ -611,7 +715,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -119492,7 +119534,7 @@ index a32c4b3..f278544 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +728,75 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +733,75 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -125168,7 +125210,7 @@ index 63e78c6..fdd8228 100644
type rlogind_home_t;
')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..1570864 100644
+index 779fa44..53cf247 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -125208,7 +125250,7 @@ index 779fa44..1570864 100644
files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
-@@ -88,27 +88,23 @@ seutil_read_config(rlogind_t)
+@@ -88,27 +88,24 @@ seutil_read_config(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_user_home_content_files(rlogind_t)
@@ -125235,6 +125277,7 @@ index 779fa44..1570864 100644
- fs_read_cifs_symlinks(rlogind_t)
+optional_policy(`
+ kerberos_keytab_template(rlogind, rlogind_t)
++ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
+ #part of auth_use_pam
+ #kerberos_manage_host_rcache(rlogind_t)
')
@@ -127159,10 +127202,10 @@ index 0000000..3eb745d
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..d5d96e7
+index 0000000..f1314b0
--- /dev/null
+++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,103 @@
+policy_module(sanlock,1.0.0)
+
+########################################
@@ -127209,8 +127252,8 @@ index 0000000..d5d96e7
+#
+# sanlock local policy
+#
-+allow sanlock_t self:capability { sys_nice ipc_lock };
-+allow sanlock_t self:process { setsched signull };
++allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice };
++allow sanlock_t self:process { setsched signull signal };
+
+allow sanlock_t self:fifo_file rw_fifo_file_perms;
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
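Review bot: `dac_override` in the new sanlock_t capability set bypasses every DAC permission check on files sanlock_t can reach, which is a wide grant for a lock manager; if the denial came from lockspace or resource files owned by another account, `chown` and `setgid` with correct group ownership may already cover it, and a comment naming the operation that needed it (`# dac_override: <operation> on <file>`) would let the next reviewer judge that. `setgid` without `setuid` also covers only half of a privilege drop: if sanlock additionally switches uid (its -U option), a `setuid` denial is the next thing to expect. Both points are inferred from the rule alone; the AVC records behind the change are not in this chunk.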
@@ -127224,6 +127267,7 @@ index 0000000..d5d96e7
+files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(sanlock_t)
++kernel_read_kernel_sysctls(sanlock_t)
+
+domain_use_interactive_fds(sanlock_t)
+
@@ -127297,7 +127341,7 @@ index f1aea88..3e6a93f 100644
admin_pattern($1, saslauthd_var_run_t)
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
-index cfc60dd..8908145 100644
+index cfc60dd..c4608e5 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
@@ -127310,15 +127354,14 @@ index cfc60dd..8908145 100644
type saslauthd_var_run_t;
files_pid_file(saslauthd_var_run_t)
-@@ -38,16 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+@@ -38,16 +35,17 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
allow saslauthd_t self:tcp_socket create_socket_perms;
-allow saslauthd_t saslauthd_tmp_t:dir setattr;
-manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
-files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
-+kerberos_tmp_filetrans_host_rcache(saslauthd_t)
-
+-
+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
@@ -127334,7 +127377,7 @@ index cfc60dd..8908145 100644
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
-@@ -55,6 +55,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t)
+@@ -55,6 +53,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t)
corenet_tcp_sendrecv_generic_node(saslauthd_t)
corenet_tcp_sendrecv_all_ports(saslauthd_t)
corenet_tcp_connect_pop_port(saslauthd_t)
@@ -127342,14 +127385,14 @@ index cfc60dd..8908145 100644
corenet_sendrecv_pop_client_packets(saslauthd_t)
dev_read_urand(saslauthd_t)
-@@ -94,6 +95,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+@@ -93,6 +92,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+ ')
optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
kerberos_keytab_template(saslauthd, saslauthd_t)
-+ #kerberos_manage_host_rcache(saslauthd_t)
')
- optional_policy(`
diff --git a/policy/modules/services/sblim.fc b/policy/modules/services/sblim.fc
new file mode 100644
index 0000000..d5c3c3f
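Review bot: The new optional block gives saslauthd_t a named transition to krb5_host_rcache_t for `host_0` but no rule letting saslauthd_t read or write krb5_host_rcache_t files, and the commented `#kerberos_manage_host_rcache(saslauthd_t)` line is dropped rather than enabled. Unless those permissions come through another interface (the rlogin hunk in this same patch notes that auth_use_pam supplies them), the replay cache will be created with the right label but be unusable. A one-line comment as in rlogin.te, `#rcache manage perms come from auth_use_pam`, would make the dependency explicit.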
@@ -129460,7 +129503,7 @@ index d2496bd..c7614d7 100644
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..51dc8d8 100644
+index 4b2230e..89784b9 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
@@ -129507,7 +129550,15 @@ index 4b2230e..51dc8d8 100644
type squid_var_run_t;
files_pid_file(squid_var_run_t)
-@@ -85,11 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
+@@ -69,6 +72,7 @@ allow squid_t self:udp_socket create_socket_perms;
+ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
+ manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+ manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
++files_var_filetrans(squid_t, squid_cache_t, dir, "squid")
+
+ allow squid_t squid_conf_t:dir list_dir_perms;
+ read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
+@@ -85,11 +89,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
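Review bot: `files_var_filetrans(squid_t, squid_cache_t, dir, "squid")` only labels a `/var/squid` directory that squid_t itself creates; a directory that already exists or is created by the package keeps whatever squid.fc assigns, so a matching `/var/squid(/.*)?` entry in squid.fc is needed for restorecon to agree with the runtime label. squid.fc is not in this chunk, so that may already be covered. Since squid's cache normally lives under /var/spool/squid, a short comment naming the configuration that puts it in /var/squid would also help.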
@@ -129524,7 +129575,7 @@ index 4b2230e..51dc8d8 100644
files_dontaudit_getattr_boot_dirs(squid_t)
-@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -169,7 +178,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
corenet_tcp_bind_all_ports(squid_t)
@@ -129534,7 +129585,7 @@ index 4b2230e..51dc8d8 100644
')
tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +194,7 @@ optional_policy(`
+@@ -185,6 +195,7 @@ optional_policy(`
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -129542,13 +129593,13 @@ index 4b2230e..51dc8d8 100644
sysnet_dns_name_resolve(httpd_squid_script_t)
-@@ -206,3 +216,7 @@ optional_policy(`
+@@ -206,3 +217,7 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
+
+optional_policy(`
-+ kerberos_manage_host_rcache(squid_t)
++ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
+')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..21ff471 100644
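Review bot: This hunk replaces `kerberos_manage_host_rcache(squid_t)` with only a named transition, so squid_t keeps the correct label for a newly created replay cache but loses the rules to read and write krb5_host_rcache_t files unless another interface grants them; the policykit, telnetd and sssd hunks in this same commit keep both calls, and squid should probably keep `kerberos_manage_host_rcache(squid_t)` next to the new line. The `"host_0"` name also looks doubtful here: the default rcache filename is `<service>_<uid>`, and squid's Negotiate helper uses an `HTTP/` service principal and does not run as uid 0, so a transition keyed on `host_0` may never match. Check the filename in the actual denial and key the transition to that.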
@@ -130741,7 +130792,7 @@ index 941380a..e1095f0 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..1dfa5ce 100644
+index 8ffa257..20d8944 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -130833,10 +130884,11 @@ index 8ffa257..1dfa5ce 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +108,18 @@ optional_policy(`
+@@ -87,4 +108,19 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
++ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
+ kerberos_read_home_content(sssd_t)
+')
+
@@ -131270,7 +131322,7 @@ index 58e7ec0..e4119f7 100644
+ allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
+')
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
-index f40e67b..8d1e658 100644
+index f40e67b..14c8b58 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -8,7 +8,6 @@ policy_module(telnet, 1.10.0)
@@ -131332,13 +131384,14 @@ index f40e67b..8d1e658 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
-@@ -98,3 +88,12 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -98,3 +88,13 @@ tunable_policy(`use_nfs_home_dirs',`
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs(telnetd_t)
')
+
+optional_policy(`
+ kerberos_keytab_template(telnetd, telnetd_t)
++ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
+ kerberos_manage_host_rcache(telnetd_t)
+')
+
@@ -131806,7 +131859,7 @@ index 54b8605..a04f013 100644
admin_pattern($1, tuned_var_run_t)
')
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
-index db9d2a5..da20967 100644
+index db9d2a5..c7b09c0 100644
--- a/policy/modules/services/tuned.te
+++ b/policy/modules/services/tuned.te
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -131822,7 +131875,7 @@ index db9d2a5..da20967 100644
type tuned_log_t;
logging_log_file(tuned_log_t)
-@@ -23,23 +29,38 @@ files_pid_file(tuned_var_run_t)
+@@ -23,23 +29,39 @@ files_pid_file(tuned_var_run_t)
# tuned local policy
#
@@ -131851,10 +131904,12 @@ index db9d2a5..da20967 100644
kernel_read_system_state(tuned_t)
kernel_read_network_state(tuned_t)
+-
+kernel_read_kernel_sysctls(tuned_t)
++kernel_rw_kernel_sysctl(tuned_t)
+kernel_rw_hotplug_sysctls(tuned_t)
+kernel_rw_vm_sysctls(tuned_t)
-
++
+dev_getattr_all_blk_files(tuned_t)
+dev_getattr_all_chr_files(tuned_t)
+dev_dontaudit_getattr_all(tuned_t)
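Review bot: `kernel_rw_kernel_sysctl(tuned_t)` grants write access to everything of type sysctl_kernel_t under /proc/sys/kernel, not just the scheduler knobs a tuning daemon adjusts, and writable kernel sysctls are a classic escalation path (core_pattern, for example, if it carries that type). Refpolicy does not split sysctl_kernel_t any finer, so the rule may be unavoidable, but a comment naming the profile settings that need it, e.g. `# tuned profiles write kernel.sched_* sysctls`, would record why the broad grant was accepted. Which settings triggered it is inferred; the AVC is not in this chunk.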
@@ -131864,7 +131919,7 @@ index db9d2a5..da20967 100644
# to allow cpu tuning
dev_rw_netcontrol(tuned_t)
-@@ -47,6 +68,10 @@ files_read_etc_files(tuned_t)
+@@ -47,6 +69,10 @@ files_read_etc_files(tuned_t)
files_read_usr_files(tuned_t)
files_dontaudit_search_home(tuned_t)
@@ -131875,7 +131930,7 @@ index db9d2a5..da20967 100644
logging_send_syslog_msg(tuned_t)
miscfiles_read_localization(tuned_t)
-@@ -58,6 +83,14 @@ optional_policy(`
+@@ -58,6 +84,14 @@ optional_policy(`
fstools_domtrans(tuned_t)
')
@@ -133524,10 +133579,15 @@ index 7c5d8d8..85b7d8b 100644
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..c3b25a6 100644
+index 3eca020..55dd15c 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
-@@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
+@@ -1,60 +1,91 @@
+-policy_module(virt, 1.4.0)
++policy_module(virt, 1.4.2)
+
+ ########################################
+ #
# Declarations
#
@@ -133535,66 +133595,53 @@ index 3eca020..c3b25a6 100644
+attribute virt_ptynode;
+
## <desc>
--## <p>
+ ## <p>
-## Allow virt to use serial/parallell communication ports
--## </p>
-+## <p>
-+## Allow confined virtual guests to use serial/parallel communication ports
-+## </p>
++## Allow confined virtual guests to use serial/parallel communication ports
+ ## </p>
## </desc>
gen_tunable(virt_use_comm, false)
## <desc>
--## <p>
+ ## <p>
-## Allow virt to read fuse files
--## </p>
-+## <p>
-+## Allow confined virtual guests to use executable memory and executable stack
-+## </p>
++## Allow confined virtual guests to use executable memory and executable stack
++## </p>
+## </desc>
+gen_tunable(virt_use_execmem, false)
+
+## <desc>
-+## <p>
-+## Allow confined virtual guests to read fuse files
-+## </p>
++## <p>
++## Allow confined virtual guests to read fuse files
+ ## </p>
## </desc>
gen_tunable(virt_use_fusefs, false)
## <desc>
--## <p>
+ ## <p>
-## Allow virt to manage nfs files
--## </p>
-+## <p>
-+## Allow confined virtual guests to manage nfs files
-+## </p>
++## Allow confined virtual guests to manage nfs files
+ ## </p>
## </desc>
gen_tunable(virt_use_nfs, false)
## <desc>
--## <p>
+ ## <p>
-## Allow virt to manage cifs files
--## </p>
-+## <p>
-+## Allow confined virtual guests to manage cifs files
-+## </p>
++## Allow confined virtual guests to manage cifs files
+ ## </p>
## </desc>
gen_tunable(virt_use_samba, false)
## <desc>
--## <p>
+ ## <p>
-## Allow virt to manage device configuration, (pci)
--## </p>
-+## <p>
-+## Allow confined virtual guests to manage device configuration, (pci)
-+## </p>
++## Allow confined virtual guests to manage device configuration, (pci)
+ ## </p>
## </desc>
gen_tunable(virt_use_sysfs, false)
## <desc>
--## <p>
--## Allow virt to use usb devices
--## </p>
+## <p>
+## Allow confined virtual guests to interact with the sanlock
+## </p>
@@ -133602,16 +133649,17 @@ index 3eca020..c3b25a6 100644
+gen_tunable(virt_use_sanlock, false)
+
+## <desc>
-+## <p>
-+## Allow confined virtual guests to interact with the xserver
-+## </p>
++## <p>
++## Allow confined virtual guests to interact with the xserver
++## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
+
+## <desc>
-+## <p>
-+## Allow confined virtual guests to use usb devices
-+## </p>
+ ## <p>
+-## Allow virt to use usb devices
++## Allow confined virtual guests to use usb devices
+ ## </p>
## </desc>
gen_tunable(virt_use_usb, true)
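Review bot: The new `virt_use_execmem` description says only that guests may use executable memory and stack; an administrator flipping it should be told what protection is given up and when the boolean is actually needed. Suggested text for the desc: `Allow confined virtual guests to use executable memory and executable stack (execmem/execstack). This removes the W^X restriction on the guest process; enable only for configurations that need a JIT, such as emulation without KVM.` Which qemu modes need it is not established by this chunk, so confirm the example before citing it.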
@@ -133809,7 +133857,7 @@ index 3eca020..c3b25a6 100644
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
-+ dontaudit virtd_t self:capability sys_module;
++ dontaudit virtd_t self:capability { sys_module sys_ptrace };
+')
-allow virtd_t self:fifo_file rw_fifo_file_perms;
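Review bot: `sys_ptrace` is added to the hide_broken_symptoms dontaudit under a comment that still says "caused by some bogus kernel code", which was written for sys_module and no longer explains the new entry. The usual source of a CAP_SYS_PTRACE check without any ptrace() call is a read of another process's /proc/<pid>/ files (environ, maps and similar), so a comment such as `# sys_ptrace: triggered by reading other processes' /proc entries, no actual ptrace` would say why it is silenced. A dontaudit also hides the case where libvirtd genuinely needs that access, for example when inspecting a qemu process, and the operation would then fail with nothing in the log; that risk is inferred, not shown here.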
@@ -133952,9 +134000,9 @@ index 3eca020..c3b25a6 100644
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
++selinux_validate_context(virtd_t)
++
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -133991,7 +134039,7 @@ index 3eca020..c3b25a6 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -326,6 +506,14 @@ optional_policy(`
+@@ -326,19 +506,30 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -134006,12 +134054,14 @@ index 3eca020..c3b25a6 100644
')
optional_policy(`
-@@ -334,11 +522,14 @@ optional_policy(`
+ dnsmasq_domtrans(virtd_t)
+ dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
- dnsmasq_read_pid_files(virtd_t)
+- dnsmasq_read_pid_files(virtd_t)
dnsmasq_signull(virtd_t)
+ dnsmasq_create_pid_dirs(virtd_t)
+ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
++ dnsmasq_manage_pid_files(virtd_t)
')
optional_policy(`
@@ -134021,7 +134071,20 @@ index 3eca020..c3b25a6 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -360,11 +551,11 @@ optional_policy(`
+@@ -353,6 +544,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Run mount in the mount_t domain.
++ mount_domtrans(virtd_t)
++ mount_signal(virtd_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(virtd_t)
+ policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t)
+@@ -360,11 +557,11 @@ optional_policy(`
')
optional_policy(`
@@ -134038,7 +134101,15 @@ index 3eca020..c3b25a6 100644
')
optional_policy(`
-@@ -394,20 +585,36 @@ optional_policy(`
+@@ -375,6 +572,7 @@ optional_policy(`
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
+
++ xen_exec(virtd_t)
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
+ xen_read_image_files(virtd_t)
+@@ -394,20 +592,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -134078,7 +134149,7 @@ index 3eca020..c3b25a6 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +625,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +632,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -134092,7 +134163,7 @@ index 3eca020..c3b25a6 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +638,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +645,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -134105,7 +134176,7 @@ index 3eca020..c3b25a6 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +651,430 @@ files_search_all(virt_domain)
+@@ -440,25 +658,429 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -134204,12 +134275,12 @@ index 3eca020..c3b25a6 100644
+
+term_use_all_inherited_terms(virsh_t)
+
-+auth_read_passwd(virsh_t)
-+
+init_stream_connect_script(virsh_t)
+init_rw_script_stream_sockets(virsh_t)
+init_use_fds(virsh_t)
+
++auth_read_passwd(virsh_t)
++
+miscfiles_read_localization(virsh_t)
+
+sysnet_dns_name_resolve(virsh_t)
@@ -134327,8 +134398,7 @@ index 3eca020..c3b25a6 100644
+fs_mounton_tmpfs(virtd_lxc_t)
+fs_remount_all_fs(virtd_lxc_t)
+fs_rw_cgroup_files(virtd_lxc_t)
-+fs_unmount_xattr_fs(virtd_lxc_t)
-+fs_unmount_configfs(virtd_lxc_t)
++fs_unmount_all_fs(virtd_lxc_t)
+fs_relabelfrom_tmpfs(virtd_lxc_t)
+
+selinux_mount_fs(virtd_lxc_t)
@@ -134826,10 +134896,10 @@ index aa6e5a8..42a0efb 100644
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..e3b85b6 100644
+index 4966c94..b53c4fa 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
-@@ -2,13 +2,34 @@
+@@ -2,13 +2,35 @@
# HOME_DIR
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -134844,6 +134914,7 @@ index 4966c94..e3b85b6 100644
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++HOME_DIR/\.cache/gdm(/.*)? -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+
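Review bot: `HOME_DIR/\.cache/gdm(/.*)? -- gen_context(system_u:object_r:xdm_home_t,s0)` carries the `--` specifier, which restricts the spec to regular files, so the `.cache/gdm` directory itself and any subdirectories are excluded and restorecon leaves them at the default home label; that contradicts the `(/.*)?` pattern, which is written to cover a tree. Drop the specifier: `HOME_DIR/\.cache/gdm(/.*)?	gen_context(system_u:object_r:xdm_home_t,s0)`. A file-context entry only fixes relabels; getting the right label at creation time still depends on a filetrans rule that is not in this hunk.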
@@ -134864,7 +134935,7 @@ index 4966c94..e3b85b6 100644
#
# /dev
-@@ -21,11 +42,18 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -21,11 +43,18 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -134883,7 +134954,7 @@ index 4966c94..e3b85b6 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -33,11 +61,6 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -33,11 +62,6 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -134895,7 +134966,7 @@ index 4966c94..e3b85b6 100644
#
# /opt
#
-@@ -48,28 +71,31 @@ ifdef(`distro_redhat',`
+@@ -48,28 +72,31 @@ ifdef(`distro_redhat',`
# /tmp
#
@@ -134934,14 +135005,14 @@ index 4966c94..e3b85b6 100644
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-@@ -90,17 +116,45 @@ ifdef(`distro_debian', `
+@@ -90,17 +117,45 @@ ifdef(`distro_debian', `
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+/var/lib/[mxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
+
@@ -134984,7 +135055,7 @@ index 4966c94..e3b85b6 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..56cb1f8 100644
+index 130ced9..d1576ab 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -135473,16 +135544,34 @@ index 130ced9..56cb1f8 100644
## Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
-@@ -765,7 +918,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +918,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
- allow $1 xdm_tmp_t:dir setattr;
+ allow $1 xdm_tmp_t:dir setattr_dir_perms;
++')
++
++########################################
++## <summary>
++## Dont audit attempts to set the attributes of XDM temporary directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`xserver_dontaudit_xdm_tmp_dirs',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
')
########################################
-@@ -805,7 +958,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +976,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
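Review bot: The new interface is named `xserver_dontaudit_xdm_tmp_dirs` but it only dontaudits `setattr_dir_perms`, so the name promises a broader silence than the rule provides and does not parallel `xserver_setattr_xdm_tmp_dirs` directly above it; refpolicy convention would be `interface(`xserver_dontaudit_setattr_xdm_tmp_dirs',`, which the summary already matches. Renaming means updating whichever caller this commit adds, and that caller is not in this hunk. If the name stays, keep the summary as specific as it is now so a reader of the interface list is not misled.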
@@ -135510,7 +135599,7 @@ index 130ced9..56cb1f8 100644
')
########################################
-@@ -828,6 +1000,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +1018,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
## <summary>
@@ -135535,7 +135624,7 @@ index 130ced9..56cb1f8 100644
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -897,7 +1087,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1105,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -135544,7 +135633,7 @@ index 130ced9..56cb1f8 100644
')
########################################
-@@ -916,7 +1106,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1124,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -135553,7 +135642,7 @@ index 130ced9..56cb1f8 100644
')
########################################
-@@ -963,6 +1153,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1171,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -135599,7 +135688,7 @@ index 130ced9..56cb1f8 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -976,7 +1205,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1223,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -135608,7 +135697,7 @@ index 130ced9..56cb1f8 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1267,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1285,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@@ -135651,7 +135740,7 @@ index 130ced9..56cb1f8 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1052,7 +1317,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1335,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -135660,7 +135749,7 @@ index 130ced9..56cb1f8 100644
')
########################################
-@@ -1070,8 +1335,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1353,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -135672,7 +135761,7 @@ index 130ced9..56cb1f8 100644
')
########################################
-@@ -1185,6 +1452,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1470,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -135699,7 +135788,7 @@ index 130ced9..56cb1f8 100644
')
########################################
-@@ -1210,7 +1497,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1515,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -135708,7 +135797,7 @@ index 130ced9..56cb1f8 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1507,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1525,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -135733,7 +135822,7 @@ index 130ced9..56cb1f8 100644
')
########################################
-@@ -1243,10 +1540,533 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1558,536 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -136237,6 +136326,9 @@ index 130ced9..56cb1f8 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
+ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++ optional_policy(`
++ gnome_cache_filetrans($1, xdm_home_t, dir, "gdm")
++ ')
+')
+
+########################################
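Review bot: The added `optional_policy` block references `xdm_home_t`, so it depends on that type being listed in the enclosing interface's `gen_require`; the interface header is outside this hunk, so that cannot be confirmed here and should be checked. A blank line between the last `userdom_admin_home_dir_filetrans` call and the new `optional_policy(` would match how the other optional blocks in this file are separated.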
@@ -136270,7 +136362,7 @@ index 130ced9..56cb1f8 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..a4cacbf 100644
+index 143c893..3b5b571 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -136596,7 +136688,7 @@ index 143c893..a4cacbf 100644
')
optional_policy(`
-@@ -304,20 +400,38 @@ optional_policy(`
+@@ -304,64 +400,103 @@ optional_policy(`
# XDM Local policy
#
@@ -136639,7 +136731,8 @@ index 143c893..a4cacbf 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +439,63 @@ can_exec(xdm_t, xdm_exec_t)
++can_exec(xdm_t, xsession_exec_t)
+
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
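Review bot: The added `can_exec(xdm_t, xsession_exec_t)` sits directly under the comment `# Allow gdm to run gdm-binary`, which no longer describes what follows; it also executes session scripts in place, i.e. in the display manager's own domain, whereas the `xdm_sysadm_login` tunable further down already uses `userdom_xsession_spec_domtrans_all_users(xdm_t)` to transition out of xdm_t. A short comment stating which invocation needs the in-domain execute, e.g. `# xdm runs xsession scripts without a domain transition`, would make clear this is intended rather than a missing transition. The surrounding xdm_t policy block continues outside the hunk.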
@@ -136709,7 +136802,7 @@ index 143c893..a4cacbf 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +504,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +505,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -136737,7 +136830,7 @@ index 143c893..a4cacbf 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +535,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +536,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -136790,7 +136883,7 @@ index 143c893..a4cacbf 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -435,9 +587,25 @@ files_list_mnt(xdm_t)
+@@ -435,9 +588,25 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -136816,7 +136909,7 @@ index 143c893..a4cacbf 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +614,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +615,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -136858,7 +136951,7 @@ index 143c893..a4cacbf 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -476,24 +654,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +655,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -136908,7 +137001,7 @@ index 143c893..a4cacbf 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +704,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +705,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -136930,7 +137023,7 @@ index 143c893..a4cacbf 100644
')
optional_policy(`
-@@ -519,12 +726,63 @@ optional_policy(`
+@@ -519,12 +727,64 @@ optional_policy(`
')
optional_policy(`
@@ -136988,13 +137081,14 @@ index 143c893..a4cacbf 100644
+ gnome_read_usr_config(xdm_t)
+ gnome_read_gconf_config(xdm_t)
+ gnome_transition_gkeyringd(xdm_t)
++ #gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")
+')
+
+optional_policy(`
hostname_exec(xdm_t)
')
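Review bot: The added line `#gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")` is commented-out policy with no explanation, and this same commit adds the equivalent `gnome_cache_filetrans($1, xdm_home_t, dir, "gdm")` through the xserver.if interface earlier in the patch. Either drop the line or replace it with a comment stating that the gdm cache filetrans is provided via that interface, so a later reader does not re-enable it and create a duplicate transition. The enclosing `optional_policy` block starts outside the hunk.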
-@@ -542,28 +800,69 @@ optional_policy(`
+@@ -542,28 +802,69 @@ optional_policy(`
')
optional_policy(`
@@ -137073,7 +137167,7 @@ index 143c893..a4cacbf 100644
')
optional_policy(`
-@@ -575,6 +874,14 @@ optional_policy(`
+@@ -575,6 +876,14 @@ optional_policy(`
')
optional_policy(`
@@ -137088,7 +137182,7 @@ index 143c893..a4cacbf 100644
xfs_stream_connect(xdm_t)
')
-@@ -599,7 +906,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +908,8 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -137098,7 +137192,7 @@ index 143c893..a4cacbf 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +921,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +923,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -137114,7 +137208,7 @@ index 143c893..a4cacbf 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +948,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +950,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -137136,7 +137230,7 @@ index 143c893..a4cacbf 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +968,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +970,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -137144,7 +137238,7 @@ index 143c893..a4cacbf 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,21 +995,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +997,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -137175,7 +137269,7 @@ index 143c893..a4cacbf 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1027,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1029,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -137189,7 +137283,7 @@ index 143c893..a4cacbf 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1046,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1048,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -137198,7 +137292,7 @@ index 143c893..a4cacbf 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1053,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1055,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -137213,7 +137307,7 @@ index 143c893..a4cacbf 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1112,40 @@ optional_policy(`
+@@ -778,16 +1114,40 @@ optional_policy(`
')
optional_policy(`
@@ -137255,7 +137349,7 @@ index 143c893..a4cacbf 100644
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1154,10 @@ optional_policy(`
+@@ -796,6 +1156,10 @@ optional_policy(`
')
optional_policy(`
@@ -137266,7 +137360,7 @@ index 143c893..a4cacbf 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1173,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1175,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -137280,7 +137374,7 @@ index 143c893..a4cacbf 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1184,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1186,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -137289,7 +137383,7 @@ index 143c893..a4cacbf 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,26 +1197,21 @@ init_use_fds(xserver_t)
+@@ -835,26 +1199,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -137324,7 +137418,7 @@ index 143c893..a4cacbf 100644
')
optional_policy(`
-@@ -862,6 +1219,10 @@ optional_policy(`
+@@ -862,6 +1221,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -137335,7 +137429,7 @@ index 143c893..a4cacbf 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1266,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1268,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -137344,7 +137438,7 @@ index 143c893..a4cacbf 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1320,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1322,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -137376,7 +137470,7 @@ index 143c893..a4cacbf 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1366,43 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1368,43 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -142716,7 +142810,7 @@ index ddbd8be..fad18e0 100644
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..e644b1e 100644
+index 560dc48..efd3c8c 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -28,26 +28,24 @@ ifdef(`distro_redhat',`
@@ -142774,7 +142868,7 @@ index 560dc48..e644b1e 100644
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -119,64 +122,63 @@ ifdef(`distro_redhat',`
+@@ -119,64 +122,62 @@ ifdef(`distro_redhat',`
/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
@@ -142834,14 +142928,13 @@ index 560dc48..e644b1e 100644
+/usr/lib(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libzita-convolver\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/nero/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libzvbi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
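Review bot: This hunk silently drops the `textrel_shlib_t` entries for `/usr/lib/libzita-convolver\.so(\.[^/]*)*` and `/usr/lib/nvidia/.+\.so(\..*)?`, and narrows `/usr/lib/nero/.*\.so(\.[^/]*)*` to `/usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)*`, none of which is mentioned in the changelog. Narrowing textrel_shlib_t (which is what grants execmod) is the right direction for least privilege, but if libzita-convolver or other nero plug-ins still carry text relocations, confined domains loading them will now hit execmod denials. The nvidia removal looks covered by the `/usr/lib(/.*)?/nvidia/.+\.so(\..*)?` entry kept above; the other two would benefit from a changelog line or a comment confirming they no longer need the label.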
@@ -142874,7 +142967,7 @@ index 560dc48..e644b1e 100644
')
ifdef(`distro_gentoo',`
-@@ -195,7 +197,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+@@ -195,7 +196,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -142882,7 +142975,7 @@ index 560dc48..e644b1e 100644
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -203,86 +204,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+@@ -203,86 +203,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -143027,7 +143120,7 @@ index 560dc48..e644b1e 100644
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -303,8 +305,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -303,8 +304,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -143037,7 +143130,7 @@ index 560dc48..e644b1e 100644
') dnl end distro_redhat
#
-@@ -312,17 +313,157 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -312,17 +312,157 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -145514,7 +145607,7 @@ index 8b5c196..da41726 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..5c5ecf6 100644
+index 15832c7..ce3806c 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,17 +17,29 @@ type mount_exec_t;
@@ -145695,16 +145788,17 @@ index 15832c7..5c5ecf6 100644
logging_send_syslog_msg(mount_t)
-@@ -126,6 +186,8 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +186,9 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
+userdom_manage_user_home_content_dirs(mount_t)
+userdom_read_user_home_content_symlinks(mount_t)
++userdom_list_user_tmp(mount_t)
ifdef(`distro_redhat',`
optional_policy(`
-@@ -141,26 +203,28 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +204,28 @@ ifdef(`distro_ubuntu',`
')
')
@@ -145743,7 +145837,7 @@ index 15832c7..5c5ecf6 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +238,8 @@ optional_policy(`
+@@ -174,6 +239,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -145752,7 +145846,7 @@ index 15832c7..5c5ecf6 100644
')
optional_policy(`
-@@ -181,6 +247,28 @@ optional_policy(`
+@@ -181,6 +248,28 @@ optional_policy(`
')
optional_policy(`
@@ -145781,7 +145875,7 @@ index 15832c7..5c5ecf6 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,21 +276,88 @@ optional_policy(`
+@@ -188,21 +277,88 @@ optional_policy(`
')
')
@@ -150215,7 +150309,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..2fe0743 100644
+index 4b2878a..6a544e3 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -152732,7 +152826,7 @@ index 4b2878a..2fe0743 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3991,1292 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3991,1282 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -152759,11 +152853,6 @@ index 4b2878a..2fe0743 100644
+## <summary>
+## Define this type as a Allow apps to set rlimits on userdomain
+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
@@ -152793,11 +152882,6 @@ index 4b2878a..2fe0743 100644
+## <summary>
+## Define this type as a Allow apps to set rlimits on userdomain
+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
@@ -154026,7 +154110,7 @@ index 4b2878a..2fe0743 100644
+ typeattribute $1 userdom_home_manager_type;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..fd86f24 100644
+index 9b4a930..26e8127 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -154089,7 +154173,7 @@ index 9b4a930..fd86f24 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +102,111 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +102,112 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -154114,6 +154198,7 @@ index 9b4a930..fd86f24 100644
files_tmp_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)
+files_poly_parent(user_tmp_t)
++files_mountpoint(user_tmp_t)
-type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+type user_tmpfs_t, user_tmpfs_type;
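Review bot: `files_mountpoint(user_tmp_t)` presumably adds the generic mountpoint attribute to a user-writable type, so every domain that may mount on mountpoints — not only mount_t for the gvfs case named in the changelog — can now mount over any user_tmp_t directory, including `/var/run/user(/.*)?` which this patch labels user_tmp_t. A comment tying the rule to its purpose, e.g. `# /run/user/*/gvfs: fuse mounts land on user_tmp_t dirs`, would record why a user-controlled type is a mount target and make the exposure easier to revisit.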
@@ -154230,10 +154315,36 @@ index a865da7..f22f770 100644
')
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
-index 77d41b6..138efd8 100644
+index 77d41b6..cc73c96 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
-@@ -55,6 +55,26 @@ interface(`xen_dontaudit_use_fds',`
+@@ -20,6 +20,25 @@ interface(`xen_domtrans',`
+
+ ########################################
+ ## <summary>
++## Allow the specified domain to execute xend
++## in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xen_exec',`
++ gen_require(`
++ type xend_exec_t;
++ ')
++
++ can_exec($1, xend_exec_t)
++')
++
++########################################
++## <summary>
+ ## Inherit and use xen file descriptors.
+ ## </summary>
+ ## <param name="domain">
+@@ -55,6 +74,26 @@ interface(`xen_dontaudit_use_fds',`
dontaudit $1 xend_t:fd use;
')
@@ -154260,7 +154371,7 @@ index 77d41b6..138efd8 100644
########################################
## <summary>
## Read xend image files.
-@@ -87,6 +107,26 @@ interface(`xen_read_image_files',`
+@@ -87,6 +126,26 @@ interface(`xen_read_image_files',`
## </summary>
## </param>
#
@@ -154287,7 +154398,7 @@ index 77d41b6..138efd8 100644
interface(`xen_rw_image_files',`
gen_require(`
type xen_image_t, xend_var_lib_t;
-@@ -161,7 +201,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
+@@ -161,7 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
########################################
## <summary>
@@ -154296,7 +154407,7 @@ index 77d41b6..138efd8 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -180,7 +220,7 @@ interface(`xen_stream_connect_xenstore',`
+@@ -180,7 +239,7 @@ interface(`xen_stream_connect_xenstore',`
########################################
## <summary>
@@ -154305,7 +154416,7 @@ index 77d41b6..138efd8 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -213,14 +253,15 @@ interface(`xen_stream_connect',`
+@@ -213,14 +272,15 @@ interface(`xen_stream_connect',`
interface(`xen_domtrans_xm',`
gen_require(`
type xm_t, xm_exec_t;
@@ -154323,7 +154434,7 @@ index 77d41b6..138efd8 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -230,7 +271,7 @@ interface(`xen_domtrans_xm',`
+@@ -230,7 +290,7 @@ interface(`xen_domtrans_xm',`
#
interface(`xen_stream_connect_xm',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b75f48b..161d616 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 130%{?dist}
+Release: 131%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,27 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jun 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-131
+- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage
+- Allow dovecot to manage Maildir content, fix transitions to Maildir
+- Allow postfix_local to transition to dovecot_deliver
+- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
+- Cleanup interface definitions
+- Allow apmd to change with the logind daemon
+- Changes required for sanlock in rhel6
+- Label /run/user/apache as httpd_tmp_t
+- Allow thumb to use lib_t as execmod if boolean turned on
+- Allow squid to create the squid directory in /var with the correct
+- When staff_t runs libvirt it reads dnsmasq_var_run_t
+- Mount command now lists user_tmp looking for gvfs
+- /etc/blkid is moving to /run/blkid
+- Allow rw_cgroup_files to also read a symlink
+- Make sure gdm directory in ~/.cache/gdm gets created with the correct label
+- Add labeling for .cache/gdm in the homedir
+- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
+- xdm now needs to execute xsession_exec_t
+- Need labels for /var/lib/gdm
+
* Mon Jun 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-130
- Dontaudit logwatch to gettr on /dev/dm-2
- Allow policykit-auth to manage kerberos files