[selinux-policy/f17] * Mon March 5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-96 - Add labeling for /var/spool/postfi
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Mar 5 20:36:35 UTC 2012
commit b78eaccdf2c0fc9c7900028a698dfc276f235f9c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Mar 5 21:36:14 2012 +0100
* Mon March 5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-96
- Add labeling for /var/spool/postfix/dev/log
- NM reads sysctl.conf
- Iscsi log file context specification fix
- Allow mozilla plugins to send dbus messages to user domains that transition to it
- Allow mysql to read the passwd file
- Allow mozilla_plugin_t to create mozilla home dirs in user homedir
- Allow deltacloud to read kernel sysctl
- Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself
- Allow postgresql_t to connectto itself
- Add login_userdomain attribute for users which can log in using terminal
policy-F16.patch | 1033 ++++++++++++++++++++++++++++++---------------------
selinux-policy.spec | 14 +-
2 files changed, 616 insertions(+), 431 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index ecf4e57..081d05e 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -61064,7 +61064,7 @@ index 93ac529..4c0895e 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..ffeec16 100644
+index fbb5c5a..094d03b 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -61105,7 +61105,7 @@ index fbb5c5a..ffeec16 100644
')
########################################
-@@ -197,12 +209,31 @@ interface(`mozilla_domtrans',`
+@@ -197,12 +209,34 @@ interface(`mozilla_domtrans',`
#
interface(`mozilla_domtrans_plugin',`
gen_require(`
@@ -61134,11 +61134,14 @@ index fbb5c5a..ffeec16 100644
+ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ can_exec($1, mozilla_plugin_rw_t)
+
++ allow $1 mozilla_plugin_t:dbus send_msg;
++ allow mozilla_plugin_t $1:dbus send_msg;
++
+ #mozilla_filetrans_home_content($1)
')
########################################
-@@ -228,6 +259,27 @@ interface(`mozilla_run_plugin',`
+@@ -228,6 +262,27 @@ interface(`mozilla_run_plugin',`
mozilla_domtrans_plugin($1)
role $2 types mozilla_plugin_t;
@@ -61166,7 +61169,7 @@ index fbb5c5a..ffeec16 100644
')
########################################
-@@ -269,9 +321,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -269,9 +324,27 @@ interface(`mozilla_rw_tcp_sockets',`
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
@@ -61195,7 +61198,7 @@ index fbb5c5a..ffeec16 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -279,28 +349,79 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +352,79 @@ interface(`mozilla_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -61283,7 +61286,7 @@ index fbb5c5a..ffeec16 100644
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..194857d 100644
+index 2e9318b..428478e 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -61389,7 +61392,7 @@ index 2e9318b..194857d 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -296,25 +301,32 @@ optional_policy(`
+@@ -296,25 +301,33 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -61416,6 +61419,7 @@ index 2e9318b..194857d 100644
+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++mozilla_filetrans_home_content(mozilla_plugin_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -61429,7 +61433,7 @@ index 2e9318b..194857d 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,6 +334,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,6 +335,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -61440,7 +61444,7 @@ index 2e9318b..194857d 100644
can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -332,11 +348,9 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -332,11 +349,9 @@ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -61454,7 +61458,7 @@ index 2e9318b..194857d 100644
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,6 +358,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,6 +359,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
@@ -61466,7 +61470,7 @@ index 2e9318b..194857d 100644
dev_read_rand(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
-@@ -385,33 +404,30 @@ term_getattr_all_ttys(mozilla_plugin_t)
+@@ -385,33 +405,30 @@ term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
@@ -61512,7 +61516,7 @@ index 2e9318b..194857d 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -425,7 +441,13 @@ optional_policy(`
+@@ -425,7 +442,13 @@ optional_policy(`
')
optional_policy(`
@@ -61526,7 +61530,7 @@ index 2e9318b..194857d 100644
')
optional_policy(`
-@@ -438,18 +460,97 @@ optional_policy(`
+@@ -438,18 +461,97 @@ optional_policy(`
')
optional_policy(`
@@ -63665,11 +63669,12 @@ index 0000000..809784d
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..e8f0ef5
+index 0000000..4e9f4a1
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,502 @@
+@@ -0,0 +1,503 @@
+policy_module(sandbox,1.0.0)
++
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
@@ -63711,7 +63716,7 @@ index 0000000..e8f0ef5
+#
+# sandbox xserver policy
+#
-+allow sandbox_xserver_t self:process execstack;
++allow sandbox_xserver_t self:process { signal_perms execstack };
+
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_xserver_t self:process execmem;
@@ -66340,7 +66345,7 @@ index f9b25c1..9af1f7a 100644
+/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 4f3b542..f4e36ee 100644
+index 4f3b542..1552f90 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
@@ -66624,8 +66629,10 @@ index 4f3b542..f4e36ee 100644
- attribute port_type;
+ type port_t, unreserved_port_t;
+ attribute defined_port_type;
-+ ')
-+
+ ')
+
+- allow $1 port_t:udp_socket name_bind;
+- dontaudit $1 { port_type -port_t }:udp_socket name_bind;
+ allow $1 { port_t unreserved_port_t }:udp_socket name_bind;
+ dontaudit $1 defined_port_type:udp_socket name_bind;
+')
@@ -66643,10 +66650,8 @@ index 4f3b542..f4e36ee 100644
+interface(`corenet_dccp_connect_generic_port',`
+ gen_require(`
+ type port_t, unreserved_port_t;
- ')
-
-- allow $1 port_t:udp_socket name_bind;
-- dontaudit $1 { port_type -port_t }:udp_socket name_bind;
++ ')
++
+ allow $1 { port_t unreserved_port_t }:dccp_socket name_connect;
')
@@ -66657,8 +66662,9 @@ index 4f3b542..f4e36ee 100644
gen_require(`
- type port_t;
+ type port_t, unreserved_port_t;
-+ ')
-+
+ ')
+
+- allow $1 port_t:tcp_socket name_connect;
+ allow $1 { port_t unreserved_port_t }:tcp_socket name_connect;
+')
+
@@ -66675,9 +66681,8 @@ index 4f3b542..f4e36ee 100644
+interface(`corenet_dccp_sendrecv_all_ports',`
+ gen_require(`
+ attribute port_type;
- ')
-
-- allow $1 port_t:tcp_socket name_connect;
++ ')
++
+ allow $1 port_type:dccp_socket { send_msg recv_msg };
')
@@ -66809,142 +66814,96 @@ index 4f3b542..f4e36ee 100644
## Send and receive TCP network traffic on generic reserved ports.
## </summary>
## <param name="domain">
-@@ -1647,7 +1924,7 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+@@ -1647,6 +1924,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
########################################
## <summary>
--## Bind TCP sockets to generic reserved ports.
+## Bind DCCP sockets to generic reserved ports.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -1655,18 +1932,18 @@ interface(`corenet_udp_sendrecv_reserved_port',`
- ## </summary>
- ## </param>
- #
--interface(`corenet_tcp_bind_reserved_port',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`corenet_dccp_bind_reserved_port',`
- gen_require(`
- type reserved_port_t;
- ')
-
-- allow $1 reserved_port_t:tcp_socket name_bind;
++ gen_require(`
++ type reserved_port_t;
++ ')
++
+ allow $1 reserved_port_t:dccp_socket name_bind;
- allow $1 self:capability net_bind_service;
- ')
-
- ########################################
- ## <summary>
--## Bind UDP sockets to generic reserved ports.
-+## Bind TCP sockets to generic reserved ports.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -1674,18 +1951,18 @@ interface(`corenet_tcp_bind_reserved_port',`
- ## </summary>
- ## </param>
- #
--interface(`corenet_udp_bind_reserved_port',`
-+interface(`corenet_tcp_bind_reserved_port',`
- gen_require(`
- type reserved_port_t;
- ')
-
-- allow $1 reserved_port_t:udp_socket name_bind;
-+ allow $1 reserved_port_t:tcp_socket name_bind;
- allow $1 self:capability net_bind_service;
- ')
-
- ########################################
- ## <summary>
--## Connect TCP sockets to generic reserved ports.
-+## Bind UDP sockets to generic reserved ports.
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++## <summary>
+ ## Bind TCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
- ## <summary>
-@@ -1693,17 +1970,18 @@ interface(`corenet_udp_bind_reserved_port',`
- ## </summary>
- ## </param>
- #
--interface(`corenet_tcp_connect_reserved_port',`
-+interface(`corenet_udp_bind_reserved_port',`
- gen_require(`
- type reserved_port_t;
- ')
-
-- allow $1 reserved_port_t:tcp_socket name_connect;
-+ allow $1 reserved_port_t:udp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
- ')
+@@ -1685,6 +1981,24 @@ interface(`corenet_udp_bind_reserved_port',`
########################################
## <summary>
--## Send and receive TCP network traffic on all reserved ports.
+## Connect DCCP sockets to generic reserved ports.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -1711,17 +1989,17 @@ interface(`corenet_tcp_connect_reserved_port',`
- ## </summary>
- ## </param>
- #
--interface(`corenet_tcp_sendrecv_all_reserved_ports',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`corenet_dccp_connect_reserved_port',`
- gen_require(`
-- attribute reserved_port_type;
++ gen_require(`
+ type reserved_port_t;
- ')
-
-- allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
++ ')
++
+ allow $1 reserved_port_t:dccp_socket name_connect;
- ')
-
- ########################################
- ## <summary>
--## Send UDP network traffic on all reserved ports.
-+## Connect TCP sockets to generic reserved ports.
++')
++
++########################################
++## <summary>
+ ## Connect TCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
- ## <summary>
-@@ -1729,17 +2007,17 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',`
- ## </summary>
- ## </param>
- #
--interface(`corenet_udp_send_all_reserved_ports',`
-+interface(`corenet_tcp_connect_reserved_port',`
- gen_require(`
-- attribute reserved_port_type;
-+ type reserved_port_t;
- ')
-
-- allow $1 reserved_port_type:udp_socket send_msg;
-+ allow $1 reserved_port_t:tcp_socket name_connect;
- ')
+@@ -1703,6 +2017,24 @@ interface(`corenet_tcp_connect_reserved_port',`
########################################
## <summary>
--## Receive UDP network traffic on all reserved ports.
+## Send and receive DCCP network traffic on all reserved ports.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corenet_dccp_sendrecv_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
++')
++
++########################################
++## <summary>
+ ## Send and receive TCP network traffic on all reserved ports.
## </summary>
## <param name="domain">
- ## <summary>
-@@ -1747,12 +2025,66 @@ interface(`corenet_udp_send_all_reserved_ports',`
- ## </summary>
- ## </param>
+@@ -1749,15 +2081,213 @@ interface(`corenet_udp_send_all_reserved_ports',`
#
--interface(`corenet_udp_receive_all_reserved_ports',`
-+interface(`corenet_dccp_sendrecv_all_reserved_ports',`
+ interface(`corenet_udp_receive_all_reserved_ports',`
gen_require(`
- attribute reserved_port_type;
- ')
-
-- allow $1 reserved_port_type:udp_socket recv_msg;
-+ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
+- attribute reserved_port_type;
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
-+## Send and receive TCP network traffic on all reserved ports.
++## Send and receive UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66952,17 +66911,33 @@ index 4f3b542..f4e36ee 100644
+## </summary>
+## </param>
+#
-+interface(`corenet_tcp_sendrecv_all_reserved_ports',`
++interface(`corenet_udp_sendrecv_all_reserved_ports',`
++ corenet_udp_send_all_reserved_ports($1)
++ corenet_udp_receive_all_reserved_ports($1)
++')
++
++########################################
++## <summary>
++## Bind DCCP sockets to all reserved ports.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corenet_dccp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
-+ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
++ allow $1 reserved_port_type:dccp_socket name_bind;
++ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
-+## Send UDP network traffic on all reserved ports.
++## Bind TCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -66970,38 +66945,54 @@ index 4f3b542..f4e36ee 100644
+## </summary>
+## </param>
+#
-+interface(`corenet_udp_send_all_reserved_ports',`
++interface(`corenet_tcp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
-+ allow $1 reserved_port_type:udp_socket send_msg;
++ allow $1 reserved_port_type:tcp_socket name_bind;
++ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
-+## Receive UDP network traffic on all reserved ports.
++## Do not audit attempts to bind DCCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`corenet_udp_receive_all_reserved_ports',`
++interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
-+ allow $1 reserved_port_type:udp_socket recv_msg;
- ')
-
- ########################################
-@@ -1772,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
-
- ########################################
- ## <summary>
-+## Bind DCCP sockets to all reserved ports.
++ dontaudit $1 reserved_port_type:dccp_socket name_bind;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to bind TCP sockets to all reserved ports.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ dontaudit $1 reserved_port_type:tcp_socket name_bind;
++')
++
++########################################
++## <summary>
++## Bind UDP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -67009,25 +67000,18 @@ index 4f3b542..f4e36ee 100644
+## </summary>
+## </param>
+#
-+interface(`corenet_dccp_bind_all_reserved_ports',`
++interface(`corenet_udp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
-+ allow $1 reserved_port_type:dccp_socket name_bind;
++ allow $1 reserved_port_type:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
- ## Bind TCP sockets to all reserved ports.
- ## </summary>
- ## <param name="domain">
-@@ -1791,6 +2142,24 @@ interface(`corenet_tcp_bind_all_reserved_ports',`
-
- ########################################
- ## <summary>
-+## Do not audit attempts to bind DCCP sockets to all reserved ports.
++## Do not audit attempts to bind UDP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -67035,23 +67019,16 @@ index 4f3b542..f4e36ee 100644
+## </summary>
+## </param>
+#
-+interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',`
++interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
-+ dontaudit $1 reserved_port_type:dccp_socket name_bind;
++ dontaudit $1 reserved_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
- ## Do not audit attempts to bind TCP sockets to all reserved ports.
- ## </summary>
- ## <param name="domain">
-@@ -1846,6 +2215,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
-
- ########################################
- ## <summary>
+## Bind DCCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
@@ -67070,36 +67047,7 @@ index 4f3b542..f4e36ee 100644
+
+########################################
+## <summary>
- ## Bind TCP sockets to all ports > 1024.
- ## </summary>
- ## <param name="domain">
-@@ -1856,10 +2243,10 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
- #
- interface(`corenet_tcp_bind_all_unreserved_ports',`
- gen_require(`
-- attribute port_type, reserved_port_type;
-+ attribute unreserved_port_type;
- ')
-
-- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
-+ allow $1 unreserved_port_type:tcp_socket name_bind;
- ')
-
- ########################################
-@@ -1874,10 +2261,64 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
- #
- interface(`corenet_udp_bind_all_unreserved_ports',`
- gen_require(`
-- attribute port_type, reserved_port_type;
-+ attribute unreserved_port_type;
-+ ')
-+
-+ allow $1 unreserved_port_type:udp_socket name_bind;
-+')
-+
-+########################################
-+## <summary>
-+## Bind TCP sockets to all ports > 32768.
++## Bind TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -67107,17 +67055,17 @@ index 4f3b542..f4e36ee 100644
+## </summary>
+## </param>
+#
-+interface(`corenet_tcp_bind_all_ephemeral_ports',`
++interface(`corenet_tcp_bind_all_unreserved_ports',`
+ gen_require(`
-+ attribute ephemeral_port_type;
++ attribute unreserved_port_type;
+ ')
+
-+ allow $1 ephemeral_port_type:tcp_socket name_bind;
++ allow $1 unreserved_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
-+## Bind UDP sockets to all ports > 32768.
++## Bind UDP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -67125,17 +67073,17 @@ index 4f3b542..f4e36ee 100644
+## </summary>
+## </param>
+#
-+interface(`corenet_udp_bind_all_ephemeral_ports',`
++interface(`corenet_udp_bind_all_unreserved_ports',`
+ gen_require(`
-+ attribute ephemeral_port_type;
++ attribute unreserved_port_type;
+ ')
+
-+ allow $1 ephemeral_port_type:udp_socket name_bind;
++ allow $1 unreserved_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
-+## Connect DCCP sockets to reserved ports.
++## Bind TCP sockets to all ports > 32768.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -67143,33 +67091,101 @@ index 4f3b542..f4e36ee 100644
+## </summary>
+## </param>
+#
-+interface(`corenet_dccp_connect_all_reserved_ports',`
++interface(`corenet_tcp_bind_all_ephemeral_ports',`
+ gen_require(`
-+ attribute reserved_port_type;
++ attribute ephemeral_port_type;
')
-- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+- allow $1 reserved_port_type:udp_socket recv_msg;
++ allow $1 ephemeral_port_type:tcp_socket name_bind;
+ ')
+
+ ########################################
+ ## <summary>
+-## Send and receive UDP network traffic on all reserved ports.
++## Bind UDP sockets to all ports > 32768.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1765,14 +2295,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`corenet_udp_sendrecv_all_reserved_ports',`
+- corenet_udp_send_all_reserved_ports($1)
+- corenet_udp_receive_all_reserved_ports($1)
++interface(`corenet_udp_bind_all_ephemeral_ports',`
++ gen_require(`
++ attribute ephemeral_port_type;
++ ')
++
++ allow $1 ephemeral_port_type:udp_socket name_bind;
+ ')
+
+ ########################################
+ ## <summary>
+-## Bind TCP sockets to all reserved ports.
++## Connect DCCP sockets to reserved ports.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1780,36 +2313,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_bind_all_reserved_ports',`
++interface(`corenet_dccp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+- allow $1 reserved_port_type:tcp_socket name_bind;
+- allow $1 self:capability net_bind_service;
+ allow $1 reserved_port_type:dccp_socket name_connect;
')
########################################
-@@ -1900,6 +2341,42 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+ ## <summary>
+-## Do not audit attempts to bind TCP sockets to all reserved ports.
++## Connect TCP sockets to reserved ports.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+- dontaudit $1 reserved_port_type:tcp_socket name_bind;
++ allow $1 reserved_port_type:tcp_socket name_connect;
+ ')
########################################
## <summary>
+-## Bind UDP sockets to all reserved ports.
+## Connect DCCP sockets to all ports > 1024.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1817,36 +2349,53 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`corenet_udp_bind_all_reserved_ports',`
+interface(`corenet_dccp_connect_all_unreserved_ports',`
-+ gen_require(`
+ gen_require(`
+- attribute reserved_port_type;
+ attribute unreserved_port_type;
-+ ')
-+
+ ')
+
+- allow $1 reserved_port_type:udp_socket name_bind;
+- allow $1 self:capability net_bind_service;
+ allow $1 unreserved_port_type:dccp_socket name_connect;
+')
+
@@ -67189,114 +67205,170 @@ index 4f3b542..f4e36ee 100644
+ ')
+
+ allow $1 unreserved_port_t:tcp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
- ## Connect TCP sockets to all ports > 1024.
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to bind UDP sockets to all reserved ports.
++## Connect TCP sockets to all ports > 1024.
## </summary>
## <param name="domain">
-@@ -1910,10 +2387,47 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
#
- interface(`corenet_tcp_connect_all_unreserved_ports',`
+-interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_unreserved_ports',`
gen_require(`
-- attribute port_type, reserved_port_type;
+- attribute reserved_port_type;
+ attribute unreserved_port_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 reserved_port_type:udp_socket name_bind;
+ allow $1 unreserved_port_type:tcp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Bind TCP sockets to all ports > 1024.
+## Connect TCP sockets to all ports > 32768.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1854,53 +2403,55 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_bind_all_unreserved_ports',`
+interface(`corenet_tcp_connect_all_ephemeral_ports',`
-+ gen_require(`
+ gen_require(`
+- attribute port_type, reserved_port_type;
+ attribute ephemeral_port_type;
-+ ')
-+
+ ')
+
+- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
+ allow $1 ephemeral_port_type:tcp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Bind UDP sockets to all ports > 1024.
+## Do not audit attempts to connect DCCP sockets
+## all reserved ports.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`corenet_udp_bind_all_unreserved_ports',`
+interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
-+ gen_require(`
+ gen_require(`
+- attribute port_type, reserved_port_type;
+ attribute reserved_port_type;
')
-- allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+ dontaudit $1 reserved_port_type:dccp_socket name_connect;
')
########################################
-@@ -1937,6 +2451,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+ ## <summary>
+-## Connect TCP sockets to reserved ports.
++## Do not audit attempts to connect TCP sockets
++## all reserved ports.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_connect_all_reserved_ports',`
++interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+- allow $1 reserved_port_type:tcp_socket name_connect;
++ dontaudit $1 reserved_port_type:tcp_socket name_connect;
+ ')
########################################
## <summary>
+-## Connect TCP sockets to all ports > 1024.
+## Connect DCCP sockets to rpc ports.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1908,49 +2459,49 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_connect_all_unreserved_ports',`
+interface(`corenet_dccp_connect_all_rpc_ports',`
-+ gen_require(`
+ gen_require(`
+- attribute port_type, reserved_port_type;
+ attribute rpc_port_type;
-+ ')
-+
+ ')
+
+- allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+ allow $1 rpc_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
- ## Connect TCP sockets to rpc ports.
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to connect TCP sockets
+-## all reserved ports.
++## Connect TCP sockets to rpc ports.
## </summary>
## <param name="domain">
-@@ -1955,6 +2487,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_rpc_ports',`
+ gen_require(`
+- attribute reserved_port_type;
++ attribute rpc_port_type;
+ ')
+
+- dontaudit $1 reserved_port_type:tcp_socket name_connect;
++ allow $1 rpc_port_type:tcp_socket name_connect;
+ ')
########################################
## <summary>
+-## Connect TCP sockets to rpc ports.
+## Do not audit attempts to connect DCCP sockets
+## all rpc ports.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_connect_all_rpc_ports',`
+interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
-+ gen_require(`
-+ attribute rpc_port_type;
-+ ')
-+
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+- allow $1 rpc_port_type:tcp_socket name_connect;
+ dontaudit $1 rpc_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to connect TCP sockets
- ## all rpc ports.
- ## </summary>
+ ')
+
+ ########################################
@@ -1993,6 +2544,24 @@ interface(`corenet_rw_tun_tap_dev',`
########################################
@@ -67595,6 +67667,50 @@ index 4f3b542..f4e36ee 100644
corenet_tcp_recvfrom_labeled($1, $2)
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
+@@ -3134,3 +3885,43 @@ interface(`corenet_unconfined',`
+
+ typeattribute $1 corenet_unconfined_type;
+ ')
++
++########################################
++## <summary>
++## Create all network named devices with the correct label
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corenet_filetrans_all_named_dev',`
++
++ gen_require(`
++ type tun_tap_device_t;
++ type ppp_device_t;
++ ')
++
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap0")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap1")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap2")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap3")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap4")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap5")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap6")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap7")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap8")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap9")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap10")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap11")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap12")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap13")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap14")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap15")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap16")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap17")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap18")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap19")
++ dev_filetrans($1, ppp_device_t, chr_file, "ppp")
++')
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 99b71cb..63b5c4a 100644
--- a/policy/modules/kernel/corenetwork.te.in
@@ -69746,7 +69862,7 @@ index 6a1e4d1..3ded83e 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..d61bc3d 100644
+index fae1ab1..2be8074 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -69847,10 +69963,12 @@ index fae1ab1..d61bc3d 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +199,230 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +199,232 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
++corenet_filetrans_all_named_dev(unconfined_domain_type)
++
+dev_filetrans_all_named_dev(unconfined_domain_type)
+
# receive from all domains over labeled networking
@@ -84505,10 +84623,10 @@ index 0000000..7f55959
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..22b18dc
+index 0000000..82d0dad
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,222 @@
+@@ -0,0 +1,223 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -84605,6 +84723,7 @@ index 0000000..22b18dc
+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
+
++kernel_read_kernel_sysctls(deltacloudd_t)
+kernel_read_system_state(deltacloudd_t)
+
+corecmd_exec_bin(deltacloudd_t)
@@ -101582,7 +101701,7 @@ index e9c0982..67a500f 100644
+ mysql_stream_connect($1)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..5866289 100644
+index 0a0d63c..49848dd 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -101674,7 +101793,7 @@ index 0a0d63c..5866289 100644
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
-@@ -170,26 +179,33 @@ kernel_read_system_state(mysqld_safe_t)
+@@ -170,26 +179,35 @@ kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
@@ -101693,6 +101812,8 @@ index 0a0d63c..5866289 100644
-hostname_exec(mysqld_safe_t)
+logging_send_syslog_msg(mysqld_safe_t)
++
++auth_read_passwd(mysqld_safe_t)
miscfiles_read_localization(mysqld_safe_t)
@@ -102388,7 +102509,7 @@ index 2324d9e..8666a3c 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..64d170f 100644
+index 0619395..e8e7ad6 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -102472,7 +102593,7 @@ index 0619395..64d170f 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,7 +143,7 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,10 +143,11 @@ corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
@@ -102481,7 +102602,11 @@ index 0619395..64d170f 100644
files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
-@@ -133,30 +163,37 @@ logging_send_syslog_msg(NetworkManager_t)
++files_read_system_conf_files(NetworkManager_t)
+ files_read_usr_files(NetworkManager_t)
+ files_read_usr_src_files(NetworkManager_t)
+
+@@ -133,30 +164,37 @@ logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
@@ -102521,7 +102646,7 @@ index 0619395..64d170f 100644
')
optional_policy(`
-@@ -176,10 +213,17 @@ optional_policy(`
+@@ -176,10 +214,17 @@ optional_policy(`
')
optional_policy(`
@@ -102539,7 +102664,7 @@ index 0619395..64d170f 100644
')
')
-@@ -191,6 +235,7 @@ optional_policy(`
+@@ -191,6 +236,7 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -102547,7 +102672,7 @@ index 0619395..64d170f 100644
')
optional_policy(`
-@@ -202,23 +247,45 @@ optional_policy(`
+@@ -202,23 +248,45 @@ optional_policy(`
')
optional_policy(`
@@ -102593,7 +102718,7 @@ index 0619395..64d170f 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -241,6 +308,7 @@ optional_policy(`
+@@ -241,6 +309,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -102601,7 +102726,7 @@ index 0619395..64d170f 100644
')
optional_policy(`
-@@ -254,6 +322,10 @@ optional_policy(`
+@@ -254,6 +323,10 @@ optional_policy(`
')
optional_policy(`
@@ -102612,7 +102737,7 @@ index 0619395..64d170f 100644
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
')
-@@ -263,6 +335,7 @@ optional_policy(`
+@@ -263,6 +336,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -108003,7 +108128,7 @@ index 09aeffa..e66adbd 100644
postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4a5387a..6a6dd0e 100644
+index 4a5387a..3124e96 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,16 +19,16 @@ gen_require(`
@@ -108029,6 +108154,15 @@ index 4a5387a..6a6dd0e 100644
## </desc>
gen_tunable(sepgsql_unconfined_dbadm, true)
+@@ -205,7 +205,7 @@ allow postgresql_t self:shm create_shm_perms;
+ allow postgresql_t self:tcp_socket create_stream_socket_perms;
+ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
++allow postgresql_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow postgresql_t self:netlink_selinux_socket create_socket_perms;
+
+ allow postgresql_t sepgsql_database_type:db_database *;
@@ -241,7 +241,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
@@ -119433,7 +119567,7 @@ index 93975d6..7a665ff 100644
init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
-index f9310f3..7a350f1 100644
+index f9310f3..a6ed441 100644
--- a/policy/modules/services/varnishd.te
+++ b/policy/modules/services/varnishd.te
@@ -6,10 +6,10 @@ policy_module(varnishd, 1.2.0)
@@ -119469,6 +119603,15 @@ index f9310f3..7a350f1 100644
########################################
#
+@@ -87,6 +87,8 @@ corenet_tcp_connect_http_port(varnishd_t)
+
+ dev_read_urand(varnishd_t)
+
++files_read_usr_files(varnishd_t)
++
+ fs_getattr_all_fs(varnishd_t)
+
+ auth_use_nsswitch(varnishd_t)
diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
new file mode 100644
index 0000000..2ba852c
@@ -128855,7 +128998,7 @@ index 0d4c8d3..9d66bf7 100644
########################################
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 55a6cd8..7232fa6 100644
+index 55a6cd8..02378d2 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -73,13 +73,15 @@ role system_r types setkey_t;
@@ -128875,7 +129018,7 @@ index 55a6cd8..7232fa6 100644
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
-@@ -128,13 +130,13 @@ corecmd_exec_bin(ipsec_t)
+@@ -128,19 +130,21 @@ corecmd_exec_bin(ipsec_t)
# Pluto needs network access
corenet_all_recvfrom_unlabeled(ipsec_t)
@@ -128895,7 +129038,15 @@ index 55a6cd8..7232fa6 100644
corenet_tcp_bind_reserved_port(ipsec_t)
corenet_tcp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_isakmp_port(ipsec_t)
-@@ -156,6 +158,8 @@ files_dontaudit_search_home(ipsec_t)
+ corenet_udp_bind_ipsecnat_port(ipsec_t)
+ corenet_sendrecv_generic_server_packets(ipsec_t)
+ corenet_sendrecv_isakmp_server_packets(ipsec_t)
++corenet_tcp_connect_http_port(ipsec_t)
++corenet_tcp_connect_ldap_port(ipsec_t)
+
+ dev_read_sysfs(ipsec_t)
+ dev_read_rand(ipsec_t)
+@@ -156,6 +160,8 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@@ -128904,7 +129055,7 @@ index 55a6cd8..7232fa6 100644
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
-@@ -169,6 +173,8 @@ logging_send_syslog_msg(ipsec_t)
+@@ -169,6 +175,8 @@ logging_send_syslog_msg(ipsec_t)
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
@@ -128913,7 +129064,7 @@ index 55a6cd8..7232fa6 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,9 +192,9 @@ optional_policy(`
+@@ -186,9 +194,9 @@ optional_policy(`
# ipsec_mgmt Local policy
#
@@ -128926,7 +129077,7 @@ index 55a6cd8..7232fa6 100644
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -245,6 +251,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -245,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -128943,7 +129094,7 @@ index 55a6cd8..7232fa6 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -254,6 +270,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -254,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -128952,7 +129103,7 @@ index 55a6cd8..7232fa6 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -277,9 +295,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -277,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -128964,7 +129115,7 @@ index 55a6cd8..7232fa6 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -297,7 +316,12 @@ sysnet_manage_config(ipsec_mgmt_t)
+@@ -297,7 +318,12 @@ sysnet_manage_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
sysnet_etc_filetrans_config(ipsec_mgmt_t)
@@ -128978,7 +129129,7 @@ index 55a6cd8..7232fa6 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -324,10 +348,6 @@ optional_policy(`
+@@ -324,10 +350,6 @@ optional_policy(`
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -128989,7 +129140,7 @@ index 55a6cd8..7232fa6 100644
ifdef(`TODO',`
# ideally it would not need this. It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-@@ -377,12 +397,12 @@ corecmd_exec_shell(racoon_t)
+@@ -377,12 +399,12 @@ corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
@@ -129008,7 +129159,7 @@ index 55a6cd8..7232fa6 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -411,6 +431,8 @@ miscfiles_read_localization(racoon_t)
+@@ -411,6 +433,8 @@ miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
@@ -129017,7 +129168,7 @@ index 55a6cd8..7232fa6 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -448,5 +470,6 @@ miscfiles_read_localization(setkey_t)
+@@ -448,5 +472,6 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
@@ -129216,7 +129367,7 @@ index f3e1b57..d7fd7fb 100644
')
diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
-index 14d9670..16d4a57 100644
+index 14d9670..358255e 100644
--- a/policy/modules/system/iscsi.fc
+++ b/policy/modules/system/iscsi.fc
@@ -1,7 +1,16 @@
@@ -129229,7 +129380,7 @@ index 14d9670..16d4a57 100644
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+
/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
-+/var/log/iscsiuio\.log.* gen_context(system_u:object_r:iscsi_log_t,s0)
++/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
+
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
+
@@ -130175,7 +130326,7 @@ index a0b379d..95bf920 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..dfd853e 100644
+index 02f4c97..7bd737a 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,12 +17,28 @@
@@ -130225,7 +130376,16 @@ index 02f4c97..dfd853e 100644
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -66,6 +83,7 @@ ifdef(`distro_redhat',`
+@@ -54,6 +71,8 @@ ifndef(`distro_gentoo',`
+ ifdef(`distro_redhat',`
+ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
+ /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
++/var/spool/postfix/dev -d gen_context(system_u:object_r:var_log_t,s0)
++/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+ ')
+
+ /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+@@ -66,6 +85,7 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -130233,7 +130393,7 @@ index 02f4c97..dfd853e 100644
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-@@ -73,4 +91,9 @@ ifdef(`distro_redhat',`
+@@ -73,4 +93,9 @@ ifdef(`distro_redhat',`
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -136430,7 +136590,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..433773d 100644
+index 4b2878a..846a061 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -137271,8 +137431,15 @@ index 4b2878a..433773d 100644
')
')
-@@ -712,13 +877,26 @@ template(`userdom_login_user_template', `
+@@ -708,17 +873,33 @@ template(`userdom_common_user_template',`
+ template(`userdom_login_user_template', `
+ gen_require(`
+ class context contains;
++ attribute login_userdomain;
+ ')
++ typeattribute $1_t login_userdomain;
++
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
@@ -137280,12 +137447,12 @@ index 4b2878a..433773d 100644
+
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
++
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable(allow_$1_exec_content, true)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable(allow_$1_exec_content, true)
-+
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -137303,7 +137470,7 @@ index 4b2878a..433773d 100644
userdom_change_password_template($1)
-@@ -730,78 +908,86 @@ template(`userdom_login_user_template', `
+@@ -730,78 +911,86 @@ template(`userdom_login_user_template', `
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
@@ -137380,14 +137547,14 @@ index 4b2878a..433773d 100644
+ miscfiles_exec_tetex_data($1_usertype)
+
+ seutil_read_config($1_usertype)
-+
+
+- seutil_read_config($1_t)
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
+ cups_stream_connect_ptal($1_usertype)
+ ')
-
-- seutil_read_config($1_t)
++
+ optional_policy(`
+ kerberos_use($1_usertype)
+ kerberos_filetrans_home_content($1_usertype)
@@ -137424,7 +137591,7 @@ index 4b2878a..433773d 100644
')
')
-@@ -833,6 +1019,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1022,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -137434,7 +137601,7 @@ index 4b2878a..433773d 100644
##############################
#
# Local policy
-@@ -874,45 +1063,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1066,118 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -137507,41 +137674,41 @@ index 4b2878a..433773d 100644
+ dbus_role_template($1, $1_r, $1_usertype)
+ dbus_system_bus_client($1_usertype)
+ allow $1_usertype $1_usertype:dbus send_msg;
-+
-+ optional_policy(`
+
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
+ abrt_dbus_chat($1_usertype)
+ abrt_run_helper($1_usertype, $1_r)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- cups_dbus_chat($1_t)
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
-+ ')
+ ')
+
+ optional_policy(`
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
+ ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
++
++ optional_policy(`
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
- ')
-
- optional_policy(`
-- cups_dbus_chat($1_t)
++ ')
++
++ optional_policy(`
+ fprintd_dbus_chat($1_t)
- ')
++ ')
++ ')
++
++ optional_policy(`
++ policykit_role($1_r, $1_usertype)
')
optional_policy(`
- java_role($1_r, $1_t)
-+ policykit_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
+ pulseaudio_filetrans_home_content($1_usertype)
@@ -137564,7 +137731,7 @@ index 4b2878a..433773d 100644
')
')
-@@ -947,7 +1209,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1212,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -137573,7 +137740,7 @@ index 4b2878a..433773d 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1218,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1221,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -137591,7 +137758,7 @@ index 4b2878a..433773d 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1243,60 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1246,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -137647,21 +137814,21 @@ index 4b2878a..433773d 100644
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
++ ')
++
++ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
-+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1305,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1308,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -137672,7 +137839,7 @@ index 4b2878a..433773d 100644
')
')
-@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1346,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -137681,7 +137848,7 @@ index 4b2878a..433773d 100644
')
##############################
-@@ -1065,7 +1369,11 @@ template(`userdom_admin_user_template',`
+@@ -1065,7 +1372,11 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -137694,7 +137861,7 @@ index 4b2878a..433773d 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1382,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -137704,7 +137871,7 @@ index 4b2878a..433773d 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1399,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -137712,7 +137879,7 @@ index 4b2878a..433773d 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1417,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -137726,7 +137893,7 @@ index 4b2878a..433773d 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1434,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1437,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -137769,7 +137936,7 @@ index 4b2878a..433773d 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1475,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1478,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -137778,7 +137945,7 @@ index 4b2878a..433773d 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1536,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1539,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -137787,7 +137954,7 @@ index 4b2878a..433773d 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1550,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1553,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -137798,7 +137965,7 @@ index 4b2878a..433773d 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1563,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1566,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -137827,7 +137994,7 @@ index 4b2878a..433773d 100644
')
optional_policy(`
-@@ -1251,12 +1591,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1594,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -137843,7 +138010,7 @@ index 4b2878a..433773d 100644
')
optional_policy(`
-@@ -1279,11 +1619,60 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1622,60 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -137904,7 +138071,7 @@ index 4b2878a..433773d 100644
ubac_constrained($1)
')
-@@ -1395,6 +1784,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1787,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -137912,11 +138079,10 @@ index 4b2878a..433773d 100644
files_search_home($1)
')
-@@ -1441,7 +1831,15 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1834,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
--')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
@@ -137925,11 +138091,10 @@ index 4b2878a..433773d 100644
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ ')
-+')
+ ')
########################################
- ## <summary>
-@@ -1456,9 +1854,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1857,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -137941,7 +138106,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -1515,6 +1915,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1918,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -137984,7 +138149,7 @@ index 4b2878a..433773d 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1589,6 +2025,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2028,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -137993,7 +138158,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -1603,10 +2041,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2044,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -138008,7 +138173,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -1649,6 +2089,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2092,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -138052,7 +138217,7 @@ index 4b2878a..433773d 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1668,6 +2145,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2148,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -138078,7 +138243,7 @@ index 4b2878a..433773d 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1698,14 +2194,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2197,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -138116,7 +138281,7 @@ index 4b2878a..433773d 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2234,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2237,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -138134,7 +138299,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -1779,6 +2300,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2303,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -138195,7 +138360,7 @@ index 4b2878a..433773d 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2385,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2388,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -138205,7 +138370,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -1827,20 +2401,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2404,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -138219,18 +138384,19 @@ index 4b2878a..433773d 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
## <summary>
-@@ -1941,6 +2509,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+ ## Do not audit attempts to execute user home files.
+@@ -1941,6 +2512,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -138255,7 +138421,7 @@ index 4b2878a..433773d 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2008,7 +2594,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2597,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -138264,7 +138430,7 @@ index 4b2878a..433773d 100644
files_search_home($1)
')
-@@ -2039,7 +2625,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2628,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -138273,7 +138439,7 @@ index 4b2878a..433773d 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2158,11 +2744,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2747,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -138288,7 +138454,7 @@ index 4b2878a..433773d 100644
files_search_tmp($1)
')
-@@ -2182,7 +2768,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2771,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -138297,7 +138463,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -2390,7 +2976,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2979,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -138306,7 +138472,7 @@ index 4b2878a..433773d 100644
files_search_tmp($1)
')
-@@ -2419,6 +3005,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3008,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2)
')
@@ -138332,7 +138498,7 @@ index 4b2878a..433773d 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2435,13 +3040,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3043,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -138348,7 +138514,7 @@ index 4b2878a..433773d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,7 +3068,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3071,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -138357,7 +138523,7 @@ index 4b2878a..433773d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2470,14 +3076,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3079,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -138392,7 +138558,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -2572,6 +3194,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +3197,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -138417,7 +138583,7 @@ index 4b2878a..433773d 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2590,22 +3230,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +3233,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -138460,7 +138626,7 @@ index 4b2878a..433773d 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2614,14 +3266,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3269,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -138498,7 +138664,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -2640,36 +3311,32 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,36 +3314,32 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -138544,7 +138710,7 @@ index 4b2878a..433773d 100644
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
-@@ -2679,12 +3346,12 @@ interface(`userdom_spec_domtrans_all_users',`
+@@ -2679,12 +3349,12 @@ interface(`userdom_spec_domtrans_all_users',`
## </summary>
## </param>
#
@@ -138559,7 +138725,7 @@ index 4b2878a..433773d 100644
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
-@@ -2692,7 +3359,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
+@@ -2692,7 +3362,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
########################################
## <summary>
@@ -138568,7 +138734,7 @@ index 4b2878a..433773d 100644
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
-@@ -2702,20 +3369,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
+@@ -2702,20 +3372,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
## </summary>
## </param>
#
@@ -138596,7 +138762,7 @@ index 4b2878a..433773d 100644
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
-@@ -2725,57 +3392,61 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2725,57 +3395,61 @@ interface(`userdom_spec_domtrans_unpriv_users',`
## </summary>
## </param>
#
@@ -138677,7 +138843,7 @@ index 4b2878a..433773d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2783,12 +3454,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2783,12 +3457,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -138692,7 +138858,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -2852,7 +3523,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3526,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -138701,7 +138867,7 @@ index 4b2878a..433773d 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3539,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3542,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -138735,7 +138901,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -2972,7 +3627,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3630,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -138744,7 +138910,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -3027,7 +3682,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3685,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -138791,7 +138957,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -3045,7 +3738,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3741,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -138800,7 +138966,7 @@ index 4b2878a..433773d 100644
')
########################################
-@@ -3064,6 +3757,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3760,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -138808,7 +138974,7 @@ index 4b2878a..433773d 100644
kernel_search_proc($1)
')
-@@ -3142,6 +3836,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3839,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -138833,7 +138999,7 @@ index 4b2878a..433773d 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3160,6 +3872,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3875,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -138858,7 +139024,7 @@ index 4b2878a..433773d 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3924,1254 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3927,1254 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -140114,7 +140280,7 @@ index 4b2878a..433773d 100644
+ typeattribute $1 userdom_home_manager_type;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..0e7648c 100644
+index 9b4a930..fd86f24 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -140126,7 +140292,7 @@ index 9b4a930..0e7648c 100644
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect, false)
-@@ -43,6 +43,20 @@ gen_tunable(user_rw_noexattrfile, false)
+@@ -43,12 +43,27 @@ gen_tunable(user_rw_noexattrfile, false)
## <desc>
## <p>
@@ -140147,7 +140313,14 @@ index 9b4a930..0e7648c 100644
## Allow w to display everyone
## </p>
## </desc>
-@@ -59,6 +73,22 @@ attribute unpriv_userdomain;
+ gen_tunable(user_ttyfile_stat, false)
+
+ attribute admindomain;
++attribute login_userdomain;
+
+ # all user domains
+ attribute userdomain;
+@@ -59,6 +74,22 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
@@ -140170,7 +140343,7 @@ index 9b4a930..0e7648c 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +101,111 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +102,111 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
diff --git a/selinux-policy.spec b/selinux-policy.spec
index da05f1b..716c4e0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 95%{?dist}
+Release: 96%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -478,6 +478,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon March 5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-96
+- Add labeling for /var/spool/postfix/dev/log
+- NM reads sysctl.conf
+- Iscsi log file context specification fix
+- Allow mozilla plugins to send dbus messages to user domains that transition to it
+- Allow mysql to read the passwd file
+- Allow mozilla_plugin_t to create mozilla home dirs in user homedir
+- Allow deltacloud to read kernel sysctl
+- Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself
+- Allow postgresql_t to connectto itself
+- Add login_userdomain attribute for users which can log in using terminal
+
* Tue Feb 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-95
- Allow sysadm_u to reach system_r by default #784011
- Allow nagios plugins to use inherited user terminals
More information about the scm-commits
mailing list