[selinux-policy/f17] * Mon Mar 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0- - More fixes for systemd from Dan Walsh
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Mar 19 20:33:19 UTC 2012
commit aadc27b82eeb965131872be2d12357eeb8a296cd
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Mar 19 21:33:01 2012 +0100
* Mon Mar 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-
- More fixes for systemd from Dan Walsh
policy-F16.patch | 1837 ++++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 5 +-
2 files changed, 1373 insertions(+), 469 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index c114c74..d14d168 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -56151,10 +56151,20 @@ index 1308871..c994c93 100644
# fork
# setexec
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index bf24160..4c5554c 100644
+index bf24160..d62508b 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
-@@ -862,3 +862,26 @@ inherits database
+@@ -393,6 +393,9 @@ class system
+ syslog_mod
+ syslog_console
+ module_request
++ halt
++ reboot
++ status
+ }
+
+ #
+@@ -862,3 +865,20 @@ inherits database
implement
execute
}
@@ -56171,30 +56181,21 @@ index bf24160..4c5554c 100644
+ disable
+}
+
-+class systemd
-+{
-+ halt
-+ reboot
-+}
-+
+class proxy
+{
+ read
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
-index 14a4799..4582f92 100644
+index 14a4799..db2e4a0 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
-@@ -131,4 +131,14 @@ class db_view # userspace
+@@ -131,4 +131,11 @@ class db_view # userspace
class db_sequence # userspace
class db_language # userspace
+# systemd services
+class service
+
-+# systemd commands
-+class systemd
-+
+# gssd services
+class proxy
+
@@ -56463,10 +56464,10 @@ index 63ef90e..a535b31 100644
')
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
-index d362d9c..10261ed 100644
+index d362d9c..a977ac0 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
-@@ -11,8 +11,10 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+@@ -11,10 +11,14 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
@@ -56477,8 +56478,12 @@ index d362d9c..10261ed 100644
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+ /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
++
++/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 1392679..407f9f7 100644
+index 1392679..25e02df 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
@@ -56489,7 +56494,7 @@ index 1392679..407f9f7 100644
')
########################################
-@@ -206,3 +207,46 @@ interface(`alsa_read_lib',`
+@@ -206,3 +207,69 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')
@@ -56536,6 +56541,43 @@ index 1392679..407f9f7 100644
+ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
+')
++
++########################################
++## <summary>
++## Execute alsa server in the alsa domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`alsa_systemctl',`
++ gen_require(`
++ type alsa_t;
++ type alsa_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 alsa_unit_file_t:file read_file_perms;
++ allow $1 alsa_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, alsa_t)
++')
+diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
+index 54d0f14..413b6b6 100644
+--- a/policy/modules/admin/alsa.te
++++ b/policy/modules/admin/alsa.te
+@@ -22,6 +22,9 @@ files_type(alsa_var_lib_t)
+ type alsa_home_t;
+ userdom_user_home_content(alsa_home_t)
+
++type alsa_unit_file_t;
++systemd_unit_file(alsa_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index e3e0701..3fd0282 100644
--- a/policy/modules/admin/amanda.fc
@@ -57363,7 +57405,7 @@ index c66934f..b1d31d0 100644
+/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+
diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
-index 4198ff5..419c7a9 100644
+index 4198ff5..9bf4898 100644
--- a/policy/modules/admin/kdump.if
+++ b/policy/modules/admin/kdump.if
@@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',`
@@ -57422,8 +57464,11 @@ index 4198ff5..419c7a9 100644
####################################
## <summary>
## Manage kdump configuration file.
-@@ -98,8 +140,11 @@ interface(`kdump_admin',`
+@@ -96,10 +138,14 @@ interface(`kdump_admin',`
+ gen_require(`
+ type kdump_t, kdump_etc_t;
type kdump_initrc_exec_t;
++ type kdump_unit_file_t;
')
- allow $1 kdump_t:process { ptrace signal_perms };
@@ -57435,6 +57480,15 @@ index 4198ff5..419c7a9 100644
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
+@@ -108,4 +154,8 @@ interface(`kdump_admin',`
+
+ files_search_etc($1)
+ admin_pattern($1, kdump_etc_t)
++
++ kdump_systemctl($1)
++ admin_pattern($1, kdump_unit_file_t)
++ allow $1 kdump_unit_file_t:service all_service_perms;
+ ')
diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te
index b29d8e2..ed79499 100644
--- a/policy/modules/admin/kdump.te
@@ -69328,7 +69382,7 @@ index 223ad43..d95e720 100644
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..7f7c853 100644
+index 3fae11a..cf3cf20 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -69647,7 +69701,7 @@ index 3fae11a..7f7c853 100644
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +433,12 @@ ifdef(`distro_suse', `
+@@ -385,3 +433,13 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -69656,7 +69710,8 @@ index 3fae11a..7f7c853 100644
+# /usr/lib
+#
+
-+/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/dracut(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -81037,19 +81092,21 @@ index e88b95f..9b6536a 100644
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..0d7d8d1 100644
+index 1bd5812..2e52710 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
-@@ -1,13 +1,13 @@
+@@ -1,13 +1,15 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
- /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/lib/systemd/system/abrt.*\.service -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
--
++/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
@@ -81057,7 +81114,7 @@ index 1bd5812..0d7d8d1 100644
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-@@ -15,6 +15,19 @@
+@@ -15,6 +17,19 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -81078,7 +81135,7 @@ index 1bd5812..0d7d8d1 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..7f57a98 100644
+index 0b827c5..ac79ca6 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,12 +71,13 @@ interface(`abrt_read_state',`
@@ -81096,7 +81153,7 @@ index 0b827c5..7f57a98 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -160,8 +161,45 @@ interface(`abrt_run_helper',`
+@@ -160,8 +161,26 @@ interface(`abrt_run_helper',`
########################################
## <summary>
@@ -81122,13 +81179,14 @@ index 0b827c5..7f57a98 100644
+########################################
+## <summary>
+## Append abrt cache
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -169,12 +188,33 @@ interface(`abrt_run_helper',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`abrt_cache_manage',`
+interface(`abrt_append_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
@@ -81141,14 +81199,13 @@ index 0b827c5..7f57a98 100644
+########################################
+## <summary>
+## Manage abrt cache
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -169,12 +207,14 @@ interface(`abrt_run_helper',`
- ## </summary>
- ## </param>
- #
--interface(`abrt_cache_manage',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`abrt_manage_cache',`
gen_require(`
type abrt_var_cache_t;
@@ -81160,7 +81217,7 @@ index 0b827c5..7f57a98 100644
')
####################################
-@@ -253,6 +293,24 @@ interface(`abrt_manage_pid_files',`
+@@ -253,6 +293,47 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -81182,11 +81239,37 @@ index 0b827c5..7f57a98 100644
+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
++########################################
++## <summary>
++## Execute abrt server in the abrt domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`abrt_systemctl',`
++ gen_require(`
++ type abrt_t;
++ type abrt_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 abrt_unit_file_t:file read_file_perms;
++ allow $1 abrt_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, abrt_t)
++')
++
#####################################
## <summary>
## All of the rules required to administrate
-@@ -278,26 +336,128 @@ interface(`abrt_admin',`
+@@ -276,28 +357,135 @@ interface(`abrt_admin',`
+ type abrt_var_cache_t, abrt_var_log_t;
+ type abrt_var_run_t, abrt_tmp_t;
type abrt_initrc_exec_t;
++ type abrt_unit_file_t;
')
- allow $1 abrt_t:process { ptrace signal_perms };
@@ -81221,7 +81304,11 @@ index 0b827c5..7f57a98 100644
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, abrt_tmp_t)
- ')
++
++ abrt_systemctl($1)
++ admin_pattern($1, abrt_unit_file_t)
++ allow $1 abrt_unit_file_t:service all_service_perms;
++')
+
+####################################
+## <summary>
@@ -81319,12 +81406,12 @@ index 0b827c5..7f57a98 100644
+ ')
+
+ dontaudit $1 abrt_t:sock_file write;
-+')
+ ')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..c66fd4a 100644
+index 30861ec..4038dc6 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
-@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
+@@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
# Declarations
#
@@ -81351,7 +81438,16 @@ index 30861ec..c66fd4a 100644
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -32,9 +50,20 @@ files_type(abrt_var_cache_t)
+ type abrt_initrc_exec_t;
+ init_script_file(abrt_initrc_exec_t)
+
++type abrt_unit_file_t;
++systemd_unit_file(abrt_unit_file_t)
++
+ # etc files
+ type abrt_etc_t;
+ files_config_file(abrt_etc_t)
+@@ -32,9 +53,20 @@ files_type(abrt_var_cache_t)
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -81373,7 +81469,7 @@ index 30861ec..c66fd4a 100644
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;
-@@ -43,22 +72,42 @@ ifdef(`enable_mcs',`
+@@ -43,22 +75,42 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
@@ -81419,7 +81515,7 @@ index 30861ec..c66fd4a 100644
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
-@@ -68,7 +117,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -68,7 +120,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -81429,7 +81525,7 @@ index 30861ec..c66fd4a 100644
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +133,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +136,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -81442,7 +81538,7 @@ index 30861ec..c66fd4a 100644
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
-@@ -104,6 +155,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +158,8 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
@@ -81451,7 +81547,7 @@ index 30861ec..c66fd4a 100644
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +166,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +169,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -81461,7 +81557,7 @@ index 30861ec..c66fd4a 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +175,9 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +178,9 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -81471,7 +81567,7 @@ index 30861ec..c66fd4a 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,22 +188,26 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +191,26 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -81504,7 +81600,7 @@ index 30861ec..c66fd4a 100644
')
optional_policy(`
-@@ -167,6 +228,7 @@ optional_policy(`
+@@ -167,6 +231,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -81512,7 +81608,7 @@ index 30861ec..c66fd4a 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +240,35 @@ optional_policy(`
+@@ -178,12 +243,35 @@ optional_policy(`
')
optional_policy(`
@@ -81549,7 +81645,7 @@ index 30861ec..c66fd4a 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +285,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +288,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -81578,7 +81674,7 @@ index 30861ec..c66fd4a 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +308,128 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +311,128 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -81586,7 +81682,7 @@ index 30861ec..c66fd4a 100644
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
- ')
++')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
@@ -81664,7 +81760,7 @@ index 30861ec..c66fd4a 100644
+
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
-+')
+ ')
+
+########################################
+#
@@ -81707,8 +81803,18 @@ index 30861ec..c66fd4a 100644
+logging_send_syslog_msg(abrt_domain)
+
+miscfiles_read_localization(abrt_domain)
+diff --git a/policy/modules/services/accountsd.fc b/policy/modules/services/accountsd.fc
+index 1adca53..e79b798 100644
+--- a/policy/modules/services/accountsd.fc
++++ b/policy/modules/services/accountsd.fc
+@@ -1,3 +1,5 @@
++/lib/systemd/system/accountsd\.service -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
++
+ /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+ /var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
-index c0f858d..5770f1a 100644
+index c0f858d..10a0cd6 100644
--- a/policy/modules/services/accountsd.if
+++ b/policy/modules/services/accountsd.if
@@ -5,9 +5,9 @@
@@ -81732,8 +81838,41 @@ index c0f858d..5770f1a 100644
## </summary>
## </param>
#
-@@ -138,8 +138,12 @@ interface(`accountsd_admin',`
+@@ -118,6 +118,29 @@ interface(`accountsd_manage_lib_files',`
+
+ ########################################
+ ## <summary>
++## Execute accountsd server in the accountsd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`accountsd_systemctl',`
++ gen_require(`
++ type accountsd_t;
++ type accountsd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 accountsd_unit_file_t:file read_file_perms;
++ allow $1 accountsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, accountsd_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate
+ ## an accountsd environment
+ ## </summary>
+@@ -136,10 +159,19 @@ interface(`accountsd_manage_lib_files',`
+ interface(`accountsd_admin',`
+ gen_require(`
type accountsd_t;
++ type accountsd_unit_file_t;
')
- allow $1 accountsd_t:process { ptrace signal_perms getattr };
@@ -81745,12 +81884,16 @@ index c0f858d..5770f1a 100644
+ ')
+
accountsd_manage_lib_files($1)
++
++ accountsd_systemctl($1)
++ admin_pattern($1, accountsd_unit_file_t)
++ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..6ede64d 100644
+index 1632f10..2a0a8e7 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
-@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
+@@ -8,16 +8,22 @@ policy_module(accountsd, 1.0.0)
type accountsd_t;
type accountsd_exec_t;
dbus_system_domain(accountsd_t, accountsd_exec_t)
@@ -81759,7 +81902,12 @@ index 1632f10..6ede64d 100644
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
-@@ -17,7 +19,8 @@ files_type(accountsd_var_lib_t)
+
++type accountsd_unit_file_t;
++systemd_unit_file(accountsd_unit_file_t)
++
+ ########################################
+ #
# accountsd local policy
#
@@ -81769,7 +81917,7 @@ index 1632f10..6ede64d 100644
allow accountsd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
-@@ -28,14 +31,18 @@ kernel_read_kernel_sysctls(accountsd_t)
+@@ -28,14 +34,18 @@ kernel_read_kernel_sysctls(accountsd_t)
corecmd_exec_bin(accountsd_t)
@@ -81788,7 +81936,7 @@ index 1632f10..6ede64d 100644
miscfiles_read_localization(accountsd_t)
-@@ -55,3 +62,8 @@ optional_policy(`
+@@ -55,3 +65,8 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
@@ -82260,10 +82408,10 @@ index deca9d3..ac92fce 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..2386b92 100644
+index 9e39aa5..c5c0af6 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
-@@ -1,21 +1,32 @@
+@@ -1,21 +1,33 @@
HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
@@ -82289,7 +82437,8 @@ index 9e39aa5..2386b92 100644
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+
+/usr/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
@@ -82297,7 +82446,7 @@ index 9e39aa5..2386b92 100644
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -24,16 +35,18 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -24,16 +36,18 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -82323,7 +82472,7 @@ index 9e39aa5..2386b92 100644
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-@@ -43,8 +56,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +57,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -82335,7 +82484,7 @@ index 9e39aa5..2386b92 100644
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,11 +68,14 @@ ifdef(`distro_suse', `
+@@ -54,11 +69,14 @@ ifdef(`distro_suse', `
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -82350,7 +82499,7 @@ index 9e39aa5..2386b92 100644
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,28 +90,40 @@ ifdef(`distro_suse', `
+@@ -73,28 +91,40 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -82395,7 +82544,7 @@ index 9e39aa5..2386b92 100644
/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -104,8 +133,26 @@ ifdef(`distro_debian', `
+@@ -104,8 +134,26 @@ ifdef(`distro_debian', `
/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -82424,7 +82573,7 @@ index 9e39aa5..2386b92 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..b2db556 100644
+index 6480167..4fc1968 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,62 +13,46 @@
@@ -83015,7 +83164,7 @@ index 6480167..b2db556 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 httpd_unit_file_t:file read_file_perms;
-+ allow $1 httpd_unit_file_t:service all_service_perms;
++ allow $1 httpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, httpd_t)
+')
@@ -83069,7 +83218,7 @@ index 6480167..b2db556 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1349,70 @@ interface(`apache_admin',`
+@@ -1205,14 +1349,71 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -83088,8 +83237,9 @@ index 6480167..b2db556 100644
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
+
-+ admin_pattern($1, httpd_unit_file_t)
+ httpd_systemctl($1)
++ admin_pattern($1, httpd_unit_file_t)
++ allow $1 httpd_unit_file_t:service all_service_perms;
+
+ ifdef(`TODO',`
+ apache_set_booleans($1, $2, $3, httpd_bool_t)
@@ -84357,10 +84507,15 @@ index 3136c6a..46c1cf3 100644
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
')
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
-index cd07b96..9b7742f 100644
+index cd07b96..f5298af 100644
--- a/policy/modules/services/apcupsd.fc
+++ b/policy/modules/services/apcupsd.fc
-@@ -4,6 +4,8 @@
+@@ -1,9 +1,13 @@
+ /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+
++/lib/systemd/system/apcupsd\.service -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
++
+ /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
@@ -84369,17 +84524,50 @@ index cd07b96..9b7742f 100644
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
-@@ -13,3 +15,4 @@
+@@ -13,3 +17,4 @@
/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
-index e342775..4ffdb80 100644
+index e342775..1fedbe5 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
-@@ -146,9 +146,13 @@ interface(`apcupsd_admin',`
+@@ -123,6 +123,29 @@ interface(`apcupsd_cgi_script_domtrans',`
+
+ ########################################
+ ## <summary>
++## Execute apcupsd server in the apcupsd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`apcupsd_systemctl',`
++ gen_require(`
++ type apcupsd_t;
++ type apcupsd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 apcupsd_unit_file_t:file read_file_perms;
++ allow $1 apcupsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, apcupsd_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate
+ ## an apcupsd environment
+ ## </summary>
+@@ -144,11 +167,16 @@ interface(`apcupsd_admin',`
+ type apcupsd_log_t, apcupsd_lock_t;
+ type apcupsd_var_run_t;
type apcupsd_initrc_exec_t;
++ type apcupsd_unit_file_t;
')
- allow $1 apcupsd_t:process { ptrace signal_perms };
@@ -84393,11 +84581,30 @@ index e342775..4ffdb80 100644
apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
+@@ -165,4 +193,8 @@ interface(`apcupsd_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, apcupsd_var_run_t)
++
++ apcupsd_systemctl($1)
++ admin_pattern($1, apcupsd_unit_file_t)
++ allow $1 apcupsd_unit_file_t:service all_service_perms;
+ ')
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
-index d052bf0..3059bd2 100644
+index d052bf0..77e6e19 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
-@@ -76,6 +76,7 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
+@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
+ type apcupsd_var_run_t;
+ files_pid_file(apcupsd_var_run_t)
+
++type apcupsd_unit_file_t;
++systemd_unit_file(apcupsd_unit_file_t)
++
+ ########################################
+ #
+ # apcupsd local policy
+@@ -76,6 +79,7 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
term_use_unallocated_ttys(apcupsd_t)
@@ -84405,7 +84612,7 @@ index d052bf0..3059bd2 100644
#apcupsd runs shutdown, probably need a shutdown domain
init_rw_utmp(apcupsd_t)
-@@ -87,13 +88,17 @@ miscfiles_read_localization(apcupsd_t)
+@@ -87,13 +91,17 @@ miscfiles_read_localization(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
@@ -84424,8 +84631,17 @@ index d052bf0..3059bd2 100644
mta_send_mail(apcupsd_t)
mta_system_content(apcupsd_tmp_t)
')
+diff --git a/policy/modules/services/apm.fc b/policy/modules/services/apm.fc
+index 0123777..cb3f8a0 100644
+--- a/policy/modules/services/apm.fc
++++ b/policy/modules/services/apm.fc
+@@ -1,3 +1,4 @@
++/lib/systemd/system/apmd\.service -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
+
+ #
+ # /usr
diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if
-index 1ea99b2..3582863 100644
+index 1ea99b2..1bf05b5 100644
--- a/policy/modules/services/apm.if
+++ b/policy/modules/services/apm.if
@@ -52,7 +52,8 @@ interface(`apm_write_pipes',`
@@ -84453,16 +84669,39 @@ index 1ea99b2..3582863 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -108,6 +109,5 @@ interface(`apm_stream_connect',`
+@@ -108,6 +109,28 @@ interface(`apm_stream_connect',`
')
files_search_pids($1)
- allow $1 apmd_var_run_t:sock_file write;
- allow $1 apmd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
++')
++
++########################################
++## <summary>
++## Execute apmd server in the apmd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`apmd_systemctl',`
++ gen_require(`
++ type apmd_t;
++ type apmd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 apmd_unit_file_t:file read_file_perms;
++ allow $1 apmd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..29bb904 100644
+index 1c8c27e..1fbabf7 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -84473,7 +84712,17 @@ index 1c8c27e..29bb904 100644
type apmd_t;
type apmd_exec_t;
init_daemon_domain(apmd_t, apmd_exec_t)
-@@ -45,7 +46,7 @@ dev_rw_apm_bios(apm_t)
+@@ -32,6 +33,9 @@ ifdef(`distro_suse',`
+ files_type(apmd_var_lib_t)
+ ')
+
++type apmd_unit_file_t;
++systemd_unit_file(apmd_unit_file_t)
++
+ ########################################
+ #
+ # apm client Local policy
+@@ -45,7 +49,7 @@ dev_rw_apm_bios(apm_t)
fs_getattr_xattr_fs(apm_t)
@@ -84482,7 +84731,7 @@ index 1c8c27e..29bb904 100644
domain_use_interactive_fds(apm_t)
-@@ -59,9 +60,10 @@ logging_send_syslog_msg(apm_t)
+@@ -59,9 +63,10 @@ logging_send_syslog_msg(apm_t)
# mknod: controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
@@ -84494,7 +84743,7 @@ index 1c8c27e..29bb904 100644
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -81,6 +83,8 @@ kernel_rw_all_sysctls(apmd_t)
+@@ -81,6 +86,8 @@ kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
@@ -84503,7 +84752,7 @@ index 1c8c27e..29bb904 100644
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
-@@ -101,7 +105,6 @@ selinux_search_fs(apmd_t)
+@@ -101,7 +108,6 @@ selinux_search_fs(apmd_t)
corecmd_exec_all_executables(apmd_t)
domain_read_all_domains_state(apmd_t)
@@ -84511,7 +84760,7 @@ index 1c8c27e..29bb904 100644
domain_use_interactive_fds(apmd_t)
domain_dontaudit_getattr_all_sockets(apmd_t)
domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
-@@ -114,6 +117,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+@@ -114,6 +120,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
@@ -84520,7 +84769,7 @@ index 1c8c27e..29bb904 100644
init_domtrans_script(apmd_t)
init_rw_utmp(apmd_t)
init_telinit(apmd_t)
-@@ -127,10 +132,8 @@ logging_send_audit_msgs(apmd_t)
+@@ -127,10 +135,8 @@ logging_send_audit_msgs(apmd_t)
miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
@@ -84532,7 +84781,7 @@ index 1c8c27e..29bb904 100644
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
userdom_dontaudit_search_user_home_dirs(apmd_t)
-@@ -142,9 +145,8 @@ ifdef(`distro_redhat',`
+@@ -142,9 +148,8 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
@@ -84543,7 +84792,7 @@ index 1c8c27e..29bb904 100644
')
optional_policy(`
-@@ -155,6 +157,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +160,15 @@ ifdef(`distro_redhat',`
netutils_domtrans(apmd_t)
')
@@ -84559,7 +84808,7 @@ index 1c8c27e..29bb904 100644
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
-@@ -181,6 +192,12 @@ optional_policy(`
+@@ -181,6 +195,12 @@ optional_policy(`
')
optional_policy(`
@@ -84572,7 +84821,7 @@ index 1c8c27e..29bb904 100644
dbus_system_bus_client(apmd_t)
optional_policy(`
-@@ -201,7 +218,8 @@ optional_policy(`
+@@ -201,7 +221,8 @@ optional_policy(`
')
optional_policy(`
@@ -84582,7 +84831,7 @@ index 1c8c27e..29bb904 100644
')
optional_policy(`
-@@ -209,8 +227,9 @@ optional_policy(`
+@@ -209,8 +230,9 @@ optional_policy(`
pcmcia_domtrans_cardctl(apmd_t)
')
@@ -84593,7 +84842,7 @@ index 1c8c27e..29bb904 100644
')
optional_policy(`
-@@ -219,10 +238,6 @@ optional_policy(`
+@@ -219,10 +241,6 @@ optional_policy(`
')
optional_policy(`
@@ -84604,12 +84853,57 @@ index 1c8c27e..29bb904 100644
vbetool_domtrans(apmd_t)
')
+diff --git a/policy/modules/services/arpwatch.fc b/policy/modules/services/arpwatch.fc
+index a86a6c7..a29212e 100644
+--- a/policy/modules/services/arpwatch.fc
++++ b/policy/modules/services/arpwatch.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+
++/lib/systemd/system/arpwatch.service -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
++
+ #
+ # /usr
+ #
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
-index c804110..980cd57 100644
+index c804110..06a516f 100644
--- a/policy/modules/services/arpwatch.if
+++ b/policy/modules/services/arpwatch.if
-@@ -137,9 +137,13 @@ interface(`arpwatch_admin',`
+@@ -115,6 +115,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
+
+ ########################################
+ ## <summary>
++## Execute arpwatch server in the arpwatch domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`arpwatch_systemctl',`
++ gen_require(`
++ type arpwatch_t;
++ type arpwatch_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 arpwatch_unit_file_t:file read_file_perms;
++ allow $1 arpwatch_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, arpwatch_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate
+ ## an arpwatch environment
+ ## </summary>
+@@ -135,11 +158,16 @@ interface(`arpwatch_admin',`
+ type arpwatch_t, arpwatch_tmp_t;
+ type arpwatch_data_t, arpwatch_var_run_t;
type arpwatch_initrc_exec_t;
++ type arpwatch_unit_file_t;
')
- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
@@ -84623,11 +84917,30 @@ index c804110..980cd57 100644
arpwatch_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 arpwatch_initrc_exec_t system_r;
+@@ -153,4 +181,8 @@ interface(`arpwatch_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, arpwatch_var_run_t)
++
++ arpwatch_systemctl($1)
++ admin_pattern($1, arpwatch_unit_file_t)
++ allow $1 arpwatch_unit_file_t:service all_service_perms;
+ ')
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
-index 804135f..2573a6d 100644
+index 804135f..613f77f 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
-@@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
+ type arpwatch_var_run_t;
+ files_pid_file(arpwatch_var_run_t)
+
++type arpwatch_unit_file_t;
++systemd_unit_file(arpwatch_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -34,6 +37,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:socket create_socket_perms;
@@ -84635,7 +84948,7 @@ index 804135f..2573a6d 100644
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
-@@ -47,8 +48,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+@@ -47,8 +51,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
kernel_read_network_state(arpwatch_t)
@@ -84838,8 +85151,21 @@ index 2b348c7..0000000
-optional_policy(`
- udev_read_db(entropyd_t)
-')
+diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc
+index f16ab68..4dfe0ed 100644
+--- a/policy/modules/services/automount.fc
++++ b/policy/modules/services/automount.fc
+@@ -4,6 +4,8 @@
+ /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
+ /etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+
++/lib/systemd/system/autofs\.service -- gen_context(system_u:object_r:automount_unit_file_t,s0)
++
+ #
+ # /usr
+ #
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
-index d80a16b..4f2a53f 100644
+index d80a16b..14c7b1e 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
@@ -84868,17 +85194,43 @@ index d80a16b..4f2a53f 100644
dontaudit $1 automount_t:fifo_file write;
')
-@@ -123,7 +124,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
+@@ -123,7 +124,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
type automount_tmp_t;
')
- dontaudit $1 automount_tmp_t:dir getattr;
+ dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
++')
++
++########################################
++## <summary>
++## Execute automount server in the automount domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`automount_systemctl',`
++ gen_require(`
++ type automount_t;
++ type automount_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 automount_unit_file_t:file read_file_perms;
++ allow $1 automount_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, automount_t)
')
########################################
-@@ -149,9 +150,13 @@ interface(`automount_admin',`
+@@ -147,11 +171,16 @@ interface(`automount_admin',`
+ gen_require(`
+ type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
++ type automount_unit_file_t;
')
- allow $1 automount_t:process { ptrace signal_perms getattr };
@@ -84892,11 +85244,30 @@ index d80a16b..4f2a53f 100644
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
+@@ -165,4 +194,8 @@ interface(`automount_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, automount_var_run_t)
++
++ automount_systemctl($1)
++ admin_pattern($1, automount_unit_file_t)
++ allow $1 automount_unit_file_t:service all_service_perms;
+ ')
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
-index 39799db..9390ef1 100644
+index 39799db..fe1653e 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
-@@ -64,6 +64,7 @@ kernel_read_network_state(automount_t)
+@@ -22,6 +22,9 @@ type automount_tmp_t;
+ files_tmp_file(automount_tmp_t)
+ files_mountpoint(automount_tmp_t)
+
++type automount_unit_file_t;
++systemd_unit_file(automount_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -64,6 +67,7 @@ kernel_read_network_state(automount_t)
kernel_list_proc(automount_t)
kernel_dontaudit_search_xen_state(automount_t)
@@ -84904,7 +85275,7 @@ index 39799db..9390ef1 100644
files_search_boot(automount_t)
# Automount is slowly adding all mount functionality internally
files_search_all(automount_t)
-@@ -143,9 +144,6 @@ logging_search_logs(automount_t)
+@@ -143,9 +147,6 @@ logging_search_logs(automount_t)
miscfiles_read_localization(automount_t)
miscfiles_read_generic_certs(automount_t)
@@ -84914,7 +85285,7 @@ index 39799db..9390ef1 100644
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_user_home_dirs(automount_t)
-@@ -155,6 +153,13 @@ optional_policy(`
+@@ -155,6 +156,13 @@ optional_policy(`
')
optional_policy(`
@@ -84928,8 +85299,20 @@ index 39799db..9390ef1 100644
fstools_domtrans(automount_t)
')
+diff --git a/policy/modules/services/avahi.fc b/policy/modules/services/avahi.fc
+index 7e36549..150bd76 100644
+--- a/policy/modules/services/avahi.fc
++++ b/policy/modules/services/avahi.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+
++/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
++
+ /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
-index 61c74bc..c7a0db2 100644
+index 61c74bc..5e6a564 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',`
@@ -84940,8 +85323,41 @@ index 61c74bc..c7a0db2 100644
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
-@@ -153,9 +154,13 @@ interface(`avahi_admin',`
+@@ -133,6 +134,29 @@ interface(`avahi_dontaudit_search_pid',`
+
+ ########################################
+ ## <summary>
++## Execute avahi server in the avahi domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`avahi_systemctl',`
++ gen_require(`
++ type avahi_t;
++ type avahi_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 avahi_unit_file_t:file read_file_perms;
++ allow $1 avahi_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, avahi_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate
+ ## an avahi environment
+ ## </summary>
+@@ -151,11 +175,16 @@ interface(`avahi_dontaudit_search_pid',`
+ interface(`avahi_admin',`
+ gen_require(`
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
++ type avahi_unit_file_t;
')
- allow $1 avahi_t:process { ptrace signal_perms };
@@ -84955,19 +85371,31 @@ index 61c74bc..c7a0db2 100644
init_labeled_script_domtrans($1, avahi_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
+@@ -163,4 +192,8 @@ interface(`avahi_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, avahi_var_run_t)
++
++ avahi_systemctl($1)
++ admin_pattern($1, avahi_unit_file_t)
++ allow $1 avahi_unit_file_t:service all_service_perms;
+ ')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index a7a0e71..5352ef6 100644
+index a7a0e71..3b01eed 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
-@@ -17,6 +17,7 @@ files_pid_file(avahi_var_lib_t)
+@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
+init_sock_file(avahi_var_run_t)
++
++type avahi_unit_file_t;
++systemd_unit_file(avahi_unit_file_t)
########################################
#
-@@ -46,6 +47,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+@@ -46,6 +50,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
kernel_read_system_state(avahi_t)
kernel_read_kernel_sysctls(avahi_t)
kernel_read_network_state(avahi_t)
@@ -84975,7 +85403,7 @@ index a7a0e71..5352ef6 100644
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
-@@ -104,6 +106,10 @@ optional_policy(`
+@@ -104,6 +109,10 @@ optional_policy(`
')
optional_policy(`
@@ -84987,16 +85415,18 @@ index a7a0e71..5352ef6 100644
')
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
-index 59aa54f..643afce 100644
+index 59aa54f..d5d9ca1 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
-@@ -4,6 +4,12 @@
+@@ -4,6 +4,14 @@
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+
++/lib/systemd/system/unbound.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
++/lib/systemd/system/unbound-keygen.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
+
+/usr/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
@@ -85004,7 +85434,7 @@ index 59aa54f..643afce 100644
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
-index 44a1e3d..7381f07 100644
+index 44a1e3d..9b50c13 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
@@ -85027,7 +85457,7 @@ index 44a1e3d..7381f07 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 named_unit_file_t:file read_file_perms;
-+ allow $1 named_unit_file_t:service all_service_perms;
++ allow $1 named_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, named_t)
+')
@@ -85118,7 +85548,7 @@ index 44a1e3d..7381f07 100644
## Manage BIND zone files.
## </summary>
## <param name="domain">
-@@ -359,18 +422,25 @@ interface(`bind_udp_chat_named',`
+@@ -359,18 +422,26 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
@@ -85129,6 +85559,7 @@ index 44a1e3d..7381f07 100644
+ type named_conf_t, named_var_run_t, named_cache_t;
+ type named_zone_t, named_initrc_exec_t;
+ type dnssec_t, ndc_t, named_keytab_t;
++ type named_unit_file_t;
')
- allow $1 named_t:process { ptrace signal_perms };
@@ -85150,7 +85581,7 @@ index 44a1e3d..7381f07 100644
bind_run_ndc($1, $2)
init_labeled_script_domtrans($1, named_initrc_exec_t)
-@@ -391,9 +461,10 @@ interface(`bind_admin',`
+@@ -391,9 +462,12 @@ interface(`bind_admin',`
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
@@ -85161,7 +85592,9 @@ index 44a1e3d..7381f07 100644
files_list_pids($1)
admin_pattern($1, named_var_run_t)
+
++ admin_pattern($1, named_unit_file_t)
+ bind_systemctl($1)
++ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 4deca04..7859fa1 100644
@@ -85527,8 +85960,21 @@ index 0000000..bccefc9
+optional_policy(`
+ gnome_search_gconf(blueman_t)
+')
+diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
+index dc687e6..40b43c3 100644
+--- a/policy/modules/services/bluetooth.fc
++++ b/policy/modules/services/bluetooth.fc
+@@ -7,6 +7,8 @@
+ /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+
++/lib/systemd/system/bluetooth\.service -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
++
+ #
+ # /usr
+ #
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
-index 3e45431..58b9ece 100644
+index 3e45431..2d28039 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -14,6 +14,7 @@
@@ -85607,7 +86053,7 @@ index 3e45431..58b9ece 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -170,8 +198,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -170,8 +198,31 @@ interface(`bluetooth_dontaudit_read_helper_state',`
type bluetooth_helper_t;
')
@@ -85615,10 +86061,33 @@ index 3e45431..58b9ece 100644
- dontaudit $1 bluetooth_helper_t:file { read getattr };
+ dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
+ dontaudit $1 bluetooth_helper_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Execute bluetooth server in the bluetooth domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`bluetooth_systemctl',`
++ gen_require(`
++ type bluetooth_t;
++ type bluetooth_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 bluetooth_unit_file_t:file read_file_perms;
++ allow $1 bluetooth_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, bluetooth_t)
')
########################################
-@@ -193,23 +221,23 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -193,23 +244,24 @@ interface(`bluetooth_dontaudit_read_helper_state',`
#
interface(`bluetooth_admin',`
gen_require(`
@@ -85628,6 +86097,7 @@ index 3e45431..58b9ece 100644
+ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
type bluetooth_conf_t, bluetooth_conf_rw_t;
- type bluetooth_initrc_exec_t;
++ type bluetooth_unit_file_t;
')
- allow $1 bluetooth_t:process { ptrace signal_perms };
@@ -85649,7 +86119,7 @@ index 3e45431..58b9ece 100644
files_list_var($1)
admin_pattern($1, bluetooth_lock_t)
-@@ -217,9 +245,6 @@ interface(`bluetooth_admin',`
+@@ -217,12 +269,13 @@ interface(`bluetooth_admin',`
admin_pattern($1, bluetooth_conf_t)
admin_pattern($1, bluetooth_conf_rw_t)
@@ -85659,8 +86129,15 @@ index 3e45431..58b9ece 100644
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)
+ files_list_pids($1)
+ admin_pattern($1, bluetooth_var_run_t)
++
++ bluetooth_systemctl($1)
++ admin_pattern($1, bluetooth_unit_file_t)
++ allow $1 bluetooth_unit_file_t:service all_service_perms;
+ ')
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 215b86b..76ab538 100644
+index 215b86b..d7c4d98 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
@@ -85678,7 +86155,7 @@ index 215b86b..76ab538 100644
type bluetooth_conf_rw_t;
files_type(bluetooth_conf_rw_t)
-@@ -39,9 +40,6 @@ init_script_file(bluetooth_initrc_exec_t)
+@@ -39,15 +40,15 @@ init_script_file(bluetooth_initrc_exec_t)
type bluetooth_lock_t;
files_lock_file(bluetooth_lock_t)
@@ -85688,7 +86165,16 @@ index 215b86b..76ab538 100644
type bluetooth_var_lib_t;
files_type(bluetooth_var_lib_t)
-@@ -80,10 +78,6 @@ can_exec(bluetooth_t, bluetooth_helper_exec_t)
+ type bluetooth_var_run_t;
+ files_pid_file(bluetooth_var_run_t)
+
++type bluetooth_unit_file_t;
++systemd_unit_file(bluetooth_unit_file_t)
++
+ ########################################
+ #
+ # Bluetooth services local policy
+@@ -80,10 +81,6 @@ can_exec(bluetooth_t, bluetooth_helper_exec_t)
allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
@@ -85699,7 +86185,7 @@ index 215b86b..76ab538 100644
manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
-@@ -147,6 +141,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+@@ -147,6 +144,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
@@ -85710,7 +86196,7 @@ index 215b86b..76ab538 100644
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
-@@ -190,7 +188,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+@@ -190,7 +191,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow bluetooth_helper_t self:tcp_socket create_socket_perms;
@@ -85718,7 +86204,7 @@ index 215b86b..76ab538 100644
allow bluetooth_helper_t bluetooth_t:socket { read write };
-@@ -220,6 +217,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
+@@ -220,6 +220,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
files_read_usr_files(bluetooth_helper_t)
files_dontaudit_list_default(bluetooth_helper_t)
@@ -85727,7 +86213,7 @@ index 215b86b..76ab538 100644
locallogin_dontaudit_use_fds(bluetooth_helper_t)
logging_send_syslog_msg(bluetooth_helper_t)
-@@ -236,9 +235,5 @@ optional_policy(`
+@@ -236,9 +238,5 @@ optional_policy(`
')
optional_policy(`
@@ -87590,14 +88076,14 @@ index dad226c..944cc0f 100644
miscfiles_read_localization(cgred_t)
diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
-index fd8cd0b..c11cd2f 100644
+index fd8cd0b..83f3c9f 100644
--- a/policy/modules/services/chronyd.fc
+++ b/policy/modules/services/chronyd.fc
@@ -2,8 +2,14 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
-+/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
++/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
+/usr/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
@@ -87609,7 +88095,7 @@ index fd8cd0b..c11cd2f 100644
+/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..e3cec85 100644
+index 9a0da94..113eae2 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -87717,7 +88203,7 @@ index 9a0da94..e3cec85 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 chronyd_unit_file_t:file read_file_perms;
-+ allow $1 chronyd_unit_file_t:service all_service_perms;
++ allow $1 chronyd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, chronyd_t)
+')
@@ -87763,7 +88249,7 @@ index 9a0da94..e3cec85 100644
####################################
## <summary>
## All of the rules required to administrate
-@@ -75,31 +212,36 @@ interface(`chronyd_read_log',`
+@@ -75,31 +212,38 @@ interface(`chronyd_read_log',`
#
interface(`chronyd_admin',`
gen_require(`
@@ -87772,7 +88258,7 @@ index 9a0da94..e3cec85 100644
- type chronyd_initrc_exec_t, chronyd_keys_t;
+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
-+ type chronyd_keys_t;
++ type chronyd_keys_t, chronyd_unit_file_t;
')
- allow $1 chronyd_t:process { ptrace signal_perms };
@@ -87808,7 +88294,9 @@ index 9a0da94..e3cec85 100644
- admin_pattern($1, chronyd_tmp_t)
+ admin_pattern($1, chronyd_tmpfs_t)
+
++ admin_pattern($1, chronyd_unit_file_t)
+ chronyd_systemctl($1)
++ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index fa82327..1a486b0 100644
@@ -88571,10 +89059,10 @@ index f8463c0..126b293 100644
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
-index 1cf6c4e..e4bac67 100644
+index 1cf6c4e..bd284a4 100644
--- a/policy/modules/services/cobbler.fc
+++ b/policy/modules/services/cobbler.fc
-@@ -1,7 +1,33 @@
+@@ -1,7 +1,35 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
@@ -88583,6 +89071,8 @@ index 1cf6c4e..e4bac67 100644
+
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
+
++/lib/systemd/system/cobblerd.*.service -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0)
++
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
@@ -88614,7 +89104,7 @@ index 1cf6c4e..e4bac67 100644
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
-index 116d60f..11f6a31 100644
+index 116d60f..e2c6ec6 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -1,12 +1,12 @@
@@ -88721,7 +89211,7 @@ index 116d60f..11f6a31 100644
files_search_var_lib($1)
')
-@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',`
+@@ -137,12 +140,56 @@ interface(`cobbler_manage_lib_files',`
type cobbler_var_lib_t;
')
@@ -88752,16 +89242,40 @@ index 116d60f..11f6a31 100644
+
+########################################
+## <summary>
++## Execute cobblerd server in the cobblerd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cobblerd_systemctl',`
++ gen_require(`
++ type cobblerd_t;
++ type cobblerd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 cobblerd_unit_file_t:file read_file_perms;
++ allow $1 cobblerd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, cobblerd_t)
++')
++
++########################################
++## <summary>
## All of the rules required to administrate
## an cobblerd environment
## </summary>
-@@ -161,25 +185,38 @@ interface(`cobbler_manage_lib_files',`
+@@ -161,25 +208,43 @@ interface(`cobbler_manage_lib_files',`
interface(`cobblerd_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
+ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
++ type cobblerd_unit_file_t;
')
- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
@@ -88798,9 +89312,13 @@ index 116d60f..11f6a31 100644
+ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
+ tftp_search_rw_content($1)
+ ')
++
++ cobblerd_systemctl($1)
++ admin_pattern($1, cobblerd_unit_file_t)
++ allow $1 cobblerd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..1328a63 100644
+index 0258b48..5fe2f77 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -88843,7 +89361,7 @@ index 0258b48..1328a63 100644
type cobblerd_t;
type cobblerd_exec_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)
-@@ -26,25 +48,40 @@ files_config_file(cobbler_etc_t)
+@@ -26,25 +48,43 @@ files_config_file(cobbler_etc_t)
type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)
@@ -88854,6 +89372,9 @@ index 0258b48..1328a63 100644
+type cobbler_tmp_t;
+files_tmp_file(cobbler_tmp_t)
+
++type cobblerd_unit_file_t;
++systemd_unit_file(cobblerd_unit_file_t)
++
########################################
#
# Cobbler personal policy.
@@ -88887,7 +89408,7 @@ index 0258b48..1328a63 100644
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -52,7 +89,12 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+@@ -52,7 +92,12 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
@@ -88900,7 +89421,7 @@ index 0258b48..1328a63 100644
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
-@@ -65,44 +107,111 @@ corenet_tcp_bind_generic_node(cobblerd_t)
+@@ -65,44 +110,111 @@ corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_port(cobblerd_t)
@@ -89014,7 +89535,7 @@ index 0258b48..1328a63 100644
')
optional_policy(`
-@@ -110,12 +219,20 @@ optional_policy(`
+@@ -110,12 +222,20 @@ optional_policy(`
')
optional_policy(`
@@ -89038,7 +89559,7 @@ index 0258b48..1328a63 100644
')
########################################
-@@ -124,5 +241,6 @@ optional_policy(`
+@@ -124,5 +244,6 @@ optional_policy(`
#
apache_content_template(cobbler)
@@ -89047,13 +89568,15 @@ index 0258b48..1328a63 100644
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --git a/policy/modules/services/collectd.fc b/policy/modules/services/collectd.fc
new file mode 100644
-index 0000000..9d06a27
+index 0000000..498643a
--- /dev/null
+++ b/policy/modules/services/collectd.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,13 @@
+
+/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+
++/lib/systemd/system/collectd\.service -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
++
+/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
+
+/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
@@ -89064,14 +89587,13 @@ index 0000000..9d06a27
+
diff --git a/policy/modules/services/collectd.if b/policy/modules/services/collectd.if
new file mode 100644
-index 0000000..40a0157
+index 0000000..40415f8
--- /dev/null
+++ b/policy/modules/services/collectd.if
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,186 @@
+
+## <summary>policy for collectd</summary>
+
-+
+########################################
+## <summary>
+## Transition to collectd.
@@ -89187,6 +89709,28 @@ index 0000000..40a0157
+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
++########################################
++## <summary>
++## Execute collectd server in the collectd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`collectd_systemctl',`
++ gen_require(`
++ type collectd_t;
++ type collectd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 collectd_unit_file_t:file read_file_perms;
++ allow $1 collectd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, collectd_t)
++')
+
+########################################
+## <summary>
@@ -89208,8 +89752,9 @@ index 0000000..40a0157
+interface(`collectd_admin',`
+ gen_require(`
+ type collectd_t;
-+ type collectd_initrc_exec_t;
-+ type collectd_var_lib_t;
++ type collectd_initrc_exec_t;
++ type collectd_var_lib_t;
++ type collectd_unit_file_t;
+ ')
+
+ allow $1 collectd_t:process signal_perms;
@@ -89227,14 +89772,17 @@ index 0000000..40a0157
+ files_search_var_lib($1)
+ admin_pattern($1, collectd_var_lib_t)
+
++ collectd_systemctl($1)
++ admin_pattern($1, collectd_unit_file_t)
++ allow $1 collectd_unit_file_t:service all_service_perms;
+')
+
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
new file mode 100644
-index 0000000..ab1d55b
+index 0000000..9bd6b56
--- /dev/null
+++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,84 @@
+policy_module(collectd, 1.0.0)
+
+########################################
@@ -89263,6 +89811,9 @@ index 0000000..ab1d55b
+type collectd_var_run_t;
+files_pid_file(collectd_var_run_t)
+
++type collectd_unit_file_t;
++systemd_unit_file(collectd_unit_file_t)
++
+########################################
+#
+# collectd local policy
@@ -89316,8 +89867,51 @@ index 0000000..ab1d55b
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+')
+
+diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
+index 78b2fea..c13e863 100644
+--- a/policy/modules/services/colord.fc
++++ b/policy/modules/services/colord.fc
+@@ -1,4 +1,7 @@
+ /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
++/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
++
++/lib/systemd/system/colord.*\.service -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+
+ /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+ /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
+index 733e4e6..fa2c3cb 100644
+--- a/policy/modules/services/colord.if
++++ b/policy/modules/services/colord.if
+@@ -57,3 +57,26 @@ interface(`colord_read_lib_files',`
+ files_search_var_lib($1)
+ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
+ ')
++
++########################################
++## <summary>
++## Execute colord server in the colord domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`colord_systemctl',`
++ gen_require(`
++ type colord_t;
++ type colord_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 colord_unit_file_t:file read_file_perms;
++ allow $1 colord_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, colord_t)
++')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..37cb2d5 100644
+index 74505cc..6d575af 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
@@ -89328,7 +89922,15 @@ index 74505cc..37cb2d5 100644
type colord_tmp_t;
files_tmp_file(colord_tmp_t)
-@@ -23,9 +24,11 @@ files_type(colord_var_lib_t)
+@@ -18,14 +19,19 @@ files_tmpfs_file(colord_tmpfs_t)
+ type colord_var_lib_t;
+ files_type(colord_var_lib_t)
+
++type colord_unit_file_t;
++systemd_unit_file(colord_unit_file_t)
++
+ ########################################
+ #
# colord local policy
#
allow colord_t self:capability { dac_read_search dac_override };
@@ -89340,7 +89942,7 @@ index 74505cc..37cb2d5 100644
allow colord_t self:udp_socket create_socket_perms;
allow colord_t self:unix_dgram_socket create_socket_perms;
-@@ -41,8 +44,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+@@ -41,8 +47,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
@@ -89356,7 +89958,7 @@ index 74505cc..37cb2d5 100644
corenet_all_recvfrom_unlabeled(colord_t)
corenet_all_recvfrom_netlabel(colord_t)
-@@ -50,6 +59,8 @@ corenet_udp_bind_generic_node(colord_t)
+@@ -50,6 +62,8 @@ corenet_udp_bind_generic_node(colord_t)
corenet_udp_bind_ipp_port(colord_t)
corenet_tcp_connect_ipp_port(colord_t)
@@ -89365,7 +89967,7 @@ index 74505cc..37cb2d5 100644
dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
-@@ -65,19 +76,35 @@ files_list_mnt(colord_t)
+@@ -65,19 +79,35 @@ files_list_mnt(colord_t)
files_read_etc_files(colord_t)
files_read_usr_files(colord_t)
@@ -89402,7 +90004,7 @@ index 74505cc..37cb2d5 100644
fs_read_cifs_files(colord_t)
')
-@@ -89,6 +116,12 @@ optional_policy(`
+@@ -89,6 +119,12 @@ optional_policy(`
')
optional_policy(`
@@ -89415,7 +90017,7 @@ index 74505cc..37cb2d5 100644
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
-@@ -96,5 +129,20 @@ optional_policy(`
+@@ -96,5 +132,20 @@ optional_policy(`
')
optional_policy(`
@@ -89436,8 +90038,18 @@ index 74505cc..37cb2d5 100644
+optional_policy(`
+ zoneminder_rw_tmpfs_files(colord_t)
+')
+diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc
+index 32233ab..8a073d1 100644
+--- a/policy/modules/services/consolekit.fc
++++ b/policy/modules/services/consolekit.fc
+@@ -1,3 +1,5 @@
++/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
++
+ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
+ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
-index fd15dfe..d33cc41 100644
+index fd15dfe..b6337fd 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -5,9 +5,9 @@
@@ -89505,7 +90117,7 @@ index fd15dfe..d33cc41 100644
## Read consolekit log files.
## </summary>
## <param name="domain">
-@@ -96,3 +135,41 @@ interface(`consolekit_read_pid_files',`
+@@ -96,3 +135,64 @@ interface(`consolekit_read_pid_files',`
allow $1 consolekit_var_run_t:dir list_dir_perms;
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
@@ -89547,17 +90159,43 @@ index fd15dfe..d33cc41 100644
+ kernel_search_proc($1)
+ ps_process_pattern($1, consolekit_t)
+')
++
++########################################
++## <summary>
++## Execute consolekit server in the consolekit domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`consolekit_systemctl',`
++ gen_require(`
++ type consolekit_t;
++ type consolekit_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 consolekit_unit_file_t:file read_file_perms;
++ allow $1 consolekit_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, consolekit_t)
++')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index e67a003..edd6f6c 100644
+index e67a003..cc813f3 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
-@@ -15,12 +15,16 @@ logging_log_file(consolekit_log_t)
+@@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t)
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
+type consolekit_tmpfs_t;
+files_tmpfs_file(consolekit_tmpfs_t)
+
++type consolekit_unit_file_t;
++systemd_unit_file(consolekit_unit_file_t)
++
########################################
#
# consolekit local policy
@@ -89568,7 +90206,7 @@ index e67a003..edd6f6c 100644
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -43,7 +47,6 @@ dev_read_sysfs(consolekit_t)
+@@ -43,7 +50,6 @@ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
@@ -89576,7 +90214,7 @@ index e67a003..edd6f6c 100644
files_read_etc_files(consolekit_t)
files_read_usr_files(consolekit_t)
-@@ -53,8 +56,6 @@ files_search_all_mountpoints(consolekit_t)
+@@ -53,8 +59,6 @@ files_search_all_mountpoints(consolekit_t)
fs_list_inotifyfs(consolekit_t)
@@ -89585,7 +90223,7 @@ index e67a003..edd6f6c 100644
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
-@@ -69,17 +70,17 @@ logging_send_audit_msgs(consolekit_t)
+@@ -69,17 +73,17 @@ logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
@@ -89610,7 +90248,7 @@ index e67a003..edd6f6c 100644
')
optional_policy(`
-@@ -99,6 +100,10 @@ optional_policy(`
+@@ -99,6 +103,10 @@ optional_policy(`
')
optional_policy(`
@@ -89621,7 +90259,7 @@ index e67a003..edd6f6c 100644
policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
-@@ -106,9 +111,10 @@ optional_policy(`
+@@ -106,9 +114,10 @@ optional_policy(`
')
optional_policy(`
@@ -89634,7 +90272,7 @@ index e67a003..edd6f6c 100644
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
-@@ -124,6 +130,5 @@ optional_policy(`
+@@ -124,6 +133,5 @@ optional_policy(`
')
optional_policy(`
@@ -89642,12 +90280,14 @@ index e67a003..edd6f6c 100644
unconfined_stream_connect(consolekit_t)
')
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
-index 3a6d7eb..6c753ff 100644
+index 3a6d7eb..4837d4d 100644
--- a/policy/modules/services/corosync.fc
+++ b/policy/modules/services/corosync.fc
-@@ -1,8 +1,14 @@
+@@ -1,8 +1,16 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
++
++/lib/systemd/system/corosync.*\.service -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
@@ -89660,13 +90300,13 @@ index 3a6d7eb..6c753ff 100644
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
-@@ -10,3 +16,4 @@
+@@ -10,3 +18,4 @@
/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/hearbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
-index 5220c9d..db158cc 100644
+index 5220c9d..11e5dc4 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
@@ -89695,8 +90335,41 @@ index 5220c9d..db158cc 100644
#######################################
## <summary>
## Allow the specified domain to read corosync's log files.
-@@ -82,9 +101,13 @@ interface(`corosyncd_admin',`
+@@ -58,6 +77,29 @@ interface(`corosync_stream_connect',`
+ stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+ ')
+
++########################################
++## <summary>
++## Execute corosync server in the corosync domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`corosync_systemctl',`
++ gen_require(`
++ type corosync_t;
++ type corosync_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 corosync_unit_file_t:file read_file_perms;
++ allow $1 corosync_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, corosync_t)
++')
++
+ ######################################
+ ## <summary>
+ ## All of the rules required to administrate
+@@ -80,11 +122,16 @@ interface(`corosyncd_admin',`
+ type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+ type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
++ type corosync_unit_file_t;
')
- allow $1 corosync_t:process { ptrace signal_perms };
@@ -89710,8 +90383,17 @@ index 5220c9d..db158cc 100644
init_labeled_script_domtrans($1, corosync_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
+@@ -103,4 +150,8 @@ interface(`corosyncd_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, corosync_var_run_t)
++
++ corosync_systemctl($1)
++ admin_pattern($1, corosync_unit_file_t)
++ allow $1 corosync_unit_file_t:service all_service_perms;
+ ')
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 04969e5..a603e70 100644
+index 04969e5..5ca259d 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
@@ -89722,7 +90404,15 @@ index 04969e5..a603e70 100644
type corosync_initrc_exec_t;
init_script_file(corosync_initrc_exec_t)
-@@ -32,8 +33,8 @@ files_pid_file(corosync_var_run_t)
+@@ -27,13 +28,16 @@ logging_log_file(corosync_var_log_t)
+ type corosync_var_run_t;
+ files_pid_file(corosync_var_run_t)
+
++type corosync_unit_file_t;
++systemd_unit_file(corosync_unit_file_t)
++
+ ########################################
+ #
# corosync local policy
#
@@ -89733,7 +90423,7 @@ index 04969e5..a603e70 100644
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
-@@ -41,9 +42,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
+@@ -41,9 +45,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
allow corosync_t self:unix_dgram_socket create_socket_perms;
allow corosync_t self:udp_socket create_socket_perms;
@@ -89746,7 +90436,7 @@ index 04969e5..a603e70 100644
manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
-@@ -63,8 +67,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+@@ -63,8 +70,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
kernel_read_system_state(corosync_t)
@@ -89758,7 +90448,7 @@ index 04969e5..a603e70 100644
corenet_udp_bind_netsupport_port(corosync_t)
-@@ -73,9 +80,12 @@ dev_read_urand(corosync_t)
+@@ -73,9 +83,12 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
@@ -89771,7 +90461,7 @@ index 04969e5..a603e70 100644
init_read_script_state(corosync_t)
init_rw_script_tmp_files(corosync_t)
-@@ -83,21 +93,51 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,21 +96,51 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
@@ -89792,11 +90482,13 @@ index 04969e5..a603e70 100644
- rhcs_rw_dlm_controld_semaphores(corosync_t)
+ cmirrord_rw_shm(corosync_t)
+')
-+
+
+- rhcs_rw_fenced_semaphores(corosync_t)
+optional_policy(`
+ dbus_system_bus_client(corosync_t)
+')
-+
+
+- rhcs_rw_gfs_controld_semaphores(corosync_t)
+optional_policy(`
+ drbd_domtrans(corosync_t)
+')
@@ -89805,13 +90497,11 @@ index 04969e5..a603e70 100644
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
+ lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
-
-- rhcs_rw_fenced_semaphores(corosync_t)
++
+optional_policy(`
+ qpidd_rw_shm(corosync_t)
+')
-
-- rhcs_rw_gfs_controld_semaphores(corosync_t)
++
+optional_policy(`
+ rhcs_getattr_fenced(corosync_t)
+ # to communication with RHCS
@@ -89846,7 +90536,7 @@ index 0000000..a0c0865
+/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0)
diff --git a/policy/modules/services/couchdb.if b/policy/modules/services/couchdb.if
new file mode 100644
-index 0000000..b556467
+index 0000000..1729414
--- /dev/null
+++ b/policy/modules/services/couchdb.if
@@ -0,0 +1,249 @@
@@ -90045,7 +90735,7 @@ index 0000000..b556467
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 couchdb_unit_file_t:file read_file_perms;
-+ allow $1 couchdb_unit_file_t:service all_service_perms;
++ allow $1 couchdb_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, couchdb_t)
+')
@@ -90070,11 +90760,8 @@ index 0000000..b556467
+#
+interface(`couchdb_admin',`
+ gen_require(`
-+ type couchdb_t;
-+ type couchdb_etc_t;
-+ type couchdb_log_t;
-+ type couchdb_var_lib_t;
-+ type couchdb_var_run_t;
++ type couchdb_t, couchdb_etc_t, couchdb_log_t;
++ type couchdb_var_lib_t, couchdb_var_run_t;
+ type couchdb_unit_file_t;
+ ')
+
@@ -90093,7 +90780,10 @@ index 0000000..b556467
+ files_search_pids($1)
+ admin_pattern($1, couchdb_var_run_t)
+
++ admin_pattern($1, couchdb_unit_file_t)
+ couchdb_systemctl($1)
++ allow $1 couchdb_unit_file_t:service all_service_perms;
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
@@ -90407,19 +91097,20 @@ index 13d2f63..861fad7 100644
')
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..32a4a69 100644
+index 2eefc08..d520976 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
-@@ -2,6 +2,8 @@
+@@ -2,6 +2,9 @@
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++/lib/systemd/system/atd\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+/lib/systemd/system/crond\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+/usr/lib/systemd/system/crond\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-@@ -14,14 +16,15 @@
+@@ -14,14 +17,15 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -90437,14 +91128,14 @@ index 2eefc08..32a4a69 100644
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/cron/[^/]* -- <<none>>
-@@ -45,3 +48,5 @@ ifdef(`distro_suse', `
+@@ -45,3 +49,5 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..1b14bab 100644
+index 35241ed..2f6f038 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -12,6 +12,11 @@
@@ -90699,7 +91390,7 @@ index 35241ed..1b14bab 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 crond_unit_file_t:file read_file_perms;
-+ allow $1 crond_unit_file_t:service all_service_perms;
++ allow $1 crond_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, crond_t)
+')
@@ -91830,18 +92521,21 @@ index 0000000..284fbae
+ sysnet_domtrans_ifconfig(ctdbd_t)
+')
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
-index 1b492ed..ac5dae0 100644
+index 1b492ed..5810711 100644
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
-@@ -20,6 +20,7 @@
+@@ -19,7 +19,10 @@
+
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/lib/systemd/system/cups\.service -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
++
/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -28,11 +29,8 @@
+@@ -28,11 +31,8 @@
# keep as separate lines to ensure proper sorting
/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
@@ -91853,7 +92547,7 @@ index 1b492ed..ac5dae0 100644
/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-@@ -56,6 +54,7 @@
+@@ -56,6 +56,7 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -91861,7 +92555,7 @@ index 1b492ed..ac5dae0 100644
/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
-@@ -64,10 +63,16 @@
+@@ -64,10 +65,16 @@
/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
@@ -91880,7 +92574,7 @@ index 1b492ed..ac5dae0 100644
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
-index 305ddf4..917dbab 100644
+index 305ddf4..4d70951 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -9,6 +9,11 @@
@@ -91926,7 +92620,37 @@ index 305ddf4..917dbab 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -314,16 +321,19 @@ interface(`cups_stream_connect_ptal',`
+@@ -296,6 +303,29 @@ interface(`cups_stream_connect_ptal',`
+
+ ########################################
+ ## <summary>
++## Execute cupsd server in the cupsd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cupsd_systemctl',`
++ gen_require(`
++ type cupsd_t;
++ type cupsd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 cupsd_unit_file_t:file read_file_perms;
++ allow $1 cupsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, cupsd_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate
+ ## an cups environment
+ ## </summary>
+@@ -314,16 +344,20 @@ interface(`cups_stream_connect_ptal',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
@@ -91939,6 +92663,7 @@ index 305ddf4..917dbab 100644
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
+ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
+ type ptal_var_run_t;
++ type cupsd_unit_file_t;
')
- allow $1 cupsd_t:process { ptrace signal_perms };
@@ -91952,7 +92677,7 @@ index 305ddf4..917dbab 100644
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cupsd_initrc_exec_t system_r;
-@@ -341,18 +351,43 @@ interface(`cups_admin',`
+@@ -341,18 +375,47 @@ interface(`cups_admin',`
admin_pattern($1, cupsd_lpd_var_run_t)
@@ -91972,7 +92697,11 @@ index 305ddf4..917dbab 100644
admin_pattern($1, ptal_etc_t)
admin_pattern($1, ptal_var_run_t)
- ')
++
++ cupsd_systemctl($1)
++ admin_pattern($1, cupsd_unit_file_t)
++ allow $1 cupsd_unit_file_t:service all_service_perms;
++')
+
+########################################
+## <summary>
@@ -91998,9 +92727,9 @@ index 305ddf4..917dbab 100644
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "subscriptions.conf")
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "subscriptions.conf.O")
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
-+')
+ ')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..03f22e6 100644
+index 0f28095..db6e8b6 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -92011,7 +92740,17 @@ index 0f28095..03f22e6 100644
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
-@@ -123,6 +124,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -60,6 +61,9 @@ type cupsd_var_run_t;
+ files_pid_file(cupsd_var_run_t)
+ mls_trusted_object(cupsd_var_run_t)
+
++type cupsd_unit_file_t;
++systemd_unit_file(cupsd_unit_file_t)
++
+ type hplip_t;
+ type hplip_exec_t;
+ init_daemon_domain(hplip_t, hplip_exec_t)
+@@ -123,6 +127,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -92019,7 +92758,7 @@ index 0f28095..03f22e6 100644
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -137,6 +139,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+@@ -137,6 +142,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
allow cupsd_t cupsd_lock_t:file manage_file_perms;
files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
@@ -92027,7 +92766,7 @@ index 0f28095..03f22e6 100644
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
-@@ -146,11 +149,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+@@ -146,11 +152,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
@@ -92042,7 +92781,7 @@ index 0f28095..03f22e6 100644
allow cupsd_t hplip_t:process { signal sigkill };
-@@ -159,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+@@ -159,7 +166,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -92051,7 +92790,7 @@ index 0f28095..03f22e6 100644
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
-@@ -211,6 +215,7 @@ mls_rangetrans_target(cupsd_t)
+@@ -211,6 +218,7 @@ mls_rangetrans_target(cupsd_t)
mls_socket_write_all_levels(cupsd_t)
mls_fd_use_all_levels(cupsd_t)
@@ -92059,7 +92798,7 @@ index 0f28095..03f22e6 100644
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
-@@ -220,6 +225,7 @@ corecmd_exec_bin(cupsd_t)
+@@ -220,6 +228,7 @@ corecmd_exec_bin(cupsd_t)
domain_use_interactive_fds(cupsd_t)
@@ -92067,7 +92806,7 @@ index 0f28095..03f22e6 100644
files_list_spool(cupsd_t)
files_read_etc_files(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
-@@ -270,12 +276,6 @@ files_dontaudit_list_home(cupsd_t)
+@@ -270,12 +279,6 @@ files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
@@ -92080,7 +92819,7 @@ index 0f28095..03f22e6 100644
optional_policy(`
apm_domtrans_client(cupsd_t)
')
-@@ -287,6 +287,8 @@ optional_policy(`
+@@ -287,6 +290,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -92089,7 +92828,7 @@ index 0f28095..03f22e6 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -297,8 +299,10 @@ optional_policy(`
+@@ -297,8 +302,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -92100,7 +92839,7 @@ index 0f28095..03f22e6 100644
')
')
-@@ -311,10 +315,22 @@ optional_policy(`
+@@ -311,10 +318,22 @@ optional_policy(`
')
optional_policy(`
@@ -92123,7 +92862,7 @@ index 0f28095..03f22e6 100644
mta_send_mail(cupsd_t)
')
-@@ -371,8 +387,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +390,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -92134,7 +92873,7 @@ index 0f28095..03f22e6 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -393,6 +410,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +413,10 @@ dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
@@ -92145,7 +92884,7 @@ index 0f28095..03f22e6 100644
files_search_all_mountpoints(cupsd_config_t)
-@@ -425,11 +446,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +449,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -92159,7 +92898,7 @@ index 0f28095..03f22e6 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +474,10 @@ optional_policy(`
+@@ -453,6 +477,10 @@ optional_policy(`
')
optional_policy(`
@@ -92170,7 +92909,7 @@ index 0f28095..03f22e6 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +492,10 @@ optional_policy(`
+@@ -467,6 +495,10 @@ optional_policy(`
')
optional_policy(`
@@ -92181,7 +92920,7 @@ index 0f28095..03f22e6 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -537,6 +566,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +569,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -92189,7 +92928,7 @@ index 0f28095..03f22e6 100644
dev_read_urand(cupsd_lpd_t)
dev_read_rand(cupsd_lpd_t)
-@@ -587,23 +617,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +620,22 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -92222,7 +92961,7 @@ index 0f28095..03f22e6 100644
')
########################################
-@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +671,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -92231,7 +92970,7 @@ index 0f28095..03f22e6 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +717,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -92239,7 +92978,7 @@ index 0f28095..03f22e6 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +729,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -93932,7 +94671,7 @@ index 767e0c7..c8306c2 100644
-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
-index 5e2cea8..8eec089 100644
+index 5e2cea8..2ab8a14 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
@@ -93965,7 +94704,7 @@ index 5e2cea8..8eec089 100644
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 dhcpd_unit_file_t:file read_file_perms;
-+ allow $1 dhcpd_unit_file_t:service all_service_perms;
++ allow $1 dhcpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dhcpd_t)
+')
@@ -93975,13 +94714,14 @@ index 5e2cea8..8eec089 100644
## All of the rules required to administrate
## an dhcp environment
## </summary>
-@@ -77,12 +101,15 @@ interface(`dhcpd_initrc_domtrans',`
+@@ -77,12 +101,16 @@ interface(`dhcpd_initrc_domtrans',`
#
interface(`dhcpd_admin',`
gen_require(`
- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
+ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
++ type dhcpd_unit_file_t;
')
- allow $1 dhcpd_t:process { ptrace signal_perms };
@@ -93993,12 +94733,14 @@ index 5e2cea8..8eec089 100644
init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -96,4 +123,6 @@ interface(`dhcpd_admin',`
+@@ -96,4 +124,8 @@ interface(`dhcpd_admin',`
files_list_pids($1)
admin_pattern($1, dhcpd_var_run_t)
+
+ dhcpd_systemctl($1)
++ admin_pattern($1, dhcpd_unit_file_t)
++ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index d4424ad..5d01064 100644
@@ -94901,7 +95643,7 @@ index b886676..2b4d0f6 100644
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..144cbb7 100644
+index 9bd812b..6572368 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -10,7 +10,6 @@
@@ -94957,7 +95699,7 @@ index 9bd812b..144cbb7 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 dnsmasq_unit_file_t:file read_file_perms;
-+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
++ allow $1 dnsmasq_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dnsmasq_t)
+')
@@ -95087,8 +95829,11 @@ index 9bd812b..144cbb7 100644
## All of the rules required to administrate
## an dnsmasq environment
## </summary>
-@@ -195,8 +298,11 @@ interface(`dnsmasq_admin',`
+@@ -193,10 +296,14 @@ interface(`dnsmasq_admin',`
+ gen_require(`
+ type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
type dnsmasq_initrc_exec_t;
++ type dnsmasq_unit_file_t;
')
- allow $1 dnsmasq_t:process { ptrace signal_perms };
@@ -95100,12 +95845,14 @@ index 9bd812b..144cbb7 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -208,4 +314,6 @@ interface(`dnsmasq_admin',`
+@@ -208,4 +315,8 @@ interface(`dnsmasq_admin',`
files_list_pids($1)
admin_pattern($1, dnsmasq_var_run_t)
+
+ dnsmasq_systemctl($1)
++ admin_pattern($1, dnsmasq_unit_file_t)
++ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index fdaeeba..b1ea136 100644
@@ -97193,31 +97940,31 @@ index 9b7036a..4770f61 100644
diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
new file mode 100644
-index 0000000..9e82406
+index 0000000..b468a30
--- /dev/null
+++ b/policy/modules/services/firewalld.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,13 @@
+
+/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
+
-+/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
++/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
++
++/lib/systemd/system/firewalld\.service -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
+
+/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
+/var/log/firewalld -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
+
-+/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
++/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
+/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
new file mode 100644
-index 0000000..06462d4
+index 0000000..62acfff
--- /dev/null
+++ b/policy/modules/services/firewalld.if
-@@ -0,0 +1,76 @@
-+
+@@ -0,0 +1,109 @@
+## <summary>policy for firewalld</summary>
+
-+
+########################################
+## <summary>
+## Execute a domain transition to run firewalld.
@@ -97257,6 +98004,29 @@ index 0000000..06462d4
+
+########################################
+## <summary>
++## Execute firewalld server in the firewalld domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`firewalld_systemctl',`
++ gen_require(`
++ type firewalld_t;
++ type firewalld_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 firewalld_unit_file_t:file read_file_perms;
++ allow $1 firewalld_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, firewalld_t)
++')
++
++########################################
++## <summary>
+## All of the rules required to administrate
+## an firewalld environment
+## </summary>
@@ -97274,8 +98044,9 @@ index 0000000..06462d4
+#
+interface(`firewalld_admin',`
+ gen_require(`
-+ type firewalld_t;
-+ type firewalld_initrc_exec_t;
++ type firewalld_t, firewalld_initrc_exec_t;
++ type firewall_etc_rw_t, firewalld_var_run_t;
++ type firewalld_var_log_t;
+ ')
+
+ allow $1 firewalld_t:process signal_perms;
@@ -97289,13 +98060,24 @@ index 0000000..06462d4
+ role_transition $2 firewalld_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_search_pids($1)
++ admin_pattern($1, firewalld_var_run_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, firewalld_var_log_t)
++
++ admin_pattern($1, firewall_etc_rw_t)
++
++ admin_pattern($1, firewalld_unit_file_t)
++ firewalld_systemctl($1)
++ allow $1 firewalld_unit_file_t:service all_service_perms;
+')
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
new file mode 100644
-index 0000000..1a5d643
+index 0000000..3b2ff3b
--- /dev/null
+++ b/policy/modules/services/firewalld.te
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,85 @@
+
+policy_module(firewalld,1.0.0)
+
@@ -97320,6 +98102,9 @@ index 0000000..1a5d643
+type firewalld_var_run_t;
+files_pid_file(firewalld_var_run_t)
+
++type firewalld_unit_file_t;
++systemd_unit_file(firewalld_unit_file_t)
++
+########################################
+#
+# firewalld local policy
@@ -97328,7 +98113,8 @@ index 0000000..1a5d643
+allow firewalld_t self:fifo_file rw_fifo_file_perms;
+allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
+
-+rw_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
++manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
++manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+
+append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
+create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
@@ -97446,7 +98232,7 @@ index 69dcd2a..030dbb6 100644
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
-index 9d3201b..41c2c99 100644
+index 9d3201b..6e75e3d 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -1,5 +1,66 @@
@@ -97508,7 +98294,7 @@ index 9d3201b..41c2c99 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 ftpd_unit_file_t:file read_file_perms;
-+ allow $1 ftpd_unit_file_t:service all_service_perms;
++ allow $1 ftpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ftpd_t)
+')
@@ -97516,8 +98302,11 @@ index 9d3201b..41c2c99 100644
#######################################
## <summary>
## Allow domain dyntransition to sftpd_anon domain.
-@@ -176,8 +237,11 @@ interface(`ftp_admin',`
+@@ -174,10 +235,14 @@ interface(`ftp_admin',`
+ type ftpd_etc_t, ftpd_lock_t;
+ type ftpd_var_run_t, xferlog_t;
type ftpd_initrc_exec_t;
++ type ftpd_unit_file_t;
')
- allow $1 ftpd_t:process { ptrace signal_perms };
@@ -97529,12 +98318,14 @@ index 9d3201b..41c2c99 100644
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -203,4 +267,6 @@ interface(`ftp_admin',`
+@@ -203,4 +268,8 @@ interface(`ftp_admin',`
logging_list_logs($1)
admin_pattern($1, xferlog_t)
+
+ ftp_systemctl($1)
++ admin_pattern($1, ftpd_unit_file_t)
++ allow $1 ftpd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 8a74a83..c183d8c 100644
@@ -101190,10 +101981,10 @@ index 0000000..4917088
+/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
diff --git a/policy/modules/services/keystone.if b/policy/modules/services/keystone.if
new file mode 100644
-index 0000000..f4686e5
+index 0000000..3e1f276
--- /dev/null
+++ b/policy/modules/services/keystone.if
-@@ -0,0 +1,222 @@
+@@ -0,0 +1,224 @@
+
+## <summary>policy for keystone</summary>
+
@@ -101370,7 +102161,7 @@ index 0000000..f4686e5
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 keystone_unit_file_t:file read_file_perms;
-+ allow $1 keystone_unit_file_t:service all_service_perms;
++ allow $1 keystone_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, keystone_t)
+')
@@ -101411,6 +102202,8 @@ index 0000000..f4686e5
+ admin_pattern($1, keystone_var_lib_t)
+
+ keystone_systemctl($1)
++ admin_pattern($1, keystone_unit_file_t)
++ allow $1 keystone_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
@@ -101821,7 +102614,7 @@ index c62f23e..63e3be1 100644
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
-index 3aa8fa7..436aace 100644
+index 3aa8fa7..27cb806 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -1,5 +1,64 @@
@@ -101881,7 +102674,7 @@ index 3aa8fa7..436aace 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 slapd_unit_file_t:file read_file_perms;
-+ allow $1 slapd_unit_file_t:service all_service_perms;
++ allow $1 slapd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, slapd_t)
+')
@@ -101934,8 +102727,11 @@ index 3aa8fa7..436aace 100644
')
########################################
-@@ -97,8 +174,11 @@ interface(`ldap_admin',`
+@@ -95,10 +172,14 @@ interface(`ldap_admin',`
+ type slapd_t, slapd_tmp_t, slapd_replog_t;
+ type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
type slapd_initrc_exec_t;
++ type ldap_unit_file_t;
')
- allow $1 slapd_t:process { ptrace signal_perms };
@@ -101947,7 +102743,7 @@ index 3aa8fa7..436aace 100644
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -110,6 +190,7 @@ interface(`ldap_admin',`
+@@ -110,6 +191,7 @@ interface(`ldap_admin',`
admin_pattern($1, slapd_lock_t)
@@ -101955,12 +102751,14 @@ index 3aa8fa7..436aace 100644
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
-@@ -117,4 +198,6 @@ interface(`ldap_admin',`
+@@ -117,4 +199,8 @@ interface(`ldap_admin',`
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
+
+ ldap_systemctl($1)
++ admin_pattern($1, ldap_unit_file_t)
++ allow $1 ldap_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 64fd1ff..0f5d0b7 100644
@@ -103012,10 +103810,10 @@ index 0000000..cf95c97
+/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if
new file mode 100644
-index 0000000..6eae9c9
+index 0000000..1ec1c97
--- /dev/null
+++ b/policy/modules/services/matahari.if
-@@ -0,0 +1,289 @@
+@@ -0,0 +1,291 @@
+## <summary>policy for matahari</summary>
+
+######################################
@@ -103043,8 +103841,8 @@ index 0000000..6eae9c9
+ type matahari_$1_exec_t;
+ init_daemon_domain(matahari_$1_t, matahari_$1_exec_t)
+
-+ type matahari_$1_unit_file_t;
-+ systemd_unit_file(matahari_$1_unit_file_t)
++ type matahari_$1_unit_file_t;
++ systemd_unit_file(matahari_$1_unit_file_t)
+')
+
+########################################
@@ -103228,14 +104026,15 @@ index 0000000..6eae9c9
+#
+interface(`matahari_systemctl',`
+ gen_require(`
-+ type matahari_hostd_t;
-+ type matahari_netd_t;
-+ type matahari_serviced_t;
-+ type matahari_sysconfigd_t;
++ type matahari_hostd_t;
++ type matahari_netd_t;
++ type matahari_serviced_t;
++ type matahari_sysconfigd_t;
+ type matahari_hostd_unit_file_t;
+ type matahari_netd_unit_file_t;
+ type matahari_serviced_unit_file_t;
+ type matahari_sysconfigd_unit_file_t;
++ attribute matahari_domain;
+ ')
+
+ systemd_exec_systemctl($1)
@@ -103245,15 +104044,12 @@ index 0000000..6eae9c9
+ allow $1 matahari_serviced_unit_file_t:file read_file_perms;
+ allow $1 matahari_sysconfigd_unit_file_t:file read_file_perms;
+
-+ allow $1 matahari_hostd_unit_file_t:service all_service_perms;
-+ allow $1 matahari_netd_unit_file_t:service all_service_perms;
-+ allow $1 matahari_serviced_unit_file_t:service all_service_perms;
-+ allow $1 matahari_sysconfigd_unit_file_t:service all_service_perms;
++ allow $1 matahari_hostd_unit_file_t:service manage_service_perms;
++ allow $1 matahari_netd_unit_file_t:service manage_service_perms;
++ allow $1 matahari_serviced_unit_file_t:service manage_service_perms;
++ allow $1 matahari_sysconfigd_unit_file_t:service manage_service_perms;
+
-+ ps_process_pattern($1, matahari_hostd_t)
-+ ps_process_pattern($1, matahari_netd_t)
-+ ps_process_pattern($1, matahari_serviced_t)
-+ ps_process_pattern($1, matahari_sysconfigd_t)
++ ps_process_pattern($1, matahari_domain)
+')
+
+########################################
@@ -103278,6 +104074,11 @@ index 0000000..6eae9c9
+ type matahari_initrc_exec_t, matahari_hostd_t;
+ type matahari_netd_t, matahari_serviced_t, matahari_sysconfigd_t;
+ type matahari_var_lib_t, matahari_var_run_t;
++ attribute matahari_domain;
++ type matahari_hostd_unit_file_t;
++ type matahari_netd_unit_file_t;
++ type matahari_serviced_unit_file_t;
++ type matahari_sysconfigd_unit_file_t;
+ ')
+
+ init_labeled_script_domtrans($1, matahari_initrc_exec_t)
@@ -103285,17 +104086,8 @@ index 0000000..6eae9c9
+ role_transition $2 matahari_initrc_exec_t system_r;
+ allow $2 system_r;
+
-+ allow $1 matahari_netd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, matahari_netd_t)
-+
-+ allow $1 matahari_hostd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, matahari_hostd_t)
-+
-+ allow $1 matahari_serviced_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, matahari_serviced_t)
-+
-+ allow $1 matahari_sysconfigd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, matahari_sysconfigd_t)
++ allow $1 matahari_domain:process { ptrace signal_perms };
++ ps_process_pattern($1, matahari_domain)
+
+ files_search_var_lib($1)
+ admin_pattern($1, matahari_var_lib_t)
@@ -103304,6 +104096,14 @@ index 0000000..6eae9c9
+ admin_pattern($1, matahari_var_run_t)
+
+ matahari_systemctl($1)
++ admin_pattern($1, matahari_hostd_unit_file_t)
++ allow $1 matahari_hostd_unit_file_t:service all_service_perms;
++ admin_pattern($1, matahari_netd_unit_file_t)
++ allow $1 matahari_netd_unit_file_t:service all_service_perms;
++ admin_pattern($1, matahari_serviced_unit_file_t)
++ allow $1 matahari_serviced_unit_file_t:service all_service_perms;
++ admin_pattern($1, matahari_sysconfigd_unit_file_t)
++ allow $1 matahari_sysconfigd_unit_file_t:service all_service_perms;
+')
diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
new file mode 100644
@@ -105930,7 +106730,7 @@ index cc7192c..eeb72ba 100644
#
/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..67a500f 100644
+index e9c0982..1c07da0 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@@ -106051,7 +106851,7 @@ index e9c0982..67a500f 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 mysqld_unit_file_t:file read_file_perms;
-+ allow $1 mysqld_unit_file_t:service all_service_perms;
++ allow $1 mysqld_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, mysqld_t)
+')
@@ -106099,7 +106899,7 @@ index e9c0982..67a500f 100644
## All of the rules required to administrate an mysql environment
## </summary>
## <param name="domain">
-@@ -329,27 +445,42 @@ interface(`mysql_search_pid_files',`
+@@ -329,27 +445,45 @@ interface(`mysql_search_pid_files',`
#
interface(`mysql_admin',`
gen_require(`
@@ -106111,6 +106911,7 @@ index e9c0982..67a500f 100644
+ type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
+ type mysqld_etc_t;
+ type mysqld_home_t;
++ type mysqld_unit_file_t;
')
- allow $1 mysqld_t:process { ptrace signal_perms };
@@ -106144,6 +106945,8 @@ index e9c0982..67a500f 100644
+ admin_pattern($1, mysqld_home_t)
+
+ mysql_systemctl($1)
++ admin_pattern($1, mysqld_unit_file_t)
++ allow $1 mysqld_unit_file_t:service all_service_perms;
+
+ mysql_stream_connect($1)
')
@@ -106820,7 +107623,7 @@ index 386543b..ea4e5e6 100644
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
-index 2324d9e..8666a3c 100644
+index 2324d9e..6717db4 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -106856,7 +107659,7 @@ index 2324d9e..8666a3c 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 NetworkManager_unit_file_t:file read_file_perms;
-+ allow $1 NetworkManager_unit_file_t:service all_service_perms;
++ allow $1 NetworkManager_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, NetworkManager_t)
+')
@@ -107259,7 +108062,7 @@ index 15448d5..62284bf 100644
+/usr/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..4b891ee 100644
+index abe3f7f..8ba3aef 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -107337,7 +108140,7 @@ index abe3f7f..4b891ee 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 ypbind_unit_file_t:file read_file_perms;
-+ allow $1 ypbind_unit_file_t:service all_service_perms;
++ allow $1 ypbind_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+')
@@ -107354,13 +108157,13 @@ index abe3f7f..4b891ee 100644
+#
+interface(`nis_systemctl',`
+ gen_require(`
-+ type nis_unit_file_t;
++ type nis_unit_file_t, ypbind_unit_file_t;
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 nis_unit_file_t:file read_file_perms;
-+ allow $1 nis_unit_file_t:service all_service_perms;
++ allow $1 nis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+ ps_process_pattern($1, yppasswdd_t)
@@ -107373,7 +108176,7 @@ index abe3f7f..4b891ee 100644
## All of the rules required to administrate
## an nis environment
## </summary>
-@@ -354,22 +385,28 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -354,22 +385,30 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
@@ -107384,6 +108187,8 @@ index abe3f7f..4b891ee 100644
type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
- type ypbind_initrc_exec_t, nis_initrc_exec_t;
+ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
++ type nis_unit_file_t;
++ type ypbind_unit_file_t;
')
- allow $1 ypbind_t:process { ptrace signal_perms };
@@ -107409,7 +108214,7 @@ index abe3f7f..4b891ee 100644
ps_process_pattern($1, ypxfr_t)
nis_initrc_domtrans($1)
-@@ -379,18 +416,15 @@ interface(`nis_admin',`
+@@ -379,18 +418,20 @@ interface(`nis_admin',`
role_transition $2 ypbind_initrc_exec_t system_r;
allow $2 system_r;
@@ -107419,6 +108224,8 @@ index abe3f7f..4b891ee 100644
files_list_pids($1)
admin_pattern($1, ypbind_var_run_t)
+ nis_systemctl_ypbind($1)
++ admin_pattern($1, ypbind_unit_file_t)
++ allow $1 ypbind_unit_file_t:service all_service_perms;
admin_pattern($1, yppasswdd_var_run_t)
@@ -107428,7 +108235,10 @@ index abe3f7f..4b891ee 100644
- admin_pattern($1, ypserv_tmp_t)
-
admin_pattern($1, ypserv_var_run_t)
++
+ nis_systemctl($1)
++ admin_pattern($1, nis_unit_file_t)
++ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index 4876cae..e29f5d6 100644
@@ -107939,7 +108749,7 @@ index 0000000..9dd1d72
+')
+
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
-index 85188dc..0a96e14 100644
+index 85188dc..783accb 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
@@ -108025,7 +108835,7 @@ index 85188dc..0a96e14 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 nscd_unit_file_t:file read_file_perms;
-+ allow $1 nscd_unit_file_t:service all_service_perms;
++ allow $1 nscd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, nscd_t)
+')
@@ -108035,8 +108845,11 @@ index 85188dc..0a96e14 100644
## All of the rules required to administrate
## an nscd environment
## </summary>
-@@ -275,8 +321,11 @@ interface(`nscd_admin',`
+@@ -273,10 +319,14 @@ interface(`nscd_admin',`
+ gen_require(`
+ type nscd_t, nscd_log_t, nscd_var_run_t;
type nscd_initrc_exec_t;
++ type nscd_unit_file_t;
')
- allow $1 nscd_t:process { ptrace signal_perms };
@@ -108048,12 +108861,14 @@ index 85188dc..0a96e14 100644
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -288,4 +337,6 @@ interface(`nscd_admin',`
+@@ -288,4 +338,8 @@ interface(`nscd_admin',`
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
+
+ nscd_systemctl($1)
++ admin_pattern($1, ncsd_unit_file_t)
++ allow $1 ncsd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 7936e09..c0538d0 100644
@@ -108402,7 +109217,7 @@ index e79dccc..82a62e9 100644
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..3d17408 100644
+index e80f8c0..0044e73 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',`
@@ -108446,7 +109261,7 @@ index e80f8c0..3d17408 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 ntpd_unit_file_t:file read_file_perms;
-+ allow $1 ntpd_unit_file_t:service all_service_perms;
++ allow $1 ntpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ntpd_t)
+')
@@ -108480,13 +109295,14 @@ index e80f8c0..3d17408 100644
## All of the rules required to administrate
## an ntp environment
## </summary>
-@@ -140,12 +201,14 @@ interface(`ntp_rw_shm',`
+@@ -140,12 +201,15 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t;
- type ntpd_initrc_exec_t;
+ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
++ type ntpd_unit_file_t;
')
- allow $1 ntpd_t:process { ptrace signal_perms getattr };
@@ -108498,12 +109314,14 @@ index e80f8c0..3d17408 100644
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -162,4 +225,6 @@ interface(`ntp_admin',`
+@@ -162,4 +226,8 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
+
+ ntp_systemctl($1)
++ admin_pattern($1, ntpd_unit_file_t)
++ allow $1 ntpd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index c61adc8..09bb140 100644
@@ -109273,10 +110091,10 @@ index 0000000..a8693fc
+/var/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_run_t,s0)
diff --git a/policy/modules/services/pacemaker.if b/policy/modules/services/pacemaker.if
new file mode 100644
-index 0000000..7dfb85a
+index 0000000..c02724a
--- /dev/null
+++ b/policy/modules/services/pacemaker.if
-@@ -0,0 +1,206 @@
+@@ -0,0 +1,209 @@
+
+## <summary>policy for pacemaker</summary>
+
@@ -109431,7 +110249,7 @@ index 0000000..7dfb85a
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 pacemaker_unit_file_t:file read_file_perms;
-+ allow $1 pacemaker_unit_file_t:service all_service_perms;
++ allow $1 pacemaker_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pacemaker_t)
+')
@@ -109478,6 +110296,9 @@ index 0000000..7dfb85a
+ admin_pattern($1, pacemaker_var_run_t)
+
+ pacemaker_systemctl($1)
++ admin_pattern($1, pacemaker_unit_file_t)
++ allow $1 pacemaker_unit_file_t:service all_service_perms;
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
@@ -111207,10 +112028,10 @@ index 0000000..e108c40
+/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0)
diff --git a/policy/modules/services/polipo.if b/policy/modules/services/polipo.if
new file mode 100644
-index 0000000..64a6d26
+index 0000000..d00f6ba
--- /dev/null
+++ b/policy/modules/services/polipo.if
-@@ -0,0 +1,218 @@
+@@ -0,0 +1,219 @@
+## <summary>Caching web proxy.</summary>
+
+########################################
@@ -111375,7 +112196,7 @@ index 0000000..64a6d26
+
+ systemd_exec_systemctl($1)
+ allow $1 polipo_unit_file_t:file read_file_perms;
-+ allow $1 polipo_unit_file_t:service all_service_perms;
++ allow $1 polipo_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, polipo_t)
+')
@@ -111426,8 +112247,9 @@ index 0000000..64a6d26
+ files_list_pids($1)
+ admin_pattern($1, polipo_pid_t)
+
-+ admin_pattern($1, polipo_unit_file_t)
+ polipo_systemctl($1)
++ admin_pattern($1, polipo_unit_file_t)
++ allow $1 polipo_unit_file_t:service all_service_perms;
+')
diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
new file mode 100644
@@ -113138,7 +113960,7 @@ index 2d82c6d..fdee468 100644
-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
-index b524673..3089841 100644
+index b524673..1cca3d2 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
@@ -113197,7 +114019,7 @@ index b524673..3089841 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 pppd_unit_file_t:file read_file_perms;
-+ allow $1 pppd_unit_file_t:service all_service_perms;
++ allow $1 pppd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pppd_t)
+')
@@ -113207,7 +114029,7 @@ index b524673..3089841 100644
## All of the rules required to administrate
## an ppp environment
## </summary>
-@@ -348,20 +371,30 @@ interface(`ppp_initrc_domtrans',`
+@@ -348,20 +371,31 @@ interface(`ppp_initrc_domtrans',`
## Domain allowed access.
## </summary>
## </param>
@@ -113228,6 +114050,7 @@ index b524673..3089841 100644
type pptp_t, pptp_log_t, pptp_var_run_t;
- type pppd_initrc_exec_t;
+ type pppd_initrc_exec_t, pppd_etc_rw_t;
++ type pppd_unit_file_t;
')
- allow $1 pppd_t:process { ptrace signal_perms getattr };
@@ -113243,7 +114066,7 @@ index b524673..3089841 100644
ppp_initrc_domtrans($1)
domain_system_change_exemption($1)
-@@ -374,6 +407,7 @@ interface(`ppp_admin',`
+@@ -374,6 +408,7 @@ interface(`ppp_admin',`
logging_list_logs($1)
admin_pattern($1, pppd_log_t)
@@ -113251,7 +114074,7 @@ index b524673..3089841 100644
admin_pattern($1, pppd_lock_t)
files_list_etc($1)
-@@ -386,10 +420,9 @@ interface(`ppp_admin',`
+@@ -386,10 +421,11 @@ interface(`ppp_admin',`
files_list_pids($1)
admin_pattern($1, pppd_var_run_t)
@@ -113263,6 +114086,8 @@ index b524673..3089841 100644
admin_pattern($1, pptp_var_run_t)
+
+ ppp_systemctl($1)
++ admin_pattern($1, pppd_unit_file_t)
++ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 2af42e7..20f5d6b 100644
@@ -118051,7 +118876,7 @@ index 5c70c0c..5a75e95 100644
+
+/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
-index cda37bb..617e83f 100644
+index cda37bb..b3469d6 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -32,7 +32,11 @@ interface(`rpc_stub',`
@@ -118105,7 +118930,7 @@ index cda37bb..617e83f 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 nfsd_unit_file_t:file read_file_perms;
-+ allow $1 nfsd_unit_file_t:service all_service_perms;
++ allow $1 nfsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, nfsd_t)
+')
@@ -118168,7 +118993,7 @@ index cda37bb..617e83f 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 rpcd_unit_file_t:file read_file_perms;
-+ allow $1 rpcd_unit_file_t:service all_service_perms;
++ allow $1 rpcd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, rpcd_t)
+')
@@ -118890,7 +119715,7 @@ index 69a6074..a314e70 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..6cdb535 100644
+index 82cb169..219a8d8 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -60,6 +60,29 @@ interface(`samba_initrc_domtrans',`
@@ -118913,7 +119738,7 @@ index 82cb169..6cdb535 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 samba_unit_file_t:file read_file_perms;
-+ allow $1 samba_unit_file_t:service all_service_perms;
++ allow $1 samba_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, smbd_t)
+')
@@ -119101,7 +119926,7 @@ index 82cb169..6cdb535 100644
## All of the rules required to administrate
## an samba environment
## </summary>
-@@ -661,33 +776,32 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,33 +776,33 @@ interface(`samba_stream_connect_winbind',`
#
interface(`samba_admin',`
gen_require(`
@@ -119126,6 +119951,7 @@ index 82cb169..6cdb535 100644
+ type samba_etc_t, samba_share_t, winbind_log_t;
+ type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
+ type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
++ type samba_unit_file_t;
')
- allow $1 smbd_t:process { ptrace signal_perms };
@@ -119155,7 +119981,7 @@ index 82cb169..6cdb535 100644
init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -709,9 +823,6 @@ interface(`samba_admin',`
+@@ -709,9 +824,6 @@ interface(`samba_admin',`
admin_pattern($1, samba_var_t)
files_list_var($1)
@@ -119165,13 +119991,15 @@ index 82cb169..6cdb535 100644
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
-@@ -727,4 +838,7 @@ interface(`samba_admin',`
+@@ -727,4 +839,9 @@ interface(`samba_admin',`
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
+
+ samba_systemctl($1)
++ admin_pattern($1, samba_unit_file_t)
++ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index e30bb63..1fc4dd8 100644
@@ -125584,10 +126412,10 @@ index 7c5d8d8..c542fe7 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..f44c5bd 100644
+index 3eca020..114fbeb 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
-@@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
+@@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
# Declarations
#
@@ -125677,10 +126505,12 @@ index 3eca020..f44c5bd 100644
virt_domain_template(svirt)
role system_r types svirt_t;
--
++typealias svirt_t alias qemu_t;
+
-type svirt_cache_t;
-files_type(svirt_cache_t)
-+typealias svirt_t alias qemu_t;
++virt_domain_template(svirt_prot_exec)
++role system_r types svirt_prot_exec_t;
attribute virt_domain;
attribute virt_image_type;
@@ -125693,7 +126523,7 @@ index 3eca020..f44c5bd 100644
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -62,23 +90,31 @@ files_config_file(virt_etc_t)
+@@ -62,23 +93,31 @@ files_config_file(virt_etc_t)
type virt_etc_rw_t;
files_type(virt_etc_rw_t)
@@ -125726,7 +126556,7 @@ index 3eca020..f44c5bd 100644
type virtd_t;
type virtd_exec_t;
-@@ -89,6 +125,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +128,11 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -125738,7 +126568,7 @@ index 3eca020..f44c5bd 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -97,6 +138,34 @@ ifdef(`enable_mls',`
+@@ -97,6 +141,34 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -125773,7 +126603,7 @@ index 3eca020..f44c5bd 100644
########################################
#
# svirt local policy
-@@ -104,15 +173,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +176,12 @@ ifdef(`enable_mls',`
allow svirt_t self:udp_socket create_socket_perms;
@@ -125790,7 +126620,7 @@ index 3eca020..f44c5bd 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +196,13 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +199,13 @@ corenet_tcp_connect_all_ports(svirt_t)
dev_list_sysfs(svirt_t)
@@ -125804,7 +126634,7 @@ index 3eca020..f44c5bd 100644
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +217,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +220,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -125820,7 +126650,7 @@ index 3eca020..f44c5bd 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +234,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +237,28 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -125849,7 +126679,7 @@ index 3eca020..f44c5bd 100644
xen_rw_image_files(svirt_t)
')
-@@ -173,22 +264,41 @@ optional_policy(`
+@@ -173,22 +267,41 @@ optional_policy(`
# virtd local policy
#
@@ -125898,7 +126728,7 @@ index 3eca020..f44c5bd 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,9 +309,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,9 +312,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -125919,7 +126749,7 @@ index 3eca020..f44c5bd 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +336,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +339,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -125935,7 +126765,7 @@ index 3eca020..f44c5bd 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +364,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +367,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -125970,7 +126800,7 @@ index 3eca020..f44c5bd 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +398,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +401,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -125989,7 +126819,7 @@ index 3eca020..f44c5bd 100644
mcs_process_set_categories(virtd_t)
-@@ -276,6 +424,8 @@ term_use_ptmx(virtd_t)
+@@ -276,6 +427,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -125998,7 +126828,7 @@ index 3eca020..f44c5bd 100644
miscfiles_read_localization(virtd_t)
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +435,31 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +438,31 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -126030,7 +126860,7 @@ index 3eca020..f44c5bd 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +478,10 @@ optional_policy(`
+@@ -313,6 +481,10 @@ optional_policy(`
')
optional_policy(`
@@ -126041,7 +126871,7 @@ index 3eca020..f44c5bd 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -326,6 +495,14 @@ optional_policy(`
+@@ -326,6 +498,14 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -126056,7 +126886,7 @@ index 3eca020..f44c5bd 100644
')
optional_policy(`
-@@ -334,11 +511,14 @@ optional_policy(`
+@@ -334,11 +514,14 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_read_pid_files(virtd_t)
dnsmasq_signull(virtd_t)
@@ -126071,7 +126901,7 @@ index 3eca020..f44c5bd 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -360,11 +540,11 @@ optional_policy(`
+@@ -360,11 +543,11 @@ optional_policy(`
')
optional_policy(`
@@ -126088,7 +126918,7 @@ index 3eca020..f44c5bd 100644
')
optional_policy(`
-@@ -394,20 +574,36 @@ optional_policy(`
+@@ -394,20 +577,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -126128,7 +126958,7 @@ index 3eca020..f44c5bd 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +614,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +617,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -126141,7 +126971,7 @@ index 3eca020..f44c5bd 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +626,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +629,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -126154,7 +126984,7 @@ index 3eca020..f44c5bd 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +639,386 @@ files_search_all(virt_domain)
+@@ -440,25 +642,393 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -126162,12 +126992,12 @@ index 3eca020..f44c5bd 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -126503,6 +127333,13 @@ index 3eca020..f44c5bd 100644
+fs_noxattr_type(svirt_lxc_file_t)
+term_pty(svirt_lxc_file_t)
+
++#######################################
++#
++# svirt_prot_exec local policy
++#
++
++allow svirt_prot_exec_t self:process { execmem execstack };
++
+########################################
+#
+# virt_qmf local policy
@@ -132807,7 +133644,7 @@ index 94fd8dd..5a52670 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..043257e 100644
+index 29a9565..e2c5116 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -132953,7 +133790,7 @@ index 29a9565..043257e 100644
mcs_process_set_categories(init_t)
mcs_killall(init_t)
-@@ -151,34 +204,52 @@ mls_file_read_all_levels(init_t)
+@@ -151,34 +204,54 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -132989,6 +133826,8 @@ index 29a9565..043257e 100644
+miscfiles_manage_localization(init_t)
+miscfiles_filetrans_named_content(init_t)
+
++userdom_use_user_ttys(init_t)
++
+allow init_t self:process setsched;
ifdef(`distro_gentoo',`
@@ -133008,18 +133847,17 @@ index 29a9565..043257e 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +257,146 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +259,146 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
+storage_raw_rw_fixed_disk(init_t)
+
- optional_policy(`
-- auth_rw_login_records(init_t)
++optional_policy(`
+ modutils_domtrans_insmod(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_aliases(init_t)
@@ -133128,11 +133966,12 @@ index 29a9565..043257e 100644
+ systemd_filetrans_named_content(init_t)
+')
+
-+optional_policy(`
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ lvm_rw_pipes(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ consolekit_manage_log(init_t)
+')
+
@@ -133140,24 +133979,24 @@ index 29a9565..043257e 100644
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(init_t)
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(init_t)
++')
++
++optional_policy(`
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
optional_policy(`
-@@ -203,6 +404,17 @@ optional_policy(`
+@@ -203,6 +406,17 @@ optional_policy(`
')
optional_policy(`
@@ -133175,7 +134014,7 @@ index 29a9565..043257e 100644
unconfined_domain(init_t)
')
-@@ -212,8 +424,8 @@ optional_policy(`
+@@ -212,8 +426,8 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -133186,7 +134025,7 @@ index 29a9565..043257e 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +453,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +455,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -133202,7 +134041,7 @@ index 29a9565..043257e 100644
init_write_initctl(initrc_t)
-@@ -258,20 +473,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +475,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -133239,7 +134078,7 @@ index 29a9565..043257e 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +506,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +508,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -133247,7 +134086,7 @@ index 29a9565..043257e 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -289,8 +517,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +519,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -133258,7 +134097,7 @@ index 29a9565..043257e 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,17 +528,16 @@ dev_manage_generic_files(initrc_t)
+@@ -298,17 +530,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -133278,7 +134117,7 @@ index 29a9565..043257e 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -316,6 +545,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +547,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -133286,7 +134125,7 @@ index 29a9565..043257e 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +553,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +555,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -133298,7 +134137,7 @@ index 29a9565..043257e 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +572,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +574,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -133312,7 +134151,7 @@ index 29a9565..043257e 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,9 +587,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,9 +589,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -133326,7 +134165,7 @@ index 29a9565..043257e 100644
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -363,6 +602,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +604,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -133334,7 +134173,7 @@ index 29a9565..043257e 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +614,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +616,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -133342,7 +134181,7 @@ index 29a9565..043257e 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +635,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +637,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -133364,7 +134203,7 @@ index 29a9565..043257e 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +698,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +700,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -133375,7 +134214,7 @@ index 29a9565..043257e 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +722,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +724,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -133384,7 +134223,7 @@ index 29a9565..043257e 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +737,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +739,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -133392,7 +134231,7 @@ index 29a9565..043257e 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -513,6 +758,7 @@ ifdef(`distro_redhat',`
+@@ -513,6 +760,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -133400,7 +134239,7 @@ index 29a9565..043257e 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -522,8 +768,35 @@ ifdef(`distro_redhat',`
+@@ -522,8 +770,35 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -133436,7 +134275,7 @@ index 29a9565..043257e 100644
')
optional_policy(`
-@@ -531,14 +804,27 @@ ifdef(`distro_redhat',`
+@@ -531,14 +806,27 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -133464,7 +134303,7 @@ index 29a9565..043257e 100644
')
')
-@@ -549,6 +835,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +837,39 @@ ifdef(`distro_suse',`
')
')
@@ -133504,7 +134343,7 @@ index 29a9565..043257e 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +880,8 @@ optional_policy(`
+@@ -561,6 +882,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -133513,7 +134352,7 @@ index 29a9565..043257e 100644
')
optional_policy(`
-@@ -577,6 +898,7 @@ optional_policy(`
+@@ -577,6 +900,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -133521,7 +134360,7 @@ index 29a9565..043257e 100644
')
optional_policy(`
-@@ -589,6 +911,17 @@ optional_policy(`
+@@ -589,6 +913,17 @@ optional_policy(`
')
optional_policy(`
@@ -133539,7 +134378,7 @@ index 29a9565..043257e 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +938,13 @@ optional_policy(`
+@@ -605,9 +940,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -133553,7 +134392,7 @@ index 29a9565..043257e 100644
')
optional_policy(`
-@@ -632,6 +969,10 @@ optional_policy(`
+@@ -632,6 +971,10 @@ optional_policy(`
')
optional_policy(`
@@ -133564,7 +134403,7 @@ index 29a9565..043257e 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -649,6 +990,11 @@ optional_policy(`
+@@ -649,6 +992,11 @@ optional_policy(`
')
optional_policy(`
@@ -133576,7 +134415,7 @@ index 29a9565..043257e 100644
inn_exec_config(initrc_t)
')
-@@ -689,6 +1035,7 @@ optional_policy(`
+@@ -689,6 +1037,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -133584,7 +134423,7 @@ index 29a9565..043257e 100644
')
optional_policy(`
-@@ -706,7 +1053,13 @@ optional_policy(`
+@@ -706,7 +1055,13 @@ optional_policy(`
')
optional_policy(`
@@ -133598,7 +134437,7 @@ index 29a9565..043257e 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1082,10 @@ optional_policy(`
+@@ -729,6 +1084,10 @@ optional_policy(`
')
optional_policy(`
@@ -133609,7 +134448,7 @@ index 29a9565..043257e 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1095,20 @@ optional_policy(`
+@@ -738,10 +1097,20 @@ optional_policy(`
')
optional_policy(`
@@ -133630,7 +134469,7 @@ index 29a9565..043257e 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1117,10 @@ optional_policy(`
+@@ -750,6 +1119,10 @@ optional_policy(`
')
optional_policy(`
@@ -133641,7 +134480,7 @@ index 29a9565..043257e 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1142,6 @@ optional_policy(`
+@@ -771,8 +1144,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -133650,7 +134489,7 @@ index 29a9565..043257e 100644
')
optional_policy(`
-@@ -781,6 +1150,10 @@ optional_policy(`
+@@ -781,6 +1152,10 @@ optional_policy(`
')
optional_policy(`
@@ -133661,7 +134500,7 @@ index 29a9565..043257e 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -790,10 +1163,12 @@ optional_policy(`
+@@ -790,10 +1165,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -133674,7 +134513,7 @@ index 29a9565..043257e 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1180,6 @@ optional_policy(`
+@@ -805,7 +1182,6 @@ optional_policy(`
')
optional_policy(`
@@ -133682,7 +134521,7 @@ index 29a9565..043257e 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1189,25 @@ optional_policy(`
+@@ -815,11 +1191,25 @@ optional_policy(`
')
optional_policy(`
@@ -133709,7 +134548,7 @@ index 29a9565..043257e 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1217,18 @@ optional_policy(`
+@@ -829,6 +1219,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -133728,7 +134567,7 @@ index 29a9565..043257e 100644
')
optional_policy(`
-@@ -844,6 +1244,10 @@ optional_policy(`
+@@ -844,6 +1246,10 @@ optional_policy(`
')
optional_policy(`
@@ -133739,7 +134578,7 @@ index 29a9565..043257e 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1258,161 @@ optional_policy(`
+@@ -854,3 +1260,161 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -134155,21 +134994,22 @@ index 55a6cd8..02378d2 100644
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 05fb364..dd07f08 100644
+index 05fb364..a01ef9e 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,7 +1,7 @@
+@@ -1,7 +1,8 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+
-+/lib/systemd/system/iptables6?.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/lib/systemd/system/iptables.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/lib/systemd/system/ip6tables.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -12,8 +12,17 @@
+@@ -12,8 +13,17 @@
/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -134191,7 +135031,7 @@ index 05fb364..dd07f08 100644
+
+/usr/lib/systemd/system/iptables6?.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index 7ba53db..db118e3 100644
+index 7ba53db..f4a49a0 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
@@ -134227,7 +135067,7 @@ index 7ba53db..db118e3 100644
+
+ systemd_exec_systemctl($1)
+ allow $1 iptables_unit_file_t:file read_file_perms;
-+ allow $1 iptables_unit_file_t:service all_service_perms;
++ allow $1 iptables_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, iptables_t)
+')
@@ -135330,10 +136170,19 @@ index a0b379d..95bf920 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..7bd737a 100644
+index 02f4c97..f9f3c56 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
-@@ -17,12 +17,28 @@
+@@ -6,6 +6,8 @@
+ /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+
++/lib/systemd/system/auditd\.service -- gen_context(system_u:object_r:auditd_unit_file_t,s0)
++
+ /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+ /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+@@ -17,12 +19,28 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -135363,7 +136212,7 @@ index 02f4c97..7bd737a 100644
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,7 +54,7 @@ ifdef(`distro_suse', `
+@@ -38,7 +56,7 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@@ -135372,7 +136221,7 @@ index 02f4c97..7bd737a 100644
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -46,6 +62,7 @@ ifdef(`distro_suse', `
+@@ -46,6 +64,7 @@ ifdef(`distro_suse', `
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
@@ -135380,7 +136229,7 @@ index 02f4c97..7bd737a 100644
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -54,6 +71,8 @@ ifndef(`distro_gentoo',`
+@@ -54,6 +73,8 @@ ifndef(`distro_gentoo',`
ifdef(`distro_redhat',`
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -135389,7 +136238,7 @@ index 02f4c97..7bd737a 100644
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-@@ -66,6 +85,7 @@ ifdef(`distro_redhat',`
+@@ -66,6 +87,7 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -135397,7 +136246,7 @@ index 02f4c97..7bd737a 100644
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-@@ -73,4 +93,9 @@ ifdef(`distro_redhat',`
+@@ -73,4 +95,9 @@ ifdef(`distro_redhat',`
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -135408,7 +136257,7 @@ index 02f4c97..7bd737a 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 831b909..62b1c59 100644
+index 831b909..b9cff6d 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -135620,8 +136469,11 @@ index 831b909..62b1c59 100644
## Write generic log files.
## </summary>
## <param name="domain">
-@@ -944,9 +1096,13 @@ interface(`logging_admin_audit',`
+@@ -942,11 +1094,16 @@ interface(`logging_admin_audit',`
+ type auditd_t, auditd_etc_t, auditd_log_t;
+ type auditd_var_run_t;
type auditd_initrc_exec_t;
++ type auditd_unit_file_t;
')
- allow $1 auditd_t:process { ptrace signal_perms };
@@ -135635,7 +136487,41 @@ index 831b909..62b1c59 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-@@ -990,10 +1146,15 @@ interface(`logging_admin_syslog',`
+@@ -962,6 +1119,33 @@ interface(`logging_admin_audit',`
+ domain_system_change_exemption($1)
+ role_transition $2 auditd_initrc_exec_t system_r;
+ allow $2 system_r;
++
++ logging_systemctl_audit($1)
++ admin_pattern($1, auditd_unit_file_t)
++ allow $1 auditd_unit_file_t:service all_service_perms;
++')
++
++########################################
++## <summary>
++## Execute auditd server in the auditd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`logging_systemctl_audit',`
++ gen_require(`
++ type auditd_t;
++ type auditd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 auditd_unit_file_t:file read_file_perms;
++ allow $1 auditd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, auditd_t)
+ ')
+
+ ########################################
+@@ -990,10 +1174,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@@ -135653,7 +136539,7 @@ index 831b909..62b1c59 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1015,6 +1176,8 @@ interface(`logging_admin_syslog',`
+@@ -1015,6 +1204,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -135662,7 +136548,7 @@ index 831b909..62b1c59 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1043,3 +1206,25 @@ interface(`logging_admin',`
+@@ -1043,3 +1234,25 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
@@ -135689,7 +136575,7 @@ index 831b909..62b1c59 100644
+ files_spool_filetrans($1, audit_spool_t, dir, "audit")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..b365df9 100644
+index b6ec597..9ffad65 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -5,6 +5,20 @@ policy_module(logging, 1.17.2)
@@ -135721,7 +136607,17 @@ index b6ec597..b365df9 100644
files_security_file(audit_spool_t)
files_security_mountpoint(audit_spool_t)
-@@ -64,6 +79,7 @@ files_config_file(syslog_conf_t)
+@@ -33,6 +48,9 @@ init_script_file(auditd_initrc_exec_t)
+ type auditd_var_run_t;
+ files_pid_file(auditd_var_run_t)
+
++type auditd_unit_file_t;
++systemd_unit_file(auditd_unit_file_t)
++
+ type audisp_t;
+ type audisp_exec_t;
+ init_system_domain(audisp_t, audisp_exec_t)
+@@ -64,6 +82,7 @@ files_config_file(syslog_conf_t)
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
@@ -135729,7 +136625,7 @@ index b6ec597..b365df9 100644
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
-@@ -111,7 +127,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +130,7 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
@@ -135738,7 +136634,7 @@ index b6ec597..b365df9 100644
init_dontaudit_use_fds(auditctl_t)
-@@ -183,16 +199,19 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +202,19 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -135759,7 +136655,7 @@ index b6ec597..b365df9 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,10 +256,17 @@ corecmd_exec_shell(audisp_t)
+@@ -237,10 +259,17 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@@ -135777,7 +136673,7 @@ index b6ec597..b365df9 100644
logging_send_syslog_msg(audisp_t)
-@@ -250,6 +276,10 @@ sysnet_dns_name_resolve(audisp_t)
+@@ -250,6 +279,10 @@ sysnet_dns_name_resolve(audisp_t)
optional_policy(`
dbus_system_bus_client(audisp_t)
@@ -135788,7 +136684,7 @@ index b6ec597..b365df9 100644
')
########################################
-@@ -280,11 +310,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,11 +313,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -135809,7 +136705,7 @@ index b6ec597..b365df9 100644
sysnet_dns_name_resolve(audisp_remote_t)
########################################
-@@ -354,11 +393,12 @@ optional_policy(`
+@@ -354,11 +396,12 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
@@ -135824,7 +136720,7 @@ index b6ec597..b365df9 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -376,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -376,6 +419,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -135832,7 +136728,7 @@ index b6ec597..b365df9 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -385,9 +426,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -385,9 +429,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -135848,7 +136744,7 @@ index b6ec597..b365df9 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -426,10 +473,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -426,10 +476,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -135876,7 +136772,7 @@ index b6ec597..b365df9 100644
files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
-@@ -447,7 +511,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+@@ -447,7 +514,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -135886,7 +136782,7 @@ index b6ec597..b365df9 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +525,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +528,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -135894,7 +136790,7 @@ index b6ec597..b365df9 100644
miscfiles_read_localization(syslogd_t)
-@@ -496,11 +563,20 @@ optional_policy(`
+@@ -496,11 +566,20 @@ optional_policy(`
')
optional_policy(`
@@ -145934,7 +146830,7 @@ index 22ca011..18e1b2f 100644
')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index f7380b3..fb62555 100644
+index f7380b3..cc007d8 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -146034,12 +146930,17 @@ index f7380b3..fb62555 100644
#
# Sockets
-@@ -317,3 +324,15 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
+@@ -317,3 +324,20 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
# Keys
#
define(`manage_key_perms', `{ create link read search setattr view write } ')
+
+#
++# Service
++#
++define(`manage_service_perms', `{ start stop status reload kill load } ')
++
++#
+# All
+#
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
@@ -146048,7 +146949,7 @@ index f7380b3..fb62555 100644
+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
-+define(`all_service_perms', `{ start stop status reload kill } ')
++define(`all_service_perms', `{ enable disable manage_service_perms } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
diff --git a/policy/users b/policy/users
index c4ebc7e..30d6d7a 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bfc1ed8..ba5404e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 103%{?dist}
+Release: 104%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -483,6 +483,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Mar 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-104
+- More fixes for systemd from Dan Walsh
+
* Mon Mar 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-103
- Add a new type for /etc/firewalld and allow firewalld to write to this directory
- Add definition for ~/Maildir, and allow mail deliver domains to write there
More information about the scm-commits
mailing list