[selinux-policy/f17] * Thu Mar 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-106 - Allow auditctl getcap - Allow vdag

Miroslav Grepl mgrepl at fedoraproject.org
Thu Mar 22 19:03:46 UTC 2012


commit 5cb3993d592297e84fe104c706d2c9ddf784a97c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Mar 22 20:03:23 2012 +0100

    * Thu Mar 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-106
    - Allow auditctl getcap
    - Allow vdagent to use libsystemd-login
    - Allow abrt-dump-oops to search /etc/abrt
    - Got these avc's while trying to print a boarding pass from firefo
    - Devicekit is now putting the media directory under /run/media
    - Allow thumbnailers to create content in ~/.thumbails directory
    - Add support for proL2TPd by Dominick Grift
    - Allow all domains to call getcap
    - wdmd seems to get a random chown capability check that it does no
    - Allow vhostmd to read kernel sysctls

 policy-F16.patch    | 2073 +++++++++++++++++++++++++++++++++++++++++----------
 selinux-policy.spec |   14 +-
 2 files changed, 1672 insertions(+), 415 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index ce7ada0..5f9ad72 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -8411,6 +8411,163 @@ index 0000000..a20c704
 +
 +.SH "SEE ALSO"
 +selinux(8), corosync(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/couchdb_selinux.8 b/man/man8/couchdb_selinux.8
+new file mode 100644
+index 0000000..61ec71c
+--- /dev/null
++++ b/man/man8/couchdb_selinux.8
+@@ -0,0 +1,151 @@
++.TH  "couchdb_selinux"  "8"  "couchdb" "dwalsh at redhat.com" "couchdb SELinux Policy documentation"
++.SH "NAME"
++couchdb_selinux \- Security Enhanced Linux Policy for the couchdb processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B couchdb
++(policy for couchdb)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
++.PP 
++The following file types are defined for couchdb:
++
++
++.EX
++.PP
++.B couchdb_etc_t 
++.EE
++
++- Set files with the couchdb_etc_t type, if you want to store couchdb files in the /etc directories.
++
++
++.EX
++.PP
++.B couchdb_exec_t 
++.EE
++
++- Set files with the couchdb_exec_t type, if you want to transition an executable to the couchdb_t domain.
++
++
++.EX
++.PP
++.B couchdb_log_t 
++.EE
++
++- Set files with the couchdb_log_t type, if you want to treat the data as couchdb log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B couchdb_tmp_t 
++.EE
++
++- Set files with the couchdb_tmp_t type, if you want to store couchdb temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B couchdb_unit_file_t 
++.EE
++
++- Set files with the couchdb_unit_file_t type, if you want to treat the files as couchdb unit content.
++
++
++.EX
++.PP
++.B couchdb_var_lib_t 
++.EE
++
++- Set files with the couchdb_var_lib_t type, if you want to store the couchdb files under the /var/lib directory.
++
++
++.EX
++.PP
++.B couchdb_var_run_t 
++.EE
++
++- Set files with the couchdb_var_run_t type, if you want to store the couchdb files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
++.PP 
++The following port types are defined for couchdb:
++
++.EX
++.TP 5
++.B couchdb_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
++.PP 
++The following process types are defined for couchdb:
++
++.EX
++.B couchdb_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), couchdb(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/courier_selinux.8 b/man/man8/courier_selinux.8
 new file mode 100644
 index 0000000..3dc9d81
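
Review bot: the PORT TYPES block of the new couchdb_selinux.8 is malformed: the `.EX` / `.TP 5` / `.B couchdb_port_t` / `.TP 10` / `.EE` run leaves `.TP 10` without a tag line, and the `.EE` after "tcp 8021" has no matching `.EX`, so groff will warn and "Default Defined Ports:" is not set as an example block. Every page in this patch is emitted by genman.py (see `.SH AUTHOR`), so fix the template rather than the generated file, and fix the `\fBls\bP` and `\fBps\bP` escapes in the same pass: `\b` is the troff bracket-building escape, the intended font reset is `\fBls\fP`. "SELinux Linux secures" is a doubled word in the same template, and the `.SH AUTHOR` line carries a trailing tab.
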
@@ -22562,126 +22719,21 @@ index 0000000..5f3d39d
 +
 +.SH "SEE ALSO"
 +selinux(8), jabberd(8), semanage(8), restorecon(8), chcon(1)
-diff --git a/man/man8/kadmind_selinux.8 b/man/man8/kadmind_selinux.8
+diff --git a/man/man8/jockey_selinux.8 b/man/man8/jockey_selinux.8
 new file mode 100644
-index 0000000..b56c5c1
+index 0000000..239af62
 --- /dev/null
-+++ b/man/man8/kadmind_selinux.8
-@@ -0,0 +1,99 @@
-+.TH  "kadmind_selinux"  "8"  "kadmind" "dwalsh at redhat.com" "kadmind SELinux Policy documentation"
-+.SH "NAME"
-+kadmind_selinux \- Security Enhanced Linux Policy for the kadmind processes
-+.SH "DESCRIPTION"
-+
-+
-+
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type. 
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files. 
-+SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
-+.PP 
-+The following file types are defined for kadmind:
-+
-+
-+.EX
-+.PP
-+.B kadmind_exec_t 
-+.EE
-+
-+- Set files with the kadmind_exec_t type, if you want to transition an executable to the kadmind_t domain.
-+
-+.br
-+.TP 5
-+Paths: 
-+/usr/(local/)?(kerberos/)?sbin/kadmind, /usr/kerberos/sbin/kadmin\.local
-+
-+.EX
-+.PP
-+.B kadmind_log_t 
-+.EE
-+
-+- Set files with the kadmind_log_t type, if you want to treat the data as kadmind log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B kadmind_tmp_t 
-+.EE
-+
-+- Set files with the kadmind_tmp_t type, if you want to store kadmind temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B kadmind_var_run_t 
-+.EE
-+
-+- Set files with the kadmind_var_run_t type, if you want to store the kadmind files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
-+.B semanage fcontext 
-+command.  This will modify the SELinux labeling database.  You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for kadmind:
-+
-+.EX
-+.B kadmind_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux 
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR	
-+This manual page was autogenerated by genman.py.
-+
-+.SH "SEE ALSO"
-+selinux(8), kadmind(8), semanage(8), restorecon(8), chcon(1)
-diff --git a/man/man8/kdump_selinux.8 b/man/man8/kdump_selinux.8
-new file mode 100644
-index 0000000..b47a14d
---- /dev/null
-+++ b/man/man8/kdump_selinux.8
-@@ -0,0 +1,121 @@
-+.TH  "kdump_selinux"  "8"  "kdump" "dwalsh at redhat.com" "kdump SELinux Policy documentation"
++++ b/man/man8/jockey_selinux.8
+@@ -0,0 +1,97 @@
++.TH  "jockey_selinux"  "8"  "jockey" "dwalsh at redhat.com" "jockey SELinux Policy documentation"
 +.SH "NAME"
-+kdump_selinux \- Security Enhanced Linux Policy for the kdump processes
++jockey_selinux \- Security Enhanced Linux Policy for the jockey processes
 +.SH "DESCRIPTION"
 +
 +
 +SELinux Linux secures
-+.B kdump
-+(Kernel crash dumping mechanism)
++.B jockey
++(policy for jockey)
 +processes via flexible mandatory access
 +control.  
 +
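
Review bot: the removal of kadmind_selinux.8 and kdump_selinux.8 in this hunk is a move, not a content change: the removed blobs carry the same `index 0000000..b56c5c1` and `index 0000000..b47a14d` hashes as the copies re-added later in this diff, and the only real addition in this region is the new jockey_selinux.8, which sorts between jabberd and kadmind. Regenerating policy-F16.patch with a stable file order (or committing the generated man pages as files instead of carrying them inside a patch) would avoid this churn and leave only the actual change to review.
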
@@ -22693,62 +22745,38 @@ index 0000000..b47a14d
 +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
 +.PP
 +Policy governs the access confined processes have to these files. 
-+SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
++SELinux jockey policy is very flexible allowing users to setup their jockey processes in as secure a method as possible.
 +.PP 
-+The following file types are defined for kdump:
-+
-+
-+.EX
-+.PP
-+.B kdump_etc_t 
-+.EE
-+
-+- Set files with the kdump_etc_t type, if you want to store kdump files in the /etc directories.
++The following file types are defined for jockey:
 +
 +
 +.EX
 +.PP
-+.B kdump_exec_t 
++.B jockey_cache_t 
 +.EE
 +
-+- Set files with the kdump_exec_t type, if you want to transition an executable to the kdump_t domain.
++- Set files with the jockey_cache_t type, if you want to store the files under the /var/cache directory.
 +
-+.br
-+.TP 5
-+Paths: 
-+/usr/sbin/kdump, /usr/sbin/kexec, /sbin/kdump, /sbin/kexec
 +
 +.EX
 +.PP
-+.B kdump_initrc_exec_t 
++.B jockey_exec_t 
 +.EE
 +
-+- Set files with the kdump_initrc_exec_t type, if you want to transition an executable to the kdump_initrc_t domain.
++- Set files with the jockey_exec_t type, if you want to transition an executable to the jockey_t domain.
 +
 +
 +.EX
 +.PP
-+.B kdump_unit_file_t 
++.B jockey_var_log_t 
 +.EE
 +
-+- Set files with the kdump_unit_file_t type, if you want to treat the files as kdump unit content.
-+
-+
-+.EX
-+.PP
-+.B kdumpgui_exec_t 
-+.EE
-+
-+- Set files with the kdumpgui_exec_t type, if you want to transition an executable to the kdumpgui_t domain.
-+
-+
-+.EX
-+.PP
-+.B kdumpgui_tmp_t 
-+.EE
-+
-+- Set files with the kdumpgui_tmp_t type, if you want to store kdumpgui temporary files in the /tmp directories.
++- Set files with the jockey_var_log_t type, if you want to treat the data as jockey var log data, usually stored under the /var/log directory.
 +
++.br
++.TP 5
++Paths: 
++/var/log/jockey\.log, /var/log/jockey(/.*)?
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
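
Review bot: the jockey page's summary "(policy for jockey)" is the placeholder genman.py takes from the module description, so it tells the reader nothing about what jockey is; couchdb, keystone and pacemaker get the same placeholder in this patch. Give the module a one-line description (the kdump page shows the intended form: "(Kernel crash dumping mechanism)"). Two smaller wording issues from the generator in this hunk: "store the files under the /var/cache directory" for jockey_cache_t omits the "jockey" qualifier every other type description carries, and "jockey var log data" for jockey_var_log_t is the type name leaking into prose.
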
@@ -22763,12 +22791,244 @@ index 0000000..b47a14d
 +You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
 +.PP
 +Policy governs the access confined processes have to files. 
-+SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
++SELinux jockey policy is very flexible allowing users to setup their jockey processes in as secure a method as possible.
 +.PP 
-+The following process types are defined for kdump:
++The following process types are defined for jockey:
 +
 +.EX
-+.B kdumpgui_t, kdump_t 
++.B jockey_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), jockey(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/kadmind_selinux.8 b/man/man8/kadmind_selinux.8
+new file mode 100644
+index 0000000..b56c5c1
+--- /dev/null
++++ b/man/man8/kadmind_selinux.8
+@@ -0,0 +1,99 @@
++.TH  "kadmind_selinux"  "8"  "kadmind" "dwalsh at redhat.com" "kadmind SELinux Policy documentation"
++.SH "NAME"
++kadmind_selinux \- Security Enhanced Linux Policy for the kadmind processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
++.PP 
++The following file types are defined for kadmind:
++
++
++.EX
++.PP
++.B kadmind_exec_t 
++.EE
++
++- Set files with the kadmind_exec_t type, if you want to transition an executable to the kadmind_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/(local/)?(kerberos/)?sbin/kadmind, /usr/kerberos/sbin/kadmin\.local
++
++.EX
++.PP
++.B kadmind_log_t 
++.EE
++
++- Set files with the kadmind_log_t type, if you want to treat the data as kadmind log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B kadmind_tmp_t 
++.EE
++
++- Set files with the kadmind_tmp_t type, if you want to store kadmind temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B kadmind_var_run_t 
++.EE
++
++- Set files with the kadmind_var_run_t type, if you want to store the kadmind files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
++.PP 
++The following process types are defined for kadmind:
++
++.EX
++.B kadmind_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), kadmind(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/kdump_selinux.8 b/man/man8/kdump_selinux.8
+new file mode 100644
+index 0000000..b47a14d
+--- /dev/null
++++ b/man/man8/kdump_selinux.8
+@@ -0,0 +1,121 @@
++.TH  "kdump_selinux"  "8"  "kdump" "dwalsh at redhat.com" "kdump SELinux Policy documentation"
++.SH "NAME"
++kdump_selinux \- Security Enhanced Linux Policy for the kdump processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B kdump
++(Kernel crash dumping mechanism)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
++.PP 
++The following file types are defined for kdump:
++
++
++.EX
++.PP
++.B kdump_etc_t 
++.EE
++
++- Set files with the kdump_etc_t type, if you want to store kdump files in the /etc directories.
++
++
++.EX
++.PP
++.B kdump_exec_t 
++.EE
++
++- Set files with the kdump_exec_t type, if you want to transition an executable to the kdump_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/kdump, /usr/sbin/kexec, /sbin/kdump, /sbin/kexec
++
++.EX
++.PP
++.B kdump_initrc_exec_t 
++.EE
++
++- Set files with the kdump_initrc_exec_t type, if you want to transition an executable to the kdump_initrc_t domain.
++
++
++.EX
++.PP
++.B kdump_unit_file_t 
++.EE
++
++- Set files with the kdump_unit_file_t type, if you want to treat the files as kdump unit content.
++
++
++.EX
++.PP
++.B kdumpgui_exec_t 
++.EE
++
++- Set files with the kdumpgui_exec_t type, if you want to transition an executable to the kdumpgui_t domain.
++
++
++.EX
++.PP
++.B kdumpgui_tmp_t 
++.EE
++
++- Set files with the kdumpgui_tmp_t type, if you want to store kdumpgui temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
++.PP 
++The following process types are defined for kdump:
++
++.EX
++.B kdumpgui_t, kdump_t 
 +.EE
 +.PP
 +Note: 
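
Review bot: the re-added kadmind_selinux.8 has an empty DESCRIPTION section (four blank lines between `.SH "DESCRIPTION"` and `.SH FILE CONTEXTS`) because there is no module description for genman.py to emit; either add a description to the module or have the generator omit the section when it has nothing to say, since an empty section reads as a rendering bug. Nothing else in the kadmind and kdump pages differs from the copies removed above.
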
@@ -22968,6 +23228,121 @@ index 0000000..782e48f
 +
 +.SH "SEE ALSO"
 +selinux(8), keyboardd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/keystone_selinux.8 b/man/man8/keystone_selinux.8
+new file mode 100644
+index 0000000..1c2d5b6
+--- /dev/null
++++ b/man/man8/keystone_selinux.8
+@@ -0,0 +1,109 @@
++.TH  "keystone_selinux"  "8"  "keystone" "dwalsh at redhat.com" "keystone SELinux Policy documentation"
++.SH "NAME"
++keystone_selinux \- Security Enhanced Linux Policy for the keystone processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B keystone
++(policy for keystone)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
++.PP 
++The following file types are defined for keystone:
++
++
++.EX
++.PP
++.B keystone_exec_t 
++.EE
++
++- Set files with the keystone_exec_t type, if you want to transition an executable to the keystone_t domain.
++
++
++.EX
++.PP
++.B keystone_log_t 
++.EE
++
++- Set files with the keystone_log_t type, if you want to treat the data as keystone log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B keystone_tmp_t 
++.EE
++
++- Set files with the keystone_tmp_t type, if you want to store keystone temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B keystone_unit_file_t 
++.EE
++
++- Set files with the keystone_unit_file_t type, if you want to treat the files as keystone unit content.
++
++
++.EX
++.PP
++.B keystone_var_lib_t 
++.EE
++
++- Set files with the keystone_var_lib_t type, if you want to store the keystone files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
++.PP 
++The following process types are defined for keystone:
++
++.EX
++.B keystone_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/kismet_selinux.8 b/man/man8/kismet_selinux.8
 new file mode 100644
 index 0000000..678bdc4
@@ -32264,6 +32639,125 @@ index 0000000..9a9b8b8
 +selinux(8), openvpn(8), semanage(8), restorecon(8), chcon(1)
 +, setsebool(8)
 \ No newline at end of file
+diff --git a/man/man8/pacemaker_selinux.8 b/man/man8/pacemaker_selinux.8
+new file mode 100644
+index 0000000..a43fb5b
+--- /dev/null
++++ b/man/man8/pacemaker_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "pacemaker_selinux"  "8"  "pacemaker" "dwalsh at redhat.com" "pacemaker SELinux Policy documentation"
++.SH "NAME"
++pacemaker_selinux \- Security Enhanced Linux Policy for the pacemaker processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B pacemaker
++(policy for pacemaker)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pacemaker policy is very flexible allowing users to setup their pacemaker processes in as secure a method as possible.
++.PP 
++The following file types are defined for pacemaker:
++
++
++.EX
++.PP
++.B pacemaker_exec_t 
++.EE
++
++- Set files with the pacemaker_exec_t type, if you want to transition an executable to the pacemaker_t domain.
++
++
++.EX
++.PP
++.B pacemaker_initrc_exec_t 
++.EE
++
++- Set files with the pacemaker_initrc_exec_t type, if you want to transition an executable to the pacemaker_initrc_t domain.
++
++
++.EX
++.PP
++.B pacemaker_unit_file_t 
++.EE
++
++- Set files with the pacemaker_unit_file_t type, if you want to treat the files as pacemaker unit content.
++
++
++.EX
++.PP
++.B pacemaker_var_lib_t 
++.EE
++
++- Set files with the pacemaker_var_lib_t type, if you want to store the pacemaker files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/pengine(/.*)?, /var/lib/heartbeat/crm(/.*)?
++
++.EX
++.PP
++.B pacemaker_var_run_t 
++.EE
++
++- Set files with the pacemaker_var_run_t type, if you want to store the pacemaker files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pacemaker policy is very flexible allowing users to setup their pacemaker processes in as secure a method as possible.
++.PP 
++The following process types are defined for pacemaker:
++
++.EX
++.B pacemaker_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pacemaker(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/pads_selinux.8 b/man/man8/pads_selinux.8
 new file mode 100644
 index 0000000..f2bc8e8
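
Review bot: the context lines at the top of this hunk show the preceding openvpn_selinux.8 ending with ", setsebool(8)" on a line of its own after "chcon(1)" and with `\ No newline at end of file`. The SEE ALSO continuation that genman.py appends for modules with booleans should be joined to the previous line, and the generator should always emit a final newline; otherwise every later insertion into the patch (such as this pacemaker page) drags that missing-newline marker into its context. The pacemaker page itself is consistent with the others, including its `Paths:` block for pacemaker_var_lib_t.
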
@@ -38298,6 +38792,119 @@ index 0000000..712a06e
 +
 +.SH "SEE ALSO"
 +selinux(8), qpidd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/quantum_selinux.8 b/man/man8/quantum_selinux.8
+new file mode 100644
+index 0000000..779196e
+--- /dev/null
++++ b/man/man8/quantum_selinux.8
+@@ -0,0 +1,107 @@
++.TH  "quantum_selinux"  "8"  "quantum" "dwalsh at redhat.com" "quantum SELinux Policy documentation"
++.SH "NAME"
++quantum_selinux \- Security Enhanced Linux Policy for the quantum processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
++.PP 
++The following file types are defined for quantum:
++
++
++.EX
++.PP
++.B quantum_exec_t 
++.EE
++
++- Set files with the quantum_exec_t type, if you want to transition an executable to the quantum_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/quantum-server, /usr/bin/quantum-ryu-agent, /usr/bin/quantum-linuxbridge-agent, /usr/bin/quantum-openvswitch-agent
++
++.EX
++.PP
++.B quantum_log_t 
++.EE
++
++- Set files with the quantum_log_t type, if you want to treat the data as quantum log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B quantum_tmp_t 
++.EE
++
++- Set files with the quantum_tmp_t type, if you want to store quantum temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B quantum_unit_file_t 
++.EE
++
++- Set files with the quantum_unit_file_t type, if you want to treat the files as quantum unit content.
++
++
++.EX
++.PP
++.B quantum_var_lib_t 
++.EE
++
++- Set files with the quantum_var_lib_t type, if you want to store the quantum files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
++.PP 
++The following process types are defined for quantum:
++
++.EX
++.B quantum_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), quantum(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/quota_selinux.8 b/man/man8/quota_selinux.8
 new file mode 100644
 index 0000000..b90411d
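
Review bot: quantum_selinux.8 has the same empty DESCRIPTION section as kadmind_selinux.8 (blank lines between `.SH "DESCRIPTION"` and `.SH FILE CONTEXTS`); the module needs a description, or the generator should skip the section. The `Paths:` entry for quantum_exec_t labels the server and the ryu, linuxbridge and openvswitch agents alike, so all four transition into the single quantum_t domain; if the agents need privileges the API server does not, that is worth revisiting with separate domains, and a short note in the module about why one domain was chosen would help the next reviewer.
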
@@ -57305,20 +57912,21 @@ index 1308871..c994c93 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index bf24160..d62508b 100644
+index bf24160..4d0bdca 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
-@@ -393,6 +393,9 @@ class system
+@@ -393,6 +393,10 @@ class system
  	syslog_mod
  	syslog_console
  	module_request
 +	halt
 +	reboot
 +	status
++	undefined
  }
  
  #
-@@ -862,3 +865,20 @@ inherits database
+@@ -862,3 +866,20 @@ inherits database
  	implement
  	execute
  }
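
Review bot: the only change in this hunk adds a permission named `undefined` to the kernel `system` class, with no comment, after the `halt`, `reboot` and `status` permissions the F16 patch already carried. A permission whose name says nothing about what it gates is hard to audit and hard to grant under least privilege; add a `#` comment above it (the file already uses `#` comment lines, as the trailing context shows) stating which kernel change it mirrors and which domains are expected to be allowed it, or drop it if it is only a placeholder. The inner hunk headers are updated consistently (`+393,9` to `+393,10`, and the following hunk's `+865` to `+866`).
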
@@ -59692,7 +60300,7 @@ index f387230..e63f9c6 100644
 +
 +/var/run/quota_nld\.pid --  gen_context(system_u:object_r:quota_nld_var_run_t,s0)
 diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
-index bf75d99..2176bf8 100644
+index bf75d99..3fb8575 100644
 --- a/policy/modules/admin/quota.if
 +++ b/policy/modules/admin/quota.if
 @@ -45,6 +45,24 @@ interface(`quota_run',`
@@ -59720,7 +60328,33 @@ index bf75d99..2176bf8 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to get the attributes
-@@ -83,3 +101,59 @@ interface(`quota_manage_flags',`
+@@ -67,6 +85,25 @@ interface(`quota_dontaudit_getattr_db',`
+ ########################################
+ ## <summary>
+ ##	Create, read, write, and delete quota
++##	db files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`quota_manage_db',`
++	gen_require(`
++		type quota_db_t;
++	')
++
++	allow $1 quota_db_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete quota
+ ##	flag files.
+ ## </summary>
+ ## <param name="domain">
+@@ -83,3 +120,59 @@ interface(`quota_manage_flags',`
  	files_search_var_lib($1)
  	manage_files_pattern($1, quota_flag_t, quota_flag_t)
  ')
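Review bot: in `quota_manage_db` the parameter text says "Domain to not audit." although this is an allow interface; it was copied from the dontaudit interface above and should read "Domain allowed access." Note also that the rule grants only `quota_db_t:file manage_file_perms` and no directory permission, unlike `quota_manage_flags` below, which pairs `manage_files_pattern` with `files_search_var_lib($1)`; quota db files sit at the root of each quota-enabled filesystem, so the caller must already be able to search that directory, which the summary should state.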
@@ -65639,7 +66273,7 @@ index 93ac529..4c0895e 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..094d03b 100644
+index fbb5c5a..637eb37 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -65716,11 +66350,15 @@ index fbb5c5a..094d03b 100644
  ')
  
  ########################################
-@@ -228,6 +262,27 @@ interface(`mozilla_run_plugin',`
+@@ -228,6 +262,35 @@ interface(`mozilla_run_plugin',`
  
  	mozilla_domtrans_plugin($1)
  	role $2 types mozilla_plugin_t;
 +	role $2 types mozilla_plugin_config_t;
++
++	optional_policy(`
++		lpd_run_lpr(mozilla_plugin_t, $2)
++	')
 +')
 +
 +#######################################
@@ -65741,10 +66379,14 @@ index fbb5c5a..094d03b 100644
 +
 +    role $1 types mozilla_plugin_t;
 +    role $1 types mozilla_plugin_config_t;
++
++    optional_policy(`
++    	lpd_run_lpr(mozilla_plugin_t, $1)
++    ')
  ')
  
  ########################################
-@@ -269,9 +324,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -269,9 +332,27 @@ interface(`mozilla_rw_tcp_sockets',`
  	allow $1 mozilla_t:tcp_socket rw_socket_perms;
  ')
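Review bot: `lpd_run_lpr(mozilla_plugin_t, $2)` widens the plugin sandbox: every role that can run a plugin now also gets a domain transition from mozilla_plugin_t to lpr_t plus `role $2 types lpr_t`, so a compromised plugin can launch lpr in its own domain. If that is the intended way to print from a plugin, a short comment above the call would save the next reader the question. Style point on the second copy (the interface below, which indents with four spaces): its new lines mix four spaces and a tab (`    	lpd_run_lpr(...)`); use one or the other.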
  
@@ -65773,7 +66415,7 @@ index fbb5c5a..094d03b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -279,28 +352,79 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +360,79 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -65823,12 +66465,11 @@ index fbb5c5a..094d03b 100644
 +interface(`mozilla_plugin_manage_rw_files',`
 +	gen_require(`
 +		type mozilla_plugin_rw_t;
- 	')
- 
--	allow $1 mozilla_plugin_tmpfs_t:file unlink;
++	')
++
 +	allow $1 mozilla_plugin_rw_t:file manage_file_perms;
 +	allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
- ')
++')
 +
 +########################################
 +## <summary>
@@ -65845,8 +66486,9 @@ index fbb5c5a..094d03b 100644
 +
 +	gen_require(`
 +		type mozilla_home_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 mozilla_plugin_tmpfs_t:file unlink;
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
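Review bot: this hunk and the one above only re-anchor where the existing `-	allow $1 mozilla_plugin_tmpfs_t:file unlink;` removal sits relative to the added interface bodies; the resulting mozilla.if is byte-for-byte the same as before, so this is rebase noise rather than a change. The same re-anchoring appears later in the sysadm.te `optional_policy` tail and in the apache.te tunable `<desc>` hunk; none of the three needs review beyond noting that.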
@@ -65858,7 +66500,7 @@ index fbb5c5a..094d03b 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
-+')
+ ')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
 index 2e9318b..15a4200 100644
@@ -69631,10 +70273,12 @@ index 2533ea0..92f0ecb 100644
 +')
 diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc
 new file mode 100644
-index 0000000..b43c093
+index 0000000..930fa33
 --- /dev/null
 +++ b/policy/modules/apps/thumb.fc
-@@ -0,0 +1,12 @@
+@@ -0,0 +1,14 @@
++HOME_DIR/\.thumbnails(/.*)?			gen_context(system_u:object_r:thumb_home_t,s0)
++
 +/usr/bin/evince-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +/usr/bin/gsf-office-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +/usr/bin/gnome-thumbnail-font		--	gen_context(system_u:object_r:thumb_exec_t,s0)
@@ -69758,10 +70402,10 @@ index 0000000..79515db
 +')
 diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
 new file mode 100644
-index 0000000..a5ba4ff
+index 0000000..4d84806
 --- /dev/null
 +++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,93 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -69778,6 +70422,9 @@ index 0000000..a5ba4ff
 +files_tmp_file(thumb_tmp_t)
 +ubac_constrained(thumb_tmp_t)
 +
++type thumb_home_t;
++userdom_user_home_content(thumb_home_t)
++
 +########################################
 +#
 +# thumb local policy
@@ -69795,6 +70442,10 @@ index 0000000..a5ba4ff
 +allow thumb_t self:udp_socket create_socket_perms;
 +allow thumb_t self:tcp_socket create_socket_perms;
 +
++manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
++manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
++
 +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
 +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
 +exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
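Review bot: `userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")` only labels a `~/.thumbnails` directory that thumb_t creates from now on; an existing directory keeps its current label (normally user_home_t) until something relabels it, and nothing in this hunk lets thumb_t write user_home_t. The new `HOME_DIR/\.thumbnails(/.*)?` entry in thumb.fc therefore needs a `restorecon -R ~/.thumbnails` (or a relabel in the package update) for users who already have thumbnails. Minor: thumb_t gets `manage_dirs_pattern` and `manage_files_pattern` on thumb_home_t but no `lnk_file` rule, which is fine only if no thumbnailer creates symlinks there.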
@@ -72427,7 +73078,7 @@ index 4f3b542..63f4e1c 100644
 +	dev_filetrans($1, ppp_device_t, chr_file, "ppp")
 +')
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..5ae71f9 100644
+index 99b71cb..949b72f 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -72571,7 +73222,7 @@ index 99b71cb..5ae71f9 100644
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +176,27 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +176,28 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -72592,6 +73243,7 @@ index 99b71cb..5ae71f9 100644
 +network_port(luci, tcp,8084,s0)
  network_port(lmtp, tcp,24,s0, udp,24,s0)
  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
++network_port(l2tp, tcp,1701,s0, udp,1701,s0)
  network_port(mail, tcp,2000,s0, tcp,3905,s0)
 +network_port(matahari, tcp,49000,s0, udp,49000,s0)
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
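Review bot: the new `network_port(l2tp, tcp,1701,s0, udp,1701,s0)` line is placed after the `lrrd_port_t` line, which breaks the alphabetical order this file keeps (l2tp sorts before lmtp and luci); move it up. Also confirm no other `network_port` entry in corenetwork.te.in already claims 1701, since a duplicate or overlapping portcon for the same port fails the policy build.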
@@ -72602,7 +73254,7 @@ index 99b71cb..5ae71f9 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +206,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +207,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -72635,7 +73287,12 @@ index 99b71cb..5ae71f9 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -179,34 +243,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -175,38 +240,46 @@ network_port(pulseaudio, tcp,4713,s0)
+ network_port(puppet, tcp, 8140, s0)
+ network_port(pxe, udp,4011,s0)
+ network_port(pyzor, udp,24441,s0)
++network_port(quantum, tcp,9696,s0)
+ network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
@@ -72683,7 +73340,7 @@ index 99b71cb..5ae71f9 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +286,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +288,12 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -72697,7 +73354,7 @@ index 99b71cb..5ae71f9 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +303,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +305,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -72705,7 +73362,7 @@ index 99b71cb..5ae71f9 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +313,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +315,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -72718,7 +73375,7 @@ index 99b71cb..5ae71f9 100644
  
  ########################################
  #
-@@ -282,9 +363,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +365,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -74494,7 +75151,7 @@ index 08f01e7..d8c1d48 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..3ded83e 100644
+index 6a1e4d1..ffaa90a 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -75,34 +75,6 @@ interface(`domain_base_type',`
@@ -74550,7 +75207,32 @@ index 6a1e4d1..3ded83e 100644
  ##	</summary>
  ## </param>
  #
-@@ -1530,4 +1502,29 @@ interface(`domain_unconfined',`
+@@ -1356,6 +1328,24 @@ interface(`domain_manage_all_entry_files',`
+ 
+ ########################################
+ ## <summary>
++##	Relabel from domain types on files if a user managed to mislable
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`domain_relabelfrom',`
++	gen_require(`
++		attribute domain;
++	')
++
++	allow $1 domain:dir_file_class_set relabelfrom_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Relabel to and from all entry point
+ ##	file types.
+ ## </summary>
+@@ -1530,4 +1520,29 @@ interface(`domain_unconfined',`
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
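Review bot: typo in the `domain_relabelfrom` summary, "mislable" should be "mislabel", and the sentence should say what is granted: `getattr` and `relabelfrom` (that is `relabelfrom_file_perms`) on every class in `dir_file_class_set` labeled with any `domain` type. Because the `domain` attribute covers every process type, this is a broad interface, and no caller of it appears in the hunks shown; if its only purpose is letting an administrator undo a bad `chcon`, say so in the summary and keep callers to admin domains.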
@@ -74581,7 +75263,7 @@ index 6a1e4d1..3ded83e 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..c941172 100644
+index fae1ab1..d8ec4d2 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -74621,7 +75303,7 @@ index fae1ab1..c941172 100644
  
  # create child processes in the domain
 -allow domain self:process { fork sigchld };
-+allow domain self:process { fork getsched sigchld };
++allow domain self:process { getcap fork getsched sigchld };
  
  # Use trusted objects in /dev
 +dev_read_cpu_online(domain)
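Review bot: `getcap` here is `self:process getcap`, reading a process's own capability sets (capget on itself), which is harmless to grant to every domain; but once `domain` carries it, any per-domain `allow X self:process getcap;` rule elsewhere in the policy becomes redundant and can be dropped in a follow-up. The permission list was alphabetical before (`fork getsched sigchld`); putting `getcap` first breaks that, so prefer `{ fork getcap getsched sigchld }`.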
@@ -74682,7 +75364,7 @@ index fae1ab1..c941172 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +199,245 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +199,252 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -74693,6 +75375,8 @@ index fae1ab1..c941172 100644
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
 +
++files_filetrans_named_content(unconfined_domain_type)
++
 +storage_filetrans_all_named_dev(unconfined_domain_type)
 +
 +term_filetrans_all_named_dev(unconfined_domain_type)
@@ -74701,9 +75385,7 @@ index fae1ab1..c941172 100644
 +	init_status(unconfined_domain_type)
 +	init_reboot(unconfined_domain_type)
 +	init_halt(unconfined_domain_type)
-+	systemd_login_status(unconfined_domain_type)
-+	systemd_login_reboot(unconfined_domain_type)
-+	systemd_login_halt(unconfined_domain_type)
++	init_undefined(unconfined_domain_type)
 +')
 +
 +optional_policy(`
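Review bot: moving the three `systemd_login_*` calls out of the init `optional_policy` block into their own block (next hunk) is the right fix: an `optional_policy` is disabled as a whole when any interface inside it is unavailable, so with systemd-login interfaces mixed in, a build without the systemd module would also have lost `init_status`, `init_reboot` and `init_halt` for unconfined domains. Two remaining points: `init_undefined` here and `systemd_login_undefined` in the next hunk are called but not defined in any hunk shown, and `files_filetrans_named_content(unconfined_domain_type)` is added with no comment that it exists to label the `media` directory under `/run` as `mnt_t` (see the files.if hunk).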
@@ -74798,6 +75480,13 @@ index fae1ab1..c941172 100644
 +')
 +
 +optional_policy(`
++	systemd_login_status(unconfined_domain_type)
++	systemd_login_reboot(unconfined_domain_type)
++	systemd_login_halt(unconfined_domain_type)
++	systemd_login_undefined(unconfined_domain_type)
++')
++
++optional_policy(`
 +	userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
 +	userdom_filetrans_home_content(unconfined_domain_type)
 +')
@@ -75051,7 +75740,7 @@ index c19518a..04ef731 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..b733da8 100644
+index ff006ea..0833750 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -76627,7 +77316,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -6117,3 +6899,302 @@ interface(`files_unconfined',`
+@@ -6117,3 +6899,320 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -76930,6 +77619,24 @@ index ff006ea..b733da8 100644
 +
 +	allow $1 non_security_file_type:file_class_set unlink;
 +')
++
++########################################
++## <summary>
++##	Transition named content in the var_run_t directory
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_filetrans_named_content',`
++	gen_require(`
++		type var_run_t, mnt_t;
++	')
++
++	files_pid_filetrans($1, mnt_t, dir, "media")
++')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 22821ff..4486d80 100644
 --- a/policy/modules/kernel/files.te
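Review bot: the summary of `files_filetrans_named_content` ("Transition named content in the var_run_t directory") should say what the body does: create the `media` directory under `/var/run` (`/run`) with type `mnt_t`. The `gen_require` of `var_run_t` is unused, since `files_pid_filetrans` carries its own require; drop it. The parameter `<summary>` is indented with spaces where the rest of the file uses tabs. And a name-based transition only labels `media` at creation time; no `/run/media` or `/var/run/media` file-context entry appears in this excerpt, so `restorecon -R /run` would set the directory back to var_run_t unless files.fc gets a matching line.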
@@ -80355,10 +81062,10 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..508f5b4 100644
+index e14b961..547faa4 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,65 @@ policy_module(sysadm, 2.2.1)
+@@ -5,39 +5,69 @@ policy_module(sysadm, 2.2.1)
  # Declarations
  #
  
@@ -80385,12 +81092,15 @@ index e14b961..508f5b4 100644
  
  corecmd_exec_shell(sysadm_t)
  
++dev_filetrans_all_named_dev(sysadm_t)
++
 +domain_dontaudit_read_all_domains_state(sysadm_t)
 +
 +files_read_kernel_modules(sysadm_t)
++files_filetrans_named_content(sysadm_t)
 +
-+dev_filetrans_all_named_dev(sysadm_t)
 +storage_filetrans_all_named_dev(sysadm_t)
++
 +term_filetrans_all_named_dev(sysadm_t)
 +
  mls_process_read_up(sysadm_t)
@@ -80412,6 +81122,7 @@ index e14b961..508f5b4 100644
 +init_status(sysadm_t)
 +init_reboot(sysadm_t)
 +init_halt(sysadm_t)
++init_undefined(sysadm_t)
 +
 +logging_filetrans_named_content(sysadm_t)
 +
@@ -80435,7 +81146,7 @@ index e14b961..508f5b4 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -51,13 +77,8 @@ ifdef(`direct_sysadm_daemon',`
+@@ -51,13 +81,8 @@ ifdef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -80450,7 +81161,7 @@ index e14b961..508f5b4 100644
  	domain_ptrace_all_domains(sysadm_t)
  ')
  
-@@ -67,9 +88,9 @@ optional_policy(`
+@@ -67,9 +92,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -80461,7 +81172,7 @@ index e14b961..508f5b4 100644
  ')
  
  optional_policy(`
-@@ -98,6 +119,10 @@ optional_policy(`
+@@ -98,6 +123,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80472,7 +81183,7 @@ index e14b961..508f5b4 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -110,11 +135,20 @@ optional_policy(`
+@@ -110,11 +139,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80495,7 +81206,7 @@ index e14b961..508f5b4 100644
  ')
  
  optional_policy(`
-@@ -128,6 +162,10 @@ optional_policy(`
+@@ -128,6 +166,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80506,7 +81217,7 @@ index e14b961..508f5b4 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -163,6 +201,13 @@ optional_policy(`
+@@ -163,6 +205,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -80520,7 +81231,7 @@ index e14b961..508f5b4 100644
  ')
  
  optional_policy(`
-@@ -170,15 +215,20 @@ optional_policy(`
+@@ -170,15 +219,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80544,7 +81255,7 @@ index e14b961..508f5b4 100644
  ')
  
  optional_policy(`
-@@ -198,22 +248,20 @@ optional_policy(`
+@@ -198,22 +252,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -80573,7 +81284,7 @@ index e14b961..508f5b4 100644
  ')
  
  optional_policy(`
-@@ -225,25 +273,47 @@ optional_policy(`
+@@ -225,25 +277,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80621,7 +81332,7 @@ index e14b961..508f5b4 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
  ')
-@@ -253,31 +323,32 @@ optional_policy(`
+@@ -253,31 +327,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80661,7 +81372,7 @@ index e14b961..508f5b4 100644
  ')
  
  optional_policy(`
-@@ -302,12 +373,18 @@ optional_policy(`
+@@ -302,12 +377,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80681,7 +81392,7 @@ index e14b961..508f5b4 100644
  ')
  
  optional_policy(`
-@@ -332,7 +409,13 @@ optional_policy(`
+@@ -332,7 +413,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80693,10 +81404,11 @@ index e14b961..508f5b4 100644
 +	systemd_login_status(sysadm_t)
 +	systemd_login_reboot(sysadm_t)
 +	systemd_login_halt(sysadm_t)
++	systemd_login_undefined(sysadm_t)
  ')
  
  optional_policy(`
-@@ -343,19 +426,15 @@ optional_policy(`
+@@ -343,19 +431,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80718,7 +81430,7 @@ index e14b961..508f5b4 100644
  ')
  
  optional_policy(`
-@@ -367,45 +446,45 @@ optional_policy(`
+@@ -367,45 +451,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80775,7 +81487,7 @@ index e14b961..508f5b4 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -418,10 +497,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +502,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -80786,7 +81498,7 @@ index e14b961..508f5b4 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +514,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +519,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -80794,7 +81506,7 @@ index e14b961..508f5b4 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +522,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +527,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -80805,8 +81517,9 @@ index e14b961..508f5b4 100644
  	optional_policy(`
 -		java_role(sysadm_r, sysadm_t)
 +		lockdev_role(sysadm_r, sysadm_t)
-+	')
-+
+ 	')
+-')
+ 
 +	optional_policy(`
 +		mock_admin(sysadm_t)
 +	')
@@ -80845,9 +81558,8 @@ index e14b961..508f5b4 100644
 +
 +	optional_policy(`
 +		uml_role(sysadm_r, sysadm_t)
- 	')
--')
- 
++	')
++
 +	optional_policy(`
 +		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
 +	')
@@ -82606,7 +83318,7 @@ index 0b827c5..ac79ca6 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..4038dc6 100644
+index 30861ec..07f46bc 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -82978,7 +83690,7 @@ index 30861ec..4038dc6 100644
 +read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 +read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 +
-+allow abrt_dump_oops_t abrt_etc_t:file read_file_perms;
++read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
 +
 +kernel_read_kernel_sysctls(abrt_dump_oops_t)
 +kernel_read_ring_buffer(abrt_dump_oops_t)
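Review bot: replacing the bare `allow abrt_dump_oops_t abrt_etc_t:file read_file_perms` with `read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)` adds `search` on abrt_etc_t directories, which is what the old rule lacked. If abrt-dump-oops also enumerates `/etc/abrt` (readdir) it will still need `list_dir_perms` on abrt_etc_t, and reaching `/etc` itself relies on a `files_search_etc` or `files_read_etc_files` call that is not in this hunk; worth confirming both are present before closing the report.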
@@ -83606,7 +84318,7 @@ index deca9d3..ac92fce 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..c5c0af6 100644
+index 9e39aa5..8166ed1 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -1,21 +1,33 @@
@@ -83697,7 +84409,7 @@ index 9e39aa5..c5c0af6 100644
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/mediawiki(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,28 +91,40 @@ ifdef(`distro_suse', `
+@@ -73,28 +91,41 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -83725,8 +84437,9 @@ index 9e39aa5..c5c0af6 100644
 +/var/log/httpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/jetty(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/php-fpm(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/suphp\.log			--	gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/suphp\.log	--	gen_context(system_u:object_r:httpd_log_t,s0)
  
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
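Review bot: labeling `/var/log/php-fpm(/.*)?` as httpd_log_t covers the log directory only; nothing in this excerpt labels php-fpm's pid file or listening socket directory (a `/var/run/php-fpm(/.*)?` entry as httpd_var_run_t would be the usual pairing) or its configuration. If php-fpm is meant to run in httpd_t, check those contexts as well so the daemon is not denied before it writes its first log line. The `/var/log/suphp\.log` change in this hunk is whitespace only.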
@@ -83742,7 +84455,7 @@ index 9e39aa5..c5c0af6 100644
  /var/run/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -104,8 +134,26 @@ ifdef(`distro_debian', `
+@@ -104,8 +135,26 @@ ifdef(`distro_debian', `
  /var/spool/viewvc(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
  
  /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -84494,10 +85207,10 @@ index 6480167..4fc1968 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..46c1cf3 100644
+index 3136c6a..0a79c81 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,136 +18,233 @@ policy_module(apache, 2.2.1)
+@@ -18,136 +18,240 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -84620,17 +85333,17 @@ index 3136c6a..46c1cf3 100644
  gen_tunable(httpd_can_sendmail, false)
  
 +
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
 +##  <p>
 +##  Allow http daemon to connect to zabbix
 +##  </p>
 +## </desc>
 +gen_tunable(httpd_can_connect_zabbix, false)
 +
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
 +##	<p>
 +##	Allow http daemon to check spam
 +##	</p>
@@ -84776,6 +85489,13 @@ index 3136c6a..46c1cf3 100644
 +## </desc>
 +gen_tunable(allow_httpd_sys_script_anon_write, false)
 +
++## <desc>
++##	<p>
++##	Allow httpd to communicate with oddjob to start up a service
++##	</p>
++## </desc>
++gen_tunable(httpd_use_oddjob, false)
++
  attribute httpdcontent;
  attribute httpd_user_content_type;
 +attribute httpd_content_type;
@@ -84787,7 +85507,7 @@ index 3136c6a..46c1cf3 100644
  attribute httpd_script_exec_type;
  attribute httpd_user_script_exec_type;
  
-@@ -166,7 +263,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +270,7 @@ files_type(httpd_cache_t)
  
  # httpd_config_t is the type given to the configuration files
  type httpd_config_t;
@@ -84796,7 +85516,7 @@ index 3136c6a..46c1cf3 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -177,6 +274,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +281,9 @@ role system_r types httpd_helper_t;
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
@@ -84806,7 +85526,7 @@ index 3136c6a..46c1cf3 100644
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -216,7 +316,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +323,21 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -84829,7 +85549,7 @@ index 3136c6a..46c1cf3 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +340,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +347,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -84840,7 +85560,7 @@ index 3136c6a..46c1cf3 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +351,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +358,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -84848,7 +85568,7 @@ index 3136c6a..46c1cf3 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +373,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +380,23 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -84872,7 +85592,7 @@ index 3136c6a..46c1cf3 100644
  ########################################
  #
  # Apache server local policy
-@@ -281,11 +409,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +416,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -84886,7 +85606,7 @@ index 3136c6a..46c1cf3 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +459,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +466,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -84897,7 +85617,7 @@ index 3136c6a..46c1cf3 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +470,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +477,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -84908,7 +85628,7 @@ index 3136c6a..46c1cf3 100644
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +487,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +494,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -84918,7 +85638,7 @@ index 3136c6a..46c1cf3 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +500,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +507,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -84936,7 +85656,7 @@ index 3136c6a..46c1cf3 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +518,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +525,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -84952,7 +85672,7 @@ index 3136c6a..46c1cf3 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +531,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +538,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -84960,7 +85680,7 @@ index 3136c6a..46c1cf3 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +543,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +550,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -85064,7 +85784,7 @@ index 3136c6a..46c1cf3 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +650,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,25 +657,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -85122,7 +85842,7 @@ index 3136c6a..46c1cf3 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +708,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +715,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -85139,7 +85859,7 @@ index 3136c6a..46c1cf3 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +732,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +739,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -85160,7 +85880,7 @@ index 3136c6a..46c1cf3 100644
  ')
  
  optional_policy(`
-@@ -513,7 +756,13 @@ optional_policy(`
+@@ -513,7 +763,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85175,7 +85895,7 @@ index 3136c6a..46c1cf3 100644
  ')
  
  optional_policy(`
-@@ -528,7 +777,19 @@ optional_policy(`
+@@ -528,7 +784,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -85196,7 +85916,7 @@ index 3136c6a..46c1cf3 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +798,13 @@ optional_policy(`
+@@ -537,8 +805,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85211,7 +85931,7 @@ index 3136c6a..46c1cf3 100644
  	')
  ')
  
-@@ -556,7 +822,21 @@ optional_policy(`
+@@ -556,7 +829,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85233,7 +85953,7 @@ index 3136c6a..46c1cf3 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +847,7 @@ optional_policy(`
+@@ -567,6 +854,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -85241,7 +85961,7 @@ index 3136c6a..46c1cf3 100644
  ')
  
  optional_policy(`
-@@ -577,6 +858,20 @@ optional_policy(`
+@@ -577,6 +865,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85262,7 +85982,7 @@ index 3136c6a..46c1cf3 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +886,11 @@ optional_policy(`
+@@ -591,6 +893,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85274,7 +85994,7 @@ index 3136c6a..46c1cf3 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +903,12 @@ optional_policy(`
+@@ -603,6 +910,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -85287,7 +86007,7 @@ index 3136c6a..46c1cf3 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +922,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +929,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -85300,7 +86020,7 @@ index 3136c6a..46c1cf3 100644
  
  ########################################
  #
-@@ -654,28 +964,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +971,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -85344,7 +86064,7 @@ index 3136c6a..46c1cf3 100644
  ')
  
  ########################################
-@@ -685,6 +997,8 @@ optional_policy(`
+@@ -685,6 +1004,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -85353,7 +86073,7 @@ index 3136c6a..46c1cf3 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1013,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1020,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -85379,7 +86099,7 @@ index 3136c6a..46c1cf3 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1059,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1066,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -85412,7 +86132,7 @@ index 3136c6a..46c1cf3 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1106,25 @@ optional_policy(`
+@@ -769,6 +1113,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -85438,7 +86158,7 @@ index 3136c6a..46c1cf3 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1145,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1152,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -85456,7 +86176,7 @@ index 3136c6a..46c1cf3 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1164,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1171,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -85513,7 +86233,7 @@ index 3136c6a..46c1cf3 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1215,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1222,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -85544,7 +86264,7 @@ index 3136c6a..46c1cf3 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1250,20 @@ optional_policy(`
+@@ -842,10 +1257,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -85565,7 +86285,7 @@ index 3136c6a..46c1cf3 100644
  ')
  
  ########################################
-@@ -891,11 +1309,135 @@ optional_policy(`
+@@ -891,11 +1316,135 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -95606,7 +96326,7 @@ index f706b99..d41e4fe 100644
 +	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..59b0d53 100644
+index f231f17..f5e84bd 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -16,6 +16,7 @@ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
@@ -95637,7 +96357,7 @@ index f231f17..59b0d53 100644
  allow devicekit_disk_t self:process { getsched signal_perms };
  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -75,10 +80,13 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -75,10 +80,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
  
@@ -95645,13 +96365,14 @@ index f231f17..59b0d53 100644
  manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
  manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
  files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
++files_filetrans_named_content(devicekit_disk_t)
  
 +kernel_list_unlabeled(devicekit_disk_t)
 +kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
  kernel_getattr_message_if(devicekit_disk_t)
  kernel_read_fs_sysctls(devicekit_disk_t)
  kernel_read_network_state(devicekit_disk_t)
-@@ -97,6 +105,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
+@@ -97,6 +106,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
  dev_manage_generic_files(devicekit_disk_t)
  dev_getattr_all_chr_files(devicekit_disk_t)
  dev_getattr_mtrr_dev(devicekit_disk_t)
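Review bot: `files_filetrans_named_content(devicekit_disk_t)` is a blanket interface that installs every named file transition the files module defines, with no comment saying which single directory name devicekit_disk_t actually needs to create with a different label. The line directly above already gives this domain `files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })`, so a dedicated named transition for just that one directory would produce the same labeling with far less surface; if the broad interface is kept, add a comment naming the directory it is there for so the next reviewer does not have to reverse it from audit logs.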
@@ -95659,7 +96380,7 @@ index f231f17..59b0d53 100644
  
  domain_getattr_all_pipes(devicekit_disk_t)
  domain_getattr_all_sockets(devicekit_disk_t)
-@@ -105,14 +114,17 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -105,14 +115,17 @@ domain_read_all_domains_state(devicekit_disk_t)
  
  files_dontaudit_read_all_symlinks(devicekit_disk_t)
  files_getattr_all_sockets(devicekit_disk_t)
@@ -95678,7 +96399,7 @@ index f231f17..59b0d53 100644
  fs_list_inotifyfs(devicekit_disk_t)
  fs_manage_fusefs_dirs(devicekit_disk_t)
  fs_mount_all_fs(devicekit_disk_t)
-@@ -127,14 +139,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -127,14 +140,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
  storage_raw_read_removable_device(devicekit_disk_t)
  storage_raw_write_removable_device(devicekit_disk_t)
  
@@ -95697,7 +96418,7 @@ index f231f17..59b0d53 100644
  
  optional_policy(`
  	dbus_system_bus_client(devicekit_disk_t)
-@@ -178,55 +193,84 @@ optional_policy(`
+@@ -178,55 +194,84 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -95787,7 +96508,7 @@ index f231f17..59b0d53 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -235,7 +279,12 @@ optional_policy(`
+@@ -235,7 +280,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -95800,7 +96521,7 @@ index f231f17..59b0d53 100644
  ')
  
  optional_policy(`
-@@ -261,14 +310,21 @@ optional_policy(`
+@@ -261,14 +311,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -95823,7 +96544,7 @@ index f231f17..59b0d53 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +332,30 @@ optional_policy(`
+@@ -276,9 +333,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -103598,29 +104319,35 @@ index ca5cfdf..554ad30 100644
  
 diff --git a/policy/modules/services/l2tpd.fc b/policy/modules/services/l2tpd.fc
 new file mode 100644
-index 0000000..76d879e
+index 0000000..6b27066
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,18 @@
++/etc/prol2tp(/.*)?	gen_context(system_u:object_r:l2tp_etc_t,s0)
 +
-+/etc/rc\.d/init\.d/xl2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/openl2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/prol2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/xl2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
 +
-+/usr/sbin/xl2tpd		--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+/usr/sbin/openl2tpd		--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+
-+/var/run/xl2tpd(/.*)?			gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/etc/sysconfig/prol2tpd	--	gen_context(system_u:object_r:l2tp_etc_t,s0)
 +
-+/var/run/xl2tpd\.pid			gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/usr/sbin/openl2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/sbin/prol2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/sbin/xl2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
 +
++/var/run/openl2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd(/.*)?	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd\.ctl	-s	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/xl2tpd(/.*)?	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/xl2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
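Review bot: the new config type in l2tpd.fc is named `l2tp_etc_t` for both `/etc/prol2tp(/.*)?` and `/etc/sysconfig/prol2tpd`, while every other type in this module carries the `l2tpd_` prefix (`l2tpd_exec_t`, `l2tpd_initrc_exec_t`, `l2tpd_var_run_t`, `l2tpd_tmp_t`); `l2tpd_etc_t` would follow the module's own convention and make the admin interface's type list read consistently. The rest of the file is an improvement: the entries are now sorted, the `--` and `-s` qualifiers are explicit for the pid file and the `prol2tpd\.ctl` control socket, and the `/var/run/prol2tpd(/.*)?` directory pattern does not swallow the `\.ctl` and `\.pid` entries because the group requires a leading slash.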
 diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if
 new file mode 100644
-index 0000000..c8b246f
+index 0000000..2021c49
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.if
-@@ -0,0 +1,118 @@
-+
-+## <summary>policy for l2tpd</summary>
+@@ -0,0 +1,157 @@
++## <summary>Layer 2 Tunneling Protocol daemons.</summary>
 +
 +########################################
 +## <summary>
@@ -103641,7 +104368,6 @@ index 0000000..c8b246f
 +	domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
 +')
 +
-+
 +########################################
 +## <summary>
 +##	Execute l2tpd server in the l2tpd domain.
@@ -103660,6 +104386,42 @@ index 0000000..c8b246f
 +	init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
 +')
 +
++########################################
++## <summary>
++##	Send to l2tpd via a unix dgram socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`l2tpd_dgram_send',`
++	gen_require(`
++		type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
++	')
++
++	files_search_tmp($1)
++	dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
++')
++
++########################################
++## <summary>
++##	Read and write l2tpd sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`l2tpd_rw_socket',`
++	gen_require(`
++		type l2tpd_t;
++	')
++
++	allow $1 l2tpd_t:socket rw_socket_perms;
++')
 +
 +########################################
 +## <summary>
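Review bot: `l2tpd_dgram_send` lets the caller send to sockets labeled `l2tpd_var_run_t` as well as `l2tpd_tmp_t` but only adds `files_search_tmp($1)`; a caller reaching a socket under /var/run also needs `files_search_pids($1)`, otherwise callers that do not already hold that permission will hit a search denial on the pid directory before the `unix_dgram_socket sendto` is ever evaluated. In `l2tpd_rw_socket`, `allow $1 l2tpd_t:socket rw_socket_perms;` is on the generic `socket` class, which covers every socket of an unmodeled family that l2tpd_t owns, not one specific socket; a one-line comment that this is the pppox socket (see the `# net-pf-24 (pppox)` comment in l2tpd.te) would explain why a generic class is used here.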
@@ -103717,13 +104479,13 @@ index 0000000..c8b246f
 +#
 +interface(`l2tpd_admin',`
 +	gen_require(`
-+		type l2tpd_t;
-+	type l2tpd_initrc_exec_t;
-+	type l2tpd_var_run_t;
++		type l2tpd_t, l2tpd_initrc_exec_t. l2tpd_var_run_t;
++		type l2tp_etc_t, l2tpd_tmp_t;
 +	')
 +
 +	allow $1 l2tpd_t:process signal_perms;
 +	ps_process_pattern($1, l2tpd_t)
++
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 l2tpd_t:process ptrace;
 +	')
@@ -103733,16 +104495,21 @@ index 0000000..c8b246f
 +	role_transition $2 l2tpd_initrc_exec_t system_r;
 +	allow $2 system_r;
 +
++	files_search_etc($1)
++	admin_pattern($1, l2tp_etc_t)
++
 +	files_search_pids($1)
 +	admin_pattern($1, l2tpd_var_run_t)
-+')
 +
++	files_search_tmp($1)
++	admin_pattern($1, l2tpd_tmp_t)
++')
 diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
 new file mode 100644
-index 0000000..de801ff
+index 0000000..deb55ee
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,91 @@
 +policy_module(l2tpd, 1.0.0)
 +
 +########################################
@@ -103757,19 +104524,31 @@ index 0000000..de801ff
 +type l2tpd_initrc_exec_t;
 +init_script_file(l2tpd_initrc_exec_t)
 +
++type l2tp_etc_t;
++files_config_file(l2tp_etc_t)
++
++type l2tpd_tmp_t;
++files_tmp_file(l2tpd_tmp_t)
++
 +type l2tpd_var_run_t;
 +files_pid_file(l2tpd_var_run_t)
 +
 +########################################
 +#
-+# l2tpd local policy
++# Local policy
 +#
-+allow l2tpd_t self:capability net_bind_service;
-+allow l2tpd_t self:process signal;
 +
++allow l2tpd_t self:capability { net_admin net_bind_service };
++allow l2tpd_t self:process signal;
 +allow l2tpd_t self:fifo_file rw_fifo_file_perms;
-+allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
++allow l2tpd_t self:netlink_socket create_socket_perms;
++allow l2tpd_t self:rawip_socket create_socket_perms;
++allow l2tpd_t self:socket create_socket_perms;
 +allow l2tpd_t self:tcp_socket create_stream_socket_perms;
++allow l2tpd_t self:unix_dgram_socket sendto;
++allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(l2tpd_t, l2tp_etc_t, l2tp_etc_t)
 +
 +manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
 +manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
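Review bot: the capability line grows from `net_bind_service` to `{ net_admin net_bind_service }` and the domain gains `netlink_socket`, `rawip_socket` and generic `socket` create rights in the same step, with no comment on which of the three daemons (xl2tpd, openl2tpd, prol2tpd) needs which. `net_admin` plus a netlink socket is presumably for kernel L2TP tunnel setup, the raw IP socket presumably for an L2TPv3-over-IP mode, and the generic `socket` class for the pppox socket called out by the `# net-pf-24 (pppox)` comment further down; a comment per line in the same style would let these be split per daemon later instead of staying as one union of everything any of them needs. Also, `allow l2tpd_t self:unix_dgram_socket sendto;` grants only `sendto` on that class: if the daemon creates the unix dgram socket itself it will also need `create_socket_perms` there, so check which side creates it.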
@@ -103777,10 +104556,34 @@ index 0000000..de801ff
 +manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
 +files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
 +
++manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
++files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
++
++corenet_all_recvfrom_unlabeled(l2tpd_t)
++corenet_all_recvfrom_netlabel(l2tpd_t)
++corenet_raw_sendrecv_generic_if(l2tpd_t)
++corenet_tcp_sendrecv_generic_if(l2tpd_t)
++corenet_udp_sendrecv_generic_if(l2tpd_t)
++corenet_raw_bind_generic_node(l2tpd_t)
 +corenet_tcp_bind_generic_node(l2tpd_t)
 +corenet_udp_bind_generic_node(l2tpd_t)
-+corenet_udp_bind_generic_port(l2tpd_t)
++corenet_raw_sendrecv_generic_node(l2tpd_t)
++corenet_tcp_sendrecv_generic_node(l2tpd_t)
++corenet_udp_sendrecv_generic_node(l2tpd_t)
++
 +corenet_tcp_bind_all_rpc_ports(l2tpd_t)
++corenet_udp_bind_generic_port(l2tpd_t)
++
++corenet_udp_bind_l2tp_port(l2tpd_t)
++corenet_udp_sendrecv_l2tp_port(l2tpd_t)
++corenet_sendrecv_l2tp_server_packets(l2tpd_t)
++
++kernel_read_network_state(l2tpd_t)
++# net-pf-24 (pppox)
++kernel_request_load_module(l2tpd_t)
++
++# prol2tpc
++corecmd_exec_bin(l2tpd_t)
 +
 +dev_read_urand(l2tpd_t)
 +
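Review bot: `corenet_tcp_bind_all_rpc_ports(l2tpd_t)` survives from the earlier version of this module right next to the new `corenet_udp_bind_l2tp_port` / `corenet_udp_sendrecv_l2tp_port` rules; an L2TP daemon has no business binding the RPC port range, and the rule lets it occupy any of those ports, so it should be dropped or justified with a comment. `corenet_udp_bind_generic_port(l2tpd_t)` is similarly broad now that the dedicated l2tp port rule exists. Two caveats on the commented lines: `kernel_request_load_module` permits the daemon to trigger autoload of any module name the kernel will resolve, not only pppox, which is inherent to that permission; and `corecmd_exec_bin(l2tpd_t)` for prol2tpc lets the daemon execute any `bin_t` binary, so if prol2tpc is the only helper a dedicated exec type would be tighter.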
@@ -103793,6 +104596,11 @@ index 0000000..de801ff
 +miscfiles_read_localization(l2tpd_t)
 +
 +sysnet_dns_name_resolve(l2tpd_t)
++
++optional_policy(`
++	ppp_domtrans(l2tpd_t)
++	ppp_signal(l2tpd_t)
++')
 diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
 index c62f23e..63e3be1 100644
 --- a/policy/modules/services/ldap.fc
@@ -104463,7 +105271,7 @@ index 5c9eb68..ca4fd2b 100644
  /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
 +/var/spool/turboprint(/.*)?	gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh)
 diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
-index a4f32f5..32824fb 100644
+index a4f32f5..628b63c 100644
 --- a/policy/modules/services/lpd.if
 +++ b/policy/modules/services/lpd.if
 @@ -14,6 +14,7 @@
@@ -104504,8 +105312,41 @@ index a4f32f5..32824fb 100644
  	gen_require(`
  		type lpr_t, lpr_exec_t;
  	')
+@@ -196,6 +200,32 @@ template(`lpd_domtrans_lpr',`
+ 
+ ########################################
+ ## <summary>
++##	Execute lpr in the lpr domain, and
++##	allow the specified role the lpr domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`lpd_run_lpr',`
++	gen_require(`
++		type lpr_t;
++	')
++
++	lpd_domtrans_lpr($1)
++	role $2 types lpr_t;
++')
++
++########################################
++## <summary>
+ ##	Allow the specified domain to execute lpr
+ ##	in the caller domain.
+ ## </summary>
 diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index 93c14ca..27d96e1 100644
+index 93c14ca..6abf078 100644
 --- a/policy/modules/services/lpd.te
 +++ b/policy/modules/services/lpd.te
 @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
@@ -104612,6 +105453,16 @@ index 93c14ca..27d96e1 100644
  
  optional_policy(`
  	cups_read_config(lpr_t)
+@@ -326,5 +317,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	gnome_stream_connect_gkeyringd(lpr_t)
++')
++
++optional_policy(`
+ 	logging_send_syslog_msg(lpr_t)
+ ')
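Review bot: `gnome_stream_connect_gkeyringd(lpr_t)` needs a one-line comment saying which print scenario produced the AVC; as written it reads as an unexplained widening of a print client toward the user's secret store, and a later maintainer has no way to tell whether it is still needed. The placement is fine (inside its own `optional_policy` block, ahead of the logging block, so the alphabetical ordering of the blocks is preserved).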
 diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
 index 14ad189..c7daa85 100644
 --- a/policy/modules/services/mailman.fc
@@ -115293,7 +116144,7 @@ index b524673..1cca3d2 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..20f5d6b 100644
+index 2af42e7..3b8e0fb 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -115403,11 +116254,16 @@ index 2af42e7..20f5d6b 100644
  userdom_dontaudit_use_unpriv_user_fds(pppd_t)
  userdom_search_user_home_dirs(pppd_t)
  
-@@ -187,13 +194,15 @@ optional_policy(`
+@@ -187,13 +194,20 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
++	l2tpd_dgram_send(pppd_t)
++	l2tpd_rw_socket(pppd_t)
++')
++
++optional_policy(`
 +	tunable_policy(`pppd_can_insmod',`
  		modutils_domtrans_insmod_uncond(pppd_t)
  	')
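Review bot: pppd_t now gets both `l2tpd_dgram_send` and `l2tpd_rw_socket`, and this is the only caller of `l2tpd_rw_socket` in the patch; a comment in ppp.te stating what is being read and written (presumably the pppox socket l2tpd opens and hands to pppd, plus the control socket) would help, because the underlying rule grants `rw_socket_perms` on every generic-class socket l2tpd_t owns rather than only the one handed over. The new block sits correctly before the modutils block, so the alphabetical ordering of `optional_policy` blocks is kept.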
@@ -115420,7 +116276,7 @@ index 2af42e7..20f5d6b 100644
  ')
  
  optional_policy(`
-@@ -243,14 +252,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +257,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -115440,7 +116296,7 @@ index 2af42e7..20f5d6b 100644
  
  dev_read_sysfs(pptp_t)
  
-@@ -265,9 +278,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
+@@ -265,9 +283,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
  corenet_raw_sendrecv_generic_node(pptp_t)
  corenet_tcp_sendrecv_all_ports(pptp_t)
  corenet_tcp_bind_generic_node(pptp_t)
@@ -117367,6 +118223,323 @@ index cb7ecb5..52cb067 100644
 +	matahari_manage_lib_files(qpidd_t)
 +	matahari_manage_pid_files(qpidd_t)
 +')
+diff --git a/policy/modules/services/quantum.fc b/policy/modules/services/quantum.fc
+new file mode 100644
+index 0000000..0a1d62b
+--- /dev/null
++++ b/policy/modules/services/quantum.fc
+@@ -0,0 +1,10 @@
++/usr/bin/quantum-server			--	gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-openvswitch-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-linuxbridge-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-ryu-agent		--	gen_context(system_u:object_r:quantum_exec_t,s0)
++
++/usr/lib/systemd/system/quantum.*.service	--	gen_context(system_u:object_r:quantum_unit_file_t,s0)
++
++/var/lib/quantum(/.*)?		gen_context(system_u:object_r:quantum_var_lib_t,s0)
++
++/var/log/quantum(/.*)?		gen_context(system_u:object_r:quantum_log_t,s0)
+diff --git a/policy/modules/services/quantum.if b/policy/modules/services/quantum.if
+new file mode 100644
+index 0000000..6bbe437
+--- /dev/null
++++ b/policy/modules/services/quantum.if
+@@ -0,0 +1,224 @@
++## <summary>Quantum is a virtual network service for Openstack</summary>
++
++########################################
++## <summary>
++##	Transition to quantum.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`quantum_domtrans',`
++	gen_require(`
++		type quantum_t, quantum_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, quantum_exec_t, quantum_t)
++')
++
++########################################
++## <summary>
++##	Read quantum's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`quantum_read_log',`
++	gen_require(`
++		type quantum_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, quantum_log_t, quantum_log_t)
++')
++
++########################################
++## <summary>
++##	Append to quantum log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_append_log',`
++	gen_require(`
++		type quantum_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, quantum_log_t, quantum_log_t)
++')
++
++########################################
++## <summary>
++##	Manage quantum log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_manage_log',`
++	gen_require(`
++		type quantum_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, quantum_log_t, quantum_log_t)
++	manage_files_pattern($1, quantum_log_t, quantum_log_t)
++	manage_lnk_files_pattern($1, quantum_log_t, quantum_log_t)
++')
++
++########################################
++## <summary>
++##	Search quantum lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_search_lib',`
++	gen_require(`
++		type quantum_var_lib_t;
++	')
++
++	allow $1 quantum_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read quantum lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_read_lib_files',`
++	gen_require(`
++		type quantum_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage quantum lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_manage_lib_files',`
++	gen_require(`
++		type quantum_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage quantum lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_manage_lib_dirs',`
++	gen_require(`
++		type quantum_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Execute quantum server in the quantum domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`quantum_systemctl',`
++	gen_require(`
++		type quantum_t;
++		type quantum_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_password_run($1)
++	allow $1 quantum_unit_file_t:file read_file_perms;
++	allow $1 quantum_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, quantum_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an quantum environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`quantum_admin',`
++	gen_require(`
++		type quantum_t;
++		type quantum_log_t;
++		type quantum_var_lib_t;
++		type quantum_unit_file_t;
++	')
++
++	allow $1 quantum_t:process { ptrace signal_perms };
++	ps_process_pattern($1, quantum_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, quantum_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, quantum_var_lib_t)
++
++	quantum_systemctl($1)
++	admin_pattern($1, quantum_unit_file_t)
++	allow $1 quantum_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/services/quantum.te b/policy/modules/services/quantum.te
+new file mode 100644
+index 0000000..4bb22d5
+--- /dev/null
++++ b/policy/modules/services/quantum.te
+@@ -0,0 +1,65 @@
++policy_module(quantum, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type quantum_t;
++type quantum_exec_t;
++init_daemon_domain(quantum_t, quantum_exec_t)
++
++type quantum_log_t;
++logging_log_file(quantum_log_t)
++
++type quantum_tmp_t;
++files_tmp_file(quantum_tmp_t)
++
++type quantum_var_lib_t;
++files_type(quantum_var_lib_t)
++
++type quantum_unit_file_t;
++systemd_unit_file(quantum_unit_file_t)
++
++########################################
++#
++# quantum local policy
++#
++allow quantum_t self:fifo_file rw_fifo_file_perms;
++allow quantum_t self:unix_stream_socket create_stream_socket_perms;
++allow quantum_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
++manage_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
++logging_log_filetrans(quantum_t, quantum_log_t, { dir file })
++
++manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
++files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++can_exec(quantum_t, quantum_tmp_t)
++
++manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
++manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
++files_var_lib_filetrans(quantum_t, quantum_var_lib_t, { dir file })
++
++kernel_read_system_state(quantum_t)
++
++corecmd_exec_shell(quantum_t)
++corecmd_exec_bin(quantum_t)
++
++corenet_tcp_bind_generic_node(quantum_t)
++corenet_tcp_bind_quantum_port(quantum_t)
++
++dev_read_urand(quantum_t)
++
++domain_use_interactive_fds(quantum_t)
++
++files_read_etc_files(quantum_t)
++files_read_usr_files(quantum_t)
++
++auth_use_nsswitch(quantum_t)
++
++libs_exec_ldconfig(quantum_t)
++
++logging_send_syslog_msg(quantum_t)
++
++miscfiles_read_localization(quantum_t)
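Review bot: quantum.if spells the systemd FIFO interface two different ways, `systemd_read_fifo_file_password_run($1)` in `quantum_systemctl` and `systemd_read_fifo_file_passwd_run($1)` in `quantum_admin`; unless systemd.if deliberately defines both, one of them will not resolve at build time, so pick the spelling that matches systemd.if and use it in both places (the first of the two is also indented with spaces where the rest of the file uses tabs). Further points in the same hunk, in order of importance: quantum.te grants `can_exec(quantum_t, quantum_tmp_t)` on top of `manage_files_pattern` for the same type, so anything the daemon can write under /tmp it can also execute, which is exactly the pattern a confined domain is meant to rule out; if a helper must be run from a temp file, name it in a comment, otherwise drop the `can_exec`. The unit-file regex `/usr/lib/systemd/system/quantum.*.service` leaves the final dot unescaped, so it also matches names such as `quantum-server_service`; `quantum.*\.service` is the intended pattern. The summary on `quantum_systemctl` says "Execute quantum server in the quantum domain" while the body grants systemctl access to the unit file, so the doc comment should say that instead. Finally, `quantum_admin` allows `ptrace` on quantum_t unconditionally whereas `l2tpd_admin` in this same patch gates it behind the `deny_ptrace` tunable; the two admin interfaces should agree.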
 diff --git a/policy/modules/services/rabbitmq.fc b/policy/modules/services/rabbitmq.fc
 new file mode 100644
 index 0000000..594c110
@@ -120231,7 +121404,7 @@ index cda37bb..b3469d6 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..d36b88c 100644
+index b1468ed..86e1141 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
 @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -120300,7 +121473,7 @@ index b1468ed..d36b88c 100644
  fs_getattr_all_fs(rpcd_t)
  
  storage_getattr_fixed_disk_dev(rpcd_t)
-@@ -97,21 +105,37 @@ miscfiles_read_generic_certs(rpcd_t)
+@@ -97,21 +105,41 @@ miscfiles_read_generic_certs(rpcd_t)
  
  seutil_dontaudit_search_config(rpcd_t)
  
@@ -120317,6 +121490,10 @@ index b1468ed..d36b88c 100644
 +')
 +
 +optional_policy(`
++	quota_manage_db(rpcd_t)
++')
++
++optional_policy(`
  	nis_read_ypserv_config(rpcd_t)
  ')
  
@@ -120338,7 +121515,7 @@ index b1468ed..d36b88c 100644
  
  allow nfsd_t exports_t:file read_file_perms;
  allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
-@@ -120,9 +144,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,9 +148,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  kernel_read_system_state(nfsd_t)
  kernel_read_network_state(nfsd_t)
  kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -120353,7 +121530,7 @@ index b1468ed..d36b88c 100644
  
  dev_dontaudit_getattr_all_blk_files(nfsd_t)
  dev_dontaudit_getattr_all_chr_files(nfsd_t)
-@@ -148,6 +177,8 @@ storage_raw_read_removable_device(nfsd_t)
+@@ -148,6 +181,8 @@ storage_raw_read_removable_device(nfsd_t)
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
  
@@ -120362,7 +121539,7 @@ index b1468ed..d36b88c 100644
  # Write access to public_content_t and public_content_rw_t
  tunable_policy(`allow_nfsd_anon_write',`
  	miscfiles_manage_public_files(nfsd_t)
-@@ -158,7 +189,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +193,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -120370,7 +121547,7 @@ index b1468ed..d36b88c 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +200,11 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +204,11 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -120384,7 +121561,7 @@ index b1468ed..d36b88c 100644
  ')
  
  ########################################
-@@ -181,7 +214,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +218,7 @@ tunable_policy(`nfs_export_all_ro',`
  
  allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
  allow gssd_t self:process { getsched setsched };
@@ -120393,7 +121570,7 @@ index b1468ed..d36b88c 100644
  
  manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +232,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +236,7 @@ corecmd_exec_bin(gssd_t)
  fs_list_rpc(gssd_t)
  fs_rw_rpc_sockets(gssd_t)
  fs_read_rpc_files(gssd_t)
@@ -120401,7 +121578,7 @@ index b1468ed..d36b88c 100644
  
  fs_list_inotifyfs(gssd_t)
  files_list_tmp(gssd_t)
-@@ -210,14 +244,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +248,14 @@ auth_manage_cache(gssd_t)
  
  miscfiles_read_generic_certs(gssd_t)
  
@@ -120418,7 +121595,7 @@ index b1468ed..d36b88c 100644
  ')
  
  optional_policy(`
-@@ -229,6 +263,10 @@ optional_policy(`
+@@ -229,6 +267,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -126741,10 +127918,10 @@ index 0000000..c6be180
 +')
 diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
 new file mode 100644
-index 0000000..4fd2377
+index 0000000..8137e63
 --- /dev/null
 +++ b/policy/modules/services/vdagent.te
-@@ -0,0 +1,54 @@
+@@ -0,0 +1,61 @@
 +policy_module(vdagent,1.0.0)
 +
 +########################################
@@ -126787,8 +127964,15 @@ index 0000000..4fd2377
 +
 +files_read_etc_files(vdagent_t)
 +
++init_read_state(vdagent_t)
++
++systemd_read_logind_sessions_files(vdagent_t)
++systemd_login_read_pid_files(vdagent_t)
++
 +term_use_virtio_console(vdagent_t)
 +
++userdom_read_all_users_state(vdagent_t)
++
 +miscfiles_read_localization(vdagent_t)
 +
 +optional_policy(`
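Review bot: of the four new unconditional lines, `userdom_read_all_users_state(vdagent_t)` is much broader than the rest: it exposes the /proc state of every user domain to the agent, whereas the two `systemd_*` lines already cover what a logind client needs (the session files and pid files under the logind run directory). Consider dropping it, or at least placing it under a comment saying which call produced the AVC so it can be revisited. Note also that the `systemd_*` interfaces are called outside `optional_policy`, so this module now hard-depends on the systemd module being present.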
@@ -126887,7 +128071,7 @@ index 1f872b5..88a8157 100644
 -
  ')
 diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
-index 32a3c13..e3d91ad 100644
+index 32a3c13..c10e942 100644
 --- a/policy/modules/services/vhostmd.te
 +++ b/policy/modules/services/vhostmd.te
 @@ -24,8 +24,8 @@ files_pid_file(vhostmd_var_run_t)
@@ -126901,7 +128085,15 @@ index 32a3c13..e3d91ad 100644
  
  manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
  manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-@@ -44,9 +44,15 @@ corecmd_exec_shell(vhostmd_t)
+@@ -35,6 +35,7 @@ manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+ manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+ files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir })
+ 
++kernel_read_kernel_sysctls(vhostmd_t)
+ kernel_read_system_state(vhostmd_t)
+ kernel_read_network_state(vhostmd_t)
+ kernel_write_xen_state(vhostmd_t)
+@@ -44,9 +45,15 @@ corecmd_exec_shell(vhostmd_t)
  
  corenet_tcp_connect_soundd_port(vhostmd_t)
  
@@ -126917,7 +128109,7 @@ index 32a3c13..e3d91ad 100644
  dev_read_sysfs(vhostmd_t)
  
  auth_use_nsswitch(vhostmd_t)
-@@ -66,6 +72,7 @@ optional_policy(`
+@@ -66,6 +73,7 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(vhostmd_t)
@@ -128699,13 +129891,12 @@ index 0000000..ad47e05
 +/usr/sbin/wdmd		--	gen_context(system_u:object_r:wdmd_exec_t,s0)
 diff --git a/policy/modules/services/wdmd.if b/policy/modules/services/wdmd.if
 new file mode 100644
-index 0000000..1a04747
+index 0000000..8e3570d
 --- /dev/null
 +++ b/policy/modules/services/wdmd.if
-@@ -0,0 +1,114 @@
-+
-+## <summary>policy for wdmd</summary>
+@@ -0,0 +1,113 @@
 +
++## <summary>watchdog multiplexing daemon</summary>
 +
 +########################################
 +## <summary>
@@ -128819,10 +130010,10 @@ index 0000000..1a04747
 +')
 diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te
 new file mode 100644
-index 0000000..11b8863
+index 0000000..c0f3e2f
 --- /dev/null
 +++ b/policy/modules/services/wdmd.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,45 @@
 +policy_module(wdmd,1.0.0)
 +
 +########################################
@@ -128845,6 +130036,7 @@ index 0000000..11b8863
 +# wdmd local policy
 +#
 +allow wdmd_t self:capability { sys_nice ipc_lock };
++dontaudit wdmd_t self:capability chown;
 +allow wdmd_t self:process { setsched signal };
 +
 +allow wdmd_t self:fifo_file rw_fifo_file_perms;
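Review bot: `dontaudit wdmd_t self:capability chown;` is the right choice for a capability probe the daemon does not actually need (the changelog calls the chown check spurious), but the line needs a comment saying exactly that; otherwise the next person who sees the denial in permissive mode will turn it into an `allow`. If the probe really is unconditional rather than tied to a code path, it is also worth reporting against wdmd so the check goes away upstream instead of being silenced in policy.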
@@ -133925,7 +135117,7 @@ index 354ce93..4738083 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..43dcb93 100644
+index 94fd8dd..6248940 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -134655,7 +135847,7 @@ index 94fd8dd..43dcb93 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2124,248 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2124,266 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -134904,6 +136096,24 @@ index 94fd8dd..43dcb93 100644
 +
 +	allow $1 init_t:system halt;
 +')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_undefined',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:system undefined;
++')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 index 29a9565..e2c5116 100644
 --- a/policy/modules/system/init.te
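Review bot: `allow $1 init_t:system undefined;` in the new `init_undefined` interface is a catch-all: by its own summary it covers whatever access does not map to one of the specific `system` permissions (`status`, `reboot`, `halt` in the sibling interfaces, e.g. `allow $1 init_t:system halt;` just above), so any domain given `init_undefined` gets every unmapped init action in one rule rather than the per-action split the neighbouring interfaces provide. Please state in the summary which caller actions actually land in `undefined`, and confirm that `undefined` is declared in the `system` class of this policy's access vectors, since nothing in this diff adds it and the build fails otherwise.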
@@ -137836,7 +139046,7 @@ index 831b909..b9cff6d 100644
 +	files_spool_filetrans($1, audit_spool_t, dir, "audit")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..9ffad65 100644
+index b6ec597..9c495b2 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -5,6 +5,20 @@ policy_module(logging, 1.17.2)
@@ -137886,7 +139096,16 @@ index b6ec597..9ffad65 100644
  
  type syslogd_initrc_exec_t;
  init_script_file(syslogd_initrc_exec_t)
-@@ -111,7 +130,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -94,6 +113,8 @@ ifdef(`enable_mls',`
+ allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+ 
++allow auditctl_t self:process getcap;
++
+ read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+ allow auditctl_t auditd_etc_t:dir list_dir_perms;
+ 
+@@ -111,7 +132,7 @@ domain_use_interactive_fds(auditctl_t)
  
  mls_file_read_all_levels(auditctl_t)
  
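Review bot: `allow auditctl_t self:process getcap;` is harmless on its own (a domain reading its own capability set), but the changelog of this same commit also says "Allow all domains to call getcap"; if that landed as a rule on the `domain` attribute, this per-domain line is redundant and should be dropped so there is a single place to maintain the rule.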
@@ -137895,7 +139114,15 @@ index b6ec597..9ffad65 100644
  
  init_dontaudit_use_fds(auditctl_t)
  
-@@ -183,16 +202,19 @@ logging_send_syslog_msg(auditd_t)
+@@ -148,6 +169,7 @@ kernel_read_kernel_sysctls(auditd_t)
+ # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
+ # Probably want a transition, and a new auditd_helper app
+ kernel_read_system_state(auditd_t)
++kernel_read_network_state(auditd_t)
+ 
+ dev_read_sysfs(auditd_t)
+ 
+@@ -183,16 +205,19 @@ logging_send_syslog_msg(auditd_t)
  logging_domtrans_dispatcher(auditd_t)
  logging_signal_dispatcher(auditd_t)
  
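Review bot: `kernel_read_network_state(auditd_t)` has no matching changelog entry and no comment; the surrounding comment block only explains the dispatcher transition. Please add a line in logging.te (or a changelog entry) saying what network state auditd needs to read, so the grant can be re-evaluated later.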
@@ -137916,7 +139143,7 @@ index b6ec597..9ffad65 100644
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_user_home_dirs(auditd_t)
  
-@@ -237,10 +259,17 @@ corecmd_exec_shell(audisp_t)
+@@ -237,10 +262,17 @@ corecmd_exec_shell(audisp_t)
  
  domain_use_interactive_fds(audisp_t)
  
@@ -137934,7 +139161,7 @@ index b6ec597..9ffad65 100644
  
  logging_send_syslog_msg(audisp_t)
  
-@@ -250,6 +279,10 @@ sysnet_dns_name_resolve(audisp_t)
+@@ -250,6 +282,10 @@ sysnet_dns_name_resolve(audisp_t)
  
  optional_policy(`
  	dbus_system_bus_client(audisp_t)
@@ -137945,7 +139172,7 @@ index b6ec597..9ffad65 100644
  ')
  
  ########################################
-@@ -280,11 +313,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,11 +316,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
  
  files_read_etc_files(audisp_remote_t)
  
@@ -137966,7 +139193,7 @@ index b6ec597..9ffad65 100644
  sysnet_dns_name_resolve(audisp_remote_t)
  
  ########################################
-@@ -354,11 +396,12 @@ optional_policy(`
+@@ -354,11 +399,12 @@ optional_policy(`
  # chown fsetid for syslog-ng
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
@@ -137981,7 +139208,7 @@ index b6ec597..9ffad65 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -376,6 +419,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -376,6 +422,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  # create/append log files.
  manage_files_pattern(syslogd_t, var_log_t, var_log_t)
  rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -137989,7 +139216,7 @@ index b6ec597..9ffad65 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -385,9 +429,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -385,9 +432,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -138005,7 +139232,7 @@ index b6ec597..9ffad65 100644
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -426,10 +476,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -426,10 +479,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -138033,7 +139260,7 @@ index b6ec597..9ffad65 100644
  
  files_read_etc_files(syslogd_t)
  files_read_usr_files(syslogd_t)
-@@ -447,7 +514,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+@@ -447,7 +517,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
  term_write_console(syslogd_t)
  # Allow syslog to a terminal
  term_write_unallocated_ttys(syslogd_t)
@@ -138043,7 +139270,7 @@ index b6ec597..9ffad65 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +528,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +531,7 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -138051,7 +139278,7 @@ index b6ec597..9ffad65 100644
  
  miscfiles_read_localization(syslogd_t)
  
-@@ -496,11 +566,20 @@ optional_policy(`
+@@ -496,11 +569,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -140210,7 +141437,7 @@ index 170e2c7..6c56785 100644
 +	auth_relabelto_shadow($1)
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..a5062f7 100644
+index 7ed9819..4442617 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,6 +11,7 @@ gen_require(`
@@ -140558,7 +141785,7 @@ index 7ed9819..a5062f7 100644
  
  ifdef(`distro_debian',`
  	files_read_var_lib_files(semanage_t)
-@@ -493,112 +506,159 @@ ifdef(`distro_ubuntu',`
+@@ -493,112 +506,161 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -140697,6 +141924,8 @@ index 7ed9819..a5062f7 100644
 +dontaudit setfiles_domain self:file relabelfrom;
 +dontaudit setfiles_domain self:lnk_file relabelfrom;
 +
++domain_relabelfrom(setfiles_domain)
++
 +allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
 +allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
 +allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
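Review bot: `domain_relabelfrom(setfiles_domain)` is not covered by any changelog entry and is a wide grant, since it applies to every type carrying the `domain` attribute and to every tool in `setfiles_domain`. Please add a comment naming the restorecon/setfiles case that hit the denial, and consider whether a `dontaudit`, like the two `relabelfrom` lines immediately above it, is sufficient if the relabel is merely attempted rather than required.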
@@ -141485,10 +142714,10 @@ index 0000000..0d3e625
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..6daaa5c
+index 0000000..a7e3666
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,656 @@
+@@ -0,0 +1,675 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -142094,7 +143323,7 @@ index 0000000..6daaa5c
 +
 +########################################
 +## <summary>
-+##	Get the system status information from init
++##	Get the system status information from systemd_login
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -142112,7 +143341,7 @@ index 0000000..6daaa5c
 +
 +########################################
 +## <summary>
-+##	Tell init to reboot the system.
++##	Tell systemd_login to reboot the system.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -142130,7 +143359,7 @@ index 0000000..6daaa5c
 +
 +########################################
 +## <summary>
-+##	Tell init to halt the system.
++##	Tell systemd_login to halt the system.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -142145,12 +143374,31 @@ index 0000000..6daaa5c
 +
 +	allow $1 systemd_logind_t:system halt;
 +')
++
++########################################
++## <summary>
++##	Tell systemd_login to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_login_undefined',`
++	gen_require(`
++		type systemd_logind_t;
++	')
++
++	allow $1 systemd_logind_t:system undefined;
++')
++
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..7122cd5
+index 0000000..4bddff8
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,398 @@
+@@ -0,0 +1,399 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
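Review bot: `allow $1 systemd_logind_t:system undefined;` raises the same concern as the matching `init_undefined` interface: one rule grants every logind action that is not mapped to a specific `system` permission, so the summary should say which actions fall into `undefined` rather than "an unknown access". Separately, the hunk adds a blank line after the closing `')` at the end of systemd.if (the `++` line before the next file header); drop it so the file ends the same way as the other .if files in this patch.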
@@ -142224,6 +143472,7 @@ index 0000000..7122cd5
 +init_status(systemd_logind_t)
 +init_reboot(systemd_logind_t)
 +init_halt(systemd_logind_t)
++init_undefined(systemd_logind_t)
 +
 +dev_read_sysfs(systemd_logind_t)
 +dev_setattr_input_dev(systemd_logind_t)
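Review bot: `init_undefined(systemd_logind_t)` is the only consumer of the new catch-all `init_undefined` interface in this diff; a comment next to it naming the logind-to-systemd call that needs it would let a later reviewer decide whether a specific `system` permission should replace the catch-all.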
@@ -143832,7 +145081,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..12759f5 100644
+index 4b2878a..2358d96 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -145090,20 +146339,15 @@ index 4b2878a..12759f5 100644
  	')
  
  	##############################
-@@ -1065,7 +1372,11 @@ template(`userdom_admin_user_template',`
- 	# $1_t local policy
+@@ -1066,6 +1373,7 @@ template(`userdom_admin_user_template',`
  	#
  
--	allow $1_t self:capability ~{ sys_module audit_control audit_write };
-+	allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write };
-+	tunable_policy(`deny_ptrace',`',`
-+		allow $1_t self:capability sys_ptrace;
-+	')
+ 	allow $1_t self:capability ~{ sys_module audit_control audit_write };
 +	allow $1_t self:capability2 syslog;
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
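Review bot: this hunk silently drops the `deny_ptrace` handling for admin user domains. The previous version of the patch replaced `allow $1_t self:capability ~{ sys_module audit_control audit_write };` with a set that also excluded `sys_ptrace` and re-granted it only in the else branch of `tunable_policy(`deny_ptrace`,...)`; the new version leaves the original line untouched, so admin users always get `sys_ptrace` again regardless of the boolean. None of the changelog entries mention this; if it is intentional, add an entry, and if not, the tunable block should be restored.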
-@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1382,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -145113,7 +146357,7 @@ index 4b2878a..12759f5 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1399,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -145121,7 +146365,7 @@ index 4b2878a..12759f5 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1417,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -145135,7 +146379,7 @@ index 4b2878a..12759f5 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,29 +1437,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1434,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -145178,7 +146422,7 @@ index 4b2878a..12759f5 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1478,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1475,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -145187,7 +146431,7 @@ index 4b2878a..12759f5 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1539,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1536,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -145196,7 +146440,7 @@ index 4b2878a..12759f5 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,8 +1553,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1550,9 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -145207,7 +146451,7 @@ index 4b2878a..12759f5 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1234,13 +1566,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1563,24 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -145236,7 +146480,7 @@ index 4b2878a..12759f5 100644
  	')
  
  	optional_policy(`
-@@ -1251,12 +1594,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1591,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -145252,7 +146496,7 @@ index 4b2878a..12759f5 100644
  	')
  
  	optional_policy(`
-@@ -1279,11 +1622,60 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1619,60 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -145313,7 +146557,7 @@ index 4b2878a..12759f5 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,6 +1787,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1784,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -145321,10 +146565,11 @@ index 4b2878a..12759f5 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1834,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,7 +1831,15 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
+-')
 +
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_list_nfs($1)
@@ -145333,10 +146578,11 @@ index 4b2878a..12759f5 100644
 +	tunable_policy(`use_samba_home_dirs',`
 +		fs_list_cifs($1)
 +	')
- ')
++')
  
  ########################################
-@@ -1456,9 +1857,11 @@ interface(`userdom_list_user_home_dirs',`
+ ## <summary>
+@@ -1456,9 +1854,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -145348,7 +146594,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -1515,6 +1918,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1915,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -145391,7 +146637,7 @@ index 4b2878a..12759f5 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1589,6 +2028,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2025,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -145400,7 +146646,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -1603,10 +2044,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2041,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -145415,7 +146661,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -1649,6 +2092,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2089,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -145459,7 +146705,7 @@ index 4b2878a..12759f5 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1668,6 +2148,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2145,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -145485,7 +146731,7 @@ index 4b2878a..12759f5 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1698,14 +2197,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2194,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -145523,7 +146769,7 @@ index 4b2878a..12759f5 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2237,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2234,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -145541,7 +146787,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -1779,6 +2303,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2300,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -145602,7 +146848,7 @@ index 4b2878a..12759f5 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2388,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2385,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -145612,7 +146858,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -1827,21 +2404,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2401,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -145626,19 +146872,18 @@ index 4b2878a..12759f5 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
- 
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
--	')
 -')
--
+ 
  ########################################
  ## <summary>
- ##	Do not audit attempts to execute user home files.
-@@ -1941,6 +2512,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2509,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -145663,7 +146908,7 @@ index 4b2878a..12759f5 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2597,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2594,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -145672,7 +146917,7 @@ index 4b2878a..12759f5 100644
  	files_search_home($1)
  ')
  
-@@ -2039,7 +2628,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2625,7 @@ interface(`userdom_user_home_content_filetrans',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -145681,7 +146926,7 @@ index 4b2878a..12759f5 100644
  	allow $1 user_home_dir_t:dir search_dir_perms;
  	files_search_home($1)
  ')
-@@ -2158,11 +2747,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2744,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -145696,7 +146941,7 @@ index 4b2878a..12759f5 100644
  	files_search_tmp($1)
  ')
  
-@@ -2182,7 +2771,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2768,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -145705,7 +146950,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -2390,7 +2979,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2976,7 @@ interface(`userdom_user_tmp_filetrans',`
  		type user_tmp_t;
  	')
  
@@ -145714,7 +146959,7 @@ index 4b2878a..12759f5 100644
  	files_search_tmp($1)
  ')
  
-@@ -2419,6 +3008,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3005,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2)
  ')
  
@@ -145740,7 +146985,7 @@ index 4b2878a..12759f5 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2435,13 +3043,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3040,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -145756,7 +147001,7 @@ index 4b2878a..12759f5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,7 +3071,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3068,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -145765,7 +147010,7 @@ index 4b2878a..12759f5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2470,14 +3079,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3076,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -145800,7 +147045,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -2572,6 +3197,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +3194,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -145825,7 +147070,7 @@ index 4b2878a..12759f5 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2590,22 +3233,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +3230,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -145868,7 +147113,7 @@ index 4b2878a..12759f5 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2614,14 +3269,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3266,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -145906,7 +147151,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -2640,36 +3314,32 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,36 +3311,32 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -145952,7 +147197,7 @@ index 4b2878a..12759f5 100644
  ##	is an explicit transition, requiring the
  ##	caller to use setexeccon().
  ## </summary>
-@@ -2679,12 +3349,12 @@ interface(`userdom_spec_domtrans_all_users',`
+@@ -2679,12 +3346,12 @@ interface(`userdom_spec_domtrans_all_users',`
  ##	</summary>
  ## </param>
  #
@@ -145967,7 +147212,7 @@ index 4b2878a..12759f5 100644
  	allow userdomain $1:fd use;
  	allow userdomain $1:fifo_file rw_file_perms;
  	allow userdomain $1:process sigchld;
-@@ -2692,7 +3362,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
+@@ -2692,7 +3359,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
  
  ########################################
  ## <summary>
@@ -145976,7 +147221,7 @@ index 4b2878a..12759f5 100644
  ##	is an explicit transition, requiring the
  ##	caller to use setexeccon().
  ## </summary>
-@@ -2702,20 +3372,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
+@@ -2702,20 +3369,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
  ##	</summary>
  ## </param>
  #
@@ -146004,7 +147249,7 @@ index 4b2878a..12759f5 100644
  ##	is an explicit transition, requiring the
  ##	caller to use setexeccon().
  ## </summary>
-@@ -2725,57 +3395,61 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2725,57 +3392,61 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  ##	</summary>
  ## </param>
  #
@@ -146085,7 +147330,7 @@ index 4b2878a..12759f5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2783,12 +3457,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2783,12 +3454,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -146100,7 +147345,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -2852,7 +3526,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3523,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -146109,7 +147354,7 @@ index 4b2878a..12759f5 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3542,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3539,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -146143,7 +147388,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -2972,7 +3630,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3627,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -146152,7 +147397,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -3027,7 +3685,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3682,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -146199,7 +147444,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -3045,7 +3741,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3738,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -146208,7 +147453,7 @@ index 4b2878a..12759f5 100644
  ')
  
  ########################################
-@@ -3064,6 +3760,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3757,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -146216,7 +147461,7 @@ index 4b2878a..12759f5 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3142,6 +3839,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3836,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -146241,7 +147486,7 @@ index 4b2878a..12759f5 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3160,6 +3875,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3872,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -146266,7 +147511,7 @@ index 4b2878a..12759f5 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3927,1273 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3924,1273 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 925e8cd..7499c0a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 105%{?dist}
+Release: 106%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -484,6 +484,18 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Mar 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-106
+- Allow auditctl getcap
+- Allow vdagent to use libsystemd-login
+- Allow abrt-dump-oops to search /etc/abrt
+- Got these avc's while trying to print a boarding pass from firefox
+- Devicekit is now putting the media directory under /run/media
+- Allow thumbnailers to create content in ~/.thumbails directory
+- Add support for proL2TPd by Dominick Grift
+- Allow all domains to call getcap
+- wdmd seems to get a random chown capability check that it does not need
+- Allow vhostmd to read kernel sysctls
+
 * Wed Mar 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-105
 - Allow chronyd to read unix
 - Allow hpfax to read /etc/passwd
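Review bot: two of the new changelog lines need fixing: `~/.thumbails` in the thumbnailer entry looks like a typo for `~/.thumbnails`, and "Got these avc's while trying to print a boarding pass from firefox" describes the symptom rather than the policy change, so it should name the domain or rules that were added, as the other entries do. It is also worth checking that every rule in the patch has an entry: `kernel_read_network_state(auditd_t)` and `domain_relabelfrom(setfiles_domain)` above have none.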

