[selinux-policy/f17] - Fix pulseaudio port definition - Add labeling for condor_starter - Allow chfn_t to creat user_tmp_
Miroslav Grepl
mgrepl at fedoraproject.org
Wed May 16 11:47:05 UTC 2012
commit 7f471e58b56a2849fd8e701a4d168a2f072d3e17
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed May 16 13:46:39 2012 +0200
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courie
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed wit
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs working correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access requires to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
policy-F16.patch | 1148 +++++++++++++++++++++++++++++----------------------
selinux-policy.spec | 31 ++-
2 files changed, 692 insertions(+), 487 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 726c4a7..8e5aff8 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -60434,7 +60434,7 @@ index 93ec175..0e42018 100644
')
')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..5d940f8 100644
+index af55369..437026a 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -60517,13 +60517,15 @@ index af55369..5d940f8 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +170,29 @@ optional_policy(`
+@@ -148,17 +170,31 @@ optional_policy(`
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
- init_exec(prelink_cron_system_t)
+ fs_search_cgroup_dirs(prelink_cron_system_t)
+
++ auth_use_nsswitch(prelink_cron_system_t)
++
+ init_telinit(prelink_cron_system_t)
libs_exec_ld_so(prelink_cron_system_t)
@@ -60930,7 +60932,7 @@ index b4ac57e..ef944a4 100644
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index b206bf6..0bc863c 100644
+index b206bf6..3d5caa1 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -6,7 +6,9 @@
@@ -60943,7 +60945,7 @@ index b206bf6..0bc863c 100644
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -19,14 +21,21 @@
+@@ -19,23 +21,31 @@
/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
@@ -60965,8 +60967,10 @@ index b206bf6..0bc863c 100644
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-@@ -36,6 +45,8 @@ ifdef(`distro_redhat', `
- /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+ /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+ /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+
+-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
@@ -62017,7 +62021,7 @@ index 7bddc02..2b59ed0 100644
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..748db5b 100644
+index 975af1a..0ae7660 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -62061,7 +62065,7 @@ index 975af1a..748db5b 100644
allow $1_sudo_t $3:key search;
-@@ -76,88 +63,19 @@ template(`sudo_role_template',`
+@@ -76,86 +63,25 @@ template(`sudo_role_template',`
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
@@ -62144,19 +62148,19 @@ index 975af1a..748db5b 100644
- fs_manage_cifs_files($1_sudo_t)
- ')
-
-- optional_policy(`
+ optional_policy(`
- dbus_system_bus_client($1_sudo_t)
-- ')
--
-- optional_policy(`
++ mta_role($2, $1_sudo_t)
+ ')
+
+ optional_policy(`
- fprintd_dbus_chat($1_sudo_t)
-- ')
--
-+ mta_role($2, $1_sudo_t)
- ')
++ kerberos_manage_host_rcache($1_sudo_t)
++ kerberos_read_config($1_sudo_t)
+ ')
- ########################################
-@@ -177,3 +95,22 @@ interface(`sudo_sigchld',`
+ ')
+@@ -177,3 +103,22 @@ interface(`sudo_sigchld',`
allow $1 sudodomain:process sigchld;
')
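Review bot: The new `kerberos_manage_host_rcache($1_sudo_t)` call in `sudo_role_template` gives every sudo domain built from the template manage access to `krb5_host_rcache_t`, and the kerberos.fc hunk in this same commit labels the host, HTTP, nfs and ldap replay caches with that one type. As far as the visible lines show, a sudo domain could therefore rewrite or remove another service's replay cache, not only its own. A why-comment above the block would record that this breadth is known and accepted, for example `# sudo needs a Kerberos rcache in /var/tmp; krb5_host_rcache_t is shared with other services` (the reason is presumed from the changelog and should be confirmed). The template body starts outside this hunk.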
@@ -62662,7 +62666,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..8b16b42 100644
+index 441cf22..b599f68 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -62673,7 +62677,7 @@ index 441cf22..8b16b42 100644
selinux_get_fs_mount(chfn_t)
selinux_validate_context(chfn_t)
-@@ -79,25 +80,25 @@ selinux_compute_create_context(chfn_t)
+@@ -79,25 +80,26 @@ selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@@ -62698,6 +62702,7 @@ index 441cf22..8b16b42 100644
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
++corecmd_exec_bin(chfn_t)
domain_use_interactive_fds(chfn_t)
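Review bot: `corecmd_exec_bin(chfn_t)` is added directly under the existing comment `# allow checking if a shell is executable`, which describes only the `corecmd_check_exec_shell` line, so the much broader grant reads as if it were part of the shell check. Executing `bin_t` without a domain transition keeps whatever chfn runs inside `chfn_t`, and the changelog only hints at the reason (chage and privsep). Give the rule its own comment naming the helper that needs it, for example `# chfn runs <helper> labelled bin_t; it stays in chfn_t (no transition)` with the actual binary filled in.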
@@ -62705,7 +62710,7 @@ index 441cf22..8b16b42 100644
files_read_etc_runtime_files(chfn_t)
files_dontaudit_search_var(chfn_t)
files_dontaudit_search_home(chfn_t)
-@@ -105,6 +106,7 @@ files_dontaudit_search_home(chfn_t)
+@@ -105,6 +107,7 @@ files_dontaudit_search_home(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(chfn_t)
@@ -62713,7 +62718,15 @@ index 441cf22..8b16b42 100644
miscfiles_read_localization(chfn_t)
-@@ -118,6 +120,10 @@ userdom_use_unpriv_users_fds(chfn_t)
+@@ -113,11 +116,18 @@ logging_send_syslog_msg(chfn_t)
+ # uses unix_chkpwd for checking passwords
+ seutil_dontaudit_search_config(chfn_t)
+
++userdom_manage_user_tmp_files(chfn_t)
++userdom_tmp_filetrans_user_tmp(chfn_t, { file })
++
+ userdom_use_unpriv_users_fds(chfn_t)
+ # user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)
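Review bot: `userdom_manage_user_tmp_files(chfn_t)` grants more than the changelog's "create user_tmp_files": a manage interface normally also covers reading, writing and unlinking existing files of the type, and those files belong to the user who invokes chfn. If chfn only needs to create its own scratch file, a comment such as `# chfn creates a scratch file in /tmp; only file creation is expected` would say so, and it is worth checking whether create-only access would be enough. The `{ file }` restriction on `userdom_tmp_filetrans_user_tmp` already keeps the transition narrow.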
@@ -62724,7 +62737,7 @@ index 441cf22..8b16b42 100644
########################################
#
# Crack local policy
-@@ -194,8 +200,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -194,8 +204,8 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
@@ -62735,7 +62748,7 @@ index 441cf22..8b16b42 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -203,8 +209,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -203,8 +213,8 @@ init_dontaudit_write_utmp(groupadd_t)
domain_use_interactive_fds(groupadd_t)
@@ -62745,7 +62758,7 @@ index 441cf22..8b16b42 100644
files_read_etc_runtime_files(groupadd_t)
files_read_usr_symlinks(groupadd_t)
-@@ -219,9 +225,10 @@ miscfiles_read_localization(groupadd_t)
+@@ -219,9 +229,10 @@ miscfiles_read_localization(groupadd_t)
auth_domtrans_chk_passwd(groupadd_t)
auth_rw_lastlog(groupadd_t)
auth_use_nsswitch(groupadd_t)
@@ -62757,7 +62770,7 @@ index 441cf22..8b16b42 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
-@@ -269,6 +276,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -269,6 +280,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
@@ -62765,7 +62778,7 @@ index 441cf22..8b16b42 100644
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -277,6 +285,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -277,6 +289,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@@ -62773,7 +62786,7 @@ index 441cf22..8b16b42 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -291,26 +300,30 @@ selinux_compute_create_context(passwd_t)
+@@ -291,26 +304,30 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -62809,7 +62822,7 @@ index 441cf22..8b16b42 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -323,7 +336,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +340,7 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
@@ -62818,7 +62831,7 @@ index 441cf22..8b16b42 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -332,6 +345,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +349,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -62826,7 +62839,7 @@ index 441cf22..8b16b42 100644
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -381,9 +395,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,9 +399,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -62839,7 +62852,7 @@ index 441cf22..8b16b42 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -396,7 +411,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -396,7 +415,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -62847,7 +62860,7 @@ index 441cf22..8b16b42 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -426,7 +440,8 @@ optional_policy(`
+@@ -426,7 +444,8 @@ optional_policy(`
# Useradd local policy
#
@@ -62857,7 +62870,7 @@ index 441cf22..8b16b42 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -448,10 +463,13 @@ corecmd_exec_shell(useradd_t)
+@@ -448,10 +467,13 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -62872,7 +62885,7 @@ index 441cf22..8b16b42 100644
files_search_var_lib(useradd_t)
files_relabel_etc_files(useradd_t)
files_read_etc_runtime_files(useradd_t)
-@@ -460,17 +478,15 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,17 +482,15 @@ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
@@ -62897,7 +62910,7 @@ index 441cf22..8b16b42 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -478,6 +494,7 @@ auth_rw_faillog(useradd_t)
+@@ -478,6 +498,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -62905,7 +62918,7 @@ index 441cf22..8b16b42 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -495,24 +512,19 @@ seutil_read_file_contexts(useradd_t)
+@@ -495,24 +516,19 @@ seutil_read_file_contexts(useradd_t)
seutil_read_default_contexts(useradd_t)
seutil_domtrans_semanage(useradd_t)
seutil_domtrans_setfiles(useradd_t)
@@ -66581,10 +66594,10 @@ index dff0f12..ecab36d 100644
init_dbus_chat_script(mono_t)
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 93ac529..4c0895e 100644
+index 93ac529..ff22091 100644
--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
-@@ -1,8 +1,14 @@
+@@ -1,8 +1,15 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -66596,10 +66609,11 @@ index 93ac529..4c0895e 100644
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /bin
-@@ -14,16 +20,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -14,16 +21,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -66638,7 +66652,7 @@ index 93ac529..4c0895e 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..637eb37 100644
+index fbb5c5a..ca297bf 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -66679,7 +66693,7 @@ index fbb5c5a..637eb37 100644
')
########################################
-@@ -197,12 +209,34 @@ interface(`mozilla_domtrans',`
+@@ -197,12 +209,35 @@ interface(`mozilla_domtrans',`
#
interface(`mozilla_domtrans_plugin',`
gen_require(`
@@ -66697,6 +66711,7 @@ index fbb5c5a..637eb37 100644
+ allow $1 mozilla_plugin_t:fd use;
+
+ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
++ allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
+ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
+ allow mozilla_plugin_t $1:sem create_sem_perms;
+
@@ -66715,7 +66730,7 @@ index fbb5c5a..637eb37 100644
')
########################################
-@@ -228,6 +262,35 @@ interface(`mozilla_run_plugin',`
+@@ -228,6 +263,35 @@ interface(`mozilla_run_plugin',`
mozilla_domtrans_plugin($1)
role $2 types mozilla_plugin_t;
@@ -66751,7 +66766,7 @@ index fbb5c5a..637eb37 100644
')
########################################
-@@ -269,9 +332,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -269,9 +333,27 @@ interface(`mozilla_rw_tcp_sockets',`
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
@@ -66780,7 +66795,7 @@ index fbb5c5a..637eb37 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -279,28 +360,79 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +361,80 @@ interface(`mozilla_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -66865,6 +66880,7 @@ index fbb5c5a..637eb37 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
@@ -70989,10 +71005,10 @@ index 0000000..9127cec
+')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..28f7212
+index 0000000..4b4adba
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,102 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -71004,6 +71020,7 @@ index 0000000..28f7212
+type thumb_exec_t;
+application_domain(thumb_t, thumb_exec_t)
+ubac_constrained(thumb_t)
++userdom_home_manager(thumb_t)
+
+type thumb_tmp_t;
+files_tmp_file(thumb_tmp_t)
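Review bot: `userdom_home_manager(thumb_t)` is not mentioned in the commit's changelog and, judging by its name, lets the thumbnailer domain manage home-directory content rather than only read the files it renders. A thumbnailer parses files it did not create, so write access to the home tree is the part of this domain's policy that most needs a stated reason. Add a comment above the line, for example `# thumbnailers write their cache under the user home dir` if that is the reason, or grant access only to the specific home types thumb_t has to write. The rest of thumb.te lies outside this hunk.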
@@ -73729,7 +73746,7 @@ index 8e0f9cd..da3b374 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..60d4823 100644
+index 99b71cb..048159a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -73877,7 +73894,7 @@ index 99b71cb..60d4823 100644
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +178,30 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +178,31 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -73885,9 +73902,10 @@ index 99b71cb..60d4823 100644
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(jabber_router, tcp,5347,s0)
++network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
+network_port(jboss_debug, tcp,8787,s0)
+network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0)
-+network_port(jboss_management, tcp,4712,s0, tcp,4447,s0, udp,4712,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0)
++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
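Review bot: The rewritten `jboss_management` line mixes two spellings of the same triple, `tcp,4712,s0` and `tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0`, and lists ports out of numeric order (4712 before 4447). That makes it hard to see that 9999 is the only port added. Normalising to the compact form used by the neighbouring `network_port()` lines and sorting by port would keep future diffs of this list down to the entry that changed: `tcp,9990,s0, tcp,9999,s0, tcp,18001,s0`. The new `jacorb` entry already follows that form.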
@@ -73911,7 +73929,7 @@ index 99b71cb..60d4823 100644
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +211,33 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,61 +212,81 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -73946,7 +73964,9 @@ index 99b71cb..60d4823 100644
network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
-@@ -175,38 +246,46 @@ network_port(pulseaudio, tcp,4713,s0)
+ network_port(ptal, tcp,5703,s0)
+-network_port(pulseaudio, tcp,4713,s0)
++network_port(pulseaudio, tcp,4713,s0, udp,4713,s0)
network_port(puppet, tcp, 8140, s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
@@ -73999,7 +74019,7 @@ index 99b71cb..60d4823 100644
network_port(traceroute, udp,64000-64010,s0)
network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
-@@ -215,9 +294,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +295,12 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -74013,7 +74033,7 @@ index 99b71cb..60d4823 100644
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -229,6 +311,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +312,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -74021,7 +74041,7 @@ index 99b71cb..60d4823 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,6 +321,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +322,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -74034,7 +74054,7 @@ index 99b71cb..60d4823 100644
########################################
#
-@@ -282,9 +371,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +372,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -93400,10 +93420,10 @@ index 74505cc..dbd4f7f 100644
+')
diff --git a/policy/modules/services/condor.fc b/policy/modules/services/condor.fc
new file mode 100644
-index 0000000..f838fdf
+index 0000000..b3a5b51
--- /dev/null
+++ b/policy/modules/services/condor.fc
-@@ -0,0 +1,20 @@
+@@ -0,0 +1,21 @@
+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
+
+/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
@@ -93411,6 +93431,7 @@ index 0000000..f838fdf
+/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
+/usr/sbin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0)
+/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
++/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+/usr/sbin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0)
+
+/var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
@@ -93426,10 +93447,10 @@ index 0000000..f838fdf
+/var/run/condor(/.*)? gen_context(system_u:object_r:condor_var_run_t,s0)
diff --git a/policy/modules/services/condor.if b/policy/modules/services/condor.if
new file mode 100644
-index 0000000..2c150a6
+index 0000000..168f664
--- /dev/null
+++ b/policy/modules/services/condor.if
-@@ -0,0 +1,309 @@
+@@ -0,0 +1,327 @@
+
+## <summary>policy for condor</summary>
+
@@ -93699,6 +93720,24 @@ index 0000000..2c150a6
+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
+')
+
++######################################
++## <summary>
++## Read and write condor_schedd server TCP sockets.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`condor_rw_tcp_sockets_schedd',`
++ gen_require(`
++ type condor_schedd_t;
++ ')
++
++ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
++')
++
+########################################
+## <summary>
+## All of the rules required to administrate
@@ -93741,10 +93780,10 @@ index 0000000..2c150a6
+')
diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te
new file mode 100644
-index 0000000..e1f7dcb
+index 0000000..4eb7bd9
--- /dev/null
+++ b/policy/modules/services/condor.te
-@@ -0,0 +1,226 @@
+@@ -0,0 +1,231 @@
+policy_module(condor, 1.0.0)
+
+########################################
@@ -93916,6 +93955,7 @@ index 0000000..e1f7dcb
+#
+
+domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
++domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
+
+# dac_override because of /var/log/condor
+allow condor_schedd_t self:capability { setuid chown setgid dac_override };
@@ -93953,8 +93993,12 @@ index 0000000..e1f7dcb
+manage_files_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
+fs_tmpfs_filetrans(condor_startd_t, condor_startd_tmpfs_t, { dir file })
+
++can_exec(condor_startd_t, condor_startd_exec_t)
++
+kernel_read_kernel_sysctls(condor_startd_t)
+
++domain_read_all_domains_state(condor_startd_t)
++
+auth_use_nsswitch(condor_startd_t)
+
+init_domtrans_script(condor_startd_t)
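Review bot: `domain_read_all_domains_state(condor_startd_t)` is a system-wide grant added without a comment. This commit also labels `/usr/sbin/condor_starter` as `condor_startd_exec_t` (condor.fc hunk) and adds `can_exec(condor_startd_t, condor_startd_exec_t)`, so the starter appears to run in `condor_startd_t` and inherit the grant. If the starter is the process that launches jobs, a separate `condor_starter_t` would keep that access away from the job launcher. At minimum, a comment such as `# startd reads process state of running jobs to track resource usage` (reason to be confirmed) would record why all domains are needed. The rest of the startd section lies outside this hunk.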
@@ -94214,7 +94258,7 @@ index e67a003..cc813f3 100644
unconfined_stream_connect(consolekit_t)
')
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
-index 3a6d7eb..61eba8f 100644
+index 3a6d7eb..176271c 100644
--- a/policy/modules/services/corosync.fc
+++ b/policy/modules/services/corosync.fc
@@ -1,12 +1,23 @@
@@ -94239,7 +94283,7 @@ index 3a6d7eb..61eba8f 100644
/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
-+/var/run/hearbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
++/var/run/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
index 5220c9d..11e5dc4 100644
@@ -95052,7 +95096,7 @@ index 13d2f63..861fad7 100644
')
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..a1af527 100644
+index 2eefc08..f57c986 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -2,6 +2,10 @@
@@ -95066,7 +95110,12 @@ index 2eefc08..a1af527 100644
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-@@ -14,14 +18,15 @@
+@@ -11,17 +15,20 @@
+ /usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+ /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+
++/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
++
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -95084,7 +95133,7 @@ index 2eefc08..a1af527 100644
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/cron/[^/]* -- <<none>>
-@@ -45,3 +50,5 @@ ifdef(`distro_suse', `
+@@ -45,3 +52,5 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -98391,7 +98440,7 @@ index f706b99..9b9f4ad 100644
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..51d1512 100644
+index f231f17..f6803f2 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -8,14 +8,17 @@ policy_module(devicekit, 1.1.0)
@@ -98493,7 +98542,18 @@ index f231f17..51d1512 100644
optional_policy(`
dbus_system_bus_client(devicekit_disk_t)
-@@ -178,55 +196,85 @@ optional_policy(`
+@@ -170,6 +188,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_read_logind_sessions_files(devicekit_disk_t)
++')
++
++optional_policy(`
+ udev_domtrans(devicekit_disk_t)
+ udev_read_db(devicekit_disk_t)
+ ')
+@@ -178,55 +200,85 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -98584,7 +98644,7 @@ index f231f17..51d1512 100644
userdom_read_all_users_state(devicekit_power_t)
-@@ -235,7 +283,12 @@ optional_policy(`
+@@ -235,7 +287,12 @@ optional_policy(`
')
optional_policy(`
@@ -98597,7 +98657,7 @@ index f231f17..51d1512 100644
')
optional_policy(`
-@@ -261,14 +314,21 @@ optional_policy(`
+@@ -261,14 +318,21 @@ optional_policy(`
')
optional_policy(`
@@ -98620,7 +98680,7 @@ index f231f17..51d1512 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +336,30 @@ optional_policy(`
+@@ -276,9 +340,30 @@ optional_policy(`
')
optional_policy(`
@@ -102371,7 +102431,7 @@ index 9d3201b..6e75e3d 100644
+ allow $1 ftpd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..14b822a 100644
+index 8a74a83..9be06fe 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,27 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -102560,7 +102620,7 @@ index 8a74a83..14b822a 100644
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,6 +353,10 @@ optional_policy(`
+@@ -309,10 +353,34 @@ optional_policy(`
')
optional_policy(`
@@ -102571,10 +102631,12 @@ index 8a74a83..14b822a 100644
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
-@@ -316,6 +364,25 @@ optional_policy(`
- ')
-
- optional_policy(`
+- kerberos_manage_host_rcache(ftpd_t)
++ # this part of auth_use_pam
++ #kerberos_manage_host_rcache(ftpd_t)
++')
++
++optional_policy(`
+ tunable_policy(`ftpd_connect_db',`
+ mysql_stream_connect(ftpd_t)
+ ')
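Review bot: The hunk leaves `#kerberos_manage_host_rcache(ftpd_t)` behind as commented-out policy, and its note `# this part of auth_use_pam` is missing a verb and does not say where the rule now comes from. Whether ftpd_t actually calls `auth_use_pam` is not visible in this hunk, so the dead line invites someone to re-enable it later without checking. Prefer deleting the rule and keeping one comment, for example `# kerberos_manage_host_rcache() is granted through auth_use_pam(ftpd_t)`.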
@@ -102591,13 +102653,10 @@ index 8a74a83..14b822a 100644
+ mysql_tcp_connect(ftpd_t)
+ postgresql_tcp_connect(ftpd_t)
+ ')
-+')
-+
-+optional_policy(`
- inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
+ ')
- optional_policy(`
-@@ -347,16 +414,17 @@ optional_policy(`
+ optional_policy(`
+@@ -347,16 +415,17 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -102617,7 +102676,7 @@ index 8a74a83..14b822a 100644
########################################
#
-@@ -365,18 +433,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t)
files_read_etc_files(sftpd_t)
@@ -102654,7 +102713,7 @@ index 8a74a83..14b822a 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +477,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -105812,7 +105871,7 @@ index 0000000..af510ea
+
+# No local policy. This module just contains type definitions
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
-index 3525d24..033de90 100644
+index 3525d24..36582cd 100644
--- a/policy/modules/services/kerberos.fc
+++ b/policy/modules/services/kerberos.fc
@@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
@@ -105824,7 +105883,7 @@ index 3525d24..033de90 100644
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-@@ -30,4 +30,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+@@ -30,4 +30,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
@@ -105832,9 +105891,13 @@ index 3525d24..033de90 100644
+
/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..91ef376 100644
+index 604f67b..276cf5f 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
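Review bot: The added entries `/var/tmp/HTTP_48`, `/var/tmp/ldap_487` and `/var/tmp/ldap_55` hard-code a numeric suffix, so a replay cache created with any other suffix keeps the default /var/tmp label unless a name-based transition catches it. The suffix looks like the uid of the owning service (an assumption, the page does not say), which would tie these lines to one distribution's uid assignment. A comment above the block, for example `# rcache names are <service>_<uid>; add a line per service uid in use`, would tell the next editor when a line has to be added. As far as the visible lines show, the kerberos.if change later in this commit adds `kerberos_tmp_filetrans_host_rcache($1, "host_0")` for `host_0` only.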
@@ -26,9 +26,9 @@
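Review bot: The four added `/var/tmp` entries (`HTTP_48`, `nfs_0`, `ldap_487`, `ldap_55`) extend a list of exact replay-cache file names that this patch spells out twice more as `kerberos_tmp_filetrans_host_rcache($1, "...")` calls in kerberos.if, so three hand-maintained lists now have to agree. The numeric suffix looks like the UID of the service, which would mean a daemon running under any other UID still creates its cache with the generic tmp label. A comment above the block would help the next maintainer, for example `# replay caches are named <service>_<uid>; keep in step with the kerberos_tmp_filetrans_host_rcache lists in kerberos.if`. In kerberos.if, one of the two lists could become a call to the interface that holds the other, leaving a single list to maintain.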
@@ -105881,7 +105944,18 @@ index 604f67b..91ef376 100644
')
optional_policy(`
-@@ -218,6 +218,25 @@ interface(`kerberos_rw_keytab',`
+@@ -111,10 +111,6 @@ interface(`kerberos_use',`
+ pcscd_stream_connect($1)
+ ')
+ ')
+-
+- optional_policy(`
+- sssd_read_public_files($1)
+- ')
+ ')
+
+ ########################################
+@@ -218,6 +214,25 @@ interface(`kerberos_rw_keytab',`
########################################
## <summary>
@@ -105907,7 +105981,7 @@ index 604f67b..91ef376 100644
## Create a derived type for kerberos keytab
## </summary>
## <param name="prefix">
-@@ -235,7 +254,7 @@ template(`kerberos_keytab_template',`
+@@ -235,7 +250,7 @@ template(`kerberos_keytab_template',`
type $1_keytab_t;
files_type($1_keytab_t)
@@ -105916,7 +105990,7 @@ index 604f67b..91ef376 100644
kerberos_read_keytab($2)
kerberos_use($2)
-@@ -289,35 +308,14 @@ interface(`kerberos_manage_host_rcache',`
+@@ -289,31 +304,18 @@ interface(`kerberos_manage_host_rcache',`
seutil_read_file_contexts($1)
@@ -105925,10 +105999,10 @@ index 604f67b..91ef376 100644
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
files_search_tmp($1)
')
- ')
-
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
-## Connect to krb524 service
-## </summary>
-## <param name="domain">
@@ -105940,21 +106014,24 @@ index 604f67b..91ef376 100644
-interface(`kerberos_connect_524',`
- tunable_policy(`allow_kerberos',`
- allow $1 self:udp_socket create_socket_perms;
--
+
- corenet_all_recvfrom_unlabeled($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_node($1)
- corenet_udp_sendrecv_kerberos_master_port($1)
- corenet_sendrecv_kerberos_master_client_packets($1)
- ')
--')
--
--########################################
--## <summary>
- ## All of the rules required to administrate
- ## an kerberos environment
- ## </summary>
-@@ -338,18 +336,22 @@ interface(`kerberos_admin',`
++ kerberos_tmp_filetrans_host_rcache($1, "host_0")
++ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
++ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
++ kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
++ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
++ kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
++ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
+ ')
+
+ ########################################
+@@ -338,18 +340,22 @@ interface(`kerberos_admin',`
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -105982,7 +106059,7 @@ index 604f67b..91ef376 100644
ps_process_pattern($1, kpropd_t)
init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-@@ -378,3 +380,109 @@ interface(`kerberos_admin',`
+@@ -378,3 +384,113 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -106090,7 +106167,11 @@ index 604f67b..91ef376 100644
+
+ kerberos_tmp_filetrans_host_rcache($1, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
++ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
++ kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
++ kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
++ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
+')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 8edc29b..92dde2c 100644
@@ -108678,10 +108759,10 @@ index 0000000..1ec1c97
+')
diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
new file mode 100644
-index 0000000..3a1b451
+index 0000000..d1ba3e7
--- /dev/null
+++ b/policy/modules/services/matahari.te
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,108 @@
+policy_module(matahari,1.0.0)
+
+########################################
@@ -108710,6 +108791,7 @@ index 0000000..3a1b451
+#
+# matahari_hostd local policy
+#
++
+dev_read_sysfs(matahari_hostd_t)
+dev_rw_mtrr(matahari_hostd_t)
+
@@ -108738,6 +108820,7 @@ index 0000000..3a1b451
+#
+
+corecmd_exec_bin(matahari_rpcd_t)
++corecmd_exec_shell(matahari_rpcd_t)
+
+auth_read_passwd(matahari_rpcd_t)
+
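Review bot: `corecmd_exec_shell(matahari_rpcd_t)` is added without a comment saying which matahari-rpcd operation needs a shell, and because the shell runs inside matahari_rpcd_t, every permission of the daemon is available to whatever script it starts. A why-comment above the rule would make the grant auditable later, for example `# <operation> runs helper scripts through the shell (see <bug reference>)`. If only a known helper is involved, a transition to a dedicated domain would be narrower than in-domain shell execution. That cannot be judged from this hunk, because the surrounding policy block continues outside it.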
@@ -110566,7 +110649,7 @@ index 343cee3..555300e 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..12e5313 100644
+index 64268e4..da35763 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,19 @@ files_type(etc_aliases_t)
@@ -110777,11 +110860,11 @@ index 64268e4..12e5313 100644
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
--
--read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+userdom_search_admin_dir(mailserver_delivery)
+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
+-read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mailserver_delivery)
- fs_manage_cifs_files(mailserver_delivery)
@@ -110855,7 +110938,7 @@ index 64268e4..12e5313 100644
# Read user temporary files.
# postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files(user_mail_t)
-@@ -292,3 +315,117 @@ optional_policy(`
+@@ -292,3 +315,123 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -110935,6 +111018,12 @@ index 64268e4..12e5313 100644
+miscfiles_read_localization(user_mail_domain)
+
+optional_policy(`
++ courier_manage_spool_dirs(user_mail_domain)
++ courier_manage_spool_files(user_mail_domain)
++ courier_rw_spool_pipes(user_mail_domain)
++')
++
++optional_policy(`
+ exim_domtrans(user_mail_domain)
+ exim_manage_log(user_mail_domain)
+ exim_manage_spool_files(user_mail_domain)
@@ -113071,43 +113160,48 @@ index 4876cae..9f3b09b 100644
diff --git a/policy/modules/services/nova.fc b/policy/modules/services/nova.fc
new file mode 100644
-index 0000000..03d78ae
+index 0000000..d4e64d8
--- /dev/null
+++ b/policy/modules/services/nova.fc
-@@ -0,0 +1,40 @@
-+
+@@ -0,0 +1,45 @@
+
+/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0)
-+#/usr/bin/nova-compute -- gen_context(system_u:object_r:nova_compute_exec_t,s0)
++/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_console_exec_t,s0)
+/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0)
+/usr/bin/nova-api -- gen_context(system_u:object_r:nova_api_exec_t,s0)
+/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_cert_exec_t,s0)
++/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)
+/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0)
+/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0)
+/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0)
+/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
+/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0)
++/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
+
-+/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
++/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0)
+/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
+/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
-+#/lib/systemd/system/openstack-nova-compute.service
++/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0)
+/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
++/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
+/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0)
+/lib/systemd/system/openstack-nova-objectstore.* -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0)
+/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0)
+/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
++/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
+/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0)
+
-+/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
-+#/lib/systemd/system/openstack-nova-compute.service
++/usr/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-objectstore.* -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0)
+
+/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0)
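Review bot: The new entry `/usr//bin/nova-api-metadata` has a doubled slash, and file-context specifications are matched as anchored regular expressions against the normalised path, so as far as I can tell it never matches `/usr/bin/nova-api-metadata`. The binary would then keep the default label for /usr/bin rather than nova_api_exec_t, and the service would not enter nova_api_t when started. The line should read `/usr/bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)`. The two `openstack-nova-metadata-api.service.*` unit entries also differ from their siblings, which stop at the unit base name (`openstack-nova-api.*`); `openstack-nova-metadata-api.*` would be consistent.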
@@ -113156,10 +113250,10 @@ index 0000000..0d11800
+')
diff --git a/policy/modules/services/nova.te b/policy/modules/services/nova.te
new file mode 100644
-index 0000000..9dd1d72
+index 0000000..b0d25bb
--- /dev/null
+++ b/policy/modules/services/nova.te
-@@ -0,0 +1,315 @@
+@@ -0,0 +1,328 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -113178,6 +113272,7 @@ index 0000000..9dd1d72
+nova_domain_template(api)
+nova_domain_template(cert)
+nova_domain_template(compute)
++nova_domain_template(console)
+nova_domain_template(direct)
+nova_domain_template(network)
+nova_domain_template(objectstore)
@@ -113252,6 +113347,8 @@ index 0000000..9dd1d72
+
+allow nova_api_t self:process setfscreate;
+
++allow nova_api_t self:key write;
++
+allow nova_api_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow nova_api_t self:udp_socket create_socket_perms;
@@ -113264,6 +113361,8 @@ index 0000000..9dd1d72
+corenet_tcp_connect_all_ports(nova_api_t)
+corenet_tcp_bind_all_unreserved_ports(nova_api_t)
+
++auth_read_passwd(nova_api_t)
++
+logging_send_syslog_msg(nova_api_t)
+
+miscfiles_read_certs(nova_api_t)
@@ -113326,6 +113425,14 @@ index 0000000..9dd1d72
+ virt_stream_connect(nova_compute_t)
+')
+
++######################################
++#
++# nova console local policy
++#
++
++allow nova_console_t self:udp_socket create_socket_perms;
++
++auth_use_nsswitch(nova_console_t)
+
+#######################################
+#
@@ -114179,10 +114286,10 @@ index 0000000..77a3112
+')
diff --git a/policy/modules/services/numad.te b/policy/modules/services/numad.te
new file mode 100644
-index 0000000..e3ac955
+index 0000000..e18b767
--- /dev/null
+++ b/policy/modules/services/numad.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,45 @@
+policy_module(numad, 1.0.0)
+
+########################################
@@ -114221,6 +114328,8 @@ index 0000000..e3ac955
+
+kernel_read_system_state(numad_t)
+
++dev_read_sysfs(numad_t)
++
+domain_use_interactive_fds(numad_t)
+
+files_read_etc_files(numad_t)
@@ -114386,14 +114495,13 @@ index b4c5f86..0f1549d 100644
cron_system_entry(oav_update_t, oav_update_exec_t)
diff --git a/policy/modules/services/obex.fc b/policy/modules/services/obex.fc
new file mode 100644
-index 0000000..eebfda8
+index 0000000..7b31529
--- /dev/null
+++ b/policy/modules/services/obex.fc
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,3 @@
+
+
+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
-+
diff --git a/policy/modules/services/obex.if b/policy/modules/services/obex.if
new file mode 100644
index 0000000..d3b9544
@@ -114479,10 +114587,10 @@ index 0000000..d3b9544
+')
diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
new file mode 100644
-index 0000000..5285bef
+index 0000000..3689d8a
--- /dev/null
+++ b/policy/modules/services/obex.te
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,30 @@
+policy_module(obex,1.0.0)
+
+########################################
@@ -114492,8 +114600,8 @@ index 0000000..5285bef
+
+type obex_t;
+type obex_exec_t;
-+dbus_system_domain(obex_t, obex_exec_t)
-+init_daemon_domain(obex_t, obex_exec_t)
++application_domain(obex_t, obex_exec_t)
++ubac_constrained(obex_t)
+
+########################################
+#
@@ -114511,6 +114619,8 @@ index 0000000..5285bef
+
+miscfiles_read_localization(obex_t)
+
++userdom_search_user_home_content(obex_t)
++
diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc
index bdf8c89..0132b08 100644
--- a/policy/modules/services/oddjob.fc
@@ -115070,7 +115180,7 @@ index d883214..d6afa87 100644
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index 8b550f4..3075607 100644
+index 8b550f4..cae4941 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
@@ -115145,7 +115255,7 @@ index 8b550f4..3075607 100644
corenet_tcp_connect_http_cache_port(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
-@@ -100,8 +108,12 @@ dev_read_urand(openvpn_t)
+@@ -100,33 +108,40 @@ dev_read_urand(openvpn_t)
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
@@ -115158,7 +115268,11 @@ index 8b550f4..3075607 100644
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
-@@ -112,21 +124,23 @@ sysnet_exec_ifconfig(openvpn_t)
+ miscfiles_read_all_certs(openvpn_t)
+
+ sysnet_dns_name_resolve(openvpn_t)
++sysnet_use_ldap(openvpn_t)
+ sysnet_exec_ifconfig(openvpn_t)
sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
@@ -115190,7 +115304,7 @@ index 8b550f4..3075607 100644
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +152,7 @@ optional_policy(`
+@@ -138,3 +153,7 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
@@ -124264,7 +124378,7 @@ index 63e78c6..fdd8228 100644
type rlogind_home_t;
')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..91c8ee8 100644
+index 779fa44..1570864 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -124304,7 +124418,7 @@ index 779fa44..91c8ee8 100644
files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
-@@ -88,29 +88,24 @@ seutil_read_config(rlogind_t)
+@@ -88,27 +88,23 @@ seutil_read_config(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_user_home_content_files(rlogind_t)
@@ -124329,21 +124443,20 @@ index 779fa44..91c8ee8 100644
- fs_list_cifs(rlogind_t)
- fs_read_cifs_files(rlogind_t)
- fs_read_cifs_symlinks(rlogind_t)
--')
--
- optional_policy(`
- kerberos_keytab_template(rlogind, rlogind_t)
- kerberos_manage_host_rcache(rlogind_t)
++optional_policy(`
++ kerberos_keytab_template(rlogind, rlogind_t)
++ #part of auth_use_pam
++ #kerberos_manage_host_rcache(rlogind_t)
')
optional_policy(`
+- kerberos_keytab_template(rlogind, rlogind_t)
+- kerberos_manage_host_rcache(rlogind_t)
+ remotelogin_domtrans(rlogind_t)
+ remotelogin_signal(rlogind_t)
-+')
-+
-+optional_policy(`
- tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
')
+
+ optional_policy(`
diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if
index 30c4b75..e07c2ff 100644
--- a/policy/modules/services/roundup.if
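Review bot: `kerberos_manage_host_rcache(...)` is left in the policy as a commented-out rule here and, without even the `#part of auth_use_pam` remark, in rshd.te, sasl.te and `ssh_server_template` in ssh.if later in this patch. A commented-out rule records no reason for the change; either delete the line or keep one real comment such as `# replay-cache access is granted through auth_use_pam()`. That statement only holds for domains that actually call `auth_use_pam`, which these hunks do not show for saslauthd_t or the ssh server template. Each of the four domains should therefore be checked for a remaining path to krb5_host_rcache_t before the call is dropped.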
@@ -124362,7 +124475,7 @@ index 30c4b75..e07c2ff 100644
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 5c70c0c..5a75e95 100644
+index 5c70c0c..ce7da4f 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
@@ -6,6 +6,12 @@
@@ -124393,12 +124506,11 @@ index 5c70c0c..5a75e95 100644
#
# /var
-@@ -29,3 +37,5 @@
+@@ -29,3 +37,4 @@
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
-+/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index cda37bb..b3469d6 100644
--- a/policy/modules/services/rpc.if
@@ -124552,7 +124664,7 @@ index cda37bb..b3469d6 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..d9b4001 100644
+index b1468ed..f30c62e 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -124767,17 +124879,18 @@ index b1468ed..d9b4001 100644
')
optional_policy(`
-@@ -229,6 +270,10 @@ optional_policy(`
- ')
+@@ -226,6 +267,11 @@ optional_policy(`
optional_policy(`
-+ mount_signal(gssd_t)
+ kerberos_keytab_template(gssd, gssd_t)
++ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
+')
+
+optional_policy(`
- pcscd_read_pub_files(gssd_t)
++ mount_signal(gssd_t)
')
+ optional_policy(`
diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc
index f5c47d6..482b584 100644
--- a/policy/modules/services/rpcbind.fc
@@ -124897,7 +125010,7 @@ index d6d76e1..9cb5e25 100644
+ nis_use_ypbind(rpcbind_t)
+')
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
-index 0b405d1..e91eb53 100644
+index 0b405d1..d55394c 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -39,6 +39,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t)
@@ -124909,7 +125022,7 @@ index 0b405d1..e91eb53 100644
selinux_get_fs_mount(rshd_t)
selinux_validate_context(rshd_t)
selinux_compute_access_vector(rshd_t)
-@@ -66,16 +68,9 @@ seutil_read_config(rshd_t)
+@@ -66,20 +68,13 @@ seutil_read_config(rshd_t)
seutil_read_default_contexts(rshd_t)
userdom_search_user_home_content(rshd_t)
@@ -124928,6 +125041,11 @@ index 0b405d1..e91eb53 100644
optional_policy(`
kerberos_keytab_template(rshd, rshd_t)
+- kerberos_manage_host_rcache(rshd_t)
++ #kerberos_manage_host_rcache(rshd_t)
+ ')
+
+ optional_policy(`
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
index 3386f29..b28cae5 100644
--- a/policy/modules/services/rsync.if
@@ -126385,7 +126503,7 @@ index f1aea88..3e6a93f 100644
admin_pattern($1, saslauthd_var_run_t)
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
-index cfc60dd..71d76cf 100644
+index cfc60dd..8908145 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
@@ -126434,7 +126552,7 @@ index cfc60dd..71d76cf 100644
optional_policy(`
kerberos_keytab_template(saslauthd, saslauthd_t)
-+ kerberos_manage_host_rcache(saslauthd_t)
++ #kerberos_manage_host_rcache(saslauthd_t)
')
optional_policy(`
@@ -128643,7 +128761,7 @@ index 078bcd7..21ff471 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..60103b5 100644
+index 22adaca..7f010a4 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@@ -128807,7 +128925,7 @@ index 22adaca..60103b5 100644
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
-@@ -243,21 +276,13 @@ template(`ssh_server_template', `
+@@ -243,31 +276,31 @@ template(`ssh_server_template', `
miscfiles_read_localization($1_t)
@@ -128831,7 +128949,11 @@ index 22adaca..60103b5 100644
optional_policy(`
kerberos_use($1_t)
-@@ -268,6 +293,14 @@ template(`ssh_server_template', `
+- kerberos_manage_host_rcache($1_t)
++ #kerberos_manage_host_rcache($1_t)
+ ')
+
+ optional_policy(`
files_read_var_lib_symlinks($1_t)
nx_spec_domtrans_server($1_t)
')
@@ -129203,7 +129325,7 @@ index 22adaca..60103b5 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..5ad9960 100644
+index 2dad3c8..6dbec51 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0)
@@ -129435,7 +129557,7 @@ index 2dad3c8..5ad9960 100644
#################################
#
# sshd local policy
-@@ -232,33 +244,45 @@ optional_policy(`
+@@ -232,33 +244,46 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -129487,10 +129609,11 @@ index 2dad3c8..5ad9960 100644
+optional_policy(`
+ condor_rw_lib_files(sshd_t)
+ condor_rw_tcp_sockets_startd(sshd_t)
++ condor_rw_tcp_sockets_schedd(sshd_t)
')
optional_policy(`
-@@ -266,11 +290,24 @@ optional_policy(`
+@@ -266,11 +291,24 @@ optional_policy(`
')
optional_policy(`
@@ -129516,7 +129639,7 @@ index 2dad3c8..5ad9960 100644
')
optional_policy(`
-@@ -284,6 +321,15 @@ optional_policy(`
+@@ -284,6 +322,15 @@ optional_policy(`
')
optional_policy(`
@@ -129532,7 +129655,7 @@ index 2dad3c8..5ad9960 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +338,26 @@ optional_policy(`
+@@ -292,26 +339,26 @@ optional_policy(`
')
ifdef(`TODO',`
@@ -129578,7 +129701,7 @@ index 2dad3c8..5ad9960 100644
') dnl endif TODO
########################################
-@@ -322,19 +368,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +369,26 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -129606,7 +129729,7 @@ index 2dad3c8..5ad9960 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +404,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +405,11 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -129620,7 +129743,7 @@ index 2dad3c8..5ad9960 100644
')
optional_policy(`
-@@ -363,3 +418,76 @@ optional_policy(`
+@@ -363,3 +419,76 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -132353,7 +132476,7 @@ index 7c5d8d8..85b7d8b 100644
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..0900b33 100644
+index 3eca020..58ea3c0 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
@@ -132935,7 +133058,7 @@ index 3eca020..0900b33 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +652,427 @@ files_search_all(virt_domain)
+@@ -440,25 +652,428 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -133216,7 +133339,6 @@ index 3eca020..0900b33 100644
+allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+dontaudit svirt_lxc_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
-+
+manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -133244,6 +133366,7 @@ index 3eca020..0900b33 100644
+files_read_config_files(svirt_lxc_domain)
+files_read_usr_files(svirt_lxc_domain)
+files_read_usr_symlinks(svirt_lxc_domain)
++files_search_locks(svirt_lxc_domain)
+
+fs_getattr_all_fs(svirt_lxc_domain)
+fs_list_inotifyfs(svirt_lxc_domain)
@@ -133276,7 +133399,7 @@ index 3eca020..0900b33 100644
+
+virt_lxc_domain_template(svirt_lxc_net)
+
-+allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service sys_nice };
++allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service sys_nice chown dac_read_search dac_override fowner };
+allow svirt_lxc_net_t self:udp_socket create_socket_perms;
+allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
+allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms;
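Review bot: The capability set of svirt_lxc_net_t grows by `chown dac_read_search dac_override fowner` with no comment, and with `dac_override` a root process in the container is no longer limited by file mode bits, which leaves the SELinux policy as the only file-access barrier for this domain. The rule should carry its reason, for example `# <container workload> runs as root and must chown/override DAC inside its own file tree (see <bug reference>)`. Putting the DAC capabilities on their own `allow` line would let them be reviewed or reverted separately from the network ones. If only some containers need them, a tunable would be narrower than granting them to every svirt_lxc_net_t container; the rest of the domain's policy lies outside this hunk.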
@@ -133284,6 +133407,7 @@ index 3eca020..0900b33 100644
+allow svirt_lxc_net_t self:socket create_socket_perms;
+allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
++allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(svirt_lxc_net_t)
+corenet_udp_bind_generic_node(svirt_lxc_net_t)
@@ -135096,7 +135220,7 @@ index 130ced9..56cb1f8 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..479bf53 100644
+index 143c893..b657135 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -135422,13 +135546,14 @@ index 143c893..479bf53 100644
')
optional_policy(`
-@@ -304,20 +400,37 @@ optional_policy(`
+@@ -304,20 +400,38 @@ optional_policy(`
# XDM Local policy
#
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
++dontaudit xserver_t self:capability sys_admin;
+
+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
allow xdm_t self:fifo_file rw_fifo_file_perms;
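Review bot: The added `dontaudit xserver_t self:capability sys_admin;` names xserver_t although it sits in the XDM local policy section directly under the xdm_t capability rule, and the commit description attributes the sys_admin request to xdm running lspci. As written, denials for xdm_t would still be logged, while sys_admin denials for the X server are hidden instead, which removes an audit signal for a domain the description does not mention. If xdm_t is what was meant, the line should be `dontaudit xdm_t self:capability sys_admin;`.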
@@ -135464,7 +135589,7 @@ index 143c893..479bf53 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +438,63 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +439,63 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -135534,7 +135659,7 @@ index 143c893..479bf53 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +503,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +504,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -135562,7 +135687,7 @@ index 143c893..479bf53 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +534,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +535,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -135615,7 +135740,7 @@ index 143c893..479bf53 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -435,9 +586,25 @@ files_list_mnt(xdm_t)
+@@ -435,9 +587,25 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -135641,7 +135766,7 @@ index 143c893..479bf53 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +613,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +614,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -135683,7 +135808,7 @@ index 143c893..479bf53 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -476,24 +653,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +654,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -135733,7 +135858,7 @@ index 143c893..479bf53 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +703,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +704,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -135755,7 +135880,7 @@ index 143c893..479bf53 100644
')
optional_policy(`
-@@ -519,12 +725,63 @@ optional_policy(`
+@@ -519,12 +726,63 @@ optional_policy(`
')
optional_policy(`
@@ -135819,7 +135944,7 @@ index 143c893..479bf53 100644
hostname_exec(xdm_t)
')
-@@ -542,28 +799,69 @@ optional_policy(`
+@@ -542,28 +800,69 @@ optional_policy(`
')
optional_policy(`
@@ -135898,7 +136023,7 @@ index 143c893..479bf53 100644
')
optional_policy(`
-@@ -575,6 +873,14 @@ optional_policy(`
+@@ -575,6 +874,14 @@ optional_policy(`
')
optional_policy(`
@@ -135913,7 +136038,7 @@ index 143c893..479bf53 100644
xfs_stream_connect(xdm_t)
')
-@@ -599,7 +905,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +906,8 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -135923,7 +136048,7 @@ index 143c893..479bf53 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +920,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +921,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -135939,7 +136064,7 @@ index 143c893..479bf53 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +947,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +948,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -135961,7 +136086,7 @@ index 143c893..479bf53 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +967,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +968,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -135969,7 +136094,7 @@ index 143c893..479bf53 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,21 +994,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +995,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -136000,7 +136125,7 @@ index 143c893..479bf53 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1026,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1027,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -136014,7 +136139,7 @@ index 143c893..479bf53 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1045,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1046,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -136023,7 +136148,7 @@ index 143c893..479bf53 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1052,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1053,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -136038,7 +136163,7 @@ index 143c893..479bf53 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1111,40 @@ optional_policy(`
+@@ -778,16 +1112,40 @@ optional_policy(`
')
optional_policy(`
@@ -136080,7 +136205,7 @@ index 143c893..479bf53 100644
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1153,10 @@ optional_policy(`
+@@ -796,6 +1154,10 @@ optional_policy(`
')
optional_policy(`
@@ -136091,7 +136216,7 @@ index 143c893..479bf53 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1172,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1173,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -136105,7 +136230,7 @@ index 143c893..479bf53 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1183,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1184,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -136114,7 +136239,7 @@ index 143c893..479bf53 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,26 +1196,21 @@ init_use_fds(xserver_t)
+@@ -835,26 +1197,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -136149,7 +136274,7 @@ index 143c893..479bf53 100644
')
optional_policy(`
-@@ -862,6 +1218,10 @@ optional_policy(`
+@@ -862,6 +1219,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -136160,7 +136285,7 @@ index 143c893..479bf53 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1265,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1266,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -136169,7 +136294,7 @@ index 143c893..479bf53 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1319,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1320,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -136201,7 +136326,7 @@ index 143c893..479bf53 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1365,43 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1366,43 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -137438,10 +137563,29 @@ index 28ad538..82def3d 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..3fcce09 100644
+index 73554ec..a0bd29b 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
-@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
+@@ -23,11 +23,17 @@ interface(`auth_role',`
+ role $1 types chkpwd_t;
+
+ # Transition from the user domain to this domain.
+- domtrans_pattern($2, chkpwd_exec_t, chkpwd_t)
++ auth_domtrans_chkpwd($2)
+
+ ps_process_pattern($2, chkpwd_t)
+
+ dontaudit $2 shadow_t:file read_file_perms;
++
++ logging_send_syslog_msg($2)
++ logging_send_audit_msgs($2)
++
++ usermanage_read_crack_db($2)
++
+ ')
+
+ ########################################
+@@ -57,6 +63,8 @@ interface(`auth_use_pam',`
auth_exec_pam($1)
auth_use_nsswitch($1)
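Review bot: The new `usermanage_read_crack_db($2)` call in `auth_role` reaches into another module without an `optional_policy` wrapper, so the interface would presumably fail to expand in a build that lacks the usermanage module. Wrapping that one call in `optional_policy`, as other blocks in this file do, avoids the hard dependency. The added `logging_send_audit_msgs($2)` applies to the calling user domain rather than to `chkpwd_t`, and a later hunk adds `auth_role($1_r, $1_t)` to what appears to be `userdom_login_user_template`, so every login user domain would gain permission to send audit messages. A comment above the two logging calls, such as `# caller sends its own syslog/audit records (TODO: name the program that needs this)`, would record why the caller needs them. The transition now goes through `auth_domtrans_chkpwd($2)`, while the interface visible elsewhere in this diff is `auth_domtrans_chk_passwd`; confirm the shorter name resolves and is not a deprecated alias.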
@@ -137450,7 +137594,7 @@ index 73554ec..3fcce09 100644
logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
-@@ -78,8 +80,19 @@ interface(`auth_use_pam',`
+@@ -78,8 +86,19 @@ interface(`auth_use_pam',`
')
optional_policy(`
@@ -137470,7 +137614,7 @@ index 73554ec..3fcce09 100644
')
########################################
-@@ -95,9 +108,13 @@ interface(`auth_use_pam',`
+@@ -95,9 +114,13 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
@@ -137484,7 +137628,7 @@ index 73554ec..3fcce09 100644
domain_subj_id_change_exemption($1)
domain_role_change_exemption($1)
domain_obj_id_change_exemption($1)
-@@ -105,14 +122,17 @@ interface(`auth_login_pgm_domain',`
+@@ -105,14 +128,17 @@ interface(`auth_login_pgm_domain',`
# Needed for pam_selinux_permit to cleanup properly
domain_read_all_domains_state($1)
@@ -137502,7 +137646,7 @@ index 73554ec..3fcce09 100644
manage_files_pattern($1, var_auth_t, var_auth_t)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -120,16 +140,29 @@ interface(`auth_login_pgm_domain',`
+@@ -120,16 +146,29 @@ interface(`auth_login_pgm_domain',`
manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
files_var_filetrans($1, auth_cache_t, dir)
@@ -137533,7 +137677,7 @@ index 73554ec..3fcce09 100644
selinux_get_fs_mount($1)
selinux_validate_context($1)
-@@ -145,6 +178,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +184,8 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1)
mls_fd_share_all_levels($1)
@@ -137542,7 +137686,7 @@ index 73554ec..3fcce09 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -155,13 +190,87 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +196,83 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -137587,11 +137731,11 @@ index 73554ec..3fcce09 100644
+ optional_policy(`
+ ssh_agent_exec($1)
+ ssh_read_user_home_files($1)
- ')
- ')
-
- ########################################
- ## <summary>
++ ')
++')
++
++########################################
++## <summary>
+## Read authlogin state files.
+## </summary>
+## <param name="domain">
@@ -137622,17 +137766,13 @@ index 73554ec..3fcce09 100644
+interface(`authlogin_rw_pipes',`
+ gen_require(`
+ attribute polydomain;
-+ ')
+ ')
+
+ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Use the login program as an entry point program.
- ## </summary>
- ## <param name="domain">
-@@ -368,13 +477,15 @@ interface(`auth_domtrans_chk_passwd',`
+ ')
+
+ ########################################
+@@ -368,13 +483,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -137649,7 +137789,7 @@ index 73554ec..3fcce09 100644
')
########################################
-@@ -421,6 +532,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +538,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -137675,7 +137815,7 @@ index 73554ec..3fcce09 100644
')
########################################
-@@ -440,7 +570,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -440,7 +576,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -137683,7 +137823,7 @@ index 73554ec..3fcce09 100644
')
########################################
-@@ -637,6 +766,10 @@ interface(`auth_manage_shadow',`
+@@ -637,6 +772,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -137694,7 +137834,7 @@ index 73554ec..3fcce09 100644
')
#######################################
-@@ -736,7 +869,50 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +875,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -137746,7 +137886,7 @@ index 73554ec..3fcce09 100644
')
#######################################
-@@ -932,9 +1108,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1114,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -137780,7 +137920,7 @@ index 73554ec..3fcce09 100644
')
########################################
-@@ -1013,6 +1210,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1013,6 +1216,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -137791,7 +137931,7 @@ index 73554ec..3fcce09 100644
')
########################################
-@@ -1130,6 +1331,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1130,6 +1337,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -137799,7 +137939,7 @@ index 73554ec..3fcce09 100644
')
#######################################
-@@ -1387,6 +1589,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1595,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -137825,7 +137965,7 @@ index 73554ec..3fcce09 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1537,37 +1758,49 @@ interface(`auth_manage_login_records',`
+@@ -1537,37 +1764,49 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -137885,7 +138025,7 @@ index 73554ec..3fcce09 100644
## </p>
## </desc>
## <param name="domain">
-@@ -1575,87 +1808,206 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1814,206 @@ interface(`auth_relabel_login_records',`
## Domain allowed access.
## </summary>
## </param>
@@ -138143,7 +138283,7 @@ index 73554ec..3fcce09 100644
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..a22fe6d 100644
+index b7a5f00..b2a6592 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,22 +5,42 @@ policy_module(authlogin, 2.2.1)
@@ -138252,7 +138392,7 @@ index b7a5f00..a22fe6d 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +416,75 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -138323,6 +138463,7 @@ index b7a5f00..a22fe6d 100644
+
+optional_policy(`
+ sssd_stream_connect(nsswitch_domain)
++ sssd_read_public_files(nsswitch_domain)
+')
+
+optional_policy(`
@@ -148969,7 +149110,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..917240b 100644
+index 4b2878a..e3e0e4f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -149620,15 +149761,15 @@ index 4b2878a..917240b 100644
- alsa_relabel_home_files($1_t)
+ # Allow graphical boot to check battery lifespan
+ apm_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ canna_stream_connect($1_usertype)
')
optional_policy(`
- # Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
++ canna_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
+ chrome_role($1_r, $1_usertype)
')
@@ -149646,57 +149787,57 @@ index 4b2878a..917240b 100644
+ optional_policy(`
+ avahi_dbus_chat($1_usertype)
+ ')
++
++ optional_policy(`
++ policykit_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ bluetooth_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ ')
++
++ optional_policy(`
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
++ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ policykit_dbus_chat($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ bluetooth_dbus_chat($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
++ kde_dbus_chat_backlighthelper($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
++ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
- ')
-+
-+ optional_policy(`
-+ gnome_dbus_chat_gconfdefault($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ hal_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ kde_dbus_chat_backlighthelper($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ modemmanager_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ networkmanager_dbus_chat($1_usertype)
+ networkmanager_read_lib_files($1_usertype)
-+ ')
+ ')
+
+ optional_policy(`
+ vpn_dbus_chat($1_usertype)
@@ -149826,12 +149967,14 @@ index 4b2878a..917240b 100644
+
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable(allow_$1_exec_content, true)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable(allow_$1_exec_content, true)
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -149839,9 +149982,7 @@ index 4b2878a..917240b 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -149849,12 +149990,18 @@ index 4b2878a..917240b 100644
userdom_change_password_template($1)
-@@ -730,78 +911,89 @@ template(`userdom_login_user_template', `
- allow $1_t self:capability { setgid chown fowner };
+@@ -727,81 +908,98 @@ template(`userdom_login_user_template', `
+ # User domain Local policy
+ #
+
+- allow $1_t self:capability { setgid chown fowner };
++ allow $1_t self:capability { setgid setuid chown fowner };
++ allow $1_t self:process setcurrent;
++ domain_dyntrans_type($1_t)
dontaudit $1_t self:capability { sys_nice fsetid };
- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
-+ allow $1_t self:process ~{ ptrace setcurrent setrlimit execmem execstack execheap };
++ allow $1_t self:process ~{ ptrace setrlimit execmem execstack execheap };
dontaudit $1_t self:process setrlimit;
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
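Review bot: The explicit `allow $1_t self:process setcurrent;` is redundant, because the complement rule below it now reads `~{ ptrace setrlimit execmem execstack execheap }` and so already grants `setcurrent`. Keeping `setcurrent` in that exclusion list and leaving only the explicit allow would put the grant on its own reviewable line. Together with `setuid` in the capability set and `domain_dyntrans_type($1_t)`, the change lets every domain built from `userdom_login_user_template` change its own context dynamically. That is a wide grant if the motivation is the privsep/chage case in the commit log, which is an inference since the hunk carries no comment. A comment above the three new lines, such as `# setuid/setcurrent/dyntrans: required for <program> privsep`, or scoping them to the one domain that needs them, would make this easier to audit; the template body continues beyond this hunk.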
@@ -149867,6 +150014,7 @@ index 4b2878a..917240b 100644
- dev_read_sysfs($1_t)
- dev_read_urand($1_t)
+ dev_read_sysfs($1_usertype)
++ dev_read_rand($1_usertype)
+ dev_read_urand($1_usertype)
- domain_use_interactive_fds($1_t)
@@ -149897,8 +150045,11 @@ index 4b2878a..917240b 100644
+ fs_list_inotifyfs($1_usertype)
+ fs_rw_anon_inodefs_files($1_usertype)
- auth_dontaudit_write_login_records($1_t)
++ auth_role($1_r, $1_t)
+ auth_rw_cache($1_t)
++ auth_search_pam_console_data($1_t)
++ auth_dontaudit_read_login_records($1_t)
+ auth_dontaudit_write_login_records($1_t)
application_exec_all($1_t)
-
@@ -149929,14 +150080,14 @@ index 4b2878a..917240b 100644
+ seutil_read_file_contexts($1_usertype)
+ seutil_read_default_contexts($1_usertype)
+ seutil_exec_setfiles($1_usertype)
-
-- seutil_read_config($1_t)
++
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
+ cups_stream_connect_ptal($1_usertype)
+ ')
-+
+
+- seutil_read_config($1_t)
+ optional_policy(`
+ kerberos_use($1_usertype)
+ kerberos_filetrans_home_content($1_usertype)
@@ -149973,7 +150124,7 @@ index 4b2878a..917240b 100644
')
')
-@@ -833,6 +1025,12 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1031,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -149986,14 +150137,13 @@ index 4b2878a..917240b 100644
##############################
#
# Local policy
-@@ -874,45 +1072,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -873,46 +1077,115 @@ template(`userdom_restricted_xwindows_user_template',`
+ # Local policy
#
- auth_role($1_r, $1_t)
+- auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
-+ auth_search_pam_console_data($1_usertype)
-+ auth_dontaudit_read_login_records($1_usertype)
-
+-
- dev_read_sound($1_t)
- dev_write_sound($1_t)
+ dev_read_sound($1_usertype)
@@ -150116,7 +150266,7 @@ index 4b2878a..917240b 100644
')
')
-@@ -947,7 +1218,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1220,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -150125,7 +150275,7 @@ index 4b2878a..917240b 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1227,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1229,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -150143,7 +150293,7 @@ index 4b2878a..917240b 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1252,60 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1254,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -150174,11 +150324,9 @@ index 4b2878a..917240b 100644
+
+ optional_policy(`
+ cdrecord_role($1_r, $1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ cron_role($1_r, $1_t)
+ ')
+
@@ -150201,9 +150349,11 @@ index 4b2878a..917240b 100644
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ wine_role_template($1, $1_r, $1_t)
+ ')
+
@@ -150213,7 +150363,7 @@ index 4b2878a..917240b 100644
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1314,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1316,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -150224,7 +150374,7 @@ index 4b2878a..917240b 100644
')
')
-@@ -1039,7 +1352,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1354,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -150233,7 +150383,7 @@ index 4b2878a..917240b 100644
')
##############################
-@@ -1066,6 +1379,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1381,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -150241,7 +150391,7 @@ index 4b2878a..917240b 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1388,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1390,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -150251,7 +150401,7 @@ index 4b2878a..917240b 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1405,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1407,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -150259,7 +150409,7 @@ index 4b2878a..917240b 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1423,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1425,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -150273,7 +150423,7 @@ index 4b2878a..917240b 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1440,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1442,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -150316,7 +150466,7 @@ index 4b2878a..917240b 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1481,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1483,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -150325,7 +150475,7 @@ index 4b2878a..917240b 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1542,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1544,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -150334,7 +150484,7 @@ index 4b2878a..917240b 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1556,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1558,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -150345,7 +150495,7 @@ index 4b2878a..917240b 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1569,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1571,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -150374,7 +150524,7 @@ index 4b2878a..917240b 100644
')
optional_policy(`
-@@ -1251,12 +1597,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1599,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -150390,7 +150540,7 @@ index 4b2878a..917240b 100644
')
optional_policy(`
-@@ -1279,11 +1625,60 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1627,66 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -150399,59 +150549,126 @@ index 4b2878a..917240b 100644
allow $1 user_home_t:filesystem associate;
files_type($1)
-+ ubac_constrained($1)
+- files_poly_member($1)
+ ubac_constrained($1)
+
- files_poly_member($1)
++ files_poly_member($1)
+ typeattribute $1 user_home_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow domain to attach to TUN devices created by administrative users.
+## Make the specified type usable in a
+## generic temporary directory.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <param name="type">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Type to be used as a file in the
+## generic temporary directory.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_attach_admin_tun_iface',`
+interface(`userdom_user_tmp_content',`
-+ gen_require(`
+ gen_require(`
+- attribute admindomain;
+ attribute user_tmp_type;
-+ ')
-+
+ ')
+
+- allow $1 admindomain:tun_socket relabelfrom;
+- allow $1 self:tun_socket relabelto;
+ typeattribute $1 user_tmp_type;
+
+ files_tmp_file($1)
+ ubac_constrained($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Set the attributes of a user pty.
++## Make the specified type usable in a
++## generic tmpfs_t directory.
+ ## </summary>
+-## <param name="domain">
++## <param name="type">
+ ## <summary>
+-## Domain allowed access.
++## Type to be used as a file in the
++## generic temporary directory.
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_setattr_user_ptys',`
++interface(`userdom_user_tmpfs_content',`
+ gen_require(`
+- type user_devpts_t;
++ attribute user_tmpfs_type;
+ ')
+
+- allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
++ typeattribute $1 user_tmpfs_type;
++
++ files_tmpfs_file($1)
++ ubac_constrained($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create a user pty.
++## Allow domain to attach to TUN devices created by administrative users.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1334,7 +1694,44 @@ interface(`userdom_setattr_user_ptys',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_create_user_pty',`
++interface(`userdom_attach_admin_tun_iface',`
++ gen_require(`
++ attribute admindomain;
++ ')
++
++ allow $1 admindomain:tun_socket relabelfrom;
++ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
-+## Make the specified type usable in a
-+## generic tmpfs_t directory.
++## Set the attributes of a user pty.
+## </summary>
-+## <param name="type">
++## <param name="domain">
+## <summary>
-+## Type to be used as a file in the
-+## generic temporary directory.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`userdom_user_tmpfs_content',`
++interface(`userdom_setattr_user_ptys',`
+ gen_require(`
-+ attribute user_tmpfs_type;
++ type user_devpts_t;
+ ')
+
-+ typeattribute $1 user_tmpfs_type;
++ allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
++')
+
-+ files_tmpfs_file($1)
- ubac_constrained($1)
- ')
-
-@@ -1395,11 +1790,31 @@ interface(`userdom_search_user_home_dirs',`
++########################################
++## <summary>
++## Create a user pty.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_create_user_pty',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+@@ -1395,11 +1792,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -150483,7 +150700,7 @@ index 4b2878a..917240b 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1441,6 +1856,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1858,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -150498,7 +150715,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -1456,9 +1879,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1881,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -150510,7 +150727,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -1515,6 +1940,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1942,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -150553,7 +150770,7 @@ index 4b2878a..917240b 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1589,6 +2050,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2052,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -150562,7 +150779,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -1603,10 +2066,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2068,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -150577,7 +150794,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -1649,6 +2114,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2116,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -150621,7 +150838,7 @@ index 4b2878a..917240b 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1668,6 +2170,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2172,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -150647,7 +150864,7 @@ index 4b2878a..917240b 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1698,14 +2219,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2221,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -150685,7 +150902,7 @@ index 4b2878a..917240b 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2259,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2261,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -150703,7 +150920,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -1779,6 +2325,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2327,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -150764,7 +150981,7 @@ index 4b2878a..917240b 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2410,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2412,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -150774,7 +150991,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -1827,21 +2426,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2428,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -150788,19 +151005,18 @@ index 4b2878a..917240b 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
## <summary>
- ## Do not audit attempts to execute user home files.
-@@ -1941,6 +2534,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2536,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
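Review bot: The `userdom_exec_user_home_content_files` section of the carried patch drops the tunable-gated `fs_exec_nfs_files($1)` and `fs_exec_cifs_files($1)` calls and grants execute over the whole `user_home_type` attribute, with nothing in the visible lines saying where NFS/CIFS home directories are handled now. The interface body starts before this hunk and the hunk mostly realigns the section, so the replacement may live elsewhere in the patch. A short comment above the `exec_files_pattern` line would make that checkable, for example `# NFS/CIFS home dir exec is covered by <interface or attribute name>, not by tunables here`. The added `dontaudit $1 user_home_type:sock_file execute;` suppresses denial records, so it also deserves a one-line reason naming the caller that triggers it.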
@@ -150825,7 +151041,7 @@ index 4b2878a..917240b 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2008,7 +2619,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2621,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -150834,7 +151050,7 @@ index 4b2878a..917240b 100644
files_search_home($1)
')
-@@ -2039,7 +2650,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2652,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -150843,7 +151059,7 @@ index 4b2878a..917240b 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2158,11 +2769,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2771,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -150858,7 +151074,7 @@ index 4b2878a..917240b 100644
files_search_tmp($1)
')
-@@ -2182,7 +2793,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2795,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -150867,7 +151083,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -2390,7 +3001,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +3003,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -150876,7 +151092,7 @@ index 4b2878a..917240b 100644
files_search_tmp($1)
')
-@@ -2419,6 +3030,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3032,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2)
')
@@ -150902,7 +151118,7 @@ index 4b2878a..917240b 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2435,13 +3065,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3067,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -150918,7 +151134,7 @@ index 4b2878a..917240b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,7 +3093,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3095,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -150927,7 +151143,7 @@ index 4b2878a..917240b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2470,14 +3101,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3103,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -150962,7 +151178,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -2572,7 +3219,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3221,7 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -150971,113 +151187,89 @@ index 4b2878a..917240b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2580,75 +3227,143 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,7 +3229,25 @@ interface(`userdom_use_user_ttys',`
## </summary>
## </param>
#
-interface(`userdom_use_user_ptys',`
+interface(`userdom_use_inherited_user_ttys',`
- gen_require(`
-- type user_devpts_t;
++ gen_require(`
+ type user_tty_device_t;
- ')
-
-- allow $1 user_devpts_t:chr_file rw_term_perms;
++ ')
++
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
- ')
++')
++
++########################################
++## <summary>
++## Read and write a user domain pty.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_use_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+@@ -2590,22 +3257,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
-## Read and write a user TTYs and PTYs.
-+## Read and write a user domain pty.
++## Read and write a inherited user domain pty.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_use_inherited_user_ptys',`
++ gen_require(`
++ type user_devpts_t;
++ ')
++
++ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++########################################
++## <summary>
++## Read and write a inherited user TTYs and PTYs.
## </summary>
--## <desc>
--## <p>
+ ## <desc>
+ ## <p>
-## Allow the specified domain to read and write user
--## TTYs and PTYs. This will allow the domain to
--## interact with the user via the terminal. Typically
--## all interactive applications will require this
--## access.
--## </p>
++## Allow the specified domain to read and write inherited user
+ ## TTYs and PTYs. This will allow the domain to
+ ## interact with the user via the terminal. Typically
+ ## all interactive applications will require this
+ ## access.
+ ## </p>
-## <p>
-## However, this also allows the applications to spy
-## on user sessions or inject information into the
-## user session. Thus, this access should likely
-## not be allowed for non-interactive domains.
-## </p>
--## </desc>
+ ## </desc>
## <param name="domain">
## <summary>
- ## Domain allowed access.
- ## </summary>
+@@ -2614,14 +3293,33 @@ interface(`userdom_use_user_ptys',`
## </param>
--## <infoflow type="both" weight="10"/>
+ ## <infoflow type="both" weight="10"/>
#
-interface(`userdom_use_user_terminals',`
-+interface(`userdom_use_user_ptys',`
++interface(`userdom_use_inherited_user_terminals',`
gen_require(`
-- type user_tty_device_t, user_devpts_t;
-+ type user_devpts_t;
+ type user_tty_device_t, user_devpts_t;
')
- allow $1 user_tty_device_t:chr_file rw_term_perms;
- allow $1 user_devpts_t:chr_file rw_term_perms;
+- allow $1 user_devpts_t:chr_file rw_term_perms;
- term_list_ptys($1)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to read and write
--## a user domain tty and pty.
-+## Read and write a inherited user domain pty.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`userdom_dontaudit_use_user_terminals',`
-+interface(`userdom_use_inherited_user_ptys',`
- gen_require(`
-- type user_tty_device_t, user_devpts_t;
-+ type user_devpts_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
-- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
-+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
- ')
-
- ########################################
- ## <summary>
--## Execute a shell in all user domains. This
--## is an explicit transition, requiring the
--## caller to use setexeccon().
-+## Read and write a inherited user TTYs and PTYs.
-+## </summary>
-+## <desc>
-+## <p>
-+## Allow the specified domain to read and write inherited user
-+## TTYs and PTYs. This will allow the domain to
-+## interact with the user via the terminal. Typically
-+## all interactive applications will require this
-+## access.
-+## </p>
-+## </desc>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <infoflow type="both" weight="10"/>
-+#
-+interface(`userdom_use_inherited_user_terminals',`
-+ gen_require(`
-+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
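Review bot: The description kept for `userdom_use_inherited_user_terminals` loses the paragraph warning that terminal access lets a domain spy on or inject into the user session, and nothing visible replaces it. Read and write on an inherited tty or pty still reaches the user's terminal, so the caveat seems worth keeping in reduced form, e.g. `## The domain can still read from and write to the terminal it inherits; avoid granting this to non-interactive domains.` Whether the re-added `userdom_use_user_terminals` keeps the original warning cannot be seen here, because its doc block falls between this hunk and the next. The new summaries also read `a inherited`, which should be `an inherited`.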
@@ -151100,24 +151292,15 @@ index 4b2878a..917240b 100644
+
+ allow $1 user_tty_device_t:chr_file rw_term_perms;
+ allow $1 user_devpts_t:chr_file rw_term_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to read and write
-+## a user domain tty and pty.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_dontaudit_use_user_terminals',`
-+ gen_require(`
-+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
+ ')
+
+ ########################################
+@@ -2640,8 +3338,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
+- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
@@ -151139,17 +151322,10 @@ index 4b2878a..917240b 100644
+ ')
+
+ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Execute a shell in all user domains. This
-+## is an explicit transition, requiring the
-+## caller to use setexeccon().
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2713,69 +3428,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+ ')
+
+ ########################################
+@@ -2713,69 +3430,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -151250,7 +151426,7 @@ index 4b2878a..917240b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2783,12 +3497,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2783,12 +3499,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -151265,7 +151441,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -2852,7 +3566,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3568,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -151274,7 +151450,7 @@ index 4b2878a..917240b 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3582,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3584,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -151308,7 +151484,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -2972,7 +3670,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3672,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -151317,7 +151493,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -3027,7 +3725,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3727,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -151364,7 +151540,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -3045,7 +3781,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3783,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -151373,7 +151549,7 @@ index 4b2878a..917240b 100644
')
########################################
-@@ -3064,6 +3800,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3802,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -151381,7 +151557,7 @@ index 4b2878a..917240b 100644
kernel_search_proc($1)
')
-@@ -3140,6 +3877,42 @@ interface(`userdom_signal_all_users',`
+@@ -3140,6 +3879,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -151424,7 +151600,7 @@ index 4b2878a..917240b 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3160,6 +3933,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3935,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -151449,7 +151625,7 @@ index 4b2878a..917240b 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3985,1292 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3987,1292 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 87d5518..18117b0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 124%{?dist}
+Release: 125%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,35 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed May 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-125
+- Fix pulseaudio port definition
+- Add labeling for condor_starter
+- Allow chfn_t to creat user_tmp_files
+- Allow chfn_t to execute bin_t
+- Allow prelink_cron_system_t to getpw calls
+- Allow sudo domains to manage kerberos rcache files
+- Allow user_mail_domains to work with courie
+- Port definitions necessary for running jboss apps within openshift
+- Add support for openstack-nova-metadata-api
+- Add support for nova-console*
+- Add support for openstack-nova-xvpvncproxy
+- Fixes to make privsep+SELinux working if we try to use chage to change passwd
+- Fix auth_role() interface
+- Allow numad to read sysfs
+- Allow matahari-rpcd to execute shell
+- Add label for ~/.spicec
+- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
+- Devicekit_disk wants to read the logind sessions file when writing a cd
+- Add fixes for condor to make condor jobs working correctly
+- Change label of /var/log/rpmpkgs to cron_log_t
+- Access requires to allow systemd-tmpfiles --create to work.
+- Fix obex to be a user application started by the session bus.
+- Add additional filename trans rules for kerberos
+- Fix /var/run/heartbeat labeling
+- Allow apps that are managing rcache to file trans correctly
+- Allow openvpn to authenticate against ldap server
+- Containers need to listen to network starting and stopping events
+
* Wed May 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-124
- Make systemd unit files less specific