[selinux-policy/f18] * Wed Nov 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-57 - Add support for 4567/tcp port - Ran

Miroslav Grepl mgrepl at fedoraproject.org
Wed Nov 28 20:18:46 UTC 2012


commit cde029087ef1c7bcea80e2212ad061e022a5ffe3
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Nov 28 21:17:29 2012 +0100

    * Wed Nov 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-57
    - Add support for 4567/tcp port
    - Random fixes from Tuomo Soini
    - xdm wants to get init status
    - Allow programs to run in fips_mode
    - Add interface to allow the reading of all blk device nodes
    - Allow init to relabel rpcbind sock_file
    - Fix labeling for lastlog and faillog related to logrotate
    - Allow aeolus_configserver to use TRAM port
    - Add fixes for aeolus_configserver
    - Allow snmpd to connect to snmp port
    - Allow spamd_update to create spamd_var_lib_t directories
    - Allow domains that can read sssd_public_t files to also list the directory
    - Remove miscfiles_read_localization, this is defined for all domains

 policy-rawhide.patch         |  799 ++++++++++++++++++++++++++++--------------
 policy_contrib-rawhide.patch |  530 ++++++++++++++++++++--------
 selinux-policy.spec          |   17 +-
 3 files changed, 929 insertions(+), 417 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 5ff6a43..20d327c 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -110904,10 +110904,10 @@ index 72bc6d8..ff164b3 100644
  optional_policy(`
  	seutil_sigchld_newrole(dmesg_t)
 diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
-index 407078f..56cc947 100644
+index 407078f..1a09bea 100644
 --- a/policy/modules/admin/netutils.fc
 +++ b/policy/modules/admin/netutils.fc
-@@ -1,15 +1,20 @@
+@@ -1,15 +1,22 @@
  /bin/ping.* 		--	gen_context(system_u:object_r:ping_exec_t,s0)
 -/bin/tracepath.*		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 +/bin/tracepath.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
@@ -110923,6 +110923,8 @@ index 407078f..56cc947 100644
  /usr/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
  
 -/usr/sbin/fping 	--	gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/lib/heartbeat/send_arp     --      gen_context(system_u:object_r:ping_exec_t,s0)
++
 +/usr/sbin/arping	--	gen_context(system_u:object_r:netutils_exec_t,s0)
 +/usr/sbin/fping.* 	--	gen_context(system_u:object_r:ping_exec_t,s0)
  /usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
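Review bot: The new `/usr/lib/heartbeat/send_arp` entry labels the helper `ping_exec_t`, while the corecommands.fc part of this same patch adds `/usr/lib/heartbeat(/.*)?` as `bin_t`, so the two specifications overlap and the intended label depends on the more specific expression winning. It is worth confirming the installed result with `matchpathcon /usr/lib/heartbeat/send_arp`, and stating in the changelog that send_arp is meant to run in the ping domain (presumably the reason for the label). The added line also separates its fields with spaces where the neighbouring entries use tabs.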
@@ -110993,7 +110995,7 @@ index c6ca761..0c86bfd 100644
  ')
  
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..f0c6208 100644
+index e0791b9..db9ddf7 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
 @@ -7,10 +7,10 @@ policy_module(netutils, 1.11.0)
@@ -111065,8 +111067,10 @@ index e0791b9..f0c6208 100644
 +
  dontaudit ping_t self:capability sys_tty_config;
  allow ping_t self:tcp_socket create_socket_perms;
- allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
- allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+-allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
++allow ping_t self:rawip_socket create_socket_perms;
++allow ping_t self:packet_socket create_socket_perms;
  allow ping_t self:netlink_route_socket create_netlink_socket_perms;
  
 -corenet_all_recvfrom_unlabeled(ping_t)
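Review bot: Replacing the explicit permission lists on `ping_t self:rawip_socket` and `ping_t self:packet_socket` with `create_socket_perms` widens what the domain may do on both socket classes; in refpolicy's permission sets that macro also carries getattr, setattr, append, connect and shutdown. The commit message does not say which denial prompted the change, so if only one or two permissions were missing it would be tighter to add just those to the existing braces. If the macro is kept, a comment above the two rules such as `# create_socket_perms: needed by <caller>, see <bug reference>` would record why a raw/packet-socket domain was broadened.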
@@ -112380,7 +112384,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..1d3222c 100644
+index db981df..ade50ce 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -112461,7 +112465,7 @@ index db981df..1d3222c 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -174,53 +184,79 @@ ifdef(`distro_gentoo',`
+@@ -174,53 +184,81 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -112521,6 +112525,7 @@ index db981df..1d3222c 100644
  /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/gimp/.*/plug-ins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/heartbeat(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/ipsec/.*		--	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -112533,13 +112538,17 @@ index db981df..1d3222c 100644
 -/usr/lib/nagios/plugins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/netsaint/plugins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/news/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/nspluginwrapper/np.*		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/pm-utils(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/nagios/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/netsaint/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/news/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/nspluginwrapper/np.*		gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/pm-utils(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nspluginwrapper/np.*	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ocf(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/portage/bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/pm-utils(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/readahead(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
@@ -112558,7 +112567,7 @@ index db981df..1d3222c 100644
  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -235,10 +271,15 @@ ifdef(`distro_gentoo',`
+@@ -235,10 +273,15 @@ ifdef(`distro_gentoo',`
  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -112574,7 +112583,7 @@ index db981df..1d3222c 100644
  /usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +292,17 @@ ifdef(`distro_gentoo',`
+@@ -251,11 +294,17 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -112596,7 +112605,7 @@ index db981df..1d3222c 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,6 +318,10 @@ ifdef(`distro_gentoo',`
+@@ -271,6 +320,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -112607,11 +112616,14 @@ index db981df..1d3222c 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -290,15 +341,19 @@ ifdef(`distro_gentoo',`
+@@ -289,16 +342,21 @@ ifdef(`distro_gentoo',`
+ /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall6?/configpath	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/shorewall/getparams  --  gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall6?/wait4ifup --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
@@ -112628,7 +112640,7 @@ index db981df..1d3222c 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +369,12 @@ ifdef(`distro_redhat', `
+@@ -314,8 +372,12 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -112641,7 +112653,7 @@ index db981df..1d3222c 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +384,11 @@ ifdef(`distro_redhat', `
+@@ -325,9 +387,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -112653,7 +112665,7 @@ index db981df..1d3222c 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +437,14 @@ ifdef(`distro_suse', `
+@@ -376,11 +440,14 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -112669,7 +112681,7 @@ index db981df..1d3222c 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +454,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +457,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -114336,7 +114348,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..a12a577 100644
+index fe2ee5e..651978f 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
@@ -114467,7 +114479,7 @@ index fe2ee5e..a12a577 100644
  network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
-@@ -123,103 +163,137 @@ network_port(hadoop_datanode, tcp,50010,s0)
+@@ -123,104 +163,139 @@ network_port(hadoop_datanode, tcp,50010,s0)
  network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
@@ -114622,9 +114634,11 @@ index fe2ee5e..a12a577 100644
 +network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9051,s0)
 +network_port(tor_socks, tcp,9050,s0)
  network_port(traceroute, udp,64000-64010,s0)
++network_port(tram, tcp, 4567, s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -228,9 +302,12 @@ network_port(uucpd, tcp,540,s0)
+ network_port(utcpserver) # no defined portcon
+@@ -228,9 +303,12 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
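Review bot: Giving 4567/tcp its own `tram` port type means the port presumably stops matching the generic unreserved port type, so any confined domain that was binding or connecting to 4567/tcp through a generic-port rule will need an explicit tram rule after the update. The changelog names only aeolus_configserver; it is worth checking for other users of this port before shipping and noting the intended consumer next to the declaration, for example `# 4567/tcp: TRAM, used by aeolus_configserver`. The added line also writes `tcp, 4567, s0` with spaces where the adjacent declarations use the `tcp,8081,s0` form.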
@@ -114638,7 +114652,7 @@ index fe2ee5e..a12a577 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -242,17 +319,22 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -242,17 +320,22 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -114663,7 +114677,7 @@ index fe2ee5e..a12a577 100644
  
  ########################################
  #
-@@ -297,9 +379,22 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -297,9 +380,22 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -114790,7 +114804,7 @@ index 02b7ac1..b30f7b8 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index d820975..6a4d016 100644
+index d820975..a8b5aa9 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -115026,7 +115040,34 @@ index d820975..6a4d016 100644
  ')
  
  ########################################
-@@ -1034,6 +1143,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
+@@ -1003,6 +1112,26 @@ interface(`dev_getattr_all_blk_files',`
+ 
+ ########################################
+ ## <summary>
++##	Read on all block file device nodes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`dev_read_all_blk_files',`
++	gen_require(`
++		attribute device_node;
++		type device_t;
++	')
++
++	read_blk_files_pattern($1, device_t, device_node)
++')
++
++########################################
++## <summary>
+ ##	Dontaudit getattr on all block file device nodes.
+ ## </summary>
+ ## <param name="domain">
+@@ -1034,6 +1163,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
  interface(`dev_getattr_all_chr_files',`
  	gen_require(`
  		attribute device_node;
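Review bot: The new `dev_read_all_blk_files` interface grants read on every block node carrying the `device_node` attribute, which would include fixed-disk nodes, and reading a raw disk sidesteps the per-file labels of the filesystems it holds. The summary `Read on all block file device nodes.` gives no hint of that; I would reword it to `Read all block device nodes (raw contents, bypassing file labels).` and keep the list of callers short. The changelog does not name the domain that needs this, so it cannot be judged from this hunk whether a narrower interface for one device type would be enough.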
@@ -115034,7 +115075,7 @@ index d820975..6a4d016 100644
  	')
  
  	getattr_chr_files_pattern($1, device_t, device_node)
-@@ -1206,6 +1316,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1206,6 +1336,42 @@ interface(`dev_create_all_chr_files',`
  
  ########################################
  ## <summary>
@@ -115077,7 +115118,7 @@ index d820975..6a4d016 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -1663,6 +1809,26 @@ interface(`dev_filetrans_cardmgr',`
+@@ -1663,6 +1829,26 @@ interface(`dev_filetrans_cardmgr',`
  
  ########################################
  ## <summary>
@@ -115104,7 +115145,7 @@ index d820975..6a4d016 100644
  ##	Get the attributes of the CPU
  ##	microcode and id interfaces.
  ## </summary>
-@@ -1772,6 +1938,24 @@ interface(`dev_rw_crypto',`
+@@ -1772,6 +1958,24 @@ interface(`dev_rw_crypto',`
  	rw_chr_files_pattern($1, device_t, crypt_device_t)
  ')
  
@@ -115129,48 +115170,259 @@ index d820975..6a4d016 100644
  #######################################
  ## <summary>
  ##	Set the attributes of the dlm control devices.
-@@ -2383,7 +2567,97 @@ interface(`dev_filetrans_lirc',`
+@@ -2383,7 +2587,7 @@ interface(`dev_filetrans_lirc',`
  
  ########################################
  ## <summary>
 -##	Get the attributes of the lvm comtrol device.
 +##	Get the attributes of the loop comtrol device.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2391,17 +2595,17 @@ interface(`dev_filetrans_lirc',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_getattr_lvm_control',`
 +interface(`dev_getattr_loop_control',`
-+	gen_require(`
+ 	gen_require(`
+-		type device_t, lvm_control_t;
++		type device_t, loop_control_device_t;
+ 	')
+ 
+-	getattr_chr_files_pattern($1, device_t, lvm_control_t)
++	getattr_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read the lvm comtrol device.
++##	Read the loop comtrol device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2409,17 +2613,17 @@ interface(`dev_getattr_lvm_control',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_read_lvm_control',`
++interface(`dev_read_loop_control',`
+ 	gen_require(`
+-		type device_t, lvm_control_t;
++		type device_t, loop_control_device_t;
+ 	')
+ 
+-	read_chr_files_pattern($1, device_t, lvm_control_t)
++	read_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write the lvm control device.
++##	Read and write the loop control device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2427,17 +2631,17 @@ interface(`dev_read_lvm_control',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_lvm_control',`
++interface(`dev_rw_loop_control',`
+ 	gen_require(`
+-		type device_t, lvm_control_t;
 +		type device_t, loop_control_device_t;
+ 	')
+ 
+-	rw_chr_files_pattern($1, device_t, lvm_control_t)
++	rw_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read and write lvm control device.
++##	Do not audit attempts to read and write loop control device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2445,17 +2649,17 @@ interface(`dev_rw_lvm_control',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_rw_lvm_control',`
++interface(`dev_dontaudit_rw_loop_control',`
+ 	gen_require(`
+-		type lvm_control_t;
++		type loop_control_device_t;
+ 	')
+ 
+-	dontaudit $1 lvm_control_t:chr_file rw_file_perms;
++	dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete the lvm control device.
++##	Delete the loop control device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2463,35 +2667,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_delete_lvm_control_dev',`
++interface(`dev_delete_loop_control_dev',`
+ 	gen_require(`
+-		type device_t, lvm_control_t;
++		type device_t, loop_control_device_t;
+ 	')
+ 
+-	delete_chr_files_pattern($1, device_t, lvm_control_t)
++	delete_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	dontaudit getattr raw memory devices (e.g. /dev/mem).
++##	Get the attributes of the loop comtrol device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_getattr_memory_dev',`
++interface(`dev_getattr_lvm_control',`
+ 	gen_require(`
+-		type memory_device_t;
++		type device_t, lvm_control_t;
+ 	')
+ 
+-	dontaudit $1 memory_device_t:chr_file getattr;
++	getattr_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read raw memory devices (e.g. /dev/mem).
++##	Read the lvm comtrol device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2499,62 +2703,53 @@ interface(`dev_dontaudit_getattr_memory_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_read_raw_memory',`
++interface(`dev_read_lvm_control',`
+ 	gen_require(`
+-		type device_t, memory_device_t;
+-		attribute memory_raw_read;
++		type device_t, lvm_control_t;
+ 	')
+ 
+-	read_chr_files_pattern($1, device_t, memory_device_t)
+-
+-	allow $1 self:capability sys_rawio;
+-	typeattribute $1 memory_raw_read;
++	read_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read raw memory devices
+-##	(e.g. /dev/mem).
++##	Read and write the lvm control device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_read_raw_memory',`
++interface(`dev_rw_lvm_control',`
+ 	gen_require(`
+-		type memory_device_t;
++		type device_t, lvm_control_t;
+ 	')
+ 
+-	dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
++	rw_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write raw memory devices (e.g. /dev/mem).
++##	Do not audit attempts to read and write lvm control device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_write_raw_memory',`
++interface(`dev_dontaudit_rw_lvm_control',`
+ 	gen_require(`
+-		type device_t, memory_device_t;
+-		attribute memory_raw_write;
++		type lvm_control_t;
+ 	')
+ 
+-	write_chr_files_pattern($1, device_t, memory_device_t)
+-
+-	allow $1 self:capability sys_rawio;
+-	typeattribute $1 memory_raw_write;
++	dontaudit $1 lvm_control_t:chr_file rw_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and execute raw memory devices (e.g. /dev/mem).
++##	Delete the lvm control device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2562,7 +2757,106 @@ interface(`dev_write_raw_memory',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rx_raw_memory',`
++interface(`dev_delete_lvm_control_dev',`
++	gen_require(`
++		type device_t, lvm_control_t;
 +	')
 +
-+	getattr_chr_files_pattern($1, device_t, loop_control_device_t)
++	delete_chr_files_pattern($1, device_t, lvm_control_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read the loop comtrol device.
++##	dontaudit getattr raw memory devices (e.g. /dev/mem).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_read_loop_control',`
++interface(`dev_dontaudit_getattr_memory_dev',`
 +	gen_require(`
-+		type device_t, loop_control_device_t;
++		type memory_device_t;
 +	')
 +
-+	read_chr_files_pattern($1, device_t, loop_control_device_t)
++	dontaudit $1 memory_device_t:chr_file getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write the loop control device.
++##	Read raw memory devices (e.g. /dev/mem).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
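Review bot: After this regenerated hunk the summary above `dev_getattr_lvm_control` still reads `Get the attributes of the loop comtrol device.`, although the interface grants getattr on `lvm_control_t`; the text looks copied from the new loop-control interface. It should read `##	Get the attributes of the lvm control device.`, and the same `comtrol` misspelling appears in the summaries of `dev_getattr_loop_control`, `dev_read_loop_control` and `dev_read_lvm_control`. Wrong summaries on device interfaces make it easy to pick the wrong one when writing a module. The hunk otherwise appears only to re-align the inner diff (the raw-memory interfaces show up as removed and re-added), so the net policy looks unchanged, though that cannot be confirmed from the hunk alone.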
@@ -115178,17 +115430,22 @@ index d820975..6a4d016 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_loop_control',`
++interface(`dev_read_raw_memory',`
 +	gen_require(`
-+		type device_t, loop_control_device_t;
++		type device_t, memory_device_t;
++		attribute memory_raw_read;
 +	')
 +
-+	rw_chr_files_pattern($1, device_t, loop_control_device_t)
++	read_chr_files_pattern($1, device_t, memory_device_t)
++
++	allow $1 self:capability sys_rawio;
++	typeattribute $1 memory_raw_read;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to read and write loop control device.
++##	Do not audit attempts to read raw memory devices
++##	(e.g. /dev/mem).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -115196,17 +115453,17 @@ index d820975..6a4d016 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_rw_loop_control',`
++interface(`dev_dontaudit_read_raw_memory',`
 +	gen_require(`
-+		type loop_control_device_t;
++		type memory_device_t;
 +	')
 +
-+	dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
++	dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Delete the loop control device.
++##	Write raw memory devices (e.g. /dev/mem).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -115214,21 +115471,33 @@ index d820975..6a4d016 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_delete_loop_control_dev',`
++interface(`dev_write_raw_memory',`
 +	gen_require(`
-+		type device_t, loop_control_device_t;
++		type device_t, memory_device_t;
++		attribute memory_raw_write;
 +	')
 +
-+	delete_chr_files_pattern($1, device_t, loop_control_device_t)
++	write_chr_files_pattern($1, device_t, memory_device_t)
++
++	allow $1 self:capability sys_rawio;
++	typeattribute $1 memory_raw_write;
 +')
 +
 +########################################
 +## <summary>
-+##	Get the attributes of the loop comtrol device.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2706,7 +2980,7 @@ interface(`dev_write_misc',`
++##	Read and execute raw memory devices (e.g. /dev/mem).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rx_raw_memory',`
+ 	gen_require(`
+ 		type device_t, memory_device_t;
+ 	')
+@@ -2706,7 +3000,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -115237,7 +115506,7 @@ index d820975..6a4d016 100644
  ##	</summary>
  ## </param>
  #
-@@ -2956,8 +3230,8 @@ interface(`dev_dontaudit_write_mtrr',`
+@@ -2956,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',`
  		type mtrr_device_t;
  	')
  
@@ -115248,79 +115517,55 @@ index d820975..6a4d016 100644
  ')
  
  ########################################
-@@ -3125,45 +3399,81 @@ interface(`dev_create_null_dev',`
+@@ -3125,6 +3419,42 @@ interface(`dev_create_null_dev',`
  
  ########################################
  ## <summary>
--##	Do not audit attempts to get the attributes
--##	of the BIOS non-volatile RAM device.
 +##	Get the status of a null device service.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_dontaudit_getattr_nvram_dev',`
++##	</summary>
++## </param>
++#
 +interface(`dev_service_status_null_dev',`
- 	gen_require(`
--		type nvram_device_t;
++	gen_require(`
 +		type null_device_t;
- 	')
- 
--	dontaudit $1 nvram_device_t:chr_file getattr;
++	')
++
 +	allow $1 null_device_t:service status;
- ')
- 
- ########################################
- ## <summary>
--##	Read and write BIOS non-volatile RAM.
++')
++
++########################################
++## <summary>
 +##	Configure null_device as a unit files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain allowed to transition.
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_nvram',`
-+interface(`dev_config_null_dev_service',`
- 	gen_require(`
--		type nvram_device_t;
-+		type null_device_t;
- 	')
- 
--	rw_chr_files_pattern($1, device_t, nvram_device_t)
-+	allow $1 null_device_t:service manage_service_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of the printer device nodes.
--## </summary>
-+##	Do not audit attempts to get the attributes
-+##	of the BIOS non-volatile RAM device.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_getattr_nvram_dev',`
++interface(`dev_config_null_dev_service',`
 +	gen_require(`
-+		type nvram_device_t;
++		type null_device_t;
 +	')
 +
-+	dontaudit $1 nvram_device_t:chr_file getattr;
++	allow $1 null_device_t:service manage_service_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write BIOS non-volatile RAM.
+ ##	Do not audit attempts to get the attributes
+ ##	of the BIOS non-volatile RAM device.
+ ## </summary>
+@@ -3235,7 +3565,25 @@ interface(`dev_rw_printer',`
+ 
+ ########################################
+ ## <summary>
+-##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
++##	Relabel the printer device node.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
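Review bot: The parameter description of `dev_config_null_dev_service` says `Domain allowed to transition.`, but the interface body only allows `null_device_t:service manage_service_perms` and involves no transition. I would change the description to `Domain allowed access.` and the summary to `Configure the null device as a unit file.`, so the generated interface documentation states what access is actually granted. The neighbouring `dev_service_status_null_dev` already uses the correct parameter wording.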
@@ -115328,66 +115573,38 @@ index d820975..6a4d016 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_nvram',`
++interface(`dev_relabel_printer',`
 +	gen_require(`
-+		type nvram_device_t;
++		type printer_device_t;
 +	')
 +
-+	rw_chr_files_pattern($1, device_t, nvram_device_t)
++	allow $1 printer_device_t:chr_file relabel_chr_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Get the attributes of the printer device nodes.
-+## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
-@@ -3235,7 +3545,7 @@ interface(`dev_rw_printer',`
- 
- ########################################
- ## <summary>
--##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
-+##	Relabel the printer device node.
++##	Read and write the printer device.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3243,12 +3553,31 @@ interface(`dev_rw_printer',`
+@@ -3243,12 +3591,13 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
 -interface(`dev_read_printk',`
-+interface(`dev_relabel_printer',`
++interface(`dev_manage_printer',`
  	gen_require(`
 -		type device_t, printk_device_t;
-+		type printer_device_t;
++		type device_t, printer_device_t;
  	')
  
 -	read_chr_files_pattern($1, device_t, printk_device_t)
-+	allow $1 printer_device_t:chr_file relabel_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read and write the printer device.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_manage_printer',`
-+	gen_require(`
-+		type device_t, printer_device_t;
-+	')
-+
 +	manage_chr_files_pattern($1, device_t, printer_device_t)
 +	dev_filetrans_printer_named_dev($1)
  ')
  
  ########################################
-@@ -3836,6 +4165,42 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3836,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
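Review bot: `dev_manage_printer` is documented as `Read and write the printer device.`, yet its body calls `manage_chr_files_pattern` and `dev_filetrans_printer_named_dev`, which by their names grant node management and a named type transition rather than plain I/O. The summary should say so, e.g. `Create, read, write, and delete the printer device.`, so that callers needing only I/O keep using `dev_rw_printer`. In the same place the inner diff replaces the `dev_read_printk` definition; whether that interface is re-added elsewhere in the patch is not visible in this hunk and is worth checking.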
@@ -115430,7 +115647,7 @@ index d820975..6a4d016 100644
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3885,6 +4250,7 @@ interface(`dev_list_sysfs',`
+@@ -3885,6 +4270,7 @@ interface(`dev_list_sysfs',`
  		type sysfs_t;
  	')
  
@@ -115438,7 +115655,7 @@ index d820975..6a4d016 100644
  	list_dirs_pattern($1, sysfs_t, sysfs_t)
  ')
  
-@@ -3927,23 +4293,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3927,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -115492,7 +115709,7 @@ index d820975..6a4d016 100644
  ########################################
  ## <summary>
  ##	Read hardware state information.
-@@ -3997,6 +4389,62 @@ interface(`dev_rw_sysfs',`
+@@ -3997,6 +4409,62 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -115555,7 +115772,7 @@ index d820975..6a4d016 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4094,6 +4542,25 @@ interface(`dev_write_urand',`
+@@ -4094,6 +4562,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -115581,7 +115798,7 @@ index d820975..6a4d016 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4128,6 +4595,24 @@ interface(`dev_setattr_generic_usb_dev',`
+@@ -4128,6 +4615,24 @@ interface(`dev_setattr_generic_usb_dev',`
  	setattr_chr_files_pattern($1, device_t, usb_device_t)
  ')
  
@@ -115606,7 +115823,7 @@ index d820975..6a4d016 100644
  ########################################
  ## <summary>
  ##	Read generic the USB devices.
-@@ -4520,6 +5005,24 @@ interface(`dev_rw_vhost',`
+@@ -4520,6 +5025,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -115631,7 +115848,7 @@ index d820975..6a4d016 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4725,6 +5228,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4725,6 +5248,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -115658,7 +115875,7 @@ index d820975..6a4d016 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4814,3 +5337,917 @@ interface(`dev_unconfined',`
+@@ -4814,3 +5357,917 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -116798,10 +117015,10 @@ index 6a1e4d1..eee8419 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..2cb854a 100644
+index cf04cb5..dde12bc 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
-@@ -4,6 +4,21 @@ policy_module(domain, 1.11.0)
+@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
  #
  # Declarations
  #
@@ -116815,6 +117032,14 @@ index cf04cb5..2cb854a 100644
 +
 +## <desc>
 +## <p>
++## Allow all domains to execute in fips_mode
++## </p>
++## </desc>
++#
++gen_tunable(fips_mode, true)
++
++## <desc>
++## <p>
 +## Allow all domains to have the kernel load modules
 +## </p>
 +## </desc>
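Review bot: The new `fips_mode` tunable is declared with a default of `true`, so every rule later placed under it is active for all domains on a stock install, not only on hosts that actually run in FIPS mode. The description "Allow all domains to execute in fips_mode" does not say which permissions the boolean controls. I would name them, e.g. `## Allow all domains to manage their own fifo files, read kernel sysctls and execute prelink, as required when running in FIPS mode`. If default-on is intentional, a one-line comment above `gen_tunable(fips_mode, true)` giving the reason would help administrators who audit booleans.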
@@ -116823,7 +117048,7 @@ index cf04cb5..2cb854a 100644
  
  ## <desc>
  ## <p>
-@@ -86,23 +101,43 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +109,43 @@ neverallow ~{ domain unlabeled_t } *:process *;
  allow domain self:dir list_dir_perms;
  allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
  allow domain self:file rw_file_perms;
@@ -116868,7 +117093,7 @@ index cf04cb5..2cb854a 100644
  
  ifdef(`hide_broken_symptoms',`
  	# This check is in the general socket
-@@ -121,8 +156,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +164,18 @@ tunable_policy(`global_ssp',`
  ')
  
  optional_policy(`
@@ -116887,7 +117112,7 @@ index cf04cb5..2cb854a 100644
  ')
  
  optional_policy(`
-@@ -133,6 +178,8 @@ optional_policy(`
+@@ -133,6 +186,8 @@ optional_policy(`
  optional_policy(`
  	xserver_dontaudit_use_xdm_fds(domain)
  	xserver_dontaudit_rw_xdm_pipes(domain)
@@ -116896,7 +117121,7 @@ index cf04cb5..2cb854a 100644
  ')
  
  ########################################
-@@ -147,12 +194,18 @@ optional_policy(`
+@@ -147,12 +202,18 @@ optional_policy(`
  # Use/sendto/connectto sockets created by any domain.
  allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
  
@@ -116916,7 +117141,7 @@ index cf04cb5..2cb854a 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +219,262 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,274 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -117179,6 +117404,18 @@ index cf04cb5..2cb854a 100644
 +')
 +
 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
++
++
++tunable_policy(`fips_mode',`
++	allow domain self:fifo_file manage_fifo_file_perms;
++	kernel_read_kernel_sysctls(domain)
++')
++
++optional_policy(`
++	tunable_policy(`fips_mode',`
++		prelink_exec(domain)
++	')
++')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
 index 8796ca3..c2055b3 100644
 --- a/policy/modules/kernel/files.fc
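Review bot: `prelink_exec(domain)` and `allow domain self:fifo_file manage_fifo_file_perms;` are granted on the `domain` attribute, so they reach every confined process, and `fips_mode` is declared with default `true` elsewhere in this patch, which makes them active unless the boolean is turned off. Nothing in the block records why each permission is needed. A comment such as `# required by the FIPS integrity self-check (author to confirm which step needs each rule)` would make the grant reviewable. If the pipe is only read and written, `rw_fifo_file_perms` is a narrower set than `manage_fifo_file_perms`. This is presumably enough for a pipe to a child process, but that cannot be confirmed from this hunk.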
@@ -127151,7 +127388,7 @@ index fe0c682..6395fe1 100644
 +	allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..b027591 100644
+index b17e27a..3354b8f 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
@@ -127486,7 +127723,18 @@ index b17e27a..b027591 100644
  ')
  
  optional_policy(`
-@@ -283,6 +332,28 @@ optional_policy(`
+@@ -273,6 +322,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	munin_read_var_lib_files(sshd_t)
++')
++
++optional_policy(`
+ 	rpm_use_script_fds(sshd_t)
+ ')
+ 
+@@ -283,6 +336,28 @@ optional_policy(`
  ')
  
  optional_policy(`
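Review bot: `munin_read_var_lib_files(sshd_t)` gives the network-facing sshd domain read access to munin's var_lib files, with no comment saying what sshd needs there. If the purpose is to let sshd read an authorized_keys file under the munin account's home directory (a guess; the changelog only says "Random fixes"), state it above the call, e.g. `# munin account home is under munin var_lib; sshd reads its authorized_keys`. If that is the use case, a dedicated label on that `.ssh` directory would be tighter than read access to the whole type.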
@@ -127515,7 +127763,7 @@ index b17e27a..b027591 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -290,6 +361,29 @@ optional_policy(`
+@@ -290,6 +365,29 @@ optional_policy(`
  	xserver_domtrans_xauth(sshd_t)
  ')
  
@@ -127545,7 +127793,7 @@ index b17e27a..b027591 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -298,19 +392,26 @@ optional_policy(`
+@@ -298,19 +396,26 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -127573,7 +127821,7 @@ index b17e27a..b027591 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -327,9 +428,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -327,9 +432,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -127587,7 +127835,7 @@ index b17e27a..b027591 100644
  ')
  
  optional_policy(`
-@@ -339,3 +442,121 @@ optional_policy(`
+@@ -339,3 +446,121 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -129197,7 +129445,7 @@ index 130ced9..a75282a 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..4734bb3 100644
+index d40f750..b89d276 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -129753,7 +130001,7 @@ index d40f750..4734bb3 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +619,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +619,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -129779,6 +130027,7 @@ index d40f750..4734bb3 100644
  init_telinit(xdm_t)
 +init_dbus_chat(xdm_t)
 +init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
++init_status(xdm_t)
 +
 +systemd_write_inhibit_pipes(xdm_t)
  
@@ -129798,7 +130047,7 @@ index d40f750..4734bb3 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -129848,7 +130097,7 @@ index d40f750..4734bb3 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +712,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -129875,7 +130124,7 @@ index d40f750..4734bb3 100644
  ')
  
  optional_policy(`
-@@ -514,12 +739,71 @@ optional_policy(`
+@@ -514,12 +740,71 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129947,7 +130196,7 @@ index d40f750..4734bb3 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +821,74 @@ optional_policy(`
+@@ -537,28 +822,74 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130031,7 +130280,7 @@ index d40f750..4734bb3 100644
  ')
  
  optional_policy(`
-@@ -570,6 +900,14 @@ optional_policy(`
+@@ -570,6 +901,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130046,7 +130295,7 @@ index d40f750..4734bb3 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +932,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +933,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -130059,7 +130308,7 @@ index d40f750..4734bb3 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +949,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -130075,7 +130324,7 @@ index d40f750..4734bb3 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +976,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -130097,7 +130346,7 @@ index d40f750..4734bb3 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +996,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +997,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -130111,7 +130360,7 @@ index d40f750..4734bb3 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1022,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1023,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -130143,7 +130392,7 @@ index d40f750..4734bb3 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1054,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1055,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -130157,7 +130406,7 @@ index d40f750..4734bb3 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1073,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1074,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -130181,7 +130430,7 @@ index d40f750..4734bb3 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1138,40 @@ optional_policy(`
+@@ -775,16 +1139,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130223,7 +130472,7 @@ index d40f750..4734bb3 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1180,10 @@ optional_policy(`
+@@ -793,6 +1181,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130234,7 +130483,7 @@ index d40f750..4734bb3 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1199,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -130248,7 +130497,7 @@ index d40f750..4734bb3 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1210,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -130257,7 +130506,7 @@ index d40f750..4734bb3 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1223,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1224,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -130292,7 +130541,7 @@ index d40f750..4734bb3 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1245,10 @@ optional_policy(`
+@@ -859,6 +1246,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -130303,7 +130552,7 @@ index d40f750..4734bb3 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1292,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1293,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -130312,7 +130561,7 @@ index d40f750..4734bb3 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1346,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1347,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -130344,7 +130593,7 @@ index d40f750..4734bb3 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1392,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1393,44 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -130525,7 +130774,7 @@ index c6fdab7..0118d30 100644
  	cron_sigchld(application_domain_type)
  ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..300fec0 100644
+index 28ad538..ffa1f8f 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
 @@ -1,14 +1,25 @@
@@ -130585,7 +130834,7 @@ index 28ad538..300fec0 100644
  
  /var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
  
-@@ -30,6 +52,8 @@ ifdef(`distro_gentoo', `
+@@ -30,20 +52,24 @@ ifdef(`distro_gentoo', `
  
  /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
@@ -130594,8 +130843,13 @@ index 28ad538..300fec0 100644
  
  /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
  /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
-@@ -39,11 +63,13 @@ ifdef(`distro_gentoo', `
- /var/log/tallylog	--	gen_context(system_u:object_r:faillog_t,s0)
+-/var/log/faillog	--	gen_context(system_u:object_r:faillog_t,s0)
+-/var/log/lastlog	--	gen_context(system_u:object_r:lastlog_t,s0)
++/var/log/faillog.*	--	gen_context(system_u:object_r:faillog_t,s0)
++/var/log/lastlog.*	--	gen_context(system_u:object_r:lastlog_t,s0)
+ /var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
+-/var/log/tallylog	--	gen_context(system_u:object_r:faillog_t,s0)
++/var/log/tallylog.*	--	gen_context(system_u:object_r:faillog_t,s0)
  /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
  
 +/var/lib/rsa(/.*)? 		gen_context(system_u:object_r:var_auth_t,s0)
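Review bot: The new patterns `/var/log/faillog.*`, `/var/log/lastlog.*` and `/var/log/tallylog.*` end in `.*`, which also matches `/`. They therefore cover any regular file under a path that merely begins with one of these prefixes, not just rotated copies. logging.fc in this same patch uses `[^/]*` for rotated logs (`/var/log/messages[^/]*`). The same form here, e.g. `/var/log/lastlog[^/]*	--	gen_context(system_u:object_r:lastlog_t,s0)`, would keep the login-record labels to files directly in /var/log. The neighbouring btmp and wtmp entries already use `.*`, so this may be a deliberate convention for this file.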
@@ -133468,7 +133722,7 @@ index d26fe81..95c1bd8 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..e9fb239 100644
+index 4a88fa1..d164f2b 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -133890,11 +134144,12 @@ index 4a88fa1..e9fb239 100644
  ')
  
  optional_policy(`
-@@ -213,6 +447,26 @@ optional_policy(`
+@@ -213,6 +447,27 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	rpcbind_filetrans_named_content(init_t)
++	rpcbind_relabel_sock_file(init_t)
 +')
 +
 +optional_policy(`
@@ -133917,7 +134172,7 @@ index 4a88fa1..e9fb239 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -222,8 +476,9 @@ optional_policy(`
+@@ -222,8 +477,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -133929,7 +134184,7 @@ index 4a88fa1..e9fb239 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -251,12 +506,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +507,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -133946,7 +134201,7 @@ index 4a88fa1..e9fb239 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +531,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +532,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -133989,7 +134244,7 @@ index 4a88fa1..e9fb239 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,6 +568,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,6 +569,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -133997,7 +134252,7 @@ index 4a88fa1..e9fb239 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -306,8 +579,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +580,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -134008,7 +134263,7 @@ index 4a88fa1..e9fb239 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -315,17 +590,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +591,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -134028,7 +134283,7 @@ index 4a88fa1..e9fb239 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -333,6 +607,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +608,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -134036,7 +134291,7 @@ index 4a88fa1..e9fb239 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -340,8 +615,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +616,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -134048,7 +134303,7 @@ index 4a88fa1..e9fb239 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -357,8 +634,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +635,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -134062,7 +134317,7 @@ index 4a88fa1..e9fb239 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -368,9 +649,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +650,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -134076,7 +134331,7 @@ index 4a88fa1..e9fb239 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -380,6 +664,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +665,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -134084,7 +134339,7 @@ index 4a88fa1..e9fb239 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -391,6 +676,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +677,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -134092,7 +134347,7 @@ index 4a88fa1..e9fb239 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -409,20 +695,18 @@ logging_read_all_logs(initrc_t)
+@@ -409,20 +696,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -134116,7 +134371,7 @@ index 4a88fa1..e9fb239 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +760,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +761,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -134127,7 +134382,7 @@ index 4a88fa1..e9fb239 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -496,7 +784,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +785,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -134136,7 +134391,7 @@ index 4a88fa1..e9fb239 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -511,6 +799,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +800,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -134144,7 +134399,7 @@ index 4a88fa1..e9fb239 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -531,6 +820,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +821,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -134152,7 +134407,7 @@ index 4a88fa1..e9fb239 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +830,40 @@ ifdef(`distro_redhat',`
+@@ -540,8 +831,40 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -134193,7 +134448,7 @@ index 4a88fa1..e9fb239 100644
  	')
  
  	optional_policy(`
-@@ -549,14 +871,31 @@ ifdef(`distro_redhat',`
+@@ -549,14 +872,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -134225,7 +134480,7 @@ index 4a88fa1..e9fb239 100644
  	')
  ')
  
-@@ -567,6 +906,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +907,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -134265,7 +134520,7 @@ index 4a88fa1..e9fb239 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +951,8 @@ optional_policy(`
+@@ -579,6 +952,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -134274,7 +134529,7 @@ index 4a88fa1..e9fb239 100644
  ')
  
  optional_policy(`
-@@ -600,6 +974,7 @@ optional_policy(`
+@@ -600,6 +975,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -134282,7 +134537,7 @@ index 4a88fa1..e9fb239 100644
  ')
  
  optional_policy(`
-@@ -612,6 +987,17 @@ optional_policy(`
+@@ -612,6 +988,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134300,7 +134555,7 @@ index 4a88fa1..e9fb239 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -628,9 +1014,13 @@ optional_policy(`
+@@ -628,9 +1015,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -134314,7 +134569,7 @@ index 4a88fa1..e9fb239 100644
  	')
  
  	optional_policy(`
-@@ -655,6 +1045,10 @@ optional_policy(`
+@@ -655,6 +1046,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134325,7 +134580,7 @@ index 4a88fa1..e9fb239 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -672,6 +1066,15 @@ optional_policy(`
+@@ -672,6 +1067,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134341,7 +134596,7 @@ index 4a88fa1..e9fb239 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -712,6 +1115,7 @@ optional_policy(`
+@@ -712,6 +1116,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -134349,7 +134604,7 @@ index 4a88fa1..e9fb239 100644
  ')
  
  optional_policy(`
-@@ -729,7 +1133,14 @@ optional_policy(`
+@@ -729,7 +1134,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134364,7 +134619,7 @@ index 4a88fa1..e9fb239 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -752,6 +1163,10 @@ optional_policy(`
+@@ -752,6 +1164,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134375,7 +134630,7 @@ index 4a88fa1..e9fb239 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -761,10 +1176,20 @@ optional_policy(`
+@@ -761,10 +1177,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134396,7 +134651,7 @@ index 4a88fa1..e9fb239 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -773,6 +1198,10 @@ optional_policy(`
+@@ -773,6 +1199,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134407,7 +134662,7 @@ index 4a88fa1..e9fb239 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -794,8 +1223,6 @@ optional_policy(`
+@@ -794,8 +1224,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -134416,7 +134671,7 @@ index 4a88fa1..e9fb239 100644
  ')
  
  optional_policy(`
-@@ -804,6 +1231,10 @@ optional_policy(`
+@@ -804,6 +1232,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134427,7 +134682,7 @@ index 4a88fa1..e9fb239 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -813,10 +1244,12 @@ optional_policy(`
+@@ -813,10 +1245,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -134440,7 +134695,7 @@ index 4a88fa1..e9fb239 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1261,6 @@ optional_policy(`
+@@ -828,8 +1262,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134449,7 +134704,7 @@ index 4a88fa1..e9fb239 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_pid_dirs(initrc_t)
  	udev_manage_rules_files(initrc_t)
-@@ -840,12 +1271,30 @@ optional_policy(`
+@@ -840,12 +1272,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134482,7 +134737,7 @@ index 4a88fa1..e9fb239 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1304,18 @@ optional_policy(`
+@@ -855,6 +1305,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -134501,7 +134756,7 @@ index 4a88fa1..e9fb239 100644
  ')
  
  optional_policy(`
-@@ -870,6 +1331,10 @@ optional_policy(`
+@@ -870,6 +1332,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134512,7 +134767,7 @@ index 4a88fa1..e9fb239 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -880,3 +1345,185 @@ optional_policy(`
+@@ -880,3 +1346,185 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -135054,7 +135309,7 @@ index c42fbc3..7071460 100644
  ## <summary>
  ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 0646ee7..f0e41a1 100644
+index 0646ee7..da1337a 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -5,26 +5,27 @@ policy_module(iptables, 1.13.0)
@@ -135110,17 +135365,18 @@ index 0646ee7..f0e41a1 100644
  kernel_request_load_module(iptables_t)
  kernel_read_system_state(iptables_t)
  kernel_read_network_state(iptables_t)
-@@ -64,6 +66,9 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,6 +66,10 @@ corenet_relabelto_all_packets(iptables_t)
  corenet_dontaudit_rw_tun_tap_dev(iptables_t)
  
  dev_read_sysfs(iptables_t)
++dev_read_urand(iptables_t)
 +ifdef(`hide_broken_symptoms',`
 +	dev_dontaudit_write_mtrr(iptables_t)
 +')
  
  fs_getattr_xattr_fs(iptables_t)
  fs_search_auto_mountpoints(iptables_t)
-@@ -72,11 +77,13 @@ fs_list_inotifyfs(iptables_t)
+@@ -72,11 +78,13 @@ fs_list_inotifyfs(iptables_t)
  mls_file_read_all_levels(iptables_t)
  
  term_dontaudit_use_console(iptables_t)
@@ -135135,7 +135391,7 @@ index 0646ee7..f0e41a1 100644
  
  auth_use_nsswitch(iptables_t)
  
-@@ -85,15 +92,16 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +93,16 @@ init_use_script_ptys(iptables_t)
  # to allow rules to be saved on reboot:
  init_rw_script_tmp_files(iptables_t)
  init_rw_script_stream_sockets(iptables_t)
@@ -135155,7 +135411,7 @@ index 0646ee7..f0e41a1 100644
  userdom_use_all_users_fds(iptables_t)
  
  ifdef(`hide_broken_symptoms',`
-@@ -102,6 +110,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +111,8 @@ ifdef(`hide_broken_symptoms',`
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
@@ -135164,7 +135420,7 @@ index 0646ee7..f0e41a1 100644
  ')
  
  optional_policy(`
-@@ -110,7 +120,8 @@ optional_policy(`
+@@ -110,7 +121,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135174,7 +135430,7 @@ index 0646ee7..f0e41a1 100644
  ')
  
  optional_policy(`
-@@ -124,6 +135,7 @@ optional_policy(`
+@@ -124,6 +136,7 @@ optional_policy(`
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -135182,7 +135438,7 @@ index 0646ee7..f0e41a1 100644
  ')
  
  optional_policy(`
-@@ -137,6 +149,7 @@ optional_policy(`
+@@ -137,6 +150,7 @@ optional_policy(`
  optional_policy(`
  	shorewall_read_tmp_files(iptables_t)
  	shorewall_rw_lib_files(iptables_t)
@@ -136040,10 +136296,15 @@ index 9fd5be7..7e2a02e 100644
 -	nscd_socket_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..ca96e28 100644
+index 02f4c97..70248c6 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -6,6 +6,8 @@
+@@ -2,10 +2,13 @@
+ 
+ /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
++/etc/rsyslog.d(/.*)?		gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
  /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
  
@@ -136052,7 +136313,7 @@ index 02f4c97..ca96e28 100644
  /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
  /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
  /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
-@@ -17,12 +19,25 @@
+@@ -17,12 +20,25 @@
  /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  
@@ -136079,7 +136340,7 @@ index 02f4c97..ca96e28 100644
  
  /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
  /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -34,11 +49,10 @@ ifdef(`distro_suse', `
+@@ -34,11 +50,10 @@ ifdef(`distro_suse', `
  
  /var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
  /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
@@ -136092,7 +136353,7 @@ index 02f4c97..ca96e28 100644
  /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/secure[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/cron[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -46,6 +60,8 @@ ifdef(`distro_suse', `
+@@ -46,6 +61,8 @@ ifdef(`distro_suse', `
  /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
  /var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
@@ -136101,7 +136362,7 @@ index 02f4c97..ca96e28 100644
  
  ifndef(`distro_gentoo',`
  /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -54,6 +70,7 @@ ifndef(`distro_gentoo',`
+@@ -54,6 +71,7 @@ ifndef(`distro_gentoo',`
  ifdef(`distro_redhat',`
  /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
  /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
@@ -136109,7 +136370,7 @@ index 02f4c97..ca96e28 100644
  ')
  
  /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-@@ -66,11 +83,16 @@ ifdef(`distro_redhat',`
+@@ -66,11 +84,16 @@ ifdef(`distro_redhat',`
  /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
  /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
  /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -136527,7 +136788,7 @@ index 321bb13..0c0933b 100644
 +	init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 0034021..5f3ec55 100644
+index 0034021..c62bd95 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.19.0)
@@ -136726,7 +136987,15 @@ index 0034021..5f3ec55 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -377,6 +414,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -369,6 +406,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ 
+ allow syslogd_t syslog_conf_t:file read_file_perms;
++allow syslogd_t syslog_conf_t:dir list_dir_perms;
+ 
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+@@ -377,6 +415,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  # create/append log files.
  manage_files_pattern(syslogd_t, var_log_t, var_log_t)
  rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -136734,7 +137003,7 @@ index 0034021..5f3ec55 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,22 +424,35 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -386,22 +425,35 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -136771,7 +137040,7 @@ index 0034021..5f3ec55 100644
  corenet_all_recvfrom_netlabel(syslogd_t)
  corenet_udp_sendrecv_generic_if(syslogd_t)
  corenet_udp_sendrecv_generic_node(syslogd_t)
-@@ -427,10 +478,28 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,10 +479,28 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -136800,7 +137069,7 @@ index 0034021..5f3ec55 100644
  
  files_read_etc_files(syslogd_t)
  files_read_usr_files(syslogd_t)
-@@ -441,14 +510,18 @@ files_dontaudit_search_isid_type_dirs(syslogd_t)
+@@ -441,14 +511,18 @@ files_dontaudit_search_isid_type_dirs(syslogd_t)
  files_read_kernel_symbol_table(syslogd_t)
  
  fs_getattr_all_fs(syslogd_t)
@@ -136819,7 +137088,7 @@ index 0034021..5f3ec55 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -460,8 +533,8 @@ init_use_fds(syslogd_t)
+@@ -460,11 +534,11 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -136828,8 +137097,12 @@ index 0034021..5f3ec55 100644
 -miscfiles_read_localization(syslogd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
- userdom_dontaudit_search_user_home_dirs(syslogd_t)
-@@ -493,15 +566,36 @@ optional_policy(`
+-userdom_dontaudit_search_user_home_dirs(syslogd_t)
++userdom_search_user_home_dirs(syslogd_t)
+ 
+ ifdef(`distro_gentoo',`
+ 	# default gentoo syslog-ng config appends kernel
+@@ -493,15 +567,36 @@ optional_policy(`
  ')
  
  optional_policy(`
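Review bot: Replacing `userdom_dontaudit_search_user_home_dirs(syslogd_t)` with `userdom_search_user_home_dirs(syslogd_t)` in logging.te turns a silenced denial into a real grant for the syslog daemon, and the new line has no comment saying why. If a specific configuration needs it (the hunk does not say which), I would add a why-comment such as `# syslogd must traverse user home dirs for <reason>`, or put the grant behind a tunable so the default stays at dontaudit. The syslogd_t section continues outside the hunk.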
@@ -136866,7 +137139,7 @@ index 0034021..5f3ec55 100644
  ')
  
  optional_policy(`
-@@ -512,3 +606,24 @@ optional_policy(`
+@@ -512,3 +607,24 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index f6c69e1..b25450f 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -1,8 +1,8 @@
 diff --git a/abrt.fc b/abrt.fc
-index 1bd5812..b5fe639 100644
+index 1bd5812..ad5baf5 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,12 +1,16 @@
+@@ -1,20 +1,37 @@
  /etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
  /etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
  
@@ -22,7 +22,9 @@ index 1bd5812..b5fe639 100644
  
  /var/cache/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
  /var/cache/abrt-di(/.*)?		gen_context(system_u:object_r:abrt_var_cache_t,s0)
-@@ -15,6 +19,19 @@
+ 
+-/var/log/abrt-logger		--	gen_context(system_u:object_r:abrt_var_log_t,s0)
++/var/log/abrt-logger.*		--	gen_context(system_u:object_r:abrt_var_log_t,s0)
  
  /var/run/abrt\.pid		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
  /var/run/abrtd?\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -1759,10 +1761,45 @@ index 446ee16..2346f65 100644
  /var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
  /var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)
 diff --git a/amavis.if b/amavis.if
-index e31d92a..1aa0718 100644
+index e31d92a..5cb091a 100644
 --- a/amavis.if
 +++ b/amavis.if
-@@ -202,6 +202,7 @@ interface(`amavis_create_pid_files',`
+@@ -57,6 +57,7 @@ interface(`amavis_read_spool_files',`
+ 
+ 	files_search_spool($1)
+ 	read_files_pattern($1, amavis_spool_t, amavis_spool_t)
++	allow $1 amavis_spool_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+@@ -150,6 +151,26 @@ interface(`amavis_read_lib_files',`
+ 
+ ########################################
+ ## <summary>
++##	Read and write amavis lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`amavis_rw_lib_files',`
++	gen_require(`
++		type amavis_var_lib_t;
++	')
++
++	rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
++	allow $1 amavis_var_lib_t:dir list_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete
+ ##	amavis lib files.
+ ## </summary>
+@@ -202,6 +223,7 @@ interface(`amavis_create_pid_files',`
  		type amavis_var_run_t;
  	')
  
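Review bot: Adding `allow $1 amavis_spool_t:dir list_dir_perms;` to `amavis_read_spool_files` widens the interface for every domain that already calls it (clamd_t does, in the clamav.te part of this patch). The interface summary sits above the hunk and presumably still describes only reading files, so I would update it to mention listing the spool directory. In the new `amavis_rw_lib_files`, `files_search_var_lib($1)` comes last, whereas `amavis_read_spool_files` puts `files_search_spool($1)` first; matching that order keeps the file consistent.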
@@ -1770,7 +1807,7 @@ index e31d92a..1aa0718 100644
  	allow $1 amavis_var_run_t:file create_file_perms;
  	files_search_pids($1)
  ')
-@@ -231,9 +232,13 @@ interface(`amavis_admin',`
+@@ -231,9 +253,13 @@ interface(`amavis_admin',`
  		type amavis_initrc_exec_t;
  	')
  
@@ -1786,7 +1823,7 @@ index e31d92a..1aa0718 100644
   	domain_system_change_exemption($1)
   	role_transition $2 amavis_initrc_exec_t system_r;
 diff --git a/amavis.te b/amavis.te
-index 505309b..209a2ba 100644
+index 505309b..58c37b3 100644
 --- a/amavis.te
 +++ b/amavis.te
 @@ -5,6 +5,13 @@ policy_module(amavis, 1.14.0)
@@ -1834,7 +1871,17 @@ index 505309b..209a2ba 100644
  
  # var/lib files for amavis
  manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
-@@ -107,7 +116,6 @@ kernel_dontaudit_read_system_state(amavis_t)
+@@ -98,16 +107,15 @@ manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+ files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
+ 
+ kernel_read_kernel_sysctls(amavis_t)
++kernel_read_system_state(amavis_t)
+ # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
+ kernel_dontaudit_list_proc(amavis_t)
+ kernel_dontaudit_read_proc_symlinks(amavis_t)
+-kernel_dontaudit_read_system_state(amavis_t)
+ 
+ # find perl
  corecmd_exec_bin(amavis_t)
  corecmd_exec_shell(amavis_t)
  
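Review bot: The new `kernel_read_system_state(amavis_t)` sits above the comment `# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...`, which was written to justify silencing those accesses, while `kernel_dontaudit_list_proc(amavis_t)` and `kernel_dontaudit_read_proc_symlinks(amavis_t)` are kept. As far as I recall, `kernel_read_system_state` already allows listing /proc and reading its symlinks, so the two dontaudit lines look redundant and the comment is now misleading. I would drop them, or reword the comment to say that reading /proc state is intentionally allowed. The same pairing is introduced for `freshclam_t` and `clamscan_t` in the later clamav.te hunks, where `kernel_dontaudit_list_proc(...)` is added directly next to `kernel_read_system_state(...)`.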
@@ -2082,10 +2129,10 @@ index 0000000..feabdf3
 +        files_getattr_all_sockets(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index fd9fa07..3a26b0f 100644
+index fd9fa07..12398f6 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,20 +1,36 @@
+@@ -1,20 +1,37 @@
  HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess	--	gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
@@ -2097,6 +2144,7 @@ index fd9fa07..3a26b0f 100644
 +/etc/cherokee(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/owncloud/config\.php	--	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/horde(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
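Review bot: The added `/etc/horde(/.*)?` entry labels the whole Horde configuration tree `httpd_sys_rw_content_t`, so the web server domain can rewrite any file under it, not only the ones the application has to update. The owncloud entry just above limits the writable label to `config\.php`. I would do the same here: keep the directory at a read-only type such as `httpd_sys_content_t` and list the writable files individually. Which files Horde actually writes is not visible in this hunk, so that list needs confirming.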
@@ -2123,7 +2171,7 @@ index fd9fa07..3a26b0f 100644
  
  /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -22,20 +38,25 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -22,20 +39,25 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
  /usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
  /usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  
@@ -2156,7 +2204,7 @@ index fd9fa07..3a26b0f 100644
  /usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
  /usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
  
-@@ -43,8 +64,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +65,9 @@ ifdef(`distro_suse', `
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
@@ -2168,7 +2216,7 @@ index fd9fa07..3a26b0f 100644
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,9 +76,13 @@ ifdef(`distro_suse', `
+@@ -54,9 +77,13 @@ ifdef(`distro_suse', `
  /usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -2182,7 +2230,7 @@ index fd9fa07..3a26b0f 100644
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,31 +99,50 @@ ifdef(`distro_suse', `
+@@ -73,31 +100,50 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -2218,7 +2266,7 @@ index fd9fa07..3a26b0f 100644
 +/var/log/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/z-push(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/z-push(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
  ')
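Review bot: Relabelling `/var/log/z-push(/.*)?` from `httpd_log_t` to `httpd_sys_rw_content_t` gives the web server domain read/write access to its own log directory, while the other `/var/log/...` entries in this block keep `httpd_log_t`. If z-push needs more than the access `httpd_log_t` provides, a comment next to the entry should say so. Otherwise I would keep `httpd_log_t`, so that a compromised web application cannot rewrite or truncate these logs. The permissions httpd holds on `httpd_log_t` are defined outside this hunk.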
@@ -2238,7 +2286,7 @@ index fd9fa07..3a26b0f 100644
  
  /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +154,26 @@ ifdef(`distro_debian', `
+@@ -109,3 +155,26 @@ ifdef(`distro_debian', `
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -9247,9 +9295,16 @@ index 8e1ef38..08b238c 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ciped_t)
 diff --git a/clamav.fc b/clamav.fc
-index e8e9a21..22986ef 100644
+index e8e9a21..9c47777 100644
 --- a/clamav.fc
 +++ b/clamav.fc
+@@ -1,5 +1,5 @@
+ /etc/clamav(/.*)?			gen_context(system_u:object_r:clamd_etc_t,s0)
+-/etc/rc\.d/init\.d/clamd-wrapper --	gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/clamd.*	--	gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+ 
+ /usr/bin/clamscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
+ /usr/bin/clamdscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
 @@ -8,9 +8,13 @@
  /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
  /usr/sbin/clamav-milter		--	gen_context(system_u:object_r:clamd_exec_t,s0)
@@ -9400,7 +9455,7 @@ index bbac14a..99c5cca 100644
 +
  ')
 diff --git a/clamav.te b/clamav.te
-index a10350e..c67bb4d 100644
+index a10350e..a28f16e 100644
 --- a/clamav.te
 +++ b/clamav.te
 @@ -1,9 +1,23 @@
@@ -9493,7 +9548,7 @@ index a10350e..c67bb4d 100644
  files_read_etc_runtime_files(clamd_t)
  files_search_spool(clamd_t)
  
-@@ -125,15 +145,6 @@ auth_use_nsswitch(clamd_t)
+@@ -125,30 +145,51 @@ auth_use_nsswitch(clamd_t)
  
  logging_send_syslog_msg(clamd_t)
  
@@ -9509,7 +9564,9 @@ index a10350e..c67bb4d 100644
  optional_policy(`
  	amavis_read_lib_files(clamd_t)
  	amavis_read_spool_files(clamd_t)
-@@ -142,13 +153,43 @@ optional_policy(`
+-	amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
++	amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
+ 	amavis_create_pid_files(clamd_t)
  ')
  
  optional_policy(`
@@ -9554,7 +9611,7 @@ index a10350e..c67bb4d 100644
  ')
  
  ########################################
-@@ -178,17 +219,26 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,17 +219,27 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
  
  # log files (own logfiles only)
  manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -9565,6 +9622,7 @@ index a10350e..c67bb4d 100644
  logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
  
 -corenet_all_recvfrom_unlabeled(freshclam_t)
++kernel_dontaudit_list_proc(freshclam_t)
 +kernel_read_kernel_sysctls(freshclam_t)
 +kernel_read_network_state(freshclam_t)
 +kernel_read_system_state(freshclam_t)
@@ -9584,11 +9642,12 @@ index a10350e..c67bb4d 100644
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -196,27 +246,31 @@ dev_read_urand(freshclam_t)
+@@ -196,27 +247,32 @@ dev_read_urand(freshclam_t)
  
  domain_use_interactive_fds(freshclam_t)
  
 -files_read_etc_files(freshclam_t)
++files_search_var_lib(freshclam_t)
  files_read_etc_runtime_files(freshclam_t)
 +files_read_usr_files(freshclam_t)
  
@@ -9623,7 +9682,7 @@ index a10350e..c67bb4d 100644
  ########################################
  #
  # clamscam local policy
-@@ -242,15 +296,38 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +298,39 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
  manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
  allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
  
@@ -9631,6 +9690,7 @@ index a10350e..c67bb4d 100644
 +read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
 +allow clamscan_t clamd_var_run_t:dir list_dir_perms;
 +
++kernel_dontaudit_list_proc(clamscan_t)
 +kernel_read_system_state(clamscan_t)
 +
  corenet_all_recvfrom_netlabel(clamscan_t)
@@ -9663,7 +9723,7 @@ index a10350e..c67bb4d 100644
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -259,15 +336,15 @@ files_search_var_lib(clamscan_t)
+@@ -259,15 +339,15 @@ files_search_var_lib(clamscan_t)
  init_read_utmp(clamscan_t)
  init_dontaudit_write_utmp(clamscan_t)
  
@@ -14069,10 +14129,10 @@ index b357856..2a711bd 100644
 +')
 diff --git a/ctdbd.fc b/ctdbd.fc
 new file mode 100644
-index 0000000..2db6b61
+index 0000000..255568d
 --- /dev/null
 +++ b/ctdbd.fc
-@@ -0,0 +1,18 @@
+@@ -0,0 +1,19 @@
 +
 +/etc/rc\.d/init\.d/ctdb	--	gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
 +
@@ -14080,7 +14140,8 @@ index 0000000..2db6b61
 +
 +/usr/sbin/ctdbd			--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
 +
-+/var/log/log\.ctdb		--	gen_context(system_u:object_r:ctdbd_log_t,s0)
++/var/log/log\.ctdb.*		--	gen_context(system_u:object_r:ctdbd_log_t,s0)
++/var/log/ctdb\.log.*        --  gen_context(system_u:object_r:ctdbd_log_t,s0)
 +
 +/var/spool/ctdb(/.*)?		gen_context(system_u:object_r:ctdbd_spool_t,s0)
 +
@@ -14668,7 +14729,7 @@ index 305ddf4..f3cd95f 100644
 +	corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
  ')
 diff --git a/cups.te b/cups.te
-index e5a8924..9d4c4e0 100644
+index e5a8924..d999430 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -14784,20 +14845,21 @@ index e5a8924..9d4c4e0 100644
  # invoking ghostscript needs to read fonts
  miscfiles_read_fonts(cupsd_t)
  miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-@@ -270,12 +281,6 @@ files_dontaudit_list_home(cupsd_t)
+@@ -269,12 +280,7 @@ sysnet_exec_ifconfig(cupsd_t)
+ files_dontaudit_list_home(cupsd_t)
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_user_home_content(cupsd_t)
- 
+-
 -# Write to /var/spool/cups.
 -lpd_manage_spool(cupsd_t)
 -lpd_read_config(cupsd_t)
 -lpd_exec_lpr(cupsd_t)
 -lpd_relabel_spool(cupsd_t)
--
++userdom_search_admin_dir(cupsd_t)
+ 
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
- ')
-@@ -287,6 +292,8 @@ optional_policy(`
+@@ -287,6 +293,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
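Review bot: `userdom_search_admin_dir(cupsd_t)` is added directly after three home-directory `dontaudit` rules for cupsd_t, with no comment explaining why the print daemon needs to traverse the administrator's home directory. If the access is only incidental probing, a dontaudit rule would match the neighbouring lines. If it is required, I would add a why-comment such as `# cupsd reads <path> under the admin home dir` above it. The cupsd_t section starts and ends outside the hunk.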
@@ -14806,7 +14868,7 @@ index e5a8924..9d4c4e0 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -297,8 +304,10 @@ optional_policy(`
+@@ -297,8 +305,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -14817,7 +14879,7 @@ index e5a8924..9d4c4e0 100644
  	')
  ')
  
-@@ -311,10 +320,23 @@ optional_policy(`
+@@ -311,10 +321,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14841,7 +14903,7 @@ index e5a8924..9d4c4e0 100644
  	mta_send_mail(cupsd_t)
  ')
  
-@@ -322,6 +344,8 @@ optional_policy(`
+@@ -322,6 +345,8 @@ optional_policy(`
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
@@ -14850,7 +14912,7 @@ index e5a8924..9d4c4e0 100644
  ')
  
  optional_policy(`
-@@ -341,7 +365,7 @@ optional_policy(`
+@@ -341,7 +366,7 @@ optional_policy(`
  # Cups configuration daemon local policy
  #
  
@@ -14859,7 +14921,7 @@ index e5a8924..9d4c4e0 100644
  dontaudit cupsd_config_t self:capability sys_tty_config;
  allow cupsd_config_t self:process { getsched signal_perms };
  allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -371,8 +395,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +396,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -14870,7 +14932,7 @@ index e5a8924..9d4c4e0 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -381,7 +406,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+@@ -381,7 +407,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
  kernel_read_system_state(cupsd_config_t)
  kernel_read_all_sysctls(cupsd_config_t)
  
@@ -14878,7 +14940,7 @@ index e5a8924..9d4c4e0 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -407,7 +431,6 @@ domain_use_interactive_fds(cupsd_config_t)
+@@ -407,7 +432,6 @@ domain_use_interactive_fds(cupsd_config_t)
  domain_dontaudit_search_all_domains_state(cupsd_config_t)
  
  files_read_usr_files(cupsd_config_t)
@@ -14886,7 +14948,7 @@ index e5a8924..9d4c4e0 100644
  files_read_etc_runtime_files(cupsd_config_t)
  files_read_var_symlinks(cupsd_config_t)
  
-@@ -418,18 +441,15 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -418,18 +442,15 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -14907,7 +14969,7 @@ index e5a8924..9d4c4e0 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +473,10 @@ optional_policy(`
+@@ -453,6 +474,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14918,7 +14980,7 @@ index e5a8924..9d4c4e0 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +491,10 @@ optional_policy(`
+@@ -467,6 +492,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14929,7 +14991,7 @@ index e5a8924..9d4c4e0 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -526,7 +554,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
+@@ -526,7 +555,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
  kernel_read_network_state(cupsd_lpd_t)
  
@@ -14937,7 +14999,7 @@ index e5a8924..9d4c4e0 100644
  corenet_all_recvfrom_netlabel(cupsd_lpd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
  corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
-@@ -537,19 +564,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,19 +565,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
  corenet_tcp_bind_generic_node(cupsd_lpd_t)
  corenet_udp_bind_generic_node(cupsd_lpd_t)
  corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -14958,7 +15020,7 @@ index e5a8924..9d4c4e0 100644
  miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
  
  cups_stream_connect(cupsd_lpd_t)
-@@ -577,7 +603,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
+@@ -577,7 +604,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -14966,7 +15028,7 @@ index e5a8924..9d4c4e0 100644
  files_read_usr_files(cups_pdf_t)
  
  corecmd_exec_shell(cups_pdf_t)
-@@ -585,25 +610,23 @@ corecmd_exec_bin(cups_pdf_t)
+@@ -585,25 +611,23 @@ corecmd_exec_bin(cups_pdf_t)
  
  auth_use_nsswitch(cups_pdf_t)
  
@@ -15001,7 +15063,7 @@ index e5a8924..9d4c4e0 100644
  ')
  
  ########################################
-@@ -635,9 +658,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+@@ -635,9 +659,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
  read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
  files_search_etc(hplip_t)
  
@@ -15018,7 +15080,7 @@ index e5a8924..9d4c4e0 100644
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
  files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
  
-@@ -647,7 +677,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -647,7 +678,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
  kernel_read_system_state(hplip_t)
  kernel_read_kernel_sysctls(hplip_t)
  
@@ -15029,7 +15091,7 @@ index e5a8924..9d4c4e0 100644
  corenet_all_recvfrom_netlabel(hplip_t)
  corenet_tcp_sendrecv_generic_if(hplip_t)
  corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -661,10 +693,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +694,10 @@ corenet_tcp_bind_generic_node(hplip_t)
  corenet_udp_bind_generic_node(hplip_t)
  corenet_tcp_bind_hplip_port(hplip_t)
  corenet_tcp_connect_hplip_port(hplip_t)
@@ -15043,7 +15105,7 @@ index e5a8924..9d4c4e0 100644
  
  dev_read_sysfs(hplip_t)
  dev_rw_printer(hplip_t)
-@@ -673,31 +705,34 @@ dev_read_rand(hplip_t)
+@@ -673,31 +706,34 @@ dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
  dev_rw_usbfs(hplip_t)
  
@@ -15089,7 +15151,7 @@ index e5a8924..9d4c4e0 100644
  
  optional_policy(`
  	dbus_system_bus_client(hplip_t)
-@@ -743,7 +778,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,7 +779,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -15097,7 +15159,7 @@ index e5a8924..9d4c4e0 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,13 +794,10 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -760,13 +795,10 @@ fs_search_auto_mountpoints(ptal_t)
  
  domain_use_interactive_fds(ptal_t)
  
@@ -16597,7 +16659,7 @@ index 9af85c8..5483806 100644
 +/var/run/udisks.*			gen_context(system_u:object_r:devicekit_var_run_t,s0)
  /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff --git a/devicekit.if b/devicekit.if
-index f706b99..aa049fc 100644
+index f706b99..3b4f593 100644
 --- a/devicekit.if
 +++ b/devicekit.if
 @@ -20,6 +20,24 @@ interface(`devicekit_domtrans',`
@@ -16884,8 +16946,8 @@ index f706b99..aa049fc 100644
 +	')
 +
 +	files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
-+	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
-+	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
++	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
++	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/devicekit.te b/devicekit.te
 index 1819518..1363f96 100644
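Review bot: The two `logging_log_filetrans($1, devicekit_var_log_t, file, ...)` lines are now active, but the interface's `gen_require` block is above the hunk, so it is not visible whether `devicekit_var_log_t` is required there. If it is missing, add `type devicekit_var_log_t;` to that block. It would also be worth confirming that devicekit.fc labels `pm-powersave.log` and `pm-suspend.log` with the same type, so that a relabel and the named transition agree.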
@@ -30242,10 +30304,10 @@ index 0000000..562d25b
 +')
 diff --git a/l2tpd.te b/l2tpd.te
 new file mode 100644
-index 0000000..363eeba
+index 0000000..1e292d4
 --- /dev/null
 +++ b/l2tpd.te
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,99 @@
 +policy_module(l2tpd, 1.0.0)
 +
 +########################################
@@ -30321,6 +30383,7 @@ index 0000000..363eeba
 +
 +term_use_ptmx(l2tpd_t)
 +term_use_generic_ptys(l2tpd_t)
++term_setattr_generic_ptys(l2tpd_t)
 +
 +# prol2tpc
 +corecmd_exec_bin(l2tpd_t)
@@ -35087,6 +35150,17 @@ index 0cdea57..321a21a 100644
  ')
  
  optional_policy(`
+diff --git a/mrtg.fc b/mrtg.fc
+index 37fb953..7e9773a 100644
+--- a/mrtg.fc
++++ b/mrtg.fc
+@@ -14,5 +14,6 @@
+ #
+ /var/lib/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_var_lib_t,s0)
+ /var/lock/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_lock_t,s0)
++/var/lock/mrtg-rrd(/.*)?	gen_context(system_u:object_r:mrtg_lock_t,s0)
+ /var/log/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_log_t,s0)
+ /var/run/mrtg\.pid		gen_context(system_u:object_r:mrtg_var_run_t,s0)
 diff --git a/mrtg.te b/mrtg.te
 index 0e19d80..c203717 100644
 --- a/mrtg.te
@@ -36338,7 +36412,7 @@ index fd71d69..5987e1c 100644
  /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
  /var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
 diff --git a/munin.if b/munin.if
-index c358d8f..3cd66f7 100644
+index c358d8f..1cc176c 100644
 --- a/munin.if
 +++ b/munin.if
 @@ -13,10 +13,11 @@
@@ -36385,7 +36459,7 @@ index c358d8f..3cd66f7 100644
  ')
  
  #######################################
-@@ -88,10 +80,28 @@ interface(`munin_read_config',`
+@@ -88,12 +80,50 @@ interface(`munin_read_config',`
  
  	allow $1 munin_etc_t:dir list_dir_perms;
  	allow $1 munin_etc_t:file read_file_perms;
@@ -36394,6 +36468,26 @@ index c358d8f..3cd66f7 100644
  	files_search_etc($1)
  ')
  
+ #######################################
+ ## <summary>
++##	Read munin library files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`munin_read_var_lib_files',`
++	gen_require(`
++		type munin_var_lib_t;
++	')
++
++	files_search_var_lib($1)	
++	read_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
++
++')
++
 +######################################
 +## <summary>
 +##	dontaudit read and write an leaked file descriptors
@@ -36412,10 +36506,12 @@ index c358d8f..3cd66f7 100644
 +	dontaudit $1 munin_t:tcp_socket { read write };
 +')
 +
- #######################################
- ## <summary>
++#######################################
++## <summary>
  ##	Append to the munin log.
-@@ -172,12 +182,14 @@ interface(`munin_admin',`
+ ## </summary>
+ ## <param name="domain">
+@@ -172,12 +202,14 @@ interface(`munin_admin',`
  	gen_require(`
  		type munin_t, munin_etc_t, munin_tmp_t;
  		type munin_log_t, munin_var_lib_t, munin_var_run_t;
@@ -36434,7 +36530,7 @@ index c358d8f..3cd66f7 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index f17583b..022bd91 100644
+index f17583b..dad742b 100644
 --- a/munin.te
 +++ b/munin.te
 @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -36541,7 +36637,7 @@ index f17583b..022bd91 100644
  allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -190,15 +203,14 @@ corecmd_exec_shell(disk_munin_plugin_t)
+@@ -190,15 +203,15 @@ corecmd_exec_shell(disk_munin_plugin_t)
  
  corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
  
@@ -36554,13 +36650,14 @@ index f17583b..022bd91 100644
 +dev_getattr_lvm_control(disk_munin_plugin_t)
  dev_read_sysfs(disk_munin_plugin_t)
  dev_read_urand(disk_munin_plugin_t)
++dev_read_all_blk_files(munin_disk_plugin_t)
  
 -storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
 +storage_raw_read_fixed_disk(disk_munin_plugin_t)
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -221,30 +233,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -221,30 +234,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
  dev_read_urand(mail_munin_plugin_t)
  
@@ -36614,7 +36711,7 @@ index f17583b..022bd91 100644
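Review bot: `dev_read_all_blk_files(munin_disk_plugin_t)` names a different type from every other rule in this section, which all use `disk_munin_plugin_t`. Unless `munin_disk_plugin_t` is declared or aliased elsewhere in the policy (not visible here), the line either fails to build or does not grant what was intended; I would write `dev_read_all_blk_files(disk_munin_plugin_t)`. The same transposition appears in the later munin.te hunk as `bind_read_config(munin_services_plugin_t)` among rules for `services_munin_plugin_t`, where the line is also indented with spaces instead of a tab. Separately, read access to all block device nodes is broad next to `storage_raw_read_fixed_disk`, so a comment naming the plugin that needs it would help.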
  allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  allow services_munin_plugin_t self:udp_socket create_socket_perms;
  allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +284,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +285,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
  dev_read_urand(services_munin_plugin_t)
  dev_read_rand(services_munin_plugin_t)
  
@@ -36629,7 +36726,7 @@ index f17583b..022bd91 100644
  	cups_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -279,6 +305,10 @@ optional_policy(`
+@@ -279,6 +306,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36640,7 +36737,7 @@ index f17583b..022bd91 100644
  	postgresql_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -286,6 +316,10 @@ optional_policy(`
+@@ -286,6 +317,14 @@ optional_policy(`
  	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
  ')
  
@@ -36648,10 +36745,14 @@ index f17583b..022bd91 100644
 +	varnishd_read_lib_files(services_munin_plugin_t)
 +')
 +
++optional_policy(`
++    bind_read_config(munin_services_plugin_t)
++')
++
  ##################################
  #
  # local policy for system plugins
-@@ -295,12 +329,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,12 +334,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
  
  rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -36660,14 +36761,14 @@ index f17583b..022bd91 100644
 -
 -corecmd_exec_shell(system_munin_plugin_t)
 +# needed by munin_* plugins
-+allow system_munin_plugin_t munin_log_t:file read_file_perms;
++read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
 -fs_getattr_all_fs(system_munin_plugin_t)
 +kernel_read_network_state(system_munin_plugin_t)
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +345,45 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +350,45 @@ init_read_utmp(system_munin_plugin_t)
  sysnet_exec_ifconfig(system_munin_plugin_t)
  
  term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -39445,8 +39546,38 @@ index 53cc800..5348e92 100644
  /var/lib/nsd(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
 -/var/lib/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_db_t,s0)
  /var/run/nsd\.pid	--	gen_context(system_u:object_r:nsd_var_run_t,s0)
+diff --git a/nsd.if b/nsd.if
+index a1371d5..ad4f14a 100644
+--- a/nsd.if
++++ b/nsd.if
+@@ -2,6 +2,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Read NSD pid file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`nsd_read_pid',`
++	gen_require(`
++		type nsd_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
++')
++
++########################################
++## <summary>
+ ##	Send and receive datagrams from NSD.  (Deprecated)
+ ## </summary>
+ ## <param name="domain">
 diff --git a/nsd.te b/nsd.te
-index 4b15536..0015de4 100644
+index 4b15536..82e97aa 100644
 --- a/nsd.te
 +++ b/nsd.te
 @@ -18,15 +18,11 @@ domain_type(nsd_crond_t)
@@ -39506,7 +39637,7 @@ index 4b15536..0015de4 100644
  corenet_all_recvfrom_netlabel(nsd_t)
  corenet_tcp_sendrecv_generic_if(nsd_t)
  corenet_udp_sendrecv_generic_if(nsd_t)
-@@ -79,17 +73,18 @@ dev_read_sysfs(nsd_t)
+@@ -79,17 +73,17 @@ dev_read_sysfs(nsd_t)
  
  domain_use_interactive_fds(nsd_t)
  
@@ -39517,18 +39648,18 @@ index 4b15536..0015de4 100644
  fs_getattr_all_fs(nsd_t)
  fs_search_auto_mountpoints(nsd_t)
  
+-logging_send_syslog_msg(nsd_t)
 +auth_use_nsswitch(nsd_t)
-+
- logging_send_syslog_msg(nsd_t)
  
 -miscfiles_read_localization(nsd_t)
++logging_send_syslog_msg(nsd_t)
  
 -sysnet_read_config(nsd_t)
 +sysnet_dns_name_resolve(nsd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(nsd_t)
  userdom_dontaudit_search_user_home_dirs(nsd_t)
-@@ -121,8 +116,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms;
+@@ -121,8 +115,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms;
  
  allow nsd_crond_t nsd_conf_t:file read_file_perms;
  
@@ -39537,7 +39668,7 @@ index 4b15536..0015de4 100644
  files_search_var_lib(nsd_crond_t)
  
  allow nsd_crond_t nsd_t:process signal;
-@@ -139,7 +132,6 @@ kernel_read_system_state(nsd_crond_t)
+@@ -139,7 +131,6 @@ kernel_read_system_state(nsd_crond_t)
  corecmd_exec_bin(nsd_crond_t)
  corecmd_exec_shell(nsd_crond_t)
  
@@ -39545,7 +39676,7 @@ index 4b15536..0015de4 100644
  corenet_all_recvfrom_netlabel(nsd_crond_t)
  corenet_tcp_sendrecv_generic_if(nsd_crond_t)
  corenet_udp_sendrecv_generic_if(nsd_crond_t)
-@@ -155,13 +147,13 @@ dev_read_urand(nsd_crond_t)
+@@ -155,13 +146,13 @@ dev_read_urand(nsd_crond_t)
  
  domain_dontaudit_read_all_domains_state(nsd_crond_t)
  
@@ -41702,10 +41833,10 @@ index 0000000..c9a5f74
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..64a303b
+index 0000000..bf37353
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,574 @@
+@@ -0,0 +1,608 @@
 +
 +## <summary> policy for openshift </summary>
 +
@@ -41982,6 +42113,40 @@ index 0000000..64a303b
 +	manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
 +')
 +
++#######################################
++## <summary>
++##	Create private objects in the
++##	mail lib directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`openshift_lib_filetrans',`
++	gen_require(`
++		type openshift_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)
++')
 +
 +########################################
 +## <summary>
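Review bot: The `## <summary>` of the new `openshift_lib_filetrans` interface says objects are created in the "mail lib directory", but the body performs the transition in `openshift_var_lib_t`, so the text appears to be carried over from another module. I would change the two summary lines to `##	Create private objects in the` / `##	openshift lib directory.` so that the generated interface documentation describes the directory a caller is actually granted a type transition in. The four documented parameters otherwise line up with the `filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)` call.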
@@ -42282,10 +42447,10 @@ index 0000000..64a303b
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..333a974
+index 0000000..e6e4738
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,377 @@
+@@ -0,0 +1,378 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -42336,6 +42501,7 @@ index 0000000..333a974
 +type openshift_var_lib_t, openshift_file_type;
 +files_poly(openshift_var_lib_t)
 +files_poly_parent(openshift_var_lib_t)
++files_mountpoint(openshift_var_lib_t)
 +
 +type openshift_rw_file_t, openshift_file_type;
 +files_poly(openshift_rw_file_t)
@@ -43084,10 +43250,10 @@ index 0000000..e2c300a
 +')
 diff --git a/openvswitch.te b/openvswitch.te
 new file mode 100644
-index 0000000..41542fd
+index 0000000..31370ed
 --- /dev/null
 +++ b/openvswitch.te
-@@ -0,0 +1,85 @@
+@@ -0,0 +1,83 @@
 +policy_module(openvswitch, 1.0.0)
 +
 +########################################
@@ -43165,8 +43331,6 @@ index 0000000..41542fd
 +
 +logging_send_syslog_msg(openvswitch_t)
 +
-+miscfiles_read_localization(openvswitch_t)
-+
 +sysnet_dns_name_resolve(openvswitch_t)
 +
 +optional_policy(`
@@ -47788,7 +47952,7 @@ index 46bee12..8ef270f 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/postfix.te b/postfix.te
-index a1e0f60..000794e 100644
+index a1e0f60..22a3efd 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
@@ -48008,7 +48172,7 @@ index a1e0f60..000794e 100644
  allow postfix_local_t self:process { setsched setrlimit };
  
  # connect to master process
-@@ -272,13 +305,15 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -272,28 +305,51 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
  
  # for .forward - maybe we need a new type for it?
  rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -48022,10 +48186,10 @@ index a1e0f60..000794e 100644
  corecmd_exec_bin(postfix_local_t)
  
 -files_read_etc_files(postfix_local_t)
- 
+-
  logging_dontaudit_search_logs(postfix_local_t)
  
-@@ -286,14 +321,36 @@ mta_read_aliases(postfix_local_t)
+ mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
  mta_read_config(postfix_local_t)
@@ -48065,7 +48229,7 @@ index a1e0f60..000794e 100644
  ')
  
  optional_policy(`
-@@ -304,9 +361,26 @@ optional_policy(`
+@@ -304,9 +360,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48092,7 +48256,7 @@ index a1e0f60..000794e 100644
  ########################################
  #
  # Postfix map local policy
-@@ -329,7 +403,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -329,7 +402,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -48100,7 +48264,7 @@ index a1e0f60..000794e 100644
  corenet_all_recvfrom_netlabel(postfix_map_t)
  corenet_tcp_sendrecv_generic_if(postfix_map_t)
  corenet_udp_sendrecv_generic_if(postfix_map_t)
-@@ -348,7 +421,6 @@ corecmd_read_bin_sockets(postfix_map_t)
+@@ -348,7 +420,6 @@ corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
  files_read_usr_files(postfix_map_t)
@@ -48108,7 +48272,7 @@ index a1e0f60..000794e 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -356,8 +428,6 @@ auth_use_nsswitch(postfix_map_t)
+@@ -356,8 +427,6 @@ auth_use_nsswitch(postfix_map_t)
  
  logging_send_syslog_msg(postfix_map_t)
  
@@ -48117,7 +48281,7 @@ index a1e0f60..000794e 100644
  optional_policy(`
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
-@@ -379,18 +449,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +448,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  
@@ -48143,7 +48307,7 @@ index a1e0f60..000794e 100644
  allow postfix_pipe_t self:process setrlimit;
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +477,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +476,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -48152,7 +48316,7 @@ index a1e0f60..000794e 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +498,7 @@ optional_policy(`
+@@ -420,6 +497,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -48160,7 +48324,7 @@ index a1e0f60..000794e 100644
  ')
  
  optional_policy(`
-@@ -436,11 +515,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +514,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -48178,7 +48342,7 @@ index a1e0f60..000794e 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -487,8 +572,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +571,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -48189,7 +48353,7 @@ index a1e0f60..000794e 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +604,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +603,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -48202,7 +48366,7 @@ index a1e0f60..000794e 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +628,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +627,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -48213,7 +48377,7 @@ index a1e0f60..000794e 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +649,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +648,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
  
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  
@@ -48225,7 +48389,7 @@ index a1e0f60..000794e 100644
  files_search_all_mountpoints(postfix_smtp_t)
  
  optional_policy(`
-@@ -565,6 +661,14 @@ optional_policy(`
+@@ -565,6 +660,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48240,7 +48404,7 @@ index a1e0f60..000794e 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -581,17 +685,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +684,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
  corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
  
  # for prng_exch
@@ -48267,7 +48431,7 @@ index a1e0f60..000794e 100644
  ')
  
  optional_policy(`
-@@ -599,6 +711,11 @@ optional_policy(`
+@@ -599,6 +710,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48279,7 +48443,7 @@ index a1e0f60..000794e 100644
  	postgrey_stream_connect(postfix_smtpd_t)
  ')
  
-@@ -611,7 +728,6 @@ optional_policy(`
+@@ -611,7 +727,6 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -48287,7 +48451,7 @@ index a1e0f60..000794e 100644
  allow postfix_virtual_t self:process { setsched setrlimit };
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +738,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +737,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
  corecmd_exec_shell(postfix_virtual_t)
  corecmd_exec_bin(postfix_virtual_t)
  
@@ -48295,7 +48459,7 @@ index a1e0f60..000794e 100644
  files_read_usr_files(postfix_virtual_t)
  
  mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +745,76 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +744,76 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -48687,7 +48851,7 @@ index de4bdb7..a4cad0b 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ppp.te b/ppp.te
-index bcbf9ac..291e831 100644
+index bcbf9ac..c4607d4 100644
 --- a/ppp.te
 +++ b/ppp.te
 @@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
@@ -48885,11 +49049,13 @@ index bcbf9ac..291e831 100644
  corenet_all_recvfrom_netlabel(pptp_t)
  corenet_tcp_sendrecv_generic_if(pptp_t)
  corenet_raw_sendrecv_generic_if(pptp_t)
-@@ -273,7 +294,6 @@ corenet_tcp_connect_generic_port(pptp_t)
+@@ -272,8 +293,7 @@ corenet_tcp_bind_generic_node(pptp_t)
+ corenet_tcp_connect_generic_port(pptp_t)
  corenet_tcp_connect_all_reserved_ports(pptp_t)
  corenet_sendrecv_generic_client_packets(pptp_t)
- 
+-
 -files_read_etc_files(pptp_t)
++corenet_tcp_connect_pptp_port(pptp_t)
  
  fs_getattr_all_fs(pptp_t)
  fs_search_auto_mountpoints(pptp_t)
@@ -52427,7 +52593,7 @@ index bf75d99..3fb8575 100644
 +    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
 +')
 diff --git a/quota.te b/quota.te
-index 5dd42f5..8f0100a 100644
+index 5dd42f5..0df6e21 100644
 --- a/quota.te
 +++ b/quota.te
 @@ -7,7 +7,8 @@ policy_module(quota, 1.5.0)
@@ -52454,7 +52620,7 @@ index 5dd42f5..8f0100a 100644
  ########################################
  #
  # Local policy
-@@ -34,6 +42,13 @@ files_home_filetrans(quota_t, quota_db_t, file)
+@@ -34,6 +42,17 @@ files_home_filetrans(quota_t, quota_db_t, file)
  files_usr_filetrans(quota_t, quota_db_t, file)
  files_var_filetrans(quota_t, quota_db_t, file)
  files_spool_filetrans(quota_t, quota_db_t, file)
@@ -52465,10 +52631,14 @@ index 5dd42f5..8f0100a 100644
 +	mta_spool_filetrans(quota_t, quota_db_t, file)
 +	mta_spool_filetrans_queue(quota_t, quota_db_t, file)
 +')
++
++optional_policy(`
++	openshift_lib_filetrans(quota_t, quota_db_t, file)
++')
  
  kernel_list_proc(quota_t)
  kernel_read_proc_symlinks(quota_t)
-@@ -72,7 +87,7 @@ init_use_script_ptys(quota_t)
+@@ -72,7 +91,7 @@ init_use_script_ptys(quota_t)
  
  logging_send_syslog_msg(quota_t)
  
@@ -52477,7 +52647,7 @@ index 5dd42f5..8f0100a 100644
  userdom_dontaudit_use_unpriv_user_fds(quota_t)
  
  optional_policy(`
-@@ -82,3 +97,31 @@ optional_policy(`
+@@ -82,3 +101,30 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(quota_t)
  ')
@@ -52496,7 +52666,6 @@ index 5dd42f5..8f0100a 100644
 +
 +kernel_read_network_state(quota_nld_t)
 +
-+
 +auth_use_nsswitch(quota_nld_t)
 +
 +init_read_utmp(quota_nld_t)
@@ -52638,7 +52807,7 @@ index 0000000..4cb2ad8
 +
 +logging_send_syslog_msg(rabbitmq_epmd_t)
 diff --git a/radius.fc b/radius.fc
-index 09f7b50..3ef25cd 100644
+index 09f7b50..61c6d34 100644
 --- a/radius.fc
 +++ b/radius.fc
 @@ -9,6 +9,8 @@
@@ -52650,6 +52819,15 @@ index 09f7b50..3ef25cd 100644
  /var/lib/radiousd(/.*)?		gen_context(system_u:object_r:radiusd_var_lib_t,s0)
  
  /var/log/freeradius(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
+@@ -16,7 +18,7 @@
+ /var/log/radius(/.*)?		gen_context(system_u:object_r:radiusd_log_t,s0)
+ /var/log/radius\.log.*	--	gen_context(system_u:object_r:radiusd_log_t,s0)
+ /var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+-/var/log/radutmp	--	gen_context(system_u:object_r:radiusd_log_t,s0)
++/var/log/radutmp.*	--	gen_context(system_u:object_r:radiusd_log_t,s0)
+ /var/log/radwtmp.*	--	gen_context(system_u:object_r:radiusd_log_t,s0)
+ 
+ /var/run/radiusd(/.*)?		gen_context(system_u:object_r:radiusd_var_run_t,s0)
 diff --git a/radius.if b/radius.if
 index 75e5dc4..a366f85 100644
 --- a/radius.if
@@ -56025,7 +56203,7 @@ index 0000000..8b505d5
 +')
 diff --git a/rngd.te b/rngd.te
 new file mode 100644
-index 0000000..868faed
+index 0000000..50b6196
 --- /dev/null
 +++ b/rngd.te
 @@ -0,0 +1,37 @@
@@ -56056,7 +56234,7 @@ index 0000000..868faed
 +allow rngd_t self:fifo_file rw_fifo_file_perms;
 +allow rngd_t self:unix_stream_socket create_stream_socket_perms;
 +
-+kernel_read_kernel_sysctls(rngd_t)
++kernel_rw_kernel_sysctl(rngd_t)
 +
 +dev_read_rand(rngd_t)
 +dev_read_urand(rngd_t)
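Review bot: Replacing `kernel_read_kernel_sysctls(rngd_t)` with `kernel_rw_kernel_sysctl(rngd_t)` turns a read-only grant into read/write on the kernel sysctl type as a whole, and neither the hunk nor the changelog names the entry rngd needs to write. A comment above the call recording the sysctl and the denial that motivated it, for example `# rngd writes <sysctl placeholder>; see <bug reference placeholder>`, would let a later reviewer judge whether the grant can be narrowed. If the target is a single entry, which is my guess for this daemon and should be confirmed, a dedicated type for that entry would be tighter than write access to every kernel sysctl. The rngd.te section continues beyond this hunk.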
@@ -56640,7 +56818,7 @@ index f5c47d6..164ce1f 100644
 -/var/run/rpcbind\.sock	-s	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
 +/var/run/rpcbind.*		gen_context(system_u:object_r:rpcbind_var_run_t,s0)
 diff --git a/rpcbind.if b/rpcbind.if
-index a96249c..54e6f2d 100644
+index a96249c..ff1163f 100644
 --- a/rpcbind.if
 +++ b/rpcbind.if
 @@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
@@ -56653,7 +56831,7 @@ index a96249c..54e6f2d 100644
  ')
  
  ########################################
-@@ -117,6 +116,42 @@ interface(`rpcbind_manage_lib_files',`
+@@ -117,6 +116,60 @@ interface(`rpcbind_manage_lib_files',`
  
  ########################################
  ## <summary>
@@ -56693,10 +56871,28 @@ index a96249c..54e6f2d 100644
 +
 +########################################
 +## <summary>
++##	Relabel from rpcbind sock file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpcbind_relabel_sock_file',`
++	gen_require(`
++		type rpcbind_var_run_t;
++	')
++
++	allow $1 rpcbind_var_run_t:sock_file relabel_sock_file_perms;
++')
++
++########################################
++## <summary>
  ##	All of the rules required to administrate
  ##	an rpcbind environment
  ## </summary>
-@@ -138,11 +173,20 @@ interface(`rpcbind_admin',`
+@@ -138,11 +191,20 @@ interface(`rpcbind_admin',`
  		type rpcbind_initrc_exec_t;
  	')
  
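Review bot: The new `rpcbind_relabel_sock_file` interface is documented as "Relabel from rpcbind sock file" but grants `relabel_sock_file_perms`, which in the reference policy permission sets covers both relabelfrom and relabelto. If init only needs to move the socket away from `rpcbind_var_run_t`, `allow $1 rpcbind_var_run_t:sock_file relabelfrom_sock_file_perms;` would match the summary. If both directions are intended, the summary should instead read `##	Relabel rpcbind sock files.` Either way the name, summary and permission set should agree, so that a caller can tell what it is granting.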
@@ -60749,16 +60945,18 @@ index c8ef84b..ffa81dd 100644
  optional_policy(`
  	mount_exec(sectoolm_t)
 diff --git a/sendmail.fc b/sendmail.fc
-index a86ec50..ef4199b 100644
+index a86ec50..da5d41d 100644
 --- a/sendmail.fc
 +++ b/sendmail.fc
-@@ -1,4 +1,6 @@
+@@ -1,5 +1,7 @@
  
+-/var/log/sendmail\.st		--	gen_context(system_u:object_r:sendmail_log_t,s0)
 +/etc/rc\.d/init\.d/sendmail --  gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
 +
- /var/log/sendmail\.st		--	gen_context(system_u:object_r:sendmail_log_t,s0)
++/var/log/sendmail\.st.*		--	gen_context(system_u:object_r:sendmail_log_t,s0)
  /var/log/mail(/.*)?			gen_context(system_u:object_r:sendmail_log_t,s0)
  
+ /var/run/sendmail\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
 diff --git a/sendmail.if b/sendmail.if
 index 7e94c7c..ca74cd9 100644
 --- a/sendmail.if
@@ -61702,7 +61900,7 @@ index 781ad7e..d5ce40a 100644
  	init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/shorewall.te b/shorewall.te
-index 4723c6b..3ae4ead 100644
+index 4723c6b..c55fcaa 100644
 --- a/shorewall.te
 +++ b/shorewall.te
 @@ -37,9 +37,10 @@ logging_log_file(shorewall_log_t)
@@ -61727,7 +61925,13 @@ index 4723c6b..3ae4ead 100644
  
  allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
  
-@@ -75,7 +79,6 @@ dev_read_urand(shorewall_t)
+@@ -70,12 +74,12 @@ kernel_rw_net_sysctls(shorewall_t)
+ corecmd_exec_bin(shorewall_t)
+ corecmd_exec_shell(shorewall_t)
+ 
++dev_read_sysfs(shorewall_t)
+ dev_read_urand(shorewall_t)
+ 
  domain_read_all_domains_state(shorewall_t)
  
  files_getattr_kernel_modules(shorewall_t)
@@ -61735,7 +61939,7 @@ index 4723c6b..3ae4ead 100644
  files_read_usr_files(shorewall_t)
  files_search_kernel_modules(shorewall_t)
  
-@@ -83,13 +86,20 @@ fs_getattr_all_fs(shorewall_t)
+@@ -83,13 +87,20 @@ fs_getattr_all_fs(shorewall_t)
  
  init_rw_utmp(shorewall_t)
  
@@ -62823,7 +63027,7 @@ index 275f9fb..f1343b7 100644
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/snmp.te b/snmp.te
-index 56f074c..51ad0eb 100644
+index 56f074c..4909ce8 100644
 --- a/snmp.te
 +++ b/snmp.te
 @@ -4,6 +4,7 @@ policy_module(snmp, 1.13.0)
@@ -62880,7 +63084,15 @@ index 56f074c..51ad0eb 100644
  corenet_all_recvfrom_netlabel(snmpd_t)
  corenet_tcp_sendrecv_generic_if(snmpd_t)
  corenet_udp_sendrecv_generic_if(snmpd_t)
-@@ -83,10 +86,8 @@ dev_getattr_usbfs_dirs(snmpd_t)
+@@ -73,6 +76,7 @@ corenet_sendrecv_snmp_server_packets(snmpd_t)
+ corenet_tcp_connect_agentx_port(snmpd_t)
+ corenet_tcp_bind_agentx_port(snmpd_t)
+ corenet_udp_bind_agentx_port(snmpd_t)
++corenet_tcp_connect_snmp_port(snmpd_t)
+ 
+ dev_list_sysfs(snmpd_t)
+ dev_read_sysfs(snmpd_t)
+@@ -83,10 +87,8 @@ dev_getattr_usbfs_dirs(snmpd_t)
  domain_use_interactive_fds(snmpd_t)
  domain_signull_all_domains(snmpd_t)
  domain_read_all_domains_state(snmpd_t)
@@ -62891,7 +63103,7 @@ index 56f074c..51ad0eb 100644
  files_read_usr_files(snmpd_t)
  files_read_etc_runtime_files(snmpd_t)
  files_search_home(snmpd_t)
-@@ -94,28 +95,28 @@ files_search_home(snmpd_t)
+@@ -94,28 +96,28 @@ files_search_home(snmpd_t)
  fs_getattr_all_dirs(snmpd_t)
  fs_getattr_all_fs(snmpd_t)
  fs_search_auto_mountpoints(snmpd_t)
@@ -62926,7 +63138,7 @@ index 56f074c..51ad0eb 100644
  	optional_policy(`
  		rpm_read_db(snmpd_t)
  		rpm_dontaudit_manage_db(snmpd_t)
-@@ -131,6 +132,10 @@ optional_policy(`
+@@ -131,6 +133,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62937,7 +63149,7 @@ index 56f074c..51ad0eb 100644
  	cups_read_rw_config(snmpd_t)
  ')
  
-@@ -140,6 +145,10 @@ optional_policy(`
+@@ -140,6 +146,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63158,7 +63370,7 @@ index 3217605..e9a4381 100644
  
  userdom_dontaudit_use_unpriv_user_fds(soundd_t)
 diff --git a/spamassassin.fc b/spamassassin.fc
-index 6b3abf9..3dfa27b 100644
+index 6b3abf9..80c9e56 100644
 --- a/spamassassin.fc
 +++ b/spamassassin.fc
 @@ -1,15 +1,53 @@
@@ -63190,7 +63402,7 @@ index 6b3abf9..3dfa27b 100644
 +/var/lib/spamassassin/compiled(/.*)?	gen_context(system_u:object_r:spamd_compiled_t,s0)
 +
 +/var/log/spamd\.log.*	--	gen_context(system_u:object_r:spamd_log_t,s0)
-+/var/log/mimedefang	--	gen_context(system_u:object_r:spamd_log_t,s0)
++/var/log/mimedefang.*	--	gen_context(system_u:object_r:spamd_log_t,s0)
  
  /var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
  
@@ -63434,7 +63646,7 @@ index c954f31..82fc7f6 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..92b6730 100644
+index 1bbf73b..dd3e5e1 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -6,52 +6,40 @@ policy_module(spamassassin, 2.5.0)
@@ -63956,7 +64168,7 @@ index 1bbf73b..92b6730 100644
  	sendmail_stub(spamd_t)
  	mta_read_config(spamd_t)
  ')
-@@ -447,3 +555,52 @@ optional_policy(`
+@@ -447,3 +555,54 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -63968,6 +64180,7 @@ index 1bbf73b..92b6730 100644
 +
 +allow spamd_update_t self:fifo_file manage_fifo_file_perms;
 +allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
++allow spamd_update_t self:capability dac_read_search;
 +dontaudit spamd_update_t self:capability dac_override;
 +
 +manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
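Review bot: The added `allow spamd_update_t self:capability dac_read_search;` lets the update domain bypass DAC read and search checks, and it sits directly above a `dontaudit` for `dac_override`, so one DAC bypass is granted and the other is silenced with no explanation for either. Neither the hunk nor the changelog says which path the updater cannot otherwise read. I would add a comment above the rule such as `# updater must read <path placeholder>, which is not owned by its user`, once the cause is confirmed. If the denial comes from file ownership, fixing the ownership would avoid the capability altogether. The spamd_update_t section starts above this hunk and continues below it.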
@@ -63975,6 +64188,7 @@ index 1bbf73b..92b6730 100644
 +files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
 +
 +allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
++manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 +manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 +manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 +
@@ -64246,7 +64460,7 @@ index 4271815..45291bb 100644
  
  /var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)
 diff --git a/sssd.if b/sssd.if
-index 941380a..62e4b12 100644
+index 941380a..54c45f6 100644
 --- a/sssd.if
 +++ b/sssd.if
 @@ -1,13 +1,31 @@
@@ -64390,7 +64604,11 @@ index 941380a..62e4b12 100644
  ##	Read sssd public files.
  ## </summary>
  ## <param name="domain">
-@@ -55,6 +173,25 @@ interface(`sssd_read_public_files',`
+@@ -52,9 +170,29 @@ interface(`sssd_read_public_files',`
+ 	')
+ 
+ 	sssd_search_lib($1)
++	list_dirs_pattern($1, sssd_public_t, sssd_public_t)
  	read_files_pattern($1, sssd_public_t, sssd_public_t)
  ')
  
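Review bot: `sssd_read_public_files` now also calls `list_dirs_pattern($1, sssd_public_t, sssd_public_t)`, but the `## <summary>` shown as context above it still reads "Read sssd public files." Every existing caller of the interface gains directory listing through this change, so the documentation should say so, for example `##	Read sssd public files and list the directory.` The interface body starts above this hunk, so I cannot see whether other text in its header also needs the update.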
@@ -64416,7 +64634,7 @@ index 941380a..62e4b12 100644
  ########################################
  ## <summary>
  ##	Read sssd PID files.
-@@ -89,6 +226,7 @@ interface(`sssd_manage_pids',`
+@@ -89,6 +227,7 @@ interface(`sssd_manage_pids',`
  		type sssd_var_run_t;
  	')
  
@@ -64424,7 +64642,7 @@ index 941380a..62e4b12 100644
  	manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
  	manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
  ')
-@@ -128,7 +266,6 @@ interface(`sssd_dontaudit_search_lib',`
+@@ -128,7 +267,6 @@ interface(`sssd_dontaudit_search_lib',`
  	')
  
  	dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
@@ -64432,7 +64650,7 @@ index 941380a..62e4b12 100644
  ')
  
  ########################################
-@@ -148,6 +285,7 @@ interface(`sssd_read_lib_files',`
+@@ -148,6 +286,7 @@ interface(`sssd_read_lib_files',`
  
  	files_search_var_lib($1)
  	read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
@@ -64440,7 +64658,7 @@ index 941380a..62e4b12 100644
  ')
  
  ########################################
-@@ -168,6 +306,7 @@ interface(`sssd_manage_lib_files',`
+@@ -168,6 +307,7 @@ interface(`sssd_manage_lib_files',`
  
  	files_search_var_lib($1)
  	manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
@@ -64448,7 +64666,7 @@ index 941380a..62e4b12 100644
  ')
  
  ########################################
-@@ -193,7 +332,7 @@ interface(`sssd_dbus_chat',`
+@@ -193,7 +333,7 @@ interface(`sssd_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -64457,7 +64675,7 @@ index 941380a..62e4b12 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -225,21 +364,19 @@ interface(`sssd_stream_connect',`
+@@ -225,21 +365,19 @@ interface(`sssd_stream_connect',`
  ##	The role to be allowed to manage the sssd domain.
  ##	</summary>
  ## </param>
@@ -64486,7 +64704,7 @@ index 941380a..62e4b12 100644
  
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
-@@ -252,4 +389,9 @@ interface(`sssd_admin',`
+@@ -252,4 +390,9 @@ interface(`sssd_admin',`
  	sssd_manage_lib_files($1)
  
  	admin_pattern($1, sssd_public_t)
@@ -66395,10 +66613,10 @@ index 0000000..d000122
 +')
 diff --git a/thin.te b/thin.te
 new file mode 100644
-index 0000000..d5b0ebc
+index 0000000..2b878d8
 --- /dev/null
 +++ b/thin.te
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,110 @@
 +policy_module(thin, 1.0)
 +
 +########################################
@@ -66444,6 +66662,8 @@ index 0000000..d5b0ebc
 +corecmd_exec_bin(thin_domain)
 +corecmd_exec_shell(thin_domain)
 +
++corenet_tcp_bind_generic_node(thin_domain)
++
 +dev_read_rand(thin_domain)
 +dev_read_urand(thin_domain)
 +
@@ -66483,7 +66703,6 @@ index 0000000..d5b0ebc
 +manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
 +files_pid_filetrans(thin_t, thin_var_run_t, { file })
 +
-+corenet_tcp_bind_generic_node(thin_t)
 +corenet_tcp_bind_ntop_port(thin_t)
 +corenet_tcp_connect_postgresql_port(thin_t)
 +
@@ -66493,6 +66712,10 @@ index 0000000..d5b0ebc
 +# thin aeolus configserver local policy
 +#
 +
++allow thin_aeolus_configserver_t self:capability { setuid setgid };
++
++corenet_tcp_bind_tram_port(thin_aeolus_configserver_t)
++
 +manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
 +manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
 +files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir })
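Review bot: `allow thin_aeolus_configserver_t self:capability { setuid setgid };` is added without a comment, and the changelog only says "Add fixes for aeolus_configserver", so the reason the config server needs to change its user and group is not recorded. A one-line comment above the rule, for example `# switches to the service account at startup`, would document it. That reason is my inference and should be confirmed against the denial that prompted the change. The `corenet_tcp_bind_tram_port` line next to it is covered by the changelog entry for the TRAM port.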
@@ -66659,10 +66882,10 @@ index 0000000..9127cec
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..649731a
+index 0000000..2a72b2f
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,124 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -66745,7 +66968,7 @@ index 0000000..649731a
 +fs_read_dos_files(thumb_t)
 +fs_rw_inherited_tmpfs_files(thumb_t)
 +
-+auth_use_nsswitch(thumb_t)
++auth_read_passwd(thumb_t)
 +
 +tunable_policy(`selinuxuser_execmod',`
 +	libs_legacy_use_shared_libs(thumb_t)
@@ -66755,6 +66978,7 @@ index 0000000..649731a
 +
 +sysnet_read_config(thumb_t)
 +
++userdom_dontaudit_setattr_user_tmp(thumb_t)
 +userdom_read_user_tmp_files(thumb_t)
 +userdom_read_user_home_content_files(thumb_t)
 +userdom_write_user_tmp_files(thumb_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5df642c..1792497 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 56%{?dist}
+Release: 57%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,21 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Nov 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-57
+- Add support for 4567/tcp port
+- Random fixes from Tuomo Soini
+- xdm wants to get init status
+- Allow programs to run in fips_mode
+- Add interface to allow the reading of all blk device nodes
+- Allow init to relabel rpcbind sock_file
+- Fix labeling for lastlog and faillog related to logrotate
+- ALlow aeolus_configserver to use TRAM port
+- Add fixes for aeolus_configserver
+- Allow snmpd to connect to snmp port
+- Allow spamd_update to create spamd_var_lib_t directories
+- Allow domains that can read sssd_public_t files to also list the directory
+- Remove miscfiles_read_localization, this is defined for all domains
+
 * Mon Nov 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-56
 - Allow syslogd to request the kernel to load a module
 - Allow syslogd_t to read the network state information

