[selinux-policy/f16] * Fri Oct 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-92 - Backport openshift policy
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Oct 12 20:44:06 UTC 2012
commit 0ab0cdb9509b9e4b52fc3b6c7f7aba50a40600d6
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Oct 12 22:43:46 2012 +0200
* Fri Oct 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-92
- Backport openshift policy
modules-targeted.conf | 13 +
policy-F16.patch | 1946 ++++++++++++++++++++++++++++++++++++++++---------
selinux-policy.spec | 5 +-
3 files changed, 1618 insertions(+), 346 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 9bc67cd..f178bea 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2493,3 +2493,16 @@ cloudform = module
# policy for jockey-backend
#
jockey = module
+
+# Layer: contrib
+# Module: openshift-origin
+#
+# Origin version of openshift policy
+#
+openshift-origin = module
+# Layer: contrib
+# Module: openshift
+#
+# Core openshift policy
+#
+openshift = module
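Review bot: The two new entries run together — `openshift-origin = module` is immediately followed by the next `# Layer: contrib` header — while every other entry in this file (see `jockey = module` above) is separated from its neighbour by a blank line. Add an empty line after `openshift-origin = module` so the block reads like the rest of the file.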
diff --git a/policy-F16.patch b/policy-F16.patch
index 5e5e3c5..17d9f3a 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1815,7 +1815,7 @@ index c6ca761..46e0767 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..9f49d01 100644
+index e0791b9..d84d16a 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
@@ -1864,7 +1864,7 @@ index e0791b9..9f49d01 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +150,29 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -1887,10 +1887,14 @@ index e0791b9..9f49d01 100644
+')
+
+optional_policy(`
++ openshift_rw_inherited_content(ping_t)
++')
++
++optional_policy(`
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -157,6 +176,10 @@ optional_policy(`
+@@ -157,6 +180,10 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -1901,7 +1905,7 @@ index e0791b9..9f49d01 100644
########################################
#
# Traceroute local policy
-@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +221,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -1909,7 +1913,7 @@ index e0791b9..9f49d01 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -204,9 +228,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +232,16 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
@@ -2581,15 +2585,18 @@ index af55369..ec838bd 100644
+ miscfiles_read_man_pages(prelink_t)
+')
diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc
-index f387230..e13dbdd 100644
+index f387230..4955933 100644
--- a/policy/modules/admin/quota.fc
+++ b/policy/modules/admin/quota.fc
-@@ -10,10 +10,14 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+@@ -10,10 +10,17 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
-/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++
++/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
ifdef(`distro_redhat',`
/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
@@ -3121,7 +3128,7 @@ index d33daa8..8ba0f86 100644
+ allow rpm_script_t $1:process sigchld;
+')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..4b78d5b 100644
+index 47a8f7d..22aa79f 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,11 @@
@@ -3306,7 +3313,7 @@ index 47a8f7d..4b78d5b 100644
')
')
-@@ -368,6 +402,11 @@ optional_policy(`
+@@ -368,6 +402,15 @@ optional_policy(`
')
optional_policy(`
@@ -3315,10 +3322,14 @@ index 47a8f7d..4b78d5b 100644
+')
+
+optional_policy(`
++ openshift_initrc_domtrans(rpm_script_t)
++')
++
++optional_policy(`
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
-@@ -377,8 +416,9 @@ optional_policy(`
+@@ -377,8 +420,9 @@ optional_policy(`
')
optional_policy(`
@@ -4470,7 +4481,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..8d23813 100644
+index 441cf22..26eada8 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -4613,7 +4624,7 @@ index 441cf22..8d23813 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -448,8 +460,12 @@ corecmd_exec_shell(useradd_t)
+@@ -448,29 +460,32 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -4626,7 +4637,11 @@ index 441cf22..8d23813 100644
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -460,17 +476,15 @@ fs_search_auto_mountpoints(useradd_t)
+ files_relabel_etc_files(useradd_t)
+ files_read_etc_runtime_files(useradd_t)
++files_manage_etc_files(useradd_t)
+
+ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
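Review bot: The added `files_manage_etc_files(useradd_t)` (the `++` line) duplicates a call that already appears as context at the top of this same hunk, so the merged patch states the same rule twice. A duplicate allow rule is harmless to the compiled policy but makes the hunk misleading on the next rebase; drop the added line. The rendering strips the inner diff's context marker from the earlier line, so confirm it is present in the patched file rather than removed before deleting the new one.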
@@ -4651,7 +4666,7 @@ index 441cf22..8d23813 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -495,24 +509,19 @@ seutil_read_file_contexts(useradd_t)
+@@ -495,24 +510,19 @@ seutil_read_file_contexts(useradd_t)
seutil_read_default_contexts(useradd_t)
seutil_domtrans_semanage(useradd_t)
seutil_domtrans_setfiles(useradd_t)
@@ -4957,10 +4972,10 @@ index 0000000..a03aec4
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..1957119
+index 0000000..7773c55
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,189 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -5013,6 +5028,7 @@ index 0000000..1957119
+
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
++fs_read_dos_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
@@ -8186,10 +8202,10 @@ index 0000000..2a83f6e
+')
diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te
new file mode 100644
-index 0000000..6de888a
+index 0000000..62cb869
--- /dev/null
+++ b/policy/modules/apps/jockey.te
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,40 @@
+policy_module(jockey, 1.0.0)
+
+########################################
@@ -8222,6 +8238,9 @@ index 0000000..6de888a
+manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
+
++corecmd_exec_shell(jockey_t)
++corecmd_exec_bin(jockey_t)
++
+domain_use_interactive_fds(jockey_t)
+
+files_read_etc_files(jockey_t)
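Review bot: `corecmd_exec_shell(jockey_t)` and `corecmd_exec_bin(jockey_t)` let the jockey backend execute any shell and any bin_t binary in its own domain, and nothing in the hunk says which helper needs that; a one-line comment above the two calls, such as `# jockey-backend runs distribution helper scripts`, would make the widening reviewable later. This hunk, like the chrome.te hunk earlier in the patch, is unrelated to the openshift backport named in the commit message, so it is easy to overlook in this diff.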
@@ -17133,7 +17152,7 @@ index fae1ab1..b062dce 100644
+
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c19518a..12e8e9c 100644
+index c19518a..5f6f62d 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -17218,7 +17237,7 @@ index c19518a..12e8e9c 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -230,17 +245,20 @@ ifndef(`distro_redhat',`
+@@ -230,17 +245,27 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -17228,6 +17247,13 @@ index c19518a..12e8e9c 100644
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
++/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++
++/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++/var/lib/openshift/.openshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++
/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
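Review bot: The new `/var/lib/stickshift/...` and `/var/lib/openshift/...` entries label the `.stickshift-proxy.d`, `.openshift-proxy.d` and `.limits.d` trees as `etc_t`, which every domain using files_read_etc_files() can read and every domain using files_manage_etc_files() can write; that is only appropriate if those directories hold non-sensitive system configuration. If they are written by the openshift daemons, a dedicated openshift type would avoid handing those daemons write access to generic `etc_t` as well. A short comment above the entries naming which component owns these directories and why `etc_t` is the intended label would record the decision for the next rebase.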
@@ -17240,14 +17266,14 @@ index c19518a..12e8e9c 100644
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
-@@ -257,3 +275,5 @@ ifndef(`distro_redhat',`
+@@ -257,3 +282,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..c0f363c 100644
+index ff006ea..75e4835 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -17258,7 +17284,52 @@ index ff006ea..c0f363c 100644
## <li>files_tmp_file()</li>
## <li>files_tmpfs_file()</li>
## <li>logging_log_file()</li>
-@@ -663,12 +664,63 @@ interface(`files_read_non_security_files',`
+@@ -598,6 +599,44 @@ interface(`files_dontaudit_getattr_non_security_files',`
+ dontaudit $1 non_security_file_type:file getattr;
+ ')
+
++######################################
++## <summary>
++## Do not audit attempts to set the attributes
++## of non security files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_setattr_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:file setattr;
++')
++
++######################################
++## <summary>
++## Do not audit attempts to set the attributes
++## of non security directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_setattr_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:dir setattr;
++')
++
+ ########################################
+ ## <summary>
+ ## Read all files.
+@@ -663,12 +702,63 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -17322,7 +17393,7 @@ index ff006ea..c0f363c 100644
## Read all directories on the filesystem, except
## the listed exceptions.
## </summary>
-@@ -1053,10 +1105,8 @@ interface(`files_relabel_all_files',`
+@@ -1053,10 +1143,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -17335,7 +17406,7 @@ index ff006ea..c0f363c 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1482,6 +1532,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1482,6 +1570,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
@@ -17378,7 +17449,7 @@ index ff006ea..c0f363c 100644
## List the contents of the root directory.
## </summary>
## <param name="domain">
-@@ -1562,7 +1648,7 @@ interface(`files_root_filetrans',`
+@@ -1562,7 +1686,7 @@ interface(`files_root_filetrans',`
type root_t;
')
@@ -17387,7 +17458,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -1660,6 +1746,42 @@ interface(`files_delete_root_dir_entry',`
+@@ -1660,6 +1784,42 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
@@ -17430,7 +17501,7 @@ index ff006ea..c0f363c 100644
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
-@@ -1678,6 +1800,24 @@ interface(`files_unmount_rootfs',`
+@@ -1678,6 +1838,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
@@ -17455,7 +17526,7 @@ index ff006ea..c0f363c 100644
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
-@@ -1848,7 +1988,7 @@ interface(`files_boot_filetrans',`
+@@ -1848,7 +2026,7 @@ interface(`files_boot_filetrans',`
type boot_t;
')
@@ -17464,7 +17535,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -2372,6 +2512,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2550,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -17489,7 +17560,7 @@ index ff006ea..c0f363c 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2451,7 +2609,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2647,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -17498,7 +17569,7 @@ index ff006ea..c0f363c 100644
## </summary>
## </param>
#
-@@ -2507,6 +2665,25 @@ interface(`files_manage_etc_files',`
+@@ -2507,6 +2703,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@@ -17524,7 +17595,7 @@ index ff006ea..c0f363c 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
-@@ -2525,6 +2702,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2740,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -17549,7 +17620,7 @@ index ff006ea..c0f363c 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2624,7 +2819,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2857,7 @@ interface(`files_etc_filetrans',`
type etc_t;
')
@@ -17558,7 +17629,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -2680,24 +2875,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2913,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -17583,7 +17654,7 @@ index ff006ea..c0f363c 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -2738,6 +2915,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2953,24 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -17608,7 +17679,7 @@ index ff006ea..c0f363c 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -2775,6 +2970,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +3008,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -17616,7 +17687,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -2796,6 +2992,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -2796,6 +3030,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -17624,7 +17695,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -3364,7 +3561,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3599,7 @@ interface(`files_home_filetrans',`
type home_root_t;
')
@@ -17633,7 +17704,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -3502,20 +3699,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3737,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -17677,7 +17748,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -3804,7 +4019,7 @@ interface(`files_kernel_modules_filetrans',`
+@@ -3804,7 +4057,7 @@ interface(`files_kernel_modules_filetrans',`
type modules_object_t;
')
@@ -17686,7 +17757,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -3900,82 +4115,224 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,53 +4153,194 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -17766,18 +17837,13 @@ index ff006ea..c0f363c 100644
+## <summary>
+## Domain allowed access.
+## </summary>
- ## </param>
- #
--interface(`files_dontaudit_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
-- ')
++## </param>
++#
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- dontaudit $1 tmp_t:dir getattr;
++
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
@@ -17788,37 +17854,26 @@ index ff006ea..c0f363c 100644
+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
- ')
-
--########################################
++')
++
+######################################
- ## <summary>
--## Search the tmp directory (/tmp).
++## <summary>
+## Relabel manageable system configuration files in /etc.
- ## </summary>
- ## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
++## </summary>
++## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
- ## </param>
- #
--interface(`files_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++## </param>
++#
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- allow $1 tmp_t:dir search_dir_perms;
++
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+######################################
+## <summary>
+## Relabel manageable system configuration files in /etc.
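Review bot: `files_relabelto_system_conf_files` declares `type usr_t;` in its gen_require but its body uses `system_conf_t`, so usr_t is never used and a module calling this interface without otherwise requiring system_conf_t fails to build; change the require to `type system_conf_t;`. These lines are context in this hunk, so the defect predates this commit but is still carried by the patch. The following interface's summary repeats the same sentence, `## Relabel manageable system configuration files in /etc.`, so the two are indistinguishable in the generated interface docs; reword this one as `## Relabel files to the manageable system configuration type in /etc.` and adjust the second to what its body does (that body is outside this hunk).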
@@ -17923,40 +17978,18 @@ index ff006ea..c0f363c 100644
+## <summary>
+## Domain to not audit.
+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_getattr_tmp_dirs',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ dontaudit $1 tmp_t:dir getattr;
-+')
-+
-+########################################
-+## <summary>
-+## Search the tmp directory (/tmp).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_search_tmp',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
+ ## </param>
+ #
+ interface(`files_dontaudit_getattr_tmp_dirs',`
+@@ -3972,6 +4366,7 @@ interface(`files_search_tmp',`
+ type tmp_t;
+ ')
+
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir search_dir_perms;
-+')
-+
-+########################################
- ## <summary>
- ## Do not audit attempts to search the tmp directory (/tmp).
- ## </summary>
-@@ -4017,7 +4374,7 @@ interface(`files_list_tmp',`
+ allow $1 tmp_t:dir search_dir_perms;
+ ')
+
+@@ -4017,7 +4412,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -17965,7 +17998,7 @@ index ff006ea..c0f363c 100644
## </summary>
## </param>
#
-@@ -4029,6 +4386,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4424,24 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -17990,7 +18023,7 @@ index ff006ea..c0f363c 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4085,6 +4460,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4498,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -18023,7 +18056,7 @@ index ff006ea..c0f363c 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4139,6 +4540,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4578,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -18066,7 +18099,7 @@ index ff006ea..c0f363c 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4202,7 +4639,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4677,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -18075,7 +18108,7 @@ index ff006ea..c0f363c 100644
## </summary>
## </param>
#
-@@ -4262,7 +4699,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4737,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -18084,7 +18117,7 @@ index ff006ea..c0f363c 100644
## </summary>
## </param>
#
-@@ -4318,7 +4755,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4793,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
@@ -18093,7 +18126,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -4342,6 +4779,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4817,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -18110,7 +18143,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -4681,7 +5128,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5166,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
@@ -18119,7 +18152,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -5084,7 +5531,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5569,7 @@ interface(`files_var_filetrans',`
type var_t;
')
@@ -18128,7 +18161,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -5219,7 +5666,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5704,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -18137,7 +18170,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -5259,6 +5706,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5259,6 +5744,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -18163,7 +18196,7 @@ index ff006ea..c0f363c 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5304,6 +5770,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5808,25 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -18189,7 +18222,7 @@ index ff006ea..c0f363c 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5317,6 +5802,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5840,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -18198,7 +18231,7 @@ index ff006ea..c0f363c 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5336,12 +5823,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5861,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -18214,7 +18247,7 @@ index ff006ea..c0f363c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5349,12 +5838,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5876,30 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -18247,7 +18280,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -5373,6 +5880,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5918,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -18255,7 +18288,7 @@ index ff006ea..c0f363c 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5385,7 +5893,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5931,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -18263,7 +18296,7 @@ index ff006ea..c0f363c 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5412,7 +5919,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5957,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -18272,7 +18305,7 @@ index ff006ea..c0f363c 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5428,12 +5935,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5973,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -18289,7 +18322,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -5452,7 +5959,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5997,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -18298,7 +18331,7 @@ index ff006ea..c0f363c 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5493,7 +6000,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +6038,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -18307,7 +18340,7 @@ index ff006ea..c0f363c 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +6022,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +6060,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -18316,7 +18349,7 @@ index ff006ea..c0f363c 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +6054,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6092,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -18327,7 +18360,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -5608,6 +6115,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6153,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -18371,18 +18404,15 @@ index ff006ea..c0f363c 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5629,12 +6173,31 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,6 +6211,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
--## List the contents of the runtime process
--## ID directories (/var/run).
+## Do not audit attempts to search
+## the all /var/run directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
@@ -18397,16 +18427,10 @@ index ff006ea..c0f363c 100644
+
+########################################
+## <summary>
-+## List the contents of the runtime process
-+## ID directories (/var/run).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
-@@ -5736,7 +6299,7 @@ interface(`files_pid_filetrans',`
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ## </summary>
+@@ -5736,7 +6337,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -18415,18 +18439,21 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -5815,6 +6378,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,16 +6416,126 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
+-## Read all process ID files.
+## Relable all pid directories
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_read_all_pids',`
+interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
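Review bot: The summary of `files_relabel_all_pid_dirs` reads `## Relable all pid directories`; it should be `## Relabel all pid directories.`, with the trailing period the neighbouring summaries use. The line is context in this hunk, so the typo is carried over from the earlier version of the patch.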
@@ -18529,10 +18556,20 @@ index ff006ea..c0f363c 100644
+
+########################################
+## <summary>
- ## Read all process ID files.
- ## </summary>
- ## <param name="domain">
-@@ -5832,6 +6505,62 @@ interface(`files_read_all_pids',`
++## Read all process ID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_read_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ type var_t;
+@@ -5832,6 +6543,62 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -18595,7 +18632,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -5900,6 +6629,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6667,90 @@ interface(`files_delete_all_pid_dirs',`
########################################
## <summary>
@@ -18686,7 +18723,7 @@ index ff006ea..c0f363c 100644
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -6042,7 +6855,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6893,7 @@ interface(`files_spool_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -18695,7 +18732,7 @@ index ff006ea..c0f363c 100644
')
########################################
-@@ -6117,3 +6930,302 @@ interface(`files_unconfined',`
+@@ -6117,3 +6968,303 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -18996,10 +19033,11 @@ index ff006ea..c0f363c 100644
+ attribute non_security_file_type;
+ ')
+
-+ allow $1 non_security_file_type:file_class_set unlink;
++ allow $1 non_security_file_type:dir del_entry_dir_perms;
++ allow $1 non_security_file_type:file_class_set delete_file_perms;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 22821ff..20251b0 100644
+index 22821ff..247583e 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -10,7 +10,9 @@ attribute files_unconfined_type;
@@ -19035,7 +19073,15 @@ index 22821ff..20251b0 100644
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;
-@@ -167,6 +178,7 @@ files_mountpoint(var_lib_t)
+@@ -96,6 +107,7 @@ files_type(lost_found_t)
+ # mnt_t is the type for mount points such as /mnt/cdrom
+ #
+ type mnt_t;
++files_type(mnt_t)
+ files_mountpoint(mnt_t)
+
+ #
+@@ -167,6 +179,7 @@ files_mountpoint(var_lib_t)
#
type var_lock_t;
files_lock_file(var_lock_t)
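Review bot: The added `files_type(mnt_t)` directly before `files_mountpoint(mnt_t)` looks redundant: in reference policy files_mountpoint() already applies files_type() to its argument, which is why the other mountpoint declarations in this file do not call it separately. Unless this tree's files_mountpoint() has been changed to drop that call, remove the added line; if it was added to work around a specific build error, a comment naming that error would keep it from being removed on the next rebase.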
@@ -19043,7 +19089,7 @@ index 22821ff..20251b0 100644
#
# var_run_t is the type of /var/run, usually
-@@ -181,6 +193,7 @@ files_mountpoint(var_run_t)
+@@ -181,6 +194,7 @@ files_mountpoint(var_run_t)
#
type var_spool_t;
files_tmp_file(var_spool_t)
@@ -23454,10 +23500,10 @@ index 0000000..5832252
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..a03e788
+index 0000000..4ca5160
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,446 @@
+@@ -0,0 +1,450 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -23796,7 +23842,11 @@ index 0000000..a03e788
+')
+
+optional_policy(`
++<<<<<<< HEAD
+ ncftool_run(unconfined_t, unconfined_r)
++=======
++ openshift_run(unconfined_usertype, unconfined_r)
++>>>>>>> 65dea3b... Changes needed by openshift policy
+')
+
+optional_policy(`
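Review bot: The lines `++<<<<<<< HEAD`, `++=======` and `++>>>>>>> 65dea3b... Changes needed by openshift policy` are unresolved merge-conflict markers being added to the patch, so applying policy-F16.patch writes them into unconfineduser.te and the policy build fails on them (the new inner hunk length `+1,450` even counts them as policy lines). Resolve the conflict so both rules survive: keep `ncftool_run(unconfined_t, unconfined_r)` inside the existing optional_policy block, close that block, and add a separate optional_policy block containing `openshift_run(unconfined_usertype, unconfined_r)`, matching how the other calls in this file are wrapped. The two sides also differ in the subject (`unconfined_t` versus `unconfined_usertype`); confirm which one openshift_run() expects in this tree before choosing.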
@@ -25462,7 +25512,7 @@ index deca9d3..ac92fce 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..51593ea 100644
+index 9e39aa5..726e9d6 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,21 +1,30 @@
@@ -25547,7 +25597,7 @@ index 9e39aa5..51593ea 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,26 +87,34 @@ ifdef(`distro_suse', `
+@@ -73,26 +87,36 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25561,6 +25611,8 @@ index 9e39aa5..51593ea 100644
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
++/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/openshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
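Review bot: The two new entries label `/var/lib/stickshift/.httpd.d` and `/var/lib/openshift/.httpd.d` as httpd_config_t, the type httpd_t treats as trusted configuration, whereas the neighbouring /var/lib entries only get content or var_lib types, and nothing in the hunk says which domain is expected to write these directories. A comment such as `# httpd config fragments under the openshift data root; written by the node tooling, not by gear content — TODO confirm` would let a reviewer check that user-owned data under /var/lib/openshift cannot end up with the config label. If the stickshift path is kept only for the old product name, saying so in the same comment avoids the entry being mistaken for a live path later.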
@@ -25584,7 +25636,7 @@ index 9e39aa5..51593ea 100644
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -105,7 +127,30 @@ ifdef(`distro_debian', `
+@@ -105,7 +129,30 @@ ifdef(`distro_debian', `
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -25616,7 +25668,7 @@ index 9e39aa5..51593ea 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..6ecc96d 100644
+index 6480167..eeb2953 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@@ -25808,7 +25860,7 @@ index 6480167..6ecc96d 100644
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -317,6 +317,25 @@ interface(`apache_domtrans',`
+@@ -317,6 +317,43 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -25831,10 +25883,28 @@ index 6480167..6ecc96d 100644
+ can_exec($1, httpd_exec_t)
+')
+
++######################################
++## <summary>
++## Allow any httpd_exec_t to be an entrypoint of this domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`apache_entrypoint',`
++ gen_require(`
++ type httpd_exec_t;
++ ')
++ allow $1 httpd_exec_t:file entrypoint;
++')
++
#######################################
## <summary>
## Send a generic signal to apache.
-@@ -405,7 +424,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -405,7 +442,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
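Review bot: The new `apache_entrypoint` interface grants `$1 httpd_exec_t:file entrypoint` on its own, which makes the httpd binary a valid entry into any calling domain but creates no transition, and the summary "Allow any httpd_exec_t to be an entrypoint of this domain" does not say that the caller must supply the domtrans/type_transition itself. Suggest rewording the summary to `## Allow httpd_exec_t to be used as an entrypoint into the specified domain; the caller must provide the corresponding domain transition.` The `<rolecap/>` tag is normally attached to interfaces that give a role a new run capability; it looks misplaced on an entrypoint-only interface, though I cannot confirm from this hunk how the doc tooling here treats it.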
@@ -25843,7 +25913,7 @@ index 6480167..6ecc96d 100644
')
########################################
-@@ -487,7 +506,7 @@ interface(`apache_setattr_cache_dirs',`
+@@ -487,7 +524,7 @@ interface(`apache_setattr_cache_dirs',`
type httpd_cache_t;
')
@@ -25852,7 +25922,7 @@ index 6480167..6ecc96d 100644
')
########################################
-@@ -531,6 +550,25 @@ interface(`apache_rw_cache_files',`
+@@ -531,6 +568,25 @@ interface(`apache_rw_cache_files',`
########################################
## <summary>
## Allow the specified domain to delete
@@ -25878,7 +25948,7 @@ index 6480167..6ecc96d 100644
## Apache cache.
## </summary>
## <param name="domain">
-@@ -549,6 +587,26 @@ interface(`apache_delete_cache_files',`
+@@ -549,6 +605,26 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
@@ -25905,7 +25975,7 @@ index 6480167..6ecc96d 100644
## Allow the specified domain to read
## apache configuration files.
## </summary>
-@@ -699,7 +757,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -699,7 +775,7 @@ interface(`apache_dontaudit_append_log',`
type httpd_log_t;
')
@@ -25914,7 +25984,7 @@ index 6480167..6ecc96d 100644
')
########################################
-@@ -745,6 +803,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -745,6 +821,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
## <summary>
@@ -25940,7 +26010,7 @@ index 6480167..6ecc96d 100644
## Allow the specified domain to list
## the contents of the apache modules
## directory.
-@@ -761,6 +838,7 @@ interface(`apache_list_modules',`
+@@ -761,6 +856,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -25948,7 +26018,7 @@ index 6480167..6ecc96d 100644
')
########################################
-@@ -802,6 +880,43 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -802,6 +898,43 @@ interface(`apache_domtrans_rotatelogs',`
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
@@ -25992,7 +26062,7 @@ index 6480167..6ecc96d 100644
########################################
## <summary>
## Allow the specified domain to list
-@@ -819,6 +934,7 @@ interface(`apache_list_sys_content',`
+@@ -819,6 +952,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -26000,7 +26070,7 @@ index 6480167..6ecc96d 100644
files_search_var($1)
')
-@@ -846,6 +962,74 @@ interface(`apache_manage_sys_content',`
+@@ -846,6 +980,74 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -26075,7 +26145,7 @@ index 6480167..6ecc96d 100644
########################################
## <summary>
## Execute all web scripts in the system
-@@ -862,7 +1046,12 @@ interface(`apache_manage_sys_content',`
+@@ -862,7 +1064,12 @@ interface(`apache_manage_sys_content',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
@@ -26089,7 +26159,7 @@ index 6480167..6ecc96d 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1110,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -921,9 +1128,10 @@ interface(`apache_domtrans_all_scripts',`
## </param>
## <param name="role">
## <summary>
@@ -26101,7 +26171,7 @@ index 6480167..6ecc96d 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -950,7 +1140,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -950,7 +1158,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -26110,7 +26180,7 @@ index 6480167..6ecc96d 100644
')
########################################
-@@ -1091,6 +1281,25 @@ interface(`apache_read_tmp_files',`
+@@ -1091,6 +1299,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -26136,7 +26206,7 @@ index 6480167..6ecc96d 100644
########################################
## <summary>
## Dontaudit attempts to write
-@@ -1107,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1107,7 +1334,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -26145,7 +26215,7 @@ index 6480167..6ecc96d 100644
')
########################################
-@@ -1150,12 +1359,6 @@ interface(`apache_cgi_domain',`
+@@ -1150,12 +1377,6 @@ interface(`apache_cgi_domain',`
## <summary>
## All of the rules required to administrate an apache environment
## </summary>
@@ -26158,7 +26228,7 @@ index 6480167..6ecc96d 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1170,17 +1373,15 @@ interface(`apache_cgi_domain',`
+@@ -1170,17 +1391,15 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
@@ -26181,7 +26251,7 @@ index 6480167..6ecc96d 100644
ps_process_pattern($1, httpd_t)
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1191,10 +1392,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1410,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -26194,7 +26264,7 @@ index 6480167..6ecc96d 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1406,91 @@ interface(`apache_admin',`
+@@ -1205,14 +1424,91 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -26292,7 +26362,7 @@ index 6480167..6ecc96d 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..fcccdde 100644
+index 3136c6a..7bb71e2 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,239 @@ policy_module(apache, 2.2.1)
@@ -26425,10 +26495,7 @@ index 3136c6a..fcccdde 100644
gen_tunable(httpd_can_sendmail, false)
+
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
+## <p>
+## Allow http daemon to connect to zabbix
+## </p>
@@ -26442,7 +26509,10 @@ index 3136c6a..fcccdde 100644
+## </desc>
+gen_tunable(httpd_can_check_spam, false)
+
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
@@ -27056,13 +27126,32 @@ index 3136c6a..fcccdde 100644
')
optional_policy(`
-@@ -577,6 +879,20 @@ optional_policy(`
+@@ -577,6 +879,39 @@ optional_policy(`
')
optional_policy(`
-+ passenger_domtrans(httpd_t)
-+ passenger_manage_pid_content(httpd_t)
-+ passenger_read_lib_files(httpd_t)
++ pwauth_domtrans(httpd_t)
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_stickshift', `
++ allow httpd_t self:capability { fowner fsetid sys_resource };
++ dontaudit httpd_t self:capability sys_ptrace;
++ allow httpd_t self:process setexec;
++ passenger_exec(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++ passenger_manage_lib_files(httpd_t)
++ files_dontaudit_getattr_all_files(httpd_t)
++ domain_dontaudit_read_all_domains_state(httpd_t)
++ domain_getpgid_all_domains(httpd_t)
++ openshift_read_lib_files(httpd_t)
++ ',`
++ passenger_domtrans(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++ passenger_read_lib_files(httpd_t)
++ passenger_stream_connect(httpd_t)
++ passenger_manage_tmp_files(httpd_t)
++ ')
+')
+
+optional_policy(`
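Review bot: The `httpd_run_stickshift` branch grants httpd_t `self:process setexec`, the `fowner fsetid sys_resource` capabilities and `domain_getpgid_all_domains`, and runs passenger inside httpd_t via `passenger_exec` instead of the `passenger_domtrans` transition the else branch keeps, with no comment on why the openshift deployment needs httpd itself to pick exec contexts and manage passenger lib files. A rationale above the tunable, e.g. `# openshift runs passenger in httpd_t and uses setexec to start gear processes in their own contexts — TODO confirm`, would let a reviewer judge the widening when the boolean is on. Keeping `openshift_read_lib_files(httpd_t)` in the same optional_policy as the passenger_* calls also means the whole block is silently dropped if either module is absent; wrapping the openshift call in its own optional_policy inside the tunable avoids that. The gen_tunable declaring httpd_run_stickshift is not in this hunk.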
@@ -27077,7 +27166,7 @@ index 3136c6a..fcccdde 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +907,11 @@ optional_policy(`
+@@ -591,6 +926,11 @@ optional_policy(`
')
optional_policy(`
@@ -27089,7 +27178,7 @@ index 3136c6a..fcccdde 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +924,12 @@ optional_policy(`
+@@ -603,6 +943,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -27102,7 +27191,7 @@ index 3136c6a..fcccdde 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +943,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +962,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -27115,7 +27204,7 @@ index 3136c6a..fcccdde 100644
########################################
#
-@@ -654,28 +985,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1004,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -27159,7 +27248,7 @@ index 3136c6a..fcccdde 100644
')
########################################
-@@ -685,6 +1018,8 @@ optional_policy(`
+@@ -685,6 +1037,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -27168,7 +27257,7 @@ index 3136c6a..fcccdde 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1034,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1053,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -27194,7 +27283,7 @@ index 3136c6a..fcccdde 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1080,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1099,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -27227,7 +27316,7 @@ index 3136c6a..fcccdde 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1127,25 @@ optional_policy(`
+@@ -769,6 +1146,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -27253,7 +27342,7 @@ index 3136c6a..fcccdde 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1166,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1185,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -27271,7 +27360,7 @@ index 3136c6a..fcccdde 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1185,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1204,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -27328,7 +27417,7 @@ index 3136c6a..fcccdde 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1236,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1255,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -27369,7 +27458,7 @@ index 3136c6a..fcccdde 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1281,20 @@ optional_policy(`
+@@ -842,10 +1300,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27390,7 +27479,7 @@ index 3136c6a..fcccdde 100644
')
########################################
-@@ -891,11 +1340,49 @@ optional_policy(`
+@@ -891,11 +1359,49 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -30537,7 +30626,7 @@ index 1f11572..9eb2461 100644
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..146313e 100644
+index f758323..d866dc3 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,23 @@
@@ -30671,16 +30760,17 @@ index f758323..146313e 100644
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +226,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +226,9 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
++corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_connect_clamd_port(freshclam_t)
+corenet_tcp_connect_squid_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,16 +246,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +247,18 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
@@ -30703,7 +30793,7 @@ index f758323..146313e 100644
########################################
#
# clamscam local policy
-@@ -242,15 +283,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +284,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
@@ -30737,7 +30827,7 @@ index f758323..146313e 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +323,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +324,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
@@ -32606,7 +32696,7 @@ index 2eefc08..6ea5693 100644
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..e3c2bf4 100644
+index 35241ed..52ca716 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -12,6 +12,11 @@
@@ -32687,17 +32777,18 @@ index 35241ed..e3c2bf4 100644
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -83,9 +99,6 @@ template(`cron_common_crontab_template',`
- dontaudit $1_t crond_t:process signal;
+@@ -84,8 +100,9 @@ template(`cron_common_crontab_template',`
')
-- optional_policy(`
+ optional_policy(`
- nscd_socket_use($1_t)
-- ')
++ openshift_dontaudit_rw_inherited_fifo_files($1_t)
+ ')
++
')
########################################
-@@ -102,10 +115,12 @@ template(`cron_common_crontab_template',`
+@@ -102,10 +119,12 @@ template(`cron_common_crontab_template',`
## User domain for the role
## </summary>
## </param>
@@ -32710,7 +32801,7 @@ index 35241ed..e3c2bf4 100644
')
role $1 types { cronjob_t crontab_t };
-@@ -116,9 +131,16 @@ interface(`cron_role',`
+@@ -116,9 +135,16 @@ interface(`cron_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
@@ -32728,7 +32819,7 @@ index 35241ed..e3c2bf4 100644
# Run helper programs as the user domain
#corecmd_bin_domtrans(crontab_t, $2)
-@@ -132,9 +154,8 @@ interface(`cron_role',`
+@@ -132,9 +158,8 @@ interface(`cron_role',`
')
dbus_stub(cronjob_t)
@@ -32739,7 +32830,7 @@ index 35241ed..e3c2bf4 100644
')
########################################
-@@ -151,29 +172,18 @@ interface(`cron_role',`
+@@ -151,29 +176,18 @@ interface(`cron_role',`
## User domain for the role
## </summary>
## </param>
@@ -32773,7 +32864,7 @@ index 35241ed..e3c2bf4 100644
optional_policy(`
gen_require(`
-@@ -181,9 +191,8 @@ interface(`cron_unconfined_role',`
+@@ -181,9 +195,8 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
@@ -32784,7 +32875,7 @@ index 35241ed..e3c2bf4 100644
')
########################################
-@@ -200,6 +209,7 @@ interface(`cron_unconfined_role',`
+@@ -200,6 +213,7 @@ interface(`cron_unconfined_role',`
## User domain for the role
## </summary>
## </param>
@@ -32792,7 +32883,7 @@ index 35241ed..e3c2bf4 100644
#
interface(`cron_admin_role',`
gen_require(`
-@@ -220,7 +230,7 @@ interface(`cron_admin_role',`
+@@ -220,7 +234,7 @@ interface(`cron_admin_role',`
# crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
@@ -32801,7 +32892,7 @@ index 35241ed..e3c2bf4 100644
# Run helper programs as the user domain
#corecmd_bin_domtrans(admin_crontab_t, $2)
-@@ -234,9 +244,8 @@ interface(`cron_admin_role',`
+@@ -234,9 +248,8 @@ interface(`cron_admin_role',`
')
dbus_stub(admin_cronjob_t)
@@ -32812,7 +32903,7 @@ index 35241ed..e3c2bf4 100644
')
########################################
-@@ -304,7 +313,7 @@ interface(`cron_exec',`
+@@ -304,7 +317,7 @@ interface(`cron_exec',`
########################################
## <summary>
@@ -32821,7 +32912,7 @@ index 35241ed..e3c2bf4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -322,6 +331,29 @@ interface(`cron_initrc_domtrans',`
+@@ -322,6 +335,29 @@ interface(`cron_initrc_domtrans',`
########################################
## <summary>
@@ -32851,7 +32942,7 @@ index 35241ed..e3c2bf4 100644
## Inherit and use a file descriptor
## from the cron daemon.
## </summary>
-@@ -359,6 +391,24 @@ interface(`cron_sigchld',`
+@@ -359,6 +395,24 @@ interface(`cron_sigchld',`
########################################
## <summary>
@@ -32876,7 +32967,7 @@ index 35241ed..e3c2bf4 100644
## Read a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
-@@ -377,6 +427,47 @@ interface(`cron_read_pipes',`
+@@ -377,6 +431,47 @@ interface(`cron_read_pipes',`
########################################
## <summary>
@@ -32924,7 +33015,7 @@ index 35241ed..e3c2bf4 100644
## Do not audit attempts to write cron daemon unnamed pipes.
## </summary>
## <param name="domain">
-@@ -390,6 +481,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +485,7 @@ interface(`cron_dontaudit_write_pipes',`
type crond_t;
')
@@ -32932,7 +33023,7 @@ index 35241ed..e3c2bf4 100644
dontaudit $1 crond_t:fifo_file write;
')
-@@ -408,7 +500,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +504,43 @@ interface(`cron_rw_pipes',`
type crond_t;
')
@@ -32977,7 +33068,7 @@ index 35241ed..e3c2bf4 100644
')
########################################
-@@ -468,6 +596,25 @@ interface(`cron_search_spool',`
+@@ -468,6 +600,25 @@ interface(`cron_search_spool',`
########################################
## <summary>
@@ -33003,7 +33094,7 @@ index 35241ed..e3c2bf4 100644
## Manage pid files used by cron
## </summary>
## <param name="domain">
-@@ -481,6 +628,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +632,7 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
@@ -33011,7 +33102,7 @@ index 35241ed..e3c2bf4 100644
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
-@@ -536,7 +684,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +688,7 @@ interface(`cron_write_system_job_pipes',`
type system_cronjob_t;
')
@@ -33020,7 +33111,7 @@ index 35241ed..e3c2bf4 100644
')
########################################
-@@ -554,7 +702,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +706,7 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
@@ -33029,7 +33120,7 @@ index 35241ed..e3c2bf4 100644
')
########################################
-@@ -587,11 +735,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +739,14 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -33045,7 +33136,7 @@ index 35241ed..e3c2bf4 100644
')
########################################
-@@ -627,7 +778,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +782,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
@@ -33094,7 +33185,7 @@ index 35241ed..e3c2bf4 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..9b5a52f 100644
+index f7583ab..f3efafd 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -33497,7 +33588,7 @@ index f7583ab..9b5a52f 100644
')
optional_policy(`
-@@ -472,6 +583,10 @@ optional_policy(`
+@@ -472,6 +583,14 @@ optional_policy(`
')
optional_policy(`
@@ -33505,10 +33596,14 @@ index f7583ab..9b5a52f 100644
+')
+
+optional_policy(`
++ openshift_transition(system_cronjob_t)
++')
++
++optional_policy(`
postfix_read_config(system_cronjob_t)
')
-@@ -480,7 +595,7 @@ optional_policy(`
+@@ -480,7 +599,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -33517,7 +33612,7 @@ index f7583ab..9b5a52f 100644
')
optional_policy(`
-@@ -495,6 +610,7 @@ optional_policy(`
+@@ -495,6 +614,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -33525,7 +33620,7 @@ index f7583ab..9b5a52f 100644
')
optional_policy(`
-@@ -502,7 +618,13 @@ optional_policy(`
+@@ -502,7 +622,13 @@ optional_policy(`
')
optional_policy(`
@@ -33539,7 +33634,7 @@ index f7583ab..9b5a52f 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +717,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +721,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -33960,7 +34055,7 @@ index 0000000..5a15b82
+ sysnet_domtrans_ifconfig(ctdbd_t)
+')
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
-index 1b492ed..c79454d 100644
+index 1b492ed..004c79a 100644
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
@@ -28,11 +28,8 @@
@@ -33975,7 +34070,7 @@ index 1b492ed..c79454d 100644
/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-@@ -56,6 +53,7 @@
+@@ -56,18 +53,27 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -33983,8 +34078,11 @@ index 1b492ed..c79454d 100644
/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
-@@ -64,10 +62,16 @@
+ /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+ /var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/hp(/.*)? gen_context(system_u:object_r:hplip_var_log_t,s0)
++
/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
@@ -34065,7 +34163,7 @@ index 305ddf4..173cd16 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..d9ca30f 100644
+index 0f28095..b3839be 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -34076,7 +34174,17 @@ index 0f28095..d9ca30f 100644
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
-@@ -123,6 +124,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -75,6 +76,9 @@ files_tmp_file(hplip_tmp_t)
+ type hplip_var_lib_t;
+ files_type(hplip_var_lib_t)
+
++type hplip_var_log_t;
++logging_log_file(hplip_var_log_t)
++
+ type hplip_var_run_t;
+ files_pid_file(hplip_var_run_t)
+
+@@ -123,6 +127,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -34084,7 +34192,7 @@ index 0f28095..d9ca30f 100644
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -137,6 +139,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+@@ -137,6 +142,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
allow cupsd_t cupsd_lock_t:file manage_file_perms;
files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
@@ -34092,7 +34200,7 @@ index 0f28095..d9ca30f 100644
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
-@@ -146,11 +149,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+@@ -146,11 +152,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
@@ -34107,7 +34215,7 @@ index 0f28095..d9ca30f 100644
allow cupsd_t hplip_t:process { signal sigkill };
-@@ -159,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+@@ -159,7 +166,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -34116,7 +34224,7 @@ index 0f28095..d9ca30f 100644
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
-@@ -211,6 +215,7 @@ mls_rangetrans_target(cupsd_t)
+@@ -211,6 +218,7 @@ mls_rangetrans_target(cupsd_t)
mls_socket_write_all_levels(cupsd_t)
mls_fd_use_all_levels(cupsd_t)
@@ -34124,7 +34232,7 @@ index 0f28095..d9ca30f 100644
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
-@@ -220,11 +225,13 @@ corecmd_exec_bin(cupsd_t)
+@@ -220,11 +228,13 @@ corecmd_exec_bin(cupsd_t)
domain_use_interactive_fds(cupsd_t)
@@ -34138,7 +34246,7 @@ index 0f28095..d9ca30f 100644
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
files_list_world_readable(cupsd_t)
-@@ -270,12 +277,6 @@ files_dontaudit_list_home(cupsd_t)
+@@ -270,12 +280,6 @@ files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
@@ -34151,7 +34259,7 @@ index 0f28095..d9ca30f 100644
optional_policy(`
apm_domtrans_client(cupsd_t)
')
-@@ -297,8 +298,10 @@ optional_policy(`
+@@ -297,8 +301,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -34162,7 +34270,7 @@ index 0f28095..d9ca30f 100644
')
')
-@@ -311,10 +314,22 @@ optional_policy(`
+@@ -311,10 +317,22 @@ optional_policy(`
')
optional_policy(`
@@ -34185,7 +34293,7 @@ index 0f28095..d9ca30f 100644
mta_send_mail(cupsd_t)
')
-@@ -322,6 +337,8 @@ optional_policy(`
+@@ -322,6 +340,8 @@ optional_policy(`
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -34194,7 +34302,7 @@ index 0f28095..d9ca30f 100644
')
optional_policy(`
-@@ -371,8 +388,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +391,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -34205,7 +34313,7 @@ index 0f28095..d9ca30f 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -393,6 +411,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +414,10 @@ dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
@@ -34216,7 +34324,7 @@ index 0f28095..d9ca30f 100644
files_search_all_mountpoints(cupsd_config_t)
-@@ -425,11 +447,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +450,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -34230,7 +34338,7 @@ index 0f28095..d9ca30f 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +475,10 @@ optional_policy(`
+@@ -453,6 +478,10 @@ optional_policy(`
')
optional_policy(`
@@ -34241,7 +34349,7 @@ index 0f28095..d9ca30f 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +493,10 @@ optional_policy(`
+@@ -467,6 +496,10 @@ optional_policy(`
')
optional_policy(`
@@ -34252,7 +34360,7 @@ index 0f28095..d9ca30f 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -537,6 +567,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +570,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -34260,7 +34368,7 @@ index 0f28095..d9ca30f 100644
dev_read_urand(cupsd_lpd_t)
dev_read_rand(cupsd_lpd_t)
-@@ -587,13 +618,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,13 +621,17 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -34280,7 +34388,7 @@ index 0f28095..d9ca30f 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +641,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +644,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(cups_pdf_t)
')
@@ -34291,16 +34399,22 @@ index 0f28095..d9ca30f 100644
########################################
#
# HPLIP local policy
-@@ -639,7 +678,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -638,8 +680,13 @@ files_search_etc(hplip_t)
+ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
++manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++logging_log_filetrans(hplip_t,hplip_var_log_t,{ dirs fifo_file file })
++
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +724,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +732,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
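Review bot: `logging_log_filetrans(hplip_t,hplip_var_log_t,{ dirs fifo_file file })` names an object class `dirs`, which does not exist in the policy; the class is `dir`. As written, the type_transition this expands to should be rejected by checkmodule as an unknown class, and if it somehow built, directories hplip creates under /var/log would stay var_log_t instead of hplip_var_log_t, leaving the new manage_dirs_pattern rule with nothing to apply to. I would change it to `logging_log_filetrans(hplip_t, hplip_var_log_t, { dir fifo_file file })`, matching the argument spacing of the surrounding calls. The `logging_log_file(hplip_var_log_t)` declaration this relies on is not in this hunk, so I could not confirm it is present; the hplip_t block continues beyond the hunk on both sides.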
@@ -34308,7 +34422,7 @@ index 0f28095..d9ca30f 100644
logging_send_syslog_msg(hplip_t)
-@@ -695,9 +735,12 @@ sysnet_read_config(hplip_t)
+@@ -695,9 +743,12 @@ sysnet_read_config(hplip_t)
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -44678,10 +44792,10 @@ index b681608..0934c95 100644
kernel_read_kernel_sysctls(memcached_t)
kernel_read_system_state(memcached_t)
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
-index 55a3e2f..bc489e0 100644
+index 55a3e2f..c453b2b 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
-@@ -1,10 +1,15 @@
+@@ -1,10 +1,16 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
@@ -44692,6 +44806,7 @@ index 55a3e2f..bc489e0 100644
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
++/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
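Review bot: Labelling `/var/lib/sqlgrey(/.*)?` as greylist_milter_data_t makes sqlgrey's state share a type with milter-greylist's, so whichever domain manages greylist_milter_data_t can write both daemons' data. That is fine only if sqlgrey itself runs in the greylist milter domain, which this hunk does not show; if it runs in its own domain, a dedicated type would keep the two services' data apart. If the shared type is intended, a one-line comment above the entry, `# sqlgrey runs in the greylist milter domain and shares its data type`, would save the next reader the question.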
@@ -46205,7 +46320,7 @@ index 343cee3..4099451 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..705498f 100644
+index 64268e4..cdeb21e 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -46383,7 +46498,7 @@ index 64268e4..705498f 100644
smartmon_read_tmp_files(system_mail_t)
')
-@@ -199,15 +209,16 @@ optional_policy(`
+@@ -199,15 +209,20 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@@ -46396,6 +46511,10 @@ index 64268e4..705498f 100644
')
')
++optional_policy(`
++ openshift_rw_inherited_content(mta_user_agent)
++')
++
+ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(user_mail_domain)
+ domain_dontaudit_leaks(mta_user_agent)
@@ -46404,7 +46523,7 @@ index 64268e4..705498f 100644
########################################
#
# Mailserver delivery local policy
-@@ -220,7 +231,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +235,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -46414,7 +46533,7 @@ index 64268e4..705498f 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -242,6 +254,10 @@ optional_policy(`
+@@ -242,6 +258,10 @@ optional_policy(`
')
optional_policy(`
@@ -46425,7 +46544,7 @@ index 64268e4..705498f 100644
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
-@@ -249,16 +265,25 @@ optional_policy(`
+@@ -249,16 +269,25 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -46453,7 +46572,7 @@ index 64268e4..705498f 100644
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -277,14 +302,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+@@ -277,14 +306,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
# files in an appropriate place for mta_user_agent
userdom_read_user_tmp_files(mta_user_agent)
@@ -46470,7 +46589,7 @@ index 64268e4..705498f 100644
# Read user temporary files.
# postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files(user_mail_t)
-@@ -292,3 +317,114 @@ optional_policy(`
+@@ -292,3 +321,114 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -49703,6 +49822,987 @@ index 7f8fdc2..047d985 100644
optional_policy(`
seutil_sigchld_newrole(openct_t)
+diff --git a/policy/modules/services/openshift-origin.fc b/policy/modules/services/openshift-origin.fc
+new file mode 100644
+index 0000000..30ca148
+--- /dev/null
++++ b/policy/modules/services/openshift-origin.fc
+@@ -0,0 +1 @@
++# Left Blank
+diff --git a/policy/modules/services/openshift-origin.if b/policy/modules/services/openshift-origin.if
+new file mode 100644
+index 0000000..3eb6a30
+--- /dev/null
++++ b/policy/modules/services/openshift-origin.if
+@@ -0,0 +1 @@
++## <summary></summary>
+diff --git a/policy/modules/services/openshift-origin.te b/policy/modules/services/openshift-origin.te
+new file mode 100644
+index 0000000..966d0b3
+--- /dev/null
++++ b/policy/modules/services/openshift-origin.te
+@@ -0,0 +1,14 @@
++policy_module(openshift-origin,1.0.0)
++gen_require(`
++ attribute openshift_domain;
++')
++
++########################################
++#
++# openshift origin standard local policy
++#
++allow openshift_domain self:socket_class_set create_socket_perms;
++corenet_tcp_connect_all_ports(openshift_domain)
++corenet_tcp_bind_all_ports(openshift_domain)
++dev_read_sysfs(openshift_domain)
++files_read_config_files(openshift_domain)
+diff --git a/policy/modules/services/openshift.fc b/policy/modules/services/openshift.fc
+new file mode 100644
+index 0000000..fdff8eb
+--- /dev/null
++++ b/policy/modules/services/openshift.fc
+@@ -0,0 +1,22 @@
++/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++
++/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
++/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
++/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
++/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
++
++/var/lib/stickshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
++/var/lib/stickshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
++/var/lib/openshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
++/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
++
++/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0)
++
++/usr/bin/rhc-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
++
++/usr/bin/rhc-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/usr/bin/rhc-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
++
++/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
++/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
+diff --git a/policy/modules/services/openshift.if b/policy/modules/services/openshift.if
+new file mode 100644
+index 0000000..681f8a0
+--- /dev/null
++++ b/policy/modules/services/openshift.if
+@@ -0,0 +1,556 @@
++
++## <summary> policy for openshift </summary>
++
++########################################
++## <summary>
++## Execute openshift server in the openshift domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`openshift_initrc_domtrans',`
++ gen_require(`
++ type openshift_initrc_t;
++ type openshift_initrc_exec_t;
++ ')
++
++ domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
++')
++
++########################################
++## <summary>
++## Search openshift cache directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_search_cache',`
++ gen_require(`
++ type openshift_cache_t;
++ ')
++
++ allow $1 openshift_cache_t:dir search_dir_perms;
++ files_search_var($1)
++')
++
++########################################
++## <summary>
++## Read openshift cache files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_read_cache_files',`
++ gen_require(`
++ type openshift_cache_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, openshift_cache_t, openshift_cache_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete
++## openshift cache files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_manage_cache_files',`
++ gen_require(`
++ type openshift_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, openshift_cache_t, openshift_cache_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete
++## openshift cache dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_manage_cache_dirs',`
++ gen_require(`
++ type openshift_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, openshift_cache_t, openshift_cache_t)
++')
++
++
++########################################
++## <summary>
++## Allow the specified domain to read openshift's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`openshift_read_log',`
++ gen_require(`
++ type openshift_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, openshift_log_t, openshift_log_t)
++')
++
++########################################
++## <summary>
++## Allow the specified domain to append
++## openshift log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`openshift_append_log',`
++ gen_require(`
++ type openshift_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, openshift_log_t, openshift_log_t)
++')
++
++########################################
++## <summary>
++## Allow domain to manage openshift log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`openshift_manage_log',`
++ gen_require(`
++ type openshift_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
++ manage_files_pattern($1, openshift_log_t, openshift_log_t)
++ manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
++')
++
++########################################
++## <summary>
++## Search openshift lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_search_lib',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ allow $1 openshift_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read openshift lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_read_lib_files',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++########################################
++## <summary>
++## Read openshift lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_append_lib_files',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete
++## openshift lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_manage_lib_files',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage openshift lib dirs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_manage_lib_dirs',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++
++########################################
++## <summary>
++## Read openshift PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_read_pid_files',`
++ gen_require(`
++ type openshift_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 openshift_var_run_t:file read_file_perms;
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an openshift environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`openshift_admin',`
++ gen_require(`
++ type openshift_t;
++ type openshift_initrc_exec_t;
++ type openshift_cache_t;
++ type openshift_log_t;
++ type openshift_var_lib_t;
++ type openshift_var_run_t;
++ ')
++
++ allow $1 openshift_t:process { ptrace signal_perms };
++ ps_process_pattern($1, openshift_t)
++
++ openshift_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 openshift_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var($1)
++ admin_pattern($1, openshift_cache_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, openshift_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, openshift_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, openshift_var_run_t)
++
++')
++
++########################################
++## <summary>
++## Make the specified type usable as a openshift domain.
++## </summary>
++## <param name="openshiftdomain_prefix">
++## <summary>
++## The prefix of the domain (e.g., openshift
++## is the prefix for openshift_t).
++## </summary>
++## </param>
++#
++template(`openshift_service_domain_template',`
++ gen_require(`
++ attribute openshift_domain;
++ attribute openshift_user_domain;
++ ')
++
++ type $1_t;
++ typeattribute $1_t openshift_domain, openshift_user_domain;
++ domain_type($1_t)
++ role system_r types $1_t;
++ mcs_untrusted_proc($1_t)
++ domain_user_exemption_target($1_t)
++ auth_use_nsswitch($1_t)
++ domain_subj_id_change_exemption($1_t)
++ domain_obj_id_change_exemption($1_t)
++ domain_dyntrans_type($1_t)
++
++ kernel_read_system_state($1_t)
++
++ logging_send_syslog_msg($1_t)
++
++ type $1_app_t;
++ typeattribute $1_app_t openshift_domain;
++ domain_type($1_app_t)
++ role system_r types $1_app_t;
++ mcs_untrusted_proc($1_app_t)
++ domain_user_exemption_target($1_app_t)
++ domain_obj_id_change_exemption($1_app_t)
++ domain_dyntrans_type($1_app_t)
++
++ kernel_read_system_state($1_app_t)
++
++ logging_send_syslog_msg($1_app_t)
++')
++
++########################################
++## <summary>
++## Make the specified type usable as a openshift domain.
++## </summary>
++## <param name="type">
++## <summary>
++## Type to be used as a openshift domain type.
++## </summary>
++## </param>
++#
++template(`openshift_net_type',`
++ gen_require(`
++ attribute openshift_net_domain;
++ ')
++
++ typeattribute $1 openshift_net_domain;
++')
++
++########################################
++## <summary>
++## Read and write inherited openshift files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_rw_inherited_content',`
++ gen_require(`
++ attribute openshift_file_type;
++ ')
++
++ allow $1 openshift_file_type:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++## Manage openshift tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_manage_tmp_files',`
++ gen_require(`
++ type openshift_tmp_t;
++ ')
++
++ manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
++')
++
++########################################
++## <summary>
++## Manage openshift tmp sockets.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_manage_tmp_sockets',`
++ gen_require(`
++ type openshift_tmp_t;
++ ')
++
++ manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
++')
++
++########################################
++## <summary>
++## Mounton openshift tmp directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_mounton_tmp',`
++ gen_require(`
++ type openshift_tmp_t;
++ ')
++
++ allow $1 openshift_tmp_t:dir mounton;
++')
++
++########################################
++## <summary>
++## Dontaudit Read and write inherited script fifo files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_dontaudit_rw_inherited_fifo_files',`
++ gen_require(`
++ type openshift_initrc_t;
++ ')
++
++ dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++## <summary>
++## Allow calling app to transition to an openshift domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`openshift_transition',`
++ gen_require(`
++ attribute openshift_user_domain;
++ ')
++
++ allow $1 openshift_user_domain:process transition;
++ dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
++ allow openshift_user_domain $1:fd use;
++ allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
++ allow openshift_user_domain $1:process sigchld;
++ dontaudit $1 openshift_user_domain:socket_class_set { read write };
++')
++
++########################################
++## <summary>
++## Allow calling app to transition to an openshift domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`openshift_dyntransition',`
++ gen_require(`
++ attribute openshift_domain;
++ attribute openshift_user_domain;
++ ')
++
++ allow $1 openshift_user_domain:process dyntransition;
++ dontaudit openshift_user_domain $1:key view;
++ allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
++ allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
++ allow $1 openshift_user_domain:process { rlimitinh signal };
++ dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
++')
++
++########################################
++## <summary>
++## Execute openshift in the openshift domain, and
++## allow the specified role the openshift domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++#
++interface(`openshift_run',`
++ gen_require(`
++ type openshift_initrc_exec_t;
++ ')
++
++ openshift_initrc_domtrans($1)
++ role_transition $2 openshift_initrc_exec_t system_r;
++ openshift_transition($1)
++')
+diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te
+new file mode 100644
+index 0000000..91c558e
+--- /dev/null
++++ b/policy/modules/services/openshift.te
+@@ -0,0 +1,351 @@
++policy_module(openshift,1.0.0)
++
++gen_require(`
++ role system_r;
++')
++
++########################################
++#
++# Declarations
++#
++
++# openshift applications that can use the network.
++attribute openshift_net_domain;
++# Attribute representing all openshift user processes (excludes apache processes)
++attribute openshift_user_domain;
++# Attribute representing all openshift processes
++attribute openshift_domain;
++
++# Attribute for all openshift content
++attribute openshift_file_type;
++
++# Type of openshift init script
++type openshift_initrc_t;
++type openshift_initrc_exec_t;
++init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t)
++init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
++oddjob_system_entry(openshift_initrc_t, openshift_initrc_exec_t)
++domain_obj_id_change_exemption(openshift_initrc_t)
++
++type openshift_initrc_tmp_t;
++files_tmp_file(openshift_initrc_tmp_t)
++
++type openshift_tmp_t, openshift_file_type;
++files_tmp_file(openshift_tmp_t)
++files_mountpoint(openshift_tmp_t)
++files_poly(openshift_tmp_t)
++files_poly_parent(openshift_tmp_t)
++
++type openshift_var_run_t;
++files_pid_file(openshift_var_run_t)
++
++type openshift_var_lib_t, openshift_file_type;
++files_poly(openshift_var_lib_t)
++files_poly_parent(openshift_var_lib_t)
++
++type openshift_rw_file_t, openshift_file_type;
++files_poly(openshift_rw_file_t)
++files_poly_parent(openshift_rw_file_t)
++
++type openshift_log_t;
++logging_log_file(openshift_log_t)
++
++type openshift_port_t;
++corenet_port(openshift_port_t)
++corenet_reserved_port(openshift_port_t)
++
++type openshift_cgroup_read_t;
++type openshift_cgroup_read_exec_t;
++application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
++
++########################################
++#
++# Template to create openshift_t and openshift_app_t
++#
++openshift_service_domain_template(openshift)
++
++########################################
++#
++# openshift initrc local policy
++#
++unconfined_domain_noaudit(openshift_initrc_t)
++mcs_process_set_categories(openshift_initrc_t)
++
++manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
++manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
++manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
++files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir })
++
++manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
++manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
++manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
++files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir })
++
++manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
++manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
++logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir })
++
++allow openshift_initrc_t openshift_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow openshift_domain openshift_initrc_t:fd use;
++allow openshift_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++allow openshift_domain openshift_initrc_t:process sigchld;
++dontaudit openshift_domain openshift_initrc_t:key view;
++dontaudit openshift_domain openshift_initrc_t:process signull;
++dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write };
++
++#######################################################
++#
++# Policy for all openshift domains
++#
++allow openshift_domain self:process all_process_perms;
++allow openshift_domain self:msg all_msg_perms;
++allow openshift_domain self:msgq create_msgq_perms;
++allow openshift_domain self:shm create_shm_perms;
++allow openshift_domain self:sem create_sem_perms;
++dontaudit openshift_domain self:dir write;
++
++dontaudit openshift_domain self:netlink_tcpdiag_socket create;
++allow openshift_domain self:tcp_socket create_stream_socket_perms;
++allow openshift_domain self:fifo_file manage_fifo_file_perms;
++allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto };
++allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto };
++dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay };
++
++manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++allow openshift_domain openshift_rw_file_t:dir_file_class_set { relabelfrom relabelto };
++
++list_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++read_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++rw_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++rw_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++read_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++allow openshift_domain openshift_file_type:file execmod;
++can_exec(openshift_domain, openshift_file_type)
++allow openshift_domain openshift_file_type:file entrypoint;
++# Allow users to execute files in their home dir
++allow openshift_domain openshift_file_type:file { execute execute_no_trans };
++
++# Dontaudit openshift domains trying to search other openshift domains directories,
++# this happens just when users are probing the system
++dontaudit openshift_domain openshift_file_type:dir search_dir_perms
++;
++
++manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++files_tmp_filetrans(openshift_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file })
++allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto };
++
++allow openshift_domain openshift_log_t:file { getattr append lock ioctl };
++
++#lsof
++allow openshift_domain openshift_initrc_t:tcp_socket getattr;
++
++dontaudit openshift_domain openshift_initrc_tmp_t:file append;
++dontaudit openshift_domain openshift_var_run_t:file append;
++dontaudit openshift_domain openshift_file_type:sock_file execute;
++
++kernel_read_network_state(openshift_domain)
++kernel_dontaudit_list_all_proc(openshift_domain)
++kernel_dontaudit_list_all_sysctls(openshift_domain)
++kernel_dontaudit_request_load_module(openshift_domain)
++kernel_get_sysvipc_info(openshift_domain)
++
++corecmd_shell_entry_type(openshift_domain)
++corecmd_bin_entry_type(openshift_domain)
++corecmd_exec_all_executables(openshift_domain)
++
++dev_list_sysfs(openshift_domain)
++dev_read_rand(openshift_domain)
++dev_dontaudit_append_rand(openshift_domain)
++dev_dontaudit_write_urand(openshift_domain)
++dev_dontaudit_getattr_all_blk_files(openshift_domain)
++dev_dontaudit_getattr_all_chr_files(openshift_domain)
++
++domain_use_interactive_fds(openshift_domain)
++domain_dontaudit_read_all_domains_state(openshift_domain)
++
++files_read_var_lib_symlinks(openshift_domain)
++
++fs_rw_hugetlbfs_files(openshift_domain)
++fs_rw_anon_inodefs_files(openshift_domain)
++fs_search_tmpfs(openshift_domain)
++fs_getattr_xattr_fs(openshift_domain)
++fs_dontaudit_getattr_all_fs(openshift_domain)
++fs_list_inotifyfs(openshift_domain)
++fs_dontaudit_list_auto_mountpoints(openshift_domain)
++fs_dontaudit_list_tmpfs(openshift_domain)
++storage_dontaudit_getattr_fixed_disk_dev(openshift_domain)
++storage_getattr_fixed_disk_dev(openshift_domain)
++fs_get_xattr_fs_quotas(openshift_domain)
++fs_rw_inherited_tmpfs_files(openshift_domain)
++fs_dontaudit_rw_anon_inodefs_files(openshift_domain)
++
++dontaudit openshift_domain file_type:dir read;
++files_dontaudit_list_home(openshift_domain)
++files_dontaudit_search_all_pids(openshift_domain)
++files_dontaudit_getattr_all_dirs(openshift_domain)
++files_dontaudit_getattr_all_files(openshift_domain)
++files_dontaudit_list_mnt(openshift_domain)
++files_dontaudit_list_var(openshift_domain)
++files_dontaudit_getattr_lost_found_dirs(openshift_domain)
++files_dontaudit_search_all_mountpoints(openshift_domain)
++files_dontaudit_search_spool(openshift_domain)
++files_dontaudit_search_all_dirs(openshift_domain)
++files_dontaudit_list_var(openshift_domain)
++files_read_etc_files(openshift_domain)
++files_exec_etc_files(openshift_domain)
++files_read_usr_files(openshift_domain)
++files_exec_usr_files(openshift_domain)
++files_dontaudit_getattr_non_security_sockets(openshift_domain)
++files_dontaudit_setattr_non_security_dirs(openshift_domain)
++files_dontaudit_setattr_non_security_files(openshift_domain)
++
++libs_exec_lib_files(openshift_domain)
++libs_exec_ld_so(openshift_domain)
++
++term_use_ptmx(openshift_domain)
++
++selinux_validate_context(openshift_domain)
++
++logging_inherit_append_all_logs(openshift_domain)
++
++init_dontaudit_read_utmp(openshift_domain)
++
++miscfiles_read_fonts(openshift_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)
++
++mta_dontaudit_read_spool_symlinks(openshift_domain)
++
++term_dontaudit_search_ptys(openshift_domain)
++term_use_ptmx(openshift_domain)
++
++userdom_use_inherited_user_ptys(openshift_domain)
++userdom_dontaudit_search_admin_dir(openshift_domain)
++
++application_exec(openshift_domain)
++
++optional_policy(`
++ apache_exec_modules(openshift_domain)
++ apache_list_modules(openshift_domain)
++ apache_read_config(openshift_domain)
++ apache_search_config(openshift_domain)
++ apache_read_sys_content(openshift_domain)
++ apache_exec_sys_script(openshift_domain)
++ apache_entrypoint(openshift_domain)
++
++ #############################################
++ #
++ # openshift cgi script policy
++ #
++ apache_content_template(openshift)
++ domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
++ optional_policy(`
++ dbus_system_bus_client(httpd_openshift_script_t)
++ optional_policy(`
++ oddjob_dbus_chat(httpd_openshift_script_t)
++ oddjob_dontaudit_rw_fifo_file(openshift_domain)
++ ')
++ ')
++')
++
++optional_policy(`
++ cron_role(system_r, openshift_domain)
++')
++
++optional_policy(`
++ gpg_entry_type(openshift_domain)
++')
++
++optional_policy(`
++ mysql_search_db(openshift_domain)
++')
++
++optional_policy(`
++ ssh_use_ptys(openshift_domain)
++ ssh_getattr_user_home_dir(openshift_domain)
++ ssh_dontaudit_search_user_home_dir(openshift_domain)
++')
++
++#######################################################
++#
++# Policy for openshift user domain process
++#
++manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto };
++
++allow openshift_user_domain openshift_domain:process transition;
++allow openshift_domain openshift_user_domain:fd use;
++allow openshift_domain openshift_user_domain:fifo_file rw_inherited_fifo_file_perms;
++allow openshift_domain openshift_user_domain:process sigchld;
++dontaudit openshift_domain openshift_user_domain:key view;
++dontaudit openshift_domain openshift_user_domain:process signull;
++dontaudit openshift_domain openshift_user_domain:socket_class_set { read write };
++
++allow openshift_user_domain openshift_domain:process ptrace;
++
++############################################################################
++#
++# Rules specific to openshift and openshift_app_t
++#
++kernel_read_vm_sysctls(openshift_t)
++kernel_read_vm_sysctls(openshift_app_t)
++kernel_search_vm_sysctl(openshift_t)
++kernel_search_vm_sysctl(openshift_app_t)
++netutils_domtrans_ping(openshift_t)
++netutils_kill_ping(openshift_t)
++netutils_signal_ping(openshift_t)
++
++openshift_net_type(openshift_app_t)
++openshift_net_type(openshift_t)
++
++optional_policy(`
++ postfix_rw_public_pipes(openshift_t)
++ postfix_manage_spool_maildrop_files(openshift_t)
++')
++
++########################################
++#
++# openshift_cgroup_read local policy
++#
++
++allow openshift_cgroup_read_t self:process { getattr signal_perms };
++allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms;
++allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
++allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++
++ssh_dontaudit_use_ptys(openshift_cgroup_read_t)
++
++corecmd_exec_bin(openshift_cgroup_read_t)
++
++dev_read_urand(openshift_cgroup_read_t)
++
++domain_use_interactive_fds(openshift_cgroup_read_t)
++
++files_read_etc_files(openshift_cgroup_read_t)
++
++fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
++
++userdom_use_inherited_user_ptys(openshift_cgroup_read_t)
++
++miscfiles_read_generic_certs(openshift_cgroup_read_t)
++
++domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t)
++role system_r types openshift_cgroup_read_t;
++
++allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
++
++fs_read_cgroup_files(openshift_cgroup_read_t)
++
++allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
++read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8b550f4..3075607 100644
--- a/policy/modules/services/openvpn.te
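Review bot: openshift-origin.te grants every openshift_domain `self:socket_class_set create_socket_perms` together with `corenet_tcp_connect_all_ports` and `corenet_tcp_bind_all_ports`, which silently overrides the deliberately narrow socket rules in openshift.te (only tcp_socket and unix sockets are allowed there, while creation of netlink_tcpdiag_socket and netlink_audit_socket is merely dontaudited, and an allow in the origin module wins over a dontaudit) and sidesteps the openshift_net_domain attribute that openshift.te declares as the network gate but never attaches a rule to anywhere in this hunk. I would scope the origin rules to openshift_net_domain and list the socket classes gears actually need, e.g. `allow openshift_net_domain self:{ tcp_socket udp_socket } create_socket_perms;` (raw and packet sockets would additionally need capabilities that are not granted here, but netlink sockets need none). Separately, `domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)` lets the web-script domain enter openshift_initrc_t, which is `unconfined_domain_noaudit`, so rhc-restorer is a complete escape from web-app confinement and should carry a comment naming that trust boundary (`# openshift_initrc_t is unconfined: rhc-restorer must validate everything it receives from the httpd script domain`); note too that `/usr/bin/rhc-restorer-wrapper.sh` is the only .fc entry labelled with `unconfined_u` rather than `system_u`. Cross-gear isolation rests entirely on MCS (`mcs_untrusted_proc` in the template), because openshift_domain may read, execute and execmod all openshift_file_type and openshift_user_domain may ptrace any openshift_domain process (subject only to whatever MCS constraint applies to ptrace), and the `dontaudit openshift_domain openshift_file_type:dir search_dir_perms` rule means a tenant probing other gears' directories leaves no audit trail, which deserves an explicit comment and a second look at the ptrace rule. Minor: `term_use_ptmx` and `files_dontaudit_list_var` are each applied twice to openshift_domain, the semicolon of that dontaudit search rule sits on a line of its own, and `openshift_append_lib_files` reuses the summary text of `openshift_read_lib_files`.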
@@ -51976,7 +53076,7 @@ index a3e85c9..c0e0959 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..76b68b5 100644
+index 46bee12..43581ae 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,11 +34,13 @@ template(`postfix_domain_template',`
@@ -52038,7 +53138,33 @@ index 46bee12..76b68b5 100644
')
########################################
-@@ -272,7 +277,8 @@ interface(`postfix_read_local_state',`
+@@ -257,6 +262,25 @@ interface(`postfix_rw_local_pipes',`
+ allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
+ ')
+
++######################################
++## <summary>
++## Allow read/write postfix public pipes
++## TCP sockets.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postfix_rw_public_pipes',`
++ gen_require(`
++ type postfix_public_t;
++ ')
++
++ allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Allow domain to read postfix local process state
+@@ -272,7 +296,8 @@ interface(`postfix_read_local_state',`
type postfix_local_t;
')
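Review bot: The summary of the new `postfix_rw_public_pipes` interface reads "Allow read/write postfix public pipes TCP sockets." while the body only grants `allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;`; the "TCP sockets." line looks like a copy-paste leftover and misdocuments what the caller receives. Suggest collapsing the summary to the single line `## Allow read/write postfix public pipes.` so the XML doc matches the grant. This interface is what openshift_t is given in the openshift.te hunk near the top of this diff, so anyone auditing that domain's reach will rely on the summary being accurate.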
@@ -52048,7 +53174,7 @@ index 46bee12..76b68b5 100644
')
########################################
-@@ -290,7 +296,27 @@ interface(`postfix_read_master_state',`
+@@ -290,7 +315,27 @@ interface(`postfix_read_master_state',`
type postfix_master_t;
')
@@ -52077,7 +53203,7 @@ index 46bee12..76b68b5 100644
')
########################################
-@@ -376,6 +402,25 @@ interface(`postfix_domtrans_master',`
+@@ -376,6 +421,25 @@ interface(`postfix_domtrans_master',`
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
@@ -52103,7 +53229,7 @@ index 46bee12..76b68b5 100644
########################################
## <summary>
## Execute the master postfix program in the
-@@ -404,7 +449,6 @@ interface(`postfix_exec_master',`
+@@ -404,7 +468,6 @@ interface(`postfix_exec_master',`
## Domain allowed access.
## </summary>
## </param>
@@ -52111,7 +53237,7 @@ index 46bee12..76b68b5 100644
#
interface(`postfix_stream_connect_master',`
gen_require(`
-@@ -416,6 +460,24 @@ interface(`postfix_stream_connect_master',`
+@@ -416,6 +479,24 @@ interface(`postfix_stream_connect_master',`
########################################
## <summary>
@@ -52136,7 +53262,7 @@ index 46bee12..76b68b5 100644
## Execute the master postdrop in the
## postfix_postdrop domain.
## </summary>
-@@ -462,7 +524,7 @@ interface(`postfix_domtrans_postqueue',`
+@@ -462,7 +543,7 @@ interface(`postfix_domtrans_postqueue',`
## </summary>
## </param>
#
@@ -52145,7 +53271,7 @@ index 46bee12..76b68b5 100644
gen_require(`
type postfix_postqueue_exec_t;
')
-@@ -529,6 +591,25 @@ interface(`postfix_domtrans_smtp',`
+@@ -529,6 +610,25 @@ interface(`postfix_domtrans_smtp',`
########################################
## <summary>
@@ -52171,7 +53297,7 @@ index 46bee12..76b68b5 100644
## Search postfix mail spool directories.
## </summary>
## <param name="domain">
-@@ -539,10 +620,10 @@ interface(`postfix_domtrans_smtp',`
+@@ -539,10 +639,10 @@ interface(`postfix_domtrans_smtp',`
#
interface(`postfix_search_spool',`
gen_require(`
@@ -52184,7 +53310,7 @@ index 46bee12..76b68b5 100644
files_search_spool($1)
')
-@@ -558,10 +639,10 @@ interface(`postfix_search_spool',`
+@@ -558,10 +658,10 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
@@ -52197,7 +53323,7 @@ index 46bee12..76b68b5 100644
files_search_spool($1)
')
-@@ -577,11 +658,11 @@ interface(`postfix_list_spool',`
+@@ -577,11 +677,11 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -52211,7 +53337,7 @@ index 46bee12..76b68b5 100644
')
########################################
-@@ -596,11 +677,11 @@ interface(`postfix_read_spool_files',`
+@@ -596,11 +696,31 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -52222,10 +53348,30 @@ index 46bee12..76b68b5 100644
files_search_spool($1)
- manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
++')
++
++######################################
++## <summary>
++## Create, read, write, and delete postfix maildrop spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postfix_manage_spool_maildrop_files',`
++ gen_require(`
++ type postfix_spool_maildrop_t;
++ ')
++
++ files_search_spool($1)
++ manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++ manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
')
########################################
-@@ -621,3 +702,125 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +741,125 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
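Review bot: The new `postfix_manage_spool_maildrop_files` interface grants `manage_dirs_pattern` as well as `manage_files_pattern` on `postfix_spool_maildrop_t`, but its summary only mentions files; a caller can therefore also create, rename and delete maildrop directories, and rewrite or delete mail queued by any other user in that spool. The caller added in this diff is openshift_t (openshift.te hunk at the top), whereas sendmail_t in the sendmail.te hunk below submits mail by transitioning via `postfix_domtrans_postdrop`, so if openshift genuinely needs direct write access to the maildrop the reason deserves a comment next to the call site. At minimum the summary should read `## Create, read, write, and delete postfix maildrop spool directories and files.`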
@@ -52352,7 +53498,7 @@ index 46bee12..76b68b5 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..fc74b0a 100644
+index a32c4b3..7330e74 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -52581,7 +53727,7 @@ index a32c4b3..fc74b0a 100644
# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
-@@ -304,9 +346,22 @@ optional_policy(`
+@@ -304,9 +346,26 @@ optional_policy(`
')
optional_policy(`
@@ -52589,6 +53735,10 @@ index a32c4b3..fc74b0a 100644
+')
+
+optional_policy(`
++ openshift_search_lib(postfix_local_t)
++')
++
++optional_policy(`
procmail_domtrans(postfix_local_t)
')
@@ -52604,7 +53754,7 @@ index a32c4b3..fc74b0a 100644
########################################
#
# Postfix map local policy
-@@ -379,18 +434,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +438,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -52630,7 +53780,7 @@ index a32c4b3..fc74b0a 100644
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +462,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +466,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -52639,7 +53789,7 @@ index a32c4b3..fc74b0a 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +483,7 @@ optional_policy(`
+@@ -420,6 +487,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -52647,7 +53797,7 @@ index a32c4b3..fc74b0a 100644
')
optional_policy(`
-@@ -436,11 +500,18 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +504,18 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -52666,7 +53816,7 @@ index a32c4b3..fc74b0a 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +562,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -52677,7 +53827,7 @@ index a32c4b3..fc74b0a 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +590,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +594,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -52690,7 +53840,7 @@ index a32c4b3..fc74b0a 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +614,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +618,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -52701,7 +53851,7 @@ index a32c4b3..fc74b0a 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +635,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +639,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -52713,7 +53863,7 @@ index a32c4b3..fc74b0a 100644
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +647,14 @@ optional_policy(`
+@@ -565,6 +651,14 @@ optional_policy(`
')
optional_policy(`
@@ -52728,7 +53878,7 @@ index a32c4b3..fc74b0a 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +671,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +675,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -52755,7 +53905,7 @@ index a32c4b3..fc74b0a 100644
')
optional_policy(`
-@@ -599,6 +697,11 @@ optional_policy(`
+@@ -599,6 +701,11 @@ optional_policy(`
')
optional_policy(`
@@ -52767,7 +53917,7 @@ index a32c4b3..fc74b0a 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +714,6 @@ optional_policy(`
+@@ -611,7 +718,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -52775,7 +53925,7 @@ index a32c4b3..fc74b0a 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +732,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +736,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -54082,7 +55232,7 @@ index 2855a44..58bb459 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..cc8c6d6 100644
+index 64c5f95..c7d9eed 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -54176,7 +55326,7 @@ index 64c5f95..cc8c6d6 100644
')
optional_policy(`
-@@ -144,6 +167,14 @@ optional_policy(`
+@@ -144,6 +167,18 @@ optional_policy(`
')
optional_policy(`
@@ -54188,10 +55338,14 @@ index 64c5f95..cc8c6d6 100644
+')
+
+optional_policy(`
++ openshift_initrc_domtrans(puppet_t)
++')
++
++optional_policy(`
files_rw_var_files(puppet_t)
rpm_domtrans(puppet_t)
-@@ -162,7 +193,60 @@ optional_policy(`
+@@ -162,7 +197,60 @@ optional_policy(`
########################################
#
@@ -54253,7 +55407,7 @@ index 64c5f95..cc8c6d6 100644
#
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -171,29 +255,36 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+@@ -171,29 +259,36 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
@@ -54293,7 +55447,7 @@ index 64c5f95..cc8c6d6 100644
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +297,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +301,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
@@ -54343,7 +55497,7 @@ index 64c5f95..cc8c6d6 100644
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +347,9 @@ optional_policy(`
+@@ -231,3 +351,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -57082,10 +58236,10 @@ index 0000000..811c52e
+
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
-index 0000000..0a36c2b
+index 0000000..67798b8
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.te
-@@ -0,0 +1,67 @@
+@@ -0,0 +1,71 @@
+policy_module(rhsmcertd, 1.0.0)
+
+########################################
@@ -57153,6 +58307,10 @@ index 0000000..0a36c2b
+sysnet_dns_name_resolve(rhsmcertd_t)
+
+rpm_read_db(rhsmcertd_t)
++
++optional_policy(`
++ gnome_dontaudit_search_config(rhsmcertd_t)
++')
diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
index 5b08327..ed5dc05 100644
--- a/policy/modules/services/ricci.fc
@@ -59839,7 +60997,7 @@ index 7e94c7c..5700fb8 100644
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 22dac1f..e2f2d7d 100644
+index 22dac1f..39f24b3 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -59904,8 +61062,14 @@ index 22dac1f..e2f2d7d 100644
')
optional_policy(`
-@@ -149,7 +161,9 @@ optional_policy(`
+@@ -147,9 +159,15 @@ optional_policy(`
+ optional_policy(`
+ munin_dontaudit_search_lib(sendmail_t)
')
++optional_policy(`
++ openshift_dontaudit_rw_inherited_fifo_files(sendmail_t)
++ openshift_rw_inherited_content(sendmail_t)
++')
optional_policy(`
+ postfix_domtrans_postdrop(sendmail_t)
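Review bot: The new optional block giving sendmail_t `openshift_rw_inherited_content` and `openshift_dontaudit_rw_inherited_fifo_files` carries no comment on why a mail transport needs access to openshift content, presumably because sendmail is exec'd by gear processes with their descriptors already open; that intent should be recorded, e.g. `# sendmail is invoked from openshift gears with their pipes/files inherited`. If `openshift_rw_inherited_content` already covers fifo files in the openshift.if definition (not visible in this chunk), the separate dontaudit on inherited fifos is redundant and one of the two should go. The enclosing optional_policy chain continues outside this hunk.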
@@ -59914,7 +61078,7 @@ index 22dac1f..e2f2d7d 100644
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -168,20 +182,13 @@ optional_policy(`
+@@ -168,20 +186,13 @@ optional_policy(`
')
optional_policy(`
@@ -61356,7 +62520,7 @@ index 4b2230e..51dc8d8 100644
+ kerberos_manage_host_rcache(squid_t)
+')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..84d29ee 100644
+index 078bcd7..dea7898 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,4 +1,11 @@
@@ -61371,7 +62535,7 @@ index 078bcd7..84d29ee 100644
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -14,3 +21,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+@@ -14,3 +21,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
@@ -61379,8 +62543,11 @@ index 078bcd7..84d29ee 100644
+
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
++
++/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/openshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..8cbaa9a 100644
+index 22adaca..50adc73 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
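Review bot: The two new file-context entries label `.ssh` under `/var/lib/stickshift/[^/]+/` and `/var/lib/openshift/[^/]+/` as `ssh_home_t`, the same type as an ordinary user's `~/.ssh`, so every domain that may read or manage `ssh_home_t` through the ssh.if interfaces can also reach a gear's `authorized_keys`; that equivalence is presumably intended for sshd_t but should be stated in a comment above the entries, e.g. `# gear .ssh dirs share ssh_home_t with user home dirs`. These entries also have to out-rank whatever entry labels the rest of `/var/lib/openshift` as openshift content (the openshift.fc side is not in this chunk), otherwise restorecon will never apply them; worth checking with `matchpathcon` on a sample gear path before shipping. The `/var/lib/stickshift` variant looks like a legacy path and could carry a note saying so.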
@@ -61712,7 +62879,7 @@ index 22adaca..8cbaa9a 100644
files_search_pids($1)
')
-@@ -643,6 +721,42 @@ interface(`ssh_agent_exec',`
+@@ -643,6 +721,79 @@ interface(`ssh_agent_exec',`
########################################
## <summary>
@@ -61750,12 +62917,49 @@ index 22adaca..8cbaa9a 100644
+ dontaudit $1 ssh_home_t:dir search_dir_perms;
+')
+
++######################################
++## <summary>
++## Do not audit attempts to read and
++## write the sshd pty type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`ssh_dontaudit_use_ptys',`
++ gen_require(`
++ type sshd_devpts_t;
++ ')
++
++ dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl };
++')
++
++######################################
++## <summary>
++## Read and write inherited sshd pty type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`ssh_use_ptys',`
++ gen_require(`
++ type sshd_devpts_t;
++ ')
++
++ allow $1 sshd_devpts_t:chr_file { open getattr read write ioctl };
++')
++
+########################################
+## <summary>
## Read ssh home directory content
## </summary>
## <param name="domain">
-@@ -682,6 +796,50 @@ interface(`ssh_domtrans_keygen',`
+@@ -682,6 +833,50 @@ interface(`ssh_domtrans_keygen',`
########################################
## <summary>
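Review bot: In the new `ssh_use_ptys` interface the parameter doc says "Domain to not audit.", copied from the `ssh_dontaudit_use_ptys` variant directly above it, but this one grants access, so it should read `## Domain allowed access.`. The summary also says "Read and write inherited sshd pty type" while the rule grants `{ open getattr read write ioctl }`; `open` lets the caller open `sshd_devpts_t` devices outright rather than only use an inherited descriptor, so either drop `open` if inherited use is all that is wanted, or change the summary to `## Read and write the sshd pty type.`. The dontaudit counterpart is what openshift_cgroup_read_t receives in the openshift.te hunk earlier in this diff, so the pair will be read together.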
@@ -61806,7 +63010,7 @@ index 22adaca..8cbaa9a 100644
## Read ssh server keys
## </summary>
## <param name="domain">
-@@ -695,7 +853,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +890,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -61815,7 +63019,7 @@ index 22adaca..8cbaa9a 100644
')
######################################
-@@ -735,3 +893,82 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +930,82 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -61899,7 +63103,7 @@ index 22adaca..8cbaa9a 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..7ef3f55 100644
+index 2dad3c8..e3ed2da 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -62208,7 +63412,7 @@ index 2dad3c8..7ef3f55 100644
')
optional_policy(`
-@@ -284,6 +339,15 @@ optional_policy(`
+@@ -284,6 +339,24 @@ optional_policy(`
')
optional_policy(`
@@ -62221,10 +63425,19 @@ index 2dad3c8..7ef3f55 100644
+')
+
+optional_policy(`
++ openshift_dyntransition(sshd_t)
++ openshift_transition(sshd_t)
++ openshift_manage_tmp_files(sshd_t)
++ openshift_manage_tmp_sockets(sshd_t)
++ openshift_mounton_tmp(sshd_t)
++ openshift_search_lib(sshd_t)
++')
++
++optional_policy(`
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +356,26 @@ optional_policy(`
+@@ -292,26 +365,26 @@ optional_policy(`
')
ifdef(`TODO',`
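Review bot: sshd_t is given `openshift_dyntransition` alongside `openshift_transition`, plus manage rights on openshift tmp files and sockets and `openshift_mounton_tmp`, with no comment on why a dynamic (setcon-style) transition is needed in addition to the exec-based one; a dynamic transition relies on the calling process to switch its own context rather than on the kernel at exec, so the justification belongs next to the rule, e.g. `# sshd sets the gear's openshift context itself during session setup (dyntransition)`, hedged to whatever the openshift.if definitions (not in this chunk) actually do. The enclosing optional_policy chain continues outside this hunk.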
@@ -62270,7 +63483,7 @@ index 2dad3c8..7ef3f55 100644
') dnl endif TODO
########################################
-@@ -322,19 +386,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +395,26 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -62298,7 +63511,7 @@ index 2dad3c8..7ef3f55 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +422,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +431,11 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -62312,7 +63525,7 @@ index 2dad3c8..7ef3f55 100644
')
optional_policy(`
-@@ -363,3 +436,81 @@ optional_policy(`
+@@ -363,3 +445,81 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -68618,7 +69831,7 @@ index 21ae664..cb3a098 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..bd73b2a 100644
+index 9fb4747..b88c305 100644
--- a/policy/modules/services/zarafa.te
+++ b/policy/modules/services/zarafa.te
@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -68632,7 +69845,16 @@ index 9fb4747..bd73b2a 100644
zarafa_domain_template(monitor)
zarafa_domain_template(server)
-@@ -57,6 +61,21 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -46,7 +50,7 @@ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+ # zarafa_gateway local policy
+ #
+
+-allow zarafa_gateway_t self:capability { chown kill };
++allow zarafa_gateway_t self:capability { kill };
+ allow zarafa_gateway_t self:process setrlimit;
+
+ corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
+@@ -57,12 +61,25 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
corenet_tcp_bind_generic_node(zarafa_gateway_t)
corenet_tcp_bind_pop_port(zarafa_gateway_t)
@@ -68641,7 +69863,6 @@ index 9fb4747..bd73b2a 100644
+# zarafa-indexer local policy
+#
+
-+allow zarafa_indexer_t self:capability chown;
+
+manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
@@ -68654,7 +69875,29 @@ index 9fb4747..bd73b2a 100644
#######################################
#
# zarafa-ical local policy
-@@ -93,7 +112,8 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+ #
+
+-allow zarafa_ical_t self:capability chown;
+
+ corenet_all_recvfrom_unlabeled(zarafa_ical_t)
+ corenet_all_recvfrom_netlabel(zarafa_ical_t)
+@@ -77,14 +94,13 @@ corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+ # zarafa-monitor local policy
+ #
+
+-allow zarafa_monitor_t self:capability chown;
+
+ ########################################
+ #
+ # zarafa_server local policy
+ #
+
+-allow zarafa_server_t self:capability { chown kill net_bind_service };
++allow zarafa_server_t self:capability { kill net_bind_service };
+ allow zarafa_server_t self:process setrlimit;
+
+ manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+@@ -93,7 +109,8 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
@@ -68664,7 +69907,7 @@ index 9fb4747..bd73b2a 100644
stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
-@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
+@@ -107,7 +124,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
files_read_usr_files(zarafa_server_t)
@@ -68672,14 +69915,23 @@ index 9fb4747..bd73b2a 100644
logging_send_audit_msgs(zarafa_server_t)
sysnet_dns_name_resolve(zarafa_server_t)
-@@ -138,6 +157,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+@@ -125,7 +141,7 @@ optional_policy(`
+ # zarafa_spooler local policy
+ #
+
+-allow zarafa_spooler_t self:capability { chown kill };
++allow zarafa_spooler_t self:capability { kill };
+
+ can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
+
+@@ -138,11 +154,35 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
########################################
#
+# zarafa_gateway local policy
+#
+
-+allow zarafa_gateway_t self:capability { chown kill };
++allow zarafa_gateway_t self:capability { kill };
+allow zarafa_gateway_t self:process setrlimit;
+
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
@@ -68689,7 +69941,6 @@ index 9fb4747..bd73b2a 100644
+# zarafa-ical local policy
+#
+
-+allow zarafa_ical_t self:capability chown;
+
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+
@@ -68698,14 +69949,19 @@ index 9fb4747..bd73b2a 100644
+# zarafa-monitor local policy
+#
+
-+allow zarafa_monitor_t self:capability chown;
+
+########################################
+#
# zarafa domains local policy
#
-@@ -152,10 +197,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+ # bad permission on /etc/zarafa
+-allow zarafa_domain self:capability { dac_override setgid setuid };
++allow zarafa_domain self:capability { dac_override chown setgid setuid };
+ allow zarafa_domain self:process signal;
+ allow zarafa_domain self:fifo_file rw_fifo_file_perms;
+ allow zarafa_domain self:tcp_socket create_stream_socket_perms;
+@@ -152,10 +192,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
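Review bot: Adding `chown` to `allow zarafa_domain self:capability { dac_override chown setgid setuid };` grants CAP_CHOWN to every domain carrying the `zarafa_domain` attribute, which is broader than the per-domain lines removed in the earlier zarafa hunks (gateway, indexer, ical, monitor, server and spooler); from this chunk I cannot tell whether other attribute members, for example zarafa_deliver_t named in the `@@ -46,7 +50,7 @@` context, previously lacked it. The existing `# bad permission on /etc/zarafa` comment hints at the motive, so a line such as `# chown needed by every zarafa daemon for /etc/zarafa ownership fixups` would make the broadening deliberate. Separately, the patched zarafa.te appears to carry two "zarafa_gateway local policy" sections (the one at `+50` and the one at `+154`) plus duplicated ical and monitor headers, and this commit edits both copies; consolidating them would avoid the same rule drifting in two places.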
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e649847..9f379ab 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 91%{?dist}
+Release: 92%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Oct 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-92
+- Backport openshift policy
+
* Mon Aug 1 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-91
- Allow postfix to connect to spampd
- Add spamd_port_t for 10026, 10027 ports