[selinux-policy/f18] * Wed Jan 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-74 - Dontaudit r/w cache_home_t for thum

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jan 30 11:18:03 UTC 2013


commit dfabfa9458cbd9a54828714f81db8673a34e6367
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Jan 30 12:16:36 2013 +0100

    * Wed Jan 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-74
    - Dontaudit r/w cache_home_t for thumb_t
    - Allow rsync to getattr any file in rsync_data_t
    - Allow l2tpd_t to read network manager content in /run directory
    - Allow named to block_suspend capability
    - Allow gnomesystemmm_t caps because of ioprio_set
    - Allow NM rawip socket
    - Add interface to thumb_t dbus_chat to allow it to read remote proce
    - Allow logrotate to domtrans to mdadm_t
    - kde gnomeclock wants to write content to /tmp
    - kde gnomeclock wants to write content to /tmp
    - /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
    - Allow blueman_t to rwx zero_device_t, for some kind of jre
    - Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
    - Ftp full access should be allowed to create directories as well as
    - Add boolean to allow rsync_full_access, so that an rsync server can
    - over the local machine
    - logrotate needs to rotate logs in openshift directories
    - comment files_relabel_non_security_files for now, it does not work
    - boinc_cliean wants also execmem as boinc projects have
    - Allow sa-update to search admin home for /root/.spamassassin
    - Allow sa-update to search admin home for /root/.spamassassin
    - Allow antivirus domain to read net sysctl
    - Dontaudit attempts from thumb_t to connect to ssd
    - Dontaudit attempts by readahead to read sock_files
    - Dontaudit attempts by readahead to read sock_files
    - Allow application_domains to send sigchld to login programs
    - Change ssh_use_pts to use macro and only inherited sshd_devpts_t
    - Allow confined users to read systemd_logind seat information

 policy-f18-base.patch    |  566 ++++++++++++++++++++++++----------------------
 policy-f18-contrib.patch |  466 +++++++++++++++++++++++++++-----------
 selinux-policy.spec      |   32 +++-
 3 files changed, 651 insertions(+), 413 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 1de0bf5..4333428 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -117736,7 +117736,7 @@ index 8796ca3..cb02728 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..e9ebe7b 100644
+index e1e814d..c291c5a 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -117929,7 +117929,33 @@ index e1e814d..e9ebe7b 100644
  ##	Get the attributes of all named sockets.
  ## </summary>
  ## <param name="domain">
-@@ -1073,10 +1220,8 @@ interface(`files_relabel_all_files',`
+@@ -991,6 +1138,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to read
++##	of all named sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_read_all_sockets',`
++	gen_require(`
++		attribute file_type;
++	')
++
++	dontaudit $1 file_type:sock_file read;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to get the attributes
+ ##	of non security named sockets.
+ ## </summary>
+@@ -1073,10 +1239,8 @@ interface(`files_relabel_all_files',`
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
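Review bot: the summary of the new `files_dontaudit_read_all_sockets` interface reads "Do not audit attempts to read / of all named sockets.", which is ungrammatical; suggest "Do not audit attempts to read all named sockets." to match the neighbouring `files_dontaudit_getattr_all_sockets` summary. Note also that `dontaudit $1 file_type:sock_file read;` covers every type carrying the file_type attribute, security-sensitive ones included, so a domain given this interface has any socket read silently denied with no AVC record. That is acceptable for the readahead noise named in the changelog, but the interface should not be handed to other domains casually, because it hides exactly the denials that would point at a misbehaving process.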
@@ -117942,7 +117968,7 @@ index e1e814d..e9ebe7b 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1655,6 +1800,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1655,6 +1819,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -117967,7 +117993,7 @@ index e1e814d..e9ebe7b 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1673,6 +1836,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1673,6 +1855,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -117992,7 +118018,7 @@ index e1e814d..e9ebe7b 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1856,6 +2037,42 @@ interface(`files_delete_root_dir_entry',`
+@@ -1856,6 +2056,42 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -118035,7 +118061,7 @@ index e1e814d..e9ebe7b 100644
  ##	Unmount a rootfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1874,6 +2091,24 @@ interface(`files_unmount_rootfs',`
+@@ -1874,6 +2110,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -118060,7 +118086,7 @@ index e1e814d..e9ebe7b 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2573,6 +2808,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2573,6 +2827,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -118085,7 +118111,7 @@ index e1e814d..e9ebe7b 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2644,6 +2897,7 @@ interface(`files_read_etc_files',`
+@@ -2644,6 +2916,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -118093,7 +118119,7 @@ index e1e814d..e9ebe7b 100644
  ')
  
  ########################################
-@@ -2652,7 +2906,7 @@ interface(`files_read_etc_files',`
+@@ -2652,7 +2925,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -118102,7 +118128,7 @@ index e1e814d..e9ebe7b 100644
  ##	</summary>
  ## </param>
  #
-@@ -2708,6 +2962,25 @@ interface(`files_manage_etc_files',`
+@@ -2708,6 +2981,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -118128,7 +118154,7 @@ index e1e814d..e9ebe7b 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2726,6 +2999,24 @@ interface(`files_delete_etc_files',`
+@@ -2726,6 +3018,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -118153,7 +118179,7 @@ index e1e814d..e9ebe7b 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2891,24 +3182,6 @@ interface(`files_delete_boot_flag',`
+@@ -2891,26 +3201,8 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -118175,37 +118201,18 @@ index e1e814d..e9ebe7b 100644
 -
 -########################################
 -## <summary>
- ##	Read files in /etc that are dynamically
- ##	created on boot, such as mtab.
+-##	Read files in /etc that are dynamically
+-##	created on boot, such as mtab.
++##	Read files in /etc that are dynamically
++##	created on boot, such as mtab.
  ## </summary>
-@@ -2949,9 +3222,7 @@ interface(`files_read_etc_runtime_files',`
+ ## <desc>
+ ##	<p>
+@@ -2949,6 +3241,42 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
--##	Do not audit attempts to read files
--##	in /etc that are dynamically
--##	created on boot, such as mtab.
 +##	Do not audit attempts to set the attributes of the etc_runtime files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2959,12 +3230,50 @@ interface(`files_read_etc_runtime_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_dontaudit_read_etc_runtime_files',`
-+interface(`files_dontaudit_setattr_etc_runtime_files',`
- 	gen_require(`
- 		type etc_runtime_t;
- 	')
- 
--	dontaudit $1 etc_runtime_t:file { getattr read };
-+	dontaudit $1 etc_runtime_t:file setattr;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to write etc_runtime files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -118213,19 +118220,17 @@ index e1e814d..e9ebe7b 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_write_etc_runtime_files',`
++interface(`files_dontaudit_setattr_etc_runtime_files',`
 +	gen_require(`
 +		type etc_runtime_t;
 +	')
 +
-+	dontaudit $1 etc_runtime_t:file write;
++	dontaudit $1 etc_runtime_t:file setattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to read files
-+##	in /etc that are dynamically
-+##	created on boot, such as mtab.
++##	Do not audit attempts to write etc_runtime files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -118233,16 +118238,20 @@ index e1e814d..e9ebe7b 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_read_etc_runtime_files',`
++interface(`files_dontaudit_write_etc_runtime_files',`
 +	gen_require(`
 +		type etc_runtime_t;
 +	')
 +
-+	dontaudit $1 etc_runtime_t:file { getattr read };
- ')
- 
- ########################################
-@@ -2986,6 +3295,7 @@ interface(`files_rw_etc_runtime_files',`
++	dontaudit $1 etc_runtime_t:file write;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to read files
+ ##	in /etc that are dynamically
+ ##	created on boot, such as mtab.
+@@ -2986,6 +3314,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
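Review bot: this hunk and the two before it replace the version of the patch that deleted `files_dontaudit_read_etc_runtime_files` and re-added it verbatim further down; the two new interfaces `files_dontaudit_setattr_etc_runtime_files` and `files_dontaudit_write_etc_runtime_files` are now pure `++` insertions placed ahead of the untouched upstream interface, whose `##	Do not audit attempts to read files` block survives as context. The resulting files.if is identical, but the smaller diff is the right shape and will rebase cleanly. One thing to double-check is the adjusted inner header `+@@ -2949,6 +3241,42 @@`: every following hunk offset in this file moved by +19 for the new socket interface, and a stale count here would make the .spec fail at patch time.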
@@ -118250,7 +118259,7 @@ index e1e814d..e9ebe7b 100644
  ')
  
  ########################################
-@@ -3007,6 +3317,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3007,6 +3336,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -118258,7 +118267,7 @@ index e1e814d..e9ebe7b 100644
  ')
  
  ########################################
-@@ -3059,6 +3370,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3059,6 +3389,25 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -118284,7 +118293,7 @@ index e1e814d..e9ebe7b 100644
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3135,6 +3465,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3135,6 +3484,25 @@ interface(`files_delete_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -118310,7 +118319,7 @@ index e1e814d..e9ebe7b 100644
  ##	Create, read, write, and delete directories
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3382,6 +3731,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3382,6 +3750,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
@@ -118336,7 +118345,7 @@ index e1e814d..e9ebe7b 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3723,20 +4091,38 @@ interface(`files_list_mnt',`
+@@ -3723,20 +4110,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -118380,7 +118389,7 @@ index e1e814d..e9ebe7b 100644
  ')
  
  ########################################
-@@ -4126,6 +4512,133 @@ interface(`files_read_world_readable_sockets',`
+@@ -4126,6 +4531,133 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -118514,7 +118523,7 @@ index e1e814d..e9ebe7b 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -4148,6 +4661,26 @@ interface(`files_associate_tmp',`
+@@ -4148,6 +4680,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -118541,7 +118550,7 @@ index e1e814d..e9ebe7b 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4161,17 +4694,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4161,17 +4713,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -118580,7 +118589,7 @@ index e1e814d..e9ebe7b 100644
  ##	</summary>
  ## </param>
  #
-@@ -4198,6 +4751,7 @@ interface(`files_search_tmp',`
+@@ -4198,6 +4770,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -118588,7 +118597,7 @@ index e1e814d..e9ebe7b 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4234,6 +4788,7 @@ interface(`files_list_tmp',`
+@@ -4234,6 +4807,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -118596,7 +118605,7 @@ index e1e814d..e9ebe7b 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4243,7 +4798,7 @@ interface(`files_list_tmp',`
+@@ -4243,7 +4817,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -118605,7 +118614,7 @@ index e1e814d..e9ebe7b 100644
  ##	</summary>
  ## </param>
  #
-@@ -4255,6 +4810,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4255,6 +4829,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -118631,7 +118640,7 @@ index e1e814d..e9ebe7b 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4270,6 +4844,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4270,6 +4863,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -118639,7 +118648,7 @@ index e1e814d..e9ebe7b 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4311,6 +4886,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4311,6 +4905,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -118672,7 +118681,7 @@ index e1e814d..e9ebe7b 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4365,7 +4966,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4365,7 +4985,7 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -118681,7 +118690,7 @@ index e1e814d..e9ebe7b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4373,17 +4974,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4373,17 +4993,17 @@ interface(`files_rw_generic_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -118703,7 +118712,7 @@ index e1e814d..e9ebe7b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4391,59 +4992,53 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4391,53 +5011,125 @@ interface(`files_setattr_all_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -118764,129 +118773,87 @@ index e1e814d..e9ebe7b 100644
  
 -	dontaudit $1 tmpfile:file getattr;
 +	allow $1 tmpfile:file { append read_inherited_file_perms };
- ')
- 
- ########################################
- ## <summary>
--##	Allow attempts to get the attributes
--##	of all tmp files.
-+##	Allow caller to append inherited tmp files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4451,27 +5046,105 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_getattr_all_tmp_files',`
-+interface(`files_append_inherited_tmp_files',`
- 	gen_require(`
- 		attribute tmpfile;
- 	')
- 
--	allow $1 tmpfile:file getattr;
-+	allow $1 tmpfile:file append_inherited_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Relabel to and from all temporary
--##	file types.
-+##	List all tmp directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_relabel_all_tmp_files',`
-+interface(`files_list_all_tmp',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel to and from all temporary
-+##	directory types.
++##	Allow caller to append inherited tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_relabel_all_tmp_dirs',`
++interface(`files_append_inherited_tmp_files',`
 +	gen_require(`
 +		attribute tmpfile;
-+		type var_t;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	relabel_dirs_pattern($1, tmpfile, tmpfile)
++	allow $1 tmpfile:file append_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to get the attributes
-+##	of all tmp files.
++##	List all tmp directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_list_all_tmp',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
-+	dontaudit $1 tmpfile:file getattr;
++	allow $1 tmpfile:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow attempts to get the attributes
-+##	of all tmp files.
++##	Relabel to and from all temporary
++##	directory types.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_getattr_all_tmp_files',`
++interface(`files_relabel_all_tmp_dirs',`
 +	gen_require(`
 +		attribute tmpfile;
++		type var_t;
 +	')
 +
-+	allow $1 tmpfile:file getattr;
++	allow $1 var_t:dir search_dir_perms;
++	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel to and from all temporary
-+##	file types.
++##	Do not audit attempts to get the attributes
++##	of all tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_relabel_all_tmp_files',`
- 	gen_require(`
- 		attribute tmpfile;
- 		type var_t;
-@@ -4488,7 +5161,7 @@ interface(`files_relabel_all_tmp_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
++	gen_require(`
++		attribute tmpfile;
++	')
++
++	dontaudit $1 tmpfile:file getattr;
+ ')
+ 
+ ########################################
+@@ -4488,7 +5180,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
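Review bot: same cleanup pattern as the etc_runtime hunks: the previous version rewrote the summaries and names of the upstream `files_getattr_all_tmp_files` and `files_relabel_all_tmp_files` in place and re-added them later, whereas this version adds `files_append_inherited_tmp_files`, `files_list_all_tmp`, `files_relabel_all_tmp_dirs` and `files_dontaudit_getattr_all_tmp_files` as plain `++` insertions and leaves the upstream interfaces as context. Two points on the content: `files_list_all_tmp` grants `tmpfile:dir list_dir_perms`, and since tmpfile is the attribute on every domain's private tmp type, a caller can enumerate every confined domain's temporary directories, so the summary "List all tmp directories." should say so to keep it away from ordinary application domains. Also, the context just above shows the upstream dontaudit body turned into `allow $1 tmpfile:file { append read_inherited_file_perms };` while a fresh `files_dontaudit_getattr_all_tmp_files` with `dontaudit $1 tmpfile:file getattr;` is added here; please confirm the name line of the rewritten interface (outside this hunk) was changed as well, otherwise files.if ends up declaring the same interface name twice.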
@@ -118895,7 +118862,7 @@ index e1e814d..e9ebe7b 100644
  ##	</summary>
  ## </param>
  #
-@@ -4573,6 +5246,16 @@ interface(`files_purge_tmp',`
+@@ -4573,6 +5265,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -118912,7 +118879,7 @@ index e1e814d..e9ebe7b 100644
  ')
  
  ########################################
-@@ -5150,6 +5833,24 @@ interface(`files_list_var',`
+@@ -5150,6 +5852,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -118937,7 +118904,7 @@ index e1e814d..e9ebe7b 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5505,6 +6206,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5505,6 +6225,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -118963,7 +118930,7 @@ index e1e814d..e9ebe7b 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5550,7 +6270,7 @@ interface(`files_manage_mounttab',`
+@@ -5550,7 +6289,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -118972,7 +118939,7 @@ index e1e814d..e9ebe7b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5558,12 +6278,13 @@ interface(`files_manage_mounttab',`
+@@ -5558,12 +6297,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -118988,7 +118955,7 @@ index e1e814d..e9ebe7b 100644
  ')
  
  ########################################
-@@ -5581,6 +6302,7 @@ interface(`files_search_locks',`
+@@ -5581,6 +6321,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -118996,7 +118963,7 @@ index e1e814d..e9ebe7b 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5607,7 +6329,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5607,7 +6348,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -119024,7 +118991,7 @@ index e1e814d..e9ebe7b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5615,13 +6356,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5615,13 +6375,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -119041,7 +119008,7 @@ index e1e814d..e9ebe7b 100644
  ')
  
  ########################################
-@@ -5640,7 +6380,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5640,7 +6399,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -119050,7 +119017,7 @@ index e1e814d..e9ebe7b 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5673,7 +6413,6 @@ interface(`files_create_lock_dirs',`
+@@ -5673,7 +6432,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -119058,7 +119025,7 @@ index e1e814d..e9ebe7b 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5701,8 +6440,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5701,8 +6459,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -119068,7 +119035,7 @@ index e1e814d..e9ebe7b 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5718,13 +6456,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5718,13 +6475,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -119086,7 +119053,7 @@ index e1e814d..e9ebe7b 100644
  ')
  
  ########################################
-@@ -5743,8 +6480,7 @@ interface(`files_manage_generic_locks',`
+@@ -5743,8 +6499,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -119096,7 +119063,7 @@ index e1e814d..e9ebe7b 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5786,8 +6522,7 @@ interface(`files_read_all_locks',`
+@@ -5786,8 +6541,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -119106,7 +119073,7 @@ index e1e814d..e9ebe7b 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6544,7 @@ interface(`files_manage_all_locks',`
+@@ -5809,8 +6563,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -119116,7 +119083,7 @@ index e1e814d..e9ebe7b 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5847,8 +6581,7 @@ interface(`files_lock_filetrans',`
+@@ -5847,8 +6600,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -119126,7 +119093,7 @@ index e1e814d..e9ebe7b 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5911,6 +6644,43 @@ interface(`files_search_pids',`
+@@ -5911,6 +6663,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -119170,7 +119137,7 @@ index e1e814d..e9ebe7b 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5933,6 +6703,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5933,6 +6722,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -119196,7 +119163,7 @@ index e1e814d..e9ebe7b 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6048,7 +6837,6 @@ interface(`files_pid_filetrans',`
+@@ -6048,7 +6856,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -119204,7 +119171,7 @@ index e1e814d..e9ebe7b 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6157,30 +6945,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6157,30 +6964,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -119239,7 +119206,7 @@ index e1e814d..e9ebe7b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6188,43 +6971,35 @@ interface(`files_read_all_pids',`
+@@ -6188,43 +6990,35 @@ interface(`files_read_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -119290,7 +119257,7 @@ index e1e814d..e9ebe7b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6232,21 +7007,17 @@ interface(`files_delete_all_pids',`
+@@ -6232,21 +7026,17 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -119315,7 +119282,7 @@ index e1e814d..e9ebe7b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6254,56 +7025,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6254,56 +7044,59 @@ interface(`files_delete_all_pid_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -119391,7 +119358,7 @@ index e1e814d..e9ebe7b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6311,18 +7085,17 @@ interface(`files_list_spool',`
+@@ -6311,18 +7104,17 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -119414,7 +119381,7 @@ index e1e814d..e9ebe7b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6330,9 +7103,273 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6330,19 +7122,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -119423,24 +119390,30 @@ index e1e814d..e9ebe7b 100644
  	gen_require(`
 -		type var_t, var_spool_t;
 +		type var_run_t;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
+-	read_files_pattern($1, var_spool_t, var_spool_t)
 +	exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool files.
 +##	manage all pidfiles 
 +##	in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6350,9 +7141,274 @@ interface(`files_read_generic_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool',`
 +interface(`files_manage_all_pids',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute pidfile;
 +	')
 +
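Review bot: the inner hunk `+@@ -6330,19 +7122,18 @@` still turns the upstream `files_read_generic_spool` body into `exec_files_pattern($1, var_run_t, var_run_t)`, and `+@@ -6350,9 +7141,274 @@` renames `files_manage_generic_spool` to `files_manage_all_pids` in place, with the spool interfaces re-added lower down; git has paired unrelated interfaces, so the diff is hard to review and fragile on rebase. Regenerating with `git diff --patience`, or placing the new pid interfaces after the spool block, would make them pure insertions. Separately, the interface that now requires `type var_run_t` hands out execute on generic var_run_t files; /var/run is written by many daemons, so the summary of that interface should state which caller needs it, and it should not be pulled into attribute-wide rules.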
@@ -119687,10 +119660,30 @@ index e1e814d..e9ebe7b 100644
 +interface(`files_read_generic_spool',`
 +	gen_require(`
 +		type var_t, var_spool_t;
++	')
++
++	list_dirs_pattern($1, var_t, var_spool_t)
++	read_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete generic
++##	spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
  	')
  
- 	list_dirs_pattern($1, var_t, var_spool_t)
-@@ -6467,3 +7504,459 @@ interface(`files_unconfined',`
+ 	allow $1 var_t:dir search_dir_perms;
+@@ -6467,3 +7523,459 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
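Review bot: the restored `files_read_generic_spool` and `files_manage_generic_spool` are now inner insertions (`++`) placed right before the upstream `allow $1 var_t:dir search_dir_perms;` body, so `files_manage_generic_spool` keeps its original rules while `files_read_generic_spool` is re-created with `list_dirs_pattern` and `read_files_pattern`. Because the pairing in the preceding hunk obscures this, it is worth confirming on a built package (for example with `sediff` against the previous policy) that no spool-reading domain lost access. The visible changelog has no entry for the new /var/run pid interfaces; one would make this part of the patch easier to trace later.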
@@ -124823,10 +124816,10 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 44c198a..e34ec36 100644
+index 44c198a..4555c4b 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.0)
+@@ -5,39 +5,74 @@ policy_module(sysadm, 2.5.0)
  # Declarations
  #
  
@@ -124900,6 +124893,7 @@ index 44c198a..e34ec36 100644
  userdom_manage_user_home_dirs(sysadm_t)
  userdom_home_filetrans_user_home_dir(sysadm_t)
 +userdom_manage_tmp_role(sysadm_r, sysadm_t)
++userdom_exec_admin_home_files(sysadm_t)
 +
 +optional_policy(`
 +	alsa_filetrans_named_content(sysadm_t)
@@ -124911,7 +124905,7 @@ index 44c198a..e34ec36 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,13 +89,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +90,7 @@ ifdef(`distro_gentoo',`
  	init_exec_rc(sysadm_t)
  ')
  
@@ -124926,7 +124920,7 @@ index 44c198a..e34ec36 100644
  	domain_ptrace_all_domains(sysadm_t)
  ')
  
-@@ -71,9 +99,9 @@ optional_policy(`
+@@ -71,9 +100,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -124937,7 +124931,7 @@ index 44c198a..e34ec36 100644
  ')
  
  optional_policy(`
-@@ -110,6 +138,10 @@ optional_policy(`
+@@ -110,6 +139,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124948,7 +124942,7 @@ index 44c198a..e34ec36 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -122,11 +154,20 @@ optional_policy(`
+@@ -122,11 +155,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124971,7 +124965,7 @@ index 44c198a..e34ec36 100644
  ')
  
  optional_policy(`
-@@ -140,6 +181,10 @@ optional_policy(`
+@@ -140,6 +182,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124982,7 +124976,7 @@ index 44c198a..e34ec36 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -156,11 +201,15 @@ optional_policy(`
+@@ -156,11 +202,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -124999,7 +124993,7 @@ index 44c198a..e34ec36 100644
  ')
  
  optional_policy(`
-@@ -179,6 +228,13 @@ optional_policy(`
+@@ -179,6 +229,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -125013,7 +125007,7 @@ index 44c198a..e34ec36 100644
  ')
  
  optional_policy(`
-@@ -186,15 +242,20 @@ optional_policy(`
+@@ -186,15 +243,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125037,7 +125031,7 @@ index 44c198a..e34ec36 100644
  ')
  
  optional_policy(`
-@@ -214,22 +275,20 @@ optional_policy(`
+@@ -214,22 +276,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -125066,7 +125060,7 @@ index 44c198a..e34ec36 100644
  ')
  
  optional_policy(`
-@@ -241,25 +300,47 @@ optional_policy(`
+@@ -241,25 +301,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125114,7 +125108,7 @@ index 44c198a..e34ec36 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +351,36 @@ optional_policy(`
+@@ -270,31 +352,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125158,7 +125152,7 @@ index 44c198a..e34ec36 100644
  ')
  
  optional_policy(`
-@@ -319,12 +405,18 @@ optional_policy(`
+@@ -319,12 +406,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125178,7 +125172,7 @@ index 44c198a..e34ec36 100644
  ')
  
  optional_policy(`
-@@ -349,7 +441,18 @@ optional_policy(`
+@@ -349,7 +442,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125198,7 +125192,7 @@ index 44c198a..e34ec36 100644
  ')
  
  optional_policy(`
-@@ -360,19 +463,15 @@ optional_policy(`
+@@ -360,19 +464,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125220,7 +125214,7 @@ index 44c198a..e34ec36 100644
  ')
  
  optional_policy(`
-@@ -384,10 +483,6 @@ optional_policy(`
+@@ -384,10 +484,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125231,7 +125225,7 @@ index 44c198a..e34ec36 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +490,9 @@ optional_policy(`
+@@ -395,6 +491,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -125241,7 +125235,7 @@ index 44c198a..e34ec36 100644
  ')
  
  optional_policy(`
-@@ -402,31 +500,34 @@ optional_policy(`
+@@ -402,31 +501,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125282,7 +125276,7 @@ index 44c198a..e34ec36 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,10 +540,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +541,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -125293,7 +125287,7 @@ index 44c198a..e34ec36 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -460,6 +557,7 @@ ifndef(`distro_redhat',`
+@@ -460,6 +558,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -125301,7 +125295,7 @@ index 44c198a..e34ec36 100644
  	')
  
  	optional_policy(`
-@@ -467,11 +565,66 @@ ifndef(`distro_redhat',`
+@@ -467,11 +566,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -127041,7 +127035,7 @@ index 078bcd7..022c7db 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..2b21421 100644
+index fe0c682..da12170 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -127670,7 +127664,7 @@ index fe0c682..2b21421 100644
 +		type sshd_devpts_t;
 +	')
 +
-+	allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };
++	allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
 index b17e27a..2ef4a93 100644
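Review bot: Replacing the explicit `{ getattr open read write ioctl }` with `rw_inherited_chr_file_perms` removes `open` from what this interface grants, so a caller can only read and write an sshd pty it already holds as an inherited descriptor, not open one by path; this matches the changelog entry "only inherited sshd_devpts_t" but is a tightening for any existing caller that relied on `open`, so the interface's `<summary>` text should say "inherited" as well so the change is visible to consumers of `ssh.if`.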
@@ -131099,10 +131093,10 @@ index 1b6619e..be02b96 100644
 +    allow $1 application_domain_type:socket_class_set getattr;
 +')
 diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..c59902a 100644
+index c6fdab7..8571add 100644
 --- a/policy/modules/system/application.te
 +++ b/policy/modules/system/application.te
-@@ -6,6 +6,30 @@ attribute application_domain_type;
+@@ -6,6 +6,32 @@ attribute application_domain_type;
  # Executables to be run by user
  attribute application_exec_type;
  
@@ -131117,6 +131111,8 @@ index c6fdab7..c59902a 100644
 +
 +files_dontaudit_search_non_security_dirs(application_domain_type)
 +
++auth_login_pgm_sigchld(application_domain_type)
++
 +optional_policy(`
 +	afs_rw_udp_sockets(application_domain_type)
 +')
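Review bot: `auth_login_pgm_sigchld(application_domain_type)` is added unguarded, unlike the `afs_rw_udp_sockets` call directly below it which sits inside `optional_policy(`...')`; that is acceptable only because authlogin is part of the base policy, so a one-line comment stating that every application domain needs to deliver SIGCHLD to login programs (the changelog lists the rule without a reason) would keep the next reader from wrapping it in `optional_policy` by reflex. The header bump from `+6,30` to `+6,32` matches the two added lines.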
@@ -131225,7 +131221,7 @@ index 28ad538..ebe81bf 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f416ce9..424d494 100644
+index f416ce9..80df5a7 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -131742,7 +131738,7 @@ index f416ce9..424d494 100644
  ')
  
  ########################################
-@@ -1755,3 +1923,200 @@ interface(`auth_unconfined',`
+@@ -1755,3 +1923,219 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -131943,6 +131939,25 @@ index f416ce9..424d494 100644
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
 +')
++
++########################################
++## <summary>
++##	Send a SIGCHLD signal to login programs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`auth_login_pgm_sigchld',`
++	gen_require(`
++		attribute login_pgm;
++	')
++
++	allow $1 login_pgm:process sigchld;
++')
++
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
 index f145ccb..499ee40 100644
 --- a/policy/modules/system/authlogin.te
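Review bot: The new `auth_login_pgm_sigchld` interface leaves a stray `+` blank line after its closing `+')`, which puts an empty last line at the end of authlogin.if; drop it so the file ends at `')` like the interfaces above. The body itself is minimal for its documented purpose, a `gen_require` of the `login_pgm` attribute and the single rule `allow $1 login_pgm:process sigchld;`, and the header change from `+1923,200` to `+1923,219` is consistent with the 19 added lines.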
@@ -144327,7 +144342,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..53ea674 100644
+index e720dcd..e293651 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -144343,7 +144358,7 @@ index e720dcd..53ea674 100644
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
  	domain_user_exemption_target($1_t)
-@@ -44,79 +46,131 @@ template(`userdom_base_user_template',`
+@@ -44,79 +46,132 @@ template(`userdom_base_user_template',`
  	term_user_pty($1_t, user_devpts_t)
  
  	term_user_tty($1_t, user_tty_device_t)
@@ -144499,6 +144514,7 @@ index e720dcd..53ea674 100644
 +	systemd_read_logind_sessions_files($1_usertype)
 +	systemd_write_inhibit_pipes($1_usertype)
 +	systemd_write_inherited_logind_sessions_pipes($1_usertype)
++	systemd_login_read_pid_files($1_usertype)
 +
 +	tunable_policy(`deny_execmem',`', `
  		# Allow loading DSOs that require executable stack.
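Review bot: `systemd_login_read_pid_files($1_usertype)` follows the three unguarded `systemd_*` calls above it, so placement is consistent, but the interface is not defined anywhere in the visible part of this patch; make sure the systemd.if in this series provides it (the changelog item "Allow confined users to read systemd_logind seat information" implies it does), otherwise every `userdom_base_user_template` instantiation fails to build. The header bump from `+46,131` to `+46,132` matches the single added line.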
@@ -144527,7 +144543,7 @@ index e720dcd..53ea674 100644
  ')
  
  #######################################
-@@ -150,6 +204,8 @@ interface(`userdom_ro_home_role',`
+@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',`
  		type user_home_t, user_home_dir_t;
  	')
  
@@ -144536,7 +144552,7 @@ index e720dcd..53ea674 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -167,27 +223,6 @@ interface(`userdom_ro_home_role',`
+@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',`
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -144564,7 +144580,7 @@ index e720dcd..53ea674 100644
  ')
  
  #######################################
-@@ -219,8 +254,11 @@ interface(`userdom_ro_home_role',`
+@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',`
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -144576,7 +144592,7 @@ index e720dcd..53ea674 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -229,43 +267,47 @@ interface(`userdom_manage_home_role',`
+@@ -229,43 +268,47 @@ interface(`userdom_manage_home_role',`
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -144640,7 +144656,7 @@ index e720dcd..53ea674 100644
  	')
  ')
  
-@@ -273,6 +315,25 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +316,25 @@ interface(`userdom_manage_home_role',`
  ## <summary>
  ##	Manage user temporary files
  ## </summary>
@@ -144666,7 +144682,7 @@ index e720dcd..53ea674 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,17 +348,64 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +349,64 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
@@ -144736,7 +144752,7 @@ index e720dcd..53ea674 100644
  ')
  
  #######################################
-@@ -317,11 +425,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +426,31 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -144768,7 +144784,7 @@ index e720dcd..53ea674 100644
  ##	Role access for the user tmpfs type
  ##	that the user has full access.
  ## </summary>
-@@ -348,59 +476,60 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -348,59 +477,60 @@ interface(`userdom_exec_user_tmp_files',`
  #
  interface(`userdom_manage_tmpfs_role',`
  	gen_require(`
@@ -144859,7 +144875,7 @@ index e720dcd..53ea674 100644
  ')
  
  #######################################
-@@ -431,6 +560,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +561,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -144867,7 +144883,7 @@ index e720dcd..53ea674 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -463,8 +593,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +594,8 @@ template(`userdom_change_password_template',`
  	')
  
  	optional_policy(`
@@ -144878,7 +144894,7 @@ index e720dcd..53ea674 100644
  	')
  ')
  
-@@ -491,7 +621,8 @@ template(`userdom_common_user_template',`
+@@ -491,7 +622,8 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -144888,7 +144904,7 @@ index e720dcd..53ea674 100644
  
  	##############################
  	#
-@@ -501,41 +632,51 @@ template(`userdom_common_user_template',`
+@@ -501,41 +633,51 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -144963,7 +144979,7 @@ index e720dcd..53ea674 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,100 +687,140 @@ template(`userdom_common_user_template',`
+@@ -546,100 +688,140 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -145142,7 +145158,7 @@ index e720dcd..53ea674 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -651,40 +832,52 @@ template(`userdom_common_user_template',`
+@@ -651,40 +833,52 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -145207,7 +145223,7 @@ index e720dcd..53ea674 100644
  	')
  ')
  
-@@ -709,17 +902,33 @@ template(`userdom_common_user_template',`
+@@ -709,17 +903,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -145246,7 +145262,7 @@ index e720dcd..53ea674 100644
  
  	userdom_change_password_template($1)
  
-@@ -727,82 +936,100 @@ template(`userdom_login_user_template', `
+@@ -727,82 +937,100 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -145383,7 +145399,7 @@ index e720dcd..53ea674 100644
  	')
  ')
  
-@@ -834,6 +1061,12 @@ template(`userdom_restricted_user_template',`
+@@ -834,6 +1062,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -145396,7 +145412,7 @@ index e720dcd..53ea674 100644
  	##############################
  	#
  	# Local policy
-@@ -874,46 +1107,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,46 +1108,118 @@ template(`userdom_restricted_xwindows_user_template',`
  	# Local policy
  	#
  
@@ -145528,7 +145544,7 @@ index e720dcd..53ea674 100644
  	')
  ')
  
-@@ -948,27 +1253,33 @@ template(`userdom_unpriv_user_template', `
+@@ -948,27 +1254,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -145566,7 +145582,7 @@ index e720dcd..53ea674 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -979,54 +1290,89 @@ template(`userdom_unpriv_user_template', `
+@@ -979,54 +1291,89 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -145689,7 +145705,7 @@ index e720dcd..53ea674 100644
  ##	</ul>
  ##	</p>
  ## </desc>
-@@ -1040,7 +1386,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1040,7 +1387,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -145698,7 +145714,7 @@ index e720dcd..53ea674 100644
  	')
  
  	##############################
-@@ -1067,6 +1413,7 @@ template(`userdom_admin_user_template',`
+@@ -1067,6 +1414,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -145706,7 +145722,7 @@ index e720dcd..53ea674 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1075,6 +1422,9 @@ template(`userdom_admin_user_template',`
+@@ -1075,6 +1423,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -145716,7 +145732,7 @@ index e720dcd..53ea674 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1089,6 +1439,7 @@ template(`userdom_admin_user_template',`
+@@ -1089,6 +1440,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -145724,7 +145740,7 @@ index e720dcd..53ea674 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,10 +1457,14 @@ template(`userdom_admin_user_template',`
+@@ -1106,10 +1458,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -145739,7 +145755,7 @@ index e720dcd..53ea674 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1120,29 +1475,38 @@ template(`userdom_admin_user_template',`
+@@ -1120,29 +1476,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -145782,7 +145798,7 @@ index e720dcd..53ea674 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1152,6 +1516,8 @@ template(`userdom_admin_user_template',`
+@@ -1152,6 +1517,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -145791,7 +145807,7 @@ index e720dcd..53ea674 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1159,13 +1525,17 @@ template(`userdom_admin_user_template',`
+@@ -1159,13 +1526,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -145810,7 +145826,7 @@ index e720dcd..53ea674 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1211,6 +1581,8 @@ template(`userdom_security_admin_template',`
+@@ -1211,6 +1582,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -145819,7 +145835,7 @@ index e720dcd..53ea674 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1223,8 +1595,10 @@ template(`userdom_security_admin_template',`
+@@ -1223,8 +1596,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -145831,7 +145847,7 @@ index e720dcd..53ea674 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1235,29 +1609,31 @@ template(`userdom_security_admin_template',`
+@@ -1235,29 +1610,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -145874,7 +145890,7 @@ index e720dcd..53ea674 100644
  	')
  
  	optional_policy(`
-@@ -1317,12 +1693,15 @@ interface(`userdom_user_application_domain',`
+@@ -1317,12 +1694,15 @@ interface(`userdom_user_application_domain',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -145891,7 +145907,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -1363,6 +1742,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1363,6 +1743,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -145943,7 +145959,7 @@ index e720dcd..53ea674 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1467,11 +1891,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1467,11 +1892,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -145975,7 +145991,7 @@ index e720dcd..53ea674 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1513,6 +1957,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1513,6 +1958,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -145990,7 +146006,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -1528,9 +1980,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1528,9 +1981,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -146002,7 +146018,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -1587,6 +2041,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1587,6 +2042,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -146045,7 +146061,7 @@ index e720dcd..53ea674 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1666,6 +2156,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1666,6 +2157,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -146054,7 +146070,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -1680,10 +2172,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1680,10 +2173,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -146069,7 +146085,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -1726,6 +2220,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1726,6 +2221,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -146113,7 +146129,7 @@ index e720dcd..53ea674 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1745,6 +2276,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1745,6 +2277,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -146139,7 +146155,7 @@ index e720dcd..53ea674 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1775,14 +2325,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1775,14 +2326,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -146177,7 +146193,7 @@ index e720dcd..53ea674 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1793,11 +2365,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1793,11 +2366,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -146195,7 +146211,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -1856,25 +2431,25 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1856,25 +2432,25 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -146227,7 +146243,7 @@ index e720dcd..53ea674 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1882,46 +2457,53 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+@@ -1882,46 +2458,53 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -146297,7 +146313,7 @@ index e720dcd..53ea674 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1929,18 +2511,17 @@ interface(`userdom_exec_user_home_content_files',`
+@@ -1929,18 +2512,17 @@ interface(`userdom_exec_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -146319,7 +146335,7 @@ index e720dcd..53ea674 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1948,7 +2529,66 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
+@@ -1948,7 +2530,66 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -146387,7 +146403,7 @@ index e720dcd..53ea674 100644
  	gen_require(`
  		type user_home_dir_t, user_home_t;
  	')
-@@ -2018,6 +2658,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -2018,6 +2659,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -146412,7 +146428,7 @@ index e720dcd..53ea674 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2250,11 +2908,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2250,11 +2909,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -146427,7 +146443,7 @@ index e720dcd..53ea674 100644
  	files_search_tmp($1)
  ')
  
-@@ -2274,7 +2932,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2274,7 +2933,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -146436,7 +146452,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -2521,6 +3179,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,6 +3180,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -146462,7 +146478,7 @@ index e720dcd..53ea674 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2537,13 +3214,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2537,13 +3215,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -146478,7 +146494,7 @@ index e720dcd..53ea674 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2564,7 +3242,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3243,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -146487,7 +146503,7 @@ index e720dcd..53ea674 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2572,14 +3250,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,14 +3251,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -146522,7 +146538,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -2674,6 +3368,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2674,6 +3369,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -146547,7 +146563,7 @@ index e720dcd..53ea674 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2692,22 +3404,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3405,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -146590,7 +146606,7 @@ index e720dcd..53ea674 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2716,14 +3440,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3441,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -146628,7 +146644,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -2742,8 +3485,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3486,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -146658,7 +146674,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -2815,69 +3577,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3578,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -146759,7 +146775,7 @@ index e720dcd..53ea674 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2885,12 +3646,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3647,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -146774,7 +146790,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -2954,7 +3715,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3716,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -146783,7 +146799,7 @@ index e720dcd..53ea674 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2970,29 +3731,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,29 +3732,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -146817,7 +146833,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -3074,7 +3819,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3820,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -146826,7 +146842,7 @@ index e720dcd..53ea674 100644
  ')
  
  ########################################
-@@ -3129,12 +3874,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,12 +3875,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -146842,7 +146858,7 @@ index e720dcd..53ea674 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3142,36 +3888,37 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3142,36 +3889,37 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -146890,7 +146906,7 @@ index e720dcd..53ea674 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3179,40 +3926,96 @@ interface(`userdom_read_all_users_state',`
+@@ -3179,40 +3927,96 @@ interface(`userdom_read_all_users_state',`
  ##	</summary>
  ## </param>
  #
@@ -146997,7 +147013,7 @@ index e720dcd..53ea674 100644
  ##	</summary>
  ## </param>
  #
-@@ -3242,6 +4045,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4046,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -147040,7 +147056,7 @@ index e720dcd..53ea674 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4101,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4102,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -147065,7 +147081,7 @@ index e720dcd..53ea674 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3296,3 +4153,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4154,1365 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 0cf57d6..46b5ed0 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -367,7 +367,7 @@ index 0b827c5..cce58bb 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/abrt.te b/abrt.te
-index 30861ec..e143a71 100644
+index 30861ec..d183b7e 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
@@ -406,7 +406,14 @@ index 30861ec..e143a71 100644
  # etc files
  type abrt_etc_t;
  files_config_file(abrt_etc_t)
-@@ -27,15 +47,26 @@ files_tmp_file(abrt_tmp_t)
+@@ -20,22 +40,32 @@ files_config_file(abrt_etc_t)
+ type abrt_var_log_t;
+ logging_log_file(abrt_var_log_t)
+ 
+-# tmp files
+ type abrt_tmp_t;
+ files_tmp_file(abrt_tmp_t)
+ 
  # var/cache files
  type abrt_var_cache_t;
  files_type(abrt_var_cache_t)
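Review bot: The rewritten hunk header moves the start from line 27 up to line 20 only to pull in the deletion of the `# tmp files` comment above `type abrt_tmp_t;`, while the sibling comments such as `# var/cache files` and `# etc files` stay in place; the removal is unrelated to the functional abrt changes and makes the type declarations inconsistent, so either keep the comment or clean up all of them in a separate commit. The counts (`-27,15 +47,26` becoming `-20,22 +40,32`) do agree with exactly one removed line.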
@@ -435,7 +442,7 @@ index 30861ec..e143a71 100644
  application_domain(abrt_helper_t, abrt_helper_exec_t)
  role system_r types abrt_helper_t;
  
-@@ -43,14 +74,36 @@ ifdef(`enable_mcs',`
+@@ -43,14 +73,36 @@ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -474,7 +481,7 @@ index 30861ec..e143a71 100644
  
  allow abrt_t self:fifo_file rw_fifo_file_perms;
  allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +112,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +111,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
  allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
  
  # abrt etc files
@@ -482,7 +489,7 @@ index 30861ec..e143a71 100644
  rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
  
  # log file
-@@ -68,7 +122,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -68,7 +121,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  # abrt tmp files
  manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -492,7 +499,7 @@ index 30861ec..e143a71 100644
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -76,16 +132,18 @@ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -76,16 +131,18 @@ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
  files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
@@ -513,7 +520,7 @@ index 30861ec..e143a71 100644
  kernel_rw_kernel_sysctl(abrt_t)
  
  corecmd_exec_bin(abrt_t)
-@@ -93,7 +151,6 @@ corecmd_exec_shell(abrt_t)
+@@ -93,7 +150,6 @@ corecmd_exec_shell(abrt_t)
  corecmd_read_all_executables(abrt_t)
  
  corenet_all_recvfrom_netlabel(abrt_t)
@@ -521,7 +528,7 @@ index 30861ec..e143a71 100644
  corenet_tcp_sendrecv_generic_if(abrt_t)
  corenet_tcp_sendrecv_generic_node(abrt_t)
  corenet_tcp_sendrecv_generic_port(abrt_t)
-@@ -104,6 +161,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +160,8 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
@@ -530,7 +537,7 @@ index 30861ec..e143a71 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +172,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -540,7 +547,7 @@ index 30861ec..e143a71 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +181,9 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +180,9 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -550,7 +557,7 @@ index 30861ec..e143a71 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,22 +194,37 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +193,37 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -592,7 +599,7 @@ index 30861ec..e143a71 100644
  ')
  
  optional_policy(`
-@@ -167,6 +245,7 @@ optional_policy(`
+@@ -167,6 +244,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -600,7 +607,7 @@ index 30861ec..e143a71 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,9 +257,36 @@ optional_policy(`
+@@ -178,9 +256,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -637,7 +644,7 @@ index 30861ec..e143a71 100644
  ########################################
  #
  # abrt--helper local policy
-@@ -196,13 +302,16 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -196,13 +301,16 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -655,7 +662,7 @@ index 30861ec..e143a71 100644
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -211,12 +320,11 @@ auth_use_nsswitch(abrt_helper_t)
+@@ -211,12 +319,11 @@ auth_use_nsswitch(abrt_helper_t)
  
  logging_send_syslog_msg(abrt_helper_t)
  
@@ -670,7 +677,7 @@ index 30861ec..e143a71 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +332,150 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +331,150 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -2110,10 +2117,10 @@ index 0000000..fe0cdf0
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..feabdf3
+index 0000000..adcd6f4
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,36 @@
+@@ -0,0 +1,38 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -2141,6 +2148,8 @@ index 0000000..feabdf3
 +manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
 +manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
 +
++kernel_read_net_sysctls(antivirus_domain)
++
 +optional_policy(`
 +	amavis_manage_spool_files(antivirus_domain)
 +')
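Review bot: `kernel_read_net_sysctls(antivirus_domain)` is attached to the attribute, so every domain carrying antivirus_domain gains the read, not only the member that produced the denial; for a read-only sysctl interface that is acceptable, but a one-line comment naming the member that needed it keeps the shared attribute block from silently accumulating per-member rules.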
@@ -6042,7 +6051,7 @@ index 44a1e3d..bc50fd6 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 0968cb4..70bebb1 100644
+index 0968cb4..b68812a 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -6,6 +6,13 @@ policy_module(bind, 1.11.0)
@@ -6086,7 +6095,15 @@ index 0968cb4..70bebb1 100644
  type named_log_t;
  logging_log_file(named_log_t)
  
-@@ -89,9 +100,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+@@ -62,6 +73,7 @@ role system_r types ndc_t;
+ 
+ allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+ dontaudit named_t self:capability sys_tty_config;
++allow named_t self:capability2 block_suspend;
+ allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+ allow named_t self:fifo_file rw_fifo_file_perms;
+ allow named_t self:unix_stream_socket create_stream_socket_perms;
+@@ -89,9 +101,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
  manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
  files_tmp_filetrans(named_t, named_tmp_t, { file dir })
  
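Review bot: `allow named_t self:capability2 block_suspend;` grants the capability outright; if named keeps working when the request is refused, a `dontaudit named_t self:capability2 block_suspend;` would remove the audit noise without widening the domain, and if it is functionally required the reason belongs in a comment beside the rule, since this is the only capability2 permission in the domain and it will otherwise look like a leftover.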
@@ -6098,7 +6115,7 @@ index 0968cb4..70bebb1 100644
  
  # read zone files
  allow named_t named_zone_t:dir list_dir_perms;
-@@ -104,7 +116,6 @@ kernel_read_network_state(named_t)
+@@ -104,7 +117,6 @@ kernel_read_network_state(named_t)
  
  corecmd_search_bin(named_t)
  
@@ -6106,7 +6123,7 @@ index 0968cb4..70bebb1 100644
  corenet_all_recvfrom_netlabel(named_t)
  corenet_tcp_sendrecv_generic_if(named_t)
  corenet_udp_sendrecv_generic_if(named_t)
-@@ -131,7 +142,6 @@ dev_read_urand(named_t)
+@@ -131,7 +143,6 @@ dev_read_urand(named_t)
  
  domain_use_interactive_fds(named_t)
  
@@ -6114,7 +6131,7 @@ index 0968cb4..70bebb1 100644
  files_read_etc_runtime_files(named_t)
  
  fs_getattr_all_fs(named_t)
-@@ -141,12 +151,15 @@ auth_use_nsswitch(named_t)
+@@ -141,12 +152,15 @@ auth_use_nsswitch(named_t)
  
  logging_send_syslog_msg(named_t)
  
@@ -6131,7 +6148,7 @@ index 0968cb4..70bebb1 100644
  tunable_policy(`named_write_master_zones',`
  	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
  	manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -154,6 +167,12 @@ tunable_policy(`named_write_master_zones',`
+@@ -154,6 +168,12 @@ tunable_policy(`named_write_master_zones',`
  ')
  
  optional_policy(`
@@ -6144,7 +6161,7 @@ index 0968cb4..70bebb1 100644
  	init_dbus_chat_script(named_t)
  
  	sysnet_dbus_chat_dhcpc(named_t)
-@@ -168,6 +187,7 @@ optional_policy(`
+@@ -168,6 +188,7 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_keytab_template(named, named_t)
@@ -6152,7 +6169,7 @@ index 0968cb4..70bebb1 100644
  ')
  
  optional_policy(`
-@@ -199,6 +219,7 @@ optional_policy(`
+@@ -199,6 +220,7 @@ optional_policy(`
  
  # cjp: why net_admin?!
  allow ndc_t self:capability { dac_override net_admin };
@@ -6160,7 +6177,7 @@ index 0968cb4..70bebb1 100644
  allow ndc_t self:process { fork signal_perms };
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
-@@ -211,13 +232,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
+@@ -211,13 +233,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
  stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
  
  allow ndc_t named_conf_t:file read_file_perms;
@@ -6176,7 +6193,7 @@ index 0968cb4..70bebb1 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -228,28 +249,26 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
+@@ -228,28 +250,26 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
  
  domain_use_interactive_fds(ndc_t)
  
@@ -6350,11 +6367,23 @@ index 6355318..98ba16a 100644
  /usr/libexec/blueman-mechanism	--	gen_context(system_u:object_r:blueman_exec_t,s0)
  
  /var/lib/blueman(/.*)?			gen_context(system_u:object_r:blueman_var_lib_t,s0)
+diff --git a/blueman.if b/blueman.if
+index 6b081c4..bd44bc6 100644
+--- a/blueman.if
++++ b/blueman.if
+@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',`
+ 
+ 	allow $1 blueman_t:dbus send_msg;
+ 	allow blueman_t $1:dbus send_msg;
++	ps_process_pattern(blueman_t, $1)
+ ')
+ 
+ ########################################
 diff --git a/blueman.te b/blueman.te
-index 70969fa..63ed14f 100644
+index 70969fa..24a4ba7 100644
 --- a/blueman.te
 +++ b/blueman.te
-@@ -7,23 +7,35 @@ policy_module(blueman, 1.0.0)
+@@ -7,40 +7,76 @@ policy_module(blueman, 1.0.0)
  
  type blueman_t;
  type blueman_exec_t;
@@ -6391,7 +6420,11 @@ index 70969fa..63ed14f 100644
  
  corecmd_exec_bin(blueman_t)
  
-@@ -34,13 +46,36 @@ dev_rw_wireless(blueman_t)
+ dev_read_rand(blueman_t)
+ dev_read_urand(blueman_t)
+ dev_rw_wireless(blueman_t)
++dev_rwx_zero(blueman_t)
+ 
  domain_use_interactive_fds(blueman_t)
  
  files_read_usr_files(blueman_t)
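Review bot: `dev_rwx_zero(blueman_t)` lets the domain map /dev/zero both writable and executable, which is a writable-plus-executable memory grant rather than a device access, so it should be reviewed like execmem; since the need comes from a JRE rather than from blueman itself, consider gating it behind a tunable or at least carrying a comment that names the component requiring it, so the grant is not copied to other domains without the same justification.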
@@ -6898,10 +6931,10 @@ index 0000000..fbcef10
 +')
 diff --git a/boinc.te b/boinc.te
 new file mode 100644
-index 0000000..0a7e857
+index 0000000..a88fbf8
 --- /dev/null
 +++ b/boinc.te
-@@ -0,0 +1,199 @@
+@@ -0,0 +1,200 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@@ -6950,6 +6983,7 @@ index 0000000..0a7e857
 +
 +allow boinc_domain self:fifo_file rw_fifo_file_perms;
 +allow boinc_domain self:sem create_sem_perms;
++allow boinc_domain self:process execmem;
 +
 +manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
 +manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
@@ -7059,7 +7093,7 @@ index 0000000..0a7e857
 +allow boinc_t boinc_project_t:process noatsecure;
 +
 +allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop };
-+allow boinc_project_t self:process { execmem execstack };
++allow boinc_project_t self:process { execstack };
 +
 +manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 +manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
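Review bot: with execmem moved onto the boinc_domain attribute in the previous hunk, `+allow boinc_project_t self:process { execstack };` is left with braces around a single permission; `allow boinc_project_t self:process execstack;` is the usual form. The move also extends execmem to every domain carrying boinc_domain, not just boinc_project_t, which had it before; a short comment above the attribute-level rule should say which member needed it so the wider grant is not later "tidied" back onto the project domain alone.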
@@ -11143,7 +11177,7 @@ index 733e4e6..825f537 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/colord.te b/colord.te
-index 74505cc..e21138f 100644
+index 74505cc..cb3cd99 100644
 --- a/colord.te
 +++ b/colord.te
 @@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
@@ -11154,7 +11188,7 @@ index 74505cc..e21138f 100644
  
  type colord_tmp_t;
  files_tmp_file(colord_tmp_t)
-@@ -18,14 +19,20 @@ files_tmpfs_file(colord_tmpfs_t)
+@@ -18,14 +19,21 @@ files_tmpfs_file(colord_tmpfs_t)
  type colord_var_lib_t;
  files_type(colord_var_lib_t)
  
@@ -11165,6 +11199,7 @@ index 74505cc..e21138f 100644
  #
  # colord local policy
  #
++
  allow colord_t self:capability { dac_read_search dac_override };
 +dontaudit colord_t self:capability sys_admin;
  allow colord_t self:process signal;
@@ -11175,7 +11210,7 @@ index 74505cc..e21138f 100644
  allow colord_t self:udp_socket create_socket_perms;
  allow colord_t self:unix_dgram_socket create_socket_perms;
  
-@@ -41,15 +48,22 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+@@ -41,15 +49,22 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
  
@@ -11200,7 +11235,7 @@ index 74505cc..e21138f 100644
  dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
-@@ -62,22 +76,36 @@ dev_rw_generic_usb_dev(colord_t)
+@@ -62,22 +77,39 @@ dev_rw_generic_usb_dev(colord_t)
  domain_use_interactive_fds(colord_t)
  
  files_list_mnt(colord_t)
@@ -11212,7 +11247,8 @@ index 74505cc..e21138f 100644
 +fs_dontaudit_getattr_all_fs(colord_t)
 +fs_list_noxattr_fs(colord_t)
  fs_read_noxattr_fs_files(colord_t)
- 
++fs_read_cgroup_files(colord_t)
++
 +storage_getattr_fixed_disk_dev(colord_t)
 +storage_getattr_removable_dev(colord_t)
 +storage_read_scsi_generic(colord_t)
@@ -11220,6 +11256,8 @@ index 74505cc..e21138f 100644
 +
 +auth_use_nsswitch(colord_t)
 +
++init_read_state(colord_t)
+ 
  logging_send_syslog_msg(colord_t)
  
 -miscfiles_read_localization(colord_t)
@@ -11240,7 +11278,7 @@ index 74505cc..e21138f 100644
  	fs_read_cifs_files(colord_t)
  ')
  
-@@ -86,6 +114,13 @@ optional_policy(`
+@@ -86,6 +118,13 @@ optional_policy(`
  	cups_read_rw_config(colord_t)
  	cups_stream_connect(colord_t)
  	cups_dbus_chat(colord_t)
@@ -11254,7 +11292,7 @@ index 74505cc..e21138f 100644
  ')
  
  optional_policy(`
-@@ -96,5 +131,20 @@ optional_policy(`
+@@ -96,5 +135,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21975,7 +22013,7 @@ index 9d3201b..6e75e3d 100644
 +	allow $1 ftpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ftp.te b/ftp.te
-index 80026bb..30968b3 100644
+index 80026bb..4772c87 100644
 --- a/ftp.te
 +++ b/ftp.te
 @@ -12,7 +12,7 @@ policy_module(ftp, 1.14.0)
@@ -22148,7 +22186,7 @@ index 80026bb..30968b3 100644
  
  init_rw_utmp(ftpd_t)
  
-@@ -226,42 +257,47 @@ logging_send_audit_msgs(ftpd_t)
+@@ -226,42 +257,48 @@ logging_send_audit_msgs(ftpd_t)
  logging_send_syslog_msg(ftpd_t)
  logging_set_loginuid(ftpd_t)
  
@@ -22194,6 +22232,7 @@ index 80026bb..30968b3 100644
 +tunable_policy(`ftpd_full_access',`
  	allow ftpd_t self:capability { dac_override dac_read_search };
 -	files_manage_non_auth_files(ftpd_t)
++	files_manage_non_security_dirs(ftpd_t)
 +	files_manage_non_security_files(ftpd_t)
 +')
 +
@@ -22206,7 +22245,7 @@ index 80026bb..30968b3 100644
  ')
  
  tunable_policy(`ftp_home_dir',`
-@@ -270,10 +306,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +307,13 @@ tunable_policy(`ftp_home_dir',`
  	# allow access to /home
  	files_list_home(ftpd_t)
  	userdom_read_user_home_content_files(ftpd_t)
@@ -22224,7 +22263,7 @@ index 80026bb..30968b3 100644
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,10 +348,35 @@ optional_policy(`
+@@ -309,10 +349,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22261,7 +22300,7 @@ index 80026bb..30968b3 100644
  ')
  
  optional_policy(`
-@@ -347,16 +411,17 @@ optional_policy(`
+@@ -347,16 +412,17 @@ optional_policy(`
  
  # Allow ftpdctl to talk to ftpd over a socket connection
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -22281,7 +22320,7 @@ index 80026bb..30968b3 100644
  
  ########################################
  #
-@@ -365,18 +430,34 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +431,35 @@ userdom_use_user_terminals(ftpdctl_t)
  
  files_read_etc_files(sftpd_t)
  
@@ -22294,6 +22333,7 @@ index 80026bb..30968b3 100644
 +tunable_policy(`sftpd_full_access',`
 +	allow sftpd_t self:capability { dac_override dac_read_search };
 +	fs_read_noxattr_fs_files(sftpd_t)
++	files_manage_non_security_dirs(sftpd_t)
 +	files_manage_non_security_files(sftpd_t)
 +')
 +
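Review bot: `files_manage_non_security_dirs(sftpd_t)` here, like the matching line added to the `ftpd_full_access` block above, extends both full-access booleans from files to directories (create, rename, remove), while the dac_override and dac_read_search capabilities in the same blocks mean DAC no longer limits that scope; the `<desc>` text of each tunable should state that directory manipulation is included and that only security_file_type content stays out of reach.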
@@ -22319,7 +22359,7 @@ index 80026bb..30968b3 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +475,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +477,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -25329,7 +25369,7 @@ index f5afe78..f73c152 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/gnome.te b/gnome.te
-index 783c5fb..92214c3 100644
+index 783c5fb..404e92c 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0)
@@ -25462,7 +25502,7 @@ index 783c5fb..92214c3 100644
 +# gnome-system-monitor-mechanisms local policy
 +#
 +
-+allow gnomesystemmm_t self:capability sys_nice;
++allow gnomesystemmm_t self:capability { sys_admin sys_nice };
 +allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
 +
 +rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)
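Review bot: `allow gnomesystemmm_t self:capability { sys_admin sys_nice };` adds sys_admin, the broadest capability available, to a helper whose other rules are narrow; if the operation that trips the denial degrades gracefully without it, `dontaudit` is the safer choice, and if it is genuinely required the rule needs a comment naming the call that needs it so the capability is not propagated to other helpers on the strength of this line alone.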
@@ -25619,15 +25659,18 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/gnomeclock.te b/gnomeclock.te
-index 4fde46b..d58acfc 100644
+index 4fde46b..bcaea08 100644
 --- a/gnomeclock.te
 +++ b/gnomeclock.te
-@@ -7,38 +7,84 @@ policy_module(gnomeclock, 1.0.0)
+@@ -7,38 +7,93 @@ policy_module(gnomeclock, 1.0.0)
  
  type gnomeclock_t;
  type gnomeclock_exec_t;
 -dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
 +init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
++
++type gnomeclock_tmp_t;
++files_tmp_file(gnomeclock_tmp_t)
  
  ########################################
  #
@@ -25642,20 +25685,25 @@ index 4fde46b..d58acfc 100644
  allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
 +allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
 +
++manage_dirs_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
++manage_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
++manage_lnk_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
++files_tmp_filetrans(gnomeclock_t, gnomeclock_tmp_t, { file dir })
++
 +kernel_read_system_state(gnomeclock_t)
  
  corecmd_exec_bin(gnomeclock_t)
 +corecmd_exec_shell(gnomeclock_t)
 +corecmd_dontaudit_access_check_bin(gnomeclock_t)
-+
+ 
+-files_read_etc_files(gnomeclock_t)
 +corenet_tcp_connect_time_port(gnomeclock_t)
 +
 +dev_rw_realtime_clock(gnomeclock_t)
 +dev_read_urand(gnomeclock_t)
 +dev_write_kmsg(gnomeclock_t)
 +dev_read_sysfs(gnomeclock_t)
- 
--files_read_etc_files(gnomeclock_t)
++
 +files_read_etc_runtime_files(gnomeclock_t)
  files_read_usr_files(gnomeclock_t)
  
@@ -25699,6 +25747,7 @@ index 4fde46b..d58acfc 100644
 +optional_policy(`
 +	gnome_manage_usr_config(gnomeclock_t)
 +	gnome_manage_home_config(gnomeclock_t)
++	gnome_filetrans_admin_home_content(gnomeclock_t)
 +')
 +
 +optional_policy(`
@@ -27121,7 +27170,7 @@ index 10f25d3..ec4cd54 100644
  
  optional_policy(`
 diff --git a/inn.if b/inn.if
-index ebc9e0d..617f52f 100644
+index ebc9e0d..4843239 100644
 --- a/inn.if
 +++ b/inn.if
 @@ -13,7 +13,7 @@
@@ -27149,7 +27198,34 @@ index ebc9e0d..617f52f 100644
  	allow $1 innd_var_lib_t:dir list_dir_perms;
  	allow $1 innd_var_lib_t:file read_file_perms;
  	allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
-@@ -133,6 +135,7 @@ interface(`inn_read_news_spool',`
+@@ -120,7 +122,25 @@ interface(`inn_read_news_lib',`
+ 
+ ########################################
+ ## <summary>
+-##	Read innd news library files.
++##	Write innd inherited news library content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`inn_write_inherited_news_lib',`
++	gen_require(`
++		type innd_var_lib_t;
++	')
++
++	allow $1 innd_var_lib_t:file write_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Read innd news spool content.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -133,6 +153,7 @@ interface(`inn_read_news_spool',`
  		type news_spool_t;
  	')
  
@@ -27157,7 +27233,7 @@ index ebc9e0d..617f52f 100644
  	allow $1 news_spool_t:dir list_dir_perms;
  	allow $1 news_spool_t:file read_file_perms;
  	allow $1 news_spool_t:lnk_file read_lnk_file_perms;
-@@ -195,12 +198,15 @@ interface(`inn_domtrans',`
+@@ -195,12 +216,15 @@ interface(`inn_domtrans',`
  interface(`inn_admin',`
  	gen_require(`
  		type innd_t, innd_etc_t, innd_log_t;
@@ -30821,10 +30897,10 @@ index 0000000..562d25b
 +')
 diff --git a/l2tpd.te b/l2tpd.te
 new file mode 100644
-index 0000000..1e292d4
+index 0000000..21d242b
 --- /dev/null
 +++ b/l2tpd.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,103 @@
 +policy_module(l2tpd, 1.0.0)
 +
 +########################################
@@ -30920,6 +30996,10 @@ index 0000000..1e292d4
 +sysnet_dns_name_resolve(l2tpd_t)
 +
 +optional_policy(`
++	networkmanager_read_pid_files(l2tpd_t)
++')
++
++optional_policy(`
 +	ppp_domtrans(l2tpd_t)
 +	ppp_signal(l2tpd_t)
 +	ppp_kill(l2tpd_t)
@@ -31788,7 +31868,7 @@ index 572b5db..1e55f43 100644
 +userdom_use_inherited_user_terminals(lockdev_t)
 +
 diff --git a/logrotate.te b/logrotate.te
-index 7090dae..8a2583b 100644
+index 7090dae..e3ece9b 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -29,9 +29,8 @@ files_type(logrotate_var_lib_t)
@@ -31935,7 +32015,7 @@ index 7090dae..8a2583b 100644
  	icecast_signal(logrotate_t)
  ')
  
-@@ -194,15 +215,19 @@ optional_policy(`
+@@ -194,15 +215,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31946,20 +32026,27 @@ index 7090dae..8a2583b 100644
  ')
  
  optional_policy(`
--	psad_domtrans(logrotate_t)
 +	polipo_named_filetrans_log_files(logrotate_t)
++')
++
++optional_policy(`
+ 	psad_domtrans(logrotate_t)
  ')
  
 +optional_policy(`
-+	psad_domtrans(logrotate_t)
++	raid_domtrans_mdadm(logrotate_t)
 +')
  
  optional_policy(`
  	samba_exec_log(logrotate_t)
-@@ -217,6 +242,11 @@ optional_policy(`
+@@ -217,6 +246,15 @@ optional_policy(`
  ')
  
  optional_policy(`
++	openshift_manage_lib_files(logrotate_t)
++')
++
++optional_policy(`
 +	openvswitch_read_pid_files(logrotate_t)
 +	openvswitch_domtrans(logrotate_t)
 +')
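Review bot: `openshift_manage_lib_files(logrotate_t)` grants create, write and unlink on every openshift lib file, which is wider than rotating the logs kept in those directories; if the openshift module offers a log-specific or directory-scoped interface it should be used instead, and otherwise the line deserves a comment explaining why the whole lib tree has to be writable by logrotate.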
@@ -31968,7 +32055,7 @@ index 7090dae..8a2583b 100644
  	squid_domtrans(logrotate_t)
  ')
  
-@@ -228,3 +258,14 @@ optional_policy(`
+@@ -228,3 +266,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -34942,7 +35029,7 @@ index b397fde..eda9218 100644
 +')
 +
 diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..95b8be3 100644
+index d4fcb75..f8135a0 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -35105,7 +35192,7 @@ index d4fcb75..95b8be3 100644
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
  ')
-@@ -297,65 +317,102 @@ optional_policy(`
+@@ -297,65 +317,103 @@ optional_policy(`
  # mozilla_plugin local policy
  #
  
@@ -35218,12 +35305,13 @@ index d4fcb75..95b8be3 100644
  dev_write_sound(mozilla_plugin_t)
  # for nvidia driver
  dev_rw_xserver_misc(mozilla_plugin_t)
++dev_rwx_zero(mozilla_plugin_t)
  dev_dontaudit_rw_dri(mozilla_plugin_t)
 +dev_dontaudit_getattr_all(mozilla_plugin_t)
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,55 +420,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,55 +421,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
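Review bot: `dev_rwx_zero(mozilla_plugin_t)` is the same writable-plus-executable /dev/zero mapping added for blueman_t elsewhere in this patch, and for a domain that runs browser plugins it is effectively an execmem grant by another route; it should sit next to the domain's other executable-memory rules and, if those are controlled by a boolean, be placed under the same boolean so that turning it off actually prevents W+X mappings rather than leaving this bypass open.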
@@ -35305,7 +35393,7 @@ index d4fcb75..95b8be3 100644
  ')
  
  optional_policy(`
-@@ -422,24 +483,39 @@ optional_policy(`
+@@ -422,24 +484,39 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -35349,7 +35437,7 @@ index d4fcb75..95b8be3 100644
  ')
  
  optional_policy(`
-@@ -447,10 +523,117 @@ optional_policy(`
+@@ -447,10 +524,117 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -39052,7 +39140,7 @@ index 2324d9e..96dbf6f 100644
 +	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
 +')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0619395..c0e8f13 100644
+index 0619395..52574f2 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -39071,7 +39159,7 @@ index 0619395..c0e8f13 100644
  type NetworkManager_log_t;
  logging_log_file(NetworkManager_log_t)
  
-@@ -35,26 +44,49 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -35,26 +44,50 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161)
@@ -39101,6 +39189,7 @@ index 0619395..c0e8f13 100644
 +allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
  allow NetworkManager_t self:udp_socket create_socket_perms;
  allow NetworkManager_t self:packet_socket create_socket_perms;
++allow NetworkManager_t self:rawip_socket create_socket_perms;
  
  allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
  
@@ -39125,7 +39214,7 @@ index 0619395..c0e8f13 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -75,7 +107,6 @@ kernel_request_load_module(NetworkManager_t)
+@@ -75,7 +108,6 @@ kernel_request_load_module(NetworkManager_t)
  kernel_read_debugfs(NetworkManager_t)
  kernel_rw_net_sysctls(NetworkManager_t)
  
@@ -39133,7 +39222,7 @@ index 0619395..c0e8f13 100644
  corenet_all_recvfrom_netlabel(NetworkManager_t)
  corenet_tcp_sendrecv_generic_if(NetworkManager_t)
  corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -95,11 +126,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
+@@ -95,11 +127,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
  corenet_rw_tun_tap_dev(NetworkManager_t)
  corenet_getattr_ppp_dev(NetworkManager_t)
  
@@ -39147,7 +39236,7 @@ index 0619395..c0e8f13 100644
  
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,10 +145,10 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,10 +146,10 @@ corecmd_exec_shell(NetworkManager_t)
  corecmd_exec_bin(NetworkManager_t)
  
  domain_use_interactive_fds(NetworkManager_t)
@@ -39160,7 +39249,7 @@ index 0619395..c0e8f13 100644
  files_read_usr_files(NetworkManager_t)
  files_read_usr_src_files(NetworkManager_t)
  
-@@ -128,35 +160,51 @@ init_domtrans_script(NetworkManager_t)
+@@ -128,35 +161,51 @@ init_domtrans_script(NetworkManager_t)
  
  auth_use_nsswitch(NetworkManager_t)
  
@@ -39215,7 +39304,7 @@ index 0619395..c0e8f13 100644
  ')
  
  optional_policy(`
-@@ -176,10 +224,17 @@ optional_policy(`
+@@ -176,10 +225,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39233,7 +39322,7 @@ index 0619395..c0e8f13 100644
  	')
  ')
  
-@@ -191,6 +246,7 @@ optional_policy(`
+@@ -191,6 +247,7 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -39241,7 +39330,7 @@ index 0619395..c0e8f13 100644
  ')
  
  optional_policy(`
-@@ -202,23 +258,49 @@ optional_policy(`
+@@ -202,23 +259,49 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39291,7 +39380,7 @@ index 0619395..c0e8f13 100644
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -234,6 +316,10 @@ optional_policy(`
+@@ -234,6 +317,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39302,7 +39391,7 @@ index 0619395..c0e8f13 100644
  	ppp_initrc_domtrans(NetworkManager_t)
  	ppp_domtrans(NetworkManager_t)
  	ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +327,7 @@ optional_policy(`
+@@ -241,6 +328,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -39310,7 +39399,7 @@ index 0619395..c0e8f13 100644
  ')
  
  optional_policy(`
-@@ -254,6 +341,12 @@ optional_policy(`
+@@ -254,6 +342,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39323,7 +39412,7 @@ index 0619395..c0e8f13 100644
  	udev_exec(NetworkManager_t)
  	udev_read_db(NetworkManager_t)
  ')
-@@ -263,6 +356,7 @@ optional_policy(`
+@@ -263,6 +357,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -39331,7 +39420,7 @@ index 0619395..c0e8f13 100644
  ')
  
  ########################################
-@@ -284,6 +378,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -284,6 +379,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -40264,7 +40353,7 @@ index 85188dc..7b8f5ad 100644
 +	allow $1 nscd_unit_file_t:service all_service_perms;
  ')
 diff --git a/nscd.te b/nscd.te
-index 7936e09..2814186 100644
+index 7936e09..00cabc7 100644
 --- a/nscd.te
 +++ b/nscd.te
 @@ -4,6 +4,13 @@ gen_require(`
@@ -40345,7 +40434,7 @@ index 7936e09..2814186 100644
  	cron_read_system_job_tmp_files(nscd_t)
  ')
  
-@@ -127,3 +141,19 @@ optional_policy(`
+@@ -127,3 +141,20 @@ optional_policy(`
  	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
  	xen_append_log(nscd_t)
  ')
@@ -40360,6 +40449,7 @@ index 7936e09..2814186 100644
 +optional_policy(`
 +	samba_read_config(nscd_t)
 +	samba_read_var_files(nscd_t)
++	samba_stream_connect_nmbd(nscd_t)
 +')
 +
 +optional_policy(`
@@ -54826,7 +54916,7 @@ index 47c4723..64c8889 100644
 +')
 +
 diff --git a/readahead.te b/readahead.te
-index b4ac57e..e384d8e 100644
+index b4ac57e..7b76aa2 100644
 --- a/readahead.te
 +++ b/readahead.te
 @@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -54867,7 +54957,7 @@ index b4ac57e..e384d8e 100644
  dev_getattr_generic_chr_files(readahead_t)
  dev_getattr_generic_blk_files(readahead_t)
  dev_getattr_all_chr_files(readahead_t)
-@@ -53,10 +60,19 @@ domain_read_all_domains_state(readahead_t)
+@@ -53,10 +60,21 @@ domain_read_all_domains_state(readahead_t)
  
  files_list_non_security(readahead_t)
  files_read_non_security_files(readahead_t)
@@ -54878,6 +54968,8 @@ index b4ac57e..e384d8e 100644
  files_dontaudit_getattr_all_sockets(readahead_t)
  files_dontaudit_getattr_non_security_blk_files(readahead_t)
 +files_dontaudit_all_access_check(readahead_t)
++files_dontaudit_read_security_files(readahead_t)
++files_dontaudit_read_all_sockets(readahead_t)
 +
 +ifdef(`hide_broken_symptoms', `
 +      files_dontaudit_write_all_files(readahead_t)
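Review bot: `files_dontaudit_read_security_files(readahead_t)` silences read denials on every security_file_type object, well beyond the shadow file already covered by the existing `auth_dontaudit_read_shadow(readahead_t)`; those are exactly the denials auditing is meant to surface for a domain that reads files across the filesystem, so prefer a getattr-only dontaudit if readahead merely stats them, or a dontaudit scoped to the specific type that produced the noise. The same applies, to a lesser degree, to `files_dontaudit_read_all_sockets(readahead_t)`.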
@@ -54887,7 +54979,7 @@ index b4ac57e..e384d8e 100644
  
  fs_getattr_all_fs(readahead_t)
  fs_search_auto_mountpoints(readahead_t)
-@@ -66,12 +82,14 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,12 +84,14 @@ fs_read_cgroup_files(readahead_t)
  fs_read_tmpfs_files(readahead_t)
  fs_read_tmpfs_symlinks(readahead_t)
  fs_list_inotifyfs(readahead_t)
@@ -54902,7 +54994,7 @@ index b4ac57e..e384d8e 100644
  
  storage_raw_read_fixed_disk(readahead_t)
  
-@@ -82,13 +100,13 @@ auth_dontaudit_read_shadow(readahead_t)
+@@ -82,13 +102,13 @@ auth_dontaudit_read_shadow(readahead_t)
  init_use_fds(readahead_t)
  init_use_script_ptys(readahead_t)
  init_getattr_initctl(readahead_t)
@@ -58948,7 +59040,7 @@ index 3386f29..8d8f6c5 100644
 +	files_etc_filetrans($1, rsync_etc_t, $2)
 +')
 diff --git a/rsync.te b/rsync.te
-index 2834d86..8fdd060 100644
+index 2834d86..a6bb0b5 100644
 --- a/rsync.te
 +++ b/rsync.te
 @@ -7,6 +7,27 @@ policy_module(rsync, 1.12.0)
@@ -58979,16 +59071,24 @@ index 2834d86..8fdd060 100644
  ## Allow rsync to export any files/directories read only.
  ## </p>
  ## </desc>
-@@ -19,7 +40,7 @@ gen_tunable(rsync_export_all_ro, false)
+@@ -19,7 +40,15 @@ gen_tunable(rsync_export_all_ro, false)
  ## labeled public_content_rw_t.
  ## </p>
  ## </desc>
 -gen_tunable(allow_rsync_anon_write, false)
 +gen_tunable(rsync_anon_write, false)
++
++## <desc>
++##	<p>
++##	Allow rsync server to manage all files/directories on the system.
++##	</p>
++## </desc>
++gen_tunable(rsync_full_access, false)
++
  
  type rsync_t;
  type rsync_exec_t;
-@@ -59,7 +80,7 @@ allow rsync_t self:udp_socket connected_socket_perms;
+@@ -59,11 +88,12 @@ allow rsync_t self:udp_socket connected_socket_perms;
  allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  #end for identd
  
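Review bot: the new `rsync_full_access` tunable block ends with an added empty line (`++`) directly before the existing empty line, leaving two consecutive blank lines ahead of `type rsync_t;`; drop one. The added `<desc>` text also puts a tab after `##`, while the neighbouring description above (`## Allow rsync to export any files/directories read only.`) uses a single space, so align the indentation with the existing descriptions in this file.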
@@ -58997,7 +59097,12 @@ index 2834d86..8fdd060 100644
  
  allow rsync_t rsync_data_t:dir list_dir_perms;
  read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
-@@ -79,7 +100,6 @@ kernel_read_kernel_sysctls(rsync_t)
+ read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
++allow rsync_t rsync_data_t:dir_file_class_set getattr;
+ 
+ manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
+ logging_log_filetrans(rsync_t, rsync_log_t, file)
+@@ -79,7 +109,6 @@ kernel_read_kernel_sysctls(rsync_t)
  kernel_read_system_state(rsync_t)
  kernel_read_network_state(rsync_t)
  
@@ -59005,7 +59110,7 @@ index 2834d86..8fdd060 100644
  corenet_all_recvfrom_netlabel(rsync_t)
  corenet_tcp_sendrecv_generic_if(rsync_t)
  corenet_udp_sendrecv_generic_if(rsync_t)
-@@ -94,18 +114,19 @@ corenet_sendrecv_rsync_server_packets(rsync_t)
+@@ -94,20 +123,17 @@ corenet_sendrecv_rsync_server_packets(rsync_t)
  dev_read_urand(rsync_t)
  
  fs_getattr_xattr_fs(rsync_t)
@@ -59022,15 +59127,27 @@ index 2834d86..8fdd060 100644
  miscfiles_read_public_files(rsync_t)
  
 -tunable_policy(`allow_rsync_anon_write',`
+-	miscfiles_manage_public_files(rsync_t)
+-')
 +userdom_home_manager(rsync_t)
-+
-+tunable_policy(`rsync_anon_write',`
- 	miscfiles_manage_public_files(rsync_t)
- ')
  
-@@ -122,12 +143,26 @@ optional_policy(`
+ optional_policy(`
+ 	daemontools_service_domain(rsync_t, rsync_exec_t)
+@@ -121,13 +147,38 @@ optional_policy(`
+ 	inetd_service_domain(rsync_t, rsync_exec_t)
  ')
  
++tunable_policy(`rsync_anon_write',`
++	miscfiles_manage_public_files(rsync_t)
++')
++
++tunable_policy(`rsync_full_access',`
++	allow rsync_t self:capability { dac_override dac_read_search };
++	files_manage_non_security_dirs(rsync_t)
++	files_manage_non_security_files(rsync_t)
++	#files_relabel_non_security_files(rsync_t)
++')
++
  tunable_policy(`rsync_export_all_ro',`
 -	fs_read_noxattr_fs_files(rsync_t)
 +	files_getattr_all_pipes(rsync_t)
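Review bot: the commented-out `#files_relabel_non_security_files(rsync_t)` inside `tunable_policy(`rsync_full_access',` has no explanation in the code; the changelog says it "does not work with boolean", so put that reason in the comment or drop the line, otherwise it reads as an oversight. The `allow rsync_t self:capability { dac_override dac_read_search };` line in the same block also deserves a comment: with dac_override, rsync_t ignores file mode bits on everything `files_manage_non_security_files` covers, so a writable rsync module turns the daemon into a root-equivalent writer for all non-security content, and the tunable description should say that plainly. Moving the `rsync_anon_write` block below the optional_policy blocks is fine.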
@@ -59226,10 +59343,10 @@ index 69a6074..2ccac49 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/samba.if b/samba.if
-index 82cb169..a6bab06 100644
+index 82cb169..4f6fe4a 100644
 --- a/samba.if
 +++ b/samba.if
-@@ -42,6 +42,44 @@ interface(`samba_signal_nmbd',`
+@@ -42,6 +42,45 @@ interface(`samba_signal_nmbd',`
  
  ########################################
  ## <summary>
@@ -59262,11 +59379,12 @@ index 82cb169..a6bab06 100644
 +#
 +interface(`samba_stream_connect_nmbd',`
 +	gen_require(`
-+		type nmbd_t, nmbd_var_run_t;
++		type nmbd_t, nmbd_var_run_t, samba_var_t;
 +	')
 +
 +	samba_search_pid($1)
 +	stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++	stream_connect_pattern($1, samba_var_t, samba_var_t, nmbd_t)
 +')
 +
 +########################################
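Review bot: `stream_connect_pattern($1, samba_var_t, samba_var_t, nmbd_t)` grants the caller `sock_file write` on every socket labeled samba_var_t, not only nmbd's (the connectto is still limited to nmbd_t). samba_var_t is the generic /var/lib/samba type that samba_stream_connect_winbind in this same file also relies on (its gen_require lists `samba_var_t, winbind_t, winbind_var_run_t`), so callers of samba_stream_connect_nmbd now get write access on winbind-side sockets carrying that label as well. If nmbd creates its socket under /var/lib/samba, prefer a file context entry or a filetrans giving that socket nmbd_var_run_t so the existing `stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)` line covers it, and update the interface summary to say which socket is meant.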
@@ -59274,7 +59392,7 @@ index 82cb169..a6bab06 100644
  ##	Execute samba server in the samba domain.
  ## </summary>
  ## <param name="domain">
-@@ -60,6 +98,29 @@ interface(`samba_initrc_domtrans',`
+@@ -60,6 +99,29 @@ interface(`samba_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -59304,7 +59422,7 @@ index 82cb169..a6bab06 100644
  ##	Execute samba net in the samba_net domain.
  ## </summary>
  ## <param name="domain">
-@@ -79,6 +140,25 @@ interface(`samba_domtrans_net',`
+@@ -79,6 +141,25 @@ interface(`samba_domtrans_net',`
  
  ########################################
  ## <summary>
@@ -59330,7 +59448,7 @@ index 82cb169..a6bab06 100644
  ##	Execute samba net in the samba_net domain, and
  ##	allow the specified role the samba_net domain.
  ## </summary>
-@@ -103,6 +183,51 @@ interface(`samba_run_net',`
+@@ -103,6 +184,51 @@ interface(`samba_run_net',`
  	role $2 types samba_net_t;
  ')
  
@@ -59382,7 +59500,7 @@ index 82cb169..a6bab06 100644
  ########################################
  ## <summary>
  ##	Execute smbmount in the smbmount domain.
-@@ -166,6 +291,7 @@ interface(`samba_read_config',`
+@@ -166,6 +292,7 @@ interface(`samba_read_config',`
  	')
  
  	files_search_etc($1)
@@ -59390,7 +59508,7 @@ index 82cb169..a6bab06 100644
  	read_files_pattern($1, samba_etc_t, samba_etc_t)
  ')
  
-@@ -409,9 +535,10 @@ interface(`samba_manage_var_files',`
+@@ -409,9 +536,10 @@ interface(`samba_manage_var_files',`
  		type samba_var_t;
  	')
  
@@ -59402,7 +59520,7 @@ index 82cb169..a6bab06 100644
  ')
  
  ########################################
-@@ -548,6 +675,24 @@ interface(`samba_rw_smbmount_tcp_sockets',`
+@@ -548,6 +676,24 @@ interface(`samba_rw_smbmount_tcp_sockets',`
  	allow $1 smbmount_t:tcp_socket { read write };
  ')
  
@@ -59427,7 +59545,7 @@ index 82cb169..a6bab06 100644
  ########################################
  ## <summary>
  ##	Execute winbind_helper in the winbind_helper domain.
-@@ -564,6 +709,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -564,6 +710,7 @@ interface(`samba_domtrans_winbind_helper',`
  	')
  
  	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -59435,7 +59553,7 @@ index 82cb169..a6bab06 100644
  ')
  
  ########################################
-@@ -607,7 +753,7 @@ interface(`samba_read_winbind_pid',`
+@@ -607,7 +754,7 @@ interface(`samba_read_winbind_pid',`
  		type winbind_var_run_t;
  	')
  
@@ -59444,7 +59562,7 @@ index 82cb169..a6bab06 100644
  	allow $1 winbind_var_run_t:file read_file_perms;
  ')
  
-@@ -626,9 +772,10 @@ interface(`samba_stream_connect_winbind',`
+@@ -626,9 +773,10 @@ interface(`samba_stream_connect_winbind',`
  		type samba_var_t, winbind_t, winbind_var_run_t;
  	')
  
@@ -59456,7 +59574,7 @@ index 82cb169..a6bab06 100644
  
  	ifndef(`distro_redhat',`
  		gen_require(`
-@@ -644,6 +791,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +792,37 @@ interface(`samba_stream_connect_winbind',`
  
  ########################################
  ## <summary>
@@ -59494,7 +59612,7 @@ index 82cb169..a6bab06 100644
  ##	All of the rules required to administrate 
  ##	an samba environment
  ## </summary>
-@@ -661,33 +839,33 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,33 +840,33 @@ interface(`samba_stream_connect_winbind',`
  #
  interface(`samba_admin',`
  	gen_require(`
@@ -59549,7 +59667,7 @@ index 82cb169..a6bab06 100644
  
  	init_labeled_script_domtrans($1, samba_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -709,9 +887,6 @@ interface(`samba_admin',`
+@@ -709,9 +888,6 @@ interface(`samba_admin',`
  	admin_pattern($1, samba_var_t)
  	files_list_var($1)
  
@@ -59559,7 +59677,7 @@ index 82cb169..a6bab06 100644
  	admin_pattern($1, smbd_var_run_t)
  	files_list_pids($1)
  
-@@ -727,4 +902,9 @@ interface(`samba_admin',`
+@@ -727,4 +903,9 @@ interface(`samba_admin',`
  	admin_pattern($1, winbind_tmp_t)
  
  	admin_pattern($1, winbind_var_run_t)
@@ -62336,7 +62454,7 @@ index 7e94c7c..ca74cd9 100644
 +	admin_pattern($1, mail_spool_t)
 +')
 diff --git a/sendmail.te b/sendmail.te
-index 22dac1f..43db349 100644
+index 22dac1f..1d904cd 100644
 --- a/sendmail.te
 +++ b/sendmail.te
 @@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -62426,7 +62544,18 @@ index 22dac1f..43db349 100644
  ')
  
  optional_policy(`
-@@ -149,7 +160,14 @@ optional_policy(`
+@@ -141,6 +152,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	inn_write_inherited_news_lib(sendmail_t)
++')
++
++optional_policy(`
+ 	milter_stream_connect_all(sendmail_t)
+ ')
+ 
+@@ -149,7 +164,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62441,7 +62570,7 @@ index 22dac1f..43db349 100644
  	postfix_read_config(sendmail_t)
  	postfix_search_spool(sendmail_t)
  ')
-@@ -168,20 +186,13 @@ optional_policy(`
+@@ -168,20 +190,13 @@ optional_policy(`
  ')
  
  optional_policy(`
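Review bot: the new `inn_write_inherited_news_lib(sendmail_t)` block carries no comment on which invocation path hands sendmail an already-open inn news lib file descriptor. It is a cross-module write grant, so a one-line comment naming the trigger (the inn program that execs sendmail with the fd open) would let the next reader judge whether it is still needed. Placement between the preceding block and the milter block keeps the alphabetical order.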
@@ -64922,7 +65051,7 @@ index c954f31..82fc7f6 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..40e04ae 100644
+index 1bbf73b..3a41f66 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -6,52 +6,40 @@ policy_module(spamassassin, 2.5.0)
@@ -65444,7 +65573,7 @@ index 1bbf73b..40e04ae 100644
  	sendmail_stub(spamd_t)
  	mta_read_config(spamd_t)
  ')
-@@ -447,3 +555,55 @@ optional_policy(`
+@@ -447,3 +555,57 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -65468,6 +65597,7 @@ index 1bbf73b..40e04ae 100644
 +manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 +manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 +
++allow spamd_update_t spamc_home_t:dir search_dir_perms;
 +allow spamd_update_t spamd_tmp_t:file read_file_perms;
 +
 +kernel_read_system_state(spamd_update_t)
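Review bot: `allow spamd_update_t spamc_home_t:dir search_dir_perms;` only grants directory search; sa-update looking into /root/.spamassassin (the changelog motivation) will very likely also need to read, and possibly create, files under it, so expect follow-up AVCs on `spamc_home_t:file` unless those are covered elsewhere. A raw allow is acceptable since the type is local to this module, but add a comment tying the rule to the sa-update /root/.spamassassin case.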
@@ -65489,6 +65619,7 @@ index 1bbf73b..40e04ae 100644
 +
 +mta_read_config(spamd_update_t)
 +
++userdom_search_admin_dir(spamd_update_t)
 +userdom_use_inherited_user_ptys(spamd_update_t)
 +
 +optional_policy(`
@@ -65737,7 +65868,7 @@ index 4271815..45291bb 100644
  
  /var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)
 diff --git a/sssd.if b/sssd.if
-index 941380a..54c45f6 100644
+index 941380a..6c2da43 100644
 --- a/sssd.if
 +++ b/sssd.if
 @@ -1,13 +1,31 @@
@@ -65952,7 +66083,32 @@ index 941380a..54c45f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -225,21 +365,19 @@ interface(`sssd_stream_connect',`
+@@ -212,6 +352,24 @@ interface(`sssd_stream_connect',`
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit attempts to connect to sssd over a unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sssd_dontaudit_stream_connect',`
++	gen_require(`
++		type sssd_t;
++	')
++
++	dontaudit $1 sssd_t:unix_stream_socket connectto;
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate
+ ##	an sssd environment
+ ## </summary>
+@@ -225,21 +383,19 @@ interface(`sssd_stream_connect',`
  ##	The role to be allowed to manage the sssd domain.
  ##	</summary>
  ## </param>
@@ -65981,7 +66137,7 @@ index 941380a..54c45f6 100644
  
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
-@@ -252,4 +390,9 @@ interface(`sssd_admin',`
+@@ -252,4 +408,9 @@ interface(`sssd_admin',`
  	sssd_manage_lib_files($1)
  
  	admin_pattern($1, sssd_public_t)
@@ -66297,10 +66453,10 @@ index 0000000..80c6480
 +')
 diff --git a/stapserver.te b/stapserver.te
 new file mode 100644
-index 0000000..b87c79c
+index 0000000..d275f11
 --- /dev/null
 +++ b/stapserver.te
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,108 @@
 +policy_module(stapserver, 1.0.0)
 +
 +########################################
@@ -66321,6 +66477,9 @@ index 0000000..b87c79c
 +type stapserver_var_run_t;
 +files_pid_file(stapserver_var_run_t)
 +
++type stapserver_tmp_t;
++files_tmp_file(stapserver_tmp_t)
++
 +########################################
 +#
 +# stapserver local policy
@@ -66346,6 +66505,11 @@ index 0000000..b87c79c
 +manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 +logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
 +
++manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
++manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
++manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
++files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir })
++
 +manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
 +manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
 +files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
@@ -68031,10 +68195,10 @@ index 0000000..601aea3
 +/usr/lib/tumbler[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 diff --git a/thumb.if b/thumb.if
 new file mode 100644
-index 0000000..9127cec
+index 0000000..951ef50
 --- /dev/null
 +++ b/thumb.if
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,126 @@
 +
 +## <summary>policy for thumb</summary>
 +
@@ -68138,6 +68302,7 @@ index 0000000..9127cec
 +
 +        allow $1 thumb_t:dbus send_msg;
 +        allow thumb_t $1:dbus send_msg;
++		ps_process_pattern(thumb_t, $1)
 +')
 +
 +########################################
@@ -68162,10 +68327,10 @@ index 0000000..9127cec
 +')
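Review bot: `ps_process_pattern(thumb_t, $1)` is indented with a tab plus two spaces while the two `allow ... :dbus send_msg` lines above it use eight spaces; pick one (refpolicy uses a single tab). More importantly, the interface now lets thumb_t read the caller's process state (/proc/PID content), which is not what a *_dbus_chat interface name promises. Either document this in the interface summary or move it to a separate interface (something along the lines of a thumb_read_state variant, name only a suggestion) so callers that want only D-Bus messaging do not pick it up.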
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..57708c1
+index 0000000..6eb48e3
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,140 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -68286,6 +68451,7 @@ index 0000000..57708c1
 +	gnome_dontaudit_search_config(thumb_t)
 +	gnome_append_generic_cache_files(thumb_t)
 +	gnome_read_generic_data_home_files(thumb_t)
++	gnome_dontaudit_rw_generic_cache_files(thumb_t)
 +	gnome_manage_gstreamer_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_dirs(thumb_t)
 +	gnome_exec_gstreamer_home_files(thumb_t)
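Review bot: `gnome_dontaudit_rw_generic_cache_files(thumb_t)` sits directly under `gnome_append_generic_cache_files(thumb_t)`, which allows append on the same files. That combination is consistent (a dontaudit never overrides an allow), but if thumbnailers genuinely need to read or rewrite their cache files the dontaudit will hide the failure rather than surface it; a comment stating that read/write there is known to be unnecessary would document the decision.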
@@ -68294,6 +68460,10 @@ index 0000000..57708c1
 +')
 +
 +optional_policy(`
++	sssd_dontaudit_stream_connect(thumb_t)
++')
++
++optional_policy(`
 +	nscd_dontaudit_write_sock_file(thumb_t)
 +')
 +
@@ -73556,10 +73726,12 @@ index 32b4f76..b00362b 100644
  optional_policy(`
  	cron_system_entry(webalizer_t, webalizer_exec_t)
 diff --git a/wine.fc b/wine.fc
-index 9d24449..2666317 100644
+index 9d24449..008bba1 100644
 --- a/wine.fc
 +++ b/wine.fc
-@@ -2,6 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+	--	gen_context(system_u:object_r:wine_exec_t,s0)
+@@ -1,7 +1,9 @@
++HOME_DIR/\.wine(/.*)?   gen_context(system_u:object_r:wine_home_t,s0)
+ HOME_DIR/cxoffice/bin/wine.+	--	gen_context(system_u:object_r:wine_exec_t,s0)
  
  /opt/cxoffice/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
  
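Review bot: `HOME_DIR/\.wine(/.*)?   gen_context(system_u:object_r:wine_home_t,s0)` separates path and context with three spaces where every other entry in this file uses tabs; align it like its neighbours. Also note that this file context entry only takes effect on relabel: existing ~/.wine trees keep their current label until restorecon is run over home directories, which the changelog should mention.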
@@ -73567,7 +73739,7 @@ index 9d24449..2666317 100644
  /opt/google/picasa(/.*)?/bin/msiexec --	gen_context(system_u:object_r:wine_exec_t,s0)
  /opt/google/picasa(/.*)?/bin/notepad --	gen_context(system_u:object_r:wine_exec_t,s0)
  /opt/google/picasa(/.*)?/bin/progman --	gen_context(system_u:object_r:wine_exec_t,s0)
-@@ -10,6 +11,7 @@ HOME_DIR/cxoffice/bin/wine.+	--	gen_context(system_u:object_r:wine_exec_t,s0)
+@@ -10,6 +12,7 @@ HOME_DIR/cxoffice/bin/wine.+	--	gen_context(system_u:object_r:wine_exec_t,s0)
  /opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
  /opt/google/picasa(/.*)?/bin/wdi --	gen_context(system_u:object_r:wine_exec_t,s0)
  /opt/google/picasa(/.*)?/bin/wine.* --	gen_context(system_u:object_r:wine_exec_t,s0)
@@ -73662,10 +73834,30 @@ index f9a73d0..4b83bb0 100644
  		xserver_role($1_r, $1_wine_t)
  	')
 diff --git a/wine.te b/wine.te
-index 7a17516..56fbcc2 100644
+index 7a17516..371077e 100644
 --- a/wine.te
 +++ b/wine.te
-@@ -38,7 +38,7 @@ domain_mmap_low(wine_t)
+@@ -17,6 +17,9 @@ type wine_exec_t;
+ userdom_user_application_domain(wine_t, wine_exec_t)
+ role system_r types wine_t;
+ 
++type wine_home_t;
++userdom_user_home_content(wine_home_t)
++
+ type wine_tmp_t;
+ userdom_user_tmp_file(wine_tmp_t)
+ 
+@@ -30,6 +33,9 @@ allow wine_t self:fifo_file manage_fifo_file_perms;
+ 
+ can_exec(wine_t, wine_exec_t)
+ 
++userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
++userdom_tmpfs_filetrans(wine_t, file)
++
+ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+ manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+ files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+@@ -38,7 +44,7 @@ domain_mmap_low(wine_t)
  
  files_execmod_all_files(wine_t)
  
@@ -73674,7 +73866,7 @@ index 7a17516..56fbcc2 100644
  
  tunable_policy(`wine_mmap_zero_ignore',`
  	dontaudit wine_t self:memprotect mmap_zero;
-@@ -53,6 +53,10 @@ optional_policy(`
+@@ -53,6 +59,10 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 536c6d6..8298163 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 73%{?dist}
+Release: 74%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,36 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jan 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-74
+- Dontaudit r/w cache_home_t for thumb_t
+- Allow rsync to getattr any file in rsync_data_t
+- Allow l2tpd_t to read network manager content in /run directory
+- Allow named to block_suspend capability
+- Allow gnomesystemmm_t caps because of ioprio_set
+- Allow NM rawip socket
+- Add interface to thumb_t dbus_chat to allow it to read remote process state
+- ALlow logrotate to domtrans to mdadm_t
+- kde gnomeclock wants to write content to /tmp
+- kde gnomeclock wants to write content to /tmp
+- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
+- Allow blueman_t to rwx zero_device_t, for some kind of jre
+- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
+- Ftp full access should be allowed to create directories as well as files
+- Add boolean to allow rsync_full_acces, so that an rsync server can write all
+- over the local machine
+- logrotate needs to rotate logs in openshift directories
+- comment files_relabel_non_security_files for now, it does not work with boolean
+- boinc_cliean wants also execmem as boinc projecs have
+- Allow sa-update to search admin home for /root/.spamassassin
+- Allow sa-update to search admin home for /root/.spamassassin
+- Allow antivirus domain to read net sysctl
+- Dontaudit attempts from thumb_t to connect to ssd
+- Dontaudit attempts by readahead to read sock_files
+- Dontaudit attempts by readahead to read sock_files
+- Allow application_domains to send sigchld to login programs
+- Change ssh_use_pts to use macro and only inherited sshd_devpts_t
+- Allow confined users to read systemd_logind seat information
+
 * Mon Jan 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-73
 - Allow gnome keyring to create keyrings dir in ~/.local/share
 - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
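Review bot: the 3.11.1-74 changelog repeats three entries verbatim ("kde gnomeclock wants to write content to /tmp", "Allow sa-update to search admin home for /root/.spamassassin", "Dontaudit attempts by readahead to read sock_files") and carries typos: "ALlow logrotate" should be "Allow logrotate", "rsync_full_acces" should be "rsync_full_access" (the tunable name used in the policy), "boinc_cliean" and "projecs" look like "boinc_client" and "projects", and "connect to ssd" should be "connect to sssd". The "Add boolean to allow rsync_full_acces" entry also wraps into a separate "- over the local machine" bullet; join it to the previous line.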


More information about the scm-commits mailing list