[selinux-policy] - Allow gluster to get attrs on all fs - New access required for virt-sandbox - Allow dnsmasq to exe

Miroslav Grepl mgrepl at fedoraproject.org
Wed Feb 20 13:48:15 UTC 2013


commit 26cbc57930af9eec36341f9ed6173747d735e07a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Feb 20 14:47:02 2013 +0100

    - Allow gluster to get attrs on all fs
    - New access required for virt-sandbox
    - Allow dnsmasq to execute bin_t
    - Allow dnsmasq to create content in /var/run/NetworkManager
    - Fix openshift_initrc_signal() interface
    - Dontaudit openshift domains doing getattr on other domains
    - Allow consolehelper domain to communicate with session bus
    - Mock should not be transitioning to any other domains,  we should ke
    - Update virt_qemu_ga_t policy
    - Allow authconfig running from realmd to restart oddjob service
    - Add systemd support for oddjob
    - Add initial policy for realmd_consolehelper_t which if for authconfi
    - Add labeling for gnashpluginrc
    - Allow chrome_nacl to execute /dev/zero
    - Allow condor domains to read /proc
    - mozilla_plugin_t will getattr on /core if firefox crashes
    - Allow condor domains to read /etc/passwd
    - Allow dnsmasq to execute shell scripts, openstack requires this acce
    - Fix glusterd labeling
    - Allow virtd_t to interact with the socket type
    - Allow nmbd_t to override dac if you turned on sharing all files
    - Allow tuned to create kobject_uevent socket
    - Allow guest user to run fusermount
    - Allow openshift to read /proc and locale
    - Allow realmd to dbus chat with rpm
    - Add new interface for virt
    - Remove deprecated interfaces
    - Allow systemd_domains read access on etc, etc_runtime and usr files,
    - /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
    - Remove some more unconfined_t process transitions, that I don't beli
    - Stop transitioning unconfined_t to checkpc
    - dmraid creates /var/lock/dmraid
    - Allow systemd_localed to create unix_dgram_sockets
    - Allow systemd_localed to write kernel messages.
    - Also cleanup systemd definition a little.
    - Fix userdom_restricted_xwindows_user_template() interface
    - Label any block devices or char devices under /dev/infiniband as fix
    - User accounts need to dbus chat with accountsd daemon
    - Gnome requires all users to be able to read /proc/1/

 policy-rawhide-base.patch    | 1051 +++++++++++++++++++++---------------------
 policy-rawhide-contrib.patch |  486 ++++++++++++--------
 selinux-policy.spec          |   43 ++-
 3 files changed, 855 insertions(+), 725 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 8195c81..53707e1 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -205762,7 +205762,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..b8419c0 100644
+index 644d4d7..4d8e35b 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -206036,7 +206036,7 @@ index 644d4d7..b8419c0 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -332,9 +396,11 @@ ifdef(`distro_redhat', `
+@@ -332,9 +396,12 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -206045,10 +206045,11 @@ index 644d4d7..b8419c0 100644
  /usr/share/hplip/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/kde4/apps/kajongg/kajongg.py --	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/munin/plugins/plugin\.sh		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +449,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +450,15 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -206065,7 +206066,7 @@ index 644d4d7..b8419c0 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +467,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +468,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -210224,7 +210225,7 @@ index 6529bd9..cfec99c 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..70c5c72 100644
+index 6a1e4d1..258c7cc 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -210333,16 +210334,11 @@ index 6a1e4d1..70c5c72 100644
  ##	Relabel to and from all entry point
  ##	file types.
  ## </summary>
-@@ -1530,4 +1543,30 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1543,25 @@ interface(`domain_unconfined',`
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
 +
-+	mcs_file_read_all($1)
-+	mcs_file_write_all($1)
-+	mcs_killall($1)
-+	mcs_ptrace_all($1)
-+	mcs_socket_write_all_levels($1)
 +	mcs_process_set_categories($1)
 +')
 +
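Review bot: The five `mcs_*_all($1)` calls dropped from domain_unconfined() at the end of this hunk take away, judging by their names, the cross-category file read, file write, kill, ptrace and socket-write overrides that the previous version of the patch granted to unconfined domains, and no bullet in the description says so. If this is what `- Remove depracated interfaces` refers to, name it, e.g. `- Drop the mcs_*_all() overrides from domain_unconfined()`, so a reader does not have to diff the patch to discover a change in what unconfined domains may reach across MCS categories. A one-line comment above the surviving `mcs_process_set_categories($1)` saying where category overrides for unconfined domains now come from (presumably the reworked MCS policy, to be confirmed) would also help. The domain_unconfined() body continues outside the hunk.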
@@ -211009,7 +211005,7 @@ index c2c6e05..d0e6d1c 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..eaf2611 100644
+index 64ff4d7..8a9355a 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -211276,7 +211272,32 @@ index 64ff4d7..eaf2611 100644
  ')
  
  #############################################
-@@ -1673,6 +1816,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1583,6 +1726,24 @@ interface(`files_getattr_all_mountpoints',`
+ 
+ ########################################
+ ## <summary>
++##	List the directory of all mount points.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_all_mountpoints',`
++	gen_require(`
++		attribute mountpoint;
++	')
++
++	allow $1 mountpoint:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Set the attributes of all mount points.
+ ## </summary>
+ ## <param name="domain">
+@@ -1673,6 +1834,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -211301,7 +211322,7 @@ index 64ff4d7..eaf2611 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1691,6 +1852,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,6 +1870,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -211326,7 +211347,7 @@ index 64ff4d7..eaf2611 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1874,25 +2053,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1874,25 +2071,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -211358,7 +211379,7 @@ index 64ff4d7..eaf2611 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1905,7 +2084,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2102,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -211367,7 +211388,7 @@ index 64ff4d7..eaf2611 100644
  ')
  
  ########################################
-@@ -1928,6 +2107,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2125,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -211392,7 +211413,7 @@ index 64ff4d7..eaf2611 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2627,6 +2824,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +2842,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -211417,7 +211438,7 @@ index 64ff4d7..eaf2611 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2698,6 +2913,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +2931,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -211425,7 +211446,7 @@ index 64ff4d7..eaf2611 100644
  ')
  
  ########################################
-@@ -2706,7 +2922,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +2940,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -211434,37 +211455,123 @@ index 64ff4d7..eaf2611 100644
  ##	</summary>
  ## </param>
  #
-@@ -2762,6 +2978,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,25 +2996,26 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
+-##	Delete system configuration files in /etc.
 +##	Do not audit attempts to check the 
 +##	access on etc files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_etc_files',`
++interface(`files_dontaudit_access_check_etc',`
+ 	gen_require(`
+ 		type etc_t;
+ 	')
+ 
+-	delete_files_pattern($1, etc_t, etc_t)
++	dontaudit $1 etc_t:dir_file_class_set audit_access;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute generic files in /etc.
++##	Delete system configuration files in /etc.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2788,19 +3023,17 @@ interface(`files_delete_etc_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_exec_etc_files',`
++interface(`files_delete_etc_files',`
+ 	gen_require(`
+ 		type etc_t;
+ 	')
+ 
+-	allow $1 etc_t:dir list_dir_perms;
+-	read_lnk_files_pattern($1, etc_t, etc_t)
+-	exec_files_pattern($1, etc_t, etc_t)
++	delete_files_pattern($1, etc_t, etc_t)
+ ')
+ 
+-#######################################
++########################################
+ ## <summary>
+-##	Relabel from and to generic files in /etc.
++##	Remove entries from the etc directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2808,18 +3041,17 @@ interface(`files_exec_etc_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_relabel_etc_files',`
++interface(`files_delete_etc_dir_entry',`
+ 	gen_require(`
+ 		type etc_t;
+ 	')
+ 
+-	allow $1 etc_t:dir list_dir_perms;
+-	relabel_files_pattern($1, etc_t, etc_t)
++	allow $1 etc_t:dir del_entry_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links in /etc.
++##	Execute generic files in /etc.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2827,17 +3059,56 @@ interface(`files_relabel_etc_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_etc_symlinks',`
++interface(`files_exec_etc_files',`
+ 	gen_require(`
+ 		type etc_t;
+ 	')
+ 
++	allow $1 etc_t:dir list_dir_perms;
+ 	read_lnk_files_pattern($1, etc_t, etc_t)
++	exec_files_pattern($1, etc_t, etc_t)
+ ')
+ 
+-########################################
++#######################################
+ ## <summary>
+-##	Create, read, write, and delete symbolic links in /etc.
++##	Relabel from and to generic files in /etc.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_access_check_etc',`
++interface(`files_relabel_etc_files',`
 +	gen_require(`
 +		type etc_t;
 +	')
 +
-+	dontaudit $1 etc_t:dir_file_class_set audit_access;
++	allow $1 etc_t:dir list_dir_perms;
++	relabel_files_pattern($1, etc_t, etc_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Delete system configuration files in /etc.
- ## </summary>
- ## <param name="domain">
-@@ -2780,6 +3015,24 @@ interface(`files_delete_etc_files',`
- 
- ########################################
- ## <summary>
-+##	Remove entries from the etc directory.
++##	Read symbolic links in /etc.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
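Review bot: The new side of this hunk reintroduces a 39-character banner, `#######################################`, above the "Relabel from and to generic files in /etc." summary while the 40-character banner removed on the line before it and every other banner in the hunk are 40 wide, so the reshuffle undoes the normalization the earlier part of the same hunk performs above "Remove entries from the etc directory". Since the patch rewrites these lines anyway, emit `########################################` in both places. Style only; no rules change.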
@@ -211472,20 +211579,21 @@ index 64ff4d7..eaf2611 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_delete_etc_dir_entry',`
++interface(`files_read_etc_symlinks',`
 +	gen_require(`
 +		type etc_t;
 +	')
 +
-+	allow $1 etc_t:dir del_entry_dir_perms;
++	read_lnk_files_pattern($1, etc_t, etc_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Execute generic files in /etc.
++##	Create, read, write, and delete symbolic links in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2945,26 +3198,8 @@ interface(`files_delete_boot_flag',`
+ ##	<summary>
+@@ -2945,24 +3216,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -211507,14 +211615,10 @@ index 64ff4d7..eaf2611 100644
 -
 -########################################
 -## <summary>
--##	Read files in /etc that are dynamically
--##	created on boot, such as mtab.
-+##	Read files in /etc that are dynamically
-+##	created on boot, such as mtab.
+ ##	Read files in /etc that are dynamically
+ ##	created on boot, such as mtab.
  ## </summary>
- ## <desc>
- ##	<p>
-@@ -3003,9 +3238,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3256,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -211525,7 +211629,7 @@ index 64ff4d7..eaf2611 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3013,18 +3246,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3264,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -211547,7 +211651,7 @@ index 64ff4d7..eaf2611 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3042,6 +3274,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3292,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -211574,7 +211678,7 @@ index 64ff4d7..eaf2611 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3059,6 +3311,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3329,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -211582,7 +211686,7 @@ index 64ff4d7..eaf2611 100644
  ')
  
  ########################################
-@@ -3080,6 +3333,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3351,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -211590,7 +211694,7 @@ index 64ff4d7..eaf2611 100644
  ')
  
  ########################################
-@@ -3132,6 +3386,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3404,25 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -211616,7 +211720,7 @@ index 64ff4d7..eaf2611 100644
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3208,6 +3481,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3499,25 @@ interface(`files_delete_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -211642,7 +211746,7 @@ index 64ff4d7..eaf2611 100644
  ##	Create, read, write, and delete directories
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3455,6 +3747,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3765,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
@@ -211668,7 +211772,7 @@ index 64ff4d7..eaf2611 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3796,20 +4107,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4125,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -211712,7 +211816,7 @@ index 64ff4d7..eaf2611 100644
  ')
  
  ########################################
-@@ -4199,6 +4528,133 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,6 +4546,133 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -211846,7 +211950,7 @@ index 64ff4d7..eaf2611 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -4221,6 +4677,26 @@ interface(`files_associate_tmp',`
+@@ -4221,6 +4695,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -211873,7 +211977,7 @@ index 64ff4d7..eaf2611 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4234,17 +4710,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4234,17 +4728,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -211912,7 +212016,7 @@ index 64ff4d7..eaf2611 100644
  ##	</summary>
  ## </param>
  #
-@@ -4271,6 +4767,7 @@ interface(`files_search_tmp',`
+@@ -4271,6 +4785,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -211920,7 +212024,7 @@ index 64ff4d7..eaf2611 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4307,6 +4804,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +4822,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -211928,7 +212032,7 @@ index 64ff4d7..eaf2611 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4316,7 +4814,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +4832,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -211937,7 +212041,7 @@ index 64ff4d7..eaf2611 100644
  ##	</summary>
  ## </param>
  #
-@@ -4328,6 +4826,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +4844,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -211963,7 +212067,7 @@ index 64ff4d7..eaf2611 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4343,6 +4860,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +4878,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -211971,12 +212075,18 @@ index 64ff4d7..eaf2611 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4384,6 +4902,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,13 +4920,39 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
+-##	Manage temporary files and directories in /tmp.
 +##	Allow shared library text relocations in tmp files.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -212001,149 +212111,39 @@ index 64ff4d7..eaf2611 100644
 +
 +########################################
 +## <summary>
- ##	Manage temporary files and directories in /tmp.
- ## </summary>
- ## <param name="domain">
-@@ -4438,7 +4982,7 @@ interface(`files_rw_generic_tmp_sockets',`
- 
- ########################################
- ## <summary>
--##	Set the attributes of all tmp directories.
-+##	Relabel a dir from the type used in /tmp.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4446,17 +4990,17 @@ interface(`files_rw_generic_tmp_sockets',`
- ##	</summary>
- ## </param>
- #
--interface(`files_setattr_all_tmp_dirs',`
-+interface(`files_relabelfrom_tmp_dirs',`
- 	gen_require(`
--		attribute tmpfile;
-+		type tmp_t;
- 	')
- 
--	allow $1 tmpfile:dir { search_dir_perms setattr };
-+	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	List all tmp directories.
-+##	Relabel a file from the type used in /tmp.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4464,59 +5008,53 @@ interface(`files_setattr_all_tmp_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_list_all_tmp',`
-+interface(`files_relabelfrom_tmp_files',`
- 	gen_require(`
--		attribute tmpfile;
-+		type tmp_t;
- 	')
- 
--	allow $1 tmpfile:dir list_dir_perms;
-+	relabelfrom_files_pattern($1, tmp_t, tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	Relabel to and from all temporary
--##	directory types.
-+##	Set the attributes of all tmp directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_relabel_all_tmp_dirs',`
-+interface(`files_setattr_all_tmp_dirs',`
- 	gen_require(`
- 		attribute tmpfile;
--		type var_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	relabel_dirs_pattern($1, tmpfile, tmpfile)
-+	allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to get the attributes
--##	of all tmp files.
-+##	Allow caller to read inherited tmp files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
++##	Manage temporary files and directories in /tmp.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
-+interface(`files_read_inherited_tmp_files',`
- 	gen_require(`
- 		attribute tmpfile;
- 	')
- 
--	dontaudit $1 tmpfile:file getattr;
-+	allow $1 tmpfile:file { append read_inherited_file_perms };
- ')
- 
- ########################################
- ## <summary>
--##	Allow attempts to get the attributes
--##	of all tmp files.
-+##	Allow caller to append inherited tmp files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4524,25 +5062,121 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
  #
--interface(`files_getattr_all_tmp_files',`
-+interface(`files_append_inherited_tmp_files',`
+ interface(`files_manage_generic_tmp_files',`
  	gen_require(`
- 		attribute tmpfile;
- 	')
- 
--	allow $1 tmpfile:file getattr;
-+	allow $1 tmpfile:file append_inherited_file_perms;
- ')
+@@ -4438,6 +5000,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
--##	Relabel to and from all temporary
--##	file types.
-+##	Allow caller to read and write inherited tmp files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
++##	Relabel a dir from the type used in /tmp.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_relabelfrom_tmp_dirs',`
 +	gen_require(`
-+		attribute tmpfile;
++		type tmp_t;
 +	')
 +
-+	allow $1 tmpfile:file rw_inherited_file_perms;
++	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
 +')
 +
 +########################################
 +## <summary>
-+##	List all tmp directories.
++##	Relabel a file from the type used in /tmp.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -212151,59 +212151,60 @@ index 64ff4d7..eaf2611 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_list_all_tmp',`
++interface(`files_relabelfrom_tmp_files',`
 +	gen_require(`
-+		attribute tmpfile;
++		type tmp_t;
 +	')
 +
-+	allow $1 tmpfile:dir list_dir_perms;
++	relabelfrom_files_pattern($1, tmp_t, tmp_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel to and from all temporary
-+##	directory types.
+ ##	Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -4456,6 +5054,60 @@ interface(`files_setattr_all_tmp_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Allow caller to read inherited tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_relabel_all_tmp_dirs',`
++interface(`files_read_inherited_tmp_files',`
 +	gen_require(`
 +		attribute tmpfile;
-+		type var_t;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	relabel_dirs_pattern($1, tmpfile, tmpfile)
++	allow $1 tmpfile:file { append read_inherited_file_perms };
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to get the attributes
-+##	of all tmp files.
++##	Allow caller to append inherited tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_append_inherited_tmp_files',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
-+	dontaudit $1 tmpfile:file getattr;
++	allow $1 tmpfile:file append_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow attempts to get the attributes
-+##	of all tmp files.
++##	Allow caller to read and write inherited tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
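Review bot: `files_read_inherited_tmp_files` is documented as read-only (`Allow caller to read inherited tmp files.`) but its rule, `allow $1 tmpfile:file { append read_inherited_file_perms };`, also grants append on every tmpfile type, which is exactly what the sibling `files_append_inherited_tmp_files` a few lines below exists to provide. The rule is moved rather than introduced by this commit, but as written a caller asking for read access silently gets append as well. Either narrow it to `allow $1 tmpfile:file read_inherited_file_perms;` and have callers that need both invoke both interfaces, or state the extra permission in the summary so reviewers of callers can see what is actually granted.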
@@ -212211,29 +212212,29 @@ index 64ff4d7..eaf2611 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_getattr_all_tmp_files',`
++interface(`files_rw_inherited_tmp_file',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
-+	allow $1 tmpfile:file getattr;
++	allow $1 tmpfile:file rw_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel to and from all temporary
-+##	file types.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
+ ##	List all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -4501,7 +5153,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
  #
- interface(`files_relabel_all_tmp_files',`
- 	gen_require(`
-@@ -4561,7 +5195,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4561,7 +5213,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
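Review bot: `files_rw_inherited_tmp_file` is the only one of the three inherited-tmp interfaces in this and the preceding hunk with a singular name; its siblings are `files_read_inherited_tmp_files` and `files_append_inherited_tmp_files`. Consistent naming matters here because these are the public names that callers in the contrib patch look up, so a rename to `files_rw_inherited_tmp_files` has to land together with every caller in the rest of the patch set. Style only; the rule itself is unchanged.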
@@ -212242,7 +212243,7 @@ index 64ff4d7..eaf2611 100644
  ##	</summary>
  ## </param>
  #
-@@ -4593,6 +5227,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4593,6 +5245,44 @@ interface(`files_read_all_tmp_files',`
  
  ########################################
  ## <summary>
@@ -212287,7 +212288,7 @@ index 64ff4d7..eaf2611 100644
  ##	Create an object in the tmp directories, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -4646,6 +5318,16 @@ interface(`files_purge_tmp',`
+@@ -4646,6 +5336,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -212304,7 +212305,7 @@ index 64ff4d7..eaf2611 100644
  ')
  
  ########################################
-@@ -5223,6 +5905,24 @@ interface(`files_list_var',`
+@@ -5223,6 +5923,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -212329,7 +212330,7 @@ index 64ff4d7..eaf2611 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5578,6 +6278,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5578,6 +6296,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -212355,7 +212356,7 @@ index 64ff4d7..eaf2611 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5623,7 +6342,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6360,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -212364,7 +212365,7 @@ index 64ff4d7..eaf2611 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6350,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6368,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -212380,7 +212381,7 @@ index 64ff4d7..eaf2611 100644
  ')
  
  ########################################
-@@ -5654,6 +6374,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6392,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -212388,7 +212389,7 @@ index 64ff4d7..eaf2611 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5680,7 +6401,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6419,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -212416,7 +212417,7 @@ index 64ff4d7..eaf2611 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,13 +6428,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6446,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -212433,7 +212434,7 @@ index 64ff4d7..eaf2611 100644
  ')
  
  ########################################
-@@ -5713,7 +6452,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6470,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -212442,7 +212443,7 @@ index 64ff4d7..eaf2611 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5746,7 +6485,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6503,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -212450,7 +212451,7 @@ index 64ff4d7..eaf2611 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5774,8 +6512,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5774,8 +6530,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -212460,7 +212461,7 @@ index 64ff4d7..eaf2611 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5791,13 +6528,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6546,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -212478,7 +212479,7 @@ index 64ff4d7..eaf2611 100644
  ')
  
  ########################################
-@@ -5816,9 +6552,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6570,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -212489,7 +212490,7 @@ index 64ff4d7..eaf2611 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5860,8 +6594,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6612,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -212499,7 +212500,7 @@ index 64ff4d7..eaf2611 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6616,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6634,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -212509,7 +212510,7 @@ index 64ff4d7..eaf2611 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6653,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +6671,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -212519,7 +212520,7 @@ index 64ff4d7..eaf2611 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5985,6 +6716,43 @@ interface(`files_search_pids',`
+@@ -5985,6 +6734,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -212563,7 +212564,7 @@ index 64ff4d7..eaf2611 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6007,6 +6775,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +6793,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -212589,7 +212590,7 @@ index 64ff4d7..eaf2611 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6122,7 +6909,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +6927,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -212597,7 +212598,7 @@ index 64ff4d7..eaf2611 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6231,55 +7017,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,46 +7035,230 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -212646,34 +212647,24 @@ index 64ff4d7..eaf2611 100644
 -	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 -	allow $1 var_run_t:dir rmdir;
--	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
--	delete_files_pattern($1, pidfile, pidfile)
--	delete_fifo_files_pattern($1, pidfile, pidfile)
--	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
 +	allow $1 pidfile:sock_file delete_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Delete all process ID directories.
++')
++
++########################################
++## <summary>
 +##	Create all pid sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6287,25 +7061,136 @@ interface(`files_delete_all_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_delete_all_pid_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_create_all_pid_sockets',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	delete_dirs_pattern($1, pidfile, pidfile)
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	allow $1 pidfile:sock_file create_sock_file_perms;
 +')
 +
@@ -212789,72 +212780,58 @@ index 64ff4d7..eaf2611 100644
 +	')
 +
 +	exec_files_pattern($1, var_run_t, var_run_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write and delete all
--##	var_run (pid) content
++')
++
++########################################
++## <summary>
 +##	manage all pidfiles 
 +##	in the /var/run directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain alloed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
-@@ -6314,9 +7199,7 @@ interface(`files_manage_all_pids',`
- 		attribute pidfile;
- 	')
- 
--	manage_dirs_pattern($1, pidfile, pidfile)
--	manage_files_pattern($1, pidfile, pidfile)
--	manage_lnk_files_pattern($1, pidfile, pidfile)
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	manage_files_pattern($1,pidfile,pidfile)
- ')
- 
- ########################################
-@@ -6340,6 +7223,158 @@ interface(`files_mounton_all_poly_members',`
- 
- ########################################
- ## <summary>
-+##	Delete all process IDs.
++')
++
++########################################
++## <summary>
++##	Mount filesystems on all polyinstantiation
++##	member directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_delete_all_pids',`
++interface(`files_mounton_all_poly_members',`
 +	gen_require(`
-+		attribute pidfile;
-+		type var_t, var_run_t;
++		attribute polymember;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	allow $1 var_run_t:dir rmdir;
-+	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+	delete_files_pattern($1, pidfile, pidfile)
-+	delete_fifo_files_pattern($1, pidfile, pidfile)
-+	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++	allow $1 polymember:dir mounton;
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all process ID directories.
++##	Delete all process IDs.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_delete_all_pid_dirs',`
++interface(`files_delete_all_pids',`
 +	gen_require(`
 +		attribute pidfile;
 +		type var_t, var_run_t;
@@ -212862,11 +212839,16 @@ index 64ff4d7..eaf2611 100644
 +
 +	allow $1 var_t:dir search_dir_perms;
 +	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	delete_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
++	allow $1 var_run_t:dir rmdir;
+ 	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ 	delete_files_pattern($1, pidfile, pidfile)
+ 	delete_fifo_files_pattern($1, pidfile, pidfile)
+@@ -6300,29 +7288,73 @@ interface(`files_delete_all_pid_dirs',`
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write and delete all
+-##	var_run (pid) content
 +##	Make the specified type a file
 +##	used for spool files.
 +## </summary>
@@ -212916,36 +212898,47 @@ index 64ff4d7..eaf2611 100644
 +########################################
 +## <summary>
 +##	Create all spool sockets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain alloed access.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
 +interface(`files_create_all_spool_sockets',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
 +		attribute spoolfile;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, pidfile, pidfile)
+-	manage_files_pattern($1, pidfile, pidfile)
+-	manage_lnk_files_pattern($1, pidfile, pidfile)
 +	allow $1 spoolfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount filesystems on all polyinstantiation
+-##	member directories.
 +##	Delete all spool sockets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6330,12 +7362,33 @@ interface(`files_manage_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
 +interface(`files_delete_all_spool_sockets',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polymember;
 +		attribute spoolfile;
-+	')
-+
+ 	')
+ 
+-	allow $1 polymember:dir mounton;
 +	allow $1 spoolfile:sock_file delete_sock_file_perms;
 +')
 +
@@ -212968,14 +212961,10 @@ index 64ff4d7..eaf2611 100644
 +	')
 +
 +	relabel_dirs_pattern($1, spoolfile, spoolfile)
-+')
-+
-+########################################
-+## <summary>
- ##	Search the contents of generic spool
- ##	directories (/var/spool).
- ## </summary>
-@@ -6562,3 +7597,459 @@ interface(`files_unconfined',`
+ ')
+ 
+ ########################################
+@@ -6562,3 +7615,459 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -216349,10 +216338,17 @@ index 522ab32..cb9c3a2 100644
  	')
  }
 diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 54f1827..a2d5eaa 100644
+index 54f1827..409df4f 100644
 --- a/policy/modules/kernel/storage.fc
 +++ b/policy/modules/kernel/storage.fc
-@@ -28,7 +28,8 @@
+@@ -23,12 +23,15 @@
+ /dev/ht[0-1]		-b	gen_context(system_u:object_r:tape_device_t,s0)
+ /dev/hwcdrom		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/initrd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/infiniband/.*	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/infiniband/.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/jsfd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/jsflash		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
@@ -216362,7 +216358,7 @@ index 54f1827..a2d5eaa 100644
  /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -51,7 +52,7 @@ ifdef(`distro_redhat', `
+@@ -51,7 +54,7 @@ ifdef(`distro_redhat', `
  /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
@@ -216371,7 +216367,7 @@ index 54f1827..a2d5eaa 100644
  /dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
  /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/vd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -81,3 +82,6 @@ ifdef(`distro_redhat', `
+@@ -81,3 +84,6 @@ ifdef(`distro_redhat', `
  
  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
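Review bot: The two new `/dev/infiniband/.*` entries label what are presumably RDMA character devices (uverbs, umad, rdma_cm) as `fixed_disk_device_t`, so every domain holding raw fixed-disk access — lvm_t for one, which this same commit shows with `storage_manage_fixed_disk(lvm_t)` — transparently gains the InfiniBand interfaces as well, which is broader than a disk type suggests. If no dedicated device type exists yet, a comment above the two lines stating why the disk type was chosen would at least make the widening visible; a separate type would keep the two device classes apart. The `-b` variant on the same path appears to match nothing if the directory only holds character devices; if so, it can be dropped to keep the file-context table accurate.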
@@ -217736,10 +217732,10 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..d98e924 100644
+index 5da7870..b66bc2a 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
+@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
@@ -217801,14 +217797,13 @@ index 5da7870..d98e924 100644
 +')
 +
 +optional_policy(`
-+	accountsd_dbus_chat(staff_t)
 +	accountsd_read_lib_files(staff_t)
 +')
 +
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +79,102 @@ optional_policy(`
+@@ -23,11 +78,102 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -217912,7 +217907,7 @@ index 5da7870..d98e924 100644
  ')
  
  optional_policy(`
-@@ -35,15 +182,31 @@ optional_policy(`
+@@ -35,15 +181,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -217946,7 +217941,7 @@ index 5da7870..d98e924 100644
  ')
  
  optional_policy(`
-@@ -52,10 +215,55 @@ optional_policy(`
+@@ -52,10 +214,55 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -218002,7 +217997,7 @@ index 5da7870..d98e924 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -65,10 +273,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +272,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -218013,7 +218008,7 @@ index 5da7870..d98e924 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -78,10 +282,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +281,6 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		dbus_role_template(staff, staff_r, staff_t)
@@ -218024,7 +218019,7 @@ index 5da7870..d98e924 100644
  	')
  
  	optional_policy(`
-@@ -101,10 +301,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +300,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -218035,7 +218030,7 @@ index 5da7870..d98e924 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +321,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +320,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -218046,7 +218041,7 @@ index 5da7870..d98e924 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +333,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +332,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -218057,7 +218052,7 @@ index 5da7870..d98e924 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +364,20 @@ ifndef(`distro_redhat',`
+@@ -176,3 +363,20 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -219324,10 +219319,10 @@ index 0000000..bac0dc0
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..1c11aac
+index 0000000..699d0dd
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,369 @@
+@@ -0,0 +1,336 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -219472,10 +219467,6 @@ index 0000000..1c11aac
 +	')
 +
 +	optional_policy(`
-+		policykit_role(unconfined_r, unconfined_t)
-+	')
-+
-+	optional_policy(`
 +		rtkit_scheduled(unconfined_t)
 +	')
 +
@@ -219498,16 +219489,11 @@ index 0000000..1c11aac
 +	')
 +
 +	optional_policy(`
-+		shutdown_run(unconfined_t, unconfined_r)
-+	')
-+
-+	optional_policy(`
 +		gen_require(`
 +			type user_tmpfs_t;
 +		')
 +	
 +		xserver_rw_session(unconfined_t, user_tmpfs_t)
-+		xserver_run_xauth(unconfined_t, unconfined_r)
 +		xserver_dbus_chat_xdm(unconfined_t)
 +	')
 +')
@@ -219522,14 +219508,6 @@ index 0000000..1c11aac
 +')
 +
 +optional_policy(`
-+	apache_run_helper(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+	bind_run_ndc(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
 +	chrome_role_notrans(unconfined_r, unconfined_t)
 +
 +	tunable_policy(`unconfined_chrome_sandbox_transition',`
@@ -219613,10 +219591,6 @@ index 0000000..1c11aac
 +')
 +
 +optional_policy(`
-+	ftp_run_ftpdctl(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
 +        gpsd_run(unconfined_t, unconfined_r)
 +')
 +
@@ -219628,19 +219602,11 @@ index 0000000..1c11aac
 +	livecd_run(unconfined_t, unconfined_r)
 +')
 +
-+optional_policy(`
-+	lpd_run_checkpc(unconfined_t, unconfined_r)
-+')
-+
 +#optional_policy(`
 +#	mock_role(unconfined_r, unconfined_t)
 +#')
 +
 +optional_policy(`
-+	modutils_run_update_mods(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
 +	mozilla_role_plugin(unconfined_r)
 +
 +	tunable_policy(`unconfined_mozilla_plugin_transition', `
@@ -219653,10 +219619,6 @@ index 0000000..1c11aac
 +')
 +
 +optional_policy(`
-+	portmap_run_helper(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
 +	rpm_run(unconfined_t, unconfined_r)
 +	# Allow SELinux aware applications to request rpm_script execution
 +	rpm_transition_script(unconfined_t)
@@ -230816,7 +230778,7 @@ index 39ea221..4dd92d4 100644
 +
 +logging_stream_connect_syslog(syslog_client_type)
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..c11d48b 100644
+index 879bb1e..e2a9f15 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
 @@ -23,28 +23,34 @@ ifdef(`distro_gentoo',`
@@ -230927,10 +230889,11 @@ index 879bb1e..c11d48b 100644
  
  #
  # /var
-@@ -97,5 +164,7 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +164,8 @@ ifdef(`distro_gentoo',`
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
++/var/lock/dmraid(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 +/var/run/lvm(/.*)?     gen_context(system_u:object_r:lvm_var_run_t,s0)
  /var/run/multipathd\.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
 +/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
@@ -231035,7 +230998,7 @@ index 58bc27f..51e9872 100644
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index e8c59a5..7622d77 100644
+index e8c59a5..ea56d23 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -231113,7 +231076,7 @@ index e8c59a5..7622d77 100644
  allow lvm_t self:file rw_file_perms;
  allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -191,6 +200,7 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+@@ -191,10 +200,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
  can_exec(lvm_t, lvm_exec_t)
  
  # Creating lock files
@@ -231121,7 +231084,12 @@ index e8c59a5..7622d77 100644
  manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
  create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
  files_lock_filetrans(lvm_t, lvm_lock_t, file)
-@@ -202,8 +212,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+ files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
++files_lock_filetrans(lvm_t, lvm_lock_t, dir, "dmraid")
+ 
+ manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+ manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+@@ -202,8 +213,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
  
  manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
  manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@@ -231132,7 +231100,7 @@ index e8c59a5..7622d77 100644
  
  read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
  read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -220,6 +231,7 @@ kernel_read_kernel_sysctls(lvm_t)
+@@ -220,6 +232,7 @@ kernel_read_kernel_sysctls(lvm_t)
  # it has no reason to need this
  kernel_dontaudit_getattr_core_if(lvm_t)
  kernel_use_fds(lvm_t)
@@ -231140,7 +231108,7 @@ index e8c59a5..7622d77 100644
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -230,11 +242,13 @@ dev_delete_generic_dirs(lvm_t)
+@@ -230,11 +243,13 @@ dev_delete_generic_dirs(lvm_t)
  dev_read_rand(lvm_t)
  dev_read_urand(lvm_t)
  dev_rw_lvm_control(lvm_t)
@@ -231155,7 +231123,7 @@ index e8c59a5..7622d77 100644
  # cjp: this has no effect since LVM does not
  # have lnk_file relabelto for anything else.
  # perhaps this should be blk_files?
-@@ -246,6 +260,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -246,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -231163,7 +231131,7 @@ index e8c59a5..7622d77 100644
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -255,17 +270,21 @@ files_read_etc_files(lvm_t)
+@@ -255,17 +271,21 @@ files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -231186,7 +231154,7 @@ index e8c59a5..7622d77 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -285,7 +304,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -285,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
  
@@ -231195,7 +231163,7 @@ index e8c59a5..7622d77 100644
  
  init_use_fds(lvm_t)
  init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +312,20 @@ init_use_script_ptys(lvm_t)
+@@ -293,15 +313,20 @@ init_use_script_ptys(lvm_t)
  init_read_script_state(lvm_t)
  
  logging_send_syslog_msg(lvm_t)
@@ -231217,7 +231185,7 @@ index e8c59a5..7622d77 100644
  
  ifdef(`distro_redhat',`
  	# this is from the initrd:
-@@ -313,6 +337,11 @@ ifdef(`distro_redhat',`
+@@ -313,6 +338,11 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -231229,7 +231197,7 @@ index e8c59a5..7622d77 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -333,14 +362,26 @@ optional_policy(`
+@@ -333,14 +363,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -235870,10 +235838,10 @@ index 0000000..a4b0917
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..c0a85ab
+index 0000000..6c712b8
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,624 @@
+@@ -0,0 +1,618 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -235885,11 +235853,11 @@ index 0000000..c0a85ab
 +attribute systemd_domain;
 +attribute systemctl_domain;
 +
-+type systemd_logger_t;
++type systemd_logger_t, systemd_domain;
 +type systemd_logger_exec_t;
 +init_daemon_domain(systemd_logger_t, systemd_logger_exec_t)
 +
-+type systemd_logind_t;
++type systemd_logind_t, systemd_domain;
 +type systemd_logind_exec_t;
 +init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
 +
@@ -235913,7 +235881,7 @@ index 0000000..c0a85ab
 +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
 +# systemd components
 +
-+type systemd_passwd_agent_t;
++type systemd_passwd_agent_t, systemd_domain;
 +type systemd_passwd_agent_exec_t;
 +init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 +
@@ -235921,11 +235889,11 @@ index 0000000..c0a85ab
 +files_pid_file(systemd_passwd_var_run_t)
 +
 +# domain for systemd-tmpfiles component
-+type systemd_tmpfiles_t;
++type systemd_tmpfiles_t, systemd_domain;
 +type systemd_tmpfiles_exec_t;
 +init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
 +
-+type systemd_notify_t;
++type systemd_notify_t, systemd_domain;
 +type systemd_notify_exec_t;
 +init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
 +
@@ -235940,19 +235908,21 @@ index 0000000..c0a85ab
 +type systemd_systemctl_exec_t;
 +corecmd_executable_file(systemd_systemctl_exec_t)
 +
-+type systemd_localed_t;
++type systemd_localed_t, systemd_domain;
 +type systemd_localed_exec_t;
 +init_daemon_domain(systemd_localed_t, systemd_localed_exec_t)
 +
-+type systemd_hostnamed_t;
++type systemd_hostnamed_t, systemd_domain;
 +type systemd_hostnamed_exec_t;
 +init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
 +
-+type systemd_timedated_t alias gnomeclock_t;
++type systemd_timedated_t, systemd_domain;
 +type systemd_timedated_exec_t;
 +init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t)
++typeattribute systemd_timedated_t systemd_domain;
++typealias systemd_timedated_t alias gnomeclock_t;
 +
-+type systemd_sysctl_t;
++type systemd_sysctl_t, systemd_domain;
 +type systemd_sysctl_exec_t;
 +init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
 +
@@ -235963,7 +235933,7 @@ index 0000000..c0a85ab
 +
 +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
 +allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
-+allow systemd_logind_t self:process { getcap };
++allow systemd_logind_t self:process getcap;
 +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
 +
@@ -236008,7 +235978,6 @@ index 0000000..c0a85ab
 +
 +# /etc/udev/udev.conf should probably have a private type if only for confined administration
 +# /etc/nsswitch.conf
-+files_read_etc_files(systemd_logind_t)
 +
 +# /sys/fs/cgroup/systemd/user
 +fs_manage_cgroup_dirs(systemd_logind_t)
@@ -236049,7 +236018,6 @@ index 0000000..c0a85ab
 +init_rw_stream_sockets(systemd_logind_t)
 +
 +logging_send_syslog_msg(systemd_logind_t)
-+logging_stream_connect_syslog(systemd_logind_t)
 +
 +udev_read_db(systemd_logind_t)
 +udev_manage_rules_files(systemd_logind_t)
@@ -236115,8 +236083,6 @@ index 0000000..c0a85ab
 +
 +kernel_stream_connect(systemd_passwd_agent_t)
 +
-+files_read_etc_files(systemd_passwd_agent_t)
-+
 +dev_create_generic_dirs(systemd_passwd_agent_t)
 +dev_read_generic_files(systemd_passwd_agent_t)
 +dev_write_generic_sock_files(systemd_passwd_agent_t)
@@ -236131,7 +236097,6 @@ index 0000000..c0a85ab
 +init_stream_connect(systemd_passwd_agent_t)
 +
 +logging_send_syslog_msg(systemd_passwd_agent_t)
-+logging_stream_connect_syslog(systemd_passwd_agent_t)
 +
 +userdom_use_user_ptys(systemd_passwd_agent_t)
 +userdom_use_inherited_user_ttys(systemd_passwd_agent_t)
@@ -236172,7 +236137,6 @@ index 0000000..c0a85ab
 +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
 +fs_list_all(systemd_tmpfiles_t)
 +
-+files_read_etc_files(systemd_tmpfiles_t)
 +files_getattr_all_dirs(systemd_tmpfiles_t)
 +files_getattr_all_files(systemd_tmpfiles_t)
 +files_getattr_all_sockets(systemd_tmpfiles_t)
@@ -236217,7 +236181,6 @@ index 0000000..c0a85ab
 +
 +logging_create_devlog_dev(systemd_tmpfiles_t)
 +logging_send_syslog_msg(systemd_tmpfiles_t)
-+logging_stream_connect_syslog(systemd_tmpfiles_t)
 +
 +miscfiles_filetrans_named_content(systemd_tmpfiles_t)
 +miscfiles_manage_man_pages(systemd_tmpfiles_t)
@@ -236287,9 +236250,6 @@ index 0000000..c0a85ab
 +
 +domain_use_interactive_fds(systemd_notify_t)
 +
-+files_read_etc_files(systemd_notify_t)
-+files_read_usr_files(systemd_notify_t)
-+
 +fs_getattr_cgroup_files(systemd_notify_t)
 +
 +auth_use_nsswitch(systemd_notify_t)
@@ -236317,9 +236277,6 @@ index 0000000..c0a85ab
 +
 +domain_use_interactive_fds(systemd_logger_t)
 +
-+files_read_etc_files(systemd_logger_t)
-+files_read_usr_files(systemd_logger_t)
-+
 +# only needs write
 +term_use_generic_ptys(systemd_logger_t)
 +
@@ -236329,7 +236286,6 @@ index 0000000..c0a85ab
 +init_write_pid_socket(systemd_logger_t)
 +
 +logging_send_syslog_msg(systemd_logger_t)
-+logging_stream_connect_syslog(systemd_logger_t)
 +
 +########################################
 +#
@@ -236355,6 +236311,9 @@ index 0000000..c0a85ab
 +allow systemd_localed_t self:process setfscreate;
 +allow systemd_localed_t self:fifo_file rw_fifo_file_perms;
 +allow systemd_localed_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_localed_t self:unix_dgram_socket create_socket_perms;
++
++dev_write_kmsg(systemd_localed_t)
 +
 +seutil_read_config(systemd_localed_t)
 +seutil_read_file_contexts(systemd_localed_t)
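Review bot: `dev_write_kmsg(systemd_localed_t)` is added together with the `unix_dgram_socket create_socket_perms` rule, but only the socket rule is mentioned in the commit description, so it is unclear whether both stem from the same denial. A short comment on the pair, e.g. `# localed logs via a unix dgram socket and /dev/kmsg`, would record the reason; if the kmsg write was seen only at early boot, it may be worth checking whether a dontaudit would have sufficed rather than granting the write permanently.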
@@ -236386,8 +236345,6 @@ index 0000000..c0a85ab
 +init_read_state(systemd_hostnamed_t)
 +init_stream_connect(systemd_hostnamed_t)
 +
-+logging_stream_connect_syslog(systemd_hostnamed_t)
-+
 +optional_policy(`
 +        dbus_system_bus_client(systemd_hostnamed_t)
 +        dbus_connect_system_bus(systemd_hostnamed_t)
@@ -236416,8 +236373,6 @@ index 0000000..c0a85ab
 +dev_write_kmsg(systemd_timedated_t)
 +dev_read_sysfs(systemd_timedated_t)
 +
-+files_read_etc_runtime_files(systemd_timedated_t)
-+
 +fs_getattr_xattr_fs(systemd_timedated_t)
 +
 +auth_use_nsswitch(systemd_timedated_t)
@@ -236425,7 +236380,6 @@ index 0000000..c0a85ab
 +init_dbus_chat(systemd_timedated_t)
 +init_status(systemd_timedated_t)
 +
-+logging_stream_connect_syslog(systemd_timedated_t)
 +logging_send_syslog_msg(systemd_timedated_t)
 +
 +miscfiles_manage_localization(systemd_timedated_t)
@@ -236493,11 +236447,19 @@ index 0000000..c0a85ab
 +
 +domain_use_interactive_fds(systemd_sysctl_t)
 +
-+files_read_etc_files(systemd_sysctl_t)
-+
 +init_stream_connect(systemd_sysctl_t)
 +
-+logging_stream_connect_syslog(systemd_sysctl_t)
++########################################
++#
++# Common rules for systemd domains
++#
++
++files_read_etc_files(systemd_domain)
++files_read_etc_runtime_files(systemd_domain)
++files_read_usr_files(systemd_domain)
++
++logging_stream_connect_syslog(systemd_domain)
++
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index 40928d8..49fd32e 100644
 --- a/policy/modules/system/udev.fc
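Review bot: The new "Common rules for systemd domains" block lives at the very end of systemd.te, after an added empty line, while the `systemd_domain` attribute is declared in the first section; a reader of any per-domain section no longer sees that the domain also reads etc, etc_runtime and usr files and connects to syslog, because those rules were deleted there. A one-line pointer at the declaration, `# systemd_domain: common etc/usr read and syslog rules live at the end of this file`, would keep that discoverable. Worth a word in that comment too: domains such as systemd_localed_t, systemd_hostnamed_t and systemd_sysctl_t previously had no `files_read_usr_files` and now gain it through the attribute — intentional per the description, but any type later added to `systemd_domain` inherits the same set silently. The trailing `+` blank line also leaves the file ending in an empty line.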
@@ -237869,7 +237831,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..a598a86 100644
+index 3c5dba7..4efa151 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -238950,7 +238912,7 @@ index 3c5dba7..a598a86 100644
  	##############################
  	#
  	# Local policy
-@@ -908,41 +1120,91 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -908,41 +1120,97 @@ template(`userdom_restricted_xwindows_user_template',`
  	# Local policy
  	#
  
@@ -238973,6 +238935,8 @@ index 3c5dba7..a598a86 100644
 +
 +	libs_dontaudit_setattr_lib_files($1_usertype)
 +
++	init_read_state($1_usertype)
++
 +	tunable_policy(`selinuxuser_rw_noexattrfile',`
 +		dev_rw_usbfs($1_t)
 +		dev_rw_generic_usb_dev($1_usertype)
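Review bot: `init_read_state($1_usertype)` is added to `userdom_restricted_xwindows_user_template` without a comment and is not among the items in the commit description, so the denial it resolves is not recorded anywhere. Since `$1_usertype` spreads it to every restricted X user type, a comment next to the call, e.g. `# <program> reads init's /proc state — TODO name the denial`, would document why the whole user type needs it. The template's body starts and ends outside this hunk.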
@@ -239028,6 +238992,10 @@ index 3c5dba7..a598a86 100644
 +		')
 +
 +		optional_policy(`
++			accountsd_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
 +		')
@@ -239055,7 +239023,7 @@ index 3c5dba7..a598a86 100644
  		')
  
  		optional_policy(`
-@@ -951,12 +1213,30 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1219,30 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
@@ -239087,7 +239055,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  #######################################
-@@ -990,27 +1270,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1276,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -239125,7 +239093,7 @@ index 3c5dba7..a598a86 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1307,57 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1313,57 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -239170,11 +239138,9 @@ index 3c5dba7..a598a86 100644
 +	optional_policy(`
 +		systemd_dbus_chat_timedated($1_t)
 +		systemd_dbus_chat_hostnamed($1_t)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		gpm_stream_connect($1_usertype)
 +	')
 +
@@ -239185,15 +239151,17 @@ index 3c5dba7..a598a86 100644
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1366,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1372,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -239204,7 +239172,7 @@ index 3c5dba7..a598a86 100644
  	')
  ')
  
-@@ -1082,7 +1404,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1410,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -239213,7 +239181,7 @@ index 3c5dba7..a598a86 100644
  	')
  
  	##############################
-@@ -1109,6 +1431,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1437,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -239221,7 +239189,7 @@ index 3c5dba7..a598a86 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1117,6 +1440,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1446,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -239231,7 +239199,7 @@ index 3c5dba7..a598a86 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1457,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1463,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -239239,7 +239207,7 @@ index 3c5dba7..a598a86 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1475,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1481,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -239254,7 +239222,7 @@ index 3c5dba7..a598a86 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1493,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,30 +1499,39 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -239290,14 +239258,16 @@ index 3c5dba7..a598a86 100644
  	logging_send_syslog_msg($1_t)
  
 -	modutils_domtrans_insmod($1_t)
+-
 +	optional_policy(`
 +		modutils_domtrans_insmod($1_t)
 +		modutils_domtrans_depmod($1_t)
 +	')
- 
++
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1534,8 @@ template(`userdom_admin_user_template',`
+ 	# cannot directly manipulate policy files with arbitrary programs.
+@@ -1194,6 +1540,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -239306,7 +239276,7 @@ index 3c5dba7..a598a86 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1543,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1549,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -239325,7 +239295,7 @@ index 3c5dba7..a598a86 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1253,6 +1599,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1605,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -239334,7 +239304,7 @@ index 3c5dba7..a598a86 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1613,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1619,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -239346,7 +239316,7 @@ index 3c5dba7..a598a86 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1627,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1633,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -239389,7 +239359,7 @@ index 3c5dba7..a598a86 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1712,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1718,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -239408,7 +239378,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -1408,6 +1763,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1769,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -239460,7 +239430,7 @@ index 3c5dba7..a598a86 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1912,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1918,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -239492,7 +239462,7 @@ index 3c5dba7..a598a86 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +1978,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1984,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -239507,7 +239477,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -1573,9 +2001,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2007,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -239519,7 +239489,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -1632,6 +2062,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2068,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -239562,7 +239532,7 @@ index 3c5dba7..a598a86 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2177,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2183,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -239571,7 +239541,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -1744,10 +2212,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2218,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -239586,7 +239556,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -1772,7 +2242,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2248,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -239595,7 +239565,7 @@ index 3c5dba7..a598a86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1780,19 +2250,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2256,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -239619,7 +239589,7 @@ index 3c5dba7..a598a86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1800,31 +2268,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2274,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -239659,7 +239629,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -1848,6 +2316,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2322,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -239685,7 +239655,7 @@ index 3c5dba7..a598a86 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2365,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2371,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -239723,7 +239693,7 @@ index 3c5dba7..a598a86 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2405,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2411,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -239741,7 +239711,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -1941,7 +2453,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2459,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -239768,7 +239738,7 @@ index 3c5dba7..a598a86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1951,17 +2481,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2487,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  #
  interface(`userdom_delete_all_user_home_content_files',`
  	gen_require(`
@@ -239789,7 +239759,7 @@ index 3c5dba7..a598a86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,12 +2497,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2503,48 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -239840,7 +239810,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -2010,8 +2574,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2580,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -239850,7 +239820,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -2027,20 +2590,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2596,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -239875,7 +239845,7 @@ index 3c5dba7..a598a86 100644
  
  ########################################
  ## <summary>
-@@ -2123,7 +2680,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2686,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -239884,7 +239854,7 @@ index 3c5dba7..a598a86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2688,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2694,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -239908,7 +239878,7 @@ index 3c5dba7..a598a86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2706,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2712,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -239924,7 +239894,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -2393,11 +2948,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2954,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -239939,7 +239909,7 @@ index 3c5dba7..a598a86 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +2972,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2978,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -239948,7 +239918,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -2664,6 +3219,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3225,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -239974,7 +239944,7 @@ index 3c5dba7..a598a86 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3254,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3260,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -239990,7 +239960,7 @@ index 3c5dba7..a598a86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3282,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3288,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -239999,7 +239969,7 @@ index 3c5dba7..a598a86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,14 +3290,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3296,17 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -240013,28 +239983,61 @@ index 3c5dba7..a598a86 100644
 -	allow $1 user_tmpfs_t:dir list_dir_perms;
 -	fs_search_tmpfs($1)
 +	allow $1 user_tmpfs_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of a user domain tty.
 +##	Execute user tmpfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2735,21 +3314,39 @@ interface(`userdom_manage_user_tmpfs_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_getattr_user_ttys',`
++interface(`userdom_execute_user_tmpfs_files',`
+ 	gen_require(`
+-		type user_tty_device_t;
++		type user_tmpfs_t;
+ 	')
+ 
+-	allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
++	allow $1 user_tmpfs_t:file execute;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes of a user domain tty.
++##	Get the attributes of a user domain tty.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_execute_user_tmpfs_files',`
++interface(`userdom_getattr_user_ttys',`
 +	gen_require(`
-+		type user_tmpfs_t;
++		type user_tty_device_t;
 +	')
 +
-+	allow $1 user_tmpfs_t:file execute;
- ')
- 
- ########################################
-@@ -2817,6 +3408,24 @@ interface(`userdom_use_user_ttys',`
++	allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes of a user domain tty.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+@@ -2817,6 +3414,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -240059,7 +240062,7 @@ index 3c5dba7..a598a86 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3444,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3450,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -240102,7 +240105,7 @@ index 3c5dba7..a598a86 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3480,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3486,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -240140,7 +240143,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -2885,8 +3525,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3531,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -240170,7 +240173,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -2958,69 +3617,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3623,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -240271,7 +240274,7 @@ index 3c5dba7..a598a86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3686,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3692,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -240286,7 +240289,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -3097,7 +3755,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3761,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -240295,7 +240298,7 @@ index 3c5dba7..a598a86 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3771,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3777,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -240329,7 +240332,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -3217,7 +3859,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3865,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -240338,7 +240341,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -3272,7 +3914,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3920,64 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -240404,7 +240407,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -3290,7 +3989,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +3995,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -240413,7 +240416,7 @@ index 3c5dba7..a598a86 100644
  ')
  
  ########################################
-@@ -3309,6 +4008,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4014,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -240421,7 +240424,7 @@ index 3c5dba7..a598a86 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3385,6 +4085,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4091,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -240464,7 +240467,7 @@ index 3c5dba7..a598a86 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4141,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4147,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -240489,7 +240492,7 @@ index 3c5dba7..a598a86 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3439,3 +4193,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3439,3 +4199,1365 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 1726b5d..0c8a316 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -10067,7 +10067,7 @@ index 0000000..efebae7
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..11c8537
+index 0000000..45057f8
 --- /dev/null
 +++ b/chrome.te
 @@ -0,0 +1,200 @@
@@ -10257,7 +10257,7 @@ index 0000000..11c8537
 +
 +dev_read_urand(chrome_sandbox_nacl_t)
 +dev_read_sysfs(chrome_sandbox_nacl_t)
-+
++dev_rwx_zero(chrome_sandbox_nacl_t)
 +
 +init_read_state(chrome_sandbox_nacl_t)
 +
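Review bot: `dev_rwx_zero(chrome_sandbox_nacl_t)` is added without a comment, yet it is the only rule in this block that hands out an execute mapping: it lets the NaCl sandbox map /dev/zero both writable and executable, which is the anonymous W+X memory that `execmem` is otherwise meant to gate. A one-line why-comment above it, `# NaCl requires an rwx mapping of /dev/zero; scoped to chrome_sandbox_nacl_t on purpose`, records that the grant is deliberate and should not be copied to the ordinary chrome_sandbox_t domain. The chrome_sandbox_nacl_t block continues outside the hunk.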
@@ -12270,7 +12270,7 @@ index 3fe3cb8..684b700 100644
 +	')
  ')
 diff --git a/condor.te b/condor.te
-index 3f2b672..a7aaf98 100644
+index 3f2b672..22ddc47 100644
 --- a/condor.te
 +++ b/condor.te
 @@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t)
@@ -12309,18 +12309,18 @@ index 3f2b672..a7aaf98 100644
  corenet_tcp_sendrecv_generic_if(condor_domain)
  corenet_tcp_sendrecv_generic_node(condor_domain)
  
-@@ -106,10 +107,6 @@ dev_read_rand(condor_domain)
+@@ -106,9 +107,7 @@ dev_read_rand(condor_domain)
  dev_read_sysfs(condor_domain)
  dev_read_urand(condor_domain)
  
 -logging_send_syslog_msg(condor_domain)
 -
 -miscfiles_read_localization(condor_domain)
--
++auth_read_passwd(condor_domain)
+ 
  tunable_policy(`condor_tcp_network_connect',`
  	corenet_sendrecv_all_client_packets(condor_domain)
- 	corenet_tcp_connect_all_ports(condor_domain)
-@@ -150,8 +147,6 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
+@@ -150,8 +149,6 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
  
  domain_read_all_domains_state(condor_master_t)
  
@@ -12329,7 +12329,7 @@ index 3f2b672..a7aaf98 100644
  optional_policy(`
  	mta_send_mail(condor_master_t)
  	mta_read_config(condor_master_t)
-@@ -178,6 +173,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -178,6 +175,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
  allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
  allow condor_negotiator_t condor_master_t:udp_socket getattr;
  
@@ -12338,7 +12338,7 @@ index 3f2b672..a7aaf98 100644
  ######################################
  #
  # Procd local policy
-@@ -209,6 +206,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -209,6 +208,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
  
@@ -12347,7 +12347,7 @@ index 3f2b672..a7aaf98 100644
  #####################################
  #
  # Startd local policy
-@@ -233,11 +232,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -233,11 +234,10 @@ domain_read_all_domains_state(condor_startd_t)
  mcs_process_set_categories(condor_startd_t)
  
  init_domtrans_script(condor_startd_t)
@@ -12360,7 +12360,7 @@ index 3f2b672..a7aaf98 100644
  optional_policy(`
  	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
  	ssh_domtrans(condor_startd_t)
-@@ -249,3 +247,7 @@ optional_policy(`
+@@ -249,3 +249,7 @@ optional_policy(`
  		kerberos_use(condor_startd_ssh_t)
  	')
  ')
@@ -20080,7 +20080,7 @@ index 19aa0b8..b303b37 100644
 +	allow $1 dnsmasq_unit_file_t:service all_service_perms;
  ')
 diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..12a8962 100644
+index ba14bcf..07bcb8e 100644
 --- a/dnsmasq.te
 +++ b/dnsmasq.te
 @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -20093,15 +20093,18 @@ index ba14bcf..12a8962 100644
  ########################################
  #
  # Local policy
-@@ -56,7 +59,6 @@ kernel_read_network_state(dnsmasq_t)
+@@ -56,7 +59,9 @@ kernel_read_network_state(dnsmasq_t)
  kernel_read_system_state(dnsmasq_t)
  kernel_request_load_module(dnsmasq_t)
  
 -corenet_all_recvfrom_unlabeled(dnsmasq_t)
++corecmd_exec_bin(dnsmasq_t)
++corecmd_exec_shell(dnsmasq_t)
++
  corenet_all_recvfrom_netlabel(dnsmasq_t)
  corenet_tcp_sendrecv_generic_if(dnsmasq_t)
  corenet_udp_sendrecv_generic_if(dnsmasq_t)
-@@ -88,8 +90,6 @@ auth_use_nsswitch(dnsmasq_t)
+@@ -88,8 +93,6 @@ auth_use_nsswitch(dnsmasq_t)
  
  logging_send_syslog_msg(dnsmasq_t)
  
@@ -20110,7 +20113,7 @@ index ba14bcf..12a8962 100644
  userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
  
-@@ -98,11 +98,20 @@ optional_policy(`
+@@ -98,12 +101,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20123,15 +20126,17 @@ index ba14bcf..12a8962 100644
  ')
  
  optional_policy(`
+-	networkmanager_read_pid_files(dnsmasq_t)
 +	dnsmasq_domtrans(dnsmasq_t)
 +')
 +
 +optional_policy(`
 +	networkmanager_read_conf(dnsmasq_t)
- 	networkmanager_read_pid_files(dnsmasq_t)
++	networkmanager_manage_pid_files(dnsmasq_t)
  ')
  
-@@ -124,6 +133,7 @@ optional_policy(`
+ optional_policy(`
+@@ -124,6 +136,7 @@ optional_policy(`
  
  optional_policy(`
  	virt_manage_lib_files(dnsmasq_t)
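Review bot: `networkmanager_manage_pid_files(dnsmasq_t)` gives dnsmasq create, delete and rename rights over every file labeled NetworkManager_var_run_t, so a dnsmasq fault or compromise could remove or replace NetworkManager's own runtime state under /var/run/NetworkManager, not only the entries dnsmasq writes there. If dnsmasq only needs its own pid or lease files in that directory, a `filetrans_pattern` from NetworkManager_var_run_t to a dnsmasq-owned runtime type (the module's own var_run type, if it declares one — confirm) would let it create and manage just those; otherwise a comment stating why full manage rights over NetworkManager's pid directory are required would help the next reviewer. The optional_policy block is complete within the hunk.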
@@ -23523,7 +23528,7 @@ index e0a4f46..70277e8 100644
 +')
 diff --git a/glusterd.fc b/glusterd.fc
 new file mode 100644
-index 0000000..4bd6ade
+index 0000000..9614520
 --- /dev/null
 +++ b/glusterd.fc
 @@ -0,0 +1,16 @@
@@ -23537,7 +23542,7 @@ index 0000000..4bd6ade
 +
 +/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
 +
-+/var/lib/gluster.*	gen_context(system_u:object_r:glusterd_var_lib_t,s0)
++/var/lib/glusterd(/.*)?		gen_context(system_u:object_r:glusterd_var_lib_t,s0)
 +
 +/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
 +
@@ -23701,10 +23706,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..8f595f8
+index 0000000..6704414
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,104 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +########################################
@@ -23802,6 +23807,8 @@ index 0000000..8f595f8
 +
 +auth_use_nsswitch(glusterd_t)
 +
++fs_getattr_all_fs(glusterd_t)
++
 +logging_send_syslog_msg(glusterd_t)
 +
 +miscfiles_read_localization(glusterd_t)
@@ -34906,10 +34913,10 @@ index 0000000..8d0e473
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/mock.if b/mock.if
 new file mode 100644
-index 0000000..7f6f2d6
+index 0000000..1446e6a
 --- /dev/null
 +++ b/mock.if
-@@ -0,0 +1,307 @@
+@@ -0,0 +1,303 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
@@ -35125,10 +35132,6 @@ index 0000000..7f6f2d6
 +	mock_domtrans($1)
 +	role $2 types mock_t;
 +	role $2 types mock_build_t;
-+
-+	optional_policy(`
-+		mount_run(mock_t, $2)
-+	')
 +')
 +
 +########################################
@@ -35600,10 +35603,10 @@ index 4462c0e..84944d1 100644
  
  userdom_dontaudit_use_unpriv_user_fds(monopd_t)
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..ce28024 100644
+index 6ffaba2..379066c 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
-@@ -1,38 +1,60 @@
+@@ -1,38 +1,61 @@
 -HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -35632,6 +35635,7 @@ index 6ffaba2..ce28024 100644
 +HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.gnash(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.gnashpluginrc		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.gcjwebplugin(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.grl-podcasts(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -35699,7 +35703,7 @@ index 6ffaba2..ce28024 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..60bb004 100644
+index 6194b80..97b8462 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -1,146 +1,75 @@
@@ -36320,7 +36324,7 @@ index 6194b80..60bb004 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -530,45 +430,47 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +430,48 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -36390,10 +36394,11 @@ index 6194b80..60bb004 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..046b1af 100644
+index 6a306ee..de62123 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -36826,7 +36831,7 @@ index 6a306ee..046b1af 100644
  ')
  
  optional_policy(`
-@@ -300,63 +316,54 @@ optional_policy(`
+@@ -300,221 +316,171 @@ optional_policy(`
  
  ########################################
  #
@@ -36920,7 +36925,10 @@ index 6a306ee..046b1af 100644
  
  kernel_read_all_sysctls(mozilla_plugin_t)
  kernel_read_system_state(mozilla_plugin_t)
-@@ -366,155 +373,113 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+ kernel_read_network_state(mozilla_plugin_t)
+ kernel_request_load_module(mozilla_plugin_t)
+ kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
++files_dontaudit_read_root_files(mozilla_plugin_t)
  
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
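Review bot: `files_dontaudit_read_root_files(mozilla_plugin_t)` appears to silence read as well as getattr denials on files in the root directory, while the stated trigger is only a getattr on /core after a crash, so the dontaudit is broader than the need and would also hide a plugin actually reading files in /. If the base policy offers a getattr-only dontaudit for root files, that would fit better; if not, a comment such as `# dontaudit: plugin stats /core after a browser crash, read dontaudit is the nearest interface` above the line records why the wider rule was chosen. The mozilla_plugin_t block continues outside the hunk.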
@@ -37138,7 +37146,7 @@ index 6a306ee..046b1af 100644
  ')
  
  optional_policy(`
-@@ -523,36 +488,43 @@ optional_policy(`
+@@ -523,36 +489,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37196,7 +37204,7 @@ index 6a306ee..046b1af 100644
  ')
  
  optional_policy(`
-@@ -560,7 +532,7 @@ optional_policy(`
+@@ -560,7 +533,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37205,7 +37213,7 @@ index 6a306ee..046b1af 100644
  ')
  
  optional_policy(`
-@@ -568,108 +540,108 @@ optional_policy(`
+@@ -568,108 +541,108 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41733,7 +41741,7 @@ index a1fb3c3..8fe1d63 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..163b870 100644
+index 0e8508c..b9c69d2 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -41896,39 +41904,52 @@ index 0e8508c..163b870 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -171,29 +218,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',`
  	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
  ')
  
--########################################
 +#######################################
- ## <summary>
--##	Append networkmanager log files.
++## <summary>
 +##  Read NetworkManager conf files.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
++## </summary>
++## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
--interface(`networkmanager_append_log_files',`
--	gen_require(`
--		type NetworkManager_log_t;
--	')
++## </param>
++#
 +interface(`networkmanager_read_conf',`
 +    gen_require(`
 +        type NetworkManager_etc_t;
 +    ')
++
++	allow $1 NetworkManager_etc_t:dir list_dir_perms;
++	read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
++')
++
+ ########################################
+ ## <summary>
+-##	Append networkmanager log files.
++##	Read NetworkManager PID files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`networkmanager_append_log_files',`
++interface(`networkmanager_read_pid_files',`
+ 	gen_require(`
+-		type NetworkManager_log_t;
++		type NetworkManager_var_run_t;
+ 	')
  
 -	logging_search_logs($1)
 -	allow $1 NetworkManager_log_t:dir list_dir_perms;
 -	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
-+	allow $1 NetworkManager_etc_t:dir list_dir_perms;
-+	read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
++	files_search_pids($1)
++	read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
  ')
  
  ########################################
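Review bot: The new body of `networkmanager_read_conf` is indented with four spaces and its `##  ` doc lines use double spaces, while the neighbouring interfaces in the same hunk (`networkmanager_read_pid_files` below it) use tabs, and `read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)` drops the spaces after the commas that every other pattern call on the new side has; the `#######################################` separator above it is also one character shorter than the others. `	read_files_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)` with tab indentation, and a 40-character separator, would make the block read like the rest of the file. The gen_require part of this interface is pre-existing context; only the allow and pattern lines are new here.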
@@ -41938,12 +41959,19 @@ index 0e8508c..163b870 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -207,17 +253,17 @@ interface(`networkmanager_read_pid_files',`
+@@ -201,23 +266,23 @@ interface(`networkmanager_append_log_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`networkmanager_read_pid_files',`
++interface(`networkmanager_manage_pid_files',`
+ 	gen_require(`
+ 		type NetworkManager_var_run_t;
  	')
  
  	files_search_pids($1)
 -	allow $1 NetworkManager_var_run_t:file read_file_perms;
-+	read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
++	manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
  ')
  
  ########################################
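Review bot: The interface is renamed to `networkmanager_manage_pid_files` and switched to `manage_files_pattern`, but its `## <summary>` line sits above the hunk, so it is not visible whether it was updated to say "Manage" the way `networkmanager_read_pid_files` received a fresh summary in the previous hunk; an interface that still advertises read access while granting create, delete and rename would mislead callers. Please confirm the header reads `##	Manage NetworkManager PID files.` and, since manage_files_pattern presumably also grants write access to the containing directory, that the parameter description mentions it. The interface's doc header starts outside the hunk.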
@@ -41960,7 +41988,7 @@ index 0e8508c..163b870 100644
  ##	</summary>
  ## </param>
  ## <param name="role">
-@@ -227,33 +273,92 @@ interface(`networkmanager_read_pid_files',`
+@@ -227,33 +292,92 @@ interface(`networkmanager_read_pid_files',`
  ## </param>
  ## <rolecap/>
  #
@@ -46332,14 +46360,16 @@ index cd29ea8..efbf8f8 100644
  	')
  ')
 diff --git a/oddjob.fc b/oddjob.fc
-index dd1d9ef..7e2287c 100644
+index dd1d9ef..fbbe3ff 100644
 --- a/oddjob.fc
 +++ b/oddjob.fc
-@@ -1,10 +1,7 @@
+@@ -1,10 +1,10 @@
 -/sbin/mkhomedir_helper	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
--
- /usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
--
+ 
+-/usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
++/usr/lib/systemd/system/oddjobd.*   --  gen_context(system_u:object_r:oddjob_unit_file_t,s0)
+ 
++/usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
  /usr/libexec/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
  
 -/usr/sbin/oddjobd	--	gen_context(system_u:object_r:oddjob_exec_t,s0)
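Review bot: The new `/usr/lib/systemd/system/oddjobd.*` entry is the only line in this file whose fields are separated by runs of spaces; the neighbouring entries use tabs between path, file type and context, so `/usr/lib/systemd/system/oddjobd.*	--	gen_context(system_u:object_r:oddjob_unit_file_t,s0)` would match them. The unescaped `.` is a regex wildcard, so the pattern also labels any file whose name merely starts with `oddjobd`; that is the common way to cover both `.service` and `.socket` units, but if only the service unit is intended, `oddjobd\.service` is tighter and consistent with the escaped dot used for `oddjobd\.pid` a few lines below.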
@@ -46350,7 +46380,7 @@ index dd1d9ef..7e2287c 100644
 -/var/run/oddjobd\.pid	gen_context(system_u:object_r:oddjob_var_run_t,s0)
 +/var/run/oddjobd\.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
 diff --git a/oddjob.if b/oddjob.if
-index c87bd2a..dec6bc7 100644
+index c87bd2a..7de054a 100644
 --- a/oddjob.if
 +++ b/oddjob.if
 @@ -1,4 +1,8 @@
@@ -46462,7 +46492,7 @@ index c87bd2a..dec6bc7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -105,46 +141,47 @@ interface(`oddjob_domtrans_mkhomedir',`
+@@ -105,46 +141,70 @@ interface(`oddjob_domtrans_mkhomedir',`
  #
  interface(`oddjob_run_mkhomedir',`
  	gen_require(`
@@ -46476,36 +46506,54 @@ index c87bd2a..dec6bc7 100644
  ')
  
 -#####################################
-+########################################
++#######################################
  ## <summary>
 -##	Do not audit attempts to read and write 
 -##	oddjob fifo files.
-+##	Create a domain which can be started by init,
-+##	with a range transition.
++##  Execute oddjob in the oddjob domain.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
+-##	<summary>
 -##	Domain to not audit.
-+##	Type to be used as a domain.
- ##	</summary>
+-##	</summary>
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
  ## </param>
--#
+ #
 -interface(`oddjob_dontaudit_rw_fifo_files',`
 -	gen_require(`
 -		type oddjob_t;
 -	')
--
++interface(`oddjob_systemctl',`
++    gen_require(`
++        type oddjob_unit_file_t;
++        type oddjob_t;
++    ')
++
++    systemd_exec_systemctl($1)
++    allow $1 oddjob_unit_file_t:file read_file_perms;
++    allow $1 oddjob_unit_file_t:service manage_service_perms;
+ 
 -	dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms;
--')
--
++    ps_process_pattern($1, oddjob_t)
+ ')
+ 
 -######################################
--## <summary>
++########################################
+ ## <summary>
 -##	Send child terminated signals to oddjob.
--## </summary>
--## <param name="domain">
-+## <param name="entry_point">
++##	Create a domain which can be started by init,
++##	with a range transition.
+ ## </summary>
+ ## <param name="domain">
  ##	<summary>
 -##	Domain allowed access.
++##	Type to be used as a domain.
++##	</summary>
++## </param>
++## <param name="entry_point">
++##	<summary>
 +##	Type of the program to be used as an entry point to this domain.
 +##	</summary>
 +## </param>
@@ -46534,7 +46582,7 @@ index c87bd2a..dec6bc7 100644
 +	')
  ')
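Review bot: The `<summary>` added for `oddjob_systemctl` ("Execute oddjob in the oddjob domain.") and its parameter text "Domain allowed to transition." describe a domain transition, but the body grants `systemd_exec_systemctl`, read plus `manage_service_perms` on `oddjob_unit_file_t`, and `ps_process_pattern` on `oddjob_t`, i.e. it lets the caller start, stop and inspect the oddjob service without ever entering its domain. Suggested wording: `##	Execute systemctl on the oddjob service (start, stop, status) and read oddjob process state.` for the summary and `##	Domain allowed access.` for the parameter. The new interface is also indented with four spaces and opened with a 39-character `#` banner, while the rest of the file (including the banner added a few lines further down in this hunk) uses tabs and 40-character banners.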
 diff --git a/oddjob.te b/oddjob.te
-index 296a1d3..467700e 100644
+index 296a1d3..edc3e32 100644
 --- a/oddjob.te
 +++ b/oddjob.te
 @@ -1,12 +1,10 @@
@@ -46551,7 +46599,7 @@ index 296a1d3..467700e 100644
  type oddjob_t;
  type oddjob_exec_t;
  domain_type(oddjob_t)
-@@ -20,8 +18,9 @@ type oddjob_mkhomedir_exec_t;
+@@ -20,18 +18,22 @@ type oddjob_mkhomedir_exec_t;
  domain_type(oddjob_mkhomedir_t)
  domain_obj_id_change_exemption(oddjob_mkhomedir_t)
  init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
@@ -46562,7 +46610,12 @@ index 296a1d3..467700e 100644
  type oddjob_var_run_t;
  files_pid_file(oddjob_var_run_t)
  
-@@ -31,7 +30,7 @@ ifdef(`enable_mcs',`
++type oddjob_unit_file_t;
++systemd_unit_file(oddjob_unit_file_t)
++
+ ifdef(`enable_mcs',`
+ 	init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
+ ')
  
  ########################################
  #
@@ -46571,7 +46624,7 @@ index 296a1d3..467700e 100644
  #
  
  allow oddjob_t self:capability setgid;
-@@ -43,8 +42,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
+@@ -43,8 +45,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
  manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
  files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
  
@@ -46580,7 +46633,7 @@ index 296a1d3..467700e 100644
  kernel_read_system_state(oddjob_t)
  
  corecmd_exec_bin(oddjob_t)
-@@ -54,9 +51,9 @@ mcs_process_set_categories(oddjob_t)
+@@ -54,9 +54,9 @@ mcs_process_set_categories(oddjob_t)
  
  selinux_compute_create_context(oddjob_t)
  
@@ -46591,7 +46644,7 @@ index 296a1d3..467700e 100644
  
  locallogin_dontaudit_use_fds(oddjob_t)
  
-@@ -71,13 +68,13 @@ optional_policy(`
+@@ -71,13 +71,13 @@ optional_policy(`
  
  ########################################
  #
@@ -46607,7 +46660,7 @@ index 296a1d3..467700e 100644
  
  kernel_read_system_state(oddjob_mkhomedir_t)
  
-@@ -85,7 +82,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t)
+@@ -85,7 +85,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t)
  
  logging_send_syslog_msg(oddjob_mkhomedir_t)
  
@@ -46615,7 +46668,7 @@ index 296a1d3..467700e 100644
  
  selinux_get_fs_mount(oddjob_mkhomedir_t)
  selinux_validate_context(oddjob_mkhomedir_t)
-@@ -98,8 +94,11 @@ seutil_read_config(oddjob_mkhomedir_t)
+@@ -98,8 +97,11 @@ seutil_read_config(oddjob_mkhomedir_t)
  seutil_read_file_contexts(oddjob_mkhomedir_t)
  seutil_read_default_contexts(oddjob_mkhomedir_t)
  
@@ -46979,10 +47032,10 @@ index 0000000..e108d48
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..1a26cd5
+index 0000000..407386d
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,664 @@
+@@ -0,0 +1,646 @@
 +
 +## <summary> policy for openshift </summary>
 +
@@ -47063,24 +47116,6 @@ index 0000000..1a26cd5
 +
 +########################################
 +## <summary>
-+##	Send a signal to openshift init scripts.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`openshift_initrc_signl',`
-+	gen_require(`
-+		type openshift_initrc_t;
-+	')
-+
-+	allow $1 openshift_initrc_t:process signal;
-+')
-+
-+########################################
-+## <summary>
 +##	Search openshift cache directories.
 +## </summary>
 +## <param name="domain">
@@ -47649,10 +47684,10 @@ index 0000000..1a26cd5
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..30757e2
+index 0000000..a23c70a
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,467 @@
+@@ -0,0 +1,472 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -47905,6 +47940,7 @@ index 0000000..30757e2
 +
 +term_dontaudit_search_ptys(openshift_domain)
 +term_use_generic_ptys(openshift_domain)
++term_dontaudit_getattr_generic_ptys(openshift_domain)
 +term_use_ptmx(openshift_domain)
 +
 +userdom_use_inherited_user_ptys(openshift_domain)
@@ -48022,6 +48058,10 @@ index 0000000..30757e2
 +allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
 +allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
 +
++kernel_read_system_state(openshift_cgroup_read_t)
++
++miscfiles_read_localization(openshift_cgroup_read_t)
++
 +optional_policy(`
 +	ssh_use_ptys(openshift_cgroup_read_t)
 +')
@@ -62491,7 +62531,7 @@ index bff31df..e38693b 100644
  ## <param name="domain">
  ## <summary>
 diff --git a/realmd.te b/realmd.te
-index 9a8f052..ecd8eaf 100644
+index 9a8f052..727d60a 100644
 --- a/realmd.te
 +++ b/realmd.te
 @@ -1,4 +1,4 @@
@@ -62564,7 +62604,7 @@ index 9a8f052..ecd8eaf 100644
  optional_policy(`
  	dbus_system_domain(realmd_t, realmd_exec_t)
  
-@@ -67,17 +76,21 @@ optional_policy(`
+@@ -67,17 +76,25 @@ optional_policy(`
  
  optional_policy(`
  	nis_exec_ypbind(realmd_t)
@@ -62586,20 +62626,41 @@ index 9a8f052..ecd8eaf 100644
  	samba_manage_config(realmd_t)
 -	samba_getattr_winbind_exec(realmd_t)
 +	samba_getattr_winbind(realmd_t)
++')
++
++optional_policy(`
++	rpm_dbus_chat(realmd_t)
  ')
  
  optional_policy(`
-@@ -86,5 +99,9 @@ optional_policy(`
+@@ -86,5 +103,26 @@ optional_policy(`
  	sssd_manage_lib_files(realmd_t)
  	sssd_manage_public_files(realmd_t)
  	sssd_read_pid_files(realmd_t)
 -	sssd_initrc_domtrans(realmd_t)
 +	sssd_systemctl(realmd_t)
-+')
+ ')
 +
 +optional_policy(`
 +	xserver_read_state_xdm(realmd_t)
- ')
++')
++
++#####################################
++#
++# realmd consolehelper local policy
++#
++
++
++optional_policy(`
++    userhelper_console_role_template(realmd, system_r, realmd_t)
++	authconfig_manage_lib_files(realmd_consolehelper_t)
++
++	oddjob_systemctl(realmd_consolehelper_t)	
++
++	unconfined_domain_noaudit(realmd_consolehelper_t)
++')
++	
++
 diff --git a/remotelogin.fc b/remotelogin.fc
 index 327baf0..d8691bd 100644
 --- a/remotelogin.fc
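Review bot: `unconfined_domain_noaudit(realmd_consolehelper_t)` makes the new consolehelper domain unconfined, and because `userhelper_console_role_template(realmd, system_r, realmd_t)` lets realmd_t enter it, a confined system service now has a path to unconfined execution through whatever consolehelper launches; the surrounding `authconfig_manage_lib_files` and `oddjob_systemctl` calls suggest the real needs are narrow, so a comment recording why the unconfined rule is still required would help, e.g. `# TODO: initial policy; replace unconfined_domain_noaudit with the rules authconfig actually needs`. Placing the template call and the `authconfig_*`/`oddjob_*` calls in one `optional_policy` block also means the whole block, type included, is dropped if any of those modules is absent; one `optional_policy` per module is the usual split. The block further mixes four-space and tab indentation on the `userhelper_console_role_template` line, leaves trailing whitespace on the `oddjob_systemctl` line and adds a tab-only line after the closing `')`.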
@@ -69142,7 +69203,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 57c034b..89b9b6a 100644
+index 57c034b..4d983f7 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -1,4 +1,4 @@
@@ -69675,7 +69736,7 @@ index 57c034b..89b9b6a 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -493,9 +476,32 @@ optional_policy(`
+@@ -493,9 +476,34 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -69687,6 +69748,7 @@ index 57c034b..89b9b6a 100644
 +userdom_home_filetrans_user_home_dir(smbd_t)
 +
 +tunable_policy(`samba_export_all_ro',`
++	allow nmbd_t self:capability { dac_read_search dac_override };
 +	fs_read_noxattr_fs_files(smbd_t) 
 +	files_read_non_security_files(smbd_t) 
 +	fs_read_noxattr_fs_files(nmbd_t) 
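Review bot: `allow nmbd_t self:capability { dac_read_search dac_override };` inside `samba_export_all_ro` grants more than a read-only export needs: `dac_read_search` alone bypasses DAC read and search checks, whereas `dac_override` additionally waives DAC write checks on anything nmbd_t is otherwise allowed to modify. For the read-only tunable `allow nmbd_t self:capability dac_read_search;` matches the intent; the identical line added in the `samba_export_all_rw` hunk immediately below is where `dac_override` is justified.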
@@ -69694,6 +69756,7 @@ index 57c034b..89b9b6a 100644
 +')
 +
 +tunable_policy(`samba_export_all_rw',`
++	allow nmbd_t self:capability { dac_read_search dac_override };
 +	fs_read_noxattr_fs_files(smbd_t) 
 +	files_manage_non_security_files(smbd_t)
 +	fs_read_noxattr_fs_files(nmbd_t) 
@@ -69709,7 +69772,7 @@ index 57c034b..89b9b6a 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +512,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +514,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -69724,7 +69787,7 @@ index 57c034b..89b9b6a 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +528,14 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +530,14 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -69747,7 +69810,7 @@ index 57c034b..89b9b6a 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +544,39 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +546,40 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -69771,12 +69834,14 @@ index 57c034b..89b9b6a 100644
  corenet_tcp_connect_smbd_port(nmbd_t)
 -corenet_tcp_sendrecv_smbd_port(nmbd_t)
  
- dev_read_sysfs(nmbd_t)
+-dev_read_sysfs(nmbd_t)
  dev_getattr_mtrr_dev(nmbd_t)
- 
++dev_read_sysfs(nmbd_t)
++dev_read_urand(nmbd_t)
++
 +fs_getattr_all_fs(nmbd_t)
 +fs_search_auto_mountpoints(nmbd_t)
-+
+ 
  domain_use_interactive_fds(nmbd_t)
  
 -files_read_usr_files(nmbd_t)
@@ -69794,14 +69859,14 @@ index 57c034b..89b9b6a 100644
 -
  userdom_use_unpriv_users_fds(nmbd_t)
 -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
--
++userdom_dontaudit_search_user_home_dirs(nmbd_t)
+ 
 -tunable_policy(`samba_export_all_ro',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_list_non_auth_dirs(nmbd_t)
 -	files_read_non_auth_files(nmbd_t)
 -')
-+userdom_dontaudit_search_user_home_dirs(nmbd_t)
- 
+-
 -tunable_policy(`samba_export_all_rw',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_manage_non_auth_files(nmbd_t)
@@ -69810,7 +69875,7 @@ index 57c034b..89b9b6a 100644
  ')
  
  optional_policy(`
-@@ -600,17 +589,24 @@ optional_policy(`
+@@ -600,17 +592,24 @@ optional_policy(`
  
  ########################################
  #
@@ -69839,7 +69904,7 @@ index 57c034b..89b9b6a 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -620,16 +616,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +619,12 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -69857,7 +69922,7 @@ index 57c034b..89b9b6a 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +629,23 @@ optional_policy(`
+@@ -637,22 +632,23 @@ optional_policy(`
  
  ########################################
  #
@@ -69889,7 +69954,7 @@ index 57c034b..89b9b6a 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -661,26 +654,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +657,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -69925,7 +69990,7 @@ index 57c034b..89b9b6a 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -692,58 +681,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +684,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -70017,7 +70082,7 @@ index 57c034b..89b9b6a 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +760,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +763,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -70041,7 +70106,7 @@ index 57c034b..89b9b6a 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -770,36 +774,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +777,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -70084,7 +70149,7 @@ index 57c034b..89b9b6a 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -811,10 +804,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +807,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -70098,7 +70163,7 @@ index 57c034b..89b9b6a 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -837,13 +831,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+@@ -837,13 +834,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process { signal_perms getsched setsched };
  allow winbind_t self:fifo_file rw_fifo_file_perms;
@@ -70118,7 +70183,7 @@ index 57c034b..89b9b6a 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +849,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +852,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -70129,7 +70194,7 @@ index 57c034b..89b9b6a 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +860,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +863,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -70159,7 +70224,7 @@ index 57c034b..89b9b6a 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -891,13 +883,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +886,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -70180,7 +70245,7 @@ index 57c034b..89b9b6a 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +901,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +904,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -70191,7 +70256,7 @@ index 57c034b..89b9b6a 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -917,11 +909,17 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,11 +912,17 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -70210,7 +70275,7 @@ index 57c034b..89b9b6a 100644
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
  userdom_manage_user_home_content_files(winbind_t)
-@@ -936,6 +934,10 @@ optional_policy(`
+@@ -936,6 +937,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70221,7 +70286,7 @@ index 57c034b..89b9b6a 100644
  	kerberos_use(winbind_t)
  ')
  
-@@ -952,31 +954,29 @@ optional_policy(`
+@@ -952,31 +957,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -70259,7 +70324,7 @@ index 57c034b..89b9b6a 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -990,25 +990,38 @@ optional_policy(`
+@@ -990,25 +993,38 @@ optional_policy(`
  
  ########################################
  #
@@ -81731,7 +81796,7 @@ index cf118fd..cd80e83 100644
 +	can_exec($1, consolehelper_exec_t)
 +')
 diff --git a/userhelper.te b/userhelper.te
-index 274ed9c..4d8adf9 100644
+index 274ed9c..9294dd6 100644
 --- a/userhelper.te
 +++ b/userhelper.te
 @@ -1,15 +1,12 @@
@@ -81752,7 +81817,7 @@ index 274ed9c..4d8adf9 100644
  
  type userhelper_conf_t;
  files_config_file(userhelper_conf_t)
-@@ -22,141 +19,67 @@ application_executable_file(consolehelper_exec_t)
+@@ -22,141 +19,71 @@ application_executable_file(consolehelper_exec_t)
  
  ########################################
  #
@@ -81828,19 +81893,21 @@ index 274ed9c..4d8adf9 100644
 -userdom_manage_user_tmp_dirs(consolehelper_type)
 -userdom_manage_user_tmp_files(consolehelper_type)
 -userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
--
--tunable_policy(`use_nfs_home_dirs',`
--	fs_search_nfs(consolehelper_type)
--')
 +userhelper_exec(consolehelper_domain)
  
--tunable_policy(`use_samba_home_dirs',`
--	fs_search_cifs(consolehelper_type)
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_search_nfs(consolehelper_type)
 -')
 +userdom_use_user_ptys(consolehelper_domain)
 +userdom_use_user_ttys(consolehelper_domain)
 +userdom_read_user_home_content_files(consolehelper_domain)
  
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_search_cifs(consolehelper_type)
++optional_policy(`
++	dbus_session_bus_client(consolehelper_domain)
+ ')
+ 
  optional_policy(`
 -	shutdown_run(consolehelper_type, consolehelper_roles)
 -	shutdown_signal(consolehelper_type)
@@ -84144,7 +84211,7 @@ index 9dec06c..d8a2b54 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..64b70d6 100644
+index 1f22fba..d984f26 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,98 @@
@@ -84440,7 +84507,9 @@ index 1f22fba..64b70d6 100644
 -append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
 -
 -kernel_read_system_state(virt_domain)
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+ 
 -fs_getattr_xattr_fs(virt_domain)
 -
 -corecmd_exec_bin(virt_domain)
@@ -84558,9 +84627,7 @@ index 1f22fba..64b70d6 100644
 -	fs_manage_dos_dirs(virt_domain)
 -	fs_manage_dos_files(virt_domain)
 -')
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-
 -optional_policy(`
 -	tunable_policy(`virt_use_xserver',`
 -		xserver_read_xdm_pid(virt_domain)
@@ -84611,7 +84678,9 @@ index 1f22fba..64b70d6 100644
 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+ 
 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
 -
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
@@ -84635,9 +84704,7 @@ index 1f22fba..64b70d6 100644
 -corenet_sendrecv_all_server_packets(svirt_t)
 -corenet_udp_bind_all_ports(svirt_t)
 -corenet_tcp_bind_all_ports(svirt_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-
 -corenet_sendrecv_all_client_packets(svirt_t)
 -corenet_tcp_connect_all_ports(svirt_t)
 +corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -84650,7 +84717,7 @@ index 1f22fba..64b70d6 100644
  
  ########################################
  #
-@@ -407,38 +248,41 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -407,38 +248,42 @@ corenet_tcp_connect_all_ports(svirt_t)
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
@@ -84698,6 +84765,7 @@ index 1f22fba..64b70d6 100644
 +allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
 +allow virt_domain virtd_t:fd use;
 +dontaudit virt_domain virtd_t:unix_stream_socket { read write };
++allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
 +
 +can_exec(virtd_t, qemu_exec_t)
 +can_exec(virt_domain, qemu_exec_t)
@@ -84711,7 +84779,7 @@ index 1f22fba..64b70d6 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +292,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +293,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -84757,7 +84825,7 @@ index 1f22fba..64b70d6 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +326,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +327,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -84767,18 +84835,18 @@ index 1f22fba..64b70d6 100644
 -
 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
--can_exec(virtd_t, virt_tmp_t)
--
 -kernel_read_crypto_sysctls(virtd_t)
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +338,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +339,7 @@ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  kernel_setsched(virtd_t)
@@ -84786,7 +84854,7 @@ index 1f22fba..64b70d6 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,22 +346,12 @@ corecmd_exec_shell(virtd_t)
+@@ -520,22 +347,12 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -84810,7 +84878,7 @@ index 1f22fba..64b70d6 100644
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
-@@ -548,22 +364,22 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +365,22 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -84838,7 +84906,7 @@ index 1f22fba..64b70d6 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +410,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +411,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -84858,7 +84926,7 @@ index 1f22fba..64b70d6 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +432,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +433,24 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -84893,7 +84961,7 @@ index 1f22fba..64b70d6 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +458,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +459,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -84902,7 +84970,7 @@ index 1f22fba..64b70d6 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -646,107 +471,326 @@ optional_policy(`
+@@ -646,107 +472,326 @@ optional_policy(`
  	consoletype_exec(virtd_t)
  ')
  
@@ -85287,7 +85355,7 @@ index 1f22fba..64b70d6 100644
  
  manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +802,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +803,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -85317,7 +85385,7 @@ index 1f22fba..64b70d6 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +821,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +822,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -85344,7 +85412,7 @@ index 1f22fba..64b70d6 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +841,21 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +842,21 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -85375,7 +85443,7 @@ index 1f22fba..64b70d6 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,6 +873,10 @@ optional_policy(`
+@@ -847,6 +874,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85386,7 +85454,7 @@ index 1f22fba..64b70d6 100644
  	rpm_exec(virsh_t)
  ')
  
-@@ -854,7 +884,7 @@ optional_policy(`
+@@ -854,7 +885,7 @@ optional_policy(`
  	xen_manage_image_dirs(virsh_t)
  	xen_append_log(virsh_t)
  	xen_domtrans(virsh_t)
@@ -85395,7 +85463,7 @@ index 1f22fba..64b70d6 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,34 +909,40 @@ optional_policy(`
+@@ -879,34 +910,44 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -85413,20 +85481,23 @@ index 1f22fba..64b70d6 100644
 -# Lxc local policy
 +# virt_lxc local policy
  #
--
- allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
++allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
++allow virtd_lxc_t self:process { transition setpgid signal_perms };
 +allow virtd_lxc_t self:capability2 compromise_kernel;
-+
+ 
+-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
  allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
  allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
 -allow virtd_lxc_t self:netlink_route_socket nlmsg_write;
 -allow virtd_lxc_t self:unix_stream_socket { accept listen };
 +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
-+allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
++allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow virtd_lxc_t self:packet_socket create_socket_perms;
--
--allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
 +ps_process_pattern(virtd_lxc_t, svirt_lxc_domain)
++allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;
+ 
+-allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
++files_entrypoint_all_files(virtd_lxc_t)
  
  allow virtd_lxc_t virt_image_type:dir mounton;
  manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
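Review bot: `files_entrypoint_all_files(virtd_lxc_t)` lets an executable of any file type serve as an entry point into virtd_lxc_t, which together with the new `self:process transition` removes the check that normally pins a domain to its own executable; the `unconfined_domain(virtd_lxc_t)` rule visible in a later hunk is presumably why this is considered acceptable, and a comment such as `# virt-sandbox executes arbitrary binaries as virtd_lxc_t; the domain is unconfined below` above the rule would record that for the next reviewer. The hunk also leaves two `allow virtd_lxc_t self:process` rules that both list `signal_perms`; folding `transition setpgid` into the existing `{ setexec setrlimit setsched getcap setcap signal_perms }` rule keeps one rule per class.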
@@ -85446,7 +85517,7 @@ index 1f22fba..64b70d6 100644
  
  manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +952,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +957,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
  allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -85462,7 +85533,7 @@ index 1f22fba..64b70d6 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +972,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +977,8 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -85473,7 +85544,7 @@ index 1f22fba..64b70d6 100644
  files_relabel_rootfs(virtd_lxc_t)
  files_mounton_non_security(virtd_lxc_t)
  files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +981,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +986,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
  files_list_isid_type_dirs(virtd_lxc_t)
  files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
  
@@ -85481,7 +85552,7 @@ index 1f22fba..64b70d6 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +993,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +998,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -85500,7 +85571,7 @@ index 1f22fba..64b70d6 100644
  
  term_use_generic_ptys(virtd_lxc_t)
  term_use_ptmx(virtd_lxc_t)
-@@ -973,20 +1007,38 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,20 +1012,44 @@ auth_use_nsswitch(virtd_lxc_t)
  
  logging_send_syslog_msg(virtd_lxc_t)
  
@@ -85521,6 +85592,12 @@ index 1f22fba..64b70d6 100644
 +
 +sysnet_exec_ifconfig(virtd_lxc_t)
 +
++userdom_read_admin_home_files(virtd_lxc_t)
++
++optional_policy(`
++	gnome_read_generic_cache_files(virtd_lxc_t)
++')
++
 +optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
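Review bot: `userdom_read_admin_home_files(virtd_lxc_t)` gives the container supervisor read access to the whole admin home tree, which is wider than the single file or directory a sandbox setup most likely needs, and the hunk records no reason for it. The commit message attributes the new access to virt-sandbox; a comment above the line such as `# virt-sandbox reads <PLACEHOLDER: path that produced the denial> under the admin home` would let a later reviewer narrow or drop the grant. The same applies to `gnome_read_generic_cache_files(virtd_lxc_t)` in the optional_policy block that follows it. The virtd_lxc_t section this hunk patches continues outside the hunk.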
@@ -85545,7 +85622,7 @@ index 1f22fba..64b70d6 100644
  allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
  allow svirt_lxc_domain self:fifo_file manage_file_perms;
  allow svirt_lxc_domain self:sem create_sem_perms;
-@@ -995,19 +1047,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,19 +1058,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
  allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
  allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
  
@@ -85565,7 +85642,7 @@ index 1f22fba..64b70d6 100644
  manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1054,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1065,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -85584,7 +85661,7 @@ index 1f22fba..64b70d6 100644
  kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
  
  corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1073,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1084,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
  files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
  files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
  files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -85611,7 +85688,7 @@ index 1f22fba..64b70d6 100644
  auth_dontaudit_read_login_records(svirt_lxc_domain)
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,11 +1098,16 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,11 +1109,16 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
  
  libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
  
@@ -85630,7 +85707,7 @@ index 1f22fba..64b70d6 100644
  
  optional_policy(`
  	udev_read_pid_files(svirt_lxc_domain)
-@@ -1078,81 +1118,67 @@ optional_policy(`
+@@ -1078,81 +1129,67 @@ optional_policy(`
  	apache_read_sys_content(svirt_lxc_domain)
  ')
  
@@ -85738,7 +85815,7 @@ index 1f22fba..64b70d6 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1191,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1202,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -85753,7 +85830,7 @@ index 1f22fba..64b70d6 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1209,8 @@ optional_policy(`
+@@ -1183,9 +1220,8 @@ optional_policy(`
  
  ########################################
  #
@@ -85764,7 +85841,7 @@ index 1f22fba..64b70d6 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1223,65 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1234,70 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -85777,7 +85854,7 @@ index 1f22fba..64b70d6 100644
 +# virt_qemu_ga local policy
 +#
 +
-+allow virt_qemu_ga_t self:capability sys_tty_config;
++allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config };
 +
 +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
 +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
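Review bot: The rewritten rule `allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config };` hands the guest agent CAP_SYS_ADMIN, the broadest capability in the set, and nothing in the hunk says which agent operation needs it. If it is for the agent's filesystem freeze support or a mount-related command, a one-line justification such as `# sys_admin: required by <PLACEHOLDER: guest-agent command>` above the rule would let someone later confirm that no narrower permission covers it. The virt_qemu_ga_t block that starts here continues in the next hunk, where `files_write_all_mountpoints(virt_qemu_ga_t)` and `term_use_unallocated_ttys(virt_qemu_ga_t)` are added and deserve the same kind of note, since write access to every mountpoint is likewise a broad grant for an agent process.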
@@ -85792,11 +85869,15 @@ index 1f22fba..64b70d6 100644
 +corecmd_exec_shell(virt_qemu_ga_t)
 +corecmd_exec_bin(virt_qemu_ga_t)
 +
-+
 +dev_rw_sysfs(virt_qemu_ga_t)
 +
++files_list_all_mountpoints(virt_qemu_ga_t)
++files_write_all_mountpoints(virt_qemu_ga_t)
++fs_list_all(virt_qemu_ga_t)
++
 +term_use_virtio_console(virt_qemu_ga_t)
 +term_use_all_ttys(virt_qemu_ga_t)
++term_use_unallocated_ttys(virt_qemu_ga_t)
 +
 +logging_send_syslog_msg(virt_qemu_ga_t)
 +
@@ -85831,6 +85912,7 @@ index 1f22fba..64b70d6 100644
 +
 +type svirt_socket_t;
 +role system_r types svirt_socket_t;
++allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
 +allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
 diff --git a/vlock.te b/vlock.te
 index 9ead775..b5285e7 100644
@@ -87974,7 +88056,7 @@ index 0cea2cd..7668014 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 diff --git a/xguest.te b/xguest.te
-index 2882821..32ace1c 100644
+index 2882821..521232e 100644
 --- a/xguest.te
 +++ b/xguest.te
 @@ -1,4 +1,4 @@
@@ -88103,7 +88185,7 @@ index 2882821..32ace1c 100644
  ')
  
  optional_policy(`
-@@ -97,75 +113,78 @@ optional_policy(`
+@@ -97,75 +113,82 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -88123,6 +88205,10 @@ index 2882821..32ace1c 100644
 +')
  
 +optional_policy(`
++	mount_run_fusermount(xguest_t, xguest_r)
++')
++
++optional_policy(`
 +	pcscd_read_pid_files(xguest_t)
 +	pcscd_stream_connect(xguest_t)
 +')
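Review bot: `mount_run_fusermount(xguest_t, xguest_r)` extends the restricted xguest role to running fusermount, presumably through a domain transition given the role argument, while the changelog entry in this same commit says "Allow guest user to run fusermount"; confirm that xguest_t rather than guest_t is the intended target, or whether both should get it. Because fusermount is a privileged helper for FUSE mounts, a comment naming the use case, e.g. `# xguest needs fusermount for <PLACEHOLDER: desktop feature>`, would record why a guest login is granted mount-related rights at all. The optional_policy block is complete within the hunk; the surrounding xguest.te section continues outside it.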
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 064274e..9fe3c0b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -522,6 +522,47 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Feb 20 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-14
+- Allow gluster to get attrs on all fs
+- New access required for virt-sandbox
+- Allow dnsmasq to execute bin_t
+- Allow dnsmasq to create content in /var/run/NetworkManager
+- Fix openshift_initrc_signal() interface
+- Dontaudit openshift domains doing getattr on other domains
+- Allow consolehelper domain to communicate with session bus
+- Mock should not be transitioning to any other domains,  we should keep mock_t as mock_t
+- Update virt_qemu_ga_t policy
+- Allow authconfig running from realmd to restart oddjob service
+- Add systemd support for oddjob
+- Add initial policy for realmd_consolehelper_t which if for authconfig executed by realmd
+- Add labeling for gnashpluginrc
+- Allow chrome_nacl to execute /dev/zero
+- Allow condor domains to read /proc
+- mozilla_plugin_t will getattr on /core if firefox crashes
+- Allow condor domains to read /etc/passwd
+- Allow dnsmasq to execute shell scripts, openstack requires this access
+- Fix glusterd labeling
+- Allow virtd_t to interact with the socket type
+- Allow nmbd_t to override dac if you turned on sharing all files
+- Allow tuned to created kobject_uevent socket
+- Allow guest user to run fusermount
+- Allow openshift to read /proc and locale
+- Allow realmd to dbus chat with rpm
+- Add new interface for virt
+- Remove depracated interfaces
+- Allow systemd_domains read access on etc, etc_runtime and usr files, also allow them to connect stream to syslog socket
+- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
+- Remove some more unconfined_t process transitions, that I don't believe are necessary
+- Stop transitioning uncofnined_t to checkpc
+- dmraid creates /var/lock/dmraid
+- Allow systemd_localed to creatre unix_dgram_sockets
+- Allow systemd_localed to write kernel messages.
+- Also cleanup systemd definition a little.
+- Fix userdom_restricted_xwindows_user_template() interface
+- Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t
+- User accounts need to dbus chat with accountsd daemon
+- Gnome requires all users to be able to read /proc/1/
+
 * Thu Feb 14 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-13
 - virsh now does a setexeccon call
 - Additional rules required by openshift domains

