[selinux-policy/f18] - Allow logrotate to read /sys - Allow mandb to setattr on man dirs - label /usr/bin/yum-builddep as

Miroslav Grepl mgrepl at fedoraproject.org
Fri Mar 1 06:08:20 UTC 2013


commit bf030ee36f01b769e074ea17e1630ca2fec7af12
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Mar 1 07:07:00 2013 +0100

    - Allow logrotate to read /sys
    - Allow mandb to setattr on man dirs
    - label /usr/bin/yum-builddep as rpm_exec_t
    - Remove init_daemon_run_dir from CUPS policy
    - Backport cups+hplip merge from rawhide
    - Allow munin CGI script to search munin logs
    - Allow quantum to connect to amqp port
    - Allow jabberd to connect to jabber_interserver_port_t
    - Fix authconfig.py labeling
    - Fix fcoemon policy
    - Allow kdumpgui to manage bootloader_config
    - Allow httpd_collectd_script to read /etc/passwd
    - Allow milter domains to read /dev/random
    - Allow nmbd_t to create samba_var_t directories
    - Allow logrotate to getattr on all file systems
    - fcoemon also wants the net_raw cap. We have net_admin cap.
    - Allow gpg-agent to access fips_enabled file
    - Allow collectd to read utmp
    - Backport munin policy from rawhide
    - Allow kadmind to read /etc/passwd
    - Dontaudit append .xsession-errors file on ecryptfs for policykit-auth
    - Allow chrome_nacl to execute /dev/zero
    - Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t
    - Add fs_dontaudit_append_fusefs_files() interface
    - Allow systemd domains to talk to kernel_t using unix_dgram_socket
    - Add miscfiles_setattr_man_pages()
    - Add manage interface to be used by kdumpgui
    - Localectl needs to be able to send dbus signals to users
    - Hostname needs to send syslog messages
    - Add stream support for mpd, accessible from users

 policy-f18-base.patch    |  853 ++++++++++++++--------
 policy-f18-contrib.patch | 1781 ++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec      |   34 +-
 3 files changed, 1888 insertions(+), 780 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 389d7e7..7c2db27 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -110513,7 +110513,7 @@ index 7a6f06f..bf04b0a 100644
 -/usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/var/lib/os-prober(/.*)?	gen_context(system_u:object_r:bootloader_var_lib_t,s0)
 diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
-index a778bb1..5e914db 100644
+index a778bb1..18e2246 100644
 --- a/policy/modules/admin/bootloader.if
 +++ b/policy/modules/admin/bootloader.if
 @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
@@ -110565,7 +110565,34 @@ index a778bb1..5e914db 100644
  ')
  
  ########################################
-@@ -100,7 +128,7 @@ interface(`bootloader_rw_tmp_files',`
+@@ -85,6 +113,26 @@ interface(`bootloader_rw_config',`
+ 
+ ########################################
+ ## <summary>
++##	Manage the bootloader
++##	configuration file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`bootloader_manage_config',`
++	gen_require(`
++		type bootloader_etc_t;
++	')
++
++	manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write the bootloader
+ ##	temporary data in /tmp.
+ ## </summary>
+@@ -100,7 +148,7 @@ interface(`bootloader_rw_tmp_files',`
  	')
  
  	files_search_tmp($1)
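Review bot: The new `bootloader_manage_config` interface (the `++interface(` block in this hunk) grants `manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)` but gives the caller no search permission on the enclosing directory, whereas the sibling `bootloader_rw_tmp_files` at the end of this hunk does call `files_search_tmp($1)`; if `bootloader_rw_config` (whose body is outside the hunk) calls `files_search_etc($1)`, the manage variant should do the same before the pattern line. Since manage_files_pattern includes create, unlink and rename, the summary understates the grant; `##	Create, read, write, and delete the bootloader configuration file.` tells a caller such as the kdumpgui domain named in the commit description that this is wider than the rw interface.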
@@ -110574,7 +110601,7 @@ index a778bb1..5e914db 100644
  ')
  
  ########################################
-@@ -122,3 +150,22 @@ interface(`bootloader_create_runtime_file',`
+@@ -122,3 +170,22 @@ interface(`bootloader_create_runtime_file',`
  	allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
  	files_boot_filetrans($1, boot_runtime_t, file)
  ')
@@ -112431,7 +112458,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..c165d31 100644
+index db981df..8fe3bea 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -112482,11 +112509,12 @@ index db981df..c165d31 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -130,10 +138,11 @@ ifdef(`distro_debian',`
+@@ -130,10 +138,12 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
 -/lib/systemd/systemd.*		--	gen_context(system_u:object_r:bin_t,s0)
++/lib/security/pam_krb5/pam_krb5_cchelper	--	gen_context(system_u:object_r:bin_t,s0)
  /lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
 +/lib/udev/devices/MAKEDEV	-l	gen_context(system_u:object_r:bin_t,s0)
  /lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
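Review bot: The added entry `++/lib/security/pam_krb5/pam_krb5_cchelper	--	gen_context(system_u:object_r:bin_t,s0)` labels the /lib path, while the commit description names `/usr/lib64/security/pam_krb5/pam_krb5_cchelper`; whether the lib64 path is matched depends on the file_contexts substitution table, which this hunk does not show. The line mirrors the existing `pam_krb5_storetmp` entry directly above it, so it is presumably handled the same way, but it is worth confirming after the build that `matchpathcon` resolves the lib64 path to bin_t. If the substitution does not cover it, either a second entry or a regex admitting both lib and lib64 is needed.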
@@ -112495,7 +112523,7 @@ index db981df..c165d31 100644
  
  ifdef(`distro_gentoo',`
  /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -147,7 +156,7 @@ ifdef(`distro_gentoo',`
+@@ -147,7 +157,7 @@ ifdef(`distro_gentoo',`
  #
  # /sbin
  #
@@ -112504,7 +112532,7 @@ index db981df..c165d31 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -163,6 +172,7 @@ ifdef(`distro_gentoo',`
+@@ -163,6 +173,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -112512,7 +112540,7 @@ index db981df..c165d31 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -174,53 +184,80 @@ ifdef(`distro_gentoo',`
+@@ -174,53 +185,80 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -112613,7 +112641,7 @@ index db981df..c165d31 100644
  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -235,10 +272,15 @@ ifdef(`distro_gentoo',`
+@@ -235,10 +273,15 @@ ifdef(`distro_gentoo',`
  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -112629,7 +112657,7 @@ index db981df..c165d31 100644
  /usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +293,17 @@ ifdef(`distro_gentoo',`
+@@ -251,11 +294,17 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -112651,7 +112679,7 @@ index db981df..c165d31 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,10 +319,15 @@ ifdef(`distro_gentoo',`
+@@ -271,10 +320,15 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -112667,7 +112695,7 @@ index db981df..c165d31 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -289,16 +342,22 @@ ifdef(`distro_gentoo',`
+@@ -289,16 +343,22 @@ ifdef(`distro_gentoo',`
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@@ -112692,7 +112720,7 @@ index db981df..c165d31 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +373,12 @@ ifdef(`distro_redhat', `
+@@ -314,20 +374,27 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -112705,7 +112733,10 @@ index db981df..c165d31 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +388,12 @@ ifdef(`distro_redhat', `
+ /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
++#/usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
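Review bot: The `authconfig\.py` entry is commented out (`++#/usr/share/authconfig/authconfig\.py --	gen_context(...)`) rather than deleted, so the file keeps a dead line while `authconfig-tui\.py` and `authconfig-gtk\.py` on the neighbouring lines stay labelled bin_t; if dropping the bin_t label is the intended fix, deleting the line, or leaving a one-line comment stating why this script must not be bin_t, keeps the .fc readable and the intent recoverable. The same commented-out pattern is already present as `#/var/run/postmaster.*` in the postgresql.fc context later in this commit, so it is accumulating. With the entry gone the script presumably takes the default label for /usr/share, so any domain that relied on executing it as bin_t should be checked; that cannot be confirmed from the hunk.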
@@ -112718,7 +112749,7 @@ index db981df..c165d31 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +442,15 @@ ifdef(`distro_suse', `
+@@ -376,11 +443,15 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -112735,7 +112766,7 @@ index db981df..c165d31 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +460,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +461,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -120382,7 +120413,7 @@ index cda5588..91d1e25 100644
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..c6ddff0 100644
+index 7c6b791..6ceb348 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -120896,7 +120927,33 @@ index 7c6b791..c6ddff0 100644
  ########################################
  ## <summary>
  ##	Mount a FUSE filesystem.
-@@ -2025,6 +2404,87 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1984,6 +2363,25 @@ interface(`fs_manage_fusefs_files',`
+ 	manage_files_pattern($1, fusefs_t, fusefs_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Do not audit attempts to append files
++##  on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`fs_dontaudit_append_fusefs_files',`
++    gen_require(`
++        type fusefs_t;
++    ')
++
++    dontaudit $1 fusefs_t:file append;
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to create,
+@@ -2025,6 +2423,87 @@ interface(`fs_read_fusefs_symlinks',`
  
  ########################################
  ## <summary>
@@ -120984,7 +121041,7 @@ index 7c6b791..c6ddff0 100644
  ##	Get the attributes of an hugetlbfs
  ##	filesystem.
  ## </summary>
-@@ -2080,6 +2540,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2080,6 +2559,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
@@ -121009,7 +121066,7 @@ index 7c6b791..c6ddff0 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2148,11 +2626,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2645,12 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -121023,7 +121080,7 @@ index 7c6b791..c6ddff0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2485,6 +2964,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +2983,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -121031,7 +121088,7 @@ index 7c6b791..c6ddff0 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2523,6 +3003,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +3022,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -121039,7 +121096,7 @@ index 7c6b791..c6ddff0 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2549,42 +3030,97 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,42 +3049,97 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -121148,7 +121205,7 @@ index 7c6b791..c6ddff0 100644
  ')
  
  ########################################
-@@ -2603,7 +3139,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3158,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -121157,7 +121214,7 @@ index 7c6b791..c6ddff0 100644
  ')
  
  ########################################
-@@ -2627,7 +3163,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3182,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -121166,7 +121223,7 @@ index 7c6b791..c6ddff0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2741,7 +3277,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3296,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -121175,7 +121232,7 @@ index 7c6b791..c6ddff0 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +3313,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3332,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -121184,7 +121241,7 @@ index 7c6b791..c6ddff0 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +3506,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3525,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -121192,7 +121249,7 @@ index 7c6b791..c6ddff0 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,6 +3547,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3566,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -121200,7 +121257,7 @@ index 7c6b791..c6ddff0 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3050,6 +3588,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3607,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -121208,7 +121265,7 @@ index 7c6b791..c6ddff0 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3263,6 +3802,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3821,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -121233,7 +121290,7 @@ index 7c6b791..c6ddff0 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3283,6 +3840,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3859,24 @@ interface(`fs_rw_nfsd_fs',`
  
  ########################################
  ## <summary>
@@ -121258,7 +121315,7 @@ index 7c6b791..c6ddff0 100644
  ##	Allow the type to associate to ramfs filesystems.
  ## </summary>
  ## <param name="type">
-@@ -3392,7 +3967,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +3986,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -121267,7 +121324,7 @@ index 7c6b791..c6ddff0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4004,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4023,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -121276,7 +121333,7 @@ index 7c6b791..c6ddff0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4022,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4041,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -121285,7 +121342,7 @@ index 7c6b791..c6ddff0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3815,6 +4390,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4409,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -121310,7 +121367,7 @@ index 7c6b791..c6ddff0 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3963,6 +4556,60 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3963,6 +4575,60 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -121371,7 +121428,7 @@ index 7c6b791..c6ddff0 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4069,7 +4716,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4069,7 +4735,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -121380,7 +121437,7 @@ index 7c6b791..c6ddff0 100644
  ')
  
  ########################################
-@@ -4129,6 +4776,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4129,6 +4795,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -121405,7 +121462,7 @@ index 7c6b791..c6ddff0 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4166,7 +4831,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4166,7 +4850,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
@@ -121414,7 +121471,7 @@ index 7c6b791..c6ddff0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4185,6 +4850,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4185,6 +4869,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -121475,7 +121532,7 @@ index 7c6b791..c6ddff0 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4242,6 +4961,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4242,6 +4980,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
  
  ########################################
  ## <summary>
@@ -121520,7 +121577,7 @@ index 7c6b791..c6ddff0 100644
  ##	Read and write, create and delete generic
  ##	files on tmpfs filesystems.
  ## </summary>
-@@ -4261,6 +5018,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4261,6 +5037,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -121546,7 +121603,7 @@ index 7c6b791..c6ddff0 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4467,6 +5243,8 @@ interface(`fs_mount_all_fs',`
+@@ -4467,6 +5262,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -121555,7 +121612,7 @@ index 7c6b791..c6ddff0 100644
  ')
  
  ########################################
-@@ -4513,7 +5291,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4513,7 +5310,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -121564,7 +121621,7 @@ index 7c6b791..c6ddff0 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4560,6 +5338,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4560,6 +5357,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -121591,7 +121648,7 @@ index 7c6b791..c6ddff0 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4876,3 +5674,43 @@ interface(`fs_unconfined',`
+@@ -4876,3 +5693,43 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -126692,10 +126749,10 @@ index a26f84f..947af6c 100644
 -/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
 +#/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
 diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index ecef19f..149e648 100644
+index ecef19f..5213ad7 100644
 --- a/policy/modules/services/postgresql.if
 +++ b/policy/modules/services/postgresql.if
-@@ -10,7 +10,7 @@
+@@ -10,90 +10,21 @@
  ##	</summary>
  ## </param>
  ## <param name="user_domain">
@@ -126704,10 +126761,49 @@ index ecef19f..149e648 100644
  ##	The type of the user domain.
  ##	</summary>
  ## </param>
-@@ -54,15 +54,6 @@ interface(`postgresql_role',`
- 	# Client local policy
- 	#
+ #
+ interface(`postgresql_role',`
+ 	gen_require(`
+-		class db_database all_db_database_perms;
+-		class db_schema all_db_schema_perms;
+-		class db_table all_db_table_perms;
+-		class db_sequence all_db_sequence_perms;
+-		class db_view all_db_view_perms;
+-		class db_procedure all_db_procedure_perms;
+-		class db_language all_db_language_perms;
+-		class db_column all_db_column_perms;
+-		class db_tuple all_db_tuple_perms;
+-		class db_blob all_db_blob_perms;
+-
+-		attribute sepgsql_client_type, sepgsql_database_type;
+-		attribute sepgsql_schema_type, sepgsql_sysobj_table_type;
+-
+-		type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
+-		type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t;
+-		type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
+-		type user_sepgsql_schema_t, user_sepgsql_seq_t;
+-		type user_sepgsql_sysobj_t, user_sepgsql_table_t;
+-		type user_sepgsql_view_t;
+-		type sepgsql_temp_object_t;
++		attribute sepgsql_client_type;
++		type sepgsql_trusted_proc_t;
++		type sepgsql_ranged_proc_t;
+ 	')
  
+-	########################################
+-	#
+-	# Declarations
+-	#
+-
+ 	typeattribute $2 sepgsql_client_type;
+ 	role $1 types sepgsql_trusted_proc_t;
+ 	role $1 types sepgsql_ranged_proc_t;
+-
+-	##############################
+-	#
+-	# Client local policy
+-	#
+-
 -	tunable_policy(`sepgsql_enable_users_ddl',`
 -		allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
 -		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
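Review bot: `postgresql_role` now only adds `$2` to sepgsql_client_type and assigns the two role types; every object rule that was keyed on the user domain, here and in the following hunk, is removed and, judging by the postgresql.te hunk at the end of this commit, re-expressed against the attribute. One of the removed rules has `$2` as the object rather than the subject, `allow sepgsql_ranged_proc_t $2:process dyntransition` in the next hunk, and it needs an attribute-side counterpart too; the .te hunk is cut off on this page, so that cannot be verified here. Because the trimmed `gen_require` no longer lists any db_* class, the interface will fail to expand if a db rule is ever re-added without restoring those lines, which a short comment in the body would guard against, e.g. `# object rules for database clients are attached to sepgsql_client_type in postgresql.te`.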
@@ -126717,27 +126813,41 @@ index ecef19f..149e648 100644
 -		allow $2 user_sepgsql_view_t:db_view { create drop setattr };
 -		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
 -	')
- 
- 	allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
- 	type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
-@@ -94,6 +85,16 @@ interface(`postgresql_role',`
- 
- 	allow $2 sepgsql_trusted_proc_t:process transition;
- 	type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
-+
-+	tunable_policy(`sepgsql_enable_users_ddl',`
-+		allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
-+		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
-+		allow $2 user_sepgsql_table_t:db_column { create drop setattr };
-+		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
-+		allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
-+		allow $2 user_sepgsql_view_t:db_view { create drop setattr };
-+		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-+	')
+-
+-	allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
+-	type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
+-	type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
+-
+-	allow $2 user_sepgsql_table_t:db_table	{ getattr select update insert delete lock };
+-	allow $2 user_sepgsql_table_t:db_column { getattr select update insert };
+-	allow $2 user_sepgsql_table_t:db_tuple	{ select update insert delete };
+-	type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t;
+-
+-	allow $2 user_sepgsql_sysobj_t:db_tuple	{ use select };
+-	type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
+-
+-	allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
+-	type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
+-
+-	allow $2 user_sepgsql_view_t:db_view { getattr expand };
+-	type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t;
+-
+-	allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
+-	type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
+-
+-	allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+-	type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
+-
+-	allow $2 sepgsql_ranged_proc_t:process transition;
+-	type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
+-	allow sepgsql_ranged_proc_t $2:process dyntransition;
+-
+-	allow $2 sepgsql_trusted_proc_t:process transition;
+-	type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
  ')
  
  ########################################
-@@ -312,7 +313,7 @@ interface(`postgresql_search_db',`
+@@ -312,7 +243,7 @@ interface(`postgresql_search_db',`
  		type postgresql_db_t;
  	')
  
@@ -126746,7 +126856,7 @@ index ecef19f..149e648 100644
  ')
  
  ########################################
-@@ -324,14 +325,16 @@ interface(`postgresql_search_db',`
+@@ -324,14 +255,16 @@ interface(`postgresql_search_db',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -126766,7 +126876,7 @@ index ecef19f..149e648 100644
  ')
  
  ########################################
-@@ -354,6 +357,24 @@ interface(`postgresql_domtrans',`
+@@ -354,6 +287,24 @@ interface(`postgresql_domtrans',`
  
  ######################################
  ## <summary>
@@ -126791,7 +126901,7 @@ index ecef19f..149e648 100644
  ##	Allow domain to signal postgresql
  ## </summary>
  ## <param name="domain">
-@@ -421,7 +442,6 @@ interface(`postgresql_tcp_connect',`
+@@ -421,7 +372,6 @@ interface(`postgresql_tcp_connect',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -126799,7 +126909,7 @@ index ecef19f..149e648 100644
  #
  interface(`postgresql_stream_connect',`
  	gen_require(`
-@@ -429,10 +449,8 @@ interface(`postgresql_stream_connect',`
+@@ -429,10 +379,8 @@ interface(`postgresql_stream_connect',`
  	')
  
  	files_search_pids($1)
@@ -126812,15 +126922,91 @@ index ecef19f..149e648 100644
  ')
  
  ########################################
-@@ -515,7 +533,6 @@ interface(`postgresql_unpriv_client',`
- 	allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
- 	type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
+@@ -448,83 +396,10 @@ interface(`postgresql_stream_connect',`
+ #
+ interface(`postgresql_unpriv_client',`
+ 	gen_require(`
+-		class db_database all_db_database_perms;
+-		class db_schema all_db_schema_perms;
+-		class db_table all_db_table_perms;
+-		class db_sequence all_db_sequence_perms;
+-		class db_view all_db_view_perms;
+-		class db_procedure all_db_procedure_perms;
+-		class db_language all_db_language_perms;
+-		class db_column all_db_column_perms;
+-		class db_tuple all_db_tuple_perms;
+-		class db_blob all_db_blob_perms;
+-
+ 		attribute sepgsql_client_type;
+-		attribute sepgsql_database_type, sepgsql_schema_type;
+-		attribute sepgsql_sysobj_table_type;
+-
+-		type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t;
+-		type sepgsql_temp_object_t;
+-		type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
+-		type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
+-		type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;
+-		type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
+-		type unpriv_sepgsql_view_t;
+ 	')
  
+-	########################################
+-	#
+-	# Declarations
+-	#
+-
+ 	typeattribute $1 sepgsql_client_type;
+-
+-	########################################
+-	#
+-	# Client local policy
+-	#
+-
+-	type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
+-	allow $1 sepgsql_ranged_proc_t:process transition;
+-	allow sepgsql_ranged_proc_t $1:process dyntransition;
+-
+-	type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+-	allow $1 sepgsql_trusted_proc_t:process transition;
+-
+-	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+-	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
 -
- 	tunable_policy(`sepgsql_enable_users_ddl',`
- 		allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
- 		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
-@@ -548,6 +565,29 @@ interface(`postgresql_unconfined',`
+-	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
+-	type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;
+-
+-	allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
+-	type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
+-	type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
+-
+-	allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock };
+-	allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert };
+-	allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete };
+-	type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t;
+-
+-	allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };
+-	type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t;
+-
+-	allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
+-	type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
+-
+-	allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
+-	type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
+-
+-
+-	tunable_policy(`sepgsql_enable_users_ddl',`
+-		allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
+-		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+-		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+-		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+-		allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr };
+-		allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
+-		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+-	')
+ ')
+ 
+ ########################################
+@@ -548,6 +423,29 @@ interface(`postgresql_unconfined',`
  
  ########################################
  ## <summary>
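Review bot: `postgresql_unpriv_client` is reduced to `typeattribute $1 sepgsql_client_type;`, which drops every rule that referenced the unpriv_sepgsql_* types (blob, proc_exec, schema, seq, sysobj, table, view) and the `pg_temp` type_transition, with no replacement visible in this commit. If those types remain declared in postgresql.te, objects already labelled with them become unreachable and the types are dead; if they are being removed, this interface and `postgresql_role` now grant identical access and the "unprivileged" distinction in the interface summary (outside this hunk) no longer exists, so the summary should state that it is equivalent to the ordinary client grant. The commit description mentions neither outcome; a one-line comment in the body, `# all client object rules live on sepgsql_client_type in postgresql.te`, would make the intent explicit.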
@@ -126850,7 +127036,7 @@ index ecef19f..149e648 100644
  ##	All of the rules required to administrate an postgresql environment
  ## </summary>
  ## <param name="domain">
-@@ -564,35 +604,41 @@ interface(`postgresql_unconfined',`
+@@ -564,35 +462,41 @@ interface(`postgresql_unconfined',`
  #
  interface(`postgresql_admin',`
  	gen_require(`
@@ -126901,7 +127087,7 @@ index ecef19f..149e648 100644
 +	postgresql_filetrans_named_content($1)
  ')
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4318f73..a626a63 100644
+index 4318f73..612e37c 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
 @@ -19,25 +19,32 @@ gen_require(`
@@ -126914,15 +127100,15 @@ index 4318f73..a626a63 100644
 +##	<p>
 +##	Allow postgresql to use ssh and rsync for point-in-time recovery
 +##	</p>
-+## </desc>
+ ## </desc>
+-gen_tunable(sepgsql_enable_users_ddl, true)
 +gen_tunable(postgresql_can_rsync, false)
 +
 +## <desc>
 +##	<p>
 +##	Allow unprivileged users to execute DDL statement
 +##	</p>
- ## </desc>
--gen_tunable(sepgsql_enable_users_ddl, true)
++## </desc>
 +gen_tunable(postgresql_selinux_users_ddl, true)
  
  ## <desc>
@@ -127013,16 +127199,64 @@ index 4318f73..a626a63 100644
  	allow postgresql_t self:process execmem;
  ')
  
-@@ -487,7 +493,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db
- # Note that permission of creation/deletion are eventually controlled by
- # create or drop permission of individual objects within shared schemas.
- # So, it just allows to create/drop user specific types.
+@@ -484,10 +490,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
+ # It is always allowed to operate temporary objects for any database client.
+ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
+ 
+-# Note that permission of creation/deletion are eventually controlled by
+-# create or drop permission of individual objects within shared schemas.
+-# So, it just allows to create/drop user specific types.
 -tunable_policy(`sepgsql_enable_users_ddl',`
++##############################
++#
++# Client local policy
++#
++allow sepgsql_client_type user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
++type_transition sepgsql_client_type sepgsql_database_type:db_schema user_sepgsql_schema_t;
++type_transition sepgsql_client_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
++
++allow sepgsql_client_type user_sepgsql_table_t:db_table	{ getattr select update insert delete lock };
++allow sepgsql_client_type user_sepgsql_table_t:db_column { getattr select update insert };
++allow sepgsql_client_type user_sepgsql_table_t:db_tuple	{ select update insert delete };
++type_transition sepgsql_client_type sepgsql_schema_type:db_table user_sepgsql_table_t;
++
++allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple	{ use select };
++type_transition sepgsql_client_type sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
++
++allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
++type_transition sepgsql_client_type sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
++
++allow sepgsql_client_type user_sepgsql_view_t:db_view { getattr expand };
++type_transition sepgsql_client_type sepgsql_schema_type:db_view user_sepgsql_view_t;
++
++allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { getattr execute };
++type_transition sepgsql_client_type sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
++
++allow sepgsql_client_type user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
++type_transition sepgsql_client_type sepgsql_database_type:db_blob user_sepgsql_blob_t;
++
++allow sepgsql_client_type sepgsql_ranged_proc_t:process transition;
++type_transition sepgsql_client_type sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
++allow sepgsql_ranged_proc_t sepgsql_client_type:process dyntransition;
++
++allow sepgsql_client_type sepgsql_trusted_proc_t:process transition;
++type_transition sepgsql_client_type sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
++
 +tunable_policy(`postgresql_selinux_users_ddl',`
++	allow sepgsql_client_type user_sepgsql_schema_t:db_schema { create drop setattr };
++	allow sepgsql_client_type user_sepgsql_table_t:db_table { create drop setattr };
++	allow sepgsql_client_type user_sepgsql_table_t:db_column { create drop setattr };
++	allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { update insert delete };
++	allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
++	allow sepgsql_client_type user_sepgsql_view_t:db_view { create drop setattr };
++	allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
++	# Note that permission of creation/deletion are eventually controlled by
++	# create or drop permission of individual objects within shared schemas.
++	# So, it just allows to create/drop user specific types.
  	allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
  ')
  
-@@ -535,7 +541,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -535,7 +583,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
  
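Review bot: `set_value` on user_sepgsql_seq_t is granted only inside the `postgresql_selinux_users_ddl` block (L889), while the unconditional sequence rule at L865 gives `{ getattr get_value next_value }`; the interface this revision of the patch drops (L770) granted set_value unconditionally on the unprivileged sequence type, and setval() is a data operation rather than DDL, so clients calling it lose access once the tunable is switched off. If the narrowing is intended, the tunable's description ("Allow unprivileged users to execute DDL statement") should say so; otherwise move it to the base rule, `allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };`. The db_blob rule at L874 is the one object class whose `create drop` (plus `import export`) is granted outside the tunable while every other class keeps create/drop behind it; a one-line comment stating that this asymmetry is deliberate would help later audits.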
@@ -127031,7 +127265,7 @@ index 4318f73..a626a63 100644
  	allow sepgsql_admin_type sepgsql_database_type:db_database *;
  
  	allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -588,3 +594,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -588,3 +636,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
  allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@@ -138194,7 +138428,7 @@ index fe3427d..2410a4e 100644
  
  /var/spool/abrt-upload(/.*)?	gen_context(system_u:object_r:public_content_rw_t,s0)
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..9cac7b3 100644
+index 926ba65..e968a36 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
 @@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -138246,7 +138480,7 @@ index 926ba65..9cac7b3 100644
  	allow $1 locale_t:file execute;
  ')
  
-@@ -531,6 +550,10 @@ interface(`miscfiles_read_man_pages',`
+@@ -531,6 +550,31 @@ interface(`miscfiles_read_man_pages',`
  	allow $1 man_t:dir list_dir_perms;
  	read_files_pattern($1, man_t, man_t)
  	read_lnk_files_pattern($1, man_t, man_t)
@@ -138254,10 +138488,31 @@ index 926ba65..9cac7b3 100644
 +	optional_policy(`
 +		mandb_read_cache_files($1)
 +	')
++')
++
++########################################
++## <summary>
++##	Setattr man pages
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++# cjp: added for tmpreaper
++#
++interface(`miscfiles_setattr_man_pages',`
++    gen_require(`
++        type man_t;
++    ')
++
++    files_search_usr($1)
++
++    allow $1 man_t:dir setattr;
  ')
  
  ########################################
-@@ -557,6 +580,11 @@ interface(`miscfiles_delete_man_pages',`
+@@ -557,6 +601,11 @@ interface(`miscfiles_delete_man_pages',`
  	delete_dirs_pattern($1, man_t, man_t)
  	delete_files_pattern($1, man_t, man_t)
  	delete_lnk_files_pattern($1, man_t, man_t)
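Review bot: The new `miscfiles_setattr_man_pages` interface (L947) documents itself as "Setattr man pages" but its only rule is `allow $1 man_t:dir setattr;`, so the summary should read `##	Set the attributes of man page directories.` to avoid a caller assuming file setattr is covered. The `# cjp: added for tmpreaper` line at L945 looks carried over from a neighbouring interface, since the commit message introduces this interface for mandb ("Allow mandb to setattr on man dirs"); drop it or name the real caller. The body at L948–L954 is indented with spaces while the rest of miscfiles.if uses tabs.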
@@ -138269,7 +138524,7 @@ index 926ba65..9cac7b3 100644
  ')
  
  ########################################
-@@ -582,6 +610,30 @@ interface(`miscfiles_manage_man_pages',`
+@@ -582,6 +631,30 @@ interface(`miscfiles_manage_man_pages',`
  
  ########################################
  ## <summary>
@@ -138300,7 +138555,7 @@ index 926ba65..9cac7b3 100644
  ##	Read public files used for file
  ##	transfer services.
  ## </summary>
-@@ -744,8 +796,10 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -744,8 +817,10 @@ interface(`miscfiles_etc_filetrans_localization',`
  		type locale_t;
  	')
  
@@ -138313,7 +138568,7 @@ index 926ba65..9cac7b3 100644
  ')
  
  ########################################
-@@ -769,3 +823,43 @@ interface(`miscfiles_manage_localization',`
+@@ -769,3 +844,43 @@ interface(`miscfiles_manage_localization',`
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
  
@@ -141719,10 +141974,10 @@ index 0000000..7917796
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..8fbbd45
+index 0000000..a32bdce
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1007 @@
+@@ -0,0 +1,1006 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -142729,13 +142984,12 @@ index 0000000..8fbbd45
 +	allow systemd_hostnamed_t $1:dbus send_msg;
 +	ps_process_pattern(systemd_hostnamed_t, $1)
 +')
-+
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..52f0a12
+index 0000000..4c332d5
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,612 @@
+@@ -0,0 +1,616 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -143228,10 +143482,13 @@ index 0000000..52f0a12
 +seutil_read_file_contexts(systemd_localed_t)
 +
 +logging_stream_connect_syslog(systemd_localed_t)
++logging_send_syslog_msg(systemd_localed_t)
 +
 +miscfiles_manage_localization(systemd_localed_t)
 +miscfiles_etc_filetrans_localization(systemd_localed_t)
 +
++userdom_dbus_send_all_users(systemd_localed_t)
++
 +optional_policy(`
 +	dbus_connect_system_bus(systemd_localed_t)
 +	dbus_system_bus_client(systemd_localed_t)
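Review bot: `userdom_dbus_send_all_users(systemd_localed_t)` at L1028 lets localed send to every user domain, and nothing in the file records why; the commit message ("Localectl needs to be able to send dbus signals to users") is the only rationale. Add a comment above it, e.g. `# per commit: localectl in the user's domain must receive dbus signals from localed`, so a later least-privilege pass knows which client the rule serves and can narrow it if a more specific interface becomes available.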
@@ -143258,6 +143515,7 @@ index 0000000..52f0a12
 +init_stream_connect(systemd_hostnamed_t)
 +
 +logging_stream_connect_syslog(systemd_hostnamed_t)
++logging_send_syslog_msg(systemd_hostnamed_t)
 +
 +optional_policy(`
 +        dbus_system_bus_client(systemd_hostnamed_t)
@@ -144703,7 +144961,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..2a4e6ef 100644
+index e720dcd..ef5c047 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -145341,7 +145599,7 @@ index e720dcd..2a4e6ef 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,100 +689,140 @@ template(`userdom_common_user_template',`
+@@ -546,100 +689,146 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -145490,17 +145748,22 @@ index e720dcd..2a4e6ef 100644
 +		inn_read_config($1_usertype)
 +		inn_read_news_lib($1_usertype)
 +		inn_read_news_spool($1_usertype)
- 	')
- 
- 	optional_policy(`
--		locate_read_lib_files($1_t)
-+		lircd_stream_connect($1_usertype)
 +	')
 +
 +	optional_policy(`
-+		locate_read_lib_files($1_usertype)
++		lircd_stream_connect($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+ 		locate_read_lib_files($1_t)
  	')
  
++	optional_policy(`
++		mpd_manage_user_data_content($1_t)
++		mpd_relabel_user_data_content($1_t)
++		mpd_stream_connect($1_t)
++	')
++
  	# for running depmod as part of the kernel packaging process
  	optional_policy(`
 -		modutils_read_module_config($1_t)
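Review bot: The mpd block added at L1079–L1083 uses `$1_t` while the neighbouring rules converted in this same template use `$1_usertype` (L1060–L1072), so the mpd access presumably will not reach the other domains carrying the usertype attribute. If that is not intentional, use `mpd_manage_user_data_content($1_usertype)`, `mpd_relabel_user_data_content($1_usertype)` and `mpd_stream_connect($1_usertype)`; if it is intentional (as the retained `locate_read_lib_files($1_t)` at L1076 suggests it might be), a short comment saying why mpd is limited to the primary domain would help. The enclosing `userdom_common_user_template` starts and ends outside this hunk.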
@@ -145520,7 +145783,7 @@ index e720dcd..2a4e6ef 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -651,40 +834,52 @@ template(`userdom_common_user_template',`
+@@ -651,40 +840,52 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -145557,35 +145820,35 @@ index e720dcd..2a4e6ef 100644
 +
 +	optional_policy(`
 +		rpcbind_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		seunshare_role_template($1, $1_r, $1_t)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		slrnpull_search_spool($1_usertype)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t, $1_r)
++		slrnpull_search_spool($1_usertype)
++	')
++
++	optional_policy(`
 +		thumb_role($1_r, $1_usertype)
  	')
  ')
  
-@@ -709,17 +904,33 @@ template(`userdom_common_user_template',`
+@@ -709,17 +910,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -145596,14 +145859,16 @@ index e720dcd..2a4e6ef 100644
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	typeattribute $1_t login_userdomain;
++
++	userdom_manage_home_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
-+	userdom_manage_home_role($1_r, $1_usertype)
-+
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
+ 
+-	userdom_exec_user_tmp_files($1_t)
+-	userdom_exec_user_home_content_files($1_t)
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable($1_exec_content, true)
 +
@@ -145614,9 +145879,7 @@ index e720dcd..2a4e6ef 100644
 +		tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
 +                        fs_exec_nfs_files($1_usertype)
 +		')
- 
--	userdom_exec_user_tmp_files($1_t)
--	userdom_exec_user_home_content_files($1_t)
++
 +		tunable_policy(`$1_exec_content && use_samba_home_dirs',`
 +			fs_exec_cifs_files($1_usertype)
 +		')
@@ -145624,7 +145887,7 @@ index e720dcd..2a4e6ef 100644
  
  	userdom_change_password_template($1)
  
-@@ -727,82 +938,100 @@ template(`userdom_login_user_template', `
+@@ -727,82 +944,100 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -145717,14 +145980,14 @@ index e720dcd..2a4e6ef 100644
 +	seutil_read_file_contexts($1_usertype)
 +	seutil_read_default_contexts($1_usertype)
 +	seutil_exec_setfiles($1_usertype)
-+
+ 
+-	seutil_read_config($1_t)
 +	optional_policy(`
 +		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
 +		cups_stream_connect_ptal($1_usertype)
 +	')
- 
--	seutil_read_config($1_t)
++
 +	optional_policy(`
 +		kerberos_use($1_usertype)
 +		kerberos_filetrans_home_content($1_usertype)
@@ -145761,7 +146024,7 @@ index e720dcd..2a4e6ef 100644
  	')
  ')
  
-@@ -834,6 +1063,12 @@ template(`userdom_restricted_user_template',`
+@@ -834,6 +1069,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -145774,7 +146037,7 @@ index e720dcd..2a4e6ef 100644
  	##############################
  	#
  	# Local policy
-@@ -874,46 +1109,128 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,46 +1115,128 @@ template(`userdom_restricted_xwindows_user_template',`
  	# Local policy
  	#
  
@@ -145861,23 +146124,23 @@ index e720dcd..2a4e6ef 100644
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
 +		')
-+
-+		optional_policy(`
+ 
+ 		optional_policy(`
+-			consolekit_dbus_chat($1_t)
 +			cups_dbus_chat($1_usertype)
 +			cups_dbus_chat_config($1_usertype)
-+		')
+ 		')
  
  		optional_policy(`
--			consolekit_dbus_chat($1_t)
+-			cups_dbus_chat($1_t)
 +			devicekit_dbus_chat($1_usertype)
 +			devicekit_dbus_chat_disk($1_usertype)
 +			devicekit_dbus_chat_power($1_usertype)
  		')
- 
- 		optional_policy(`
--			cups_dbus_chat($1_t)
++
++		optional_policy(`
 +			fprintd_dbus_chat($1_t)
- 		')
++		')
 +
 +		optional_policy(`
 +			realmd_dbus_chat($1_t)
@@ -145916,7 +146179,7 @@ index e720dcd..2a4e6ef 100644
  	')
  ')
  
-@@ -948,27 +1265,33 @@ template(`userdom_unpriv_user_template', `
+@@ -948,27 +1271,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -145954,7 +146217,7 @@ index e720dcd..2a4e6ef 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -979,47 +1302,82 @@ template(`userdom_unpriv_user_template', `
+@@ -979,44 +1308,79 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -146007,9 +146270,6 @@ index e720dcd..2a4e6ef 100644
 -##	This template creates a user domain, types, and
 -##	rules for the user's tty, pty, home directories,
 -##	tmp, and tmpfs files.
--##	</p>
--##	<p>
--##	The privileges given to administrative users are:
 +	optional_policy(`
 +		gpg_role($1_r, $1_usertype)
 +	')
@@ -146057,13 +146317,10 @@ index e720dcd..2a4e6ef 100644
 +##	This template creates a user domain, types, and
 +##	rules for the user's tty, pty, home directories,
 +##	tmp, and tmpfs files.
-+##	</p>
-+##	<p>
-+##	The privileges given to administrative users are:
- ##	<ul>
- ##		<li>Raw disk access</li>
- ##		<li>Set all sysctls</li>
-@@ -1040,7 +1398,7 @@ template(`userdom_unpriv_user_template', `
+ ##	</p>
+ ##	<p>
+ ##	The privileges given to administrative users are:
+@@ -1040,7 +1404,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -146072,7 +146329,7 @@ index e720dcd..2a4e6ef 100644
  	')
  
  	##############################
-@@ -1067,6 +1425,7 @@ template(`userdom_admin_user_template',`
+@@ -1067,6 +1431,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -146080,7 +146337,7 @@ index e720dcd..2a4e6ef 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1075,6 +1434,9 @@ template(`userdom_admin_user_template',`
+@@ -1075,6 +1440,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -146090,7 +146347,7 @@ index e720dcd..2a4e6ef 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1089,6 +1451,7 @@ template(`userdom_admin_user_template',`
+@@ -1089,6 +1457,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -146098,7 +146355,7 @@ index e720dcd..2a4e6ef 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,10 +1469,14 @@ template(`userdom_admin_user_template',`
+@@ -1106,10 +1475,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -146113,7 +146370,7 @@ index e720dcd..2a4e6ef 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1120,29 +1487,38 @@ template(`userdom_admin_user_template',`
+@@ -1120,29 +1493,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -146156,7 +146413,7 @@ index e720dcd..2a4e6ef 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1152,6 +1528,8 @@ template(`userdom_admin_user_template',`
+@@ -1152,6 +1534,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -146165,7 +146422,7 @@ index e720dcd..2a4e6ef 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1159,13 +1537,17 @@ template(`userdom_admin_user_template',`
+@@ -1159,13 +1543,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -146184,7 +146441,7 @@ index e720dcd..2a4e6ef 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1211,6 +1593,8 @@ template(`userdom_security_admin_template',`
+@@ -1211,6 +1599,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -146193,7 +146450,7 @@ index e720dcd..2a4e6ef 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1223,8 +1607,10 @@ template(`userdom_security_admin_template',`
+@@ -1223,8 +1613,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -146205,7 +146462,7 @@ index e720dcd..2a4e6ef 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1235,29 +1621,31 @@ template(`userdom_security_admin_template',`
+@@ -1235,29 +1627,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -146248,7 +146505,7 @@ index e720dcd..2a4e6ef 100644
  	')
  
  	optional_policy(`
-@@ -1317,12 +1705,15 @@ interface(`userdom_user_application_domain',`
+@@ -1317,12 +1711,15 @@ interface(`userdom_user_application_domain',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -146265,7 +146522,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -1363,6 +1754,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1363,6 +1760,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -146317,7 +146574,7 @@ index e720dcd..2a4e6ef 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1467,11 +1903,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1467,11 +1909,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -146349,7 +146606,7 @@ index e720dcd..2a4e6ef 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1513,6 +1969,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1513,6 +1975,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -146364,7 +146621,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -1528,9 +1992,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1528,9 +1998,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -146376,7 +146633,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -1587,6 +2053,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1587,6 +2059,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -146419,7 +146676,7 @@ index e720dcd..2a4e6ef 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1666,6 +2168,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1666,6 +2174,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -146428,7 +146685,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -1680,10 +2184,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1680,10 +2190,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -146443,7 +146700,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -1726,6 +2232,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1726,6 +2238,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -146487,7 +146744,7 @@ index e720dcd..2a4e6ef 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1745,6 +2288,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1745,6 +2294,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -146513,7 +146770,7 @@ index e720dcd..2a4e6ef 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1775,14 +2337,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1775,14 +2343,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -146551,7 +146808,7 @@ index e720dcd..2a4e6ef 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1793,11 +2377,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1793,11 +2383,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -146569,7 +146826,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -1856,25 +2443,25 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1856,25 +2449,25 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -146601,7 +146858,7 @@ index e720dcd..2a4e6ef 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1882,46 +2469,53 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+@@ -1882,104 +2475,169 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -146633,86 +146890,97 @@ index e720dcd..2a4e6ef 100644
 +interface(`userdom_delete_all_user_home_content_sock_files',`
  	gen_require(`
 -		type user_home_dir_t, user_home_t;
-+		attribute user_home_type;
- 	')
- 
+-	')
+-
 -	files_search_home($1)
 -	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+	allow $1 user_home_type:sock_file delete_file_perms;
-+')
- 
+-
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
-+########################################
-+## <summary>
-+##	Delete all files in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_delete_all_user_home_content',`
-+	gen_require(`
 +		attribute user_home_type;
  	')
  
 -	tunable_policy(`use_samba_home_dirs',`
 -		fs_exec_cifs_files($1)
 -	')
-+	allow $1 user_home_type:dir_file_class_set delete_file_perms;
++	allow $1 user_home_type:sock_file delete_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to execute user home files.
-+##	Do not audit attempts to write user home files.
++##	Delete all files in a user home subdirectory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1929,18 +2523,17 @@ interface(`userdom_exec_user_home_content_files',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_dontaudit_exec_user_home_content_files',`
-+interface(`userdom_dontaudit_relabel_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content',`
  	gen_require(`
- 		type user_home_t;
+-		type user_home_t;
++		attribute user_home_type;
  	')
  
 -	dontaudit $1 user_home_t:file exec_file_perms;
-+	dontaudit $1 user_home_t:file relabel_file_perms;
++	allow $1 user_home_type:dir_file_class_set delete_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete files
 -##	in a user home subdirectory.
-+##	Read user home subdirectory symbolic links.
++##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1948,20 +2541,79 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_manage_user_home_content_files',`
-+interface(`userdom_read_user_home_content_symlinks',`
++interface(`userdom_dontaudit_relabel_user_home_content_files',`
  	gen_require(`
- 		type user_home_dir_t, user_home_t;
+-		type user_home_dir_t, user_home_t;
++		type user_home_t;
  	')
  
 -	manage_files_pattern($1, user_home_t, user_home_t)
 -	allow $1 user_home_dir_t:dir search_dir_perms;
 -	files_search_home($1)
-+	allow $1 { user_home_dir_t user_home_t }:lnk_file  read_lnk_file_perms;
++	dontaudit $1 user_home_t:file relabel_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to create, read, write, and delete directories
 -##	in a user home subdirectory.
++##	Read user home subdirectory symbolic links.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_manage_user_home_content_dirs',`
++interface(`userdom_read_user_home_content_symlinks',`
+ 	gen_require(`
+ 		type user_home_dir_t, user_home_t;
+ 	')
+ 
+-	dontaudit $1 user_home_t:dir manage_dir_perms;
++	allow $1 { user_home_dir_t user_home_t }:lnk_file  read_lnk_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete symbolic links
 +##	Execute user home files.
 +## </summary>
 +## <param name="domain">
@@ -146776,10 +147044,28 @@ index e720dcd..2a4e6ef 100644
 +## <summary>
 +##	Do not audit attempts to create, read, write, and delete directories
 +##	in a user home subdirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_manage_user_home_content_dirs',`
++	gen_require(`
++		type user_home_dir_t, user_home_t;
++	')
++
++	dontaudit $1 user_home_t:dir manage_dir_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete symbolic links
+ ##	in a user home subdirectory.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -2018,6 +2670,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -2018,6 +2676,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
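Review bot: The re-added `userdom_dontaudit_manage_user_home_content_dirs` (L1649) requires `type user_home_dir_t, user_home_t;` at L1651 but its single rule at L1654 only references user_home_t; trim the require to `type user_home_t;`. The unused require was already present in the original text (L1625), and since this revision only relocates the interface (the inner diff removes it at L1622 and adds it here), this is the natural moment to fix it.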
@@ -146804,7 +147090,7 @@ index e720dcd..2a4e6ef 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2250,11 +2920,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2250,11 +2926,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -146819,7 +147105,7 @@ index e720dcd..2a4e6ef 100644
  	files_search_tmp($1)
  ')
  
-@@ -2274,7 +2944,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2274,7 +2950,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -146828,7 +147114,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -2521,6 +3191,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,6 +3197,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -146854,7 +147140,7 @@ index e720dcd..2a4e6ef 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2537,13 +3226,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2537,13 +3232,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -146870,7 +147156,7 @@ index e720dcd..2a4e6ef 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2564,7 +3254,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3260,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -146879,7 +147165,7 @@ index e720dcd..2a4e6ef 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2572,14 +3262,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,14 +3268,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -146914,7 +147200,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -2674,6 +3380,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2674,6 +3386,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -146939,7 +147225,7 @@ index e720dcd..2a4e6ef 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2692,22 +3416,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3422,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -146982,7 +147268,7 @@ index e720dcd..2a4e6ef 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2716,14 +3452,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3458,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -147020,7 +147306,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -2742,8 +3497,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3503,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -147050,7 +147336,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -2815,69 +3589,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3595,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -147151,7 +147437,7 @@ index e720dcd..2a4e6ef 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2885,12 +3658,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3664,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -147166,7 +147452,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -2954,7 +3727,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3733,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -147175,7 +147461,7 @@ index e720dcd..2a4e6ef 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2970,29 +3743,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,29 +3749,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -147209,7 +147495,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -3074,7 +3831,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3837,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -147218,7 +147504,7 @@ index e720dcd..2a4e6ef 100644
  ')
  
  ########################################
-@@ -3129,12 +3886,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,12 +3892,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -147234,7 +147520,7 @@ index e720dcd..2a4e6ef 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3142,36 +3900,37 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3142,21 +3906,77 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -147259,90 +147545,21 @@ index e720dcd..2a4e6ef 100644
  ##	<summary>
 -##	Domain allowed access.
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_read_all_users_state',`
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
- 	gen_require(`
--		attribute userdomain;
-+		type user_tmp_t;
- 	')
- 
--	read_files_pattern($1, userdomain, userdomain)
--	kernel_search_proc($1)
-+	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of all user domains.
-+##	Allow domain to read/write inherited users
-+##	fifo files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3179,35 +3938,91 @@ interface(`userdom_read_all_users_state',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_getattr_all_users',`
-+interface(`userdom_rw_inherited_user_pipes',`
- 	gen_require(`
- 		attribute userdomain;
- 	')
- 
--	allow $1 userdomain:process getattr;
-+	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Inherit the file descriptors from all user domains
-+##	Do not audit attempts to use user ttys.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_use_all_users_fds',`
-+interface(`userdom_dontaudit_use_user_ttys',`
- 	gen_require(`
--		attribute userdomain;
-+		type user_tty_device_t;
- 	')
- 
--	allow $1 userdomain:fd use;
-+	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to inherit the file
-+##	Read the process state of all user domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
 +	gen_require(`
-+		attribute userdomain;
++		type user_tmp_t;
 +	')
 +
-+	read_files_pattern($1, userdomain, userdomain)
-+	read_lnk_files_pattern($1,userdomain,userdomain)
-+	kernel_search_proc($1)
++	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Get the attributes of all user domains.
++##	Allow domain to read/write inherited users
++##	fifo files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -147350,39 +147567,51 @@ index e720dcd..2a4e6ef 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_getattr_all_users',`
++interface(`userdom_rw_inherited_user_pipes',`
 +	gen_require(`
 +		attribute userdomain;
 +	')
 +
-+	allow $1 userdomain:process getattr;
++	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Inherit the file descriptors from all user domains
++##	Do not audit attempts to use user ttys.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_use_all_users_fds',`
++interface(`userdom_dontaudit_use_user_ttys',`
 +	gen_require(`
-+		attribute userdomain;
++		type user_tty_device_t;
 +	')
 +
-+	allow $1 userdomain:fd use;
++	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to inherit the file
- ##	descriptors from any user domains.
- ## </summary>
- ## <param name="domain">
-@@ -3242,6 +4057,42 @@ interface(`userdom_signal_all_users',`
++##	Read the process state of all user domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+@@ -3166,6 +3986,7 @@ interface(`userdom_read_all_users_state',`
+ 	')
+ 
+ 	read_files_pattern($1, userdomain, userdomain)
++	read_lnk_files_pattern($1,userdomain,userdomain)
+ 	kernel_search_proc($1)
+ ')
+ 
+@@ -3242,6 +4063,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
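Review bot: The rule added on the `+	read_lnk_files_pattern($1,userdomain,userdomain)` line widens userdom_read_all_users_state beyond what its summary ("Read the process state of all user domains") describes: callers can now also read symlinks labeled with every user domain, which under /proc presumably covers links such as exe, cwd and the fd entries of those processes. Since every existing caller of the interface picks this up transparently, the summary should say so, e.g. `##	Read the process state and /proc symlinks of all user domains.`. The argument spacing also differs from the read_files_pattern line directly above it; `read_lnk_files_pattern($1, userdomain, userdomain)` matches the file's convention.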
@@ -147425,7 +147654,7 @@ index e720dcd..2a4e6ef 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4113,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4119,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -147450,7 +147679,7 @@ index e720dcd..2a4e6ef 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3296,3 +4165,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4171,1365 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index c160a11..57e3993 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -5137,11 +5137,11 @@ index 159610b..164b672 100644
  
 diff --git a/authconfig.fc b/authconfig.fc
 new file mode 100644
-index 0000000..86bbf21
+index 0000000..4579cfe
 --- /dev/null
 +++ b/authconfig.fc
 @@ -0,0 +1,3 @@
-+/usr/share/authconfig/authconfig.py		--	gen_context(system_u:object_r:authconfig_exec_t,s0)
++/usr/share/authconfig/authconfig\.py		--	gen_context(system_u:object_r:authconfig_exec_t,s0)
 +
 +/var/lib/authconfig(/.*)?		gen_context(system_u:object_r:authconfig_var_lib_t,s0)
 diff --git a/authconfig.if b/authconfig.if
@@ -8962,10 +8962,10 @@ index 0000000..efebae7
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..3ac7547
+index 0000000..d1bd04c
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,203 @@
+@@ -0,0 +1,201 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -9155,8 +9155,6 @@ index 0000000..3ac7547
 +dev_read_sysfs(chrome_sandbox_nacl_t)
 +dev_rwx_zero(chrome_sandbox_nacl_t)
 +
-+files_read_etc_files(chrome_sandbox_nacl_t)
-+
 +init_read_state(chrome_sandbox_nacl_t)
 +
 +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
@@ -11040,10 +11038,10 @@ index 0000000..40415f8
 +
 diff --git a/collectd.te b/collectd.te
 new file mode 100644
-index 0000000..cb6dbe6
+index 0000000..e3f985b
 --- /dev/null
 +++ b/collectd.te
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,93 @@
 +policy_module(collectd, 1.0.0)
 +
 +########################################
@@ -11111,6 +11109,8 @@ index 0000000..cb6dbe6
 +
 +fs_getattr_all_fs(collectd_t)
 +
++init_read_utmp(collectd_t)
++
 +logging_send_syslog_msg(collectd_t)
 +
 +sysnet_dns_name_resolve(collectd_t)
@@ -11128,6 +11128,8 @@ index 0000000..cb6dbe6
 +	read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
 +	list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
 +	miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
++	
++	auth_read_passwd(httpd_collectd_script_t)
 +')
 +
 +optional_policy(`
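Review bot: The separator line added before `auth_read_passwd(httpd_collectd_script_t)` is not empty but holds a single tab, which the surrounding file does not do for blank lines and which trailing-whitespace checks will flag; make it an empty line. The enclosing optional_policy block starts outside this hunk.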
@@ -14813,40 +14815,78 @@ index 0000000..33656de
 +	sysnet_domtrans_ifconfig(ctdbd_t)
 +')
 diff --git a/cups.fc b/cups.fc
-index 848bb92..600efa5 100644
+index 848bb92..85b210b 100644
 --- a/cups.fc
 +++ b/cups.fc
-@@ -19,7 +19,10 @@
+@@ -15,28 +15,30 @@
+ 
+ /etc/cups/interfaces(/.*)?	gen_context(system_u:object_r:cupsd_interface_t,s0)
+ 
+-/etc/hp(/.*)?			gen_context(system_u:object_r:hplip_etc_t,s0)
++/etc/hp(/.*)?			gen_context(system_u:object_r:cupsd_etc_t,s0)
  
  /etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
+-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 +/usr/lib/systemd/system/cups.*	--	gen_context(system_u:object_r:cupsd_unit_file_t,s0)
 +
- /lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 +/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
  
  /opt/gutenprint/ppds(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
-@@ -52,18 +55,32 @@
+ /usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/bin/hpijs		--	gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/bin/hpijs		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+ 
+ /usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+ /usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+-/usr/lib/cups/backend/hp.* --	gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/lib/cups/backend/hp.* --	gen_context(system_u:object_r:cupsd_exec_t,s0)
+ 
+ /usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ 
+-/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+ /usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+ /usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/sbin/hpiod		--	gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/sbin/hpiod		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+ /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
+ /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
+@@ -44,7 +46,7 @@
+ 
+ /usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
+ /usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/usr/share/hplip/.*\.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/share/hplip/.*\.py --	gen_context(system_u:object_r:cupsd_exec_t,s0)
+ 
+ /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+@@ -52,18 +54,32 @@
  
  /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/lib/bjlib(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
  
- /var/lib/hp(/.*)?		gen_context(system_u:object_r:hplip_var_lib_t,s0)
+-/var/lib/hp(/.*)?		gen_context(system_u:object_r:hplip_var_lib_t,s0)
++/var/lib/hp(/.*)?		gen_context(system_u:object_r:cupsd_var_lib_t,s0)
 +/var/lib/iscan(/.*)?		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
  /var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
  /var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
  
-+/var/log/hp(/.*)?       gen_context(system_u:object_r:hplip_var_log_t,s0)
++/var/log/hp(/.*)?       gen_context(system_u:object_r:cupsd_log_t,s0)
 +
  /var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
  /var/ekpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
 -/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
+-/var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
 +/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
- /var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
- /var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
++/var/run/hp.*\.pid	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/hp.*\.port	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
  /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/udev-configure-printer(/.*)? 	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
@@ -14862,11 +14902,28 @@ index 848bb92..600efa5 100644
 +/etc/opt/brother/Printers/(.*/)?inf(/.*)?        gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/cups.if b/cups.if
-index 305ddf4..a682e21 100644
+index 305ddf4..ca832e1 100644
 --- a/cups.if
 +++ b/cups.if
-@@ -9,6 +9,11 @@
- ##	Domain allowed access.
+@@ -1,14 +1,25 @@
+-## <summary>Common UNIX printing system</summary>
++## <summary>Common UNIX printing system.</summary>
+ 
+ ########################################
+ ## <summary>
+-##	Setup cups to transtion to the cups backend domain
++##	Create a domain which can be
++##	started by cupsd.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="entry_point">
++##	<summary>
++##	Type of the program to be used as an entry point to this domain.
  ##	</summary>
  ## </param>
 +## <param name="entry_file">
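Review bot: After this hunk the cups_backend doc block describes both an `entry_point` parameter (added here) and an `entry_file` parameter (kept from the existing patch on the last line of the hunk), so what is presumably the same positional argument is documented twice under different names. Keep one block, the upstream-style `entry_point` wording, and drop the `entry_file` one, otherwise the generated interface documentation lists a parameter the interface does not have. The interface body is outside this hunk, so confirm which name the code actually uses.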
@@ -14877,7 +14934,41 @@ index 305ddf4..a682e21 100644
  #
  interface(`cups_backend',`
  	gen_require(`
-@@ -190,10 +195,12 @@ interface(`cups_dbus_chat_config',`
+@@ -42,12 +53,14 @@ interface(`cups_domtrans',`
+ 		type cupsd_t, cupsd_exec_t;
+ 	')
+ 
++	corecmd_search_bin($1)
+ 	domtrans_pattern($1, cupsd_exec_t, cupsd_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Connect to cupsd over an unix domain stream socket.
++##	Connect to cupsd over an unix
++##	domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -120,7 +133,8 @@ interface(`cups_read_pid_files',`
+ 
+ ########################################
+ ## <summary>
+-##	Execute cups_config in the cups_config domain.
++##	Execute cups_config in the
++##	cups config domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -133,6 +147,7 @@ interface(`cups_domtrans_config',`
+ 		type cupsd_config_t, cupsd_config_exec_t;
+ 	')
+ 
++	corecmd_search_bin($1)
+ 	domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t)
+ ')
+ 
+@@ -190,10 +205,12 @@ interface(`cups_dbus_chat_config',`
  interface(`cups_read_config',`
  	gen_require(`
  		type cupsd_etc_t, cupsd_rw_etc_t;
@@ -14890,10 +14981,22 @@ index 305ddf4..a682e21 100644
  	read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
  ')
  
-@@ -296,6 +303,29 @@ interface(`cups_stream_connect_ptal',`
+@@ -277,7 +294,8 @@ interface(`cups_write_log',`
  
  ########################################
  ## <summary>
+-##	Connect to ptal over an unix domain stream socket.
++##	Connect to ptal over an unix
++##	domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -296,8 +314,31 @@ interface(`cups_stream_connect_ptal',`
+ 
+ ########################################
+ ## <summary>
+-##	All of the rules required to administrate 
+-##	an cups environment
 +##	Execute cupsd server in the cupsd domain.
 +## </summary>
 +## <param name="domain">
@@ -14917,62 +15020,82 @@ index 305ddf4..a682e21 100644
 +
 +########################################
 +## <summary>
- ##	All of the rules required to administrate 
- ##	an cups environment
++##	All of the rules required to
++##	administrate an cups environment.
  ## </summary>
-@@ -314,16 +344,20 @@ interface(`cups_stream_connect_ptal',`
- interface(`cups_admin',`
- 	gen_require(`
+ ## <param name="domain">
+ ##	<summary>
+@@ -306,7 +347,7 @@ interface(`cups_stream_connect_ptal',`
+ ## </param>
+ ## <param name="role">
+ ##	<summary>
+-##	The role to be allowed to manage the cups domain.
++##	Role allowed access.
+ ##	</summary>
+ ## </param>
+ ## <rolecap/>
+@@ -316,43 +357,93 @@ interface(`cups_admin',`
  		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
--		type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
--		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+ 		type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ 		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
 -		type cupsd_var_run_t, ptal_etc_t;
 -		type ptal_var_run_t, hplip_var_run_t;
 -		type cupsd_initrc_exec_t;
-+		type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
-+		type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
-+		type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
-+		type ptal_var_run_t;
++		type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
++		type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
++		type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
++		type ptal_t;
 +		type cupsd_unit_file_t;
  	')
  
 -	allow $1 cupsd_t:process { ptrace signal_perms };
-+	allow $1 cupsd_t:process signal_perms;
- 	ps_process_pattern($1, cupsd_t)
- 
+-	ps_process_pattern($1, cupsd_t)
++	allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
++	allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
++	ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
++	ps_process_pattern($1, { cups_pdf_t ptal_t })
++
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 cupsd_t:process ptrace;
++		allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
 +	')
-+
+ 
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 cupsd_initrc_exec_t system_r;
-@@ -341,18 +375,72 @@ interface(`cups_admin',`
+ 	allow $2 system_r;
  
- 	admin_pattern($1, cupsd_lpd_var_run_t)
+-	admin_pattern($1, cupsd_etc_t)
+ 	files_list_etc($1)
++	admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
  
--	admin_pattern($1, cupsd_spool_t)
--	files_list_spool($1)
+-	admin_pattern($1, cupsd_config_var_run_t)
 -
- 	admin_pattern($1, cupsd_tmp_t)
- 	files_list_tmp($1)
- 
- 	admin_pattern($1, cupsd_var_run_t)
- 	files_list_pids($1)
+-	admin_pattern($1, cupsd_log_t)
+ 	logging_list_logs($1)
++	admin_pattern($1, cupsd_log_t)
  
-+	admin_pattern($1, hplip_etc_t)
-+
- 	admin_pattern($1, hplip_var_run_t)
+-	admin_pattern($1, cupsd_lpd_tmp_t)
+-
+-	admin_pattern($1, cupsd_lpd_var_run_t)
+-
+-	admin_pattern($1, cupsd_spool_t)
+ 	files_list_spool($1)
++	admin_pattern($1, cupsd_spool_t)
  
- 	admin_pattern($1, ptal_etc_t)
+-	admin_pattern($1, cupsd_tmp_t)
+ 	files_list_tmp($1)
++	admin_pattern($1, { cupsd_tmp_t  cupsd_lpd_tmp_t })
++	admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
++	admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
  
- 	admin_pattern($1, ptal_var_run_t)
-+
+-	admin_pattern($1, cupsd_var_run_t)
+-	files_list_pids($1)
 +	cupsd_systemctl($1)
 +	admin_pattern($1, cupsd_unit_file_t)
 +	allow $1 cupsd_unit_file_t:service all_service_perms;
 +')
-+
+ 
+-	admin_pattern($1, hplip_var_run_t)
 +########################################
 +## <summary>
 +##	Transition to cups named content
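Review bot: `admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })` lists hplip_var_run_t next to cupsd_var_run_t, but cups.te in this same commit turns hplip_var_run_t into a typealias of cupsd_var_run_t, so both the gen_require entry and the set member are redundant; `{ cupsd_tmp_t  cupsd_lpd_tmp_t }` on the next line also carries a double space. The deny_ptrace branch covers cupsd_t, cupsd_config_t and cupsd_lpd_t but not cups_pdf_t and ptal_t, although those two do receive signal_perms and ps_process_pattern a few lines above; if the asymmetry is deliberate, a one-line comment such as `# ptrace intentionally not granted for the backend domains` would save the next reader the question.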
@@ -14988,7 +15111,8 @@ index 305ddf4..a682e21 100644
 +		type cupsd_rw_etc_t;
 +		type cupsd_etc_t;
 +	')
-+
+ 
+-	admin_pattern($1, ptal_etc_t)
 +	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
 +	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
 +	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
@@ -15004,7 +15128,8 @@ index 305ddf4..a682e21 100644
 +	files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
 +	corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
 +')
-+
+ 
+-	admin_pattern($1, ptal_var_run_t)
 +########################################
 +## <summary>
 +##	Allow the domain to read cups state files in /proc.
@@ -15024,64 +15149,197 @@ index 305ddf4..a682e21 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index e5a8924..ac29949 100644
+index e5a8924..2baae57 100644
 --- a/cups.te
 +++ b/cups.te
-@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
- type cupsd_t;
+@@ -1,22 +1,28 @@
+-policy_module(cups, 1.15.0)
++policy_module(cups, 1.15.9)
+ 
+ ########################################
+ #
+ # Declarations
+ #
+ 
+-type cupsd_config_t;
++attribute cups_domain;
++
++type cupsd_config_t, cups_domain;
+ type cupsd_config_exec_t;
+ init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
+ 
+ type cupsd_config_var_run_t;
+ files_pid_file(cupsd_config_var_run_t)
+ 
+-type cupsd_t;
++type cupsd_t, cups_domain;
  type cupsd_exec_t;
++typealias cupsd_t alias hplip_t;
++typealias cupsd_exec_t alias hplip_exec_t;
  init_daemon_domain(cupsd_t, cupsd_exec_t)
 +mls_trusted_object(cupsd_t)
  
  type cupsd_etc_t;
++typealias cupsd_etc_t alias hplip_etc_t;
  files_config_file(cupsd_etc_t)
-@@ -60,6 +61,9 @@ type cupsd_var_run_t;
+ 
+ type cupsd_initrc_exec_t;
+@@ -32,9 +38,13 @@ type cupsd_lock_t;
+ files_lock_file(cupsd_lock_t)
+ 
+ type cupsd_log_t;
++typealias cupsd_log_t alias hplip_var_log_t;
+ logging_log_file(cupsd_log_t)
+ 
+-type cupsd_lpd_t;
++type cupsd_var_lib_t alias hplip_var_lib_t;
++files_type(cupsd_var_lib_t)
++
++type cupsd_lpd_t, cups_domain;
+ type cupsd_lpd_exec_t;
+ domain_type(cupsd_lpd_t)
+ domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
+@@ -46,7 +56,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
+ type cupsd_lpd_var_run_t;
+ files_pid_file(cupsd_lpd_var_run_t)
+ 
+-type cups_pdf_t;
++type cups_pdf_t, cups_domain;
+ type cups_pdf_exec_t;
+ cups_backend(cups_pdf_t, cups_pdf_exec_t)
+ 
+@@ -54,29 +64,16 @@ type cups_pdf_tmp_t;
+ files_tmp_file(cups_pdf_tmp_t)
+ 
+ type cupsd_tmp_t;
++typealias cupsd_tmp_t alias hplip_tmp_t;
+ files_tmp_file(cupsd_tmp_t)
+ 
+ type cupsd_var_run_t;
++typealias cupsd_var_run_t alias hplip_var_run_t;
  files_pid_file(cupsd_var_run_t)
  mls_trusted_object(cupsd_var_run_t)
  
+-type hplip_t;
+-type hplip_exec_t;
+-init_daemon_domain(hplip_t, hplip_exec_t)
+-# For CUPS to run as a backend
+-cups_backend(hplip_t, hplip_exec_t)
+-
+-type hplip_etc_t;
+-files_config_file(hplip_etc_t)
+-
+-type hplip_tmp_t;
+-files_tmp_file(hplip_tmp_t)
+-
+-type hplip_var_lib_t;
+-files_type(hplip_var_lib_t)
+-
+-type hplip_var_run_t;
+-files_pid_file(hplip_var_run_t)
 +type cupsd_unit_file_t;
 +systemd_unit_file(cupsd_unit_file_t)
-+
- type hplip_t;
- type hplip_exec_t;
- init_daemon_domain(hplip_t, hplip_exec_t)
-@@ -75,6 +79,9 @@ files_tmp_file(hplip_tmp_t)
- type hplip_var_lib_t;
- files_type(hplip_var_lib_t)
  
-+type hplip_var_log_t;
-+logging_log_file(hplip_var_log_t)
+ type ptal_t;
+ type ptal_exec_t;
+@@ -96,77 +93,103 @@ ifdef(`enable_mls',`
+ 	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
+ ')
+ 
++#######################################
++#
++# Cups general local policy
++#
++
++allow cups_domain self:capability { setuid setgid };
++allow cups_domain self:process signal_perms;
++allow cups_domain self:fifo_file rw_fifo_file_perms;
++allow cups_domain self:tcp_socket { accept listen };
++
++kernel_read_kernel_sysctls(cups_domain)
++kernel_read_network_state(cups_domain)
++
++corecmd_exec_bin(cups_domain)
++corecmd_exec_shell(cups_domain)
 +
- type hplip_var_run_t;
- files_pid_file(hplip_var_run_t)
++dev_read_urand(cups_domain)
++dev_read_rand(cups_domain)
++dev_read_sysfs(cups_domain)
++
++fs_getattr_all_fs(cups_domain)
++
++miscfiles_read_fonts(cups_domain)
++miscfiles_setattr_fonts_cache_dirs(cups_domain)
++
++optional_policy(`
++    lpd_manage_spool(cups_domain)
++')
++
+ ########################################
+ #
+ # Cups local policy
+ #
  
-@@ -104,6 +111,7 @@ ifdef(`enable_mls',`
- # /usr/lib/cups/backend/serial needs sys_admin(?!)
- allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+-# /usr/lib/cups/backend/serial needs sys_admin(?!)
+-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
  dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-+allow cupsd_t self:capability2 { block_suspend };
- allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
- allow cupsd_t self:fifo_file rw_fifo_file_perms;
- allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -123,6 +131,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
- files_search_etc(cupsd_t)
+-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+-allow cupsd_t self:fifo_file rw_fifo_file_perms;
+-allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow cupsd_t self:unix_dgram_socket create_socket_perms;
++allow cupsd_t self:capability2 block_suspend;
++allow cupsd_t self:process { getpgid setpgid setsched };
++allow cupsd_t self:unix_stream_socket { accept connectto listen };
+ allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+ allow cupsd_t self:shm create_shm_perms;
+ allow cupsd_t self:sem create_sem_perms;
+-allow cupsd_t self:tcp_socket create_stream_socket_perms;
+-allow cupsd_t self:udp_socket create_socket_perms;
+ allow cupsd_t self:appletalk_socket create_socket_perms;
+-# generic socket here until appletalk socket is available in kernels
+-allow cupsd_t self:socket create_socket_perms;
+ 
+-allow cupsd_t cupsd_etc_t:{ dir file } setattr;
++allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
++allow cupsd_t cupsd_etc_t:file setattr_file_perms;
+ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+-files_search_etc(cupsd_t)
  
  manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
 +can_exec(cupsd_t, cupsd_interface_t)
  
  manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
  manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -137,6 +146,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+ files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+ 
+-# allow cups to execute its backend scripts
+-can_exec(cupsd_t, cupsd_exec_t)
+ allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+ 
  allow cupsd_t cupsd_lock_t:file manage_file_perms;
  files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
  
+-manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-allow cupsd_t cupsd_log_t:dir setattr;
 +manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- allow cupsd_t cupsd_log_t:dir setattr;
++append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
++create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
++read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
++setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
-@@ -146,11 +156,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ 
++manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
++manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
++
+ manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
  manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
- files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+-files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
++files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
  
 -allow cupsd_t cupsd_var_run_t:dir setattr;
 +allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
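Review bot: With `typealias cupsd_t alias hplip_t` and the cups.fc relabeling in this commit, the hp-* utilities, hpijs and /usr/share/hplip/*.py now execute in cupsd_t, which keeps `{ ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }` — presumably a wider capability set than the separate hplip_t carried, and the commit message describes this only as a backport. That widening deserves a why-comment above the capability line, and `dac_override` appears twice in the set and can be listed once. `lpd_manage_spool(cups_domain)` inside the optional_policy block is indented with four spaces while the rest of the file uses a tab. The hunk also drops the tcp_socket, udp_socket and unix_stream_socket create permissions for cupsd_t without replacement, which presumably relies on them being granted elsewhere in the f18 base policy this backport targets; worth confirming, since a missing grant would only show up as runtime denials.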
@@ -15090,19 +15348,23 @@ index e5a8924..ac29949 100644
  manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
  manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 -files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
-+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file })
+-
+-allow cupsd_t hplip_t:process { signal sigkill };
++files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
  
- allow cupsd_t hplip_t:process { signal sigkill };
+-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
++allow cupsd_t cupsd_unit_file_t:file read_file_perms;
  
-@@ -159,14 +170,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
- allow cupsd_t hplip_var_run_t:file read_file_perms;
+-allow cupsd_t hplip_var_run_t:file read_file_perms;
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 -allow cupsd_t ptal_var_run_t : sock_file setattr;
 +allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
++
++can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
  
  kernel_read_system_state(cupsd_t)
- kernel_read_network_state(cupsd_t)
+-kernel_read_network_state(cupsd_t)
  kernel_read_all_sysctls(cupsd_t)
  kernel_request_load_module(cupsd_t)
  
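Review bot: `can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })` duplicates the `can_exec(cupsd_t, cupsd_interface_t)` that the earlier hunk of this file already adds after the cupsd_interface_t manage_files_pattern, so after this commit the execute permission on cupsd_interface_t is stated twice in cups.te; keep this combined form and drop the earlier single line. The line also restores the `can_exec(cupsd_t, cupsd_exec_t)` that the earlier hunk removes together with its `# allow cups to execute its backend scripts` comment — carrying that comment over to this line keeps the why next to the rule.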
@@ -15110,38 +15372,135 @@ index e5a8924..ac29949 100644
  corenet_all_recvfrom_netlabel(cupsd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_t)
  corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -211,6 +221,7 @@ mls_rangetrans_target(cupsd_t)
- mls_socket_write_all_levels(cupsd_t)
- mls_fd_use_all_levels(cupsd_t)
- 
-+term_use_usb_ttys(cupsd_t)
- term_use_unallocated_ttys(cupsd_t)
- term_search_ptys(cupsd_t)
- 
-@@ -220,11 +231,12 @@ corecmd_exec_bin(cupsd_t)
- 
+@@ -178,6 +201,9 @@ corenet_tcp_sendrecv_all_ports(cupsd_t)
+ corenet_udp_sendrecv_all_ports(cupsd_t)
+ corenet_tcp_bind_generic_node(cupsd_t)
+ corenet_udp_bind_generic_node(cupsd_t)
++
++corenet_sendrecv_all_server_packets(cupsd_t)
++corenet_sendrecv_all_client_packets(cupsd_t)
+ corenet_tcp_bind_ipp_port(cupsd_t)
+ corenet_udp_bind_ipp_port(cupsd_t)
+ corenet_udp_bind_howl_port(cupsd_t)
+@@ -185,60 +211,61 @@ corenet_tcp_bind_reserved_port(cupsd_t)
+ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+ corenet_tcp_bind_all_rpc_ports(cupsd_t)
+ corenet_tcp_connect_all_ports(cupsd_t)
++
+ corenet_sendrecv_hplip_client_packets(cupsd_t)
++corenet_receive_hplip_server_packets(cupsd_t)
++corenet_tcp_bind_hplip_port(cupsd_t)
++corenet_tcp_connect_hplip_port(cupsd_t)
++corenet_tcp_bind_glance_port(cupsd_t)
++corenet_tcp_connect_glance_port(cupsd_t)
++
+ corenet_sendrecv_ipp_client_packets(cupsd_t)
+-corenet_sendrecv_ipp_server_packets(cupsd_t)
++corenet_tcp_connect_ipp_port(cupsd_t)
++
++corenet_sendrecv_howl_server_packets(cupsd_t)
++corenet_udp_bind_howl_port(cupsd_t)
+ 
+ dev_rw_printer(cupsd_t)
+-dev_read_urand(cupsd_t)
+-dev_read_sysfs(cupsd_t)
+-dev_rw_input_dev(cupsd_t)	#447878
++dev_rw_input_dev(cupsd_t)
+ dev_rw_generic_usb_dev(cupsd_t)
+ dev_rw_usbfs(cupsd_t)
+ dev_getattr_printer_dev(cupsd_t)
+ 
+ domain_read_all_domains_state(cupsd_t)
+-
+-fs_getattr_all_fs(cupsd_t)
+-fs_search_auto_mountpoints(cupsd_t)
+-fs_search_fusefs(cupsd_t)
+-fs_read_anon_inodefs_files(cupsd_t)
+-
+-mls_file_downgrade(cupsd_t)
+-mls_file_write_all_levels(cupsd_t)
+-mls_file_read_all_levels(cupsd_t)
+-mls_rangetrans_target(cupsd_t)
+-mls_socket_write_all_levels(cupsd_t)
+-mls_fd_use_all_levels(cupsd_t)
+-
+-term_use_unallocated_ttys(cupsd_t)
+-term_search_ptys(cupsd_t)
+-
+-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+-corecmd_exec_shell(cupsd_t)
+-corecmd_exec_bin(cupsd_t)
+-
  domain_use_interactive_fds(cupsd_t)
  
 +files_getattr_boot_dirs(cupsd_t)
  files_list_spool(cupsd_t)
 -files_read_etc_files(cupsd_t)
  files_read_etc_runtime_files(cupsd_t)
- # read python modules
- files_read_usr_files(cupsd_t)
+-# read python modules
+-files_read_usr_files(cupsd_t)
 +files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
  files_list_world_readable(cupsd_t)
-@@ -258,7 +270,6 @@ libs_exec_lib_files(cupsd_t)
+ files_read_world_readable_files(cupsd_t)
+ files_read_world_readable_symlinks(cupsd_t)
+-# Satisfy readahead
+ files_read_var_files(cupsd_t)
+ files_read_var_symlinks(cupsd_t)
++files_dontaudit_getattr_all_tmp_files(cupsd_t)
++files_dontaudit_list_home(cupsd_t)
+ # for /etc/printcap
+ files_dontaudit_write_etc_files(cupsd_t)
+-# smbspool seems to be iterating through all existing tmp files.
+-# redhat bug #214953
+-# cjp: this might be a broken behavior
+-files_dontaudit_getattr_all_tmp_files(cupsd_t)
++files_dontaudit_write_usr_dirs(cupsd_t)
++
++fs_search_auto_mountpoints(cupsd_t)
++fs_search_fusefs(cupsd_t)
++fs_read_anon_inodefs_files(cupsd_t)
++fs_rw_anon_inodefs_files(cupsd_t)
++
++mls_fd_use_all_levels(cupsd_t)
++mls_file_downgrade(cupsd_t)
++mls_file_write_all_levels(cupsd_t)
++mls_file_read_all_levels(cupsd_t)
++mls_rangetrans_target(cupsd_t)
++mls_socket_write_all_levels(cupsd_t)
++
++term_search_ptys(cupsd_t)
++term_use_unallocated_ttys(cupsd_t)
++term_use_ptmx(cupsd_t)
+ 
+ selinux_compute_access_vector(cupsd_t)
+ selinux_validate_context(cupsd_t)
+@@ -251,30 +278,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+ auth_rw_faillog(cupsd_t)
+ auth_use_nsswitch(cupsd_t)
+ 
+-# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
+-libs_read_lib_files(cupsd_t)
+ libs_exec_lib_files(cupsd_t)
+ 
  logging_send_audit_msgs(cupsd_t)
  logging_send_syslog_msg(cupsd_t)
  
 -miscfiles_read_localization(cupsd_t)
- # invoking ghostscript needs to read fonts
- miscfiles_read_fonts(cupsd_t)
- miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-@@ -269,12 +280,7 @@ sysnet_exec_ifconfig(cupsd_t)
- files_dontaudit_list_home(cupsd_t)
+-# invoking ghostscript needs to read fonts
+-miscfiles_read_fonts(cupsd_t)
+-miscfiles_setattr_fonts_cache_dirs(cupsd_t)
+-
+ seutil_read_config(cupsd_t)
++
+ sysnet_exec_ifconfig(cupsd_t)
++sysnet_dns_name_resolve(cupsd_t)
+ 
+-files_dontaudit_list_home(cupsd_t)
++userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
++userdom_dontaudit_search_user_home_dirs(cupsd_t)
++userdom_dontaudit_search_user_home_content(cupsd_t)
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_user_home_content(cupsd_t)
 -
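Review bot: The new side of this hunk ends up with `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` and `userdom_dontaudit_search_user_home_content(cupsd_t)` twice — once in the added block and again in the context lines immediately below it — so the two added duplicates should be dropped. Separately, `corenet_tcp_bind_glance_port(cupsd_t)` / `corenet_tcp_connect_glance_port(cupsd_t)` read like a paste from an OpenStack module; if they are there because the glance port definition overlaps the hplip port range, a comment such as `# glance_port_t overlaps the hplip port range (confirm)` on those lines would stop a later reviewer from removing them. The hunk also adds `corenet_sendrecv_all_server_packets` / `corenet_sendrecv_all_client_packets`, which is consistent with the existing `corenet_tcp_connect_all_ports(cupsd_t)` but makes the packet-label side as broad as the port side; worth a one-line comment if that breadth is intended.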
@@ -15150,11 +15509,10 @@ index e5a8924..ac29949 100644
 -lpd_read_config(cupsd_t)
 -lpd_exec_lpr(cupsd_t)
 -lpd_relabel_spool(cupsd_t)
-+userdom_search_admin_dir(cupsd_t)
  
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
-@@ -287,6 +293,8 @@ optional_policy(`
+@@ -287,6 +305,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -15163,7 +15521,7 @@ index e5a8924..ac29949 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -297,8 +305,10 @@ optional_policy(`
+@@ -297,8 +317,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -15174,7 +15532,7 @@ index e5a8924..ac29949 100644
  	')
  ')
  
-@@ -311,10 +321,23 @@ optional_policy(`
+@@ -311,17 +333,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15187,10 +15545,8 @@ index e5a8924..ac29949 100644
  ')
  
  optional_policy(`
-+	# Write to /var/spool/cups.
-+	lpd_manage_spool(cupsd_t)
-+	lpd_read_config(cupsd_t)
 +	lpd_exec_lpr(cupsd_t)
++	lpd_read_config(cupsd_t)
 +	lpd_relabel_spool(cupsd_t)
 +')
 +
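Review bot: `lpd_manage_spool(cupsd_t)` and its comment `# Write to /var/spool/cups.` are removed from the lpd optional block and nothing in this hunk replaces them, so cupsd_t loses write access to the print spool unless the rawhide policy grants it through another rule (not visible here). If it is granted elsewhere, move the comment next to that rule; if not, `lpd_manage_spool(cupsd_t)` needs to stay in this block. The optional_policy block begins before this hunk.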
@@ -15198,16 +15554,15 @@ index e5a8924..ac29949 100644
  	mta_send_mail(cupsd_t)
  ')
  
-@@ -322,6 +345,8 @@ optional_policy(`
- 	# cups execs smbtool which reads samba_etc_t files
+ optional_policy(`
+-	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
-+	# needed by smbspool
 +	samba_stream_connect_nmbd(cupsd_t)
  ')
  
  optional_policy(`
-@@ -336,12 +361,16 @@ optional_policy(`
+@@ -336,18 +369,18 @@ optional_policy(`
  	udev_read_db(cupsd_t)
  ')
  
@@ -15217,15 +15572,33 @@ index e5a8924..ac29949 100644
 +
  ########################################
  #
- # Cups configuration daemon local policy
+-# Cups configuration daemon local policy
++# Configuration daemon local policy
  #
  
--allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
-+allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config };
+ allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
  dontaudit cupsd_config_t self:capability sys_tty_config;
- allow cupsd_config_t self:process { getsched signal_perms };
- allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -371,8 +400,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+-allow cupsd_config_t self:process { getsched signal_perms };
+-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
+-allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+-allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+-allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
++allow cupsd_config_t self:process { getsched };
+ 
+ allow cupsd_config_t cupsd_t:process signal;
+ ps_process_pattern(cupsd_config_t, cupsd_t)
+@@ -360,9 +393,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+ manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+ files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
+ 
+-can_exec(cupsd_config_t, cupsd_config_exec_t)
+-
+-allow cupsd_config_t cupsd_log_t:file rw_file_perms;
++allow cupsd_config_t cupsd_log_t:file { append_file_perms read_file_perms };
+ 
+ manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+ manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+@@ -371,70 +402,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -15234,9 +15607,14 @@ index e5a8924..ac29949 100644
 -files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
 +files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
- domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
++read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
+ 
+-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
++stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
++
++can_exec(cupsd_config_t, cupsd_config_exec_t)
  
-@@ -381,7 +411,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
  kernel_read_system_state(cupsd_config_t)
  kernel_read_all_sysctls(cupsd_config_t)
  
@@ -15244,177 +15622,304 @@ index e5a8924..ac29949 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -407,7 +436,6 @@ domain_use_interactive_fds(cupsd_config_t)
+ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+-corenet_tcp_connect_all_ports(cupsd_config_t)
++
+ corenet_sendrecv_all_client_packets(cupsd_config_t)
++corenet_tcp_connect_all_ports(cupsd_config_t)
+ 
+-dev_read_sysfs(cupsd_config_t)
+-dev_read_urand(cupsd_config_t)
+-dev_read_rand(cupsd_config_t)
+ dev_rw_generic_usb_dev(cupsd_config_t)
+ 
++files_read_etc_runtime_files(cupsd_config_t)
++files_read_var_symlinks(cupsd_config_t)
+ files_search_all_mountpoints(cupsd_config_t)
+ 
+-fs_getattr_all_fs(cupsd_config_t)
+ fs_search_auto_mountpoints(cupsd_config_t)
+ 
+-corecmd_exec_bin(cupsd_config_t)
+-corecmd_exec_shell(cupsd_config_t)
+-
+ domain_use_interactive_fds(cupsd_config_t)
+-# killall causes the following
  domain_dontaudit_search_all_domains_state(cupsd_config_t)
  
- files_read_usr_files(cupsd_config_t)
+-files_read_usr_files(cupsd_config_t)
 -files_read_etc_files(cupsd_config_t)
- files_read_etc_runtime_files(cupsd_config_t)
- files_read_var_symlinks(cupsd_config_t)
+-files_read_etc_runtime_files(cupsd_config_t)
+-files_read_var_symlinks(cupsd_config_t)
+-
+-# Alternatives asks for this
+ init_getattr_all_script_files(cupsd_config_t)
  
-@@ -418,18 +446,15 @@ auth_use_nsswitch(cupsd_config_t)
+ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
 -miscfiles_read_localization(cupsd_config_t)
- miscfiles_read_hwdata(cupsd_config_t)
- 
+-miscfiles_read_hwdata(cupsd_config_t)
+-
 -seutil_dontaudit_search_config(cupsd_config_t)
 -
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
-+userdom_rw_user_tmp_files(cupsd_config_t)
-+userdom_read_user_tmp_symlinks(cupsd_config_t)
- 
- cups_stream_connect(cupsd_config_t)
- 
+-
+-cups_stream_connect(cupsd_config_t)
+-
 -lpd_read_config(cupsd_config_t)
 -
- ifdef(`distro_redhat',`
- 	optional_policy(`
- 		rpm_read_db(cupsd_config_t)
-@@ -453,6 +478,10 @@ optional_policy(`
- ')
+-ifdef(`distro_redhat',`
+-	optional_policy(`
+-		rpm_read_db(cupsd_config_t)
+-	')
+-')
++userdom_read_all_users_state(cupsd_config_t)
++userdom_read_user_tmp_symlinks(cupsd_config_t)
++userdom_rw_user_tmp_files(cupsd_config_t)
  
  optional_policy(`
-+	gnome_dontaudit_search_config(cupsd_config_t)
+ 	term_use_generic_ptys(cupsd_config_t)
+@@ -450,12 +460,19 @@ optional_policy(`
+ 	optional_policy(`
+ 		hal_dbus_chat(cupsd_config_t)
+ 	')
++
++	optional_policy(`
++		policykit_dbus_chat(cupsd_config_t)
++	')
 +')
 +
 +optional_policy(`
++	gnome_dontaudit_search_config(cupsd_config_t)
+ ')
+ 
+ optional_policy(`
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
- 	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +496,10 @@ optional_policy(`
+-	hal_dontaudit_use_fds(hplip_t)
  ')
  
  optional_policy(`
+@@ -467,8 +484,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	policykit_dbus_chat(cupsd_config_t)
+-	userdom_read_all_users_state(cupsd_config_t)
 +	lpd_read_config(cupsd_config_t)
-+')
-+
-+optional_policy(`
- 	policykit_dbus_chat(cupsd_config_t)
- 	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -526,7 +559,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
+ 
+ optional_policy(`
+@@ -489,231 +505,84 @@ optional_policy(`
+ 
+ ########################################
+ #
+-# Cups lpd support
++# Lpd local policy
+ #
+ 
+-allow cupsd_lpd_t self:process signal_perms;
+-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
+-allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
+-allow cupsd_lpd_t self:udp_socket create_socket_perms;
+-
+-# for identd
+-# cjp: this should probably only be inetd_child rules?
+ allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow cupsd_lpd_t self:capability { setuid setgid };
+-files_search_home(cupsd_lpd_t)
+-optional_policy(`
+-	kerberos_use(cupsd_lpd_t)
+-')
+-#end for identd
+ 
+-allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
+-read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
+-read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
+-
+-allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
+-read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+-read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
++allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
++allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:file read_file_perms;
++allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
+ manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
+-files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
++files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { dir file })
+ 
+ manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t)
+ files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file)
+ 
++stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
++
+ kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
- kernel_read_network_state(cupsd_lpd_t)
+-kernel_read_network_state(cupsd_lpd_t)
  
 -corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
  corenet_all_recvfrom_netlabel(cupsd_lpd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
- corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
-@@ -537,19 +569,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
- corenet_tcp_bind_generic_node(cupsd_lpd_t)
- corenet_udp_bind_generic_node(cupsd_lpd_t)
- corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+-corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
+ corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
+-corenet_udp_sendrecv_generic_node(cupsd_lpd_t)
+-corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
+-corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+-corenet_tcp_bind_generic_node(cupsd_lpd_t)
+-corenet_udp_bind_generic_node(cupsd_lpd_t)
+-corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+-
+-dev_read_urand(cupsd_lpd_t)
+-dev_read_rand(cupsd_lpd_t)
+ 
+-fs_getattr_xattr_fs(cupsd_lpd_t)
++corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
++corenet_tcp_connect_ipp_port(cupsd_lpd_t)
 +corenet_tcp_connect_printer_port(cupsd_lpd_t)
- 
- dev_read_urand(cupsd_lpd_t)
- dev_read_rand(cupsd_lpd_t)
- 
- fs_getattr_xattr_fs(cupsd_lpd_t)
++corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
  
 -files_read_etc_files(cupsd_lpd_t)
++files_search_home(cupsd_lpd_t)
  
  auth_use_nsswitch(cupsd_lpd_t)
  
  logging_send_syslog_msg(cupsd_lpd_t)
  
 -miscfiles_read_localization(cupsd_lpd_t)
- miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+-
+-cups_stream_connect(cupsd_lpd_t)
+-
+ optional_policy(`
+ 	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
+ ')
  
- cups_stream_connect(cupsd_lpd_t)
-@@ -577,33 +608,32 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
+ ########################################
+ #
+-# cups_pdf local policy
++# Pdf local policy
+ #
  
- kernel_read_system_state(cups_pdf_t)
+ allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
+-allow cups_pdf_t self:fifo_file rw_file_perms;
+ allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
--files_read_etc_files(cups_pdf_t)
- files_read_usr_files(cups_pdf_t)
+-manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
++append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
++create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
++setattr_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
  
-+fs_getattr_xattr_fs(cups_pdf_t)
-+
- corecmd_exec_shell(cups_pdf_t)
- corecmd_exec_bin(cups_pdf_t)
+ manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+-files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
++files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { dir file })
  
+ fs_rw_anon_inodefs_files(cups_pdf_t)
++fs_search_auto_mountpoints(cups_pdf_t)
+ 
+ kernel_read_system_state(cups_pdf_t)
+ 
+-files_read_etc_files(cups_pdf_t)
+-files_read_usr_files(cups_pdf_t)
+-
+-corecmd_exec_shell(cups_pdf_t)
+-corecmd_exec_bin(cups_pdf_t)
+-
  auth_use_nsswitch(cups_pdf_t)
  
 -miscfiles_read_localization(cups_pdf_t)
- miscfiles_read_fonts(cups_pdf_t)
-+miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
- 
- userdom_home_filetrans_user_home_dir(cups_pdf_t)
-+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
+-miscfiles_read_fonts(cups_pdf_t)
+-
+-userdom_home_filetrans_user_home_dir(cups_pdf_t)
  userdom_manage_user_home_content_dirs(cups_pdf_t)
  userdom_manage_user_home_content_files(cups_pdf_t)
-+userdom_dontaudit_search_admin_dir(cups_pdf_t)
- 
--lpd_manage_spool(cups_pdf_t)
 -
+-lpd_manage_spool(cups_pdf_t)
 -
--tunable_policy(`use_nfs_home_dirs',`
++userdom_home_filetrans_user_home_dir(cups_pdf_t)
+ 
+ tunable_policy(`use_nfs_home_dirs',`
 -	fs_search_auto_mountpoints(cups_pdf_t)
--	fs_manage_nfs_dirs(cups_pdf_t)
--	fs_manage_nfs_files(cups_pdf_t)
-+optional_policy(`
-+	lpd_manage_spool(cups_pdf_t)
+ 	fs_manage_nfs_dirs(cups_pdf_t)
+ 	fs_manage_nfs_files(cups_pdf_t)
  ')
  
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(cups_pdf_t)
 -	fs_manage_cifs_files(cups_pdf_t)
-+userdom_home_manager(cups_pdf_t)
-+
-+optional_policy(`
-+	gnome_read_config(cups_pdf_t)
- ')
- 
- ########################################
-@@ -635,9 +665,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
- read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
- files_search_etc(hplip_t)
- 
-+allow hplip_t cupsd_unit_file_t:file read_file_perms;
-+
- manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
- manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
- 
-+manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file })
-+
- manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
- files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
- 
-@@ -647,7 +684,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
- kernel_read_system_state(hplip_t)
- kernel_read_kernel_sysctls(hplip_t)
- 
+-')
+-
+-########################################
+-#
+-# HPLIP local policy
+-#
+-
+-# Needed for USB Scanneer and xsane
+-allow hplip_t self:capability { dac_override dac_read_search net_raw };
+-dontaudit hplip_t self:capability sys_tty_config;
+-allow hplip_t self:fifo_file rw_fifo_file_perms;
+-allow hplip_t self:process signal_perms;
+-allow hplip_t self:unix_dgram_socket create_socket_perms;
+-allow hplip_t self:unix_stream_socket create_socket_perms;
+-allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
+-allow hplip_t self:tcp_socket create_stream_socket_perms;
+-allow hplip_t self:udp_socket create_socket_perms;
+-allow hplip_t self:rawip_socket create_socket_perms;
+-
+-allow hplip_t cupsd_etc_t:dir search_dir_perms;
+-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
+-
+-cups_stream_connect(hplip_t)
+-
+-allow hplip_t hplip_etc_t:dir list_dir_perms;
+-read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+-read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+-files_search_etc(hplip_t)
+-
+-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+-
+-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+-
+-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
+-files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+-
+-kernel_read_system_state(hplip_t)
+-kernel_read_kernel_sysctls(hplip_t)
+-
 -corenet_all_recvfrom_unlabeled(hplip_t)
-+# for python
-+corecmd_exec_bin(hplip_t)
-+
- corenet_all_recvfrom_netlabel(hplip_t)
- corenet_tcp_sendrecv_generic_if(hplip_t)
- corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -661,10 +700,10 @@ corenet_tcp_bind_generic_node(hplip_t)
- corenet_udp_bind_generic_node(hplip_t)
- corenet_tcp_bind_hplip_port(hplip_t)
- corenet_tcp_connect_hplip_port(hplip_t)
+-corenet_all_recvfrom_netlabel(hplip_t)
+-corenet_tcp_sendrecv_generic_if(hplip_t)
+-corenet_udp_sendrecv_generic_if(hplip_t)
+-corenet_raw_sendrecv_generic_if(hplip_t)
+-corenet_tcp_sendrecv_generic_node(hplip_t)
+-corenet_udp_sendrecv_generic_node(hplip_t)
+-corenet_raw_sendrecv_generic_node(hplip_t)
+-corenet_tcp_sendrecv_all_ports(hplip_t)
+-corenet_udp_sendrecv_all_ports(hplip_t)
+-corenet_tcp_bind_generic_node(hplip_t)
+-corenet_udp_bind_generic_node(hplip_t)
+-corenet_tcp_bind_hplip_port(hplip_t)
+-corenet_tcp_connect_hplip_port(hplip_t)
 -corenet_tcp_connect_ipp_port(hplip_t)
 -corenet_sendrecv_hplip_client_packets(hplip_t)
 -corenet_receive_hplip_server_packets(hplip_t)
-+corenet_tcp_bind_glance_port(hplip_t)
-+corenet_tcp_connect_glance_port(hplip_t)
- corenet_udp_bind_howl_port(hplip_t)
-+corenet_tcp_connect_ipp_port(hplip_t)
- 
- dev_read_sysfs(hplip_t)
- dev_rw_printer(hplip_t)
-@@ -673,31 +712,34 @@ dev_read_rand(hplip_t)
- dev_rw_generic_usb_dev(hplip_t)
- dev_rw_usbfs(hplip_t)
- 
+-corenet_udp_bind_howl_port(hplip_t)
+-
+-dev_read_sysfs(hplip_t)
+-dev_rw_printer(hplip_t)
+-dev_read_urand(hplip_t)
+-dev_read_rand(hplip_t)
+-dev_rw_generic_usb_dev(hplip_t)
+-dev_rw_usbfs(hplip_t)
+-
 -fs_getattr_all_fs(hplip_t)
 -fs_search_auto_mountpoints(hplip_t)
 -fs_rw_anon_inodefs_files(hplip_t)
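Review bot: `allow ptal_t self:unix_stream_socket { accept listen };` replaces `create_stream_socket_perms` and the `unix_dgram_socket` self rule is removed outright, so from this file alone ptal_t can no longer create, bind or connect its own unix sockets; that only works if a broader rule elsewhere (a domain-wide allow, not visible here) supplies those permissions, so confirm it before the backport. Also the `# for identd` / `# cjp: this should probably only be inetd_child rules?` comments are removed while the rule they explained, `allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;`, is kept — keep a one-line `# tcpdiag socket: identd lookups` next to it. The cups_pdf log narrowing to append/create/setattr is a good change. The cupsd_config_t block starts before this hunk and the hplip_t removal continues past its end.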
@@ -15422,42 +15927,62 @@ index e5a8924..ac29949 100644
 -# for python
 -corecmd_exec_bin(hplip_t)
 -
- domain_use_interactive_fds(hplip_t)
- 
- files_read_etc_files(hplip_t)
- files_read_etc_runtime_files(hplip_t)
- files_read_usr_files(hplip_t)
-+files_dontaudit_write_usr_dirs(hplip_t)
- 
+-domain_use_interactive_fds(hplip_t)
+-
+-files_read_etc_files(hplip_t)
+-files_read_etc_runtime_files(hplip_t)
+-files_read_usr_files(hplip_t)
+-
 -logging_send_syslog_msg(hplip_t)
-+fs_getattr_all_fs(hplip_t)
-+fs_search_auto_mountpoints(hplip_t)
-+fs_rw_anon_inodefs_files(hplip_t)
- 
+-
 -miscfiles_read_localization(hplip_t)
-+term_use_ptmx(hplip_t)
-+
-+auth_read_passwd(hplip_t)
-+
-+logging_send_syslog_msg(hplip_t)
- 
- sysnet_read_config(hplip_t)
- 
- userdom_dontaudit_use_unpriv_user_fds(hplip_t)
- userdom_dontaudit_search_user_home_dirs(hplip_t)
- userdom_dontaudit_search_user_home_content(hplip_t)
-+userdom_dbus_send_all_users(hplip_t)
- 
+-
+-sysnet_read_config(hplip_t)
+-
+-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+-userdom_dontaudit_search_user_home_dirs(hplip_t)
+-userdom_dontaudit_search_user_home_content(hplip_t)
+-
 -lpd_read_config(hplip_t)
 -lpd_manage_spool(hplip_t)
-+optional_policy(`
-+	lpd_read_config(hplip_t)
-+	lpd_manage_spool(hplip_t)
-+')
++userdom_home_manager(cups_pdf_t)
  
  optional_policy(`
- 	dbus_system_bus_client(hplip_t)
-@@ -743,7 +785,6 @@ kernel_read_kernel_sysctls(ptal_t)
+-	dbus_system_bus_client(hplip_t)
++	gnome_read_config(cups_pdf_t)
+ ')
+ 
+-optional_policy(`
+-	seutil_sigchld_newrole(hplip_t)
+-')
+-
+-optional_policy(`
+-	snmp_read_snmp_var_lib_files(hplip_t)
+-')
+-
+-optional_policy(`
+-	udev_read_db(hplip_t)
+-')
+ 
+ ########################################
+ #
+@@ -723,14 +592,12 @@ optional_policy(`
+ allow ptal_t self:capability { chown sys_rawio };
+ dontaudit ptal_t self:capability sys_tty_config;
+ allow ptal_t self:fifo_file rw_fifo_file_perms;
+-allow ptal_t self:unix_dgram_socket create_socket_perms;
+-allow ptal_t self:unix_stream_socket create_stream_socket_perms;
++allow ptal_t self:unix_stream_socket { accept listen };
+ allow ptal_t self:tcp_socket create_stream_socket_perms;
+ 
+ allow ptal_t ptal_etc_t:dir list_dir_perms;
+ read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
+ read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
+-files_search_etc(ptal_t)
+ 
+ manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+ manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+@@ -743,29 +610,26 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -15465,20 +15990,34 @@ index e5a8924..ac29949 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,13 +801,10 @@ fs_search_auto_mountpoints(ptal_t)
+-corenet_tcp_sendrecv_all_ports(ptal_t)
+ corenet_tcp_bind_generic_node(ptal_t)
++
++corenet_sendrecv_ptal_server_packets(ptal_t)
+ corenet_tcp_bind_ptal_port(ptal_t)
++corenet_tcp_sendrecv_ptal_port(ptal_t)
+ 
+-dev_read_sysfs(ptal_t)
+ dev_read_usbfs(ptal_t)
+ dev_rw_printer(ptal_t)
  
+-fs_getattr_all_fs(ptal_t)
+-fs_search_auto_mountpoints(ptal_t)
+-
  domain_use_interactive_fds(ptal_t)
  
 -files_read_etc_files(ptal_t)
  files_read_etc_runtime_files(ptal_t)
  
- logging_send_syslog_msg(ptal_t)
+-logging_send_syslog_msg(ptal_t)
++fs_getattr_all_fs(ptal_t)
++fs_search_auto_mountpoints(ptal_t)
  
 -miscfiles_read_localization(ptal_t)
--
++logging_send_syslog_msg(ptal_t)
+ 
  sysnet_read_config(ptal_t)
  
- userdom_dontaudit_use_unpriv_user_fds(ptal_t)
 diff --git a/cvs.if b/cvs.if
 index c43ff4c..5da88b5 100644
 --- a/cvs.if
@@ -21160,10 +21699,10 @@ index 0000000..33508c1
 +
 diff --git a/fcoemon.te b/fcoemon.te
 new file mode 100644
-index 0000000..724ca0d
+index 0000000..cb04d99
 --- /dev/null
 +++ b/fcoemon.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,46 @@
 +policy_module(fcoemon, 1.0.0)
 +
 +########################################
@@ -21185,13 +21724,15 @@ index 0000000..724ca0d
 +
 +# dac_override
 +# /var/rnn/fcm/fcm_clif socket is owned by root
-+allow fcoemon_t self:capability { net_admin dac_override };
++allow fcoemon_t self:capability { net_admin net_raw dac_override };
 +allow fcoemon_t self:capability { kill };
 +
 +allow fcoemon_t self:fifo_file rw_fifo_file_perms;
 +allow fcoemon_t self:unix_stream_socket create_stream_socket_perms;
 +allow fcoemon_t self:netlink_socket create_socket_perms;
 +allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
++allow fcoemon_t self:packet_socket create_socket_perms;
++allow fcoemon_t self:udp_socket create_socket_perms;
 +
 +manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
 +manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
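Review bot: The comment above the capability line (`# dac_override` / `# /var/rnn/fcm/fcm_clif socket is owned by root`) explains only dac_override, while the line now also grants `net_raw` and new `packet_socket` and `udp_socket` self rules appear below it with no explanation; add the reason next to them, e.g. `# net_raw + packet_socket: FCoE/FIP frames go out on the raw Ethernet interface (confirm against the denial)`. The capability grant is also split across two statements, `{ net_admin net_raw dac_override }` and `{ kill }`; merge them into one `allow fcoemon_t self:capability { dac_override kill net_admin net_raw };`. The path in the existing comment, `/var/rnn/fcm`, looks like a typo for the run directory. The fcoemon_t declaration block starts before this hunk.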
@@ -21200,7 +21741,7 @@ index 0000000..724ca0d
 +
 +files_read_etc_files(fcoemon_t)
 +
-+dev_read_sysfs(fcoemon_t)
++dev_rw_sysfs(fcoemon_t)
 +
 +logging_send_syslog_msg(fcoemon_t)
 +
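Review bot: `dev_rw_sysfs(fcoemon_t)` widens the previous read-only sysfs access to writes over all of sysfs without a comment stating which attributes fcoemon writes; presumably it toggles the FCoE interface controls under /sys, so record that, e.g. `# writes the FCoE create/destroy controls under /sys (confirm exact attribute)`, and if a narrower interface for that attribute exists prefer it over whole-sysfs write access. The surrounding fcoemon_t rules continue outside this hunk.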
@@ -23643,12 +24184,35 @@ index 0000000..e15bbb0
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..b0039ff
+index 0000000..3685c24
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,127 @@
 +policy_module(glusterd, 1.0.0)
 +
++## <desc>
++## <p>
++## Allow glusterfsd to modify public files used for public file
++## transfer services.  Files/Directories must be labeled
++## public_content_rw_t.
++## </p>
++## </desc>
++gen_tunable(gluster_anon_write, false)
++
++## <desc>
++## <p>
++## Allow glusterfsd to share any file/directory read only.
++## </p>
++## </desc>
++gen_tunable(gluster_export_all_ro, false)
++
++## <desc>
++## <p>
++## Allow glusterfsd to share any file/directory read/write.
++## </p>
++## </desc>
++gen_tunable(gluster_export_all_rw, true)
++
 +########################################
 +#
 +# Declarations
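Review bot: `gen_tunable(gluster_export_all_rw, true)` defaults the most permissive of the three new booleans to on, so a fresh install lets glusterfsd share any file or directory read/write until an admin flips it, while the other two (`gluster_anon_write`, `gluster_export_all_ro`) default to false. The `<desc>` text should state that this boolean is enabled by default and why, e.g. `## Allow glusterfsd to share any file/directory read/write. Enabled by default (confirm reason: brick directories have no dedicated label?).`, or the default should be false to match its siblings. The rules guarded by these tunables are not in this hunk.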
@@ -26008,7 +26572,7 @@ index 6d50300..951b790 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 72a113e..9711129 100644
+index 72a113e..8221a4b 100644
 --- a/gpg.te
 +++ b/gpg.te
 @@ -4,6 +4,7 @@ policy_module(gpg, 2.6.0)
@@ -26252,7 +26816,13 @@ index 72a113e..9711129 100644
  manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
  manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
  
-@@ -223,43 +257,34 @@ corecmd_read_bin_symlinks(gpg_agent_t)
+@@ -219,47 +253,40 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+ # allow gpg to connect to the gpg agent
+ stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+ 
++kernel_read_system_state(gpg_agent_t)
++
+ corecmd_read_bin_symlinks(gpg_agent_t)
  corecmd_search_bin(gpg_agent_t)
  corecmd_exec_shell(gpg_agent_t)
  
@@ -26301,7 +26871,7 @@ index 72a113e..9711129 100644
  
  optional_policy(`
  	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
-@@ -294,10 +319,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+@@ -294,10 +321,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
  # read /proc/meminfo
  kernel_read_system_state(gpg_pinentry_t)
  
@@ -26313,7 +26883,7 @@ index 72a113e..9711129 100644
  corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
  corenet_tcp_bind_generic_node(gpg_pinentry_t)
  corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
-@@ -310,7 +335,6 @@ dev_read_rand(gpg_pinentry_t)
+@@ -310,7 +337,6 @@ dev_read_rand(gpg_pinentry_t)
  
  files_read_usr_files(gpg_pinentry_t)
  # read /etc/X11/qtrc
@@ -26321,7 +26891,7 @@ index 72a113e..9711129 100644
  
  fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
  fs_getattr_tmpfs(gpg_pinentry_t)
-@@ -320,18 +344,19 @@ auth_use_nsswitch(gpg_pinentry_t)
+@@ -320,18 +346,19 @@ auth_use_nsswitch(gpg_pinentry_t)
  logging_send_syslog_msg(gpg_pinentry_t)
  
  miscfiles_read_fonts(gpg_pinentry_t)
@@ -26347,7 +26917,7 @@ index 72a113e..9711129 100644
  ')
  
  optional_policy(`
-@@ -340,6 +365,12 @@ optional_policy(`
+@@ -340,6 +367,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26360,7 +26930,7 @@ index 72a113e..9711129 100644
  	pulseaudio_exec(gpg_pinentry_t)
  	pulseaudio_rw_home_files(gpg_pinentry_t)
  	pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -349,4 +380,27 @@ optional_policy(`
+@@ -349,4 +382,27 @@ optional_policy(`
  
  optional_policy(`
  	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -28223,10 +28793,10 @@ index 9878499..01673a4 100644
 -	admin_pattern($1, jabberd_var_run_t)
  ')
 diff --git a/jabber.te b/jabber.te
-index 53e53ca..c1ce1b7 100644
+index 53e53ca..1f2daae 100644
 --- a/jabber.te
 +++ b/jabber.te
-@@ -1,94 +1,146 @@
+@@ -1,94 +1,147 @@
 -policy_module(jabber, 1.9.0)
 +policy_module(jabber, 1.8.0)
  
@@ -28351,6 +28921,7 @@ index 53e53ca..c1ce1b7 100644
 -sysnet_read_config(jabberd_t)
 +corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 +corenet_tcp_connect_jabber_router_port(jabberd_t)
++corenet_tcp_connect_jabber_interserver_port(jabberd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
  userdom_dontaudit_search_user_home_dirs(jabberd_t)
@@ -29404,7 +29975,7 @@ index d6af9b0..8b1d9c2 100644
 +')
 +
 diff --git a/kdumpgui.te b/kdumpgui.te
-index 0c52f60..acb89ac 100644
+index 0c52f60..6454b8f 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
 @@ -7,25 +7,36 @@ policy_module(kdumpgui, 1.1.0)
@@ -29474,7 +30045,7 @@ index 0c52f60..acb89ac 100644
 +
 +optional_policy(`
 +	bootloader_exec(kdumpgui_t)
-+	bootloader_rw_config(kdumpgui_t)
++	bootloader_manage_config(kdumpgui_t)
 +')
  
  optional_policy(`
@@ -29821,7 +30392,7 @@ index 604f67b..138e1e2 100644
 +	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
 +')
 diff --git a/kerberos.te b/kerberos.te
-index 6a95faf..6127834 100644
+index 6a95faf..9ed7d30 100644
 --- a/kerberos.te
 +++ b/kerberos.te
 @@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0)
@@ -29920,8 +30491,12 @@ index 6a95faf..6127834 100644
  
  domain_use_interactive_fds(kadmind_t)
  
-@@ -149,8 +157,9 @@ selinux_validate_context(kadmind_t)
+@@ -147,10 +155,13 @@ files_read_var_files(kadmind_t)
+ 
+ selinux_validate_context(kadmind_t)
  
++auth_read_passwd(kadmind_t)
++
  logging_send_syslog_msg(kadmind_t)
  
 -miscfiles_read_localization(kadmind_t)
@@ -29931,7 +30506,7 @@ index 6a95faf..6127834 100644
  seutil_read_file_contexts(kadmind_t)
  
  sysnet_read_config(kadmind_t)
-@@ -164,10 +173,18 @@ optional_policy(`
+@@ -164,10 +175,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29950,7 +30525,7 @@ index 6a95faf..6127834 100644
  	seutil_sigchld_newrole(kadmind_t)
  ')
  
-@@ -182,6 +199,7 @@ optional_policy(`
+@@ -182,6 +201,7 @@ optional_policy(`
  
  # Use capabilities. Surplus capabilities may be allowed.
  allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
@@ -29958,7 +30533,7 @@ index 6a95faf..6127834 100644
  dontaudit krb5kdc_t self:capability sys_tty_config;
  allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
  allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -197,13 +215,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
+@@ -197,13 +217,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
  read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
  dontaudit krb5kdc_t krb5kdc_conf_t:file write;
  
@@ -29974,7 +30549,7 @@ index 6a95faf..6127834 100644
  
  manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
  manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
-@@ -221,7 +238,6 @@ kernel_search_network_sysctl(krb5kdc_t)
+@@ -221,7 +240,6 @@ kernel_search_network_sysctl(krb5kdc_t)
  
  corecmd_exec_bin(krb5kdc_t)
  
@@ -29982,7 +30557,7 @@ index 6a95faf..6127834 100644
  corenet_all_recvfrom_netlabel(krb5kdc_t)
  corenet_tcp_sendrecv_generic_if(krb5kdc_t)
  corenet_udp_sendrecv_generic_if(krb5kdc_t)
-@@ -242,6 +258,7 @@ dev_read_urand(krb5kdc_t)
+@@ -242,6 +260,7 @@ dev_read_urand(krb5kdc_t)
  
  fs_getattr_all_fs(krb5kdc_t)
  fs_search_auto_mountpoints(krb5kdc_t)
@@ -29990,8 +30565,12 @@ index 6a95faf..6127834 100644
  
  domain_use_interactive_fds(krb5kdc_t)
  
-@@ -253,7 +270,7 @@ selinux_validate_context(krb5kdc_t)
+@@ -251,9 +270,11 @@ files_read_var_files(krb5kdc_t)
  
+ selinux_validate_context(krb5kdc_t)
+ 
++auth_read_passwd(krb5kdc_t)
++
  logging_send_syslog_msg(krb5kdc_t)
  
 -miscfiles_read_localization(krb5kdc_t)
@@ -29999,7 +30578,7 @@ index 6a95faf..6127834 100644
  
  seutil_read_file_contexts(krb5kdc_t)
  
-@@ -268,6 +285,10 @@ optional_policy(`
+@@ -268,6 +289,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30010,7 +30589,7 @@ index 6a95faf..6127834 100644
  	nis_use_ypbind(krb5kdc_t)
  ')
  
-@@ -276,6 +297,10 @@ optional_policy(`
+@@ -276,6 +301,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30021,7 +30600,7 @@ index 6a95faf..6127834 100644
  	udev_read_db(krb5kdc_t)
  ')
  
-@@ -308,7 +333,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -308,7 +337,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
  
  corecmd_exec_bin(kpropd_t)
  
@@ -30029,7 +30608,7 @@ index 6a95faf..6127834 100644
  corenet_tcp_sendrecv_generic_if(kpropd_t)
  corenet_tcp_sendrecv_generic_node(kpropd_t)
  corenet_tcp_sendrecv_all_ports(kpropd_t)
-@@ -324,8 +348,6 @@ selinux_validate_context(kpropd_t)
+@@ -324,8 +352,6 @@ selinux_validate_context(kpropd_t)
  
  logging_send_syslog_msg(kpropd_t)
  
@@ -31972,7 +32551,7 @@ index 572b5db..1e55f43 100644
 +userdom_use_inherited_user_terminals(lockdev_t)
 +
 diff --git a/logrotate.te b/logrotate.te
-index 7090dae..14b3dd7 100644
+index 7090dae..e80b2eb 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -29,9 +29,8 @@ files_type(logrotate_var_lib_t)
@@ -31995,7 +32574,7 @@ index 7090dae..14b3dd7 100644
  allow logrotate_t self:fifo_file rw_fifo_file_perms;
  allow logrotate_t self:unix_dgram_socket create_socket_perms;
  allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
-@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+@@ -61,20 +61,23 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
  # for /var/lib/logrotate.status and /var/lib/logcheck
  create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
  manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
@@ -32003,7 +32582,16 @@ index 7090dae..14b3dd7 100644
  files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
  
  kernel_read_system_state(logrotate_t)
-@@ -75,6 +76,7 @@ fs_list_inotifyfs(logrotate_t)
+ kernel_read_kernel_sysctls(logrotate_t)
+ 
+ dev_read_urand(logrotate_t)
++dev_read_sysfs(logrotate_t)
+ 
+ fs_search_auto_mountpoints(logrotate_t)
+-fs_getattr_xattr_fs(logrotate_t)
++fs_getattr_all_fs(logrotate_t)
+ fs_list_inotifyfs(logrotate_t)
+ 
  mls_file_read_all_levels(logrotate_t)
  mls_file_write_all_levels(logrotate_t)
  mls_file_upgrade(logrotate_t)
@@ -32011,7 +32599,7 @@ index 7090dae..14b3dd7 100644
  
  selinux_get_fs_mount(logrotate_t)
  selinux_get_enforce_mode(logrotate_t)
-@@ -85,6 +87,7 @@ auth_use_nsswitch(logrotate_t)
+@@ -85,6 +88,7 @@ auth_use_nsswitch(logrotate_t)
  # Run helper programs.
  corecmd_exec_bin(logrotate_t)
  corecmd_exec_shell(logrotate_t)
@@ -32019,7 +32607,7 @@ index 7090dae..14b3dd7 100644
  
  domain_signal_all_domains(logrotate_t)
  domain_use_interactive_fds(logrotate_t)
-@@ -93,7 +96,6 @@ domain_getattr_all_entry_files(logrotate_t)
+@@ -93,7 +97,6 @@ domain_getattr_all_entry_files(logrotate_t)
  domain_read_all_domains_state(logrotate_t)
  
  files_read_usr_files(logrotate_t)
@@ -32027,7 +32615,7 @@ index 7090dae..14b3dd7 100644
  files_read_etc_runtime_files(logrotate_t)
  files_read_all_pids(logrotate_t)
  files_search_all(logrotate_t)
-@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t)
+@@ -102,6 +105,7 @@ files_read_var_lib_files(logrotate_t)
  files_manage_generic_spool(logrotate_t)
  files_manage_generic_spool_dirs(logrotate_t)
  files_getattr_generic_locks(logrotate_t)
@@ -32035,7 +32623,7 @@ index 7090dae..14b3dd7 100644
  
  # cjp: why is this needed?
  init_domtrans_script(logrotate_t)
-@@ -112,21 +115,23 @@ logging_send_audit_msgs(logrotate_t)
+@@ -112,21 +116,23 @@ logging_send_audit_msgs(logrotate_t)
  # cjp: why is this needed?
  logging_exec_all_logs(logrotate_t)
  
@@ -32068,7 +32656,7 @@ index 7090dae..14b3dd7 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
-@@ -138,7 +143,7 @@ ifdef(`distro_debian', `
+@@ -138,7 +144,7 @@ ifdef(`distro_debian', `
  ')
  
  optional_policy(`
@@ -32077,7 +32665,7 @@ index 7090dae..14b3dd7 100644
  ')
  
  optional_policy(`
-@@ -154,6 +159,10 @@ optional_policy(`
+@@ -154,6 +160,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32088,7 +32676,7 @@ index 7090dae..14b3dd7 100644
  	asterisk_domtrans(logrotate_t)
  ')
  
-@@ -162,10 +171,20 @@ optional_policy(`
+@@ -162,10 +172,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32109,7 +32697,7 @@ index 7090dae..14b3dd7 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -178,6 +197,10 @@ optional_policy(`
+@@ -178,6 +198,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32120,7 +32708,7 @@ index 7090dae..14b3dd7 100644
  	icecast_signal(logrotate_t)
  ')
  
-@@ -194,15 +217,23 @@ optional_policy(`
+@@ -194,15 +218,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32144,7 +32732,7 @@ index 7090dae..14b3dd7 100644
  
  optional_policy(`
  	samba_exec_log(logrotate_t)
-@@ -217,6 +248,15 @@ optional_policy(`
+@@ -217,6 +249,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32160,7 +32748,7 @@ index 7090dae..14b3dd7 100644
  	squid_domtrans(logrotate_t)
  ')
  
-@@ -228,3 +268,14 @@ optional_policy(`
+@@ -228,3 +269,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -33341,10 +33929,10 @@ index 0000000..4a4e899
 +')
 diff --git a/mandb.te b/mandb.te
 new file mode 100644
-index 0000000..cc1c704
+index 0000000..dbeac05
 --- /dev/null
 +++ b/mandb.te
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,43 @@
 +policy_module(mandb, 1.0.0)
 +
 +########################################
@@ -33386,6 +33974,8 @@ index 0000000..cc1c704
 +domain_use_interactive_fds(mandb_t)
 +
 +files_read_etc_files(mandb_t)
++
++miscfiles_setattr_man_pages(mandb_t)
 diff --git a/mcelog.fc b/mcelog.fc
 index 56c43c0..409bbfc 100644
 --- a/mcelog.fc
@@ -33833,7 +34423,7 @@ index 1ec5a6c..64ac6f0 100644
  /var/spool/postfix/spamass(/.*)?	gen_context(system_u:object_r:spamass_milter_data_t,s0)
 +/var/spool/opendkim(/.*)?       gen_context(system_u:object_r:dkim_milter_data_t,s0)
 diff --git a/milter.if b/milter.if
-index ee72cbe..bdf319a 100644
+index ee72cbe..8735916 100644
 --- a/milter.if
 +++ b/milter.if
 @@ -24,9 +24,13 @@ template(`milter_template',`
@@ -33851,7 +34441,7 @@ index ee72cbe..bdf319a 100644
  	# Allow communication with MTA over a TCP socket
  	allow $1_milter_t self:tcp_socket create_stream_socket_perms;
  
-@@ -36,12 +40,13 @@ template(`milter_template',`
+@@ -36,12 +40,15 @@ template(`milter_template',`
  	# Create other data files and directories in the data directory
  	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
  
@@ -33863,10 +34453,12 @@ index ee72cbe..bdf319a 100644
  	files_read_etc_files($1_milter_t)
  
 -	miscfiles_read_localization($1_milter_t)
++	dev_read_rand($1_milter_t)
++	dev_read_urand($1_milter_t)
  
  	logging_send_syslog_msg($1_milter_t)
  ')
-@@ -61,6 +66,7 @@ interface(`milter_stream_connect_all',`
+@@ -61,6 +68,7 @@ interface(`milter_stream_connect_all',`
  		attribute milter_data_type, milter_domains;
  	')
  
@@ -33874,7 +34466,7 @@ index ee72cbe..bdf319a 100644
  	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
  	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
  ')
-@@ -86,6 +92,24 @@ interface(`milter_getattr_all_sockets',`
+@@ -86,6 +94,24 @@ interface(`milter_getattr_all_sockets',`
  
  ########################################
  ## <summary>
@@ -33899,7 +34491,7 @@ index ee72cbe..bdf319a 100644
  ##	Manage spamassassin milter state
  ## </summary>
  ## <param name="domain">
-@@ -104,3 +128,22 @@ interface(`milter_manage_spamass_state',`
+@@ -104,3 +130,22 @@ interface(`milter_manage_spamass_state',`
  	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
  	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
  ')
@@ -35672,20 +36264,97 @@ index d4fcb75..b788245 100644
 +	userdom_execmod_user_home_files(mozilla_plugin_t)
  ')
 diff --git a/mpd.fc b/mpd.fc
-index ddc14d6..c74bf3d 100644
+index ddc14d6..5c34d21 100644
 --- a/mpd.fc
 +++ b/mpd.fc
-@@ -6,3 +6,5 @@
+@@ -6,3 +6,7 @@
  /var/lib/mpd(/.*)?		gen_context(system_u:object_r:mpd_var_lib_t,s0)
  /var/lib/mpd/music(/.*)?	gen_context(system_u:object_r:mpd_data_t,s0)
  /var/lib/mpd/playlists(/.*)?	gen_context(system_u:object_r:mpd_data_t,s0)
 +
-+/var/log/mpd(/.*)?		gen_context(system_u:object_r:mpd_log_t,s0)
++/var/log/mpd(/.*)?	gen_context(system_u:object_r:mpd_log_t,s0)
++
++/var/run/mpd(/.*)?	gen_context(system_u:object_r:mpd_var_run_t,s0)
 diff --git a/mpd.if b/mpd.if
-index d72276f..cb8c563 100644
+index d72276f..695854e 100644
 --- a/mpd.if
 +++ b/mpd.if
-@@ -244,8 +244,11 @@ interface(`mpd_admin',`
+@@ -222,8 +222,72 @@ interface(`mpd_manage_lib_dirs',`
+ 
+ ########################################
+ ## <summary>
+-##	All of the rules required to administrate
+-##	an mpd environment
++##	Connect to mpd over a unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mpd_stream_connect',`
++	gen_require(`
++		type mpd_t, mpd_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t)
++')
++
++#######################################
++## <summary>
++##      Create, read, write, and delete
++##      mpd user data content.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`mpd_manage_user_data_content',`
++	gen_require(`
++		type mpd_user_data_t;
++	')
++
++	userdom_search_user_home_dirs($1)
++	allow $1 mpd_user_data_t:dir manage_dir_perms;
++	allow $1 mpd_user_data_t:file manage_file_perms;
++	allow $1 mpd_user_data_t:lnk_file manage_lnk_file_perms;
++')
++
++#######################################
++## <summary>
++##      Create, read, write, and delete
++##      mpd user data content.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++
++interface(`mpd_relabel_user_data_content',`
++        gen_require(`
++                type mpd_user_data_t;
++        ')
++
++        userdom_search_user_home_dirs($1)
++        allow $1 mpd_user_data_t:dir relabel_dir_perms;
++        allow $1 mpd_user_data_t:file relabel_file_perms;
++        allow $1 mpd_user_data_t:lnk_file relabel_lnk_file_perms;
++')
++
++########################################
++## <summary>
++##	All of the rules required to
++##	administrate an mpd environment.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -244,8 +308,11 @@ interface(`mpd_admin',`
  		type mpd_tmpfs_t;
  	')
  
@@ -35699,10 +36368,23 @@ index d72276f..cb8c563 100644
  	mpd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/mpd.te b/mpd.te
-index 7f68872..d92aaa8 100644
+index 7f68872..5e3afd2 100644
 --- a/mpd.te
 +++ b/mpd.te
-@@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+@@ -31,6 +31,12 @@ files_tmpfs_file(mpd_tmpfs_t)
+ type mpd_var_lib_t;
+ files_type(mpd_var_lib_t)
+ 
++type mpd_user_data_t;
++userdom_user_home_content(mpd_user_data_t) # customizable
++
++type mpd_var_run_t;
++files_pid_file(mpd_var_run_t)
++
+ ########################################
+ #
+ # mpd local policy
+@@ -44,6 +50,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow mpd_t self:tcp_socket create_stream_socket_perms;
  allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -35712,7 +36394,7 @@ index 7f68872..d92aaa8 100644
  
  manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
  manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
-@@ -51,6 +54,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+@@ -51,6 +60,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
  
  read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
  
@@ -35723,7 +36405,20 @@ index 7f68872..d92aaa8 100644
  manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
  manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
  manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
-@@ -72,7 +79,6 @@ kernel_read_kernel_sysctls(mpd_t)
+@@ -65,14 +78,18 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+ manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+ files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file })
+ 
+-# needed by pulseaudio
++manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file })
++
+ kernel_getattr_proc(mpd_t)
+ kernel_read_system_state(mpd_t)
+ kernel_read_kernel_sysctls(mpd_t)
  
  corecmd_exec_bin(mpd_t)
  
@@ -35731,7 +36426,7 @@ index 7f68872..d92aaa8 100644
  corenet_all_recvfrom_netlabel(mpd_t)
  corenet_tcp_sendrecv_generic_if(mpd_t)
  corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -87,6 +93,7 @@ corenet_sendrecv_http_cache_client_packets(mpd_t)
+@@ -87,6 +104,7 @@ corenet_sendrecv_http_cache_client_packets(mpd_t)
  corenet_sendrecv_pulseaudio_client_packets(mpd_t)
  corenet_sendrecv_soundd_client_packets(mpd_t)
  
@@ -35739,7 +36434,7 @@ index 7f68872..d92aaa8 100644
  dev_read_sound(mpd_t)
  dev_write_sound(mpd_t)
  dev_read_sysfs(mpd_t)
-@@ -101,7 +108,9 @@ auth_use_nsswitch(mpd_t)
+@@ -101,7 +119,9 @@ auth_use_nsswitch(mpd_t)
  
  logging_send_syslog_msg(mpd_t)
  
@@ -35750,7 +36445,7 @@ index 7f68872..d92aaa8 100644
  
  optional_policy(`
  	alsa_read_rw_config(mpd_t)
-@@ -122,5 +131,20 @@ optional_policy(`
+@@ -122,5 +142,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37485,19 +38180,25 @@ index c358d8f..1cc176c 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index f17583b..fea9b77 100644
+index f17583b..f076c38 100644
 --- a/munin.te
 +++ b/munin.te
-@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
+@@ -1,10 +1,13 @@
+-policy_module(munin, 1.8.0)
++policy_module(munin, 1.8.10)
+ 
+ ########################################
+ #
  # Declarations
  #
  
 +attribute munin_plugin_domain;
++attribute munin_plugin_tmp_content;
 +
  type munin_t alias lrrd_t;
  type munin_exec_t alias lrrd_exec_t;
  init_daemon_domain(munin_t, munin_exec_t)
-@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t)
+@@ -24,40 +27,77 @@ files_tmp_file(munin_tmp_t)
  type munin_var_lib_t alias lrrd_var_lib_t;
  files_type(munin_var_lib_t)
  
@@ -37507,18 +38208,51 @@ index f17583b..fea9b77 100644
  type munin_var_run_t alias lrrd_var_run_t;
  files_pid_file(munin_var_run_t)
  
-@@ -31,16 +36,20 @@ munin_plugin_template(disk)
- 
+ munin_plugin_template(disk)
+-
  munin_plugin_template(mail)
- 
+-
 +munin_plugin_template(selinux)
-+
  munin_plugin_template(services)
- 
+-
  munin_plugin_template(system)
- 
 +munin_plugin_template(unconfined)
 +
++type httpd_munin_script_tmp_t;
++files_tmp_file(httpd_munin_script_tmp_t)
++
++################################
++#
++# Common munin plugin local policy
++#
++
++allow munin_plugin_domain self:process signal_perms;
++allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
++
++allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
++
++read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
++
++allow munin_plugin_domain munin_exec_t:file read_file_perms;
++
++allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
++
++manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
++
++corenet_tcp_sendrecv_generic_if(munin_plugin_domain)
++corenet_tcp_sendrecv_generic_node(munin_plugin_domain)
++
++corecmd_exec_bin(munin_plugin_domain)
++corecmd_exec_shell(munin_plugin_domain)
++
++files_search_var_lib(munin_plugin_domain)
++
++fs_getattr_all_fs(munin_plugin_domain)
++
++optional_policy(`
++	nscd_use(munin_plugin_domain)
++')
+ 
  ########################################
  #
  # Local policy
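Review bot: The new common `munin_plugin_domain` block drops `auth_read_passwd(munin_plugin_domain)`, which the block it replaces (visible as removed `-+` lines at the end of the munin.te section later in this file) granted; the only `auth_read_passwd` left in the munin policy is for `httpd_munin_script_t`, so any plugin that resolves user names via getpwnam() will now be denied unless an individual plugin domain regains it somewhere not shown here. Add `auth_read_passwd(munin_plugin_domain)` after `fs_getattr_all_fs(munin_plugin_domain)`. The old block's `nscd_socket_use` became `nscd_use` here while the mail plugin section still uses `nscd_socket_use(mail_munin_plugin_t)`; pick one form for the file.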
@@ -37528,38 +38262,93 @@ index f17583b..fea9b77 100644
 +allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
  dontaudit munin_t self:capability sys_tty_config;
  allow munin_t self:process { getsched setsched signal_perms };
- allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -71,9 +80,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+-allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
+-allow munin_t self:tcp_socket create_stream_socket_perms;
+-allow munin_t self:udp_socket create_socket_perms;
++allow munin_t self:unix_stream_socket { accept connectto listen };
++allow munin_t self:unix_dgram_socket sendto;
++allow munin_t self:tcp_socket { accept listen };
+ allow munin_t self:fifo_file manage_fifo_file_perms;
+ 
+-allow munin_t munin_etc_t:dir list_dir_perms;
+-read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
+-read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
+-files_search_etc(munin_t)
++allow munin_t munin_plugin_domain:process signal_perms;
+ 
+-can_exec(munin_t, munin_exec_t)
++allow munin_t munin_etc_t:dir list_dir_perms;
++allow munin_t munin_etc_t:file read_file_perms;
++allow munin_t munin_etc_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
+-manage_files_pattern(munin_t, munin_log_t, munin_log_t)
++append_files_pattern(munin_t, munin_log_t, munin_log_t)
++create_files_pattern(munin_t, munin_log_t, munin_log_t)
++setattr_files_pattern(munin_t, munin_log_t, munin_log_t)
+ logging_log_filetrans(munin_t, munin_log_t, { file dir })
+ 
+ manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+@@ -65,15 +105,18 @@ manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+ manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+ files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
+ 
+-# Allow access to the munin databases
+ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
- files_search_var_lib(munin_t)
+-files_search_var_lib(munin_t)
  
++rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
++
 +manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
  manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
  manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
 -files_pid_filetrans(munin_t, munin_var_run_t, file)
-+files_pid_filetrans(munin_t, munin_var_run_t, { file dir })
++files_pid_filetrans(munin_t, munin_var_run_t, { dir file })
 +
-+rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
++can_exec(munin_t, munin_exec_t)
  
  kernel_read_system_state(munin_t)
  kernel_read_network_state(munin_t)
-@@ -82,7 +94,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -82,18 +125,20 @@ kernel_read_all_sysctls(munin_t)
  corecmd_exec_bin(munin_t)
  corecmd_exec_shell(munin_t)
  
 -corenet_all_recvfrom_unlabeled(munin_t)
  corenet_all_recvfrom_netlabel(munin_t)
  corenet_tcp_sendrecv_generic_if(munin_t)
- corenet_udp_sendrecv_generic_if(munin_t)
-@@ -101,7 +112,6 @@ dev_read_urand(munin_t)
+-corenet_udp_sendrecv_generic_if(munin_t)
+ corenet_tcp_sendrecv_generic_node(munin_t)
+-corenet_udp_sendrecv_generic_node(munin_t)
+-corenet_tcp_sendrecv_all_ports(munin_t)
+-corenet_udp_sendrecv_all_ports(munin_t)
+ corenet_tcp_bind_generic_node(munin_t)
++
++corenet_sendrecv_munin_server_packets(munin_t)
+ corenet_tcp_bind_munin_port(munin_t)
++corenet_sendrecv_munin_client_packets(munin_t)
+ corenet_tcp_connect_munin_port(munin_t)
++corenet_tcp_sendrecv_munin_port(munin_t)
++
++corenet_sendrecv_http_client_packets(munin_t)
+ corenet_tcp_connect_http_port(munin_t)
++corenet_tcp_sendrecv_http_port(munin_t)
+ 
+ dev_read_sysfs(munin_t)
+ dev_read_urand(munin_t)
+@@ -101,9 +146,7 @@ dev_read_urand(munin_t)
  domain_use_interactive_fds(munin_t)
  domain_read_all_domains_state(munin_t)
  
 -files_read_etc_files(munin_t)
  files_read_etc_runtime_files(munin_t)
- files_read_usr_files(munin_t)
+-files_read_usr_files(munin_t)
  files_list_spool(munin_t)
-@@ -115,7 +125,7 @@ logging_send_syslog_msg(munin_t)
+ 
+ fs_getattr_all_fs(munin_t)
+@@ -115,20 +158,13 @@ logging_send_syslog_msg(munin_t)
  logging_read_all_logs(munin_t)
  
  miscfiles_read_fonts(munin_t)
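Review bot: The self-socket rules for `munin_t` are trimmed to `{ accept connectto listen }` on unix_stream_socket, `sendto` on unix_dgram_socket and `{ accept listen }` on tcp_socket, and the `udp_socket create_socket_perms` rule plus every `corenet_udp_*` rule are removed outright. That is only a no-op if the f18 base policy, like the rawhide policy this is backported from, grants the generic create/bind/connect socket permissions to all domains; if it does not, munin-node cannot create its listening socket and loses UDP entirely unless `auth_use_nsswitch` or similar still covers DNS. Before shipping, confirm on an f18 build with `sesearch -A -s munin_t -c tcp_socket -p create` and `sesearch -A -s munin_t -c udp_socket -p create`, and restore `allow munin_t self:udp_socket create_socket_perms;` if the second returns nothing.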
@@ -37568,55 +38357,61 @@ index f17583b..fea9b77 100644
  
  sysnet_exec_ifconfig(munin_t)
  
-@@ -128,6 +138,11 @@ optional_policy(`
- 	manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- 	manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- 	apache_search_sys_content(munin_t)
-+
-+	read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
-+	read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
-+
-+	files_search_var_lib(httpd_munin_script_t)
- ')
+ userdom_dontaudit_use_unpriv_user_fds(munin_t)
+ userdom_dontaudit_search_user_home_dirs(munin_t)
+ 
+-optional_policy(`
+-	apache_content_template(munin)
+-
+-	manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+-	manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+-	apache_search_sys_content(munin_t)
+-')
  
  optional_policy(`
-@@ -145,6 +160,7 @@ optional_policy(`
+ 	cron_system_entry(munin_t, munin_exec_t)
+@@ -143,9 +179,10 @@ optional_policy(`
+ ')
+ 
  optional_policy(`
- 	mta_read_config(munin_t)
- 	mta_send_mail(munin_t)
 +	mta_list_queue(munin_t)
+ 	mta_read_config(munin_t)
+-	mta_send_mail(munin_t)
  	mta_read_queue(munin_t)
++	mta_send_mail(munin_t)
  ')
  
-@@ -155,10 +171,13 @@ optional_policy(`
+ optional_policy(`
+@@ -155,6 +192,8 @@ optional_policy(`
  
  optional_policy(`
  	netutils_domtrans_ping(munin_t)
-+	netutils_signal_ping(munin_t)
 +	netutils_kill_ping(munin_t)
++	netutils_signal_ping(munin_t)
  ')
  
  optional_policy(`
- 	postfix_list_spool(munin_t)
-+	postfix_getattr_spool_files(munin_t)
- ')
+@@ -179,26 +218,29 @@ optional_policy(`
  
- optional_policy(`
-@@ -182,6 +201,7 @@ optional_policy(`
- # local policy for disk plugins
+ ###################################
+ #
+-# local policy for disk plugins
++# Disk local policy
  #
  
 +allow disk_munin_plugin_t self:capability { sys_admin sys_rawio };
  allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -190,15 +210,18 @@ corecmd_exec_shell(disk_munin_plugin_t)
  
+-corecmd_exec_shell(disk_munin_plugin_t)
+-
++corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
  corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
++corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
  
 -files_read_etc_files(disk_munin_plugin_t)
  files_read_etc_runtime_files(disk_munin_plugin_t)
-+files_read_usr_files(disk_munin_plugin_t)
  
 -fs_getattr_all_fs(disk_munin_plugin_t)
 -
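Review bot: The `postfix_getattr_spool_files(munin_t)` line that the previous version of this patch added to the postfix `optional_policy` block (the removed `-+` line just above `- ')`) is dropped, and none of the new inner hunks touch that block, so only `postfix_list_spool(munin_t)` remains. Unless the rawhide policy being backported grants that access elsewhere, this reintroduces the denial the line was added for when the postfix mail-queue plugin stats spool files. Re-add `postfix_getattr_spool_files(munin_t)` inside that block, or record in the changelog why it is no longer needed.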
@@ -37633,7 +38428,13 @@ index f17583b..fea9b77 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -217,34 +240,56 @@ optional_policy(`
+@@ -212,56 +254,81 @@ optional_policy(`
+ 
+ ####################################
+ #
+-# local policy for mail plugins
++# Mail local policy
+ #
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -37654,17 +38455,17 @@ index f17583b..fea9b77 100644
 +optional_policy(`
 +	exim_read_log(mail_munin_plugin_t)
 +')
- 
--mta_read_config(mail_munin_plugin_t)
--mta_send_mail(mail_munin_plugin_t)
--mta_read_queue(mail_munin_plugin_t)
++
 +optional_policy(`
 +	mta_read_config(mail_munin_plugin_t)
 +	mta_send_mail(mail_munin_plugin_t)
 +	mta_list_queue(mail_munin_plugin_t)
 +	mta_read_queue(mail_munin_plugin_t)
 +')
-+
+ 
+-mta_read_config(mail_munin_plugin_t)
+-mta_send_mail(mail_munin_plugin_t)
+-mta_read_queue(mail_munin_plugin_t)
 +optional_policy(`
 +	nscd_socket_use(mail_munin_plugin_t)
 +')
@@ -37681,14 +38482,15 @@ index f17583b..fea9b77 100644
  
 +##################################
 +#
-+# local policy for selinux plugins
++# Selinux local policy
 +#
 +
 +selinux_get_enforce_mode(selinux_munin_plugin_t)
 +
  ###################################
  #
- # local policy for service plugins
+-# local policy for service plugins
++# Service local policy
  #
  
 +allow services_munin_plugin_t self:shm create_sem_perms;
@@ -37696,7 +38498,12 @@ index f17583b..fea9b77 100644
  allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  allow services_munin_plugin_t self:udp_socket create_socket_perms;
  allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +300,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+ 
++corenet_sendrecv_all_client_packets(services_munin_plugin_t)
+ corenet_tcp_connect_all_ports(services_munin_plugin_t)
+ corenet_tcp_connect_http_port(services_munin_plugin_t)
++corenet_tcp_sendrecv_all_ports(services_munin_plugin_t)
+ 
  dev_read_urand(services_munin_plugin_t)
  dev_read_rand(services_munin_plugin_t)
  
@@ -37707,11 +38514,15 @@ index f17583b..fea9b77 100644
  sysnet_read_config(services_munin_plugin_t)
  
  optional_policy(`
++	bind_read_config(munin_services_plugin_t)
++')
++
++optional_policy(`
 +	cups_read_config(services_munin_plugin_t)
  	cups_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -279,6 +321,14 @@ optional_policy(`
+@@ -279,6 +346,14 @@ optional_policy(`
  ')
  
  optional_policy(`
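Review bot: `bind_read_config(munin_services_plugin_t)` names a type nothing declares; `munin_plugin_template(services)` yields `services_munin_plugin_t`, which is the name every other rule in this section uses (`cups_read_config(services_munin_plugin_t)` right below it). The same typo existed in the block this moves, so the move is the moment to fix it: `bind_read_config(services_munin_plugin_t)`. Unless something out of view declares `munin_services_plugin_t`, the module will fail to build wherever the bind interface resolves.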
@@ -37726,7 +38537,7 @@ index f17583b..fea9b77 100644
  	postgresql_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -286,6 +336,18 @@ optional_policy(`
+@@ -286,30 +361,79 @@ optional_policy(`
  	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
  ')
  
@@ -37738,30 +38549,35 @@ index f17583b..fea9b77 100644
 +	varnishd_read_lib_files(services_munin_plugin_t)
 +')
 +
-+optional_policy(`
-+    bind_read_config(munin_services_plugin_t)
-+')
-+
  ##################################
  #
- # local policy for system plugins
-@@ -295,12 +357,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+-# local policy for system plugins
++# System local policy
+ #
+ 
+ allow system_munin_plugin_t self:udp_socket create_socket_perms;
  
  rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
--kernel_read_network_state(system_munin_plugin_t)
--kernel_read_all_sysctls(system_munin_plugin_t)
-+# needed by munin_* plugins
 +read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
++
+ kernel_read_network_state(system_munin_plugin_t)
+ kernel_read_all_sysctls(system_munin_plugin_t)
  
 -corecmd_exec_shell(system_munin_plugin_t)
 -
 -fs_getattr_all_fs(system_munin_plugin_t)
-+kernel_read_network_state(system_munin_plugin_t)
- 
+-
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +373,47 @@ init_read_utmp(system_munin_plugin_t)
+ 
+ domain_read_all_domains_state(system_munin_plugin_t)
+ 
+-# needed by users plugin
+ init_read_utmp(system_munin_plugin_t)
+ 
++logging_search_logs(system_munin_plugin_t)
++
  sysnet_exec_ifconfig(system_munin_plugin_t)
  
  term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -37774,40 +38590,38 @@ index f17583b..fea9b77 100644
 +
 +#######################################
 +#
-+# Unconfined plugin policy
++# Unconfined plugin local policy
 +#
 +
 +optional_policy(`
 +	unconfined_domain(unconfined_munin_plugin_t)
 +')
 +
-+################################
++
++#######################################
 +#
-+# local policy for munin plugin domains
++# Munin CGI script local policy
 +#
 +
-+allow munin_plugin_domain self:process signal;
++apache_content_template(munin)
 +
-+allow munin_plugin_domain munin_exec_t:file read_file_perms;
-+allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 +
-+# creates plugin state files
-+manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
++manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t)
++manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t)
 +
-+read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
++read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
++read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
 +
-+corecmd_exec_bin(munin_plugin_domain)
-+corecmd_exec_shell(munin_plugin_domain)
++allow httpd_munin_script_t munin_log_t:file read_file_perms;
 +
-+files_search_var_lib(munin_plugin_domain)
-+files_read_usr_files(munin_plugin_domain)
++files_search_var_lib(httpd_munin_script_t)
 +
-+fs_getattr_all_fs(munin_plugin_domain)
-+
-+auth_read_passwd(munin_plugin_domain)
++auth_read_passwd(httpd_munin_script_t)
 +
 +optional_policy(`
-+    nscd_socket_use(munin_plugin_domain)
++	apache_search_sys_content(munin_t)
 +')
 diff --git a/mysql.fc b/mysql.fc
 index 716d666..43f60de 100644
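Review bot: The CGI domain gets `allow httpd_munin_script_t munin_log_t:file read_file_perms;` but no `search` on the munin_log_t directory or on /var/log, even though the changelog entry for this change is "Allow munin CGI script to search munin logs"; the `logging_search_logs()` call this commit adds lands on system_munin_plugin_t in the previous hunk, not on the CGI domain. If /var/log/munin is itself labeled munin_log_t (not visible here, but the usual layout), the script will still be denied directory search, so the conventional form matching the neighbouring lines would be `read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)` followed by `logging_search_logs(httpd_munin_script_t)`. The hunk also removes the whole `munin_plugin_domain` rule block (self:process signal, plugin state files, corecmd_exec_bin/exec_shell, nscd_socket_use) with no visible replacement; if those rules now live in another part of the rawhide backport, a one-line comment pointing there would save the next reader from assuming plugin domains lost them.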
@@ -47840,7 +48654,7 @@ index 48ff1e8..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policykit.te b/policykit.te
-index 44db896..946bfb5 100644
+index 44db896..6e3b3fd 100644
 --- a/policykit.te
 +++ b/policykit.te
 @@ -1,51 +1,67 @@
@@ -47924,7 +48738,7 @@ index 44db896..946bfb5 100644
  rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
  
  policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +72,115 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +72,116 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
  
@@ -48030,6 +48844,7 @@ index 44db896..946bfb5 100644
 +
 +fs_getattr_all_fs(policykit_auth_t)
 +fs_search_tmpfs(policykit_auth_t)
++fs_dontaudit_append_ecryptfs_files(policykit_auth_t)
  
 +auth_rw_var_auth(policykit_auth_t)
  auth_use_nsswitch(policykit_auth_t)
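Review bot: `fs_dontaudit_append_ecryptfs_files(policykit_auth_t)` should be checked against the interfaces the base patch in this same commit actually defines, because the changelog names the new interface `fs_dontaudit_append_fusefs_files()`; an interface that does not exist fails at m4 expansion when the contrib module is built, not at policy load. The dontaudit also silences append denials for every file on ecryptfs, not only ~/.xsession-errors, which is acceptable for a dontaudit but worth recording, e.g. `# .xsession-errors in ecryptfs home dirs; denied, just not logged`. The policykit_auth_t block continues outside the hunk.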
@@ -48051,7 +48866,7 @@ index 44db896..946bfb5 100644
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -118,14 +193,26 @@ optional_policy(`
+@@ -118,14 +194,26 @@ optional_policy(`
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -48080,7 +48895,7 @@ index 44db896..946bfb5 100644
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -142,22 +229,22 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -142,22 +230,22 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
  
  manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
  
@@ -48108,7 +48923,7 @@ index 44db896..946bfb5 100644
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -167,9 +254,8 @@ optional_policy(`
+@@ -167,9 +255,8 @@ optional_policy(`
  # polkit_resolve local policy
  #
  
@@ -48120,7 +48935,7 @@ index 44db896..946bfb5 100644
  allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
  allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -182,17 +268,12 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t
+@@ -182,17 +269,12 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t
  can_exec(policykit_resolve_t, policykit_resolve_exec_t)
  corecmd_search_bin(policykit_resolve_t)
  
@@ -51538,7 +52353,7 @@ index 84f23dc..0e7d875 100644
  /usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
  
 diff --git a/pulseaudio.if b/pulseaudio.if
-index f40c64d..8a82574 100644
+index f40c64d..191600b 100644
 --- a/pulseaudio.if
 +++ b/pulseaudio.if
 @@ -35,6 +35,9 @@ interface(`pulseaudio_role',`
@@ -51566,7 +52381,7 @@ index f40c64d..8a82574 100644
  ')
  
  ########################################
-@@ -257,4 +262,87 @@ interface(`pulseaudio_manage_home_files',`
+@@ -257,4 +262,106 @@ interface(`pulseaudio_manage_home_files',`
  	userdom_search_user_home_dirs($1)
  	manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
  	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
@@ -51653,12 +52468,40 @@ index f40c64d..8a82574 100644
 +
 +	kernel_search_proc($1)
 +	ps_process_pattern($1, pulseaudio_t)
++')
++
++######################################
++## <summary>
++##  Make the specified tmpfs file type
++##  pulseaudio tmpfs content.
++## </summary>
++## <param name="file_type">
++##  <summary>
++##  File type to make pulseaudio tmpfs content.
++##  </summary>
++## </param>
++#
++interface(`pulseaudio_tmpfs_content',`
++	gen_require(`
++		attribute pulseaudio_tmpfsfile;
++	')
++
++		typeattribute $1 pulseaudio_tmpfsfile;
  ')
 diff --git a/pulseaudio.te b/pulseaudio.te
-index 901ac9b..bef43f7 100644
+index 901ac9b..68f1fb6 100644
 --- a/pulseaudio.te
 +++ b/pulseaudio.te
-@@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -5,6 +5,8 @@ policy_module(pulseaudio, 1.5.0)
+ # Declarations
+ #
+ 
++attribute pulseaudio_tmpfsfile;
++
+ type pulseaudio_t;
+ type pulseaudio_exec_t;
+ init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+@@ -41,7 +43,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
  
  manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
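Review bot: The new `pulseaudio_tmpfs_content()` interface only adds $1 to `pulseaudio_tmpfsfile`, and the only other reference to that attribute in this commit is its declaration in pulseaudio.te, so nothing visible grants pulseaudio_t (or any domain) access through the attribute; unless the consuming rule lives in a part of the patch outside these hunks, callers of the interface get no effect. The `typeattribute` line carries two tabs where every other interface body in the file uses one; `	typeattribute $1 pulseaudio_tmpfsfile;` keeps the style consistent. The summary could also say what membership means in practice once the consuming rule exists, e.g. `## Types with this attribute are treated as pulseaudio tmpfs content.`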
@@ -51672,7 +52515,7 @@ index 901ac9b..bef43f7 100644
  
  manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -51,7 +57,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+@@ -51,7 +59,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
  manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
  manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
@@ -51681,7 +52524,7 @@ index 901ac9b..bef43f7 100644
  
  can_exec(pulseaudio_t, pulseaudio_exec_t)
  
-@@ -61,7 +67,6 @@ kernel_read_kernel_sysctls(pulseaudio_t)
+@@ -61,7 +69,6 @@ kernel_read_kernel_sysctls(pulseaudio_t)
  
  corecmd_exec_bin(pulseaudio_t)
  
@@ -51689,7 +52532,7 @@ index 901ac9b..bef43f7 100644
  corenet_all_recvfrom_netlabel(pulseaudio_t)
  corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
  corenet_tcp_bind_soundd_port(pulseaudio_t)
-@@ -70,32 +75,49 @@ corenet_tcp_sendrecv_generic_node(pulseaudio_t)
+@@ -70,32 +77,49 @@ corenet_tcp_sendrecv_generic_node(pulseaudio_t)
  corenet_udp_bind_sap_port(pulseaudio_t)
  corenet_udp_sendrecv_generic_if(pulseaudio_t)
  corenet_udp_sendrecv_generic_node(pulseaudio_t)
@@ -51726,7 +52569,11 @@ index 901ac9b..bef43f7 100644
 +	fs_manage_nfs_named_sockets(pulseaudio_t)
 +	fs_manage_nfs_named_pipes(pulseaudio_t)
 +')
-+
+ 
+-# cjp: this seems excessive. need to confirm
+-userdom_manage_user_home_content_files(pulseaudio_t)
+-userdom_manage_user_tmp_files(pulseaudio_t)
+-userdom_manage_user_tmpfs_files(pulseaudio_t)
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_mount_cifs(pulseaudio_t)
 +	fs_mounton_cifs(pulseaudio_t)
@@ -51736,18 +52583,14 @@ index 901ac9b..bef43f7 100644
 +	fs_manage_cifs_named_sockets(pulseaudio_t)
 +	fs_manage_cifs_named_pipes(pulseaudio_t)
 +')
- 
--# cjp: this seems excessive. need to confirm
--userdom_manage_user_home_content_files(pulseaudio_t)
--userdom_manage_user_tmp_files(pulseaudio_t)
--userdom_manage_user_tmpfs_files(pulseaudio_t)
++
 +optional_policy(`
 +	alsa_read_rw_config(pulseaudio_t)
 +')
  
  optional_policy(`
  	bluetooth_stream_connect(pulseaudio_t)
-@@ -125,16 +147,37 @@ optional_policy(`
+@@ -125,16 +149,37 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51785,7 +52628,7 @@ index 901ac9b..bef43f7 100644
  	udev_read_state(pulseaudio_t)
  	udev_read_db(pulseaudio_t)
  ')
-@@ -146,3 +189,7 @@ optional_policy(`
+@@ -146,3 +191,7 @@ optional_policy(`
  	xserver_read_xdm_pid(pulseaudio_t)
  	xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
  ')
@@ -53997,10 +54840,10 @@ index 0000000..010b2be
 +')
 diff --git a/quantum.te b/quantum.te
 new file mode 100644
-index 0000000..6e15504
+index 0000000..992837f
 --- /dev/null
 +++ b/quantum.te
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,81 @@
 +policy_module(quantum, 1.0.0)
 +
 +########################################
@@ -54057,6 +54900,7 @@ index 0000000..6e15504
 +corenet_tcp_bind_generic_node(quantum_t)
 +corenet_tcp_bind_quantum_port(quantum_t)
 +corenet_tcp_connect_mysqld_port(quantum_t)
++corenet_tcp_connect_amqp_port(quantum_t)
 +
 +dev_read_urand(quantum_t)
 +dev_list_sysfs(quantum_t)
@@ -58701,10 +59545,10 @@ index a63e9ee..e4a0c9b 100644
 +	nis_use_ypbind(rpcbind_t)
 +')
 diff --git a/rpm.fc b/rpm.fc
-index b2a0b6a..3916381 100644
+index b2a0b6a..d8a9750 100644
 --- a/rpm.fc
 +++ b/rpm.fc
-@@ -2,10 +2,12 @@
+@@ -2,10 +2,13 @@
  /bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  /usr/bin/debuginfo-install	--	gen_context(system_u:object_r:debuginfo_exec_t,s0)
@@ -58713,11 +59557,12 @@ index b2a0b6a..3916381 100644
  /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/yum-builddep	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/zif 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
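Review bot: The new `/usr/bin/yum-builddep` entry is padded with a single tab while its siblings (`/usr/bin/yum`, `/usr/bin/zif`, `/usr/bin/smart`) use three, so the `--` and context columns no longer line up; `/usr/bin/yum-builddep 		--	gen_context(system_u:object_r:rpm_exec_t,s0)` matches the block. Worth stating in the commit that this gives yum-builddep the same rpm_exec_t entrypoint as yum itself, so every caller that transitions on rpm_exec_t now does so for it as well; that appears to be the intent per the changelog, but it is a wider grant than a label change usually reads as.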
-@@ -20,12 +22,18 @@
+@@ -20,12 +23,18 @@
  /usr/share/yumex/yum_childtask\.py --	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  ifdef(`distro_redhat', `
@@ -58736,7 +59581,7 @@ index b2a0b6a..3916381 100644
  ')
  
  /var/cache/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
-@@ -35,10 +43,12 @@ ifdef(`distro_redhat', `
+@@ -35,10 +44,12 @@ ifdef(`distro_redhat', `
  /var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
  /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
  /var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
@@ -59373,7 +60218,7 @@ index ffb9605..4bb7119 100644
 -
 -miscfiles_read_localization(rssh_chroot_helper_t)
 diff --git a/rsync.fc b/rsync.fc
-index 479615b..2d77839 100644
+index 479615b..d92f567 100644
 --- a/rsync.fc
 +++ b/rsync.fc
 @@ -2,6 +2,6 @@
@@ -59381,7 +60226,7 @@ index 479615b..2d77839 100644
  /usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
  
 -/var/log/rsync\.log	--	gen_context(system_u:object_r:rsync_log_t,s0)
-+/var/log/rsync\.log.*	--	gen_context(system_u:object_r:rsync_log_t,s0)
++/var/log/rsync.*		gen_context(system_u:object_r:rsync_log_t,s0)
  
  /var/run/rsyncd\.lock	--	gen_context(system_u:object_r:rsync_var_run_t,s0)
 diff --git a/rsync.if b/rsync.if
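Review bot: The replacement pattern `/var/log/rsync.*` drops both the `--` file-type qualifier and the escaped dot, so it now labels anything under /var/log whose name merely starts with `rsync` — directories included — as rsync_log_t, and the bare `.` matches any character rather than a literal dot. If the goal was rotated logs, the previous `/var/log/rsync\.log.*	--` already covered `rsync.log-20130301` and `rsync.log.1`; if the goal was a `/var/log/rsync/` directory, `/var/log/rsync(/.*)?` next to the file entry expresses that without pulling unrelated names into the type. A short comment naming the layout being matched would make the intent reviewable.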
@@ -60130,7 +60975,7 @@ index 82cb169..4f6fe4a 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 905883f..4293f70 100644
+index 905883f..57f516b 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
@@ -60445,11 +61290,13 @@ index 905883f..4293f70 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -501,11 +534,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
+@@ -500,12 +533,15 @@ read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
  manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
  
- manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
++manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t)
 +manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 +manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 +manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 +files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
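Review bot: The added `manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)` sits directly above the identical rule that already exists as context on the next line, so the generated samba.te carries the rule twice; keep only the existing line plus the new `manage_dirs_pattern`, `manage_lnk_files_pattern` and `manage_sock_files_pattern` rules. checkpolicy merges duplicate rules, but the repeat hides what the hunk actually changes. The nmbd_t block continues outside the hunk.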
@@ -60461,7 +61308,7 @@ index 905883f..4293f70 100644
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
  kernel_read_kernel_sysctls(nmbd_t)
-@@ -513,7 +548,6 @@ kernel_read_network_state(nmbd_t)
+@@ -513,7 +549,6 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -60469,7 +61316,7 @@ index 905883f..4293f70 100644
  corenet_all_recvfrom_netlabel(nmbd_t)
  corenet_tcp_sendrecv_generic_if(nmbd_t)
  corenet_udp_sendrecv_generic_if(nmbd_t)
-@@ -527,8 +561,10 @@ corenet_sendrecv_nmbd_server_packets(nmbd_t)
+@@ -527,8 +562,10 @@ corenet_sendrecv_nmbd_server_packets(nmbd_t)
  corenet_sendrecv_nmbd_client_packets(nmbd_t)
  corenet_tcp_connect_smbd_port(nmbd_t)
  
@@ -60481,7 +61328,7 @@ index 905883f..4293f70 100644
  
  fs_getattr_all_fs(nmbd_t)
  fs_search_auto_mountpoints(nmbd_t)
-@@ -536,7 +572,6 @@ fs_search_auto_mountpoints(nmbd_t)
+@@ -536,7 +573,6 @@ fs_search_auto_mountpoints(nmbd_t)
  domain_use_interactive_fds(nmbd_t)
  
  files_read_usr_files(nmbd_t)
@@ -60489,7 +61336,7 @@ index 905883f..4293f70 100644
  files_list_var_lib(nmbd_t)
  
  auth_use_nsswitch(nmbd_t)
-@@ -544,12 +579,14 @@ auth_use_nsswitch(nmbd_t)
+@@ -544,12 +580,14 @@ auth_use_nsswitch(nmbd_t)
  logging_search_logs(nmbd_t)
  logging_send_syslog_msg(nmbd_t)
  
@@ -60506,7 +61353,7 @@ index 905883f..4293f70 100644
  	seutil_sigchld_newrole(nmbd_t)
  ')
  
-@@ -562,18 +599,21 @@ optional_policy(`
+@@ -562,18 +600,21 @@ optional_policy(`
  # smbcontrol local policy
  #
  
@@ -60532,7 +61379,7 @@ index 905883f..4293f70 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -581,11 +621,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -581,11 +622,19 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
@@ -60555,7 +61402,7 @@ index 905883f..4293f70 100644
  
  ########################################
  #
-@@ -604,18 +652,20 @@ allow smbmount_t samba_etc_t:file read_file_perms;
+@@ -604,18 +653,20 @@ allow smbmount_t samba_etc_t:file read_file_perms;
  
  can_exec(smbmount_t, smbmount_exec_t)
  
@@ -60578,7 +61425,7 @@ index 905883f..4293f70 100644
  corenet_all_recvfrom_netlabel(smbmount_t)
  corenet_tcp_sendrecv_generic_if(smbmount_t)
  corenet_raw_sendrecv_generic_if(smbmount_t)
-@@ -645,31 +695,32 @@ files_list_mnt(smbmount_t)
+@@ -645,31 +696,32 @@ files_list_mnt(smbmount_t)
  files_mounton_mnt(smbmount_t)
  files_manage_etc_runtime_files(smbmount_t)
  files_etc_filetrans_etc_runtime(smbmount_t, file)
@@ -60616,7 +61463,7 @@ index 905883f..4293f70 100644
  allow swat_t self:process { setrlimit signal_perms };
  allow swat_t self:fifo_file rw_fifo_file_perms;
  allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -684,7 +735,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -684,7 +736,8 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -60626,7 +61473,7 @@ index 905883f..4293f70 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -698,13 +750,17 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -698,13 +751,17 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
@@ -60644,7 +61491,7 @@ index 905883f..4293f70 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -717,6 +773,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -717,6 +774,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -60652,7 +61499,7 @@ index 905883f..4293f70 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -726,7 +783,6 @@ kernel_read_network_state(swat_t)
+@@ -726,7 +784,6 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -60660,7 +61507,7 @@ index 905883f..4293f70 100644
  corenet_all_recvfrom_netlabel(swat_t)
  corenet_tcp_sendrecv_generic_if(swat_t)
  corenet_udp_sendrecv_generic_if(swat_t)
-@@ -744,7 +800,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
+@@ -744,7 +801,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
  dev_read_urand(swat_t)
  
  files_list_var_lib(swat_t)
@@ -60668,7 +61515,7 @@ index 905883f..4293f70 100644
  files_search_home(swat_t)
  files_read_usr_files(swat_t)
  fs_getattr_xattr_fs(swat_t)
-@@ -759,7 +814,10 @@ logging_send_syslog_msg(swat_t)
+@@ -759,7 +815,10 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -60680,7 +61527,7 @@ index 905883f..4293f70 100644
  
  optional_policy(`
  	cups_read_rw_config(swat_t)
-@@ -790,7 +848,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -790,7 +849,8 @@ allow winbind_t self:udp_socket create_socket_perms;
  
  allow winbind_t nmbd_t:process { signal signull };
  
@@ -60690,7 +61537,7 @@ index 905883f..4293f70 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,6 +865,8 @@ manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
+@@ -806,6 +866,8 @@ manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
  manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
@@ -60699,7 +61546,7 @@ index 905883f..4293f70 100644
  files_list_var_lib(winbind_t)
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
-@@ -813,21 +874,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -813,21 +875,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -60733,7 +61580,7 @@ index 905883f..4293f70 100644
  corenet_all_recvfrom_netlabel(winbind_t)
  corenet_tcp_sendrecv_generic_if(winbind_t)
  corenet_udp_sendrecv_generic_if(winbind_t)
-@@ -840,12 +906,15 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -840,12 +907,15 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -60749,7 +61596,7 @@ index 905883f..4293f70 100644
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
  
-@@ -855,12 +924,14 @@ auth_manage_cache(winbind_t)
+@@ -855,12 +925,14 @@ auth_manage_cache(winbind_t)
  
  domain_use_interactive_fds(winbind_t)
  
@@ -60766,7 +61613,7 @@ index 905883f..4293f70 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -871,6 +942,15 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -871,6 +943,15 @@ userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
  optional_policy(`
@@ -60782,7 +61629,7 @@ index 905883f..4293f70 100644
  	kerberos_use(winbind_t)
  ')
  
-@@ -909,9 +989,7 @@ auth_use_nsswitch(winbind_helper_t)
+@@ -909,9 +990,7 @@ auth_use_nsswitch(winbind_helper_t)
  
  logging_send_syslog_msg(winbind_helper_t)
  
@@ -60793,7 +61640,7 @@ index 905883f..4293f70 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -929,19 +1007,34 @@ optional_policy(`
+@@ -929,19 +1008,34 @@ optional_policy(`
  #
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 11590e0..e8f551b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 81%{?dist}
+Release: 82%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,38 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Feb 28 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-82
+- Allow logrotate to read /sys
+- Allow mandb to setattr on man dirs
+- label /usr/bin/yum-builddep as rpm_exec_t
+- Remove init_daemon_run_dir from CUPS policy
+- Backport cups+hplip merge from rawhide
+- Allow munin CGI scritp to search munin logs
+- Allow quantum to connect to amqp port
+- Allow jabberd to connect to jabber_interserver_port_t
+- Fix authconfig.py labeling
+- Fix fcoemon policy
+- Allow kdumpgui to manage bootloader_config
+- Allow httpd_collectd_script to read /etc/passwd
+- Allow milter domains to read /dev/random
+- Allow nmbd_t to create samba_var_t directories
+- Allow logrotote to getattr on all file sytems
+- fcoemon wants also net_raw cap. We have net_admin cap.
+- Allow gpg-agent to access fips_enabled file
+- Allow collectd to read utmp
+- Backport munin policy from rawhide
+- Allow kadmind to read /etc/passwd
+- Dontaudit append .xsession-errors file on ecryptfs for  policykit-auth
+- Allow chrome_nacl to execute /dev/zero
+- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelperas bin_t
+- Add fs_dontaudit_append_fusefs_files() interface
+- Allow systemd domains to talk to kernel_t using unix_dgram_socket
+- Add miscfiles_setattr_man_pages()
+- Add manage interface to be used bu kdumpgui
+- Localectl needs to be able to send dbus signals to users
+- Hostname needs to send syslog messages
+- Add stream support for mpd, accessible from users
+
 * Fri Feb 22 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-81
 - Fix systemd_dbus_chat_timedated interface
 - Allow userdomains to dbus chat with systemd-hostnamed

