[selinux-policy] Allow localectl to read /etc/X11/xorg.conf.d directory
Daniel J Walsh
dwalsh at fedoraproject.org
Sun Mar 24 10:40:10 UTC 2013
commit 6c034c693d76e001d94233bef473e19b432c491d
Author: Dan Walsh <dwalsh at redhat.com>
Date: Sun Mar 24 06:39:58 2013 -0400
Allow localectl to read /etc/X11/xorg.conf.d directory
- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""
- Allow mount to transition to systemd_passwd_agent
- Make sure abrt directories are labeled correctly
- Allow commands that are going to read mount pid files to search mount_var_run_t
- label /usr/bin/repoquery as rpm_exec_t
- Allow automount to block suspend
- Add abrt_filetrans_named_content so that abrt directories get labeled correctly
- Allow virt domains to setrlimit and read file_context
policy-rawhide-base.patch | 5596 ++++++++++++++++++++++++++++++++----------
policy-rawhide-contrib.patch | 774 ++++--
selinux-policy.spec | 58 +-
3 files changed, 4917 insertions(+), 1511 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 7ba4bba..f05841c 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1616,7 +1616,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index 8128de8..0bb92ab 100644
+index 8128de8..b0a385b 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2)
@@ -1700,7 +1700,11 @@ index 8128de8..0bb92ab 100644
domain_use_interactive_fds(ping_t)
-@@ -132,11 +137,9 @@ kernel_read_system_state(ping_t)
+@@ -129,14 +134,13 @@ files_read_etc_files(ping_t)
+ files_dontaudit_search_var(ping_t)
+
+ kernel_read_system_state(ping_t)
++kernel_read_network_state(ping_t)
auth_use_nsswitch(ping_t)
@@ -1714,7 +1718,7 @@ index 8128de8..0bb92ab 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -147,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -1740,7 +1744,7 @@ index 8128de8..0bb92ab 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -159,6 +176,15 @@ optional_policy(`
+@@ -159,6 +177,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -1756,7 +1760,7 @@ index 8128de8..0bb92ab 100644
########################################
#
# Traceroute local policy
-@@ -172,7 +198,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -1764,7 +1768,7 @@ index 8128de8..0bb92ab 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -196,6 +221,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -1772,7 +1776,7 @@ index 8128de8..0bb92ab 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -204,11 +230,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -3017,7 +3021,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..330ed39 100644
+index 644d4d7..d2dbf35 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3085,11 +3089,12 @@ index 644d4d7..330ed39 100644
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
-@@ -134,10 +146,11 @@ ifdef(`distro_debian',`
+@@ -134,10 +146,12 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib64/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0)
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
@@ -3098,7 +3103,7 @@ index 644d4d7..330ed39 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -151,7 +164,7 @@ ifdef(`distro_gentoo',`
+@@ -151,7 +165,7 @@ ifdef(`distro_gentoo',`
#
# /sbin
#
@@ -3107,7 +3112,7 @@ index 644d4d7..330ed39 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +180,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +181,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3115,7 +3120,7 @@ index 644d4d7..330ed39 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -178,33 +192,49 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +193,49 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -3174,7 +3179,7 @@ index 644d4d7..330ed39 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +245,28 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +246,28 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3210,7 +3215,7 @@ index 644d4d7..330ed39 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +281,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +282,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -3226,7 +3231,7 @@ index 644d4d7..330ed39 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +302,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +303,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3247,7 +3252,7 @@ index 644d4d7..330ed39 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +328,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +329,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -3263,7 +3268,7 @@ index 644d4d7..330ed39 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +351,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +352,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -3288,7 +3293,7 @@ index 644d4d7..330ed39 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +384,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +385,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3317,7 +3322,7 @@ index 644d4d7..330ed39 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +453,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +454,15 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -3334,7 +3339,7 @@ index 644d4d7..330ed39 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +471,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +472,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -3348,10 +3353,33 @@ index 644d4d7..330ed39 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..87d577e 100644
+index 9e9263a..979f47f 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
-@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
+@@ -8,6 +8,22 @@
+ ## run init.
+ ## </required>
+
++#####################################
++## <summary>
++## corecmd stub bin_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`corecmd_stub_bin',`
++ gen_require(`
++ type bin_t;
++ ')
++')
++
+ ########################################
+ ## <summary>
+ ## Make the specified type usable for files
+@@ -122,6 +138,7 @@ interface(`corecmd_search_bin',`
type bin_t;
')
@@ -3359,7 +3387,7 @@ index 9e9263a..87d577e 100644
search_dirs_pattern($1, bin_t, bin_t)
')
-@@ -158,6 +159,7 @@ interface(`corecmd_list_bin',`
+@@ -158,6 +175,7 @@ interface(`corecmd_list_bin',`
type bin_t;
')
@@ -3367,7 +3395,7 @@ index 9e9263a..87d577e 100644
list_dirs_pattern($1, bin_t, bin_t)
')
-@@ -203,7 +205,7 @@ interface(`corecmd_getattr_bin_files',`
+@@ -203,7 +221,7 @@ interface(`corecmd_getattr_bin_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -3376,7 +3404,7 @@ index 9e9263a..87d577e 100644
## </summary>
## </param>
#
-@@ -231,6 +233,7 @@ interface(`corecmd_read_bin_files',`
+@@ -231,6 +249,7 @@ interface(`corecmd_read_bin_files',`
type bin_t;
')
@@ -3384,7 +3412,7 @@ index 9e9263a..87d577e 100644
read_files_pattern($1, bin_t, bin_t)
')
-@@ -254,6 +257,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
+@@ -254,6 +273,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
########################################
## <summary>
@@ -3409,7 +3437,7 @@ index 9e9263a..87d577e 100644
## Read symbolic links in bin directories.
## </summary>
## <param name="domain">
-@@ -285,6 +306,7 @@ interface(`corecmd_read_bin_pipes',`
+@@ -285,6 +322,7 @@ interface(`corecmd_read_bin_pipes',`
type bin_t;
')
@@ -3417,7 +3445,7 @@ index 9e9263a..87d577e 100644
read_fifo_files_pattern($1, bin_t, bin_t)
')
-@@ -303,6 +325,7 @@ interface(`corecmd_read_bin_sockets',`
+@@ -303,6 +341,7 @@ interface(`corecmd_read_bin_sockets',`
type bin_t;
')
@@ -3425,7 +3453,7 @@ index 9e9263a..87d577e 100644
read_sock_files_pattern($1, bin_t, bin_t)
')
-@@ -345,6 +368,10 @@ interface(`corecmd_exec_bin',`
+@@ -345,6 +384,10 @@ interface(`corecmd_exec_bin',`
read_lnk_files_pattern($1, bin_t, bin_t)
list_dirs_pattern($1, bin_t, bin_t)
can_exec($1, bin_t)
@@ -3436,7 +3464,7 @@ index 9e9263a..87d577e 100644
')
########################################
-@@ -362,6 +389,7 @@ interface(`corecmd_manage_bin_files',`
+@@ -362,6 +405,7 @@ interface(`corecmd_manage_bin_files',`
type bin_t;
')
@@ -3444,7 +3472,7 @@ index 9e9263a..87d577e 100644
manage_files_pattern($1, bin_t, bin_t)
')
-@@ -398,6 +426,7 @@ interface(`corecmd_mmap_bin_files',`
+@@ -398,6 +442,7 @@ interface(`corecmd_mmap_bin_files',`
type bin_t;
')
@@ -3452,7 +3480,7 @@ index 9e9263a..87d577e 100644
mmap_files_pattern($1, bin_t, bin_t)
')
-@@ -954,6 +983,24 @@ interface(`corecmd_exec_chroot',`
+@@ -954,6 +999,24 @@ interface(`corecmd_exec_chroot',`
########################################
## <summary>
@@ -3477,7 +3505,7 @@ index 9e9263a..87d577e 100644
## Get the attributes of all executable files.
## </summary>
## <param name="domain">
-@@ -1012,6 +1059,10 @@ interface(`corecmd_exec_all_executables',`
+@@ -1012,6 +1075,10 @@ interface(`corecmd_exec_all_executables',`
can_exec($1, exec_type)
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, exec_type)
@@ -3488,7 +3516,7 @@ index 9e9263a..87d577e 100644
')
########################################
-@@ -1049,6 +1100,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -1049,6 +1116,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t;
')
@@ -3496,7 +3524,7 @@ index 9e9263a..87d577e 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-@@ -1091,3 +1143,36 @@ interface(`corecmd_mmap_all_executables',`
+@@ -1091,3 +1159,36 @@ interface(`corecmd_mmap_all_executables',`
mmap_files_pattern($1, bin_t, exec_type)
')
@@ -3567,7 +3595,7 @@ index f9b25c1..9af1f7a 100644
+/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..4aecd37 100644
+index 07126bd..d6ec4a8 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
@@ -3636,10 +3664,29 @@ index 07126bd..4aecd37 100644
## Bind TCP sockets to generic nodes.
## </summary>
## <desc>
-@@ -855,6 +893,25 @@ interface(`corenet_udp_bind_generic_node',`
+@@ -855,6 +893,44 @@ interface(`corenet_udp_bind_generic_node',`
########################################
## <summary>
++## Dontaudit attempts to bind TCP sockets to generic nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++## <infoflow type="read" weight="1"/>
++#
++interface(`corenet_dontaudit_tcp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ dontaudit $1 node_t:tcp_socket node_bind;
++')
++
++########################################
++## <summary>
+## Dontaudit attempts to bind UDP sockets to generic nodes.
+## </summary>
+## <param name="domain">
@@ -3662,7 +3709,7 @@ index 07126bd..4aecd37 100644
## Bind raw sockets to genric nodes.
## </summary>
## <param name="domain">
-@@ -928,6 +985,24 @@ interface(`corenet_inout_generic_node',`
+@@ -928,6 +1004,24 @@ interface(`corenet_inout_generic_node',`
########################################
## <summary>
@@ -3687,7 +3734,7 @@ index 07126bd..4aecd37 100644
## Send and receive TCP network traffic on all nodes.
## </summary>
## <param name="domain">
-@@ -1102,6 +1177,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
+@@ -1102,6 +1196,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
########################################
## <summary>
@@ -3712,7 +3759,7 @@ index 07126bd..4aecd37 100644
## Bind TCP sockets to all nodes.
## </summary>
## <param name="domain">
-@@ -1157,6 +1250,24 @@ interface(`corenet_raw_bind_all_nodes',`
+@@ -1157,6 +1269,24 @@ interface(`corenet_raw_bind_all_nodes',`
########################################
## <summary>
@@ -3737,7 +3784,7 @@ index 07126bd..4aecd37 100644
## Send and receive TCP network traffic on generic ports.
## </summary>
## <param name="domain">
-@@ -1167,10 +1278,30 @@ interface(`corenet_raw_bind_all_nodes',`
+@@ -1167,10 +1297,30 @@ interface(`corenet_raw_bind_all_nodes',`
#
interface(`corenet_tcp_sendrecv_generic_port',`
gen_require(`
@@ -3770,7 +3817,7 @@ index 07126bd..4aecd37 100644
')
########################################
-@@ -1185,10 +1316,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
+@@ -1185,10 +1335,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
#
interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
gen_require(`
@@ -3783,7 +3830,7 @@ index 07126bd..4aecd37 100644
')
########################################
-@@ -1203,10 +1334,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+@@ -1203,10 +1353,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
#
interface(`corenet_udp_send_generic_port',`
gen_require(`
@@ -3796,7 +3843,7 @@ index 07126bd..4aecd37 100644
')
########################################
-@@ -1221,10 +1352,10 @@ interface(`corenet_udp_send_generic_port',`
+@@ -1221,10 +1371,10 @@ interface(`corenet_udp_send_generic_port',`
#
interface(`corenet_udp_receive_generic_port',`
gen_require(`
@@ -3809,7 +3856,7 @@ index 07126bd..4aecd37 100644
')
########################################
-@@ -1244,6 +1375,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1244,6 +1394,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
########################################
## <summary>
@@ -3836,7 +3883,7 @@ index 07126bd..4aecd37 100644
## Bind TCP sockets to generic ports.
## </summary>
## <param name="domain">
-@@ -1254,16 +1405,35 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1254,16 +1424,35 @@ interface(`corenet_udp_sendrecv_generic_port',`
#
interface(`corenet_tcp_bind_generic_port',`
gen_require(`
@@ -3874,7 +3921,7 @@ index 07126bd..4aecd37 100644
## Do not audit bind TCP sockets to generic ports.
## </summary>
## <param name="domain">
-@@ -1274,10 +1444,10 @@ interface(`corenet_tcp_bind_generic_port',`
+@@ -1274,10 +1463,10 @@ interface(`corenet_tcp_bind_generic_port',`
#
interface(`corenet_dontaudit_tcp_bind_generic_port',`
gen_require(`
@@ -3887,7 +3934,7 @@ index 07126bd..4aecd37 100644
')
########################################
-@@ -1292,16 +1462,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+@@ -1292,16 +1481,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
#
interface(`corenet_udp_bind_generic_port',`
gen_require(`
@@ -3924,15 +3971,14 @@ index 07126bd..4aecd37 100644
## Connect TCP sockets to generic ports.
## </summary>
## <param name="domain">
-@@ -1312,10 +1500,28 @@ interface(`corenet_udp_bind_generic_port',`
+@@ -1312,10 +1519,28 @@ interface(`corenet_udp_bind_generic_port',`
#
interface(`corenet_tcp_connect_generic_port',`
gen_require(`
- type port_t;
+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- allow $1 port_t:tcp_socket name_connect;
++ ')
++
+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;
+')
+
@@ -3949,13 +3995,14 @@ index 07126bd..4aecd37 100644
+interface(`corenet_dccp_sendrecv_all_ports',`
+ gen_require(`
+ attribute port_type;
-+ ')
-+
+ ')
+
+- allow $1 port_t:tcp_socket name_connect;
+ allow $1 port_type:dccp_socket { send_msg recv_msg };
')
########################################
-@@ -1439,6 +1645,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
+@@ -1439,6 +1664,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
########################################
## <summary>
@@ -3981,7 +4028,7 @@ index 07126bd..4aecd37 100644
## Bind TCP sockets to all ports.
## </summary>
## <param name="domain">
-@@ -1458,6 +1683,24 @@ interface(`corenet_tcp_bind_all_ports',`
+@@ -1458,6 +1702,24 @@ interface(`corenet_tcp_bind_all_ports',`
########################################
## <summary>
@@ -4006,7 +4053,7 @@ index 07126bd..4aecd37 100644
## Do not audit attepts to bind TCP sockets to any ports.
## </summary>
## <param name="domain">
-@@ -1513,6 +1756,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
+@@ -1513,6 +1775,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
########################################
## <summary>
@@ -4031,7 +4078,7 @@ index 07126bd..4aecd37 100644
## Connect TCP sockets to all ports.
## </summary>
## <desc>
-@@ -1559,6 +1820,25 @@ interface(`corenet_tcp_connect_all_ports',`
+@@ -1559,6 +1839,25 @@ interface(`corenet_tcp_connect_all_ports',`
########################################
## <summary>
@@ -4057,7 +4104,7 @@ index 07126bd..4aecd37 100644
## Do not audit attempts to connect TCP sockets
## to all ports.
## </summary>
-@@ -1578,6 +1858,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
+@@ -1578,6 +1877,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
########################################
## <summary>
@@ -4082,7 +4129,7 @@ index 07126bd..4aecd37 100644
## Send and receive TCP network traffic on generic reserved ports.
## </summary>
## <param name="domain">
-@@ -1647,6 +1945,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+@@ -1647,6 +1964,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
########################################
## <summary>
@@ -4108,7 +4155,7 @@ index 07126bd..4aecd37 100644
## Bind TCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
-@@ -1685,6 +2002,24 @@ interface(`corenet_udp_bind_reserved_port',`
+@@ -1685,6 +2021,24 @@ interface(`corenet_udp_bind_reserved_port',`
########################################
## <summary>
@@ -4133,7 +4180,7 @@ index 07126bd..4aecd37 100644
## Connect TCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
-@@ -1703,6 +2038,24 @@ interface(`corenet_tcp_connect_reserved_port',`
+@@ -1703,6 +2057,24 @@ interface(`corenet_tcp_connect_reserved_port',`
########################################
## <summary>
@@ -4158,7 +4205,7 @@ index 07126bd..4aecd37 100644
## Send and receive TCP network traffic on all reserved ports.
## </summary>
## <param name="domain">
-@@ -1752,12 +2105,210 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+@@ -1752,12 +2124,210 @@ interface(`corenet_udp_receive_all_reserved_ports',`
attribute reserved_port_type;
')
@@ -4371,7 +4418,7 @@ index 07126bd..4aecd37 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1765,14 +2316,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+@@ -1765,14 +2335,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
## </summary>
## </param>
#
@@ -4393,7 +4440,7 @@ index 07126bd..4aecd37 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1780,36 +2334,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
+@@ -1780,36 +2353,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
## </summary>
## </param>
#
@@ -4437,7 +4484,7 @@ index 07126bd..4aecd37 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1817,36 +2370,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+@@ -1817,36 +2389,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
## </summary>
## </param>
#
@@ -4488,7 +4535,7 @@ index 07126bd..4aecd37 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1854,17 +2406,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+@@ -1854,17 +2425,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
## </summary>
## </param>
#
@@ -4509,7 +4556,7 @@ index 07126bd..4aecd37 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1872,67 +2424,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+@@ -1872,67 +2443,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
## </summary>
## </param>
#
@@ -4596,7 +4643,7 @@ index 07126bd..4aecd37 100644
')
########################################
-@@ -1955,6 +2508,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
+@@ -1955,6 +2527,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
########################################
## <summary>
@@ -4622,7 +4669,7 @@ index 07126bd..4aecd37 100644
## Do not audit attempts to connect TCP sockets
## all rpc ports.
## </summary>
-@@ -1993,6 +2565,24 @@ interface(`corenet_rw_tun_tap_dev',`
+@@ -1993,6 +2584,24 @@ interface(`corenet_rw_tun_tap_dev',`
########################################
## <summary>
@@ -4647,7 +4694,7 @@ index 07126bd..4aecd37 100644
## Do not audit attempts to read or write the TUN/TAP
## virtual network device.
## </summary>
-@@ -2049,6 +2639,25 @@ interface(`corenet_rw_ppp_dev',`
+@@ -2049,6 +2658,25 @@ interface(`corenet_rw_ppp_dev',`
########################################
## <summary>
@@ -4673,7 +4720,7 @@ index 07126bd..4aecd37 100644
## Bind TCP sockets to all RPC ports.
## </summary>
## <param name="domain">
-@@ -2068,6 +2677,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2696,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
########################################
## <summary>
@@ -4698,7 +4745,7 @@ index 07126bd..4aecd37 100644
## Do not audit attempts to bind TCP sockets to all RPC ports.
## </summary>
## <param name="domain">
-@@ -2194,6 +2821,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2840,25 @@ interface(`corenet_tcp_recv_netlabel',`
########################################
## <summary>
@@ -4724,7 +4771,7 @@ index 07126bd..4aecd37 100644
## Receive TCP packets from a NetLabel connection.
## </summary>
## <param name="domain">
-@@ -2213,7 +2859,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,7 +2878,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
########################################
## <summary>
@@ -4733,7 +4780,7 @@ index 07126bd..4aecd37 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2221,10 +2867,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2221,10 +2886,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
## </summary>
## </param>
#
@@ -4751,7 +4798,7 @@ index 07126bd..4aecd37 100644
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
-@@ -2249,6 +2900,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2919,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
########################################
## <summary>
@@ -4778,7 +4825,7 @@ index 07126bd..4aecd37 100644
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
## </summary>
-@@ -2269,6 +2940,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2959,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
########################################
## <summary>
@@ -4806,7 +4853,7 @@ index 07126bd..4aecd37 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2533,15 +3225,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,15 +3244,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
## <infoflow type="read" weight="10"/>
#
interface(`corenet_all_recvfrom_unlabeled',`
@@ -4826,7 +4873,7 @@ index 07126bd..4aecd37 100644
')
########################################
-@@ -2567,11 +3254,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
+@@ -2567,11 +3273,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
#
interface(`corenet_all_recvfrom_netlabel',`
gen_require(`
@@ -4864,7 +4911,7 @@ index 07126bd..4aecd37 100644
')
########################################
-@@ -2585,6 +3295,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3314,7 @@ interface(`corenet_all_recvfrom_netlabel',`
## </param>
#
interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@@ -4872,7 +4919,7 @@ index 07126bd..4aecd37 100644
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
kernel_dontaudit_udp_recvfrom_unlabeled($1)
kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3324,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3343,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
')
dontaudit $1 netlabel_peer_t:peer recv;
@@ -4909,7 +4956,7 @@ index 07126bd..4aecd37 100644
')
########################################
-@@ -2727,6 +3466,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3485,7 @@ interface(`corenet_raw_recvfrom_labeled',`
## </param>
#
interface(`corenet_all_recvfrom_labeled',`
@@ -4917,7 +4964,7 @@ index 07126bd..4aecd37 100644
corenet_tcp_recvfrom_labeled($1, $2)
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3874,53 @@ interface(`corenet_unconfined',`
+@@ -3134,3 +3893,53 @@ interface(`corenet_unconfined',`
typeattribute $1 corenet_unconfined_type;
')
@@ -5027,7 +5074,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..49513c7 100644
+index 4edc40d..f678b45 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5200,7 +5247,8 @@ index 4edc40d..49513c7 100644
network_port(mail, tcp,2000,s0, tcp,3905,s0)
network_port(matahari, tcp,49000,s0, udp,49000,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
- network_port(milter) # no defined portcon
+-network_port(milter) # no defined portcon
++network_port(milter, tcp, 8891, s0) # no defined portcon
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mongod, tcp,27017,s0)
network_port(monopd, tcp,1234,s0)
@@ -5332,7 +5380,16 @@ index 4edc40d..49513c7 100644
########################################
#
-@@ -342,9 +388,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -330,6 +376,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+
+ build_option(`enable_mls',`
+ network_interface(lo, lo, s0 - mls_systemhigh)
++allow netlabel_peer_t lo_netif_t:netif ingress;
++allow netlabel_peer_type lo_netif_t:netif egress;
+ ',`
+ typealias netif_t alias { lo_netif_t netif_lo_t };
+ ')
+@@ -342,9 +390,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -7634,7 +7691,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..431baa5 100644
+index cf04cb5..274ef6d 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -7760,7 +7817,7 @@ index cf04cb5..431baa5 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,261 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,265 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -7809,6 +7866,10 @@ index cf04cb5..431baa5 100644
+')
+
+optional_policy(`
++ abrt_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ alsa_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -8023,7 +8084,7 @@ index cf04cb5..431baa5 100644
+ ')
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c2c6e05..d0e6d1c 100644
+index c2c6e05..96aeeef 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -8220,7 +8281,7 @@ index c2c6e05..d0e6d1c 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
-@@ -237,11 +243,21 @@ ifndef(`distro_redhat',`
+@@ -237,11 +243,22 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -8230,6 +8291,7 @@ index c2c6e05..d0e6d1c 100644
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
+-/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
@@ -8237,12 +8299,13 @@ index c2c6e05..d0e6d1c 100644
+/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
- /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
++/var/lock -d gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
++/var/lock/.* <<none>>
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
-@@ -262,6 +278,7 @@ ifndef(`distro_redhat',`
+@@ -262,6 +279,7 @@ ifndef(`distro_redhat',`
/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
@@ -8250,17 +8313,137 @@ index c2c6e05..d0e6d1c 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -270,3 +287,5 @@ ifndef(`distro_redhat',`
+@@ -270,3 +288,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..8a9355a 100644
+index 64ff4d7..90999af 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
-@@ -55,6 +55,7 @@
+@@ -19,6 +19,119 @@
+ ## Comains the file initial SID.
+ ## </required>
+
++#####################################
++## <summary>
++## files stub etc_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_etc',`
++ gen_require(`
++ type etc_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub var_lock_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_var_lock',`
++ gen_require(`
++ type var_lock_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub var_log_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_var_log',`
++ gen_require(`
++ type var_log_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub var_lib_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_var_lib',`
++ gen_require(`
++ type var_lib_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub var_run_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_var_run',`
++ gen_require(`
++ type var_run_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub var_run_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_var_spool',`
++ gen_require(`
++ type var_spool_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub tmp_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_tmp',`
++ gen_require(`
++ type tmp_t;
++ ')
++')
++
++
+ ########################################
+ ## <summary>
+ ## Make the specified type usable for files
+@@ -55,6 +168,7 @@
## <li>files_pid_file()</li>
## <li>files_security_file()</li>
## <li>files_security_mountpoint()</li>
@@ -8268,7 +8451,87 @@ index 64ff4d7..8a9355a 100644
## <li>files_tmp_file()</li>
## <li>files_tmpfs_file()</li>
## <li>logging_log_file()</li>
-@@ -521,7 +522,7 @@ interface(`files_mounton_non_security',`
+@@ -125,30 +239,31 @@ interface(`files_security_file',`
+ typeattribute $1 file_type, security_file_type, non_auth_file_type;
+ ')
+
++
+ ########################################
+ ## <summary>
+ ## Make the specified type usable for
+-## lock files.
++## filesystem mount points.
+ ## </summary>
+ ## <param name="type">
+ ## <summary>
+-## Type to be used for lock files.
++## Type to be used for mount points.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_lock_file',`
++interface(`files_mountpoint',`
+ gen_require(`
+- attribute lockfile;
++ attribute mountpoint;
+ ')
+
+ files_type($1)
+- typeattribute $1 lockfile;
++ typeattribute $1 mountpoint;
+ ')
+
+ ########################################
+ ## <summary>
+ ## Make the specified type usable for
+-## filesystem mount points.
++## security file filesystem mount points.
+ ## </summary>
+ ## <param name="type">
+ ## <summary>
+@@ -156,33 +271,33 @@ interface(`files_lock_file',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_mountpoint',`
++interface(`files_security_mountpoint',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+- files_type($1)
++ files_security_file($1)
+ typeattribute $1 mountpoint;
+ ')
+
+ ########################################
+ ## <summary>
+ ## Make the specified type usable for
+-## security file filesystem mount points.
++## lock files.
+ ## </summary>
+ ## <param name="type">
+ ## <summary>
+-## Type to be used for mount points.
++## Type to be used for lock files.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_security_mountpoint',`
++interface(`files_lock_file',`
+ gen_require(`
+- attribute mountpoint;
++ attribute lockfile;
+ ')
+
+- files_security_file($1)
+- typeattribute $1 mountpoint;
++ files_type($1)
++ typeattribute $1 lockfile;
+ ')
+
+ ########################################
+@@ -521,7 +636,7 @@ interface(`files_mounton_non_security',`
attribute non_security_file_type;
')
@@ -8277,7 +8540,7 @@ index 64ff4d7..8a9355a 100644
allow $1 non_security_file_type:file mounton;
')
-@@ -620,6 +621,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+@@ -620,6 +735,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
########################################
## <summary>
@@ -8341,7 +8604,7 @@ index 64ff4d7..8a9355a 100644
## Read all files.
## </summary>
## <param name="domain">
-@@ -683,12 +741,82 @@ interface(`files_read_non_security_files',`
+@@ -683,12 +855,82 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -8424,7 +8687,7 @@ index 64ff4d7..8a9355a 100644
## Read all directories on the filesystem, except
## the listed exceptions.
## </summary>
-@@ -953,6 +1081,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+@@ -953,6 +1195,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
########################################
## <summary>
@@ -8450,7 +8713,7 @@ index 64ff4d7..8a9355a 100644
## Get the attributes of all named sockets.
## </summary>
## <param name="domain">
-@@ -991,6 +1138,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1252,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
## <summary>
@@ -8476,7 +8739,7 @@ index 64ff4d7..8a9355a 100644
## Do not audit attempts to get the attributes
## of non security named sockets.
## </summary>
-@@ -1073,10 +1239,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,10 +1353,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8489,7 +8752,7 @@ index 64ff4d7..8a9355a 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1346,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1460,6 @@ interface(`files_list_all',`
########################################
## <summary>
@@ -8514,7 +8777,7 @@ index 64ff4d7..8a9355a 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1443,9 +1589,6 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1703,6 @@ interface(`files_relabel_non_auth_files',`
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -8524,7 +8787,7 @@ index 64ff4d7..8a9355a 100644
')
#############################################
-@@ -1583,6 +1726,24 @@ interface(`files_getattr_all_mountpoints',`
+@@ -1583,6 +1840,24 @@ interface(`files_getattr_all_mountpoints',`
########################################
## <summary>
@@ -8549,7 +8812,7 @@ index 64ff4d7..8a9355a 100644
## Set the attributes of all mount points.
## </summary>
## <param name="domain">
-@@ -1673,6 +1834,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1673,6 +1948,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
@@ -8574,11 +8837,33 @@ index 64ff4d7..8a9355a 100644
## Do not audit attempts to write to mount points.
## </summary>
## <param name="domain">
-@@ -1691,6 +1870,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,7 +1984,7 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
## <summary>
+-## List the contents of the root directory.
+## Write all file type directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1699,12 +1992,30 @@ interface(`files_dontaudit_write_all_mountpoints',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_root',`
++interface(`files_write_all_dirs',`
+ gen_require(`
+- type root_t;
++ attribute file_type;
+ ')
+
+- allow $1 root_t:dir list_dir_perms;
++ allow $1 file_type:dir write;
++')
++
++########################################
++## <summary>
++## List the contents of the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -8586,20 +8871,16 @@ index 64ff4d7..8a9355a 100644
+## </summary>
+## </param>
+#
-+interface(`files_write_all_dirs',`
++interface(`files_list_root',`
+ gen_require(`
-+ attribute file_type;
++ type root_t;
+ ')
+
-+ allow $1 file_type:dir write;
-+')
-+
-+########################################
-+## <summary>
- ## List the contents of the root directory.
- ## </summary>
- ## <param name="domain">
-@@ -1874,25 +2071,25 @@ interface(`files_delete_root_dir_entry',`
++ allow $1 root_t:dir list_dir_perms;
+ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ')
+
+@@ -1874,25 +2185,25 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
@@ -8631,7 +8912,7 @@ index 64ff4d7..8a9355a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1905,7 +2102,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2216,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -8640,7 +8921,7 @@ index 64ff4d7..8a9355a 100644
')
########################################
-@@ -1928,6 +2125,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2239,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
@@ -8665,7 +8946,7 @@ index 64ff4d7..8a9355a 100644
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
-@@ -2627,6 +2842,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +2956,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -8690,7 +8971,7 @@ index 64ff4d7..8a9355a 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2698,6 +2931,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3045,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -8698,7 +8979,7 @@ index 64ff4d7..8a9355a 100644
')
########################################
-@@ -2706,7 +2940,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3054,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -8707,123 +8988,37 @@ index 64ff4d7..8a9355a 100644
## </summary>
## </param>
#
-@@ -2762,25 +2996,26 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3110,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
--## Delete system configuration files in /etc.
+## Do not audit attempts to check the
+## access on etc files
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_delete_etc_files',`
-+interface(`files_dontaudit_access_check_etc',`
- gen_require(`
- type etc_t;
- ')
-
-- delete_files_pattern($1, etc_t, etc_t)
-+ dontaudit $1 etc_t:dir_file_class_set audit_access;
- ')
-
- ########################################
- ## <summary>
--## Execute generic files in /etc.
-+## Delete system configuration files in /etc.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2788,19 +3023,17 @@ interface(`files_delete_etc_files',`
- ## </summary>
- ## </param>
- #
--interface(`files_exec_etc_files',`
-+interface(`files_delete_etc_files',`
- gen_require(`
- type etc_t;
- ')
-
-- allow $1 etc_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, etc_t, etc_t)
-- exec_files_pattern($1, etc_t, etc_t)
-+ delete_files_pattern($1, etc_t, etc_t)
- ')
-
--#######################################
-+########################################
- ## <summary>
--## Relabel from and to generic files in /etc.
-+## Remove entries from the etc directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2808,18 +3041,17 @@ interface(`files_exec_etc_files',`
- ## </summary>
- ## </param>
- #
--interface(`files_relabel_etc_files',`
-+interface(`files_delete_etc_dir_entry',`
- gen_require(`
- type etc_t;
- ')
-
-- allow $1 etc_t:dir list_dir_perms;
-- relabel_files_pattern($1, etc_t, etc_t)
-+ allow $1 etc_t:dir del_entry_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Read symbolic links in /etc.
-+## Execute generic files in /etc.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2827,17 +3059,56 @@ interface(`files_relabel_etc_files',`
- ## </summary>
- ## </param>
- #
--interface(`files_read_etc_symlinks',`
-+interface(`files_exec_etc_files',`
- gen_require(`
- type etc_t;
- ')
-
-+ allow $1 etc_t:dir list_dir_perms;
- read_lnk_files_pattern($1, etc_t, etc_t)
-+ exec_files_pattern($1, etc_t, etc_t)
- ')
-
--########################################
-+#######################################
- ## <summary>
--## Create, read, write, and delete symbolic links in /etc.
-+## Relabel from and to generic files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`files_relabel_etc_files',`
++interface(`files_dontaudit_access_check_etc',`
+ gen_require(`
+ type etc_t;
+ ')
+
-+ allow $1 etc_t:dir list_dir_perms;
-+ relabel_files_pattern($1, etc_t, etc_t)
++ dontaudit $1 etc_t:dir_file_class_set audit_access;
+')
+
+########################################
+## <summary>
-+## Read symbolic links in /etc.
+ ## Delete system configuration files in /etc.
+ ## </summary>
+ ## <param name="domain">
+@@ -2780,6 +3147,24 @@ interface(`files_delete_etc_files',`
+
+ ########################################
+ ## <summary>
++## Remove entries from the etc directory.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -8831,21 +9026,20 @@ index 64ff4d7..8a9355a 100644
+## </summary>
+## </param>
+#
-+interface(`files_read_etc_symlinks',`
++interface(`files_delete_etc_dir_entry',`
+ gen_require(`
+ type etc_t;
+ ')
+
-+ read_lnk_files_pattern($1, etc_t, etc_t)
++ allow $1 etc_t:dir del_entry_dir_perms;
+')
+
+########################################
+## <summary>
-+## Create, read, write, and delete symbolic links in /etc.
+ ## Execute generic files in /etc.
## </summary>
## <param name="domain">
- ## <summary>
-@@ -2945,24 +3216,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3330,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -8870,7 +9064,7 @@ index 64ff4d7..8a9355a 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -3003,9 +3256,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3370,7 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -8881,7 +9075,7 @@ index 64ff4d7..8a9355a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3013,18 +3264,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3378,17 @@ interface(`files_read_etc_runtime_files',`
## </summary>
## </param>
#
@@ -8903,7 +9097,7 @@ index 64ff4d7..8a9355a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3042,6 +3292,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3406,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
## <summary>
@@ -8930,7 +9124,7 @@ index 64ff4d7..8a9355a 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -3059,6 +3329,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3443,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -8938,7 +9132,7 @@ index 64ff4d7..8a9355a 100644
')
########################################
-@@ -3080,6 +3351,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3465,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -8946,7 +9140,7 @@ index 64ff4d7..8a9355a 100644
')
########################################
-@@ -3132,6 +3404,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3518,25 @@ interface(`files_getattr_isid_type_dirs',`
########################################
## <summary>
@@ -8972,7 +9166,7 @@ index 64ff4d7..8a9355a 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
-@@ -3208,6 +3499,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3613,25 @@ interface(`files_delete_isid_type_dirs',`
########################################
## <summary>
@@ -8998,7 +9192,7 @@ index 64ff4d7..8a9355a 100644
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3455,6 +3765,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3879,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
## <summary>
@@ -9024,7 +9218,7 @@ index 64ff4d7..8a9355a 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3796,20 +4125,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4239,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -9068,64 +9262,98 @@ index 64ff4d7..8a9355a 100644
')
########################################
-@@ -4199,6 +4546,133 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,156 +4660,176 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Allow the specified type to associate
+-## to a filesystem with the type of the
+-## temporary directory (/tmp).
+## Read manageable system configuration files in /etc
-+## </summary>
+ ## </summary>
+-## <param name="file_type">
+-## <summary>
+-## Type of the file to associate.
+-## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_associate_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_read_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- allow $1 tmp_t:filesystem associate;
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, system_conf_t)
+ read_lnk_files_pattern($1, etc_t, system_conf_t)
-+')
-+
+ ')
+
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Get the attributes of the tmp directory (/tmp).
+## Manage manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_getattr_tmp_dirs',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- allow $1 tmp_t:dir getattr;
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+ files_filetrans_system_conf_named_files($1)
-+')
-+
+ ')
+
+-########################################
+#####################################
-+## <summary>
+ ## <summary>
+-## Do not audit attempts to get the
+-## attributes of the tmp directory (/tmp).
+## File name transition for system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_tmp_dirs',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- dontaudit $1 tmp_t:dir getattr;
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
@@ -9142,124 +9370,195 @@ index 64ff4d7..8a9355a 100644
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
-+')
-+
+ ')
+
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Search the tmp directory (/tmp).
+## Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_search_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-+
+
+- allow $1 tmp_t:dir search_dir_perms;
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Do not audit attempts to search the tmp directory (/tmp).
+## Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain to not audit.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_search_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-+
+
+- dontaudit $1 tmp_t:dir search_dir_perms;
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+
+-########################################
+###################################
-+## <summary>
+ ## <summary>
+-## Read the tmp directory (/tmp).
+## Create files in /etc with the type used for
+## the manageable system config files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## The type of the process performing this action.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_list_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- allow $1 tmp_t:dir list_dir_perms;
+ filetrans_pattern($1, etc_t, system_conf_t, file)
-+')
-+
+ ')
+
########################################
## <summary>
- ## Allow the specified type to associate
-@@ -4221,6 +4695,26 @@ interface(`files_associate_tmp',`
+-## Do not audit listing of the tmp directory (/tmp).
++## Allow the specified type to associate
++## to a filesystem with the type of the
++## temporary directory (/tmp).
+ ## </summary>
+-## <param name="domain">
++## <param name="file_type">
+ ## <summary>
+-## Domain not to audit.
++## Type of the file to associate.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_list_tmp',`
++interface(`files_associate_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+- dontaudit $1 tmp_t:dir list_dir_perms;
++ allow $1 tmp_t:filesystem associate;
+ ')
########################################
## <summary>
+-## Remove entries from the tmp directory.
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <param name="file_type">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Type of the file to associate.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_tmp_dir_entry',`
+interface(`files_associate_rootfs',`
-+ gen_require(`
+ gen_require(`
+- type tmp_t;
+ type root_t;
-+ ')
-+
+ ')
+
+- allow $1 tmp_t:dir del_entry_dir_perms;
+ allow $1 root_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
- ## Get the attributes of the tmp directory (/tmp).
+ ')
+
+ ########################################
+ ## <summary>
+-## Read files in the tmp directory (/tmp).
++## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4234,17 +4728,37 @@ interface(`files_getattr_tmp_dirs',`
+ ## <summary>
+@@ -4356,53 +4837,56 @@ interface(`files_delete_tmp_dir_entry',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_files',`
++interface(`files_getattr_tmp_dirs',`
+ gen_require(`
type tmp_t;
')
+- read_files_pattern($1, tmp_t, tmp_t)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir getattr;
++ allow $1 tmp_t:dir getattr;
')
########################################
## <summary>
+-## Manage temporary directories in /tmp.
+## Do not audit attempts to check the
+## access on tmp files
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_dirs',`
+interface(`files_dontaudit_access_check_tmp',`
-+ gen_require(`
+ gen_require(`
+- type tmp_t;
+ type etc_t;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, tmp_t, tmp_t)
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to get the
- ## attributes of the tmp directory (/tmp).
+ ')
+
+ ########################################
+ ## <summary>
+-## Manage temporary files and directories in /tmp.
++## Do not audit attempts to get the
++## attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
## <summary>
@@ -9268,77 +9567,218 @@ index 64ff4d7..8a9355a 100644
## </summary>
## </param>
#
-@@ -4271,6 +4785,7 @@ interface(`files_search_tmp',`
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_dontaudit_getattr_tmp_dirs',`
+ gen_require(`
type tmp_t;
')
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir search_dir_perms;
+- manage_files_pattern($1, tmp_t, tmp_t)
++ dontaudit $1 tmp_t:dir getattr;
')
-@@ -4307,6 +4822,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ## <summary>
+-## Read symbolic links in the tmp directory (/tmp).
++## Search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4410,35 +4894,36 @@ interface(`files_manage_generic_tmp_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_symlinks',`
++interface(`files_search_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write generic named sockets in the tmp directory (/tmp).
++## Do not audit attempts to search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_rw_generic_tmp_sockets',`
++interface(`files_dontaudit_search_tmp',`
+ gen_require(`
type tmp_t;
')
+- rw_sock_files_pattern($1, tmp_t, tmp_t)
++ dontaudit $1 tmp_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Set the attributes of all tmp directories.
++## Read the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4446,77 +4931,74 @@ interface(`files_rw_generic_tmp_sockets',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_list_tmp',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir { search_dir_perms setattr };
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir list_dir_perms;
++ allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4316,7 +4832,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ## <summary>
+-## List all tmp directories.
++## Do not audit listing of the tmp directory (/tmp).
## </summary>
## <param name="domain">
## <summary>
--## Domain not to audit.
+-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-@@ -4328,6 +4844,25 @@ interface(`files_dontaudit_list_tmp',`
- dontaudit $1 tmp_t:dir list_dir_perms;
+-interface(`files_list_all_tmp',`
++interface(`files_dontaudit_list_tmp',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
++ dontaudit $1 tmp_t:dir list_dir_perms;
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Relabel to and from all temporary
+-## directory types.
+## Allow read and write to the tmp directory (/tmp).
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain not to audit.
+## </summary>
-+## </param>
-+#
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_dirs',`
+- gen_require(`
+- attribute tmpfile;
+- type var_t;
+- ')
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
-+
+
+- allow $1 var_t:dir search_dir_perms;
+- relabel_dirs_pattern($1, tmpfile, tmpfile)
+ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
-+')
-+
+ ')
+
########################################
## <summary>
- ## Remove entries from the tmp directory.
-@@ -4343,6 +4878,7 @@ interface(`files_delete_tmp_dir_entry',`
- type tmp_t;
+-## Do not audit attempts to get the attributes
+-## of all tmp files.
++## Remove entries from the tmp directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain not to audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_delete_tmp_dir_entry',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
')
+- dontaudit $1 tmpfile:file getattr;
+ files_search_tmp($1)
- allow $1 tmp_t:dir del_entry_dir_perms;
++ allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4384,13 +4920,39 @@ interface(`files_manage_generic_tmp_dirs',`
+ ########################################
+ ## <summary>
+-## Allow attempts to get the attributes
+-## of all tmp files.
++## Read files in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4524,58 +5006,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_read_generic_tmp_files',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:file getattr;
++ read_files_pattern($1, tmp_t, tmp_t)
+ ')
########################################
## <summary>
--## Manage temporary files and directories in /tmp.
+-## Relabel to and from all temporary
+-## file types.
++## Manage temporary directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_files',`
++interface(`files_manage_generic_tmp_dirs',`
+ gen_require(`
+- attribute tmpfile;
+- type var_t;
++ type tmp_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- relabel_files_pattern($1, tmpfile, tmpfile)
++ manage_dirs_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get the attributes
+-## of all tmp sock_file.
+## Allow shared library text relocations in tmp files.
## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
+## <desc>
+## <p>
+## Allow shared library text relocations in tmp files.
@@ -9347,160 +9787,2335 @@ index 64ff4d7..8a9355a 100644
+## This is added to support java policy.
+## </p>
+## </desc>
-+## <param name="domain">
-+## <summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain not to audit.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
+interface(`files_execmod_tmp',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+- dontaudit $1 tmpfile:sock_file getattr;
+ allow $1 tmpfile:file execmod;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read all tmp files.
+## Manage temporary files and directories in /tmp.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4583,51 +5068,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ ## </summary>
+ ## </param>
#
- interface(`files_manage_generic_tmp_files',`
+-interface(`files_read_all_tmp_files',`
++interface(`files_manage_generic_tmp_files',`
gen_require(`
-@@ -4438,6 +5000,42 @@ interface(`files_rw_generic_tmp_sockets',`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- read_files_pattern($1, tmpfile, tmpfile)
++ manage_files_pattern($1, tmp_t, tmp_t)
+ ')
########################################
## <summary>
-+## Relabel a dir from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_relabelfrom_tmp_dirs',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
-+## Relabel a file from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_relabelfrom_tmp_files',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
- ## Set the attributes of all tmp directories.
+-## Create an object in the tmp directories, with a private
+-## type using a type transition.
++## Read symbolic links in the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4456,6 +5054,60 @@ interface(`files_setattr_all_tmp_dirs',`
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private type">
+-## <summary>
+-## The type of the object to be created.
+-## </summary>
+-## </param>
+-## <param name="object">
+-## <summary>
+-## The object class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`files_tmp_filetrans',`
++interface(`files_read_generic_tmp_symlinks',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+- filetrans_pattern($1, tmp_t, $2, $3, $4)
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ ')
########################################
## <summary>
-+## Allow caller to read inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_read_inherited_tmp_files',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
-+')
-+
-+########################################
-+## <summary>
-+## Allow caller to append inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_append_inherited_tmp_files',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:file append_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Allow caller to read and write inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_rw_inherited_tmp_file',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## List all tmp directories.
+-## Delete the contents of /tmp.
++## Read and write generic named sockets in the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4501,7 +5153,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ## <summary>
+@@ -4635,22 +5104,17 @@ interface(`files_tmp_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_purge_tmp',`
++interface(`files_rw_generic_tmp_sockets',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
+- delete_dirs_pattern($1, tmpfile, tmpfile)
+- delete_files_pattern($1, tmpfile, tmpfile)
+- delete_lnk_files_pattern($1, tmpfile, tmpfile)
+- delete_fifo_files_pattern($1, tmpfile, tmpfile)
+- delete_sock_files_pattern($1, tmpfile, tmpfile)
++ rw_sock_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Set the attributes of the /usr directory.
++## Relabel a dir from the type used in /tmp.
## </summary>
## <param name="domain">
## <summary>
--## Domain not to audit.
-+## Domain to not audit.
+@@ -4658,17 +5122,17 @@ interface(`files_purge_tmp',`
## </summary>
## </param>
#
-@@ -4561,7 +5213,7 @@ interface(`files_relabel_all_tmp_files',`
+-interface(`files_setattr_usr_dirs',`
++interface(`files_relabelfrom_tmp_dirs',`
+ gen_require(`
+- type usr_t;
++ type tmp_t;
+ ')
+
+- allow $1 usr_t:dir setattr;
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the content of /usr.
++## Relabel a file from the type used in /tmp.
## </summary>
## <param name="domain">
## <summary>
--## Domain not to audit.
-+## Domain to not audit.
+@@ -4676,18 +5140,17 @@ interface(`files_setattr_usr_dirs',`
## </summary>
## </param>
#
-@@ -4593,6 +5245,44 @@ interface(`files_read_all_tmp_files',`
+-interface(`files_search_usr',`
++interface(`files_relabelfrom_tmp_files',`
+ gen_require(`
+- type usr_t;
++ type tmp_t;
+ ')
+
+- allow $1 usr_t:dir search_dir_perms;
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
+ ')
########################################
## <summary>
+-## List the contents of generic
+-## directories in /usr.
++## Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4695,35 +5158,35 @@ interface(`files_search_usr',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_usr',`
++interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- allow $1 usr_t:dir list_dir_perms;
++ allow $1 tmpfile:dir { search_dir_perms setattr };
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit write of /usr dirs
++## Allow caller to read inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_usr_dirs',`
++interface(`files_read_inherited_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- dontaudit $1 usr_t:dir write;
++ allow $1 tmpfile:file { append read_inherited_file_perms };
+ ')
+
+ ########################################
+ ## <summary>
+-## Add and remove entries from /usr directories.
++## Allow caller to append inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4731,36 +5194,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_rw_usr_dirs',`
++interface(`files_append_inherited_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- allow $1 usr_t:dir rw_dir_perms;
++ allow $1 tmpfile:file append_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to add and remove
+-## entries from /usr directories.
++## Allow caller to read and write inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_usr_dirs',`
++interface(`files_rw_inherited_tmp_file',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- dontaudit $1 usr_t:dir rw_dir_perms;
++ allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete generic directories in /usr in the caller domain.
++## List all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4768,111 +5230,100 @@ interface(`files_dontaudit_rw_usr_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_usr_dirs',`
++interface(`files_list_all_tmp',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- delete_dirs_pattern($1, usr_t, usr_t)
++ allow $1 tmpfile:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete generic files in /usr in the caller domain.
++## Relabel to and from all temporary
++## directory types.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_delete_usr_files',`
++interface(`files_relabel_all_tmp_dirs',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
++ type var_t;
+ ')
+
+- delete_files_pattern($1, usr_t, usr_t)
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of files in /usr.
++## Do not audit attempts to get the attributes
++## of all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_getattr_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- getattr_files_pattern($1, usr_t, usr_t)
++ dontaudit $1 tmpfile:file getattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic files in /usr.
++## Allow attempts to get the attributes
++## of all tmp files.
+ ## </summary>
+-## <desc>
+-## <p>
+-## Allow the specified domain to read generic
+-## files in /usr. These files are various program
+-## files that do not have more specific SELinux types.
+-## Some examples of these files are:
+-## </p>
+-## <ul>
+-## <li>/usr/include/*</li>
+-## <li>/usr/share/doc/*</li>
+-## <li>/usr/share/info/*</li>
+-## </ul>
+-## <p>
+-## Generally, it is safe for many domains to have
+-## this access.
+-## </p>
+-## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="read" weight="10"/>
+ #
+-interface(`files_read_usr_files',`
++interface(`files_getattr_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- allow $1 usr_t:dir list_dir_perms;
+- read_files_pattern($1, usr_t, usr_t)
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ allow $1 tmpfile:file getattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute generic programs in /usr in the caller domain.
++## Relabel to and from all temporary
++## file types.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_exec_usr_files',`
++interface(`files_relabel_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
++ type var_t;
+ ')
+
+- allow $1 usr_t:dir list_dir_perms;
+- exec_files_pattern($1, usr_t, usr_t)
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ allow $1 var_t:dir search_dir_perms;
++ relabel_files_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## dontaudit write of /usr files
++## Do not audit attempts to get the attributes
++## of all tmp sock_file.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4880,35 +5331,17 @@ interface(`files_exec_usr_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_usr_files',`
+- gen_require(`
+- type usr_t;
+- ')
+-
+- dontaudit $1 usr_t:file write;
+-')
+-
+-########################################
+-## <summary>
+-## Create, read, write, and delete files in the /usr directory.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`files_manage_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- manage_files_pattern($1, usr_t, usr_t)
++ dontaudit $1 tmpfile:sock_file getattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel a file to the type used in /usr.
++## Read all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4916,67 +5349,70 @@ interface(`files_manage_usr_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_relabelto_usr_files',`
++interface(`files_read_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- relabelto_files_pattern($1, usr_t, usr_t)
++ read_files_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel a file from the type used in /usr.
+## Do not audit attempts to read or write
+## all leaked tmpfiles files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_relabelfrom_usr_files',`
++interface(`files_dontaudit_tmp_file_leaks',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- relabelfrom_files_pattern($1, usr_t, usr_t)
++ dontaudit $1 tmpfile:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read symbolic links in /usr.
++## Do allow attempts to read or write
++## all leaked tmpfiles files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_usr_symlinks',`
++interface(`files_rw_tmp_file_leaks',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in the /usr directory
++## Create an object in the tmp directories, with a private
++## type using a type transition.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file_type">
++## <param name="private type">
+ ## <summary>
+-## The type of the object to be created
++## The type of the object to be created.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
++## <param name="object">
+ ## <summary>
+-## The object class.
++## The object class of the object being created.
+ ## </summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -4985,35 +5421,50 @@ interface(`files_read_usr_symlinks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_usr_filetrans',`
++interface(`files_tmp_filetrans',`
+ gen_require(`
+- type usr_t;
++ type tmp_t;
+ ')
+
+- filetrans_pattern($1, usr_t, $2, $3, $4)
++ filetrans_pattern($1, tmp_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search /usr/src.
++## Delete the contents of /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_src',`
++interface(`files_purge_tmp',`
+ gen_require(`
+- type src_t;
++ attribute tmpfile;
+ ')
+
+- dontaudit $1 src_t:dir search_dir_perms;
++ allow $1 tmpfile:dir list_dir_perms;
++ delete_dirs_pattern($1, tmpfile, tmpfile)
++ delete_files_pattern($1, tmpfile, tmpfile)
++ delete_lnk_files_pattern($1, tmpfile, tmpfile)
++ delete_fifo_files_pattern($1, tmpfile, tmpfile)
++ delete_sock_files_pattern($1, tmpfile, tmpfile)
++ delete_chr_files_pattern($1, tmpfile, tmpfile)
++ delete_blk_files_pattern($1, tmpfile, tmpfile)
++ files_list_isid_type_dirs($1)
++ files_delete_isid_type_dirs($1)
++ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of files in /usr/src.
++## Set the attributes of the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5021,20 +5472,17 @@ interface(`files_dontaudit_search_src',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_getattr_usr_src_files',`
++interface(`files_setattr_usr_dirs',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
+ ')
+
+- getattr_files_pattern($1, src_t, src_t)
+-
+- # /usr/src/linux symlink:
+- read_lnk_files_pattern($1, usr_t, src_t)
++ allow $1 usr_t:dir setattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read files in /usr/src.
++## Search the content of /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5042,20 +5490,18 @@ interface(`files_getattr_usr_src_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_usr_src_files',`
++interface(`files_search_usr',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
+ ')
+
+ allow $1 usr_t:dir search_dir_perms;
+- read_files_pattern($1, { usr_t src_t }, src_t)
+- read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+- allow $1 src_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute programs in /usr/src in the caller domain.
++## List the contents of generic
++## directories in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5063,38 +5509,35 @@ interface(`files_read_usr_src_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_exec_usr_src_files',`
++interface(`files_list_usr',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
+ ')
+
+- list_dirs_pattern($1, usr_t, src_t)
+- exec_files_pattern($1, src_t, src_t)
+- read_lnk_files_pattern($1, src_t, src_t)
++ allow $1 usr_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Install a system.map into the /boot directory.
++## Do not audit write of /usr dirs
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_create_kernel_symbol_table',`
++interface(`files_dontaudit_write_usr_dirs',`
+ gen_require(`
+- type boot_t, system_map_t;
++ type usr_t;
+ ')
+
+- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+- allow $1 system_map_t:file { create_file_perms rw_file_perms };
++ dontaudit $1 usr_t:dir write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read system.map in the /boot directory.
++## Add and remove entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5102,37 +5545,36 @@ interface(`files_create_kernel_symbol_table',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_kernel_symbol_table',`
++interface(`files_rw_usr_dirs',`
+ gen_require(`
+- type boot_t, system_map_t;
++ type usr_t;
+ ')
+
+- allow $1 boot_t:dir list_dir_perms;
+- read_files_pattern($1, boot_t, system_map_t)
++ allow $1 usr_t:dir rw_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete a system.map in the /boot directory.
++## Do not audit attempts to add and remove
++## entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_kernel_symbol_table',`
++interface(`files_dontaudit_rw_usr_dirs',`
+ gen_require(`
+- type boot_t, system_map_t;
++ type usr_t;
+ ')
+
+- allow $1 boot_t:dir list_dir_perms;
+- delete_files_pattern($1, boot_t, system_map_t)
++ dontaudit $1 usr_t:dir rw_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the contents of /var.
++## Delete generic directories in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5140,35 +5582,35 @@ interface(`files_delete_kernel_symbol_table',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_var',`
++interface(`files_delete_usr_dirs',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to write to /var.
++## Delete generic files in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_var_dirs',`
++interface(`files_delete_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- dontaudit $1 var_t:dir write;
++ delete_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow attempts to write to /var.dirs
++## Get the attributes of files in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5176,36 +5618,55 @@ interface(`files_dontaudit_write_var_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_write_var_dirs',`
++interface(`files_getattr_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- allow $1 var_t:dir write;
++ getattr_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search
+-## the contents of /var.
++## Read generic files in /usr.
+ ## </summary>
++## <desc>
++## <p>
++## Allow the specified domain to read generic
++## files in /usr. These files are various program
++## files that do not have more specific SELinux types.
++## Some examples of these files are:
++## </p>
++## <ul>
++## <li>/usr/include/*</li>
++## <li>/usr/share/doc/*</li>
++## <li>/usr/share/info/*</li>
++## </ul>
++## <p>
++## Generally, it is safe for many domains to have
++## this access.
++## </p>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <infoflow type="read" weight="10"/>
+ #
+-interface(`files_dontaudit_search_var',`
++interface(`files_read_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- dontaudit $1 var_t:dir search_dir_perms;
++ allow $1 usr_t:dir list_dir_perms;
++ read_files_pattern($1, usr_t, usr_t)
++ read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of /var.
++## Execute generic programs in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5213,36 +5674,37 @@ interface(`files_dontaudit_search_var',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_var',`
++interface(`files_exec_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- allow $1 var_t:dir list_dir_perms;
++ allow $1 usr_t:dir list_dir_perms;
++ exec_files_pattern($1, usr_t, usr_t)
++ read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete directories
+-## in the /var directory.
++## dontaudit write of /usr files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_var_dirs',`
++interface(`files_dontaudit_write_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- allow $1 var_t:dir manage_dir_perms;
++ dontaudit $1 usr_t:file write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read files in the /var directory.
++## Create, read, write, and delete files in the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5250,17 +5712,17 @@ interface(`files_manage_var_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_var_files',`
++interface(`files_manage_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- read_files_pattern($1, var_t, var_t)
++ manage_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Append files in the /var directory.
++## Relabel a file to the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5268,17 +5730,17 @@ interface(`files_read_var_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_append_var_files',`
++interface(`files_relabelto_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- append_files_pattern($1, var_t, var_t)
++ relabelto_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write files in the /var directory.
++## Relabel a file from the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5286,73 +5748,86 @@ interface(`files_append_var_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_rw_var_files',`
++interface(`files_relabelfrom_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- rw_files_pattern($1, var_t, var_t)
++ relabelfrom_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read and write
+-## files in the /var directory.
++## Read symbolic links in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_var_files',`
++interface(`files_read_usr_symlinks',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- dontaudit $1 var_t:file rw_file_perms;
++ read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete files in the /var directory.
++## Create objects in the /usr directory
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <param name="file_type">
++## <summary>
++## The type of the object to be created
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The object class.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
+ #
+-interface(`files_manage_var_files',`
++interface(`files_usr_filetrans',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- manage_files_pattern($1, var_t, var_t)
++ filetrans_pattern($1, usr_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read symbolic links in the /var directory.
++## Do not audit attempts to search /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_var_symlinks',`
++interface(`files_dontaudit_search_src',`
+ gen_require(`
+- type var_t;
++ type src_t;
+ ')
+
+- read_lnk_files_pattern($1, var_t, var_t)
++ dontaudit $1 src_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete symbolic
+-## links in the /var directory.
++## Get the attributes of files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5360,50 +5835,41 @@ interface(`files_read_var_symlinks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_var_symlinks',`
++interface(`files_getattr_usr_src_files',`
+ gen_require(`
+- type var_t;
++ type usr_t, src_t;
+ ')
+
+- manage_lnk_files_pattern($1, var_t, var_t)
++ getattr_files_pattern($1, src_t, src_t)
++
++ # /usr/src/linux symlink:
++ read_lnk_files_pattern($1, usr_t, src_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in the /var directory
++## Read files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file_type">
+-## <summary>
+-## The type of the object to be created
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## The object class.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`files_var_filetrans',`
++interface(`files_read_usr_src_files',`
+ gen_require(`
+- type var_t;
++ type usr_t, src_t;
+ ')
+
+- filetrans_pattern($1, var_t, $2, $3, $4)
++ allow $1 usr_t:dir search_dir_perms;
++ read_files_pattern($1, { usr_t src_t }, src_t)
++ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
++ allow $1 src_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of the /var/lib directory.
++## Execute programs in /usr/src in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5411,69 +5877,57 @@ interface(`files_var_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_getattr_var_lib_dirs',`
++interface(`files_exec_usr_src_files',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type usr_t, src_t;
+ ')
+
+- getattr_dirs_pattern($1, var_t, var_lib_t)
++ list_dirs_pattern($1, usr_t, src_t)
++ exec_files_pattern($1, src_t, src_t)
++ read_lnk_files_pattern($1, src_t, src_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the /var/lib directory.
++## Install a system.map into the /boot directory.
+ ## </summary>
+-## <desc>
+-## <p>
+-## Search the /var/lib directory. This is
+-## necessary to access files or directories under
+-## /var/lib that have a private type. For example, a
+-## domain accessing a private library file in the
+-## /var/lib directory:
+-## </p>
+-## <p>
+-## allow mydomain_t mylibfile_t:file read_file_perms;
+-## files_search_var_lib(mydomain_t)
+-## </p>
+-## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_search_var_lib',`
++interface(`files_create_kernel_symbol_table',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type boot_t, system_map_t;
+ ')
+
+- search_dirs_pattern($1, var_t, var_lib_t)
++ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
++ allow $1 system_map_t:file { create_file_perms rw_file_perms };
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search the
+-## contents of /var/lib.
++## Read system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_dontaudit_search_var_lib',`
++interface(`files_read_kernel_symbol_table',`
+ gen_require(`
+- type var_lib_t;
++ type boot_t, system_map_t;
+ ')
+
+- dontaudit $1 var_lib_t:dir search_dir_perms;
++ allow $1 boot_t:dir list_dir_perms;
++ read_files_pattern($1, boot_t, system_map_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of the /var/lib directory.
++## Delete a system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5481,17 +5935,18 @@ interface(`files_dontaudit_search_var_lib',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_var_lib',`
++interface(`files_delete_kernel_symbol_table',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type boot_t, system_map_t;
+ ')
+
+- list_dirs_pattern($1, var_t, var_lib_t)
++ allow $1 boot_t:dir list_dir_perms;
++ delete_files_pattern($1, boot_t, system_map_t)
+ ')
+
+-###########################################
++########################################
+ ## <summary>
+-## Read-write /var/lib directories
++## Search the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5499,51 +5954,35 @@ interface(`files_list_var_lib',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_rw_var_lib_dirs',`
++interface(`files_search_var',`
+ gen_require(`
+- type var_lib_t;
++ type var_t;
+ ')
+
+- rw_dirs_pattern($1, var_lib_t, var_lib_t)
++ allow $1 var_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in the /var/lib directory
++## Do not audit attempts to write to /var.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="file_type">
+-## <summary>
+-## The type of the object to be created
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## The object class.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_var_lib_filetrans',`
++interface(`files_dontaudit_write_var_dirs',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_lib_t, $2, $3, $4)
++ dontaudit $1 var_t:dir write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic files in /var/lib.
++## Allow attempts to write to /var.dirs
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5551,40 +5990,36 @@ interface(`files_var_lib_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_files',`
++interface(`files_write_var_dirs',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_lib_t:dir list_dir_perms;
+- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ allow $1 var_t:dir write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic symbolic links in /var/lib
++## Do not audit attempts to search
++## the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_symlinks',`
++interface(`files_dontaudit_search_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ dontaudit $1 var_t:dir search_dir_perms;
+ ')
+
+-# cjp: the next two interfaces really need to be fixed
+-# in some way. They really neeed their own types.
+-
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete the
+-## pseudorandom number generator seed.
++## List the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5592,38 +6027,36 @@ interface(`files_read_var_lib_symlinks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_urandom_seed',`
++interface(`files_list_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_lib_t, var_lib_t)
++ allow $1 var_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow domain to manage mount tables
+-## necessary for rpcd, nfsd, etc.
++## Do not audit listing of the var directory (/var).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_mounttab',`
++interface(`files_dontaudit_list_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_lib_t, var_lib_t)
++ dontaudit $1 var_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Set the attributes of the generic lock directories.
++## Create, read, write, and delete directories
++## in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5631,17 +6064,17 @@ interface(`files_manage_mounttab',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_manage_var_dirs',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- setattr_dirs_pattern($1, var_t, var_lock_t)
++ allow $1 var_t:dir manage_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the locks directory (/var/lock).
++## Read files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5649,38 +6082,35 @@ interface(`files_setattr_lock_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_locks',`
++interface(`files_read_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- search_dirs_pattern($1, var_t, var_lock_t)
++ read_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search the
+-## locks directory (/var/lock).
++## Append files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_locks',`
++interface(`files_append_var_files',`
+ gen_require(`
+- type var_lock_t;
++ type var_t;
+ ')
+
+- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_lock_t:dir search_dir_perms;
++ append_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## List generic lock directories.
++## Read and write files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5688,80 +6118,73 @@ interface(`files_dontaudit_search_locks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_locks',`
++interface(`files_rw_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
++ rw_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Add and remove entries in the /var/lock
+-## directories.
++## Do not audit attempts to read and write
++## files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_rw_lock_dirs',`
++interface(`files_dontaudit_rw_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- rw_dirs_pattern($1, var_t, var_lock_t)
++ dontaudit $1 var_t:file rw_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create lock directories
++## Create, read, write, and delete files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access
++## <summary>
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_create_lock_dirs',`
++interface(`files_manage_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- create_dirs_pattern($1, var_lock_t, var_lock_t)
++ manage_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel to and from all lock directory types.
++## Read symbolic links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_lock_dirs',`
++interface(`files_read_var_symlinks',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- relabel_dirs_pattern($1, lockfile, lockfile)
++ read_lnk_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of generic lock files.
++## Create, read, write, and delete symbolic
++## links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5769,41 +6192,50 @@ interface(`files_relabel_all_lock_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_manage_var_symlinks',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 var_lock_t:dir list_dir_perms;
+- getattr_files_pattern($1, var_lock_t, var_lock_t)
++ manage_lnk_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete generic lock files.
++## Create objects in the /var directory
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <param name="file_type">
++## <summary>
++## The type of the object to be created
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The object class.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
+ #
+-interface(`files_delete_generic_locks',`
++interface(`files_var_filetrans',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
++ filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## lock files.
++## Get the attributes of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5811,65 +6243,69 @@ interface(`files_delete_generic_locks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_locks',`
++interface(`files_getattr_var_lib_dirs',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
+- manage_files_pattern($1, var_lock_t, var_lock_t)
++ getattr_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all lock files.
++## Search the /var/lib directory.
+ ## </summary>
++## <desc>
++## <p>
++## Search the /var/lib directory. This is
++## necessary to access files or directories under
++## /var/lib that have a private type. For example, a
++## domain accessing a private library file in the
++## /var/lib directory:
++## </p>
++## <p>
++## allow mydomain_t mylibfile_t:file read_file_perms;
++## files_search_var_lib(mydomain_t)
++## </p>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_delete_all_locks',`
++interface(`files_search_var_lib',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, lockfile, lockfile)
++ search_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read all lock files.
++## Do not audit attempts to search the
++## contents of /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_read_all_locks',`
++interface(`files_dontaudit_search_var_lib',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- allow $1 lockfile:dir list_dir_perms;
+- read_files_pattern($1, lockfile, lockfile)
+- read_lnk_files_pattern($1, lockfile, lockfile)
++ dontaudit $1 var_lib_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## manage all lock files.
++## List the contents of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5877,37 +6313,49 @@ interface(`files_read_all_locks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_all_locks',`
++interface(`files_list_var_lib',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- manage_dirs_pattern($1, lockfile, lockfile)
+- manage_files_pattern($1, lockfile, lockfile)
+- manage_lnk_files_pattern($1, lockfile, lockfile)
++ list_dirs_pattern($1, var_t, var_lib_t)
++')
++
++###########################################
++## <summary>
++## Read-write /var/lib directories
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++
++ rw_dirs_pattern($1, var_lib_t, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create an object in the locks directory, with a private
+-## type using a type transition.
++## Create objects in the /var/lib directory
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private type">
++## <param name="file_type">
+ ## <summary>
+-## The type of the object to be created.
++## The type of the object to be created
+ ## </summary>
+ ## </param>
+-## <param name="object">
++## <param name="object_class">
+ ## <summary>
+-## The object class of the object being created.
++## The object class.
+ ## </summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -5916,39 +6364,37 @@ interface(`files_manage_all_locks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_lock_filetrans',`
++interface(`files_var_lib_filetrans',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_lock_t, $2, $3, $4)
++ filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get the attributes
+-## of the /var/run directory.
++## Read generic files in /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_pid_dirs',`
++interface(`files_read_var_lib_files',`
+ gen_require(`
+- type var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir getattr;
++ allow $1 var_lib_t:dir list_dir_perms;
++ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Set the attributes of the /var/run directory.
++## Read generic symbolic links in /var/lib
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5956,19 +6402,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_setattr_pid_dirs',`
++interface(`files_read_var_lib_symlinks',`
+ gen_require(`
+- type var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir setattr;
++ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the contents of runtime process
+-## ID directories (/var/run).
++## manage generic symbolic links
++## in the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5976,39 +6421,41 @@ interface(`files_setattr_pid_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_pids',`
++interface(`files_manage_var_lib_symlinks',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- search_dirs_pattern($1, var_t, var_run_t)
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
+ ')
+
++# cjp: the next two interfaces really need to be fixed
++# in some way. They really neeed their own types.
++
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search
+-## the /var/run directory.
++## Create, read, write, and delete the
++## pseudorandom number generator seed.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_pids',`
++interface(`files_manage_urandom_seed',`
+ gen_require(`
+- type var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir search_dir_perms;
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_lib_t, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of the runtime process
+-## ID directories (/var/run).
++## Allow domain to manage mount tables
++## necessary for rpcd, nfsd, etc.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6016,18 +6463,1012 @@ interface(`files_dontaudit_search_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
++interface(`files_manage_mounttab',`
++ gen_require(`
++ type var_t, var_lib_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++## <summary>
++## List generic lock directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_list_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ list_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## Search the locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_search_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ search_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to search the
++## locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_search_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_lock_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++## Set the attributes of the /var/lock directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_setattr_lock_dirs',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ allow $1 var_lock_t:dir setattr;
++')
++
++########################################
++## <summary>
++## Add and remove entries in the /var/lock
++## directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_lock_dirs',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ rw_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## Create lock directories
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_create_lock_dirs',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ create_dirs_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## Relabel to and from all lock directory types.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_relabel_all_lock_dirs',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++## Get the attributes of generic lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_getattr_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ allow $1 var_lock_t:dir list_dir_perms;
++ getattr_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## Delete generic lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_delete_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ delete_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete generic
++## lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ manage_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## Delete all lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_delete_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ delete_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++## Read all lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ allow $1 lockfile:dir list_dir_perms;
++ read_files_pattern($1, lockfile, lockfile)
++ read_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++## manage all lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ manage_dirs_pattern($1, lockfile, lockfile)
++ manage_files_pattern($1, lockfile, lockfile)
++ manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++## Create an object in the locks directory, with a private
++## type using a type transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private type">
++## <summary>
++## The type of the object to be created.
++## </summary>
++## </param>
++## <param name="object">
++## <summary>
++## The object class of the object being created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`files_lock_filetrans',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ filetrans_pattern($1, var_lock_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to get the attributes
++## of the /var/run directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir getattr;
++')
++
++########################################
++## <summary>
++## Set the attributes of the /var/run directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_setattr_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ allow $1 var_run_t:dir setattr;
++')
++
++########################################
++## <summary>
++## Search the contents of runtime process
++## ID directories (/var/run).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_search_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ search_dirs_pattern($1, var_t, var_run_t)
++')
++
++######################################
++## <summary>
++## Add and remove entries from pid directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++## <summary>
++## Create generic pid directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_create_var_run_dirs',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to search
++## the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -9508,18 +12123,19 @@ index 64ff4d7..8a9355a 100644
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_tmp_file_leaks',`
++interface(`files_dontaudit_search_pids',`
+ gen_require(`
-+ attribute tmpfile;
++ type var_run_t;
+ ')
+
-+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
-+## Do allow attempts to read or write
-+## all leaked tmpfiles files.
++## Do not audit attempts to search
++## the all /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -9527,69 +12143,57 @@ index 64ff4d7..8a9355a 100644
+## </summary>
+## </param>
+#
-+interface(`files_rw_tmp_file_leaks',`
++interface(`files_dontaudit_search_all_pids',`
+ gen_require(`
-+ attribute tmpfile;
++ attribute pidfile;
+ ')
+
-+ allow $1 tmpfile:file rw_inherited_file_perms;
++ dontaudit $1 pidfile:dir search_dir_perms;
+')
+
+########################################
+## <summary>
- ## Create an object in the tmp directories, with a private
- ## type using a type transition.
- ## </summary>
-@@ -4646,6 +5336,16 @@ interface(`files_purge_tmp',`
- delete_lnk_files_pattern($1, tmpfile, tmpfile)
- delete_fifo_files_pattern($1, tmpfile, tmpfile)
- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ delete_chr_files_pattern($1, tmpfile, tmpfile)
-+ delete_blk_files_pattern($1, tmpfile, tmpfile)
-+ files_list_isid_type_dirs($1)
-+ files_delete_isid_type_dirs($1)
-+ files_delete_isid_type_files($1)
-+ files_delete_isid_type_symlinks($1)
-+ files_delete_isid_type_fifo_files($1)
-+ files_delete_isid_type_sock_files($1)
-+ files_delete_isid_type_blk_files($1)
-+ files_delete_isid_type_chr_files($1)
- ')
-
- ########################################
-@@ -5223,6 +5923,24 @@ interface(`files_list_var',`
-
- ########################################
- ## <summary>
-+## Do not audit listing of the var directory (/var).
++## List the contents of the runtime process
++## ID directories (/var/run).
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_list_var',`
++interface(`files_list_pids',`
+ gen_require(`
-+ type var_t;
++ type var_t, var_run_t;
+ ')
+
-+ dontaudit $1 var_t:dir list_dir_perms;
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ list_dirs_pattern($1, var_t, var_run_t)
+')
+
+########################################
+## <summary>
- ## Create, read, write, and delete directories
- ## in the /var directory.
- ## </summary>
-@@ -5578,6 +6296,25 @@ interface(`files_read_var_lib_symlinks',`
- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
++## Read generic process ID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_generic_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ list_dirs_pattern($1, var_t, var_run_t)
++ read_files_pattern($1, var_run_t, var_run_t)
++')
++
+########################################
+## <summary>
-+## manage generic symbolic links
-+## in the /var/lib directory.
++## Write named generic process ID pipes
+## </summary>
+## <param name="domain">
+## <summary>
@@ -9597,231 +12201,162 @@ index 64ff4d7..8a9355a 100644
+## </summary>
+## </param>
+#
-+interface(`files_manage_var_lib_symlinks',`
++interface(`files_write_generic_pid_pipes',`
+ gen_require(`
-+ type var_lib_t;
++ type var_run_t;
+ ')
+
-+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ allow $1 var_run_t:fifo_file write;
+')
+
- # cjp: the next two interfaces really need to be fixed
- # in some way. They really neeed their own types.
-
-@@ -5623,7 +6360,7 @@ interface(`files_manage_mounttab',`
-
- ########################################
- ## <summary>
--## Set the attributes of the generic lock directories.
-+## List generic lock directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5631,12 +6368,13 @@ interface(`files_manage_mounttab',`
- ## </summary>
- ## </param>
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_list_locks',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
-- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ files_search_locks($1)
-+ list_dirs_pattern($1, var_t, var_lock_t)
- ')
-
- ########################################
-@@ -5654,6 +6392,7 @@ interface(`files_search_locks',`
- type var_t, var_lock_t;
- ')
-
-+ files_search_pids($1)
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- search_dirs_pattern($1, var_t, var_lock_t)
- ')
-@@ -5680,7 +6419,26 @@ interface(`files_dontaudit_search_locks',`
-
- ########################################
- ## <summary>
--## List generic lock directories.
-+## Do not audit attempts to read/write inherited
-+## locks (/var/lock).
++########################################
++## <summary>
++## Create an object in the process ID directory, with a private type.
+## </summary>
++## <desc>
++## <p>
++## Create an object in the process ID directory (e.g., /var/run)
++## with a private type. Typically this is used for creating
++## private PID files in /var/run with the private type instead
++## of the general PID file type. To accomplish this goal,
++## either the program must be SELinux-aware, or use this interface.
++## </p>
++## <p>
++## Related interfaces:
++## </p>
++## <ul>
++## <li>files_pid_file()</li>
++## </ul>
++## <p>
++## Example usage with a domain that can create and
++## write its PID file with a private PID file type in the
++## /var/run directory:
++## </p>
++## <p>
++## type mypidfile_t;
++## files_pid_file(mypidfile_t)
++## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
++## files_pid_filetrans(mydomain_t, mypidfile_t, file)
++## </p>
++## </desc>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private type">
++## <summary>
++## The type of the object to be created.
++## </summary>
++## </param>
++## <param name="object">
++## <summary>
++## The object class of the object being created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
+## </summary>
+## </param>
++## <infoflow type="write" weight="10"/>
+#
-+interface(`files_dontaudit_rw_inherited_locks',`
++interface(`files_pid_filetrans',`
+ gen_require(`
-+ type var_lock_t;
++ type var_t, var_run_t;
+ ')
+
-+ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_run_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
-+## Set the attributes of the /var/lock directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5688,13 +6446,12 @@ interface(`files_dontaudit_search_locks',`
- ## </summary>
- ## </param>
- #
--interface(`files_list_locks',`
-+interface(`files_setattr_lock_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
++## Create a generic lock directory within the run directories
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`files_pid_filetrans_lock_dir',`
++ gen_require(`
+ type var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_lock_t:dir setattr;
- ')
-
- ########################################
-@@ -5713,7 +6470,7 @@ interface(`files_rw_lock_dirs',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- rw_dirs_pattern($1, var_t, var_lock_t)
- ')
-
-@@ -5746,7 +6503,6 @@ interface(`files_create_lock_dirs',`
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
- interface(`files_relabel_all_lock_dirs',`
- gen_require(`
-@@ -5774,8 +6530,7 @@ interface(`files_getattr_generic_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- allow $1 var_lock_t:dir list_dir_perms;
- getattr_files_pattern($1, var_lock_t, var_lock_t)
- ')
-@@ -5791,13 +6546,12 @@ interface(`files_getattr_generic_locks',`
- ## </param>
- #
- interface(`files_delete_generic_locks',`
-- gen_require(`
-+ gen_require(`
- type var_t, var_lock_t;
-- ')
-+ ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ files_search_locks($1)
-+ delete_files_pattern($1, var_lock_t, var_lock_t)
- ')
-
- ########################################
-@@ -5816,9 +6570,7 @@ interface(`files_manage_generic_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-+ files_search_locks($1)
- manage_files_pattern($1, var_lock_t, var_lock_t)
- ')
-
-@@ -5860,8 +6612,7 @@ interface(`files_read_all_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+ files_search_locks($1)
- allow $1 lockfile:dir list_dir_perms;
- read_files_pattern($1, lockfile, lockfile)
- read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6634,7 @@ interface(`files_manage_all_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+ files_search_locks($1)
- manage_dirs_pattern($1, lockfile, lockfile)
- manage_files_pattern($1, lockfile, lockfile)
- manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6671,7 @@ interface(`files_lock_filetrans',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- filetrans_pattern($1, var_lock_t, $2, $3, $4)
- ')
-
-@@ -5985,6 +6734,43 @@ interface(`files_search_pids',`
- search_dirs_pattern($1, var_t, var_run_t)
- ')
-
-+######################################
++ ')
++
++ files_pid_filetrans($1, var_lock_t, dir, $2)
++')
++
++########################################
+## <summary>
-+## Add and remove entries from pid directories.
++## Read and write generic process ID files.
+## </summary>
+## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_generic_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ list_dirs_pattern($1, var_t, var_run_t)
++ rw_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
+## <summary>
-+## Domain allowed access.
++## Do not audit attempts to get the attributes of
++## daemon runtime data files.
+## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
+## </param>
+#
-+interface(`files_rw_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
++interface(`files_dontaudit_getattr_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_run_t;
++ ')
+
-+ allow $1 var_run_t:dir rw_dir_perms;
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file getattr;
+')
+
-+#######################################
++########################################
+## <summary>
-+## Create generic pid directory.
++## Do not audit attempts to write to daemon runtime data files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain to not audit.
++## </summary>
+## </param>
+#
-+interface(`files_create_var_run_dirs',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
++interface(`files_dontaudit_write_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir create_dir_perms;
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file write;
+')
+
- ########################################
- ## <summary>
- ## Do not audit attempts to search
-@@ -6007,6 +6793,25 @@ interface(`files_dontaudit_search_pids',`
-
- ########################################
- ## <summary>
-+## Do not audit attempts to search
-+## the all /var/run directory.
++########################################
++## <summary>
++## Do not audit attempts to ioctl daemon runtime data files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -9829,76 +12364,49 @@ index 64ff4d7..8a9355a 100644
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_search_all_pids',`
++interface(`files_dontaudit_ioctl_all_pids',`
+ gen_require(`
+ attribute pidfile;
++ type var_run_t;
+ ')
+
-+ dontaudit $1 pidfile:dir search_dir_perms;
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file ioctl;
+')
+
+########################################
+## <summary>
- ## List the contents of the runtime process
- ## ID directories (/var/run).
- ## </summary>
-@@ -6122,7 +6927,6 @@ interface(`files_pid_filetrans',`
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- filetrans_pattern($1, var_run_t, $2, $3, $4)
- ')
-
-@@ -6231,46 +7035,230 @@ interface(`files_dontaudit_ioctl_all_pids',`
-
- ########################################
- ## <summary>
--## Read all process ID files.
+## Relable all pid directories
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_read_all_pids',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_relabel_all_pid_dirs',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ relabel_dirs_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ## <summary>
--## Delete all process IDs.
++')
++
++########################################
++## <summary>
+## Delete all pid sockets
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_delete_all_pids',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_delete_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ allow $1 pidfile:sock_file delete_sock_file_perms;
+')
+
@@ -10092,15 +12600,35 @@ index 64ff4d7..8a9355a 100644
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:dir rmdir;
- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
- delete_files_pattern($1, pidfile, pidfile)
- delete_fifo_files_pattern($1, pidfile, pidfile)
-@@ -6300,29 +7288,73 @@ interface(`files_delete_all_pid_dirs',`
-
- ########################################
- ## <summary>
--## Create, read, write and delete all
--## var_run (pid) content
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++## <summary>
++## Delete all process ID directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_delete_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
+## Make the specified type a file
+## used for spool files.
+## </summary>
@@ -10150,399 +12678,757 @@ index 64ff4d7..8a9355a 100644
+########################################
+## <summary>
+## Create all spool sockets
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain alloed access.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_manage_all_pids',`
++## </summary>
++## </param>
++#
+interface(`files_create_all_spool_sockets',`
gen_require(`
-- attribute pidfile;
+- type var_t, var_run_t;
+ attribute spoolfile;
')
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+ allow $1 spoolfile:sock_file create_sock_file_perms;
')
########################################
## <summary>
--## Mount filesystems on all polyinstantiation
--## member directories.
+-## Read generic process ID files.
+## Delete all spool sockets
## </summary>
## <param name="domain">
## <summary>
-@@ -6330,12 +7362,33 @@ interface(`files_manage_all_pids',`
+@@ -6035,123 +7476,336 @@ interface(`files_list_pids',`
## </summary>
## </param>
#
--interface(`files_mounton_all_poly_members',`
+-interface(`files_read_generic_pids',`
+interface(`files_delete_all_spool_sockets',`
gen_require(`
-- attribute polymember;
+- type var_t, var_run_t;
+ attribute spoolfile;
')
-- allow $1 polymember:dir mounton;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Write named generic process ID pipes
++## Relabel to and from all spool
++## directory types.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_write_generic_pid_pipes',`
++interface(`files_relabel_all_spool_dirs',`
+ gen_require(`
+- type var_run_t;
++ attribute spoolfile;
++ type var_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
++ relabel_dirs_pattern($1, spoolfile, spoolfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create an object in the process ID directory, with a private type.
++## Search the contents of generic spool
++## directories (/var/spool).
+ ## </summary>
+-## <desc>
+-## <p>
+-## Create an object in the process ID directory (e.g., /var/run)
+-## with a private type. Typically this is used for creating
+-## private PID files in /var/run with the private type instead
+-## of the general PID file type. To accomplish this goal,
+-## either the program must be SELinux-aware, or use this interface.
+-## </p>
+-## <p>
+-## Related interfaces:
+-## </p>
+-## <ul>
+-## <li>files_pid_file()</li>
+-## </ul>
+-## <p>
+-## Example usage with a domain that can create and
+-## write its PID file with a private PID file type in the
+-## /var/run directory:
+-## </p>
+-## <p>
+-## type mypidfile_t;
+-## files_pid_file(mypidfile_t)
+-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+-## files_pid_filetrans(mydomain_t, mypidfile_t, file)
+-## </p>
+-## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private type">
++#
++interface(`files_search_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ search_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to search generic
++## spool directories.
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## The type of the object to be created.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+-## <param name="object">
++#
++interface(`files_dontaudit_search_spool',`
++ gen_require(`
++ type var_spool_t;
++ ')
++
++ dontaudit $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
-+## Relabel to and from all spool
-+## directory types.
++## List the contents of generic spool
++## (/var/spool) directories.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## The object class of the object being created.
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`files_relabel_all_spool_dirs',`
++interface(`files_list_spool',`
+ gen_require(`
-+ attribute spoolfile;
-+ type var_t;
++ type var_t, var_spool_t;
+ ')
+
-+ relabel_dirs_pattern($1, spoolfile, spoolfile)
- ')
-
- ########################################
-@@ -6562,3 +7615,459 @@ interface(`files_unconfined',`
-
- typeattribute $1 files_unconfined_type;
- ')
++ list_dirs_pattern($1, var_t, var_spool_t)
++')
+
+########################################
+## <summary>
-+## Create a core files in /
++## Create, read, write, and delete generic
++## spool directories (/var/spool).
+## </summary>
-+## <desc>
-+## <p>
-+## Create a core file in /,
-+## </p>
-+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`files_manage_root_files',`
++interface(`files_manage_generic_spool_dirs',`
+ gen_require(`
-+ type root_t;
++ type var_t, var_spool_t;
+ ')
+
-+ manage_files_pattern($1, root_t, root_t)
++ allow $1 var_t:dir search_dir_perms;
++ manage_dirs_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Create a default directory
++## Read generic spool files.
+## </summary>
-+## <desc>
-+## <p>
-+## Create a default_t direcrory
-+## </p>
-+## </desc>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`files_create_default_dir',`
-+ gen_require(`
-+ type default_t;
-+ ')
++interface(`files_read_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
+
-+ allow $1 default_t:dir create;
++ list_dirs_pattern($1, var_t, var_spool_t)
++ read_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Create, default_t objects with an automatic
-+## type transition.
++## Create, read, write, and delete generic
++## spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="object">
-+## <summary>
-+## The class of the object being created.
-+## </summary>
-+## </param>
+#
-+interface(`files_root_filetrans_default',`
-+ gen_require(`
-+ type root_t, default_t;
-+ ')
++interface(`files_manage_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
+
-+ filetrans_pattern($1, root_t, default_t, $2)
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## manage generic symbolic links
-+## in the /var/run directory.
++## Create objects in the spool directory
++## with a private type with a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++## <param name="file">
++## <summary>
++## Type to which the created node will be transitioned.
++## </summary>
++## </param>
++## <param name="class">
++## <summary>
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
+ ## </summary>
+ ## </param>
+ ## <param name="name" optional="true">
+ ## <summary>
+-## The name of the object being created.
++## The name of the object being created.
++## </summary>
++## </param>
+#
-+interface(`files_manage_generic_pids_symlinks',`
++interface(`files_spool_filetrans',`
+ gen_require(`
-+ type var_run_t;
++ type var_t, var_spool_t;
+ ')
+
-+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_spool_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to getattr
-+## all tmpfs files.
++## Allow access to manage all polyinstantiated
++## directories on the system.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_getattr_tmpfs_files',`
++interface(`files_polyinstantiate_all',`
+ gen_require(`
-+ attribute tmpfsfile;
++ attribute polydir, polymember, polyparent;
++ type poly_t;
+ ')
+
-+ allow $1 tmpfsfile:file getattr;
++ # Need to give access to /selinux/member
++ selinux_compute_member($1)
++
++ # Need sys_admin capability for mounting
++ allow $1 self:capability { chown fsetid sys_admin fowner };
++
++ # Need to give access to the directories to be polyinstantiated
++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++ # Need to give access to the polyinstantiated subdirectories
++ allow $1 polymember:dir search_dir_perms;
++
++ # Need to give access to parent directories where original
++ # is remounted for polyinstantiation aware programs (like gdm)
++ allow $1 polyparent:dir { getattr mounton };
++
++ # Need to give permission to create directories where applicable
++ allow $1 self:process setfscreate;
++ allow $1 polymember: dir { create setattr relabelto };
++ allow $1 polydir: dir { write add_name open };
++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++ # Default type for mountpoints
++ allow $1 poly_t:dir { create mounton };
++ fs_unmount_xattr_fs($1)
++
++ fs_mount_tmpfs($1)
++ fs_unmount_tmpfs($1)
++
++ ifdef(`distro_redhat',`
++ # namespace.init
++ files_search_tmp($1)
++ files_search_home($1)
++ corecmd_exec_bin($1)
++ seutil_domtrans_setfiles($1)
++ ')
+')
+
+########################################
+## <summary>
-+## Allow read write all tmpfs files
++## Unconfined access to files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_rw_tmpfs_files',`
++interface(`files_unconfined',`
+ gen_require(`
-+ attribute tmpfsfile;
++ attribute files_unconfined_type;
+ ')
+
-+ allow $1 tmpfsfile:file { read write };
++ typeattribute $1 files_unconfined_type;
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to read security files
++## Create a core files in /
+## </summary>
++## <desc>
++## <p>
++## Create a core file in /,
++## </p>
++## </desc>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
-+## </summary>
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
++## <rolecap/>
+ #
+-interface(`files_pid_filetrans',`
++interface(`files_manage_root_files',`
+ gen_require(`
+- type var_t, var_run_t;
++ type root_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_run_t, $2, $3, $4)
++ manage_files_pattern($1, root_t, root_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create a generic lock directory within the run directories
++## Create a default directory
+ ## </summary>
++## <desc>
++## <p>
++## Create a default_t direcrory
++## </p>
++## </desc>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`files_dontaudit_read_security_files',`
-+ gen_require(`
-+ attribute security_file_type;
-+ ')
++interface(`files_create_default_dir',`
++ gen_require(`
++ type default_t;
++ ')
+
-+ dontaudit $1 security_file_type:file read_file_perms;
++ allow $1 default_t:dir create;
+')
+
+########################################
+## <summary>
-+## rw any files inherited from another process
++## Create, default_t objects with an automatic
++## type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="name" optional="true">
++## <param name="object">
+ ## <summary>
+-## The name of the object being created.
++## The class of the object being created.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_pid_filetrans_lock_dir',`
+- gen_require(`
+- type var_lock_t;
+- ')
++interface(`files_root_filetrans_default',`
++ gen_require(`
++ type root_t, default_t;
++ ')
+
+- files_pid_filetrans($1, var_lock_t, dir, $2)
++ filetrans_pattern($1, root_t, default_t, $2)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write generic process ID files.
++## manage generic symbolic links
++## in the /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6159,20 +7813,18 @@ interface(`files_pid_filetrans_lock_dir',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_rw_generic_pids',`
++interface(`files_manage_generic_pids_symlinks',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- rw_files_pattern($1, var_run_t, var_run_t)
++ manage_lnk_files_pattern($1,var_run_t,var_run_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get the attributes of
+-## daemon runtime data files.
++## Do not audit attempts to getattr
++## all tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6180,19 +7832,17 @@ interface(`files_rw_generic_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_pids',`
++interface(`files_dontaudit_getattr_tmpfs_files',`
+ gen_require(`
+- attribute pidfile;
+- type var_run_t;
++ attribute tmpfsfile;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file getattr;
++ allow $1 tmpfsfile:file getattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to write to daemon runtime data files.
++## Allow read write all tmpfs files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6200,18 +7850,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_all_pids',`
++interface(`files_rw_tmpfs_files',`
+ gen_require(`
+- attribute pidfile;
++ attribute tmpfsfile;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file write;
++ allow $1 tmpfsfile:file { read write };
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to ioctl daemon runtime data files.
++## Do not audit attempts to read security files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6219,41 +7868,43 @@ interface(`files_dontaudit_write_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_ioctl_all_pids',`
++interface(`files_dontaudit_read_security_files',`
+ gen_require(`
+- attribute pidfile;
+- type var_run_t;
++ attribute security_file_type;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file ioctl;
++ dontaudit $1 security_file_type:file read_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read all process ID files.
++## rw any files inherited from another process
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+## <param name="object_type">
+## <summary>
+## Object type.
+## </summary>
+## </param>
-+#
+ #
+-interface(`files_read_all_pids',`
+interface(`files_rw_all_inherited_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process IDs.
+## Allow any file point to be the entrypoint of this domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6262,67 +7913,55 @@ interface(`files_read_all_pids',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
+interface(`files_entrypoint_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute file_type;
-+ ')
+ ')
+-
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ allow $1 file_type:file entrypoint;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process ID directories.
+## Do not audit attempts to rw inherited file perms
+## of non security files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
+interface(`files_dontaudit_all_non_security_leaks',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Do not audit attempts to read or write
+## all leaked files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain alloed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
+interface(`files_dontaudit_leaks',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Allow domain to create_file_ass all types
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6330,37 +7969,37 @@ interface(`files_manage_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
+interface(`files_create_as_is_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute polymember;
+ attribute file_type;
+ class kernel_service create_files_as;
-+ ')
-+
+ ')
+
+- allow $1 polymember:dir mounton;
+ allow $1 file_type:kernel_service create_files_as;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the contents of generic spool
+-## directories (/var/spool).
+## Do not audit attempts to check the
+## access on all files
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
+interface(`files_dontaudit_all_access_check',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
+ dontaudit $1 file_type:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search generic
+-## spool directories.
+## Do not audit attempts to write to all files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6368,186 +8007,169 @@ interface(`files_search_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_spool',`
+interface(`files_dontaudit_write_all_files',`
-+ gen_require(`
+ gen_require(`
+- type var_spool_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_spool_t:dir search_dir_perms;
+ dontaudit $1 file_type:dir_file_class_set write;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of generic spool
+-## (/var/spool) directories.
+## Allow domain to delete to all files
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
+interface(`files_delete_all_non_security_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+ allow $1 non_security_file_type:dir del_entry_dir_perms;
+ allow $1 non_security_file_type:file_class_set delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
+## Transition named content in the var_run_t directory
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
+interface(`files_filetrans_named_content',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ type mnt_t;
+ type usr_t;
+ type var_t;
+ type tmp_t;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ files_pid_filetrans($1, mnt_t, dir, "media")
+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -10564,13 +13450,15 @@ index 64ff4d7..8a9355a 100644
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic spool files.
+## Make the specified type a
+## base file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <desc>
+## <p>
+## Identify file type as base file type. Tools will use this attribute,
@@ -10578,103 +13466,185 @@ index 64ff4d7..8a9355a 100644
+## </p>
+## </desc>
+## <param name="file_type">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Type to be used as a base files.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+## <infoflow type="none"/>
-+#
+ #
+-interface(`files_read_generic_spool',`
+interface(`files_base_file',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute base_file_type;
-+ ')
+ ')
+-
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
+ files_type($1)
+ typeattribute $1 base_file_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool files.
+## Make the specified type a
+## base read only file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <desc>
+## <p>
+## Make the specified type readable for all domains.
+## </p>
+## </desc>
+## <param name="file_type">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Type to be used as a base read only files.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+## <infoflow type="none"/>
-+#
+ #
+-interface(`files_manage_generic_spool',`
+interface(`files_ro_base_file',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute base_ro_file_type;
-+ ')
+ ')
+-
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
+ files_base_file($1)
+ typeattribute $1 base_ro_file_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in the spool directory
+-## with a private type with a type transition.
+## Read all ro base files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file">
+-## <summary>
+-## Type to which the created node will be transitioned.
+-## </summary>
+-## </param>
+-## <param name="class">
+-## <summary>
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+## <rolecap/>
-+#
+ #
+-interface(`files_spool_filetrans',`
+interface(`files_read_all_base_ro_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute base_ro_file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
+ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
+ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
+ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
+## Execute all base ro files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`files_polyinstantiate_all',`
+interface(`files_exec_all_base_ro_files',`
-+ gen_require(`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
+ attribute base_ro_file_type;
-+ ')
-+
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+-
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+- ')
+ can_exec($1, base_ro_file_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Unconfined access to files.
+## Allow the specified domain to modify the systemd configuration of
+## any file.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6555,10 +8177,11 @@ interface(`files_polyinstantiate_all',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_unconfined',`
+interface(`files_config_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute files_unconfined_type;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- typeattribute $1 files_unconfined_type;
+ allow $1 file_type:service all_service_perms;
-+')
+ ')
+
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 148d87a..822f6be 100644
@@ -12180,7 +15150,7 @@ index 8416beb..60b2ce1 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..3c5f139 100644
+index 9e603f5..97dbeb4 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
@@ -12228,7 +15198,18 @@ index 9e603f5..3c5f139 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -145,11 +153,6 @@ fs_type(spufs_t)
+@@ -125,6 +133,10 @@ type oprofilefs_t;
+ fs_type(oprofilefs_t)
+ genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
+
++type pstorefs_t;
++fs_type(pstorefs_t)
++genfscon pstore / gen_context(system_u:object_r:pstorefs_t,s0)
++
+ type ramfs_t;
+ fs_type(ramfs_t)
+ files_mountpoint(ramfs_t)
+@@ -145,11 +157,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -12240,7 +15221,7 @@ index 9e603f5..3c5f139 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -167,6 +170,8 @@ type vxfs_t;
+@@ -167,6 +174,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -12249,7 +15230,7 @@ index 9e603f5..3c5f139 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +181,8 @@ fs_type(tmpfs_t)
+@@ -176,6 +185,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -12258,7 +15239,7 @@ index 9e603f5..3c5f139 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +262,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -12267,7 +15248,7 @@ index 9e603f5..3c5f139 100644
files_mountpoint(removable_t)
#
-@@ -274,6 +283,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -15364,10 +18345,10 @@ index ff92430..36740ea 100644
## <summary>
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..8c061b9 100644
+index 88d0028..83e6404 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,74 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,78 @@ policy_module(sysadm, 2.5.1)
# Declarations
#
@@ -15444,6 +18425,10 @@ index 88d0028..8c061b9 100644
+userdom_exec_admin_home_files(sysadm_t)
+
+optional_policy(`
++ abrt_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
+ alsa_filetrans_named_content(sysadm_t)
+')
+
@@ -15453,7 +18438,7 @@ index 88d0028..8c061b9 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,13 +90,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +94,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t)
')
@@ -15468,7 +18453,7 @@ index 88d0028..8c061b9 100644
domain_ptrace_all_domains(sysadm_t)
')
-@@ -71,9 +100,9 @@ optional_policy(`
+@@ -71,9 +104,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@@ -15479,7 +18464,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -87,6 +116,7 @@ optional_policy(`
+@@ -87,6 +120,7 @@ optional_policy(`
optional_policy(`
asterisk_stream_connect(sysadm_t)
@@ -15487,7 +18472,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -110,6 +140,10 @@ optional_policy(`
+@@ -110,6 +144,10 @@ optional_policy(`
')
optional_policy(`
@@ -15498,7 +18483,7 @@ index 88d0028..8c061b9 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -122,11 +156,19 @@ optional_policy(`
+@@ -122,11 +160,19 @@ optional_policy(`
')
optional_policy(`
@@ -15520,7 +18505,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -140,6 +182,10 @@ optional_policy(`
+@@ -140,6 +186,10 @@ optional_policy(`
')
optional_policy(`
@@ -15531,7 +18516,7 @@ index 88d0028..8c061b9 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +202,11 @@ optional_policy(`
+@@ -156,11 +206,11 @@ optional_policy(`
')
optional_policy(`
@@ -15545,7 +18530,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -179,6 +225,13 @@ optional_policy(`
+@@ -179,6 +229,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -15559,7 +18544,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -186,15 +239,20 @@ optional_policy(`
+@@ -186,15 +243,20 @@ optional_policy(`
')
optional_policy(`
@@ -15571,19 +18556,19 @@ index 88d0028..8c061b9 100644
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
+ kerberos_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
++ kudzu_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -214,22 +272,20 @@ optional_policy(`
+@@ -214,22 +276,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -15612,7 +18597,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -241,14 +297,27 @@ optional_policy(`
+@@ -241,14 +301,27 @@ optional_policy(`
')
optional_policy(`
@@ -15640,7 +18625,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -256,10 +325,20 @@ optional_policy(`
+@@ -256,10 +329,20 @@ optional_policy(`
')
optional_policy(`
@@ -15661,7 +18646,7 @@ index 88d0028..8c061b9 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +349,36 @@ optional_policy(`
+@@ -270,31 +353,36 @@ optional_policy(`
')
optional_policy(`
@@ -15705,7 +18690,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -319,12 +403,18 @@ optional_policy(`
+@@ -319,12 +407,18 @@ optional_policy(`
')
optional_policy(`
@@ -15725,7 +18710,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -349,7 +439,18 @@ optional_policy(`
+@@ -349,7 +443,18 @@ optional_policy(`
')
optional_policy(`
@@ -15745,7 +18730,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -360,19 +461,15 @@ optional_policy(`
+@@ -360,19 +465,15 @@ optional_policy(`
')
optional_policy(`
@@ -15767,7 +18752,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -384,10 +481,6 @@ optional_policy(`
+@@ -384,10 +485,6 @@ optional_policy(`
')
optional_policy(`
@@ -15778,7 +18763,7 @@ index 88d0028..8c061b9 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +488,9 @@ optional_policy(`
+@@ -395,6 +492,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -15788,7 +18773,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -402,31 +498,34 @@ optional_policy(`
+@@ -402,31 +502,34 @@ optional_policy(`
')
optional_policy(`
@@ -15829,7 +18814,7 @@ index 88d0028..8c061b9 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +538,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +542,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -15840,7 +18825,7 @@ index 88d0028..8c061b9 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +558,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +562,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -18912,7 +21897,7 @@ index 5fc0391..3540387 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..146340a 100644
+index d1f64a0..3be3d00 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -18951,10 +21936,11 @@ index d1f64a0..146340a 100644
#
# /dev
-@@ -22,13 +44,20 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -22,13 +44,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
++/etc/X11/xorg\.conf\.d(/.*)? gen_context(system_u:object_r:xserver_etc_t,s0)
+/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
+/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
+/etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
@@ -18973,7 +21959,7 @@ index d1f64a0..146340a 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +75,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +76,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -19011,7 +21997,7 @@ index d1f64a0..146340a 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,25 +126,49 @@ ifndef(`distro_debian',`
+@@ -92,25 +127,49 @@ ifndef(`distro_debian',`
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -19067,7 +22053,7 @@ index d1f64a0..146340a 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..8a8ed32 100644
+index 6bf0ecc..d4ed029 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -19315,7 +22301,7 @@ index 6bf0ecc..8a8ed32 100644
')
allow $2 self:shm create_shm_perms;
-@@ -456,11 +495,24 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +495,34 @@ template(`xserver_user_x_domain_template',`
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
@@ -19328,6 +22314,16 @@ index 6bf0ecc..8a8ed32 100644
+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:0")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:1")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:2")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:3")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:4")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:5")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:6")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:7")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:8")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:9")
+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped")
+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped.old")
+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")
@@ -19342,7 +22338,7 @@ index 6bf0ecc..8a8ed32 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +524,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +534,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -19372,7 +22368,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -517,6 +575,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +585,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -19380,7 +22376,7 @@ index 6bf0ecc..8a8ed32 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -547,6 +606,42 @@ interface(`xserver_domtrans_xauth',`
+@@ -547,6 +616,42 @@ interface(`xserver_domtrans_xauth',`
domtrans_pattern($1, xauth_exec_t, xauth_t)
')
@@ -19423,7 +22419,7 @@ index 6bf0ecc..8a8ed32 100644
########################################
## <summary>
## Create a Xauthority file in the user home directory.
-@@ -598,6 +693,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +703,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -19431,7 +22427,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -615,7 +711,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +721,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -19440,7 +22436,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -638,6 +734,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +744,25 @@ interface(`xserver_rw_console',`
########################################
## <summary>
@@ -19466,7 +22462,7 @@ index 6bf0ecc..8a8ed32 100644
## Use file descriptors for xdm.
## </summary>
## <param name="domain">
-@@ -651,7 +766,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +776,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -19475,7 +22471,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -670,7 +785,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +795,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -19484,7 +22480,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -688,7 +803,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +813,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -19493,7 +22489,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -703,12 +818,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +828,11 @@ interface(`xserver_rw_xdm_pipes',`
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -19507,7 +22503,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -765,11 +879,31 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +889,71 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -19538,10 +22534,50 @@ index 6bf0ecc..8a8ed32 100644
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdm_home_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Read xserver configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_read_config',`
++ gen_require(`
++ type xserver_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, xserver_etc_t, xserver_etc_t)
++ read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
++')
++
++########################################
++## <summary>
++## Manage xserver configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_manage_config',`
++ gen_require(`
++ type xserver_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern($1, xserver_etc_t, xserver_etc_t)
++ manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
')
########################################
-@@ -793,6 +927,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +977,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
## <summary>
@@ -19567,7 +22603,7 @@ index 6bf0ecc..8a8ed32 100644
## Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
-@@ -806,7 +959,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +1009,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -19594,7 +22630,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -846,7 +1017,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1067,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -19622,7 +22658,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -869,6 +1059,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1109,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
## <summary>
@@ -19647,7 +22683,7 @@ index 6bf0ecc..8a8ed32 100644
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -938,7 +1146,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1196,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -19675,7 +22711,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -957,7 +1184,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1234,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -19684,7 +22720,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -1004,6 +1231,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1281,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -19730,7 +22766,7 @@ index 6bf0ecc..8a8ed32 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -1017,7 +1283,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1333,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -19739,7 +22775,7 @@ index 6bf0ecc..8a8ed32 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1079,6 +1345,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1395,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@@ -19782,7 +22818,7 @@ index 6bf0ecc..8a8ed32 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1093,7 +1395,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1445,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -19791,7 +22827,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -1111,8 +1413,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1463,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -19803,7 +22839,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -1226,6 +1530,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1580,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -19830,7 +22866,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -1251,7 +1575,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1625,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -19839,7 +22875,7 @@ index 6bf0ecc..8a8ed32 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1261,13 +1585,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1635,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -19864,7 +22900,7 @@ index 6bf0ecc..8a8ed32 100644
')
########################################
-@@ -1284,10 +1618,577 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1668,577 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -20445,7 +23481,7 @@ index 6bf0ecc..8a8ed32 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..7a3a6c0 100644
+index 2696452..8ac9130 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -20624,7 +23660,7 @@ index 2696452..7a3a6c0 100644
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -193,14 +249,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -193,14 +249,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
@@ -20632,7 +23668,9 @@ index 2696452..7a3a6c0 100644
-typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-userdom_user_tmp_file(xserver_tmp_t)
--
++type xserver_etc_t;
++files_config_file(xserver_etc_t)
+
type xserver_tmpfs_t;
-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
-typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
@@ -20641,7 +23679,7 @@ index 2696452..7a3a6c0 100644
userdom_user_tmpfs_file(xserver_tmpfs_t)
type xsession_exec_t;
-@@ -225,21 +276,33 @@ optional_policy(`
+@@ -225,21 +279,33 @@ optional_policy(`
#
allow iceauth_t iceauth_home_t:file manage_file_perms;
@@ -20684,7 +23722,7 @@ index 2696452..7a3a6c0 100644
')
########################################
-@@ -247,48 +310,83 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,48 +313,83 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -20768,18 +23806,18 @@ index 2696452..7a3a6c0 100644
+ifdef(`hide_broken_symptoms',`
+ term_dontaudit_use_unallocated_ttys(xauth_t)
+ dev_dontaudit_rw_dri(xauth_t)
-+')
-+
-+optional_policy(`
-+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
')
optional_policy(`
++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
++')
++
++optional_policy(`
+ ssh_use_ptys(xauth_t)
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +397,106 @@ optional_policy(`
+@@ -299,64 +400,106 @@ optional_policy(`
# XDM Local policy
#
@@ -20896,7 +23934,7 @@ index 2696452..7a3a6c0 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +505,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +508,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -20926,7 +23964,7 @@ index 2696452..7a3a6c0 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +535,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +538,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -20979,7 +24017,7 @@ index 2696452..7a3a6c0 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +587,27 @@ files_list_mnt(xdm_t)
+@@ -430,9 +590,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -21004,10 +24042,11 @@ index 2696452..7a3a6c0 100644
+fs_manage_cgroup_files(xdm_t)
+
+mls_socket_write_to_clearance(xdm_t)
++mls_trusted_object(xdm_t)
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +616,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +620,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -21051,7 +24090,7 @@ index 2696452..7a3a6c0 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +658,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -21101,7 +24140,7 @@ index 2696452..7a3a6c0 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +708,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +712,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -21128,7 +24167,7 @@ index 2696452..7a3a6c0 100644
')
optional_policy(`
-@@ -514,12 +735,72 @@ optional_policy(`
+@@ -514,12 +739,72 @@ optional_policy(`
')
optional_policy(`
@@ -21201,7 +24240,7 @@ index 2696452..7a3a6c0 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +818,78 @@ optional_policy(`
+@@ -537,28 +822,78 @@ optional_policy(`
')
optional_policy(`
@@ -21289,7 +24328,7 @@ index 2696452..7a3a6c0 100644
')
optional_policy(`
-@@ -570,6 +901,14 @@ optional_policy(`
+@@ -570,6 +905,14 @@ optional_policy(`
')
optional_policy(`
@@ -21304,7 +24343,7 @@ index 2696452..7a3a6c0 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +933,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -21317,7 +24356,7 @@ index 2696452..7a3a6c0 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -21333,7 +24372,18 @@ index 2696452..7a3a6c0 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -617,6 +970,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+
+ filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
+
++allow xserver_t xserver_etc_t:dir list_dir_perms;
++read_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
++read_lnk_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
++
+ manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+@@ -628,12 +985,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -21355,7 +24405,7 @@ index 2696452..7a3a6c0 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +997,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1005,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -21369,7 +24419,7 @@ index 2696452..7a3a6c0 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1023,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1031,27 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -21400,21 +24450,25 @@ index 2696452..7a3a6c0 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,8 +1054,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1062,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
+-
+fs_rw_tmpfs_files(xserver_t)
-
- mls_xwin_read_to_clearance(xserver_t)
-+mls_process_write_to_clearance(xserver_t)
++
+mls_file_read_to_clearance(xserver_t)
+mls_file_write_all_levels(xserver_t)
+mls_file_upgrade(xserver_t)
++mls_process_write_to_clearance(xserver_t)
++mls_socket_read_to_clearance(xserver_t)
++mls_sysvipc_read_to_clearance(xserver_t)
++mls_sysvipc_write_to_clearance(xserver_t)
++mls_trusted_object(xserver_t)
+ mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
- selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1073,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1085,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -21438,7 +24492,7 @@ index 2696452..7a3a6c0 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1092,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1104,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -21447,7 +24501,7 @@ index 2696452..7a3a6c0 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1136,44 @@ optional_policy(`
+@@ -775,16 +1148,44 @@ optional_policy(`
')
optional_policy(`
@@ -21493,7 +24547,7 @@ index 2696452..7a3a6c0 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1182,10 @@ optional_policy(`
+@@ -793,6 +1194,10 @@ optional_policy(`
')
optional_policy(`
@@ -21504,7 +24558,7 @@ index 2696452..7a3a6c0 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1201,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1213,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -21518,7 +24572,7 @@ index 2696452..7a3a6c0 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1212,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1224,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -21527,7 +24581,7 @@ index 2696452..7a3a6c0 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1225,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1237,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -21562,7 +24616,7 @@ index 2696452..7a3a6c0 100644
')
optional_policy(`
-@@ -902,7 +1290,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1302,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -21571,7 +24625,7 @@ index 2696452..7a3a6c0 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1344,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1356,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -21603,7 +24657,7 @@ index 2696452..7a3a6c0 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1390,40 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1402,40 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -22640,7 +25694,7 @@ index 3efd5b6..792df83 100644
+')
+
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..a8a2a2d 100644
+index 104037e..28dbe0b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -22937,15 +25991,16 @@ index 104037e..a8a2a2d 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
-@@ -456,6 +493,7 @@ optional_policy(`
+@@ -456,6 +493,8 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
+ sssd_read_public_files(nsswitch_domain)
++ sssd_read_lib_files(nsswitch_domain)
')
optional_policy(`
-@@ -463,3 +501,132 @@ optional_policy(`
+@@ -463,3 +502,132 @@ optional_policy(`
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
@@ -23661,10 +26716,32 @@ index 9a4d3a7..9d960bb 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..c0ec978 100644
+index 24e7804..f03be17 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
-@@ -106,6 +106,8 @@ interface(`init_domain',`
+@@ -1,5 +1,21 @@
+ ## <summary>System initialization programs (init and init scripts).</summary>
+
++######################################
++## <summary>
++## initrc stub interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`init_stub_initrc',`
++ gen_require(`
++ type initrc_t;
++ ')
++')
++
+ ########################################
+ ## <summary>
+ ## Create a file type used for init scripts.
+@@ -106,6 +122,8 @@ interface(`init_domain',`
role system_r types $1;
domtrans_pattern(init_t, $2, $1)
@@ -23673,7 +26750,7 @@ index 24e7804..c0ec978 100644
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -192,50 +194,43 @@ interface(`init_ranged_domain',`
+@@ -192,50 +210,43 @@ interface(`init_ranged_domain',`
interface(`init_daemon_domain',`
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -23746,7 +26823,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -283,17 +278,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +294,20 @@ interface(`init_daemon_domain',`
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
@@ -23768,7 +26845,7 @@ index 24e7804..c0ec978 100644
')
')
-@@ -336,23 +334,19 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,23 +350,19 @@ interface(`init_ranged_daemon_domain',`
#
interface(`init_system_domain',`
gen_require(`
@@ -23799,7 +26876,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -401,20 +395,41 @@ interface(`init_system_domain',`
+@@ -401,20 +411,41 @@ interface(`init_system_domain',`
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
@@ -23841,7 +26918,7 @@ index 24e7804..c0ec978 100644
########################################
## <summary>
## Mark the file type as a daemon run dir, allowing initrc_t
-@@ -469,7 +484,6 @@ interface(`init_domtrans',`
+@@ -469,7 +500,6 @@ interface(`init_domtrans',`
## Domain allowed access.
## </summary>
## </param>
@@ -23849,7 +26926,7 @@ index 24e7804..c0ec978 100644
#
interface(`init_exec',`
gen_require(`
-@@ -478,6 +492,48 @@ interface(`init_exec',`
+@@ -478,6 +508,48 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -23898,7 +26975,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -566,6 +622,58 @@ interface(`init_sigchld',`
+@@ -566,6 +638,58 @@ interface(`init_sigchld',`
########################################
## <summary>
@@ -23957,7 +27034,7 @@ index 24e7804..c0ec978 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
-@@ -576,10 +684,66 @@ interface(`init_sigchld',`
+@@ -576,10 +700,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -24026,7 +27103,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -743,22 +907,23 @@ interface(`init_write_initctl',`
+@@ -743,22 +923,23 @@ interface(`init_write_initctl',`
interface(`init_telinit',`
gen_require(`
type initctl_t;
@@ -24059,7 +27136,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -787,7 +952,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +968,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@@ -24068,7 +27145,7 @@ index 24e7804..c0ec978 100644
## </summary>
## </param>
#
-@@ -830,11 +995,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -24083,7 +27160,7 @@ index 24e7804..c0ec978 100644
ifdef(`distro_gentoo',`
gen_require(`
-@@ -845,11 +1011,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',`
')
ifdef(`enable_mcs',`
@@ -24097,7 +27174,7 @@ index 24e7804..c0ec978 100644
')
')
-@@ -865,19 +1031,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -24143,7 +27220,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -933,9 +1121,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -24158,7 +27235,7 @@ index 24e7804..c0ec978 100644
files_search_etc($1)
')
-@@ -1026,7 +1219,9 @@ interface(`init_ptrace',`
+@@ -1026,7 +1235,9 @@ interface(`init_ptrace',`
type init_t;
')
@@ -24169,7 +27246,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -1125,6 +1320,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1336,25 @@ interface(`init_getattr_all_script_files',`
########################################
## <summary>
@@ -24195,7 +27272,7 @@ index 24e7804..c0ec978 100644
## Read all init script files.
## </summary>
## <param name="domain">
-@@ -1144,6 +1358,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1374,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -24220,7 +27297,7 @@ index 24e7804..c0ec978 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1195,12 +1427,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1443,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -24234,7 +27311,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -1440,6 +1667,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1683,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -24262,7 +27339,7 @@ index 24e7804..c0ec978 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1526,6 +1774,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1526,6 +1790,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -24288,17 +27365,26 @@ index 24e7804..c0ec978 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1584,6 +1851,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1584,21 +1867,39 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
+-## Create files in a init script
+-## temporary data directory.
+## Read and write init script inherited temporary data.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file_type">
+-## <summary>
+-## The type of the object to be created
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+#
+interface(`init_rw_inherited_script_tmp_files',`
+ gen_require(`
@@ -24310,19 +27396,32 @@ index 24e7804..c0ec978 100644
+
+########################################
+## <summary>
- ## Create files in a init script
- ## temporary data directory.
- ## </summary>
-@@ -1656,11 +1941,48 @@ interface(`init_read_utmp',`
++## Create files in a init script
++## temporary data directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="file_type">
++## <summary>
++## The type of the object to be created
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
+ ## The object class.
+ ## </summary>
+ ## </param>
+@@ -1656,6 +1957,43 @@ interface(`init_read_utmp',`
########################################
## <summary>
--## Do not audit attempts to write utmp.
+## Read utmp.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
@@ -24356,15 +27455,10 @@ index 24e7804..c0ec978 100644
+
+########################################
+## <summary>
-+## Do not audit attempts to write utmp.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
-@@ -1744,7 +2066,7 @@ interface(`init_dontaudit_rw_utmp',`
+ ## Do not audit attempts to write utmp.
+ ## </summary>
+ ## <param name="domain">
+@@ -1744,7 +2082,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -24373,7 +27467,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -1785,6 +2107,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1785,6 +2123,133 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -24507,7 +27601,7 @@ index 24e7804..c0ec978 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2268,283 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2284,283 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -24792,7 +27886,7 @@ index 24e7804..c0ec978 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..4d9b509 100644
+index dd3be8d..8913598 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -25030,7 +28124,7 @@ index dd3be8d..4d9b509 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +271,177 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +271,178 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -25141,6 +28235,7 @@ index dd3be8d..4d9b509 100644
+fs_mount_all_fs(init_t)
+fs_unmount_all_fs(init_t)
+fs_remount_all_fs(init_t)
++fs_list_all(init_t)
+fs_list_auto_mountpoints(init_t)
+fs_register_binary_executable_type(init_t)
+fs_relabel_tmpfs_sock_file(init_t)
@@ -25216,7 +28311,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -216,6 +449,27 @@ optional_policy(`
+@@ -216,6 +450,27 @@ optional_policy(`
')
optional_policy(`
@@ -25244,7 +28339,7 @@ index dd3be8d..4d9b509 100644
unconfined_domain(init_t)
')
-@@ -225,8 +479,9 @@ optional_policy(`
+@@ -225,8 +480,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -25256,7 +28351,7 @@ index dd3be8d..4d9b509 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +512,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +513,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -25273,7 +28368,7 @@ index dd3be8d..4d9b509 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +537,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +538,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -25316,7 +28411,7 @@ index dd3be8d..4d9b509 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +574,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +575,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -25328,7 +28423,7 @@ index dd3be8d..4d9b509 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +586,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +587,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -25339,7 +28434,7 @@ index dd3be8d..4d9b509 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +597,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +598,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -25349,7 +28444,7 @@ index dd3be8d..4d9b509 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +606,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +607,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -25357,7 +28452,7 @@ index dd3be8d..4d9b509 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +613,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +614,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -25365,7 +28460,7 @@ index dd3be8d..4d9b509 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +621,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +622,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -25383,7 +28478,7 @@ index dd3be8d..4d9b509 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +639,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +640,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -25397,7 +28492,7 @@ index dd3be8d..4d9b509 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +654,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +655,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -25411,7 +28506,7 @@ index dd3be8d..4d9b509 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +667,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +668,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -25419,7 +28514,7 @@ index dd3be8d..4d9b509 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +679,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +680,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -25427,7 +28522,7 @@ index dd3be8d..4d9b509 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +698,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +699,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -25451,7 +28546,7 @@ index dd3be8d..4d9b509 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +731,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +732,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -25459,7 +28554,7 @@ index dd3be8d..4d9b509 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +765,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +766,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -25470,7 +28565,7 @@ index dd3be8d..4d9b509 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +789,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +790,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -25479,7 +28574,7 @@ index dd3be8d..4d9b509 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +804,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +805,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -25487,7 +28582,7 @@ index dd3be8d..4d9b509 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +825,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +826,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -25495,7 +28590,7 @@ index dd3be8d..4d9b509 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +835,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +836,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -25540,7 +28635,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -558,14 +880,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +881,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -25572,7 +28667,7 @@ index dd3be8d..4d9b509 100644
')
')
-@@ -576,6 +915,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +916,39 @@ ifdef(`distro_suse',`
')
')
@@ -25612,7 +28707,7 @@ index dd3be8d..4d9b509 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +960,8 @@ optional_policy(`
+@@ -588,6 +961,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -25621,7 +28716,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -609,6 +983,7 @@ optional_policy(`
+@@ -609,6 +984,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -25629,7 +28724,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -625,6 +1000,17 @@ optional_policy(`
+@@ -625,6 +1001,17 @@ optional_policy(`
')
optional_policy(`
@@ -25647,7 +28742,7 @@ index dd3be8d..4d9b509 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1027,13 @@ optional_policy(`
+@@ -641,9 +1028,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -25661,7 +28756,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -656,15 +1046,11 @@ optional_policy(`
+@@ -656,15 +1047,11 @@ optional_policy(`
')
optional_policy(`
@@ -25679,7 +28774,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -685,6 +1071,15 @@ optional_policy(`
+@@ -685,6 +1072,15 @@ optional_policy(`
')
optional_policy(`
@@ -25695,7 +28790,7 @@ index dd3be8d..4d9b509 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1120,7 @@ optional_policy(`
+@@ -725,6 +1121,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -25703,7 +28798,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -742,7 +1138,14 @@ optional_policy(`
+@@ -742,7 +1139,14 @@ optional_policy(`
')
optional_policy(`
@@ -25718,7 +28813,7 @@ index dd3be8d..4d9b509 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1168,10 @@ optional_policy(`
+@@ -765,6 +1169,10 @@ optional_policy(`
')
optional_policy(`
@@ -25729,7 +28824,7 @@ index dd3be8d..4d9b509 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1181,20 @@ optional_policy(`
+@@ -774,10 +1182,20 @@ optional_policy(`
')
optional_policy(`
@@ -25750,7 +28845,7 @@ index dd3be8d..4d9b509 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1203,10 @@ optional_policy(`
+@@ -786,6 +1204,10 @@ optional_policy(`
')
optional_policy(`
@@ -25761,7 +28856,7 @@ index dd3be8d..4d9b509 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1228,6 @@ optional_policy(`
+@@ -807,8 +1229,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -25770,7 +28865,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -817,6 +1236,10 @@ optional_policy(`
+@@ -817,6 +1237,10 @@ optional_policy(`
')
optional_policy(`
@@ -25781,7 +28876,7 @@ index dd3be8d..4d9b509 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1249,12 @@ optional_policy(`
+@@ -826,10 +1250,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -25794,7 +28889,7 @@ index dd3be8d..4d9b509 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1281,27 @@ optional_policy(`
+@@ -856,12 +1282,27 @@ optional_policy(`
')
optional_policy(`
@@ -25823,7 +28918,7 @@ index dd3be8d..4d9b509 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1311,18 @@ optional_policy(`
+@@ -871,6 +1312,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -25842,7 +28937,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -886,6 +1338,10 @@ optional_policy(`
+@@ -886,6 +1339,10 @@ optional_policy(`
')
optional_policy(`
@@ -25853,7 +28948,7 @@ index dd3be8d..4d9b509 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1352,185 @@ optional_policy(`
+@@ -896,3 +1353,185 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29383,7 +32478,7 @@ index 72c746e..f035d9f 100644
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..300c3f7 100644
+index 4584457..0755e25 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@@ -29482,7 +32577,7 @@ index 4584457..300c3f7 100644
+ type mount_var_run_t;
+ ')
+
-+ allow $1 mount_var_run_t:file read_file_perms;
++ read_files_pattern($1, mount_var_run_t, mount_var_run_t)
+ files_search_pids($1)
+')
+
@@ -29671,7 +32766,7 @@ index 4584457..300c3f7 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..bfb146f 100644
+index 6a50270..ac90315 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@@ -29868,7 +32963,7 @@ index 6a50270..bfb146f 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
-@@ -121,16 +187,19 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +187,21 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -29883,6 +32978,8 @@ index 6a50270..bfb146f 100644
seutil_read_config(mount_t)
++systemd_passwd_agent_domtrans(mount_t)
++
userdom_use_all_users_fds(mount_t)
+userdom_manage_user_home_content_dirs(mount_t)
+userdom_read_user_home_content_symlinks(mount_t)
@@ -29890,7 +32987,7 @@ index 6a50270..bfb146f 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -146,26 +215,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',`
')
')
@@ -29930,7 +33027,7 @@ index 6a50270..bfb146f 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +249,8 @@ optional_policy(`
+@@ -179,6 +251,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -29939,7 +33036,7 @@ index 6a50270..bfb146f 100644
')
optional_policy(`
-@@ -186,6 +258,36 @@ optional_policy(`
+@@ -186,6 +260,36 @@ optional_policy(`
')
optional_policy(`
@@ -29976,7 +33073,7 @@ index 6a50270..bfb146f 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +296,124 @@ optional_policy(`
+@@ -194,24 +298,124 @@ optional_policy(`
')
optional_policy(`
@@ -33390,10 +36487,10 @@ index 0000000..fc080a1
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..90e063a
+index 0000000..60e3e89
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,632 @@
+@@ -0,0 +1,641 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -33429,6 +36526,7 @@ index 0000000..90e063a
+
+type random_seed_t;
+files_security_file(random_seed_t)
++files_mountpoint(random_seed_t)
+
+# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
+# systemd components
@@ -33722,6 +36820,7 @@ index 0000000..90e063a
+auth_manage_faillog(systemd_tmpfiles_t)
+auth_relabel_faillog(systemd_tmpfiles_t)
+auth_manage_var_auth(systemd_tmpfiles_t)
++auth_manage_login_records(systemd_tmpfiles_t)
+auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
@@ -33871,6 +36970,8 @@ index 0000000..90e063a
+
+userdom_dbus_send_all_users(systemd_localed_t)
+
++xserver_read_config(systemd_localed_t)
++
+optional_policy(`
+ dbus_connect_system_bus(systemd_localed_t)
+ dbus_system_bus_client(systemd_localed_t)
@@ -33972,6 +37073,7 @@ index 0000000..90e063a
+optional_policy(`
+ gnome_manage_usr_config(systemd_timedated_t)
+ gnome_manage_home_config(systemd_timedated_t)
++ gnome_manage_home_config_dirs(systemd_timedated_t)
+')
+
+optional_policy(`
@@ -33988,6 +37090,10 @@ index 0000000..90e063a
+ policykit_read_reload(systemd_timedated_t)
+')
+
++optional_policy(`
++ xserver_manage_config(systemd_timedated_t)
++')
++
+########################################
+#
+# systemd_sysctl domains local policy
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 59ef21b..ff0cb24 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -64,7 +64,7 @@ index e4f84de..94697ea 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
-index 058d908..b7620e3 100644
+index 058d908..702b716 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
@@ -156,7 +156,7 @@ index 058d908..b7620e3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -154,17 +174,54 @@ interface(`abrt_domtrans_helper',`
+@@ -154,17 +174,35 @@ interface(`abrt_domtrans_helper',`
#
interface(`abrt_run_helper',`
gen_require(`
@@ -186,55 +186,55 @@ index 058d908..b7620e3 100644
+
+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+')
-+
-+########################################
-+## <summary>
-+## Append abrt cache
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`abrt_append_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+
-+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## abrt cache files.
-+## Read/Write inherited abrt cache
++## Append abrt cache
## </summary>
## <param name="domain">
## <summary>
-@@ -172,15 +229,18 @@ interface(`abrt_run_helper',`
+@@ -172,15 +210,37 @@ interface(`abrt_run_helper',`
## </summary>
## </param>
#
-interface(`abrt_cache_manage',`
- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
- abrt_manage_cache($1)
-+interface(`abrt_rw_inherited_cache',`
++interface(`abrt_append_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+
-+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
++ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
-## abrt cache content.
++## Read/Write inherited abrt cache
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`abrt_rw_inherited_cache',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++
++ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
+## Manage abrt cache
## </summary>
## <param name="domain">
@@ -329,7 +329,7 @@ index 058d908..b7620e3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -288,39 +387,146 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',`
## </param>
## <param name="role">
## <summary>
@@ -470,7 +470,7 @@ index 058d908..b7620e3 100644
+ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+')
+ ')
+
+########################################
+## <summary>
@@ -488,7 +488,33 @@ index 058d908..b7620e3 100644
+ ')
+
+ dontaudit $1 abrt_t:sock_file write;
- ')
++')
++
++########################################
++## <summary>
++## Transition to abrt named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`abrt_filetrans_named_content',`
++ gen_require(`
++ type abrt_tmp_t;
++ type abrt_etc_t;
++ type abrt_var_cache_t;
++ type abrt_var_run_t;
++ ')
++
++ files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt")
++ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
++ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
++ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
++ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
++')
++
diff --git a/abrt.te b/abrt.te
index cc43d25..304203f 100644
--- a/abrt.te
@@ -3020,7 +3046,7 @@ index 550a69e..e714059 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index 83e899c..7b2ad39 100644
+index 83e899c..e3bed6a 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -4204,7 +4230,7 @@ index 83e899c..7b2ad39 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1393,106 @@ interface(`apache_admin',`
+@@ -1218,9 +1393,129 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -4292,6 +4318,29 @@ index 83e899c..7b2ad39 100644
+
+########################################
+## <summary>
++## Execute a httpd_exec_t in the specified domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="target_domain">
++## <summary>
++## The type of the new process.
++## </summary>
++## </param>
++#
++interface(`apache_exec_domtrans',`
++ gen_require(`
++ type httpd_exec_t;
++ ')
++
++ domtrans_pattern($1, httpd_exec_t, $2)
++')
++
++########################################
++## <summary>
+## Transition to apache home content
+## </summary>
+## <param name="domain">
@@ -7299,10 +7348,10 @@ index 089430a..7cd037b 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index a579c3b..e8961f7 100644
+index a579c3b..512d6b1 100644
--- a/automount.te
+++ b/automount.te
-@@ -22,6 +22,9 @@ type automount_tmp_t;
+@@ -22,12 +22,16 @@ type automount_tmp_t;
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
@@ -7312,7 +7361,15 @@ index a579c3b..e8961f7 100644
########################################
#
# Local policy
-@@ -62,7 +65,6 @@ kernel_dontaudit_search_xen_state(automount_t)
+ #
+
+-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
++allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
++allow automount_t self:capability2 block_suspend;
+ dontaudit automount_t self:capability sys_tty_config;
+ allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+ allow automount_t self:fifo_file rw_fifo_file_perms;
+@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
@@ -7320,7 +7377,7 @@ index a579c3b..e8961f7 100644
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
-@@ -96,7 +98,6 @@ files_mount_all_file_type_fs(automount_t)
+@@ -96,7 +99,6 @@ files_mount_all_file_type_fs(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
@@ -7328,7 +7385,7 @@ index a579c3b..e8961f7 100644
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
-@@ -130,15 +131,18 @@ auth_use_nsswitch(automount_t)
+@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -8311,7 +8368,7 @@ index c723a0a..3e8a553 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
-index 6f09d24..88b8feb 100644
+index 6f09d24..9c48d18 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
@@ -8367,15 +8424,20 @@ index 6f09d24..88b8feb 100644
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
-@@ -132,6 +143,7 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+@@ -130,8 +141,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+ userdom_dontaudit_use_user_terminals(bluetooth_t)
+ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
++# machine-info
++systemd_hostnamed_read_config(bluetooth_t)
++
optional_policy(`
dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
optional_policy(`
cups_dbus_chat(bluetooth_t)
-@@ -199,7 +211,6 @@ dev_read_urand(bluetooth_helper_t)
+@@ -199,7 +214,6 @@ dev_read_urand(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
@@ -8626,7 +8688,7 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..1dc00c7 100644
+index 7c92aa1..4d8b6ae 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,11 +1,13 @@
@@ -8645,7 +8707,7 @@ index 7c92aa1..1dc00c7 100644
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
-@@ -21,31 +23,65 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -21,31 +23,66 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
@@ -8675,6 +8737,7 @@ index 7c92aa1..1dc00c7 100644
+#
+
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
++allow boinc_domain self:process signal;
+allow boinc_domain self:sem create_sem_perms;
+allow boinc_domain self:process execmem;
+
@@ -8720,7 +8783,7 @@ index 7c92aa1..1dc00c7 100644
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +90,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -54,74 +91,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@@ -8814,7 +8877,7 @@ index 7c92aa1..1dc00c7 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +137,61 @@ init_read_utmp(boinc_t)
+@@ -130,55 +138,61 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@@ -15958,7 +16021,7 @@ index 06da9a0..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..c8d914e 100644
+index 9f34c2e..45fe9a0 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16199,15 +16262,16 @@ index 9f34c2e..c8d914e 100644
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
-@@ -235,6 +266,7 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +266,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
+term_use_ptmx(cupsd_t)
++term_use_usb_ttys(cupsd_t)
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -247,21 +279,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +280,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -16233,7 +16297,7 @@ index 9f34c2e..c8d914e 100644
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
-@@ -275,6 +306,8 @@ optional_policy(`
+@@ -275,6 +307,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -16242,7 +16306,7 @@ index 9f34c2e..c8d914e 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -285,8 +318,10 @@ optional_policy(`
+@@ -285,8 +319,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -16253,7 +16317,7 @@ index 9f34c2e..c8d914e 100644
')
')
-@@ -299,8 +334,8 @@ optional_policy(`
+@@ -299,8 +335,8 @@ optional_policy(`
')
optional_policy(`
@@ -16263,7 +16327,7 @@ index 9f34c2e..c8d914e 100644
')
optional_policy(`
-@@ -309,7 +344,6 @@ optional_policy(`
+@@ -309,7 +345,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -16271,7 +16335,7 @@ index 9f34c2e..c8d914e 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -337,7 +371,7 @@ optional_policy(`
+@@ -337,7 +372,7 @@ optional_policy(`
')
optional_policy(`
@@ -16280,7 +16344,7 @@ index 9f34c2e..c8d914e 100644
')
########################################
-@@ -345,11 +379,9 @@ optional_policy(`
+@@ -345,11 +380,9 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -16294,7 +16358,7 @@ index 9f34c2e..c8d914e 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +407,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +408,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -16314,7 +16378,7 @@ index 9f34c2e..c8d914e 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +424,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +425,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -16335,7 +16399,7 @@ index 9f34c2e..c8d914e 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +441,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +442,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -16347,7 +16411,7 @@ index 9f34c2e..c8d914e 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +468,12 @@ optional_policy(`
+@@ -452,9 +469,12 @@ optional_policy(`
')
optional_policy(`
@@ -16361,7 +16425,7 @@ index 9f34c2e..c8d914e 100644
')
optional_policy(`
-@@ -490,10 +509,6 @@ optional_policy(`
+@@ -490,10 +510,6 @@ optional_policy(`
# Lpd local policy
#
@@ -16372,7 +16436,7 @@ index 9f34c2e..c8d914e 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +526,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +527,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -16405,7 +16469,7 @@ index 9f34c2e..c8d914e 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -546,7 +552,6 @@ optional_policy(`
+@@ -546,7 +553,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -16413,7 +16477,7 @@ index 9f34c2e..c8d914e 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,17 +567,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,17 +568,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -16431,7 +16495,7 @@ index 9f34c2e..c8d914e 100644
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
-@@ -582,128 +578,12 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -582,128 +579,12 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(cups_pdf_t)
')
@@ -16562,7 +16626,7 @@ index 9f34c2e..c8d914e 100644
########################################
#
-@@ -731,7 +611,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +612,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -16570,7 +16634,7 @@ index 9f34c2e..c8d914e 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +620,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +621,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -16584,7 +16648,7 @@ index 9f34c2e..c8d914e 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +632,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +633,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -17630,7 +17694,7 @@ index afcf3a2..0730306 100644
+ dontaudit system_bus_type $1:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..4a56f17 100644
+index 2c2e7e1..5e0bf2f 100644
--- a/dbus.te
+++ b/dbus.te
@@ -1,20 +1,18 @@
@@ -17668,16 +17732,17 @@ index 2c2e7e1..4a56f17 100644
type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
-@@ -41,7 +36,7 @@ files_type(system_dbusd_var_lib_t)
+@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
-init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
+init_sock_file(system_dbusd_var_run_t)
++mls_trusted_object(system_dbusd_var_run_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +46,56 @@ ifdef(`enable_mls',`
+@@ -51,59 +47,57 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
@@ -17749,10 +17814,11 @@ index 2c2e7e1..4a56f17 100644
+storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
+storage_rw_inherited_removable_device(system_dbusd_t)
+
++mls_trusted_object(system_dbusd_t)
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +115,155 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +117,155 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -17922,7 +17988,7 @@ index 2c2e7e1..4a56f17 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +272,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +274,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -17947,7 +18013,7 @@ index 2c2e7e1..4a56f17 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +291,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +293,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -17955,7 +18021,7 @@ index 2c2e7e1..4a56f17 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +300,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +302,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -17997,7 +18063,7 @@ index 2c2e7e1..4a56f17 100644
')
########################################
-@@ -244,5 +337,6 @@ optional_policy(`
+@@ -244,5 +339,6 @@ optional_policy(`
# Unconfined access to this module
#
@@ -21587,6 +21653,17 @@ index a0da189..d8bc9d5 100644
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)
+diff --git a/evolution.fc b/evolution.fc
+index 597f305..8520653 100644
+--- a/evolution.fc
++++ b/evolution.fc
+@@ -1,5 +1,6 @@
+ HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+ HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
++HOME_DIR/\.cache/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+
+ /tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
+
diff --git a/evolution.te b/evolution.te
index 94fb625..3742ee1 100644
--- a/evolution.te
@@ -22464,7 +22541,7 @@ index 5cf6ac6..839999e 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index c8014f8..1072fcb 100644
+index c8014f8..02de884 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
@@ -22533,6 +22610,17 @@ index c8014f8..1072fcb 100644
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
+@@ -85,6 +100,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_read_generic_data_home_dirs(firewalld_t)
++')
++
++optional_policy(`
+ iptables_domtrans(firewalld_t)
+ ')
+
diff --git a/firewallgui.if b/firewallgui.if
index e6866d1..941f4ef 100644
--- a/firewallgui.if
@@ -24200,10 +24288,10 @@ index fd02acc..0000000
-
-miscfiles_read_localization(glusterd_t)
diff --git a/gnome.fc b/gnome.fc
-index e39de43..52e5a3a 100644
+index e39de43..5818f74 100644
--- a/gnome.fc
+++ b/gnome.fc
-@@ -1,15 +1,57 @@
+@@ -1,15 +1,58 @@
-HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
@@ -24211,6 +24299,7 @@ index e39de43..52e5a3a 100644
-HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
-HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
++HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
@@ -24271,7 +24360,7 @@ index e39de43..52e5a3a 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..0a785a3 100644
+index d03fd43..b000017 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,154 @@
@@ -25360,7 +25449,7 @@ index d03fd43..0a785a3 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -704,12 +812,773 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +812,774 @@ interface(`gnome_stream_connect_gkeyringd',`
## </summary>
## </param>
#
@@ -26054,6 +26143,7 @@ index d03fd43..0a785a3 100644
+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
+ filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")
+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
++ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+ gnome_filetrans_gstreamer_home_content($1)
+')
+
@@ -35899,10 +35989,10 @@ index 4462c0e..84944d1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..379066c 100644
+index 6ffaba2..18e3a70 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -1,38 +1,61 @@
+@@ -1,38 +1,63 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -35925,7 +36015,9 @@ index 6ffaba2..379066c 100644
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.cache\mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -35999,7 +36091,7 @@ index 6ffaba2..379066c 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..97b8462 100644
+index 6194b80..648d041 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -36620,7 +36712,7 @@ index 6194b80..97b8462 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -530,45 +430,48 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +430,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
@@ -36690,11 +36782,13 @@ index 6194b80..97b8462 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
++ #userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "POkemon Advanced Adventure")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
++ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..7131f6f 100644
+index 6a306ee..4c1c064 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -36953,10 +37047,10 @@ index 6a306ee..7131f6f 100644
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
+-
+-userdom_write_user_tmp_sockets(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
--userdom_write_user_tmp_sockets(mozilla_t)
--
-mozilla_run_plugin(mozilla_t, mozilla_roles)
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -37434,25 +37528,21 @@ index 6a306ee..7131f6f 100644
')
optional_policy(`
-@@ -523,36 +481,43 @@ optional_policy(`
+@@ -523,36 +481,47 @@ optional_policy(`
')
optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
-+ dbus_system_bus_client(mozilla_plugin_t)
-+ dbus_session_bus_client(mozilla_plugin_t)
-+ dbus_connect_session_bus(mozilla_plugin_t)
-+ dbus_read_lib_files(mozilla_plugin_t)
++ apache_list_modules(mozilla_plugin_t)
')
optional_policy(`
- dbus_all_session_bus_client(mozilla_plugin_t)
- dbus_connect_all_session_bus(mozilla_plugin_t)
-- dbus_system_bus_client(mozilla_plugin_t)
-+ gnome_manage_config(mozilla_plugin_t)
-+ gnome_read_usr_config(mozilla_plugin_t)
-+ gnome_filetrans_home_content(mozilla_plugin_t)
-+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
+ dbus_system_bus_client(mozilla_plugin_t)
++ dbus_session_bus_client(mozilla_plugin_t)
++ dbus_connect_session_bus(mozilla_plugin_t)
++ dbus_read_lib_files(mozilla_plugin_t)
')
optional_policy(`
@@ -37460,6 +37550,13 @@ index 6a306ee..7131f6f 100644
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
++ gnome_manage_config(mozilla_plugin_t)
++ gnome_read_usr_config(mozilla_plugin_t)
++ gnome_filetrans_home_content(mozilla_plugin_t)
++ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
++')
++
++optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
')
@@ -37492,7 +37589,7 @@ index 6a306ee..7131f6f 100644
')
optional_policy(`
-@@ -560,7 +525,7 @@ optional_policy(`
+@@ -560,7 +529,7 @@ optional_policy(`
')
optional_policy(`
@@ -37501,7 +37598,7 @@ index 6a306ee..7131f6f 100644
')
optional_policy(`
-@@ -568,108 +533,108 @@ optional_policy(`
+@@ -568,108 +537,108 @@ optional_policy(`
')
optional_policy(`
@@ -41695,7 +41792,7 @@ index 0641e97..d7d9a79 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 44ad3b7..7508aef 100644
+index 44ad3b7..f675581 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -41734,7 +41831,17 @@ index 44ad3b7..7508aef 100644
########################################
#
-@@ -123,7 +124,6 @@ kernel_read_software_raid_state(nagios_t)
+@@ -110,7 +111,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+ files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+
+ manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
++manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
++files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file})
+
+ manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+ manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+@@ -123,7 +125,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
@@ -41742,7 +41849,7 @@ index 44ad3b7..7508aef 100644
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
-@@ -143,7 +143,6 @@ domain_read_all_domains_state(nagios_t)
+@@ -143,7 +144,6 @@ domain_read_all_domains_state(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
@@ -41750,7 +41857,7 @@ index 44ad3b7..7508aef 100644
files_search_spool(nagios_t)
fs_getattr_all_fs(nagios_t)
-@@ -153,8 +152,6 @@ auth_use_nsswitch(nagios_t)
+@@ -153,8 +153,6 @@ auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
@@ -41759,7 +41866,7 @@ index 44ad3b7..7508aef 100644
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
-@@ -178,6 +175,7 @@ optional_policy(`
+@@ -178,6 +176,7 @@ optional_policy(`
#
# CGI local policy
#
@@ -41767,7 +41874,7 @@ index 44ad3b7..7508aef 100644
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
-@@ -231,7 +229,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin
+@@ -231,7 +230,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin
kernel_read_kernel_sysctls(nrpe_t)
kernel_read_software_raid_state(nrpe_t)
@@ -41775,7 +41882,7 @@ index 44ad3b7..7508aef 100644
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
-@@ -253,7 +250,6 @@ domain_use_interactive_fds(nrpe_t)
+@@ -253,7 +251,6 @@ domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
@@ -41783,7 +41890,7 @@ index 44ad3b7..7508aef 100644
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -262,8 +258,6 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,8 +259,6 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
@@ -41792,7 +41899,7 @@ index 44ad3b7..7508aef 100644
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
-@@ -310,15 +304,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +305,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -41811,7 +41918,7 @@ index 44ad3b7..7508aef 100644
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +339,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,6 +340,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
@@ -41819,7 +41926,7 @@ index 44ad3b7..7508aef 100644
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
-@@ -357,9 +352,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +353,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
@@ -41833,7 +41940,7 @@ index 44ad3b7..7508aef 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -411,6 +408,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -411,6 +409,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@@ -41841,7 +41948,7 @@ index 44ad3b7..7508aef 100644
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +418,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,10 +419,10 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
@@ -41854,7 +41961,7 @@ index 44ad3b7..7508aef 100644
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
-@@ -442,6 +440,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,6 +441,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@@ -41869,7 +41976,7 @@ index 44ad3b7..7508aef 100644
########################################
#
# Unconfined plugin policy
-@@ -450,3 +456,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
+@@ -450,3 +457,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
@@ -48094,10 +48201,10 @@ index 0000000..407386d
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..d859b72
+index 0000000..45e60e5
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,481 @@
+@@ -0,0 +1,526 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -48438,12 +48545,57 @@ index 0000000..d859b72
+
+allow openshift_user_domain openshift_domain:process ptrace;
+
++mta_signal_user_agent(openshift_user_domain)
++
+optional_policy(`
+ ssh_rw_tcp_sockets(openshift_user_domain)
+')
+
+############################################################################
+#
++# Rules specific to openshift_net_domains
++#
++allow openshift_net_domain openshift_port_t:tcp_socket { name_connect name_bind };
++allow openshift_net_domain openshift_port_t:udp_socket name_bind;
++
++corenet_tcp_connect_mssql_port(openshift_net_domain)
++corenet_tcp_connect_mysqld_port(openshift_net_domain)
++corenet_tcp_connect_postgresql_port(openshift_net_domain)
++corenet_tcp_connect_git_port(openshift_net_domain)
++corenet_tcp_connect_oracle_port(openshift_net_domain)
++corenet_tcp_connect_flash_port(openshift_net_domain)
++corenet_tcp_connect_http_port(openshift_net_domain)
++corenet_tcp_connect_ftp_port(openshift_net_domain)
++#/* These ports are the ephemeral ports needed for ftp */
++corenet_tcp_connect_virt_migration_port(openshift_net_domain)
++corenet_tcp_connect_ssh_port(openshift_net_domain)
++corenet_tcp_connect_jacorb_port(openshift_net_domain)
++corenet_tcp_connect_jboss_management_port(openshift_net_domain)
++corenet_tcp_connect_jboss_debug_port(openshift_net_domain)
++corenet_tcp_connect_jboss_messaging_port(openshift_net_domain)
++corenet_tcp_connect_memcache_port(openshift_net_domain)
++corenet_tcp_connect_http_cache_port(openshift_net_domain)
++corenet_tcp_connect_amqp_port(openshift_net_domain)
++corenet_tcp_connect_generic_port(openshift_net_domain)
++corenet_tcp_connect_mongod_port(openshift_net_domain)
++corenet_tcp_connect_munin_port(openshift_net_domain)
++corenet_tcp_connect_pop_port(openshift_net_domain)
++corenet_tcp_connect_pulseaudio_port(openshift_net_domain)
++corenet_tcp_connect_smtp_port(openshift_net_domain)
++corenet_tcp_connect_whois_port(openshift_net_domain)
++corenet_udp_bind_generic_port(openshift_net_domain)
++corenet_tcp_bind_http_cache_port(openshift_domain)
++corenet_tcp_bind_jacorb_port(openshift_net_domain)
++corenet_tcp_bind_jboss_management_port(openshift_net_domain)
++corenet_tcp_bind_jboss_messaging_port(openshift_net_domain)
++corenet_tcp_bind_jboss_debug_port(openshift_net_domain)
++corenet_tcp_bind_mongod_port(openshift_net_domain)
++corenet_tcp_bind_mysqld_port(openshift_domain)
++corenet_tcp_bind_pulseaudio_port(openshift_net_domain)
++corenet_tcp_bind_postgresql_port(openshift_net_domain)
++
++############################################################################
++#
+# Rules specific to openshift and openshift_app_t
+#
+kernel_read_vm_sysctls(openshift_t)
@@ -50827,15 +50979,17 @@ index 977b972..0000000
-miscfiles_read_localization(pkcs_slotd_t)
diff --git a/pkcsslotd.fc b/pkcsslotd.fc
new file mode 100644
-index 0000000..dd1b8f2
+index 0000000..38fa01d
--- /dev/null
+++ b/pkcsslotd.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/pkcsslotd.service -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
+
+/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
+
+/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
++
++/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_lock_t,s0)
diff --git a/pkcsslotd.if b/pkcsslotd.if
new file mode 100644
index 0000000..848ddc9
@@ -50999,10 +51153,10 @@ index 0000000..848ddc9
+')
diff --git a/pkcsslotd.te b/pkcsslotd.te
new file mode 100644
-index 0000000..d6d79b9
+index 0000000..f788d35
--- /dev/null
+++ b/pkcsslotd.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,66 @@
+policy_module(pkcsslotd, 1.0.0)
+
+########################################
@@ -51017,6 +51171,9 @@ index 0000000..d6d79b9
+type pkcsslotd_var_lib_t;
+files_type(pkcsslotd_var_lib_t)
+
++type pkcsslotd_lock_t;
++files_lock_file(pkcsslotd_lock_t)
++
+type pkcsslotd_unit_file_t;
+systemd_unit_file(pkcsslotd_unit_file_t)
+
@@ -51034,14 +51191,16 @@ index 0000000..d6d79b9
+# pkcsslotd local policy
+#
+
-+allow pkcsslotd_t self:capability { kill };
-+allow pkcsslotd_t self:process { fork };
++allow pkcsslotd_t self:capability { chown kill };
+
+allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
+allow pkcsslotd_t self:sem create_sem_perms;
+allow pkcsslotd_t self:shm create_shm_perms;
+allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_files_pattern(pkcsslotd_t, pkcsslotd_lock_t, pkcsslotd_lock_t)
++files_lock_filetrans(pkcsslotd_t, pkcsslotd_lock_t, file)
++
+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
+manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
+files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir })
@@ -51061,6 +51220,7 @@ index 0000000..d6d79b9
+
+domain_use_interactive_fds(pkcsslotd_t)
+
++auth_read_passwd(pkcsslotd_t)
+
+logging_send_syslog_msg(pkcsslotd_t)
diff --git a/pki.fc b/pki.fc
@@ -63845,7 +64005,7 @@ index 47de2d6..1f5dbf8 100644
+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..27c4de4 100644
+index 56bc01f..cbca7aa 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -63874,27 +64034,19 @@ index 56bc01f..27c4de4 100644
')
##############################
-@@ -28,7 +28,7 @@ template(`rhcs_domain_template',`
- type $1_tmpfs_t, cluster_tmpfs;
- files_tmpfs_file($1_tmpfs_t)
-
-- type $1_var_log_t, cluster_log;
-+ type $1_var_log_t;
- logging_log_file($1_var_log_t)
-
- type $1_var_run_t, cluster_pid;
-@@ -44,9 +44,7 @@ template(`rhcs_domain_template',`
+@@ -43,11 +43,6 @@ template(`rhcs_domain_template',`
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
- manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
+- manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
- append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-+ manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+- manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
-@@ -56,20 +54,19 @@ template(`rhcs_domain_template',`
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+@@ -56,20 +51,19 @@ template(`rhcs_domain_template',`
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
@@ -63921,7 +64073,7 @@ index 56bc01f..27c4de4 100644
## </param>
#
interface(`rhcs_domtrans_dlm_controld',`
-@@ -83,27 +80,8 @@ interface(`rhcs_domtrans_dlm_controld',`
+@@ -83,27 +77,8 @@ interface(`rhcs_domtrans_dlm_controld',`
#####################################
## <summary>
@@ -63951,7 +64103,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,7 +100,7 @@ interface(`rhcs_stream_connect_dlm_controld',`
+@@ -122,7 +97,7 @@ interface(`rhcs_stream_connect_dlm_controld',`
#####################################
## <summary>
@@ -63960,7 +64112,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -160,9 +138,27 @@ interface(`rhcs_domtrans_fenced',`
+@@ -160,9 +135,27 @@ interface(`rhcs_domtrans_fenced',`
domtrans_pattern($1, fenced_exec_t, fenced_t)
')
@@ -63989,7 +64141,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -181,10 +177,9 @@ interface(`rhcs_rw_fenced_semaphores',`
+@@ -181,10 +174,9 @@ interface(`rhcs_rw_fenced_semaphores',`
manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
')
@@ -64002,7 +64154,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -192,19 +187,18 @@ interface(`rhcs_rw_fenced_semaphores',`
+@@ -192,19 +184,18 @@ interface(`rhcs_rw_fenced_semaphores',`
## </summary>
## </param>
#
@@ -64026,7 +64178,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -223,8 +217,7 @@ interface(`rhcs_stream_connect_fenced',`
+@@ -223,8 +214,7 @@ interface(`rhcs_stream_connect_fenced',`
#####################################
## <summary>
@@ -64036,7 +64188,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -243,7 +236,7 @@ interface(`rhcs_domtrans_gfs_controld',`
+@@ -243,7 +233,7 @@ interface(`rhcs_domtrans_gfs_controld',`
####################################
## <summary>
@@ -64045,7 +64197,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -264,7 +257,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
+@@ -264,7 +254,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
########################################
## <summary>
@@ -64054,7 +64206,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -285,8 +278,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
+@@ -285,8 +275,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
#####################################
## <summary>
@@ -64064,7 +64216,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -324,8 +316,8 @@ interface(`rhcs_domtrans_groupd',`
+@@ -324,8 +313,8 @@ interface(`rhcs_domtrans_groupd',`
#####################################
## <summary>
@@ -64075,7 +64227,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -342,10 +334,9 @@ interface(`rhcs_stream_connect_groupd',`
+@@ -342,10 +331,9 @@ interface(`rhcs_stream_connect_groupd',`
stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
')
@@ -64088,7 +64240,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -353,21 +344,20 @@ interface(`rhcs_stream_connect_groupd',`
+@@ -353,21 +341,20 @@ interface(`rhcs_stream_connect_groupd',`
## </summary>
## </param>
#
@@ -64116,7 +64268,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -375,17 +365,20 @@ interface(`rhcs_rw_cluster_shm',`
+@@ -375,17 +362,20 @@ interface(`rhcs_rw_cluster_shm',`
## </summary>
## </param>
#
@@ -64142,7 +64294,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -393,20 +386,20 @@ interface(`rhcs_rw_cluster_semaphores',`
+@@ -393,20 +383,20 @@ interface(`rhcs_rw_cluster_semaphores',`
## </summary>
## </param>
#
@@ -64169,7 +64321,7 @@ index 56bc01f..27c4de4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -414,15 +407,32 @@ interface(`rhcs_rw_groupd_semaphores',`
+@@ -414,15 +404,32 @@ interface(`rhcs_rw_groupd_semaphores',`
## </summary>
## </param>
#
@@ -64207,7 +64359,7 @@ index 56bc01f..27c4de4 100644
')
######################################
-@@ -446,52 +456,322 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +453,322 @@ interface(`rhcs_domtrans_qdiskd',`
########################################
## <summary>
@@ -64559,7 +64711,7 @@ index 56bc01f..27c4de4 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..a1461c9 100644
+index 2c2de9a..bbe8875 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -64590,7 +64742,7 @@ index 2c2de9a..a1461c9 100644
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
-@@ -50,28 +71,259 @@ rhcs_domain_template(qdiskd)
+@@ -50,28 +71,263 @@ rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
@@ -64634,11 +64786,18 @@ index 2c2de9a..a1461c9 100644
allow cluster_domain self:unix_dgram_socket create_socket_perms;
-logging_send_syslog_msg(cluster_domain)
-+optional_policy(`
-+ ccs_stream_connect(cluster_domain)
-+')
-+
-+optional_policy(`
+-
+-miscfiles_read_localization(cluster_domain)
++manage_dirs_pattern(cluster_domain, cluster_log, cluster_log)
++manage_files_pattern(cluster_domain, cluster_log, cluster_log)
++manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log)
+
+ optional_policy(`
+ ccs_stream_connect(cluster_domain)
+ ')
+
+ optional_policy(`
+- corosync_stream_connect(cluster_domain)
+ dbus_system_bus_client(cluster_domain)
+')
+
@@ -64646,8 +64805,7 @@ index 2c2de9a..a1461c9 100644
+#
+# cluster domain local policy
+#
-
--miscfiles_read_localization(cluster_domain)
++
+allow cluster_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
+# for hearbeat
+allow cluster_t self:capability { net_raw chown };
@@ -64741,14 +64899,12 @@ index 2c2de9a..a1461c9 100644
+ files_manage_isid_type_dirs(cluster_t)
+ fs_manage_tmpfs_files(cluster_t)
+')
-
- optional_policy(`
-- ccs_stream_connect(cluster_domain)
++
++optional_policy(`
+ ccs_read_config(cluster_t)
- ')
-
- optional_policy(`
-- corosync_stream_connect(cluster_domain)
++')
++
++optional_policy(`
+ cmirrord_rw_shm(cluster_t)
+')
+
@@ -64855,7 +65011,7 @@ index 2c2de9a..a1461c9 100644
')
#####################################
-@@ -98,6 +350,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,6 +354,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -64868,7 +65024,7 @@ index 2c2de9a..a1461c9 100644
#######################################
#
# fenced local policy
-@@ -105,9 +363,13 @@ init_rw_script_tmp_files(dlm_controld_t)
+@@ -105,9 +367,13 @@ init_rw_script_tmp_files(dlm_controld_t)
allow fenced_t self:capability { sys_rawio sys_resource };
allow fenced_t self:process { getsched signal_perms };
@@ -64883,7 +65039,7 @@ index 2c2de9a..a1461c9 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +380,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +384,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -64894,7 +65050,7 @@ index 2c2de9a..a1461c9 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
-@@ -148,9 +409,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +413,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@@ -64905,7 +65061,7 @@ index 2c2de9a..a1461c9 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +419,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +423,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@@ -64914,7 +65070,7 @@ index 2c2de9a..a1461c9 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -190,10 +449,6 @@ optional_policy(`
+@@ -190,10 +453,6 @@ optional_policy(`
')
optional_policy(`
@@ -64925,7 +65081,7 @@ index 2c2de9a..a1461c9 100644
lvm_domtrans(fenced_t)
lvm_read_config(fenced_t)
')
-@@ -203,6 +458,13 @@ optional_policy(`
+@@ -203,6 +462,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -64939,7 +65095,7 @@ index 2c2de9a..a1461c9 100644
#######################################
#
# foghorn local policy
-@@ -223,7 +485,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -223,7 +489,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
dev_read_urand(foghorn_t)
@@ -64949,7 +65105,7 @@ index 2c2de9a..a1461c9 100644
optional_policy(`
dbus_connect_system_bus(foghorn_t)
-@@ -257,6 +520,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +524,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -64958,7 +65114,7 @@ index 2c2de9a..a1461c9 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +540,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +544,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -64971,7 +65127,7 @@ index 2c2de9a..a1461c9 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +586,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +590,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -67425,10 +67581,10 @@ index c49828c..a323332 100644
sysnet_dns_name_resolve(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..cba31f2 100644
+index ebe91fc..54fe358 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -1,61 +1,68 @@
+@@ -1,61 +1,69 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -67451,6 +67607,7 @@ index ebe91fc..cba31f2 100644
+/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -68698,12 +68855,28 @@ index d25301b..d92f567 100644
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
-index f1140ef..c5bd83a 100644
+index f1140ef..ebc2190 100644
--- a/rsync.if
+++ b/rsync.if
-@@ -1,16 +1,16 @@
+@@ -1,16 +1,32 @@
-## <summary>Fast incremental file transfer for synchronization.</summary>
+## <summary>Fast incremental file transfer for synchronization</summary>
++
++#######################################
++## <summary>
++## Sendmail stub interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`sendmail_stub',`
++gen_require(`
++type sendmail_t;
++')
++')
########################################
## <summary>
@@ -68723,7 +68896,7 @@ index f1140ef..c5bd83a 100644
interface(`rsync_entry_type',`
gen_require(`
type rsync_exec_t;
-@@ -43,14 +43,13 @@ interface(`rsync_entry_type',`
+@@ -43,14 +59,13 @@ interface(`rsync_entry_type',`
## Domain to transition to.
## </summary>
## </param>
@@ -68740,7 +68913,7 @@ index f1140ef..c5bd83a 100644
')
########################################
-@@ -77,76 +76,31 @@ interface(`rsync_entry_spec_domtrans',`
+@@ -77,76 +92,31 @@ interface(`rsync_entry_spec_domtrans',`
## Domain to transition to.
## </summary>
## </param>
@@ -68820,7 +68993,7 @@ index f1140ef..c5bd83a 100644
can_exec($1, rsync_exec_t)
')
-@@ -165,13 +119,13 @@ interface(`rsync_read_config',`
+@@ -165,13 +135,13 @@ interface(`rsync_read_config',`
type rsync_etc_t;
')
@@ -68836,7 +69009,7 @@ index f1140ef..c5bd83a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -179,19 +133,18 @@ interface(`rsync_read_config',`
+@@ -179,19 +149,18 @@ interface(`rsync_read_config',`
## </summary>
## </param>
#
@@ -68861,7 +69034,7 @@ index f1140ef..c5bd83a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -199,83 +152,54 @@ interface(`rsync_write_config',`
+@@ -199,83 +168,54 @@ interface(`rsync_write_config',`
## </summary>
## </param>
#
@@ -73588,7 +73761,7 @@ index d14b6bf..da5d41d 100644
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/sendmail.if b/sendmail.if
-index 88e753f..ca74cd9 100644
+index 88e753f..e25aecc 100644
--- a/sendmail.if
+++ b/sendmail.if
@@ -1,4 +1,4 @@
@@ -73597,6 +73770,15 @@ index 88e753f..ca74cd9 100644
########################################
## <summary>
+@@ -10,7 +10,7 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`sendmail_stub',`
++interface(`rsync_stub',`
+ gen_require(`
+ type sendmail_t;
+ ')
@@ -18,7 +18,8 @@ interface(`sendmail_stub',`
########################################
@@ -74296,7 +74478,7 @@ index 3a9a70b..039b0c8 100644
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..c6f3302 100644
+index 49b12ae..a89828e 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -1,4 +1,4 @@
@@ -74393,11 +74575,12 @@ index 49b12ae..c6f3302 100644
files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t)
-@@ -108,26 +113,23 @@ init_dontaudit_write_utmp(setroubleshootd_t)
+@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t)
+ init_dontaudit_write_utmp(setroubleshootd_t)
libs_exec_ld_so(setroubleshootd_t)
++libs_exec_ldconfig(setroubleshootd_t)
-+
locallogin_dontaudit_use_fds(setroubleshootd_t)
logging_send_audit_msgs(setroubleshootd_t)
@@ -75798,10 +75981,14 @@ index 0000000..92c3638
+
+sysnet_dns_name_resolve(smsd_t)
diff --git a/snmp.fc b/snmp.fc
-index c73fa24..d852517 100644
+index c73fa24..9018dbc 100644
--- a/snmp.fc
+++ b/snmp.fc
-@@ -13,6 +13,8 @@
+@@ -10,9 +10,12 @@
+
+ /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+ /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
++/var/spool/snmptt(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
@@ -78902,6 +79089,53 @@ index 0000000..39f1ca1
+libs_exec_ldconfig(swift_t)
+
+logging_send_syslog_msg(swift_t)
+diff --git a/swift_alias.fc b/swift_alias.fc
+new file mode 100644
+index 0000000..b7db254
+--- /dev/null
++++ b/swift_alias.fc
+@@ -0,0 +1 @@
++# Empty
+diff --git a/swift_alias.if b/swift_alias.if
+new file mode 100644
+index 0000000..3fed1a3
+--- /dev/null
++++ b/swift_alias.if
+@@ -0,0 +1,2 @@
++
++## <summary>swift_alias policy module</summary>
+diff --git a/swift_alias.te b/swift_alias.te
+new file mode 100644
+index 0000000..6e39c4f
+--- /dev/null
++++ b/swift_alias.te
+@@ -0,0 +1,26 @@
++policy_module(swift_alias, 1.0.0)
++
++#
++# swift_alias.pp policy replaces swift.pp policy
++# which is a part of openstack-selinux.rpm package
++#
++
++########################################
++#
++# Declarations
++#
++
++#call stub interfaces for basic types
++init_stub_initrc()
++corecmd_stub_bin()
++files_stub_var_run()
++files_stub_var()
++systemd_stub_unit_file()
++
++typealias initrc_t alias swift_t;
++typealias bin_t alias swift_exec_t;
++typealias var_run_t alias swift_var_run_t;
++typealias systemd_unit_file_t alias swift_unit_file_t;
++typealias var_t alias swift_data_t;
++
++
diff --git a/sxid.te b/sxid.te
index c9824cb..1973f71 100644
--- a/sxid.te
@@ -80960,10 +81194,10 @@ index 0000000..601aea3
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
new file mode 100644
-index 0000000..eb30b4c
+index 0000000..bfcd2c7
--- /dev/null
+++ b/thumb.if
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,126 @@
+
+## <summary>policy for thumb</summary>
+
@@ -81088,6 +81322,7 @@ index 0000000..eb30b4c
+
+ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
+ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
++ gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
@@ -83820,7 +84055,7 @@ index c30da4c..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..175e66a 100644
+index 9dec06c..b991ec7 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -84798,7 +85033,7 @@ index 9dec06c..175e66a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -860,115 +603,244 @@ interface(`virt_read_lib_files',`
+@@ -860,115 +603,245 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
@@ -84935,6 +85170,7 @@ index 9dec06c..175e66a 100644
files_search_pids($1)
- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+ stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)
++ ps_process_pattern(svirt_lxc_domain, $1)
')
+
@@ -85080,7 +85316,7 @@ index 9dec06c..175e66a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -976,18 +848,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +849,17 @@ interface(`virt_manage_log',`
## </summary>
## </param>
#
@@ -85103,7 +85339,7 @@ index 9dec06c..175e66a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -995,36 +866,17 @@ interface(`virt_search_images',`
+@@ -995,36 +867,17 @@ interface(`virt_search_images',`
## </summary>
## </param>
#
@@ -85144,7 +85380,7 @@ index 9dec06c..175e66a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1032,58 +884,57 @@ interface(`virt_read_images',`
+@@ -1032,58 +885,57 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -85224,7 +85460,7 @@ index 9dec06c..175e66a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1091,95 +942,131 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,95 +943,132 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@@ -85412,13 +85648,14 @@ index 9dec06c..175e66a 100644
- admin_pattern($1, virt_lock_t)
+ allow $1 svirt_lxc_domain:process transition;
+ role $2 types svirt_lxc_domain;
++ allow $1 svirt_lxc_domain:unix_dgram_socket sendto;
- dev_list_all_dev_nodes($1)
- allow $1 virt_ptynode:chr_file rw_term_perms;
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..d5e8852 100644
+index 1f22fba..e780b1b 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -85887,7 +86124,9 @@ index 1f22fba..d5e8852 100644
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
-corenet_udp_sendrecv_generic_if(svirt_t)
@@ -85909,9 +86148,7 @@ index 1f22fba..d5e8852 100644
-corenet_sendrecv_all_server_packets(svirt_t)
-corenet_udp_bind_all_ports(svirt_t)
-corenet_tcp_bind_all_ports(svirt_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_sendrecv_all_client_packets(svirt_t)
-corenet_tcp_connect_all_ports(svirt_t)
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -86140,13 +86377,13 @@ index 1f22fba..d5e8852 100644
+sysnet_read_config(virtd_t)
-userdom_read_all_users_state(virtd_t)
-+systemd_dbus_chat_logind(virtd_t)
-+systemd_write_inhibit_pipes(virtd_t)
-
+-
-ifdef(`hide_broken_symptoms',`
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
-')
--
++systemd_dbus_chat_logind(virtd_t)
++systemd_write_inhibit_pipes(virtd_t)
+
-tunable_policy(`virt_use_fusefs',`
- fs_manage_fusefs_dirs(virtd_t)
- fs_manage_fusefs_files(virtd_t)
@@ -86177,13 +86414,15 @@ index 1f22fba..d5e8852 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -649,104 +475,323 @@ optional_policy(`
- optional_policy(`
- dbus_system_bus_client(virtd_t)
+@@ -646,107 +472,327 @@ optional_policy(`
+ consoletype_exec(virtd_t)
+ ')
-- optional_policy(`
-- avahi_dbus_chat(virtd_t)
-- ')
+-optional_policy(`
+- dbus_system_bus_client(virtd_t)
++optional_policy(`
++ dbus_system_bus_client(virtd_t)
++
+ optional_policy(`
+ avahi_dbus_chat(virtd_t)
+ ')
@@ -86363,6 +86602,7 @@ index 1f22fba..d5e8852 100644
+
+dev_list_sysfs(virt_domain)
+dev_getattr_fs(virt_domain)
++dev_dontaudit_getattr_all(virt_domain)
+dev_read_generic_symlinks(virt_domain)
+dev_read_rand(virt_domain)
+dev_read_sound(virt_domain)
@@ -86374,7 +86614,10 @@ index 1f22fba..d5e8852 100644
+dev_rw_inherited_vhost(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
-+
+
+- optional_policy(`
+- avahi_dbus_chat(virtd_t)
+- ')
+files_read_mnt_symlinks(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
@@ -86539,7 +86782,7 @@ index 1f22fba..d5e8852 100644
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow virsh_t self:process { getcap getsched setsched setcap signal };
-+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_chroot sys_nice sys_tty_config };
++allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
@@ -86557,7 +86800,7 @@ index 1f22fba..d5e8852 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +803,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +804,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -86570,12 +86813,12 @@ index 1f22fba..d5e8852 100644
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-
-allow virsh_t svirt_lxc_domain:process transition;
--
--can_exec(virsh_t, virsh_exec_t)
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
+-can_exec(virsh_t, virsh_exec_t)
+-
-virt_domtrans(virsh_t)
-virt_manage_images(virsh_t)
-virt_manage_config(virsh_t)
@@ -86587,7 +86830,7 @@ index 1f22fba..d5e8852 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +822,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +823,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -86614,12 +86857,13 @@ index 1f22fba..d5e8852 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +842,21 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +843,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
-term_use_all_terms(virsh_t)
+term_use_all_inherited_terms(virsh_t)
++term_dontaudit_use_generic_ptys(virsh_t)
+
+userdom_search_admin_dir(virsh_t)
+userdom_read_home_certs(virsh_t)
@@ -86645,7 +86889,7 @@ index 1f22fba..d5e8852 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,6 +874,10 @@ optional_policy(`
+@@ -847,6 +876,10 @@ optional_policy(`
')
optional_policy(`
@@ -86656,7 +86900,7 @@ index 1f22fba..d5e8852 100644
rpm_exec(virsh_t)
')
-@@ -854,7 +885,7 @@ optional_policy(`
+@@ -854,7 +887,7 @@ optional_policy(`
xen_manage_image_dirs(virsh_t)
xen_append_log(virsh_t)
xen_domtrans(virsh_t)
@@ -86665,7 +86909,7 @@ index 1f22fba..d5e8852 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +910,44 @@ optional_policy(`
+@@ -879,34 +912,44 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -86719,11 +86963,13 @@ index 1f22fba..d5e8852 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +957,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +959,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
+files_associate_rootfs(svirt_lxc_file_t)
++
++seutil_read_file_contexts(virtd_lxc_t)
storage_manage_fixed_disk(virtd_lxc_t)
+storage_rw_fuse(virtd_lxc_t)
@@ -86735,7 +86981,7 @@ index 1f22fba..d5e8852 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +977,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +981,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -86746,7 +86992,7 @@ index 1f22fba..d5e8852 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +986,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +990,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -86754,7 +87000,7 @@ index 1f22fba..d5e8852 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +998,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1002,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -86773,7 +87019,7 @@ index 1f22fba..d5e8852 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,20 +1012,44 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1016,36 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -86809,22 +87055,16 @@ index 1f22fba..d5e8852 100644
-# Common virt lxc domain local policy
+# virt_lxc_domain local policy
#
-+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
-+
-+allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
-+allow virtd_t svirt_lxc_domain:process { signal_perms getattr };
-+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
-+allow svirt_lxc_domain virtd_lxc_t:process sigchld;
-+allow svirt_lxc_domain virtd_lxc_t:fd use;
-+allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
-+allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
-
+-
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
- allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
++allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
++allow svirt_lxc_domain self:key manage_key_perms;
++allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid setrlimit };
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
-@@ -995,19 +1058,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+ allow svirt_lxc_domain self:shm create_shm_perms;
+@@ -995,18 +1053,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -86833,18 +87073,25 @@ index 1f22fba..d5e8852 100644
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
-
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
--
+
-allow svirt_lxc_domain virsh_t:fd use;
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
-allow svirt_lxc_domain virsh_t:process sigchld;
--
++allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
++allow virtd_t svirt_lxc_domain:process { signal_perms getattr };
++allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched setrlimit transition signal_perms };
+
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
--
++allow svirt_lxc_domain virtd_lxc_t:process sigchld;
++allow svirt_lxc_domain virtd_lxc_t:fd use;
++allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
++allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1065,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1071,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -86863,7 +87110,7 @@ index 1f22fba..d5e8852 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1084,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1090,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -86890,15 +87137,15 @@ index 1f22fba..d5e8852 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1109,91 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1115,90 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
-miscfiles_read_localization(svirt_lxc_domain)
miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
miscfiles_read_fonts(svirt_lxc_domain)
-
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++miscfiles_read_hwdata(svirt_lxc_domain)
++
+systemd_read_unit_files(svirt_lxc_domain)
+
+userdom_use_inherited_user_terminals(svirt_lxc_domain)
@@ -86911,7 +87158,8 @@ index 1f22fba..d5e8852 100644
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+')
-+
+
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
+ ssh_use_ptys(svirt_lxc_net_t)
+')
@@ -86935,11 +87183,10 @@ index 1f22fba..d5e8852 100644
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
+allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap };
dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-+allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
- allow svirt_lxc_net_t self:process setrlimit;
+-allow svirt_lxc_net_t self:process setrlimit;
-allow svirt_lxc_net_t self:tcp_socket { accept listen };
-allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
-+
++allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+allow svirt_lxc_net_t self:udp_socket create_socket_perms;
+allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
+allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms;
@@ -87026,7 +87273,7 @@ index 1f22fba..d5e8852 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1206,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1211,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -87041,7 +87288,7 @@ index 1f22fba..d5e8852 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1224,8 @@ optional_policy(`
+@@ -1183,9 +1229,8 @@ optional_policy(`
########################################
#
@@ -87052,7 +87299,7 @@ index 1f22fba..d5e8852 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1238,70 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1243,70 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -89272,7 +89519,7 @@ index 0cea2cd..7668014 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index 2882821..521232e 100644
+index 2882821..6618596 100644
--- a/xguest.te
+++ b/xguest.te
@@ -1,4 +1,4 @@
@@ -89346,7 +89593,7 @@ index 2882821..521232e 100644
storage_raw_read_removable_device(xguest_t)
storage_raw_write_removable_device(xguest_t)
',`
-@@ -54,9 +54,21 @@ ifndef(`enable_mls',`
+@@ -54,9 +54,22 @@ ifndef(`enable_mls',`
')
optional_policy(`
@@ -89355,6 +89602,7 @@ index 2882821..521232e 100644
+')
+
+kernel_dontaudit_request_load_module(xguest_t)
++kernel_read_software_raid_state(xguest_t)
+
+tunable_policy(`selinuxuser_execstack',`
+ allow xguest_t self:process execstack;
@@ -89369,7 +89617,7 @@ index 2882821..521232e 100644
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -65,10 +77,9 @@ optional_policy(`
+@@ -65,10 +78,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
@@ -89381,7 +89629,7 @@ index 2882821..521232e 100644
')
')
-@@ -84,12 +95,17 @@ optional_policy(`
+@@ -84,12 +96,17 @@ optional_policy(`
')
')
@@ -89401,7 +89649,7 @@ index 2882821..521232e 100644
')
optional_policy(`
-@@ -97,75 +113,82 @@ optional_policy(`
+@@ -97,75 +114,82 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 126dfb1..b22aa16 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -15,11 +15,11 @@
%endif
%define POLICYVER 29
%define POLICYCOREUTILSVER 2.1.14-12
-%define CHECKPOLICYVER 2.1.12-1
+%define CHECKPOLICYVER 2.1.12-3
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 20%{?dist}
+Release: 23%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -253,7 +253,7 @@ fi;
. %{_sysconfdir}/selinux/config; \
if [ -e /etc/selinux/%2/.rebuild ]; then \
rm /etc/selinux/%2/.rebuild; \
- (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
+ (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
/usr/sbin/semodule -B -n -s %2; \
else \
touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \
@@ -526,6 +526,58 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Mar 20 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-23
+- Allow localectl to read /etc/X11/xorg.conf.d directory
+- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""
+- Allow mount to transition to systemd_passwd_agent
+- Make sure abrt directories are labeled correctly
+- Allow commands that are going to read mount pid files to search mount_var_run_t
+- label /usr/bin/repoquery as rpm_exec_t
+- Allow automount to block suspend
+- Add abrt_filetrans_named_content so that abrt directories get labeled correctly
+- Allow virt domains to setrlimit and read file_context
+
+* Mon Mar 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-22
+- Allow nagios to manage nagios spool files
+- /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6
+- Add swift_alias.* policy files which contain typealiases for swift types
+- Add support for /run/lock/opencryptoki
+- Allow pkcsslotd chown capability
+- Allow pkcsslotd to read passwd
+- Add rsync_stub() interface
+- Allow systemd_timedate also manage gnome config homedirs
+- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t
+- Fix filetrans rules for kdm creates .xsession-errors
+- Allow sytemd_tmpfiles to create wtmp file
+- Really should not label content under /var/lock, since it could have labels on it different from var_lock_t
+- Allow systemd to list all file system directories
+- Add some basic stub interfaces which will be used in PRODUCT policies
+
+* Wed Mar 13 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-21
+- Fix log transition rule for cluster domains
+- Start to group all cluster log together
+- Dont use filename transition for POkemon Advanced Adventure until a new checkpolicy update
+- cups uses usbtty_device_t devices
+- These fixes were all required to build a MLS virtual Machine with single level desktops
+- Allow domains to transiton using httpd_exec_t
+- Allow svirt domains to manage kernel key rings
+- Allow setroubleshoot to execute ldconfig
+- Allow firewalld to read generate gnome data
+- Allow bluetooth to read machine-info
+- Allow boinc domain to send signal to itself
+- Fix gnome_filetrans_home_content() interface
+- Allow mozilla_plugins to list apache modules, for use with gxine
+- Fix labels for POkemon in the users homedir
+- Allow xguest to read mdstat
+- Dontaudit virt_domains getattr on /dev/*
+- These fixes were all required to build a MLS virtual Machine with single level desktops
+- Need to back port this to RHEL6 for openshift
+- Add tcp/8891 as milter port
+- Allow nsswitch domains to read sssd_var_lib_t files
+- Allow ping to read network state.
+- Fix typo
+- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
+
* Fri Mar 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-20
- Adopt swift changes from lhh at redhat.com
- Add rhcs_manage_cluster_pid_files() interface
More information about the scm-commits
mailing list