[selinux-policy/f19] * Tue Apr 2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-25 - Allow realmd to create tmp files - F
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Apr 2 12:29:26 UTC 2013
commit 05f4ab426f4748344ee40dcede9b50c9c90b5acc
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Apr 2 14:29:06 2013 +0200
* Tue Apr 2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-25
- Allow realmd to create tmp files
- FIx ircssi_home_t type to irssi_home_t
- Allow adcli running as realmd_t to connect to ldap port
- Allow NetworkManager to transition to ipsec_t, for running strongswan
- Make openshift_initrc_t an lxc_domain
- Allow gssd to manage user_tmp_t files
- Fix handling of irclogs in users homedir
- Fix labeling for drupal and wp-content in subdirs of /var/www/html
- Allow abrt to read utmp_t file
- Fix openshift policy to transition lnk_file, sock-file an fifo_file when creat
- fix labeling for (oo|rhc)-restorer-wrapper.sh
- firewalld needs to be able to write to network sysctls
- Fix mozilla_plugin_dontaudit_rw_sem() interface
- Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains
- Add mozilla_plugin_dontaudit_rw_sem() interface
- Allow svirt_lxc_t to transition to openshift domains
- Allow condor domains block_suspend and dac_override caps
- Allow condor_master to read passd
- Allow condor_master to read system state
- Allow NetworkManager to transition to ipsec_t, for running strongswan
- Lots of access required by lvm_t to created encrypted usb device
- Allow xdm_t to dbus communicate with systemd_localed_t
- Label strongswan content as ipsec_exec_mgmt_t for now
- Allow users to dbus chat with systemd_localed
- Fix handling of .xsession-errors in xserver.if, so kde will work
- Might be a bug but we are seeing avc's about people status on init_t:service
- Make sure we label content under /var/run/lock as <<none>>
- Allow daemon and systemprocesses to search init_var_run_t directory
- Add boolean to allow xdm to write xauth data to the home directory
- Allow mount to write keys for the unconfined domain
- Add unconfined_write_keys() interface
policy-rawhide-base.patch | 536 ++++++++++++++++++++++++++----------------
policy-rawhide-contrib.patch | 361 +++++++++++++++++++----------
selinux-policy.spec | 35 +++-
3 files changed, 607 insertions(+), 325 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 699d224..0b14445 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8084,7 +8084,7 @@ index cf04cb5..274ef6d 100644
+ ')
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c2c6e05..96aeeef 100644
+index c2c6e05..be423a7 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -8305,7 +8305,14 @@ index c2c6e05..96aeeef 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
-@@ -262,6 +279,7 @@ ifndef(`distro_redhat',`
+@@ -256,12 +273,14 @@ ifndef(`distro_redhat',`
+ /var/run -l gen_context(system_u:object_r:var_run_t,s0)
+ /var/run/.* gen_context(system_u:object_r:var_run_t,s0)
+ /var/run/.*\.*pid <<none>>
++/var/run/lock/.* <<none>>
+
+ /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+ /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
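Review bot: The new `/var/run/lock/.* <<none>>` entry stops restorecon from ever relabeling lock-file contents, so every file under that directory keeps whatever type the creating domain's filetrans rule (or the default) gave it, and a mislabeled lock file can only be corrected by hand. That is the same treatment the `.pid` entry above already gets, but the reason deserves to be written next to the line: `# lock files keep the type their creating domain assigned; a relabel must not reset them`. The hunk shows no entry for `/var/run/lock` itself, so with only `/var/run/.*` visible the directory would be `var_run_t`; if per-domain lock filetrans rules are keyed on a `var_lock_t` parent directory, that would need an entry elsewhere in files.fc — worth confirming.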
@@ -8313,7 +8320,7 @@ index c2c6e05..96aeeef 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -270,3 +288,5 @@ ifndef(`distro_redhat',`
+@@ -270,3 +289,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
@@ -15169,18 +15176,20 @@ index 8416beb..60b2ce1 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..97dbeb4 100644
+index 9e603f5..2b79004 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
-@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
# Use the allocating task SID to label inodes in the following filesystem
-@@ -53,6 +54,7 @@ type anon_inodefs_t;
+@@ -53,6 +55,7 @@ type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
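Review bot: `fs_use_xattr ocfs2` makes the kernel trust the `security.selinux` xattr stored on the shared volume, so on a cluster every node reads labels written by any other node, and files created by a node running a different policy (or no SELinux) carry whatever type that node left, possibly none. A one-line comment beside the new line would make that trust boundary explicit: `# ocfs2: labels live on shared storage and are trusted from every cluster node`. This is an observation about where labels come from rather than a defect in the rule; whether ocfs2 volumes here are ever shared with nodes outside this policy's control is not visible in the hunk.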
@@ -15188,7 +15197,7 @@ index 9e603f5..97dbeb4 100644
type bdev_t;
fs_type(bdev_t)
-@@ -68,7 +70,7 @@ fs_type(capifs_t)
+@@ -68,7 +71,7 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
@@ -15197,7 +15206,7 @@ index 9e603f5..97dbeb4 100644
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
-@@ -89,6 +91,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -89,6 +92,11 @@ fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
@@ -15209,7 +15218,7 @@ index 9e603f5..97dbeb4 100644
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -97,6 +104,7 @@ type hugetlbfs_t;
+@@ -97,6 +105,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -15217,7 +15226,7 @@ index 9e603f5..97dbeb4 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -125,6 +133,10 @@ type oprofilefs_t;
+@@ -125,6 +134,10 @@ type oprofilefs_t;
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
@@ -15228,7 +15237,7 @@ index 9e603f5..97dbeb4 100644
type ramfs_t;
fs_type(ramfs_t)
files_mountpoint(ramfs_t)
-@@ -145,11 +157,6 @@ fs_type(spufs_t)
+@@ -145,11 +158,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -15240,7 +15249,7 @@ index 9e603f5..97dbeb4 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -167,6 +174,8 @@ type vxfs_t;
+@@ -167,6 +175,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -15249,7 +15258,7 @@ index 9e603f5..97dbeb4 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +185,8 @@ fs_type(tmpfs_t)
+@@ -176,6 +186,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -15258,7 +15267,7 @@ index 9e603f5..97dbeb4 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +267,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -15267,7 +15276,7 @@ index 9e603f5..97dbeb4 100644
files_mountpoint(removable_t)
#
-@@ -274,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +288,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -18984,10 +18993,10 @@ index 0000000..0e8654b
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
-index 0000000..bac0dc0
+index 0000000..cf6582f
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,595 @@
+@@ -0,0 +1,613 @@
+## <summary>Unconfiend user role</summary>
+
+########################################
@@ -19415,6 +19424,24 @@ index 0000000..bac0dc0
+
+########################################
+## <summary>
++## Write keys for the unconfined domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_write_keys',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:key write;
++')
++
++########################################
++## <summary>
+## Send messages to the unconfined domain over dbus.
+## </summary>
+## <param name="domain">
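Review bot: The new `unconfined_write_keys` interface grants `$1 unconfined_t:key write`, which lets the caller add keys to or update keys in any keyring owned by the unconfined user domain — a broad privilege, since unconfined_t is the interactive user's session and its keyrings may hold credentials unrelated to the caller (the changelog names mount as the consumer). The summary should say that rather than just "Write keys": `## Add keys to, or update keys in, keyrings owned by the unconfined domain.`. If the caller also needs to look up the keys it installs it will likely want `search`/`view` on the same keyrings; whether the caller's own policy already has those is not visible here.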
@@ -22072,7 +22099,7 @@ index d1f64a0..3be3d00 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..d4ed029 100644
+index 6bf0ecc..ad955d5 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -22320,32 +22347,11 @@ index 6bf0ecc..d4ed029 100644
')
allow $2 self:shm create_shm_perms;
-@@ -456,11 +495,34 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +495,13 @@ template(`xserver_user_x_domain_template',`
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP")
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority")
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-c")
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-n")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:0")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:1")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:2")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:3")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:4")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:5")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:6")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:7")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:8")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:9")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped.old")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")
++ xserver_filetrans_home_content($2)
+
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
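Review bot: Replacing the inline list with `xserver_filetrans_home_content($2)` changes what the template grants, not only how it reads: the `userdom_user_home_dir_filetrans($1, …)` run later in this patch (presumably that interface's body) also carries `.Xauth`, the `.fonts*`/`.fontconfig` entries and a `gnome_cache_filetrans` call that the removed lines did not, so every per-user X domain instantiated from this template now gets those transitions too. That is probably intended, but the widening should be stated at the call site so it is deliberate: `# also covers font config/cache and gnome cache dirs, not only auth and .xsession-errors files`. The template body continues outside this hunk.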
@@ -22357,7 +22363,7 @@ index 6bf0ecc..d4ed029 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +534,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +513,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -22387,7 +22393,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -517,6 +585,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +564,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -22395,7 +22401,7 @@ index 6bf0ecc..d4ed029 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -547,6 +616,42 @@ interface(`xserver_domtrans_xauth',`
+@@ -547,6 +595,42 @@ interface(`xserver_domtrans_xauth',`
domtrans_pattern($1, xauth_exec_t, xauth_t)
')
@@ -22438,7 +22444,7 @@ index 6bf0ecc..d4ed029 100644
########################################
## <summary>
## Create a Xauthority file in the user home directory.
-@@ -598,6 +703,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +682,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -22446,7 +22452,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -615,7 +721,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +700,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -22455,7 +22461,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -638,6 +744,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +723,25 @@ interface(`xserver_rw_console',`
########################################
## <summary>
@@ -22481,7 +22487,7 @@ index 6bf0ecc..d4ed029 100644
## Use file descriptors for xdm.
## </summary>
## <param name="domain">
-@@ -651,7 +776,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +755,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -22490,7 +22496,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -670,7 +795,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +774,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -22499,7 +22505,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -688,7 +813,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +792,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -22508,7 +22514,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -703,12 +828,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +807,11 @@ interface(`xserver_rw_xdm_pipes',`
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -22522,7 +22528,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -765,11 +889,71 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +868,71 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -22596,7 +22602,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -793,6 +977,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +956,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
## <summary>
@@ -22622,7 +22628,7 @@ index 6bf0ecc..d4ed029 100644
## Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
-@@ -806,7 +1009,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +988,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -22649,7 +22655,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -846,7 +1067,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1046,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -22677,7 +22683,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -869,6 +1109,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1088,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
## <summary>
@@ -22702,7 +22708,7 @@ index 6bf0ecc..d4ed029 100644
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -938,7 +1196,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1175,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -22730,7 +22736,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -957,7 +1234,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1213,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -22739,7 +22745,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -1004,6 +1281,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1260,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -22785,7 +22791,7 @@ index 6bf0ecc..d4ed029 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -1017,7 +1333,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1312,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -22794,7 +22800,7 @@ index 6bf0ecc..d4ed029 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1079,6 +1395,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1374,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@@ -22837,7 +22843,7 @@ index 6bf0ecc..d4ed029 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1093,7 +1445,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1424,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -22846,7 +22852,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -1111,8 +1463,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1442,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -22858,7 +22864,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -1226,6 +1580,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1559,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -22885,7 +22891,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -1251,7 +1625,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1604,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -22894,7 +22900,7 @@ index 6bf0ecc..d4ed029 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1261,13 +1635,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1614,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -22919,7 +22925,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -1284,10 +1668,577 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1647,604 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -23412,14 +23418,28 @@ index 6bf0ecc..d4ed029 100644
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
+ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
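Review bot: The `.xsession-errors-:0` … `.xsession-errors-:9` entries are exact-name transitions, so a session on display `:10` or higher (plausible with several seats or nested sessions) would write `.xsession-errors-:10` with no transition and the file would land as ordinary home content. Named file transitions cannot express a pattern, so the options are more entries or a comment marking the limit: `# .xsession-errors-:N entries cover displays :0-:9 only; higher display numbers get the home-dir default type`. The enclosing interface starts outside this hunk.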
@@ -23448,6 +23468,18 @@ index 6bf0ecc..d4ed029 100644
+
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
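Review bot: The admin-home variant gains the same `.xsession-errors-:0` … `:9` names as the user variant, but as shown it lists only `.DCOP` and `.ICEauthority` for `iceauth_home_t`, whereas the user variant in this same commit also added `.ICEauthority-c` and `.ICEauthority-n` (presumably the temp/lock names written beside the auth file). Unless root's ICE files are deliberately left as `admin_home_t`, the two interfaces should match: `userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c")` plus the `-n` counterpart. Part of this interface lies between the hunks, so check whether those entries already exist before adding them.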
@@ -23459,6 +23491,7 @@ index 6bf0ecc..d4ed029 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
+ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++
+ optional_policy(`
+ gnome_cache_filetrans($1, xdm_home_t, dir, "xdm")
+ ')
@@ -23500,7 +23533,7 @@ index 6bf0ecc..d4ed029 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..8ac9130 100644
+index 2696452..0881350 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -24065,7 +24098,7 @@ index 2696452..8ac9130 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +620,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +620,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -24106,10 +24139,11 @@ index 2696452..8ac9130 100644
-sysnet_read_config(xdm_t)
+systemd_write_inhibit_pipes(xdm_t)
++systemd_dbus_chat_localed(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
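Review bot: `systemd_dbus_chat_localed(xdm_t)` presumably follows the usual `*_dbus_chat` shape and grants `dbus send_msg` in both directions, which is wider than a display manager that only queries locale/keymap state needs; localed's write methods are still gated by polkit, so the exposure is limited, but the one-way form would be narrower if the interface offers it. A why-comment would also help the next reader, since nothing nearby says what xdm asks localed for: `# xdm talks to systemd-localed over the system bus (locale/keymap for the greeter)`. The xdm_t rule block continues outside this hunk.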
@@ -24159,7 +24193,7 @@ index 2696452..8ac9130 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +712,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -24186,7 +24220,7 @@ index 2696452..8ac9130 100644
')
optional_policy(`
-@@ -514,12 +739,72 @@ optional_policy(`
+@@ -514,12 +740,72 @@ optional_policy(`
')
optional_policy(`
@@ -24259,7 +24293,7 @@ index 2696452..8ac9130 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +822,78 @@ optional_policy(`
+@@ -537,28 +823,78 @@ optional_policy(`
')
optional_policy(`
@@ -24347,7 +24381,7 @@ index 2696452..8ac9130 100644
')
optional_policy(`
-@@ -570,6 +905,14 @@ optional_policy(`
+@@ -570,6 +906,14 @@ optional_policy(`
')
optional_policy(`
@@ -24362,7 +24396,7 @@ index 2696452..8ac9130 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +938,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -24375,7 +24409,7 @@ index 2696452..8ac9130 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +955,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -24391,7 +24425,7 @@ index 2696452..8ac9130 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +970,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +971,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -24402,7 +24436,7 @@ index 2696452..8ac9130 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +985,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +986,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -24424,7 +24458,7 @@ index 2696452..8ac9130 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1005,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1006,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -24438,7 +24472,7 @@ index 2696452..8ac9130 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1031,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1032,27 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -24469,7 +24503,7 @@ index 2696452..8ac9130 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1062,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1063,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -24487,7 +24521,7 @@ index 2696452..8ac9130 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1085,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1086,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -24511,7 +24545,7 @@ index 2696452..8ac9130 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1104,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1105,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -24520,7 +24554,7 @@ index 2696452..8ac9130 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1148,44 @@ optional_policy(`
+@@ -775,16 +1149,44 @@ optional_policy(`
')
optional_policy(`
@@ -24566,7 +24600,7 @@ index 2696452..8ac9130 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1194,10 @@ optional_policy(`
+@@ -793,6 +1195,10 @@ optional_policy(`
')
optional_policy(`
@@ -24577,7 +24611,7 @@ index 2696452..8ac9130 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1213,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1214,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -24591,7 +24625,7 @@ index 2696452..8ac9130 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1224,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1225,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -24600,7 +24634,7 @@ index 2696452..8ac9130 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1237,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1238,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -24635,7 +24669,7 @@ index 2696452..8ac9130 100644
')
optional_policy(`
-@@ -902,7 +1302,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24644,7 +24678,7 @@ index 2696452..8ac9130 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1356,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1357,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -24676,7 +24710,7 @@ index 2696452..8ac9130 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1402,40 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1403,40 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -26735,7 +26769,7 @@ index 9a4d3a7..9d960bb 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..f03be17 100644
+index 24e7804..1894886 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -27620,7 +27654,7 @@ index 24e7804..f03be17 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2284,283 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2284,284 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -27847,6 +27881,7 @@ index 24e7804..f03be17 100644
+ ')
+
+ allow $1 init_t:system status;
++ allow $1 init_t:service status;
+')
+
+########################################
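Review bot: The new `allow $1 init_t:service status;` has no comment explaining why the `service` class is now granted alongside `init_t:system status`, and the interface summary, which lies outside this hunk, still only describes the system-class access. I'd put `# systemd also reports status checks against the service class; seen as AVCs, origin not fully understood` above the new rule, hedged, since the trigger is only known from observed denials. If the denials turn out to come from a labeling problem on the systemd side, a `dontaudit` would be the more conservative choice than an `allow`. The enclosing interface begins outside the hunk.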
@@ -27905,7 +27940,7 @@ index 24e7804..f03be17 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..8913598 100644
+index dd3be8d..99c538c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -28177,9 +28212,9 @@ index dd3be8d..8913598 100644
- auth_rw_login_records(init_t)
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_aliases(init_t)
@@ -28303,9 +28338,9 @@ index dd3be8d..8913598 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ consolekit_manage_log(init_t)
+')
+
@@ -28313,18 +28348,18 @@ index dd3be8d..8913598 100644
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
- ')
-
- optional_policy(`
-- nscd_use(init_t)
++')
++
++optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_use(init_t)
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
@@ -28967,7 +29002,7 @@ index dd3be8d..8913598 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1353,185 @@ optional_policy(`
+@@ -896,3 +1353,187 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29018,6 +29053,8 @@ index dd3be8d..8913598 100644
+allow initrc_t daemon:process siginh;
+allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow daemon initrc_transition_domain:fd use;
++allow daemon init_var_run_t:dir search_dir_perms;
++allow systemprocess init_var_run_t:dir search_dir_perms;
+
+allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+allow init_t daemon:unix_dgram_socket create_socket_perms;
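Review bot: The two added rules grant every domain carrying the `daemon` and `systemprocess` attributes search on `init_var_run_t` directly in init.te, without a comment and without going through an init.if interface as the rest of this patch does for init types. Since `/var/run/systemd(/.*)?` is labeled `init_var_run_t` by the file context earlier in the patch, the intent is presumably traversal of `/run/systemd` to reach per-service runtime directories — confirm against the AVCs and record it: `# daemons must traverse /run/systemd (init_var_run_t) to reach their runtime dirs`. `search_dir_perms` is traversal only, so the exposure is small, but routing it through an interface would keep the consumers of `init_var_run_t` discoverable in one place.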
@@ -29154,7 +29191,7 @@ index dd3be8d..8913598 100644
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..a452892 100644
+index 662e79b..626a689 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -1,6 +1,8 @@
@@ -29179,7 +29216,7 @@ index 662e79b..a452892 100644
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-+/usr/libexec/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
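Review bot: `/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)` makes every regular file under that directory a domain entrypoint for `ipsec_t`, not just the IKE daemon, so any helper script or plugin binary installed there will run in the daemon domain when executed by a domain that transitions on `ipsec_exec_t`. If only the daemon needs to run as `ipsec_t`, list it explicitly the way the openswan entries above do (`/usr/libexec/ipsec/pluto -- ...`) and let the rest keep the default libexec label. The previous entry labeled `/usr/libexec/strongswan` as `ipsec_mgmt_exec_t`, so anything that relied on transitioning to `ipsec_mgmt_t` through that path changes domain with this hunk; if the broad match is intentional, say so with `# strongswan daemon and helpers all run in ipsec_t`.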
@@ -29189,7 +29226,7 @@ index 662e79b..a452892 100644
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..ac0a652 100644
+index 0d4c8d3..3375525 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',`
@@ -29216,7 +29253,68 @@ index 0d4c8d3..ac0a652 100644
interface(`ipsec_kill_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -225,6 +222,7 @@ interface(`ipsec_match_default_spd',`
+@@ -167,6 +164,60 @@ interface(`ipsec_kill_mgmt',`
+ allow $1 ipsec_mgmt_t:process sigkill;
+ ')
+
++########################################
++## <summary>
++## Send ipsec a general signal.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ipsec_signal',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process signal;
++')
++
++########################################
++## <summary>
++## Send ipsec a null signal.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ipsec_signull',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process signull;
++')
++
++########################################
++## <summary>
++## Send ipsec a kill signal.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ipsec_kill',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process sigkill;
++')
++
+ ######################################
+ ## <summary>
+ ## Send and receive messages from
+@@ -225,6 +276,7 @@ interface(`ipsec_match_default_spd',`
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
@@ -29224,7 +29322,7 @@ index 0d4c8d3..ac0a652 100644
')
########################################
-@@ -369,3 +367,26 @@ interface(`ipsec_run_setkey',`
+@@ -369,3 +421,26 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@@ -31599,7 +31697,7 @@ index 58bc27f..51e9872 100644
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index e8c59a5..ea56d23 100644
+index e8c59a5..df70cac 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -31621,7 +31719,7 @@ index e8c59a5..ea56d23 100644
type lvm_lock_t;
files_lock_file(lvm_lock_t)
-@@ -49,13 +52,16 @@ files_tmp_file(lvm_tmp_t)
+@@ -49,15 +52,19 @@ files_tmp_file(lvm_tmp_t)
allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
dontaudit clvmd_t self:capability sys_tty_config;
allow clvmd_t self:process { signal_perms setsched };
@@ -31636,10 +31734,14 @@ index e8c59a5..ea56d23 100644
+manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)
+fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })
+
++manage_dirs_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
- files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
+-files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
++files_pid_filetrans(clvmd_t, clvmd_var_run_t, { file dir })
+
+ read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t)
-@@ -71,7 +77,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
+@@ -71,7 +78,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
corecmd_exec_shell(clvmd_t)
corecmd_getattr_bin_files(clvmd_t)
@@ -31647,7 +31749,7 @@ index e8c59a5..ea56d23 100644
corenet_all_recvfrom_netlabel(clvmd_t)
corenet_tcp_sendrecv_generic_if(clvmd_t)
corenet_udp_sendrecv_generic_if(clvmd_t)
-@@ -120,9 +125,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
+@@ -120,9 +126,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
logging_send_syslog_msg(clvmd_t)
@@ -31657,7 +31759,7 @@ index e8c59a5..ea56d23 100644
seutil_sigchld_newrole(clvmd_t)
seutil_read_config(clvmd_t)
seutil_read_file_contexts(clvmd_t)
-@@ -141,6 +144,11 @@ ifdef(`distro_redhat',`
+@@ -141,6 +145,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -31669,7 +31771,7 @@ index e8c59a5..ea56d23 100644
ccs_stream_connect(clvmd_t)
')
-@@ -170,6 +178,7 @@ dontaudit lvm_t self:capability sys_tty_config;
+@@ -170,6 +179,7 @@ dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
@@ -31677,7 +31779,7 @@ index e8c59a5..ea56d23 100644
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -191,10 +200,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+@@ -191,10 +201,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
can_exec(lvm_t, lvm_exec_t)
# Creating lock files
@@ -31690,7 +31792,7 @@ index e8c59a5..ea56d23 100644
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -202,8 +213,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+@@ -202,8 +214,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@@ -31698,10 +31800,11 @@ index e8c59a5..ea56d23 100644
manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
-files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
+files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
++init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -220,6 +232,7 @@ kernel_read_kernel_sysctls(lvm_t)
+@@ -220,6 +234,7 @@ kernel_read_kernel_sysctls(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
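Review bot: `init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })` is added with no name filter and no comment, so anything lvm_t creates directly inside an `init_var_run_t` directory (`/var/run/systemd` per the file context earlier in this patch) is relabeled to `lvm_var_run_t`. If the names lvm or cryptsetup create there are known and the interface accepts a name argument, pass them to narrow the transition; otherwise document the trigger, e.g. `# lvm creates runtime state under /run/systemd when invoked by systemd` — hedged, the actual caller is not visible here. The parallel `files_pid_filetrans` line above carries the same class set, so a one-line comment noting that the two transitions are meant to mirror each other would stop them drifting apart.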
@@ -31709,7 +31812,7 @@ index e8c59a5..ea56d23 100644
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
-@@ -230,11 +243,13 @@ dev_delete_generic_dirs(lvm_t)
+@@ -230,11 +245,13 @@ dev_delete_generic_dirs(lvm_t)
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
@@ -31724,7 +31827,7 @@ index e8c59a5..ea56d23 100644
# cjp: this has no effect since LVM does not
# have lnk_file relabelto for anything else.
# perhaps this should be blk_files?
-@@ -246,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -246,6 +263,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -31732,7 +31835,7 @@ index e8c59a5..ea56d23 100644
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
-@@ -255,17 +271,21 @@ files_read_etc_files(lvm_t)
+@@ -255,17 +273,21 @@ files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -31755,7 +31858,7 @@ index e8c59a5..ea56d23 100644
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
-@@ -285,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -285,7 +307,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -31764,15 +31867,15 @@ index e8c59a5..ea56d23 100644
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +313,20 @@ init_use_script_ptys(lvm_t)
+@@ -293,15 +315,22 @@ init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
logging_send_syslog_msg(lvm_t)
+logging_stream_connect_syslog(lvm_t)
-+
-+authlogin_rw_pipes(lvm_t)
-miscfiles_read_localization(lvm_t)
++authlogin_rw_pipes(lvm_t)
++auth_use_nsswitch(lvm_t)
seutil_read_config(lvm_t)
seutil_read_file_contexts(lvm_t)
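Review bot: `auth_use_nsswitch(lvm_t)` is a broad grant — depending on nsswitch configuration it enables sssd/nscd socket access and LDAP network lookups — and it lands here without a comment, as does the relocated `authlogin_rw_pipes(lvm_t)` beside it. I'd record the reason, presumably `# cryptsetup/lvm resolve user and group names via NSS` — confirm which binary produced the denial. If only local passwd/group lookups are needed, the narrower passwd-reading interface in authlogin.if would avoid opening network name services to the LVM domain.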
@@ -31783,10 +31886,12 @@ index e8c59a5..ea56d23 100644
userdom_use_user_terminals(lvm_t)
+userdom_rw_semaphores(lvm_t)
+userdom_search_user_home_dirs(lvm_t)
++
++usermanage_read_crack_db(lvm_t)
ifdef(`distro_redhat',`
# this is from the initrd:
-@@ -313,6 +338,11 @@ ifdef(`distro_redhat',`
+@@ -313,6 +342,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
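Review bot: `usermanage_read_crack_db(lvm_t)` is called unconditionally, while the other non-base module calls in this file sit inside `optional_policy()` blocks; if usermanage is not in the base module set, the policy fails to build whenever that module is absent. Wrap it: `optional_policy(\`` / `	usermanage_read_crack_db(lvm_t)` / `')`, and add a why-comment such as `# cryptsetup runs the cracklib password check when creating encrypted volumes` — presumably, confirm against the AVC. The `userdom_*` calls in the same hunk are fine as they are, since userdomain is always built.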
@@ -31798,7 +31903,7 @@ index e8c59a5..ea56d23 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -333,14 +363,26 @@ optional_policy(`
+@@ -333,14 +367,26 @@ optional_policy(`
')
optional_policy(`
@@ -32797,7 +32902,7 @@ index 4584457..0755e25 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..ac90315 100644
+index 6a50270..2fc14cd 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@@ -33104,7 +33209,7 @@ index 6a50270..ac90315 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +298,124 @@ optional_policy(`
+@@ -194,24 +298,128 @@ optional_policy(`
')
optional_policy(`
@@ -33164,16 +33269,20 @@ index 6a50270..ac90315 100644
+optional_policy(`
+ usbmuxd_stream_connect(mount_t)
+')
++
++optional_policy(`
++ userhelper_exec_console(mount_t)
++')
++
++optional_policy(`
++ unconfined_write_keys(mount_t)
++')
optional_policy(`
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
-+ userhelper_exec_console(mount_t)
- ')
-+
-+optional_policy(`
+ virt_read_blk_images(mount_t)
-+')
+ ')
+
+optional_policy(`
+ vmware_exec_host(mount_t)
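Review bot: `unconfined_write_keys(mount_t)` lets the generic mount domain write into the kernel keyrings of unconfined processes, which is a security-relevant grant with no comment saying which helper needs it. Presumably a key-storing mount helper (ecryptfs is referenced by `mount_ecryptfs_exec_t` in the hunk above) adds keys to the invoking user's session keyring — confirm and record it: `# mount helpers (e.g. ecryptfs) add keys to the caller's keyring`. If only the ecryptfs path needs this, attaching the rule to `mount_ecryptfs_t` rather than `mount_t` would keep plain mount(8) away from user keyrings.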
@@ -35451,10 +35560,10 @@ index 0000000..4e12420
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..ab20e2f
+index 0000000..2927875
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1081 @@
+@@ -0,0 +1,1103 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@@ -36518,7 +36627,7 @@ index 0000000..ab20e2f
+########################################
+## <summary>
+## Send and receive messages from
-+## systemd timedated over dbus.
++## systemd hostnamed over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -36536,6 +36645,28 @@ index 0000000..ab20e2f
+ allow systemd_hostnamed_t $1:dbus send_msg;
+ ps_process_pattern(systemd_hostnamed_t, $1)
+')
++
++########################################
++## <summary>
++## Send and receive messages from
++## systemd localed over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_dbus_chat_localed',`
++ gen_require(`
++ type systemd_localed_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_localed_t:dbus send_msg;
++ allow systemd_localed_t $1:dbus send_msg;
++ ps_process_pattern(systemd_localed_t, $1)
++')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..4d56107
@@ -38554,7 +38685,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..05bc969 100644
+index 3c5dba7..9799799 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39816,7 +39947,7 @@ index 3c5dba7..05bc969 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1021,23 +1309,59 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -39863,6 +39994,7 @@ index 3c5dba7..05bc969 100644
+ optional_policy(`
+ systemd_dbus_chat_timedated($1_t)
+ systemd_dbus_chat_hostnamed($1_t)
++ systemd_dbus_chat_localed($1_t)
+ ')
+
+ optional_policy(`
@@ -39886,7 +40018,7 @@ index 3c5dba7..05bc969 100644
')
# Run pppd in pppd_t by default for user
-@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -39897,7 +40029,7 @@ index 3c5dba7..05bc969 100644
')
')
-@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -39906,7 +40038,7 @@ index 3c5dba7..05bc969 100644
')
##############################
-@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -39914,7 +40046,7 @@ index 3c5dba7..05bc969 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -39924,7 +40056,7 @@ index 3c5dba7..05bc969 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -39932,7 +40064,7 @@ index 3c5dba7..05bc969 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -39947,7 +40079,7 @@ index 3c5dba7..05bc969 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -39990,7 +40122,7 @@ index 3c5dba7..05bc969 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -39999,7 +40131,7 @@ index 3c5dba7..05bc969 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -40018,7 +40150,7 @@ index 3c5dba7..05bc969 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -40027,7 +40159,7 @@ index 3c5dba7..05bc969 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -40039,7 +40171,7 @@ index 3c5dba7..05bc969 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -40082,7 +40214,7 @@ index 3c5dba7..05bc969 100644
')
optional_policy(`
-@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -40101,7 +40233,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -40153,7 +40285,7 @@ index 3c5dba7..05bc969 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -40185,7 +40317,7 @@ index 3c5dba7..05bc969 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -40200,7 +40332,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -40212,7 +40344,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -40255,7 +40387,7 @@ index 3c5dba7..05bc969 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -40264,7 +40396,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -40279,7 +40411,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2247,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@@ -40288,7 +40420,7 @@ index 3c5dba7..05bc969 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2255,17 @@ interface(`userdom_manage_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -40312,7 +40444,7 @@ index 3c5dba7..05bc969 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2273,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -40352,7 +40484,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2321,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -40378,7 +40510,7 @@ index 3c5dba7..05bc969 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2370,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -40416,7 +40548,7 @@ index 3c5dba7..05bc969 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2410,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -40434,7 +40566,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2458,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@@ -40461,7 +40593,7 @@ index 3c5dba7..05bc969 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2486,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
#
interface(`userdom_delete_all_user_home_content_files',`
gen_require(`
@@ -40482,7 +40614,7 @@ index 3c5dba7..05bc969 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2502,48 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@@ -40533,7 +40665,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2579,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -40543,7 +40675,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2595,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -40568,7 +40700,7 @@ index 3c5dba7..05bc969 100644
########################################
## <summary>
-@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2685,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@@ -40577,7 +40709,7 @@ index 3c5dba7..05bc969 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2693,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -40601,7 +40733,7 @@ index 3c5dba7..05bc969 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2711,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -40617,7 +40749,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2953,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -40632,7 +40764,7 @@ index 3c5dba7..05bc969 100644
files_search_tmp($1)
')
-@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2977,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -40641,7 +40773,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3224,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -40667,7 +40799,7 @@ index 3c5dba7..05bc969 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3259,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -40683,7 +40815,7 @@ index 3c5dba7..05bc969 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3287,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -40692,7 +40824,7 @@ index 3c5dba7..05bc969 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3295,17 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -40715,7 +40847,7 @@ index 3c5dba7..05bc969 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2735,25 +3313,43 @@ interface(`userdom_manage_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -40765,7 +40897,7 @@ index 3c5dba7..05bc969 100644
gen_require(`
type user_tty_device_t;
')
-@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3413,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -40790,7 +40922,7 @@ index 3c5dba7..05bc969 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3449,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -40833,7 +40965,7 @@ index 3c5dba7..05bc969 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3485,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -40871,7 +41003,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3530,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -40901,7 +41033,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3622,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -41002,7 +41134,7 @@ index 3c5dba7..05bc969 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3691,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -41017,7 +41149,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3760,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -41026,7 +41158,7 @@ index 3c5dba7..05bc969 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3776,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -41060,7 +41192,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -3217,7 +3863,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3864,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -41069,7 +41201,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -3272,7 +3918,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3919,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -41135,7 +41267,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -3290,7 +3993,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +3994,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -41144,7 +41276,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -3309,6 +4012,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4013,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -41152,7 +41284,7 @@ index 3c5dba7..05bc969 100644
kernel_search_proc($1)
')
-@@ -3385,6 +4089,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4090,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -41195,7 +41327,7 @@ index 3c5dba7..05bc969 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4145,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4146,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -41220,7 +41352,7 @@ index 3c5dba7..05bc969 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3438,4 +4196,1357 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4197,1357 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index fe16da6..ab50247 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -516,7 +516,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..0842350 100644
+index cc43d25..563c773 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -732,7 +732,7 @@ index cc43d25..0842350 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +173,34 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +173,36 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -756,13 +756,14 @@ index cc43d25..0842350 100644
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
--auth_use_nsswitch(abrt_t)
--
- logging_read_generic_logs(abrt_t)
++logging_read_generic_logs(abrt_t)
+logging_send_syslog_msg(abrt_t)
-
-+auth_use_nsswitch(abrt_t)
+
+ auth_use_nsswitch(abrt_t)
+
+-logging_read_generic_logs(abrt_t)
++init_read_utmp(abrt_t)
+
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
@@ -771,7 +772,7 @@ index cc43d25..0842350 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +208,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -788,7 +789,7 @@ index cc43d25..0842350 100644
')
optional_policy(`
-@@ -209,6 +220,12 @@ optional_policy(`
+@@ -209,6 +222,12 @@ optional_policy(`
')
optional_policy(`
@@ -801,7 +802,7 @@ index cc43d25..0842350 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +237,7 @@ optional_policy(`
+@@ -220,6 +239,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -809,7 +810,7 @@ index cc43d25..0842350 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +248,7 @@ optional_policy(`
+@@ -230,6 +250,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -817,7 +818,7 @@ index cc43d25..0842350 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +259,17 @@ optional_policy(`
+@@ -240,9 +261,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -836,7 +837,7 @@ index cc43d25..0842350 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +280,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -851,7 +852,7 @@ index cc43d25..0842350 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +299,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -859,7 +860,7 @@ index cc43d25..0842350 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +308,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -880,7 +881,7 @@ index cc43d25..0842350 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +329,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -907,7 +908,7 @@ index cc43d25..0842350 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +365,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -921,7 +922,7 @@ index cc43d25..0842350 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +383,11 @@ optional_policy(`
+@@ -330,10 +385,11 @@ optional_policy(`
#######################################
#
@@ -935,7 +936,7 @@ index cc43d25..0842350 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,30 +406,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,30 +408,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -977,7 +978,7 @@ index cc43d25..0842350 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
-@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+@@ -384,14 +448,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
@@ -995,7 +996,7 @@ index cc43d25..0842350 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +463,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +465,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -2721,7 +2722,7 @@ index 0000000..b334e9a
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 550a69e..e714059 100644
+index 550a69e..78579c0 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,161 +1,184 @@
@@ -3018,12 +3019,12 @@ index 550a69e..e714059 100644
-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
-+/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-+/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
-+/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
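Review bot: The widened patterns `/var/www/html(/.*)?/wp-content(/.*)?` and `/var/www/html(/.*)?/sites/default/files(/.*)?` now label a directory carrying that name at any depth below /var/www/html as httpd_sys_rw_content_t, including directories created by site content itself, so any upload or plugin tree that happens to be called wp-content becomes writable by httpd; if that is the intent for nested sites, a one-line comment above the entries saying so would help the next reader. Because the literal prefix of these entries now ends at `/var/www/html`, their precedence against the broader /var/www content entries presumably depends on how the file-contexts matcher orders overlapping specs, so it is worth checking a nested path with `matchpathcon` after the build. Minor: the two sites/default entries write `, s0` while the neighbouring entries write `,s0`.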
@@ -12410,7 +12411,7 @@ index 3fe3cb8..684b700 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index 3f2b672..22ddc47 100644
+index 3f2b672..2af6e1e 100644
--- a/condor.te
+++ b/condor.te
@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t)
@@ -12423,8 +12424,13 @@ index 3f2b672..22ddc47 100644
condor_domain_template(collector)
condor_domain_template(negotiator)
condor_domain_template(procd)
-@@ -59,8 +62,9 @@ condor_domain_template(startd)
+@@ -57,10 +60,14 @@ condor_domain_template(startd)
+ # Global local policy
+ #
++allow condor_domain self:capability dac_override;
++allow condor_domain self:capability2 block_suspend;
++
allow condor_domain self:process signal_perms;
allow condor_domain self:fifo_file rw_fifo_file_perms;
-allow condor_domain self:tcp_socket { accept listen };
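Review bot: `allow condor_domain self:capability dac_override;` hands DAC bypass to every domain built from condor_domain_template (collector, negotiator, procd, startd and schedd all appear in this diff), while the hunk further down removes it from condor_master_t, which previously was the only holder; the net effect is a widening rather than a move. Unless each of those daemons was observed needing it, it is safer to keep the capability per domain, i.e. leave `allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };` as it was and add a rule for another condor domain only when a denial shows it is needed. `block_suspend` on the attribute is lower risk but would still benefit from a short comment naming which daemon triggered it.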
@@ -12435,7 +12441,7 @@ index 3f2b672..22ddc47 100644
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
append_files_pattern(condor_domain, condor_log_t, condor_log_t)
-@@ -86,13 +90,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
+@@ -86,13 +93,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain)
@@ -12449,7 +12455,7 @@ index 3f2b672..22ddc47 100644
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
-@@ -106,9 +107,7 @@ dev_read_rand(condor_domain)
+@@ -106,9 +110,7 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
@@ -12460,16 +12466,36 @@ index 3f2b672..22ddc47 100644
tunable_policy(`condor_tcp_network_connect',`
corenet_sendrecv_all_client_packets(condor_domain)
-@@ -150,8 +149,6 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
+@@ -125,7 +127,7 @@ optional_policy(`
+ # Master local policy
+ #
+
+-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
++allow condor_master_t self:capability { setuid setgid sys_ptrace };
+
+ allow condor_master_t condor_domain:process { sigkill signal };
+
+@@ -133,6 +135,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+ manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+ files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+
++can_exec(condor_master_t, condor_master_exec_t)
++
++kernel_read_system_state(condor_master_tmp_t)
++
+ corenet_udp_sendrecv_generic_if(condor_master_t)
+ corenet_udp_sendrecv_generic_node(condor_master_t)
+ corenet_tcp_bind_generic_node(condor_master_t)
+@@ -150,7 +156,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
domain_read_all_domains_state(condor_master_t)
-auth_use_nsswitch(condor_master_t)
--
++auth_read_passwd(condor_master_t)
+
optional_policy(`
mta_send_mail(condor_master_t)
- mta_read_config(condor_master_t)
-@@ -178,6 +175,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -178,6 +184,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
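Review bot: `kernel_read_system_state(condor_master_tmp_t)` passes the tmp file type instead of the process domain: condor_master_tmp_t is the target of `manage_files_pattern(condor_master_t, condor_master_tmp_t, …)` and of the `files_tmp_filetrans` call two lines above, not a domain. The argument should be `kernel_read_system_state(condor_master_t)`; as written the rule grants nothing useful to the daemon and the denial it was meant to fix will persist. The `can_exec(condor_master_t, condor_master_exec_t)` line above it looks fine.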
@@ -12478,7 +12504,16 @@ index 3f2b672..22ddc47 100644
######################################
#
# Procd local policy
-@@ -209,6 +208,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -201,6 +209,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+
+ allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
+
++allow condor_schedd_t condor_master_tmp_t:dir getattr;
++
+ domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
+ domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
+
+@@ -209,6 +219,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@@ -12487,7 +12522,7 @@ index 3f2b672..22ddc47 100644
#####################################
#
# Startd local policy
-@@ -233,11 +234,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -233,11 +245,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@@ -12500,7 +12535,7 @@ index 3f2b672..22ddc47 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
-@@ -249,3 +249,7 @@ optional_policy(`
+@@ -249,3 +260,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@@ -18739,7 +18774,7 @@ index d294865..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index ff933af..41ca7ce 100644
+index ff933af..fc9d3f4 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@@ -18842,18 +18877,19 @@ index ff933af..41ca7ce 100644
')
optional_policy(`
-@@ -180,6 +184,10 @@ optional_policy(`
+@@ -180,6 +184,11 @@ optional_policy(`
')
optional_policy(`
+ systemd_read_logind_sessions_files(devicekit_disk_t)
++ systemd_write_inhibit_pipes(devicekit_disk_t)
+')
+
+optional_policy(`
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
')
-@@ -188,12 +196,19 @@ optional_policy(`
+@@ -188,12 +197,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -18874,7 +18910,7 @@ index ff933af..41ca7ce 100644
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -207,9 +222,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
@@ -18885,7 +18921,7 @@ index ff933af..41ca7ce 100644
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -242,17 +255,16 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
@@ -18905,7 +18941,7 @@ index ff933af..41ca7ce 100644
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +281,11 @@ optional_policy(`
+@@ -269,9 +282,11 @@ optional_policy(`
optional_policy(`
cron_initrc_domtrans(devicekit_power_t)
@@ -18917,7 +18953,7 @@ index ff933af..41ca7ce 100644
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +316,11 @@ optional_policy(`
+@@ -302,8 +317,11 @@ optional_policy(`
')
optional_policy(`
@@ -18930,7 +18966,7 @@ index ff933af..41ca7ce 100644
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
-@@ -341,3 +358,9 @@ optional_policy(`
+@@ -341,3 +359,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
@@ -22546,7 +22582,7 @@ index 5cf6ac6..839999e 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index c8014f8..02de884 100644
+index c8014f8..d84522b 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
@@ -22571,7 +22607,7 @@ index c8014f8..02de884 100644
dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen };
-@@ -40,8 +49,17 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
+@@ -40,11 +49,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
@@ -22589,7 +22625,11 @@ index c8014f8..02de884 100644
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
-@@ -53,20 +71,17 @@ dev_read_urand(firewalld_t)
++kernel_rw_net_sysctls(firewalld_t)
+
+ corecmd_exec_bin(firewalld_t)
+ corecmd_exec_shell(firewalld_t)
+@@ -53,20 +72,17 @@ dev_read_urand(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@@ -22615,7 +22655,7 @@ index c8014f8..02de884 100644
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -85,6 +100,10 @@ optional_policy(`
+@@ -85,6 +101,10 @@ optional_policy(`
')
optional_policy(`
@@ -28148,8 +28188,20 @@ index 94ec5f8..801417b 100644
logging_send_syslog_msg(iodined_t)
+diff --git a/irc.fc b/irc.fc
+index 48e7739..c3285c2 100644
+--- a/irc.fc
++++ b/irc.fc
+@@ -1,6 +1,6 @@
+ HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+ HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
+-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
++HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0)
+
+ /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
+
diff --git a/irc.if b/irc.if
-index ac00fb0..06cb083 100644
+index ac00fb0..53e4fc7 100644
--- a/irc.if
+++ b/irc.if
@@ -20,6 +20,7 @@ interface(`irc_role',`
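Review bot: The new entry `HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0)` names a type that is declared nowhere in this diff — the type added to irc.te is `irssi_home_t` (with `irc_log_home_t` kept as an alias), and the irc.if hunk below requires `irssi_home_t`; a file context with an unknown type is rejected when file_contexts is validated or applied. The path also lost its trailing `s`: `irclog(/.*)?` does not match `~/irclogs`, yet the irc.if hunk below creates exactly that directory with `userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")`, so a later restorecon would relabel it away from irssi_home_t. Suggested line: `HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)`.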
@@ -28160,7 +28212,7 @@ index ac00fb0..06cb083 100644
')
########################################
-@@ -39,10 +40,33 @@ interface(`irc_role',`
+@@ -39,10 +40,34 @@ interface(`irc_role',`
ps_process_pattern($2, irc_t)
allow $2 irc_t:process { ptrace signal_perms };
@@ -28195,16 +28247,23 @@ index ac00fb0..06cb083 100644
+interface(`irc_filetrans_home_content',`
+ gen_require(`
+ type irc_home_t;
++ type irssi_home_t;
+ ')
+ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
-+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs")
++ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
-index ecad9c7..56e2b35 100644
+index ecad9c7..86d790f 100644
--- a/irc.te
+++ b/irc.te
-@@ -37,7 +37,32 @@ userdom_user_home_content(irc_log_home_t)
+@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
+ typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
+ userdom_user_home_content(irc_home_t)
+
+-type irc_log_home_t;
+-userdom_user_home_content(irc_log_home_t)
+-
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
@@ -28233,12 +28292,12 @@ index ecad9c7..56e2b35 100644
+type irssi_etc_t;
+files_config_file(irssi_etc_t)
+
-+type irssi_home_t;
++type irssi_home_t alias irc_log_home_t;
+userdom_user_home_content(irssi_home_t)
########################################
#
-@@ -53,13 +78,7 @@ allow irc_t irc_conf_t:file read_file_perms;
+@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms;
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
@@ -28253,7 +28312,7 @@ index ecad9c7..56e2b35 100644
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
-@@ -70,7 +89,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_system_state(irc_t)
@@ -28261,7 +28320,7 @@ index ecad9c7..56e2b35 100644
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
corenet_tcp_sendrecv_generic_node(irc_t)
-@@ -93,7 +111,6 @@ dev_read_rand(irc_t)
+@@ -93,7 +108,6 @@ dev_read_rand(irc_t)
domain_use_interactive_fds(irc_t)
@@ -28269,7 +28328,7 @@ index ecad9c7..56e2b35 100644
fs_getattr_all_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
-@@ -106,13 +123,15 @@ auth_use_nsswitch(irc_t)
+@@ -106,13 +120,15 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
@@ -28287,7 +28346,7 @@ index ecad9c7..56e2b35 100644
tunable_policy(`irc_use_any_tcp_ports',`
corenet_sendrecv_all_server_packets(irc_t)
-@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
+@@ -122,18 +138,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
@@ -36110,7 +36169,7 @@ index 6ffaba2..18e3a70 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..648d041 100644
+index 6194b80..116d9d2 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -36273,14 +36332,14 @@ index 6194b80..648d041 100644
- allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ mozilla_filetrans_home_content($2)
-
+-
- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
- allow $2 mozilla_plugin_rw_t:file read_file_perms;
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
- can_exec($2, mozilla_plugin_rw_t)
--
++ mozilla_filetrans_home_content($2)
+
- optional_policy(`
- mozilla_dbus_chat_plugin($2)
- ')
@@ -36586,7 +36645,7 @@ index 6194b80..648d041 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -433,76 +320,90 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +320,108 @@ interface(`mozilla_dbus_chat',`
## </summary>
## </param>
#
@@ -36654,6 +36713,24 @@ index 6194b80..648d041 100644
- libs_search_lib($1)
- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
++')
++
++#######################################
++## <summary>
++## Dontaudit generict ipc read/write to a mozilla_plugin
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`mozilla_plugin_dontaudit_rw_sem',`
++ gen_require(`
++ type mozilla_plugin_t;
++ ')
++
++ allow $1 mozilla_plugin_t:sem { unix_read unix_write };
')
########################################
@@ -36706,7 +36783,7 @@ index 6194b80..648d041 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -510,19 +411,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +429,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
## </summary>
## </param>
#
@@ -36731,7 +36808,7 @@ index 6194b80..648d041 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -530,45 +430,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +448,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
@@ -42641,7 +42718,7 @@ index 0e8508c..b9c69d2 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..0c6cd41 100644
+index 0b48a30..57fe60f 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -42672,7 +42749,7 @@ index 0b48a30..0c6cd41 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -39,24 +42,41 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,24 +42,42 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# Local policy
#
@@ -42699,6 +42776,7 @@ index 0b48a30..0c6cd41 100644
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
++allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_socket create_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow NetworkManager_t self:tcp_socket { accept listen };
@@ -42723,7 +42801,7 @@ index 0b48a30..0c6cd41 100644
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
-@@ -68,6 +88,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,6 +89,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@@ -42731,7 +42809,7 @@ index 0b48a30..0c6cd41 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,9 +102,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,9 +103,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
@@ -42741,7 +42819,7 @@ index 0b48a30..0c6cd41 100644
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
-@@ -91,7 +109,6 @@ kernel_request_load_module(NetworkManager_t)
+@@ -91,7 +110,6 @@ kernel_request_load_module(NetworkManager_t)
kernel_read_debugfs(NetworkManager_t)
kernel_rw_net_sysctls(NetworkManager_t)
@@ -42749,7 +42827,7 @@ index 0b48a30..0c6cd41 100644
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +119,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +120,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
@@ -42775,7 +42853,7 @@ index 0b48a30..0c6cd41 100644
dev_rw_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
-@@ -125,13 +135,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +136,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
@@ -42789,7 +42867,7 @@ index 0b48a30..0c6cd41 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +143,16 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,6 +144,16 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@@ -42806,7 +42884,7 @@ index 0b48a30..0c6cd41 100644
storage_getattr_fixed_disk_dev(NetworkManager_t)
init_read_utmp(NetworkManager_t)
-@@ -148,10 +161,11 @@ init_domtrans_script(NetworkManager_t)
+@@ -148,10 +162,11 @@ init_domtrans_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -42819,7 +42897,7 @@ index 0b48a30..0c6cd41 100644
seutil_read_config(NetworkManager_t)
-@@ -166,21 +180,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +181,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@@ -42856,7 +42934,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -196,10 +221,6 @@ optional_policy(`
+@@ -196,10 +222,6 @@ optional_policy(`
')
optional_policy(`
@@ -42867,7 +42945,7 @@ index 0b48a30..0c6cd41 100644
consoletype_exec(NetworkManager_t)
')
-@@ -210,16 +231,11 @@ optional_policy(`
+@@ -210,16 +232,11 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -42886,7 +42964,7 @@ index 0b48a30..0c6cd41 100644
')
')
-@@ -231,18 +247,19 @@ optional_policy(`
+@@ -231,18 +248,19 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -42909,7 +42987,18 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -257,11 +274,7 @@ optional_policy(`
+@@ -250,6 +268,10 @@ optional_policy(`
+ ipsec_kill_mgmt(NetworkManager_t)
+ ipsec_signal_mgmt(NetworkManager_t)
+ ipsec_signull_mgmt(NetworkManager_t)
++ ipsec_domtrans(NetworkManager_t)
++ ipsec_kill(NetworkManager_t)
++ ipsec_signal(NetworkManager_t)
++ ipsec_signull(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -257,11 +279,7 @@ optional_policy(`
')
optional_policy(`
@@ -42922,7 +43011,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -274,10 +287,17 @@ optional_policy(`
+@@ -274,10 +292,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -42940,7 +43029,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -289,6 +309,7 @@ optional_policy(`
+@@ -289,6 +314,7 @@ optional_policy(`
')
optional_policy(`
@@ -42948,7 +43037,7 @@ index 0b48a30..0c6cd41 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +317,7 @@ optional_policy(`
+@@ -296,7 +322,7 @@ optional_policy(`
')
optional_policy(`
@@ -42957,7 +43046,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -307,6 +328,7 @@ optional_policy(`
+@@ -307,6 +333,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -42965,7 +43054,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -320,13 +342,15 @@ optional_policy(`
+@@ -320,13 +347,15 @@ optional_policy(`
')
optional_policy(`
@@ -42985,7 +43074,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -356,6 +380,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +385,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -47541,7 +47630,7 @@ index 0000000..a437f80
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
-index 0000000..e108d48
+index 0000000..f2d6119
--- /dev/null
+++ b/openshift.fc
@@ -0,0 +1,26 @@
@@ -47565,7 +47654,7 @@ index 0000000..e108d48
+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+
+/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0)
+/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
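Review bot: Changing the user field to `system_u` is right, but `(oo|rhc)-restorer-wrapper.sh` still leaves the dot before `sh` as an unescaped regex metacharacter, so the entry matches slightly more than the literal file name; the apache.fc entries in this same patch escape it (`settings\.php`). Suggest `/usr/s?bin/(oo|rhc)-restorer-wrapper\.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0)`.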
@@ -48225,10 +48314,10 @@ index 0000000..407386d
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..894ce1c
+index 0000000..3c311bb
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,530 @@
+@@ -0,0 +1,535 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -48325,6 +48414,8 @@ index 0000000..894ce1c
+unconfined_domain_noaudit(openshift_initrc_t)
+mcs_process_set_categories(openshift_initrc_t)
+
++virt_lxc_domain(openshift_initrc_t)
++
+systemd_dbus_chat_logind(openshift_initrc_t)
+
+manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
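Review bot: `virt_lxc_domain(openshift_initrc_t)` is called at top level rather than inside `optional_policy(`…')`, which makes the openshift module hard-depend on the virt module being loaded; the neighbouring `systemd_dbus_chat_logind` call has the same shape, so this may be the file's convention, but the rest of the file is outside this hunk and I cannot confirm it. Since the domain is already `unconfined_domain_noaudit`, the attribute mostly changes how rules in other modules that name lxc domains apply to it, so a one-line comment stating why an already-unconfined domain needs the lxc attribute would help the next reader.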
@@ -48393,7 +48484,10 @@ index 0000000..894ce1c
+
+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
-+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })
++manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file })
+can_exec(openshift_domain, openshift_tmpfs_t)
+
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
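Review bot: The new `manage_lnk_files_pattern`, `manage_sock_files_pattern` and `manage_fifo_files_pattern` rules plus the widened `fs_tmpfs_filetrans` class list sit directly above the pre-existing `can_exec(openshift_domain, openshift_tmpfs_t)`, so openshift_domain now fully manages and executes content in its own tmpfs. That combination predates this commit, but since this hunk is where the type's rule set is widened it is the right place to record why executable tmpfs is required, e.g. `# openshift_tmpfs_t is writable and executable by openshift_domain (needed for <reason>); keep the manage_* classes in sync with fs_tmpfs_filetrans`. The changelog entry marks this for a RHEL6 backport, which is another reason to have the rationale next to the rules.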
@@ -63150,7 +63244,7 @@ index bff31df..e38693b 100644
## <param name="domain">
## <summary>
diff --git a/realmd.te b/realmd.te
-index 9a8f052..727d60a 100644
+index 9a8f052..9817f00 100644
--- a/realmd.te
+++ b/realmd.te
@@ -1,4 +1,4 @@
@@ -63159,7 +63253,7 @@ index 9a8f052..727d60a 100644
########################################
#
-@@ -7,43 +7,52 @@ policy_module(realmd, 1.0.2)
+@@ -7,29 +7,37 @@ policy_module(realmd, 1.0.2)
type realmd_t;
type realmd_exec_t;
@@ -63167,6 +63261,9 @@ index 9a8f052..727d60a 100644
+application_domain(realmd_t, realmd_exec_t)
+role system_r types realmd_t;
+
++type realmd_tmp_t;
++files_tmp_file(realmd_tmp_t)
++
+type realmd_var_cache_t;
+files_type(realmd_var_cache_t)
@@ -63179,6 +63276,10 @@ index 9a8f052..727d60a 100644
allow realmd_t self:capability sys_nice;
allow realmd_t self:process setsched;
++manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
++manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
++files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file })
++
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+
@@ -63195,17 +63296,16 @@ index 9a8f052..727d60a 100644
-corenet_sendrecv_http_client_packets(realmd_t)
corenet_tcp_connect_http_port(realmd_t)
-corenet_tcp_sendrecv_http_port(realmd_t)
++corenet_tcp_connect_ldap_port(realmd_t)
domain_use_interactive_fds(realmd_t)
- dev_read_rand(realmd_t)
- dev_read_urand(realmd_t)
+@@ -38,12 +46,20 @@ dev_read_urand(realmd_t)
--fs_getattr_all_fs(realmd_t)
+ fs_getattr_all_fs(realmd_t)
-files_read_usr_files(realmd_t)
-+fs_getattr_all_fs(realmd_t)
-
+-
auth_use_nsswitch(realmd_t)
logging_send_syslog_msg(realmd_t)
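Review bot: `corenet_tcp_connect_ldap_port(realmd_t)` is added without any hint in realmd.te of which program in realmd_t needs LDAP; the changelog attributes it to adcli running as realmd_t, and that belongs next to the rule so it is not later dropped as unexplained, e.g. `# adcli executes in realmd_t and contacts the domain controller over LDAP`. The rule is at file top level, so there is no enclosing block cut by the hunk.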
@@ -63223,7 +63323,7 @@ index 9a8f052..727d60a 100644
optional_policy(`
dbus_system_domain(realmd_t, realmd_exec_t)
-@@ -67,17 +76,25 @@ optional_policy(`
+@@ -67,17 +83,25 @@ optional_policy(`
optional_policy(`
nis_exec_ypbind(realmd_t)
@@ -63252,13 +63352,13 @@ index 9a8f052..727d60a 100644
')
optional_policy(`
-@@ -86,5 +103,26 @@ optional_policy(`
+@@ -86,5 +110,26 @@ optional_policy(`
sssd_manage_lib_files(realmd_t)
sssd_manage_public_files(realmd_t)
sssd_read_pid_files(realmd_t)
- sssd_initrc_domtrans(realmd_t)
+ sssd_systemctl(realmd_t)
- ')
++')
+
+optional_policy(`
+ xserver_read_state_xdm(realmd_t)
@@ -63277,7 +63377,7 @@ index 9a8f052..727d60a 100644
+ oddjob_systemctl(realmd_consolehelper_t)
+
+ unconfined_domain_noaudit(realmd_consolehelper_t)
-+')
+ ')
+
+
diff --git a/remotelogin.fc b/remotelogin.fc
@@ -67080,7 +67180,7 @@ index 3bd6446..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index e5212e6..699925d 100644
+index e5212e6..427ea8c 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@@ -67412,7 +67512,7 @@ index e5212e6..699925d 100644
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
userdom_read_user_tmp_symlinks(gssd_t)
-+ userdom_write_user_tmp_files(gssd_t)
++ userdom_manage_user_tmp_files(gssd_t)
+ files_read_generic_tmp_files(gssd_t)
')
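Review bot: Replacing `userdom_write_user_tmp_files(gssd_t)` with `userdom_manage_user_tmp_files(gssd_t)` widens a root daemon's access from writing existing `user_tmp_t` files to creating, renaming and unlinking them for every user, because the manage patterns cover the whole file lifecycle. If the need is only a specific kind of file (gssd's usual reason for touching user tmp content is per-user Kerberos credential caches, which I cannot confirm from the hunk), a comment should say so, e.g. `# gssd must create/rename users' credential cache files in /tmp, hence manage rather than write`. The rule sits inside an `optional_policy` block whose start is outside the hunk.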
@@ -72221,10 +72321,10 @@ index 0000000..1b21b7b
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..449a87c
+index 0000000..5a3d049
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,462 @@
+@@ -0,0 +1,463 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -72685,6 +72785,7 @@ index 0000000..449a87c
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
++ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
diff --git a/sanlock.fc b/sanlock.fc
@@ -84087,7 +84188,7 @@ index c30da4c..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..b991ec7 100644
+index 9dec06c..8f6d2a3 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -85492,7 +85593,7 @@ index 9dec06c..b991ec7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1091,95 +943,132 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,95 +943,150 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@@ -85511,16 +85612,16 @@ index 9dec06c..b991ec7 100644
- manage_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
-+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
-
+-
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_read_nfs_symlinks($1)
- ')
--
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
+
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_files($1)
- fs_manage_cifs_files($1)
@@ -85585,14 +85686,6 @@ index 9dec06c..b991ec7 100644
- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
--
-- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 virtd_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- fs_search_tmpfs($1)
-- admin_pattern($1, virt_tmpfs_type)
+ type $1_t, svirt_lxc_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
@@ -85600,9 +85693,33 @@ index 9dec06c..b991ec7 100644
+ mcs_constrained($1_t)
+ role system_r types $1_t;
+- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 virtd_initrc_exec_t system_r;
+- allow $2 system_r;
++ kernel_read_system_state($1_t)
++')
+
+- fs_search_tmpfs($1)
+- admin_pattern($1, virt_tmpfs_type)
++########################################
++## <summary>
++## Make the specified type usable as a lxc domain
++## </summary>
++## <param name="type">
++## <summary>
++## Type to be used as a lxc domain
++## </summary>
++## </param>
++#
++template(`virt_lxc_domain',`
++ gen_require(`
++ attribute svirt_lxc_domain;
++ ')
+
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
-+ kernel_read_system_state($1_t)
++ typeattribute $1 svirt_lxc_domain;
+')
- files_search_etc($1)
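Review bot: The new `virt_lxc_domain` is declared with `template(` although it declares no types and only executes `typeattribute $1 svirt_lxc_domain;`; refpolicy convention reserves `template` for blocks that derive new types from their argument (as the block above it does with `type $1_t, svirt_lxc_domain;`) and uses `interface(` for attribute-only helpers. Its summary `Make the specified type usable as a lxc domain` also undersells the effect: the type becomes subject to every rule that grants to or targets `svirt_lxc_domain`, so I would word it `## Add the type to the svirt_lxc_domain attribute; it then receives every rule granted to, and is the target of every rule naming, that attribute`. The preceding template's body starts outside the hunk.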
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2989464..90ff8f3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 24%{?dist}
+Release: 25%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,39 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Apr 2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-25
+- Allow realmd to create tmp files
+- FIx ircssi_home_t type to irssi_home_t
+- Allow adcli running as realmd_t to connect to ldap port
+- Allow NetworkManager to transition to ipsec_t, for running strongswan
+- Make openshift_initrc_t an lxc_domain
+- Allow gssd to manage user_tmp_t files
+- Fix handling of irclogs in users homedir
+- Fix labeling for drupal an wp-content in subdirs of /var/www/html
+- Allow abrt to read utmp_t file
+- Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6
+- fix labeling for (oo|rhc)-restorer-wrapper.sh
+- firewalld needs to be able to write to network sysctls
+- Fix mozilla_plugin_dontaudit_rw_sem() interface
+- Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains
+- Add mozilla_plugin_dontaudit_rw_sem() interface
+- Allow svirt_lxc_t to transition to openshift domains
+- Allow condor domains block_suspend and dac_override caps
+- Allow condor_master to read passd
+- Allow condor_master to read system state
+- Allow NetworkManager to transition to ipsec_t, for running strongswan
+- Lots of access required by lvm_t to created encrypted usb device
+- Allow xdm_t to dbus communicate with systemd_localed_t
+- Label strongswan content as ipsec_exec_mgmt_t for now
+- Allow users to dbus chat with systemd_localed
+- Fix handling of .xsession-errors in xserver.if, so kde will work
+- Might be a bug but we are seeing avc's about people status on init_t:service
+- Make sure we label content under /var/run/lock as <<none>>
+- Allow daemon and systemprocesses to search init_var_run_t directory
+- Add boolean to allow xdm to write xauth data to the home directory
+- Allow mount to write keys for the unconfined domain
+- Add unconfined_write_keys() interface
+
* Tue Mar 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-24
- Add labeling for /usr/share/pki
- Allow programs that read var_run_t symlinks also read var_t symlinks