[selinux-policy/f19] - Try to label on controlC devices up to 30 correctly - Add mount_rw_pid_files() interface - Add add

Miroslav Grepl mgrepl at fedoraproject.org
Fri Apr 5 15:01:05 UTC 2013


commit c3d6611fe09488b87df6e4c8a101a29b8b89a8ce
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Apr 5 17:00:47 2013 +0200

    - Try to label on controlC devices up to 30 correctly
    - Add mount_rw_pid_files() interface
    - Add additional mount/umount interfaces needed by mock
    - fsadm_t sends audit messages in reads kernel_ipc_info when doing liv
    - Fix tabs
    - Allow initrc_domain to search rgmanager lib files
    - Add more fixes which make mock work together with confined users
      * Allow mock_t to manage rpm files
      * Allow mock_t to read rpm log files
      * Allow mock to setattr on tmpfs, devpts
      * Allow mount/umount filesystems
    - Add rpm_read_log() interface
    - yum-cron runs rpm from within it.
    - Allow tuned to transition to dmidecode
    - Allow firewalld to do net_admin
    - Allow mock to unmount tmpfs_t
    - Fix virt_sigkill() interface
    - Add additional fixes for mock. Mainly caused by mount running in moc
    - Allow mock to write sysfs_t and mount pid files
    - Add mailman_domain to mailman_template()
    - Allow openvswitch to execute shell
    - Allow qpidd to use kerberos
    - Allow mailman to use fusefs, needs backport to RHEL6
    - Allow apache and its scripts to use anon_inodefs
    - Add alias for git_user_content_t and git_sys_content_t so that RHEL6
    - Realmd needs to connect to samba ports, needs backport to F18 also
    - Allow colord to read /run/initial-setup-
    - Allow sanlock-helper to send sigkill to virtd which is registered to
    - Add virt_kill() interface
    - Add rgmanager_search_lib() interface
    - Allow wdmd to getattr on all filesystems.

 policy-rawhide-base.patch    |  363 +++++++++++++++++++++++++++-----------
 policy-rawhide-contrib.patch |  406 +++++++++++++++++++++++++++++-------------
 selinux-policy.spec          |   35 ++++-
 3 files changed, 579 insertions(+), 225 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0b14445..45f92f2 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5515,7 +5515,7 @@ index b31c054..3a628fe 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..f7e9534 100644
+index 76f285e..059e984 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6306,7 +6306,7 @@ index 76f285e..f7e9534 100644
  ')
  
  ########################################
-@@ -3855,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,6 +4185,78 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -6346,10 +6346,46 @@ index 76f285e..f7e9534 100644
 +
 +########################################
 +## <summary>
++##	Mount sysfs filesystems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_mount_sysfs_fs',`
++	gen_require(`
++		type sysfs_t;
++	')
++
++	allow $1 sysfs_t:filesystem mount;
++')
++
++########################################
++## <summary>
++##	Unmount sysfs filesystems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_unmount_sysfs_fs',`
++	gen_require(`
++		type sysfs_t;
++	')
++
++	allow $1 sysfs_t:filesystem unmount;
++')
++
++########################################
++## <summary>
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3904,6 +4270,7 @@ interface(`dev_list_sysfs',`
+@@ -3904,6 +4306,7 @@ interface(`dev_list_sysfs',`
  		type sysfs_t;
  	')
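Review bot: dev_mount_sysfs_fs() grants only the mount permission on sysfs_t; if mock's chroot setup also remounts sysfs (mount -o remount), that needs the separate remount permission, so check the AVC denial that motivated this before assuming mount alone closes it. Otherwise the pair mirrors the kernel_mount_proc/kernel_unmount_proc split used elsewhere in this commit, and the header bump from +4185,42 to +4185,78 matches the 36 added lines.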
  
@@ -6357,7 +6393,7 @@ index 76f285e..f7e9534 100644
  	list_dirs_pattern($1, sysfs_t, sysfs_t)
  ')
  
-@@ -3946,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3946,23 +4349,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -6378,7 +6414,7 @@ index 76f285e..f7e9534 100644
  #
 -interface(`dev_manage_sysfs_dirs',`
 +interface(`dev_read_cpu_online',`
-+	gen_require(`
+ 	gen_require(`
 +		type cpu_online_t;
 +	')
 +
@@ -6397,7 +6433,7 @@ index 76f285e..f7e9534 100644
 +## </param>
 +#
 +interface(`dev_relabel_cpu_online',`
- 	gen_require(`
++	gen_require(`
 +		type cpu_online_t;
  		type sysfs_t;
  	')
@@ -6411,7 +6447,7 @@ index 76f285e..f7e9534 100644
  ########################################
  ## <summary>
  ##	Read hardware state information.
-@@ -4016,6 +4409,62 @@ interface(`dev_rw_sysfs',`
+@@ -4016,6 +4445,62 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -6474,7 +6510,7 @@ index 76f285e..f7e9534 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4113,6 +4562,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +4598,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -6500,7 +6536,7 @@ index 76f285e..f7e9534 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4557,6 +5025,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5061,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -6525,7 +6561,7 @@ index 76f285e..f7e9534 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4762,6 +5248,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5284,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -6552,7 +6588,7 @@ index 76f285e..f7e9534 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4851,3 +5357,917 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5393,937 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -7386,6 +7422,26 @@ index 76f285e..f7e9534 100644
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28")
++	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
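Review bot: the list ends at controlC29, which is 30 nodes counting from controlC0, while the commit message says "up to 30"; a reader may take that to include controlC30, so state the intended bound in the message. Because filetrans_pattern() matches exact names, an explicit list is the only option here, but the file-context entry for /dev/controlC* (not shown in this diff) should be checked to cover the same range so that restorecon and the runtime name transition agree.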
@@ -15293,7 +15349,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..31a14c8 100644
+index 649e458..cc924ae 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -15305,7 +15361,32 @@ index 649e458..31a14c8 100644
  ')
  
  ########################################
-@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
+@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
+ 
+ ########################################
+ ## <summary>
++##	Mount the proc filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_mount_proc',`
++	gen_require(`
++		type proc_t;
++	')
++
++	allow $1 proc_t:filesystem mount;
++')
++
++########################################
++## <summary>
+ ##	Unmount the proc filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',`
  
  ########################################
  ## <summary>
@@ -15330,7 +15411,7 @@ index 649e458..31a14c8 100644
  ##	Get the attributes of the proc filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -991,13 +1009,10 @@ interface(`kernel_read_proc_symlinks',`
+@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',`
  #
  interface(`kernel_read_system_state',`
  	gen_require(`
@@ -15346,7 +15427,7 @@ index 649e458..31a14c8 100644
  ')
  
  ########################################
-@@ -1477,6 +1492,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',`
  
  ########################################
  ## <summary>
@@ -15371,7 +15452,7 @@ index 649e458..31a14c8 100644
  ##	Do not audit attempts by caller to search
  ##	the base directory of sysctls.
  ## </summary>
-@@ -2085,7 +2118,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -15380,7 +15461,7 @@ index 649e458..31a14c8 100644
  ')
  
  ########################################
-@@ -2282,6 +2315,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',`
  
  ########################################
  ## <summary>
@@ -15406,7 +15487,7 @@ index 649e458..31a14c8 100644
  ##	Read the process state (/proc/pid) of all unlabeled_t.
  ## </summary>
  ## <param name="domain">
-@@ -2306,7 +2358,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15415,7 +15496,7 @@ index 649e458..31a14c8 100644
  ##	</summary>
  ## </param>
  #
-@@ -2488,6 +2540,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
@@ -15440,7 +15521,7 @@ index 649e458..31a14c8 100644
  ##	Do not audit attempts by caller to get attributes for
  ##	unlabeled character devices.
  ## </summary>
-@@ -2525,6 +2595,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
  
  ########################################
  ## <summary>
@@ -15465,7 +15546,7 @@ index 649e458..31a14c8 100644
  ##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
-@@ -2632,7 +2720,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
  	allow $1 unlabeled_t:association { sendto recvfrom };
  
  	# temporary hack until labeling on packets is supported
@@ -15474,7 +15555,7 @@ index 649e458..31a14c8 100644
  ')
  
  ########################################
-@@ -2670,6 +2758,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
@@ -15499,7 +15580,7 @@ index 649e458..31a14c8 100644
  ##	Receive TCP packets from an unlabeled connection.
  ## </summary>
  ## <desc>
-@@ -2697,6 +2803,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
@@ -15525,7 +15606,7 @@ index 649e458..31a14c8 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2806,6 +2931,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -15559,7 +15640,7 @@ index 649e458..31a14c8 100644
  
  ########################################
  ## <summary>
-@@ -2961,6 +3113,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -15584,7 +15665,7 @@ index 649e458..31a14c8 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2975,5 +3145,299 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3163,299 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -17164,7 +17245,7 @@ index 7d45d15..22c9cfe 100644
 +
 +/usr/lib/udev/devices/pts -d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..8b0e5e6 100644
+index 771bce1..55ebf4b 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -17226,7 +17307,50 @@ index 771bce1..8b0e5e6 100644
  ')
  
  ########################################
-@@ -481,6 +504,24 @@ interface(`term_list_ptys',`
+@@ -384,6 +407,42 @@ interface(`term_getattr_pty_fs',`
+ 
+ ########################################
+ ## <summary>
++##	Mount a pty filesystem
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`term_mount_pty_fs',`
++	gen_require(`
++		type devpts_t;
++	')
++
++	allow $1 devpts_t:filesystem mount;
++')
++
++########################################
++## <summary>
++##	Unmount a pty filesystem
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`term_unmount_pty_fs',`
++	gen_require(`
++		type devpts_t;
++	')
++
++	allow $1 devpts_t:filesystem unmount;
++')
++
++########################################
++## <summary>
+ ##	Relabel from and to pty filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -481,6 +540,24 @@ interface(`term_list_ptys',`
  
  ########################################
  ## <summary>
@@ -17251,7 +17375,7 @@ index 771bce1..8b0e5e6 100644
  ##	Do not audit attempts to read the
  ##	/dev/pts directory.
  ## </summary>
-@@ -620,7 +661,7 @@ interface(`term_use_generic_ptys',`
+@@ -620,7 +697,7 @@ interface(`term_use_generic_ptys',`
  
  ########################################
  ## <summary>
@@ -17260,7 +17384,7 @@ index 771bce1..8b0e5e6 100644
  ##	write the generic pty type.  This is
  ##	generally only used in the targeted policy.
  ## </summary>
-@@ -635,6 +676,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+@@ -635,6 +712,7 @@ interface(`term_dontaudit_use_generic_ptys',`
  		type devpts_t;
  	')
  
@@ -17268,7 +17392,7 @@ index 771bce1..8b0e5e6 100644
  	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
  ')
  
-@@ -879,6 +921,26 @@ interface(`term_use_all_ptys',`
+@@ -879,6 +957,26 @@ interface(`term_use_all_ptys',`
  
  ########################################
  ## <summary>
@@ -17295,7 +17419,7 @@ index 771bce1..8b0e5e6 100644
  ##	Do not audit attempts to read or write any ptys.
  ## </summary>
  ## <param name="domain">
-@@ -892,7 +954,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -892,7 +990,7 @@ interface(`term_dontaudit_use_all_ptys',`
  		attribute ptynode;
  	')
  
@@ -17304,7 +17428,7 @@ index 771bce1..8b0e5e6 100644
  ')
  
  ########################################
-@@ -912,7 +974,7 @@ interface(`term_relabel_all_ptys',`
+@@ -912,7 +1010,7 @@ interface(`term_relabel_all_ptys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -17313,7 +17437,7 @@ index 771bce1..8b0e5e6 100644
  ')
  
  ########################################
-@@ -940,7 +1002,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -940,7 +1038,7 @@ interface(`term_getattr_all_user_ptys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17322,7 +17446,7 @@ index 771bce1..8b0e5e6 100644
  ##	</summary>
  ## </param>
  #
-@@ -1259,7 +1321,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1259,7 +1357,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  		type tty_device_t;
  	')
  
@@ -17371,7 +17495,7 @@ index 771bce1..8b0e5e6 100644
  ')
  
  ########################################
-@@ -1275,11 +1377,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1413,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  #
  interface(`term_getattr_all_ttys',`
  	gen_require(`
@@ -17385,7 +17509,7 @@ index 771bce1..8b0e5e6 100644
  ')
  
  ########################################
-@@ -1296,10 +1400,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1436,12 @@ interface(`term_getattr_all_ttys',`
  interface(`term_dontaudit_getattr_all_ttys',`
  	gen_require(`
  		attribute ttynode;
@@ -17398,7 +17522,7 @@ index 771bce1..8b0e5e6 100644
  ')
  
  ########################################
-@@ -1377,7 +1483,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1519,27 @@ interface(`term_use_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -17427,7 +17551,7 @@ index 771bce1..8b0e5e6 100644
  ')
  
  ########################################
-@@ -1396,7 +1522,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1558,7 @@ interface(`term_dontaudit_use_all_ttys',`
  		attribute ttynode;
  	')
  
@@ -17436,7 +17560,7 @@ index 771bce1..8b0e5e6 100644
  ')
  
  ########################################
-@@ -1504,7 +1630,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1666,7 @@ interface(`term_use_all_user_ttys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17445,7 +17569,7 @@ index 771bce1..8b0e5e6 100644
  ##	</summary>
  ## </param>
  #
-@@ -1512,3 +1638,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1512,3 +1674,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
  	term_dontaudit_use_all_ttys($1)
  ')
@@ -26328,7 +26452,7 @@ index 016a770..1effeb4 100644
 +	files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
 +')
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..4ea7640 100644
+index 6c4b6ee..f512b72 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
 @@ -13,6 +13,9 @@ role system_r types fsadm_t;
@@ -26357,7 +26481,15 @@ index 6c4b6ee..4ea7640 100644
  
  # log files
  allow fsadm_t fsadm_log_t:dir setattr;
-@@ -101,6 +110,8 @@ files_read_usr_files(fsadm_t)
+@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+ # Enable swapping to files
+ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
+ 
++kernel_get_sysvipc_info(fsadm_t)
+ kernel_read_system_state(fsadm_t)
+ kernel_read_kernel_sysctls(fsadm_t)
+ kernel_request_load_module(fsadm_t)
+@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
  files_read_etc_files(fsadm_t)
  files_manage_lost_found(fsadm_t)
  files_manage_isid_type_dirs(fsadm_t)
@@ -26366,7 +26498,7 @@ index 6c4b6ee..4ea7640 100644
  # Write to /etc/mtab.
  files_manage_etc_runtime_files(fsadm_t)
  files_etc_filetrans_etc_runtime(fsadm_t, file)
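Review bot: the commit-message line meant to justify kernel_get_sysvipc_info(fsadm_t) ("fsadm_t sends audit messages in reads kernel_ipc_info when doing liv") is garbled and cut off, so this patch does not say which fstools program hit the ipc_info denial; name the tool in the message so the rule stays traceable when someone later asks why fsadm_t can query SysV IPC state.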
-@@ -120,6 +131,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
  fs_search_tmpfs(fsadm_t)
  fs_getattr_tmpfs_dirs(fsadm_t)
  fs_read_tmpfs_symlinks(fsadm_t)
@@ -26376,7 +26508,7 @@ index 6c4b6ee..4ea7640 100644
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -133,21 +147,26 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
  storage_raw_read_removable_device(fsadm_t)
  storage_raw_write_removable_device(fsadm_t)
  storage_read_scsi_generic(fsadm_t)
@@ -26394,6 +26526,7 @@ index 6c4b6ee..4ea7640 100644
 +init_stream_connect(fsadm_t)
  
  logging_send_syslog_msg(fsadm_t)
++logging_send_audit_msgs(fsadm_t)
 +logging_stream_connect_syslog(fsadm_t)
  
 -miscfiles_read_localization(fsadm_t)
@@ -26405,7 +26538,7 @@ index 6c4b6ee..4ea7640 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
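Review bot: logging_send_audit_msgs() gives fsadm_t the audit_write capability plus netlink_audit_socket access, a wider grant than the syslog rules next to it, and the commit-message item that explains it is truncated. Say which utility actually emits audit records; if they are only noise from a library, a dontaudit would be the smaller change.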
-@@ -166,6 +185,11 @@ optional_policy(`
+@@ -166,6 +187,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26417,7 +26550,7 @@ index 6c4b6ee..4ea7640 100644
  	hal_dontaudit_write_log(fsadm_t)
  ')
  
-@@ -179,6 +203,10 @@ optional_policy(`
+@@ -179,6 +205,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26428,7 +26561,7 @@ index 6c4b6ee..4ea7640 100644
  	nis_use_ypbind(fsadm_t)
  ')
  
-@@ -192,6 +220,10 @@ optional_policy(`
+@@ -192,6 +222,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27940,7 +28073,7 @@ index 24e7804..1894886 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..99c538c 100644
+index dd3be8d..61531ce 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -28206,15 +28339,14 @@ index dd3be8d..99c538c 100644
 +
 +optional_policy(`
 +	gnome_filetrans_home_content(init_t)
- ')
- 
- optional_policy(`
--	auth_rw_login_records(init_t)
++')
++
++optional_policy(`
 +	modutils_domtrans_insmod(init_t)
 +	modutils_list_module_config(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_aliases(init_t)
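Review bot: no policy change in this hunk, it only re-anchors the diff: the removal of auth_rw_login_records(init_t) that used to serve as context here moves into the next hunk, and the three optional_policy() wrappers (gnome, modutils, postfix) are now emitted as added lines instead of reused context. A sentence in the commit message would stop the churn from being mistaken for a functional change.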
@@ -28338,28 +28470,29 @@ index dd3be8d..99c538c 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_use(init_t)
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
- ')
- 
- optional_policy(`
--	nscd_use(init_t)
++')
++
++optional_policy(`
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
  ')
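Review bot: dovecot_dontaudit_unlink_lib_files(initrc_t) is the only initrc_t rule in an optional_policy block that otherwise belongs to the init_t section (it now takes the slot where nscd_use(init_t) is dropped). If initrc_t is really the intended subject, move the rule to the initrc_t section further down so the next regeneration of this patch does not shuffle it again; if the unlink attempt actually comes from init_t, the subject is wrong.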
@@ -29002,7 +29135,7 @@ index dd3be8d..99c538c 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1353,187 @@ optional_policy(`
+@@ -896,3 +1353,191 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -29184,11 +29317,15 @@ index dd3be8d..99c538c 100644
 +allow initrc_domain systemprocess_entry:file { getattr open read execute };
 +allow initrc_domain systemprocess:process transition;
 +
++optional_policy(`
++    rgmanager_search_lib(initrc_domain)
++')
++
 +ifdef(`direct_sysadm_daemon',`
-+     allow daemon direct_run_init:fd use;
-+     allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
-+     allow daemon direct_run_init:process sigchld;
-+     allow direct_run_init direct_init_entry:file { getattr open read execute };
++    allow daemon direct_run_init:fd use;
++    allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
++    allow daemon direct_run_init:process sigchld;
++    allow direct_run_init direct_init_entry:file { getattr open read execute };
 +')
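Review bot: the re-indented direct_sysadm_daemon block and the new rgmanager_search_lib(initrc_domain) call use four spaces, while the rest of init.te as shown in this patch is tab-indented and the commit message lists "Fix tabs"; replacing five spaces with four does not fix that, use a tab. Wrapping the rgmanager call in optional_policy() is right, since rgmanager is a contrib module that may be absent at build time.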
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
 index 662e79b..626a689 100644
@@ -32614,7 +32751,7 @@ index 72c746e..f035d9f 100644
 +/usr/sbin/umount\.ecryptfs_private	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 +/usr/sbin/umount\.ecryptfs	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..0755e25 100644
+index 4584457..e432df3 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
 @@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@@ -32631,7 +32768,7 @@ index 4584457..0755e25 100644
  ')
  
  ########################################
-@@ -38,11 +45,103 @@ interface(`mount_domtrans',`
+@@ -38,11 +45,122 @@ interface(`mount_domtrans',`
  #
  interface(`mount_run',`
  	gen_require(`
@@ -32719,6 +32856,25 @@ index 4584457..0755e25 100644
 +
 +########################################
 +## <summary>
++##	Read/write mount PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mount_rw_pid_files',`
++	gen_require(`
++		type mount_var_run_t;
++	')
++
++	rw_files_pattern($1, mount_var_run_t, mount_var_run_t)
++	files_search_pids($1)
++')
++
++########################################
++## <summary>
 +##	Manage mount PID files.
 +## </summary>
 +## <param name="domain">
@@ -32737,7 +32893,7 @@ index 4584457..0755e25 100644
  ')
  
  ########################################
-@@ -91,7 +190,7 @@ interface(`mount_signal',`
+@@ -91,7 +209,7 @@ interface(`mount_signal',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -32746,7 +32902,7 @@ index 4584457..0755e25 100644
  ##	</summary>
  ## </param>
  #
-@@ -131,45 +230,138 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',`
  
  ########################################
  ## <summary>
@@ -32806,14 +32962,19 @@ index 4584457..0755e25 100644
  ##	<summary>
 -##	Role allowed access.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`mount_run_unconfined',`
 +interface(`mount_exec_fusermount',`
-+	gen_require(`
+ 	gen_require(`
+-		type unconfined_mount_t;
 +		type fusermount_exec_t;
-+	')
-+
+ 	')
+ 
+-	mount_domtrans_unconfined($1)
+-	role $2 types unconfined_mount_t;
 +	can_exec($1, fusermount_exec_t)
 +')
 +
@@ -32824,19 +32985,14 @@ index 4584457..0755e25 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`mount_run_unconfined',`
++##	</summary>
++## </param>
++#
 +interface(`mount_dontaudit_exec_fusermount',`
- 	gen_require(`
--		type unconfined_mount_t;
++	gen_require(`
 +		type fusermount_exec_t;
- 	')
- 
--	mount_domtrans_unconfined($1)
--	role $2 types unconfined_mount_t;
++	')
++
 +	dontaudit $1 fusermount_exec_t:file exec_file_perms;
 +')
 +
@@ -32902,7 +33058,7 @@ index 4584457..0755e25 100644
 +        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
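Review bot: the domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) line visible as context here is indented with eight spaces rather than a tab; since the commit already carries a "Fix tabs" item, fold this one in. The preceding re-alignment of the fusermount hunks changes no resulting text in mount.if.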
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..2fc14cd 100644
+index 6a50270..b34911e 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@@ -33003,7 +33159,7 @@ index 6a50270..2fc14cd 100644
  kernel_dontaudit_write_debugfs_dirs(mount_t)
  kernel_dontaudit_write_proc_dirs(mount_t)
  # To load binfmt_misc kernel module
-@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t)
+@@ -60,31 +100,47 @@ kernel_request_load_module(mount_t)
  # required for mount.smbfs
  corecmd_exec_bin(mount_t)
  
@@ -33019,6 +33175,7 @@ index 6a50270..2fc14cd 100644
  dev_dontaudit_getattr_all_chr_files(mount_t)
  dev_dontaudit_getattr_memory_dev(mount_t)
  dev_getattr_sound_dev(mount_t)
++dev_rw_loop_control(mount_t)
 +
 +ifdef(`hide_broken_symptoms',`
 +	dev_rw_generic_blk_files(mount_t)
@@ -33053,7 +33210,7 @@ index 6a50270..2fc14cd 100644
  files_read_isid_type_files(mount_t)
  # For reading cert files
  files_read_usr_files(mount_t)
-@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
+@@ -92,28 +148,39 @@ files_list_mnt(mount_t)
  files_dontaudit_write_all_mountpoints(mount_t)
  files_dontaudit_setattr_all_mountpoints(mount_t)
  
@@ -33099,7 +33256,7 @@ index 6a50270..2fc14cd 100644
  term_dontaudit_manage_pty_dirs(mount_t)
  
  auth_use_nsswitch(mount_t)
-@@ -121,16 +187,21 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +188,21 @@ auth_use_nsswitch(mount_t)
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -33123,7 +33280,7 @@ index 6a50270..2fc14cd 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +218,27 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -33163,7 +33320,7 @@ index 6a50270..2fc14cd 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +251,8 @@ optional_policy(`
+@@ -179,6 +252,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -33172,7 +33329,7 @@ index 6a50270..2fc14cd 100644
  ')
  
  optional_policy(`
-@@ -186,6 +260,36 @@ optional_policy(`
+@@ -186,6 +261,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33209,7 +33366,7 @@ index 6a50270..2fc14cd 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +298,128 @@ optional_policy(`
+@@ -194,24 +299,128 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ab50247..43bfddb 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4367,7 +4367,7 @@ index 83e899c..e3bed6a 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..c388418 100644
+index 1a82e29..5e167ca 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,353 @@
@@ -5105,7 +5105,7 @@ index 1a82e29..c388418 100644
 -fs_read_anon_inodefs_files(httpd_t)
  fs_read_iso9660_files(httpd_t)
 -fs_search_auto_mountpoints(httpd_t)
-+fs_read_anon_inodefs_files(httpd_t)
++fs_rw_anon_inodefs_files(httpd_t)
 +fs_read_hugetlbfs_files(httpd_t)
 +
 +auth_use_nsswitch(httpd_t)
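Review bot: this swaps fs_read_anon_inodefs_files(httpd_t) for fs_rw_anon_inodefs_files(httpd_t), so the net change is the write permission on anon_inodefs files (eventfd, epoll and similar in-kernel descriptors). That matches the "Allow apache and its scripts to use anon_inodefs" item; note in the message which call produced the write denial so the widening from read to read/write is documented.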
@@ -5728,10 +5728,11 @@ index 1a82e29..c388418 100644
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_helper_t)
 +	userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+ 
+ ########################################
+ #
+-# Suexec local policy
 +# Apache PHP script local policy
 +#
 +
@@ -5790,11 +5791,10 @@ index 1a82e29..c388418 100644
 +	tunable_policy(`httpd_can_network_connect_db',`
 +		postgresql_tcp_connect(httpd_php_t)
 +	')
- ')
- 
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
 +# Apache suexec local policy
  #
  
@@ -6006,7 +6006,7 @@ index 1a82e29..c388418 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1270,103 @@ optional_policy(`
+@@ -1077,172 +1270,104 @@ optional_policy(`
  	')
  ')
  
@@ -6031,11 +6031,11 @@ index 1a82e29..c388418 100644
 -
 -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
 -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-+allow httpd_sys_script_t self:process getsched;
- 
+-
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
--
++allow httpd_sys_script_t self:process getsched;
+ 
 -corenet_all_recvfrom_unlabeled(httpd_script_domains)
 -corenet_all_recvfrom_netlabel(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_if(httpd_script_domains)
@@ -6145,6 +6145,7 @@ index 1a82e29..c388418 100644
 +fs_cifs_entry_type(httpd_sys_script_t)
 +fs_read_iso9660_files(httpd_sys_script_t)
 +fs_nfs_entry_type(httpd_sys_script_t)
++fs_rw_anon_inodefs_files(httpd_sys_script_t)
  
 -	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
 -		postgresql_tcp_connect(httpd_script_domains)
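Review bot: fs_rw_anon_inodefs_files(httpd_sys_script_t) is added to the unconditional part of the CGI script policy, not behind the httpd_enable_cgi tunables used elsewhere in this block. Script content is the least-trusted code Apache runs, so it is worth confirming that the script domain really needs write and not just read on anon_inodefs, even if httpd_t itself needs rw.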
@@ -6172,7 +6173,8 @@ index 1a82e29..c388418 100644
 -#
 -
 -allow httpd_sys_script_t self:tcp_socket { accept listen };
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 -
 -dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -6202,8 +6204,7 @@ index 1a82e29..c388418 100644
 -	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_pop_port(httpd_sys_script_t)
 -	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -	mta_send_mail(httpd_sys_script_t)
 -	mta_signal_system_mail(httpd_sys_script_t)
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6241,7 +6242,7 @@ index 1a82e29..c388418 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1374,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1375,70 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6335,7 +6336,7 @@ index 1a82e29..c388418 100644
  
  ########################################
  #
-@@ -1315,8 +1445,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1446,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6352,7 +6353,7 @@ index 1a82e29..c388418 100644
  ')
  
  ########################################
-@@ -1324,49 +1461,36 @@ optional_policy(`
+@@ -1324,49 +1462,36 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6416,7 +6417,7 @@ index 1a82e29..c388418 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1500,94 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1501,94 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -11806,7 +11807,7 @@ index 8e27a37..825f537 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/colord.te b/colord.te
-index 09f18e2..e891ec4 100644
+index 09f18e2..f0cade4 100644
 --- a/colord.te
 +++ b/colord.te
 @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@@ -11907,7 +11908,7 @@ index 09f18e2..e891ec4 100644
  ')
  
  optional_policy(`
-@@ -133,3 +142,14 @@ optional_policy(`
+@@ -133,3 +142,16 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(colord_t)
  ')
@@ -11917,6 +11918,8 @@ index 09f18e2..e891ec4 100644
 +	xserver_read_xdm_state(colord_t)
 +	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
 +	xserver_read_inherited_xdm_lib_files(colord_t)
++    # allow to read /run/initial-setup-$username
++    xserver_read_xdm_pid(colord_t)
 +')
 +
 +optional_policy(`
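Review bot: the two added lines (the comment and xserver_read_xdm_pid) are indented with four spaces while the rest of this optional_policy block uses tabs. Also, xserver_read_xdm_pid grants read on everything under xdm's pid type, not only the /run/initial-setup-$username file the comment names; that is fine if nothing more sensitive shares the type, but the comment should say "allow reading" rather than "allow to read" and make clear the rule is broader than the one file.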
@@ -19337,10 +19340,10 @@ index 0000000..332a1c9
 +')
 diff --git a/dirsrv-admin.te b/dirsrv-admin.te
 new file mode 100644
-index 0000000..ab083cf
+index 0000000..35455bf
 --- /dev/null
 +++ b/dirsrv-admin.te
-@@ -0,0 +1,144 @@
+@@ -0,0 +1,156 @@
 +policy_module(dirsrv-admin,1.0.0) 
 +
 +########################################
@@ -19373,6 +19376,7 @@ index 0000000..ab083cf
 +#
 +# Local policy for the daemon
 +#
++
 +allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
 +allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
 +allow dirsrvadmin_t self:process { setrlimit signal_perms };
@@ -19394,7 +19398,6 @@ index 0000000..ab083cf
 +
 +logging_search_logs(dirsrvadmin_t)
 +
-+
 +# Needed for stop and restart scripts
 +dirsrv_read_var_run(dirsrvadmin_t)
 +
@@ -19415,7 +19418,7 @@ index 0000000..ab083cf
 +	apache_content_template(dirsrvadmin)
 +
 +	allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
-+	allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++	allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
 +	allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
 +	allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
 +	allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
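Review bot: adding fowner and fsetid brings httpd_dirsrvadmin_script_t's capability set to setuid, setgid, chown, fowner, fsetid, kill, sys_nice, net_bind_service, dac_read_search and dac_override, which is a lot for a domain entered from Apache CGI. fowner and fsetid together let the scripts change mode and ownership bits on files they do not own; a comment naming the operation that needed them (chmod on a dirsrv instance directory, for example) would let a reviewer judge whether a narrower file-level rule would do instead.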
@@ -19428,7 +19431,12 @@ index 0000000..ab083cf
 +
 +	kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
 +
++
++	corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t)
++	corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t)
 +	corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++
++	corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)
 +	corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
 +	corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
 +	corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
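Review bot: corenet_tcp_bind_http_port lets the dirsrv-admin CGI script domain bind a listening socket on the HTTP port, which is unusual for code that runs under Apache; if the scripts start the admin server's own listener, say so in a comment, and if they only connect, the existing corenet_tcp_connect_http_port already covers it. Style: the hunk inserts a second blank line before corenet_tcp_bind_generic_node, giving two consecutive blank lines.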
@@ -19442,6 +19450,13 @@ index 0000000..ab083cf
 +	files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
 +
 +	optional_policy(`
++		apache_read_modules(httpd_dirsrvadmin_script_t)
++		apache_read_config(httpd_dirsrvadmin_script_t)
++		apache_signal(httpd_dirsrvadmin_script_t)
++		apache_signull(httpd_dirsrvadmin_script_t)
++	')
++
++	optional_policy(`
 +		# The CGI scripts must be able to manage dirsrv-admin
 +		dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
 +		dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
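Review bot: apache_signal(httpd_dirsrvadmin_script_t) allows the admin CGI scripts to send signals to httpd itself. If the intent is only to check that the server is alive, apache_signull on its own covers that; if the scripts genuinely restart or stop Apache, a comment in the new optional_policy block should say so, since this is a privilege a compromised script could use to take the web server down.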
@@ -22582,7 +22597,7 @@ index 5cf6ac6..839999e 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
  ')
 diff --git a/firewalld.te b/firewalld.te
-index c8014f8..d84522b 100644
+index c8014f8..64e18e1 100644
 --- a/firewalld.te
 +++ b/firewalld.te
 @@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
@@ -22603,7 +22618,7 @@ index c8014f8..d84522b 100644
  # Local policy
  #
 -
-+allow firewalld_t self:capability dac_override;
++allow firewalld_t self:capability { dac_override net_admin };
  dontaudit firewalld_t self:capability sys_tty_config;
  allow firewalld_t self:fifo_file rw_fifo_file_perms;
  allow firewalld_t self:unix_stream_socket { accept listen };
@@ -23562,7 +23577,7 @@ index 1e29af1..a1c464e 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index 93b0301..8561970 100644
+index 93b0301..9108ddc 100644
 --- a/git.te
 +++ b/git.te
 @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -23580,6 +23595,19 @@ index 93b0301..8561970 100644
  ##	Determine whether Git system daemon
  ##	can search home directories.
  ##	</p>
+@@ -92,10 +84,10 @@ type git_session_t, git_daemon;
+ userdom_user_application_domain(git_session_t, gitd_exec_t)
+ role git_session_roles types git_session_t;
+ 
+-type git_sys_content_t;
++type git_sys_content_t alias git_system_content_t;
+ files_type(git_sys_content_t)
+ 
+-type git_user_content_t;
++type git_user_content_t alias git_session_content_t;
+ userdom_user_home_content(git_user_content_t)
+ 
+ ########################################
 @@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
  read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
  userdom_search_user_home_dirs(git_session_t)
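Review bot: declaring git_system_content_t and git_session_content_t as aliases of git_sys_content_t and git_user_content_t is the right mechanism for keeping files labelled under the older names valid without a relabel, but nothing in the hunk says they are compatibility aliases. A short comment above each type line stating that the alias exists for older policy names would save the next reader a trip through the history.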
@@ -33597,10 +33625,10 @@ index b9270f7..15f3748 100644
 +	mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
  ')
 diff --git a/mailman.if b/mailman.if
-index 108c0f1..d28241c 100644
+index 108c0f1..a248501 100644
 --- a/mailman.if
 +++ b/mailman.if
-@@ -1,44 +1,66 @@
+@@ -1,44 +1,70 @@
 -## <summary>Manage electronic mail discussion and e-newsletter lists.</summary>
 +## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
  
@@ -33638,8 +33666,13 @@ index 108c0f1..d28241c 100644
 +    # Declarations
 +    #            
  
- 	type mailman_$1_t;
+-	type mailman_$1_t;
 -	type mailman_$1_exec_t;
++    gen_require(`
++        attribute mailman_domain;
++    ')
++
++	type mailman_$1_t, mailman_domain;
  	domain_type(mailman_$1_t)
 +	type mailman_$1_exec_t;
  	domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
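Review bot: making every templated mailman_$1_t a member of mailman_domain changes the scope of every rule written against that attribute, so anything granted to mailman_domain in mailman.te now applies to the cgi, mail and queue domains alike; that should be stated in the template's header comment. Style: the new gen_require block is indented with four spaces while the type line right after it, and the surrounding lines, use tabs.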
@@ -33684,7 +33717,7 @@ index 108c0f1..d28241c 100644
  ')
  
  #######################################
-@@ -56,15 +78,12 @@ interface(`mailman_domtrans',`
+@@ -56,15 +82,12 @@ interface(`mailman_domtrans',`
  		type mailman_mail_exec_t, mailman_mail_t;
  	')
  
@@ -33701,7 +33734,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -73,18 +92,18 @@ interface(`mailman_domtrans',`
+@@ -73,18 +96,18 @@ interface(`mailman_domtrans',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -33723,7 +33756,7 @@ index 108c0f1..d28241c 100644
  ')
  
  #######################################
-@@ -103,7 +122,6 @@ interface(`mailman_domtrans_cgi',`
+@@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',`
  		type mailman_cgi_exec_t, mailman_cgi_t;
  	')
  
@@ -33731,7 +33764,7 @@ index 108c0f1..d28241c 100644
  	domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
  ')
  
-@@ -122,13 +140,12 @@ interface(`mailman_exec',`
+@@ -122,13 +144,12 @@ interface(`mailman_exec',`
  		type mailman_mail_exec_t;
  	')
  
@@ -33746,7 +33779,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -146,7 +163,7 @@ interface(`mailman_signal_cgi',`
+@@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',`
  
  #######################################
  ## <summary>
@@ -33755,7 +33788,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -159,13 +176,12 @@ interface(`mailman_search_data',`
+@@ -159,13 +180,12 @@ interface(`mailman_search_data',`
  		type mailman_data_t;
  	')
  
@@ -33770,7 +33803,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -178,7 +194,6 @@ interface(`mailman_read_data_files',`
+@@ -178,7 +198,6 @@ interface(`mailman_read_data_files',`
  		type mailman_data_t;
  	')
  
@@ -33778,7 +33811,7 @@ index 108c0f1..d28241c 100644
  	list_dirs_pattern($1, mailman_data_t, mailman_data_t)
  	read_files_pattern($1, mailman_data_t, mailman_data_t)
  	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
-@@ -186,8 +201,8 @@ interface(`mailman_read_data_files',`
+@@ -186,8 +205,8 @@ interface(`mailman_read_data_files',`
  
  #######################################
  ## <summary>
@@ -33789,7 +33822,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -200,14 +215,13 @@ interface(`mailman_manage_data_files',`
+@@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',`
  		type mailman_data_t;
  	')
  
@@ -33805,7 +33838,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -220,13 +234,12 @@ interface(`mailman_list_data',`
+@@ -220,13 +238,12 @@ interface(`mailman_list_data',`
  		type mailman_data_t;
  	')
  
@@ -33820,7 +33853,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -244,7 +257,7 @@ interface(`mailman_read_data_symlinks',`
+@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',`
  
  #######################################
  ## <summary>
@@ -33829,7 +33862,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -257,13 +270,12 @@ interface(`mailman_read_log',`
+@@ -257,13 +274,12 @@ interface(`mailman_read_log',`
  		type mailman_log_t;
  	')
  
@@ -33844,7 +33877,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -276,14 +288,13 @@ interface(`mailman_append_log',`
+@@ -276,14 +292,13 @@ interface(`mailman_append_log',`
  		type mailman_log_t;
  	')
  
@@ -33860,7 +33893,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -296,14 +307,13 @@ interface(`mailman_manage_log',`
+@@ -296,14 +311,13 @@ interface(`mailman_manage_log',`
  		type mailman_log_t;
  	')
  
@@ -33876,7 +33909,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -316,7 +326,6 @@ interface(`mailman_read_archive',`
+@@ -316,7 +330,6 @@ interface(`mailman_read_archive',`
  		type mailman_archive_t;
  	')
  
@@ -33884,7 +33917,7 @@ index 108c0f1..d28241c 100644
  	allow $1 mailman_archive_t:dir list_dir_perms;
  	read_files_pattern($1, mailman_archive_t, mailman_archive_t)
  	read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
-@@ -324,8 +333,7 @@ interface(`mailman_read_archive',`
+@@ -324,8 +337,7 @@ interface(`mailman_read_archive',`
  
  #######################################
  ## <summary>
@@ -33894,7 +33927,7 @@ index 108c0f1..d28241c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -338,6 +346,5 @@ interface(`mailman_domtrans_queue',`
+@@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',`
  		type mailman_queue_exec_t, mailman_queue_t;
  	')
  
@@ -33902,10 +33935,23 @@ index 108c0f1..d28241c 100644
  	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
  ')
 diff --git a/mailman.te b/mailman.te
-index 8eaf51b..5e9f5bb 100644
+index 8eaf51b..16086a5 100644
 --- a/mailman.te
 +++ b/mailman.te
-@@ -56,10 +56,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4)
+ #
+ # Declarations
+ #
++## <desc>
++##	<p>
++##	Allow mailman to access FUSE file systems
++##	</p>
++## </desc>
++gen_tunable(mailman_use_fusefs, false)
+ 
+ attribute mailman_domain;
+ 
+@@ -56,10 +62,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
  logging_log_filetrans(mailman_domain, mailman_log_t, file)
  
  kernel_read_kernel_sysctls(mailman_domain)
@@ -33916,7 +33962,7 @@ index 8eaf51b..5e9f5bb 100644
  corenet_tcp_sendrecv_generic_if(mailman_domain)
  corenet_tcp_sendrecv_generic_node(mailman_domain)
  
-@@ -82,10 +79,6 @@ fs_getattr_all_fs(mailman_domain)
+@@ -82,10 +85,6 @@ fs_getattr_all_fs(mailman_domain)
  libs_exec_ld_so(mailman_domain)
  libs_exec_lib_files(mailman_domain)
  
@@ -33927,7 +33973,7 @@ index 8eaf51b..5e9f5bb 100644
  ########################################
  #
  # CGI local policy
-@@ -115,8 +108,9 @@ optional_policy(`
+@@ -115,8 +114,9 @@ optional_policy(`
  # Mail local policy
  #
  
@@ -33939,7 +33985,7 @@ index 8eaf51b..5e9f5bb 100644
  
  manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
  manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-@@ -127,8 +121,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t)
+@@ -127,8 +127,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t)
  corenet_tcp_sendrecv_innd_port(mailman_mail_t)
  
  corenet_sendrecv_spamd_client_packets(mailman_mail_t)
@@ -33949,7 +33995,7 @@ index 8eaf51b..5e9f5bb 100644
  
  dev_read_urand(mailman_mail_t)
  
-@@ -142,6 +136,10 @@ optional_policy(`
+@@ -142,6 +142,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33960,6 +34006,16 @@ index 8eaf51b..5e9f5bb 100644
  	cron_read_pipes(mailman_mail_t)
  ')
  
+@@ -182,3 +186,9 @@ optional_policy(`
+ optional_policy(`
+ 	su_exec(mailman_queue_t)
+ ')
++
++tunable_policy(`mailman_use_fusefs',`
++	fs_manage_fusefs_dirs(mailman_domain)
++	fs_manage_fusefs_files(mailman_domain)
++	fs_manage_fusefs_symlinks(mailman_domain)
++')
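Review bot: the new tunable block grants manage (create, write, rename, delete) on fusefs dirs, files and symlinks to every domain carrying mailman_domain, while the tunable's desc only says "access FUSE file systems". If the use case is serving list data or archives from a FUSE mount, the read-only fs_read_fusefs_files interface would be the narrower choice; if write really is required, the desc should say so, because that text is what administrators see when they look the boolean up. Defaulting the boolean to false is the right call.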
 diff --git a/mailscanner.if b/mailscanner.if
 index 0293f34..bd1d48e 100644
 --- a/mailscanner.if
@@ -35673,10 +35729,10 @@ index 0000000..1446e6a
 +')
 diff --git a/mock.te b/mock.te
 new file mode 100644
-index 0000000..d27f8f3
+index 0000000..67b8b3d
 --- /dev/null
 +++ b/mock.te
-@@ -0,0 +1,245 @@
+@@ -0,0 +1,264 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -35729,6 +35785,8 @@ index 0000000..d27f8f3
 +allow mock_t self:unix_stream_socket create_stream_socket_perms;
 +allow mock_t self:unix_dgram_socket create_socket_perms;
 +
++allow mock_t mock_build_t:process { siginh noatsecure rlimitinh };
++
 +manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
 +manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
 +manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
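Review bot: siginh, noatsecure and rlimitinh on the mock_t to mock_build_t transition switch off the kernel's default cleansing at the domain boundary: pending signals and rlimits are inherited, and noatsecure clears AT_SECURE so the new process's libc no longer scrubs LD_PRELOAD-style environment variables. Passing the build environment through is a legitimate reason for mock, but these three permissions are normally left denied on purpose, so the reason belongs in a comment next to the rule.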
@@ -35752,7 +35810,6 @@ index 0000000..d27f8f3
 +allow mock_t mock_var_lib_t:dir relabel_dir_perms;
 +allow mock_t mock_var_lib_t:file relabel_file_perms;
 +
-+kernel_list_proc(mock_t)
 +kernel_read_irq_sysctls(mock_t)
 +kernel_read_system_state(mock_t)
 +kernel_read_network_state(mock_t)
@@ -35760,6 +35817,13 @@ index 0000000..d27f8f3
 +kernel_request_load_module(mock_t)
 +kernel_dontaudit_setattr_proc_dirs(mock_t)
 +kernel_read_fs_sysctls(mock_t)
++# we run mount in mock_t
++kernel_mount_proc(mock_t)
++kernel_unmount_proc(mock_t)
++
++fs_mount_tmpfs(mock_t)
++fs_unmount_tmpfs(mock_t)
++fs_unmount_xattr_fs(mock_t)
 +
 +corecmd_exec_bin(mock_t)
 +corecmd_exec_shell(mock_t)
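Review bot: fs_unmount_xattr_fs(mock_t) goes beyond the buildroot setup the comment describes. xattr_fs covers every labelled on-disk filesystem, so mock_t may now unmount any of them, not just the proc and tmpfs mounts granted alongside it. If the denial came from a bind mount inside the buildroot, noting which mount triggered it would let a reader decide whether this broad interface is really needed. Running mount inside mock_t rather than transitioning to mount_t also concentrates all of these mount privileges in the build-management domain, which the comment should acknowledge.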
@@ -35771,23 +35835,28 @@ index 0000000..d27f8f3
 +corenet_tcp_connect_all_ephemeral_ports(mock_t)
 +
 +dev_read_urand(mock_t)
-+dev_read_sysfs(mock_t)
++dev_rw_sysfs(mock_t)
 +dev_setattr_sysfs_dirs(mock_t)
++dev_mount_sysfs_fs(mock_t)
++dev_unmount_sysfs_fs(mock_t)
 +
 +domain_read_all_domains_state(mock_t)
 +domain_use_interactive_fds(mock_t)
 +
 +files_read_etc_runtime_files(mock_t)
 +files_dontaudit_list_boot(mock_t)
++files_list_isid_type_dirs(mock_t)
 +
 +fs_getattr_all_fs(mock_t)
-+fs_search_all(mock_t)
 +fs_manage_cgroup_dirs(mock_t)
-+files_list_isid_type_dirs(mock_t)
++fs_search_all(mock_t)
++fs_setattr_tmpfs_dirs(mock_t)
 +	
 +selinux_get_enforce_mode(mock_t)
 +
 +term_search_ptys(mock_t)
++term_mount_pty_fs(mock_t)
++term_unmount_pty_fs(mock_t)
 +
 +auth_use_nsswitch(mock_t)
 +
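Review bot: dev_rw_sysfs(mock_t) replaces dev_read_sysfs and grants write access to all of sysfs_t, which includes kernel tunables far beyond anything a build chroot should touch; if the write is to one attribute, a comment naming it (or a dedicated type for it) would be better than a blanket rw. Minor: the line consisting only of a tab after fs_setattr_tmpfs_dirs should be a plain blank line.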
@@ -35827,17 +35896,23 @@ index 0000000..d27f8f3
 +')
 +
 +optional_policy(`
-+	rpm_exec(mock_t)
++	apache_read_sys_content_rw_files(mock_t)
 +')
 +
 +optional_policy(`
-+	mount_exec(mock_t)
++	rpm_exec(mock_t)
++    rpm_manage_cache(mock_t)
++    rpm_manage_db(mock_t)
++    rpm_manage_tmp_files(mock_t)
++    rpm_read_log(mock_t)
 +')
 +
 +optional_policy(`
-+	apache_read_sys_content_rw_files(mock_t)
++	mount_exec(mock_t)
++    mount_rw_pid_files(mock_t)
 +')
 +
++
 +########################################
 +#
 +# mock_build local policy
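Review bot: rpm_manage_cache, rpm_manage_db and rpm_manage_tmp_files give mock_t write access to the host's rpm cache, database and tmp types, not to files inside the buildroot, so it is worth confirming the denials came from host paths rather than from mislabelled chroot contents before granting manage on the host rpm database. Style: rpm_manage_cache, rpm_manage_db, rpm_manage_tmp_files, rpm_read_log and mount_rw_pid_files are space-indented while rpm_exec and mount_exec in the same blocks use tabs, and the hunk leaves two blank lines before the "mock_build local policy" banner.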
@@ -48314,7 +48389,7 @@ index 0000000..407386d
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..3c311bb
+index 0000000..989a48d
 --- /dev/null
 +++ b/openshift.te
 @@ -0,0 +1,535 @@
@@ -48782,7 +48857,7 @@ index 0000000..3c311bb
 +#
 +# openshift_cron local policy
 +#
-+allow openshift_cron_t self:capability { net_admin sys_admin };
++allow openshift_cron_t self:capability { dac_override net_admin sys_admin };
 +allow openshift_cron_t self:process signal_perms;
 +allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
 +allow openshift_cron_t self:udp_socket create_socket_perms;
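Review bot: dac_override on openshift_cron_t bypasses every discretionary permission check; together with the sys_admin and net_admin already in the set, this leaves the cron domain with almost no DAC-level confinement. If the denial that prompted it was only reading or traversing another user's files, dac_read_search is the narrower capability; either way a comment naming the operation that needs it would help the next reviewer.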
@@ -49245,7 +49320,7 @@ index 9b15730..14f29e4 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..3e42ef8 100644
+index 508fedf..9d7741b 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -1,4 +1,4 @@
@@ -49314,7 +49389,7 @@ index 508fedf..3e42ef8 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -57,33 +58,33 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -57,33 +58,34 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
  
@@ -49330,6 +49405,7 @@ index 508fedf..3e42ef8 100644
 +kernel_request_load_module(openvswitch_t)
  
  corecmd_exec_bin(openvswitch_t)
++corecmd_exec_shell(openvswitch_t)
  
 +dev_read_rand(openvswitch_t)
  dev_read_urand(openvswitch_t)
@@ -61360,10 +61436,28 @@ index cd51b96..f7e9c70 100644
 +    admin_pattern($1, qpidd_var_run_t)
  ')
 diff --git a/qpid.te b/qpid.te
-index 76f5b39..53f9a64 100644
+index 76f5b39..8bb80a2 100644
 --- a/qpid.te
 +++ b/qpid.te
-@@ -37,37 +37,40 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
+ type qpidd_initrc_exec_t;
+ init_script_file(qpidd_initrc_exec_t)
+ 
++type qpidd_tmp_t;
++files_tmp_file(qpidd_tmp_t)
++
+ type qpidd_tmpfs_t;
+ files_tmpfs_file(qpidd_tmpfs_t)
+ 
+@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms;
+ allow qpidd_t self:tcp_socket { accept listen };
+ allow qpidd_t self:unix_stream_socket { accept listen };
+ 
++manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
++manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
++files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file })
++
+ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
  manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
  fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
  
@@ -61411,9 +61505,13 @@ index 76f5b39..53f9a64 100644
  
  optional_policy(`
 -	corosync_stream_connect(qpidd_t)
-+	rhcs_stream_connect_cluster(qpidd_t)
++    kerberos_use(qpidd_t)
  ')
 +
++optional_policy(`
++	rhcs_stream_connect_cluster(qpidd_t)
++')
++
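Review bot: indentation is mixed in the new optional_policy blocks: kerberos_use(qpidd_t) is indented with four spaces while rhcs_stream_connect_cluster(qpidd_t) keeps the tab. The trailing `++` after the final `')` also adds an empty line at the end of qpid.te.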
 diff --git a/quantum.fc b/quantum.fc
 index 70ab68b..e97da31 100644
 --- a/quantum.fc
@@ -63244,7 +63342,7 @@ index bff31df..e38693b 100644
  ## <param name="domain">
  ## <summary>
 diff --git a/realmd.te b/realmd.te
-index 9a8f052..9817f00 100644
+index 9a8f052..cffb3ca 100644
 --- a/realmd.te
 +++ b/realmd.te
 @@ -1,4 +1,4 @@
@@ -63253,7 +63351,7 @@ index 9a8f052..9817f00 100644
  
  ########################################
  #
-@@ -7,29 +7,37 @@ policy_module(realmd, 1.0.2)
+@@ -7,29 +7,38 @@ policy_module(realmd, 1.0.2)
  
  type realmd_t;
  type realmd_exec_t;
@@ -63297,10 +63395,11 @@ index 9a8f052..9817f00 100644
  corenet_tcp_connect_http_port(realmd_t)
 -corenet_tcp_sendrecv_http_port(realmd_t)
 +corenet_tcp_connect_ldap_port(realmd_t)
++corenet_tcp_connect_smbd_port(realmd_t)
  
  domain_use_interactive_fds(realmd_t)
  
-@@ -38,12 +46,20 @@ dev_read_urand(realmd_t)
+@@ -38,12 +47,20 @@ dev_read_urand(realmd_t)
  
  fs_getattr_all_fs(realmd_t)
  
@@ -63323,7 +63422,7 @@ index 9a8f052..9817f00 100644
  optional_policy(`
  	dbus_system_domain(realmd_t, realmd_exec_t)
  
-@@ -67,17 +83,25 @@ optional_policy(`
+@@ -67,17 +84,25 @@ optional_policy(`
  
  optional_policy(`
  	nis_exec_ypbind(realmd_t)
@@ -63352,7 +63451,7 @@ index 9a8f052..9817f00 100644
  ')
  
  optional_policy(`
-@@ -86,5 +110,26 @@ optional_policy(`
+@@ -86,5 +111,26 @@ optional_policy(`
  	sssd_manage_lib_files(realmd_t)
  	sssd_manage_public_files(realmd_t)
  	sssd_read_pid_files(realmd_t)
@@ -63634,7 +63733,7 @@ index 5421af0..91e69b8 100644
 +/var/run/heartbeat(/.*)?             gen_context(system_u:object_r:rgmanager_var_run_t,s0)
 +/var/run/rgmanager\.pid			--	gen_context(system_u:object_r:rgmanager_var_run_t,s0)
 diff --git a/rgmanager.if b/rgmanager.if
-index 1c2f9aa..8af1f78 100644
+index 1c2f9aa..a4133dc 100644
 --- a/rgmanager.if
 +++ b/rgmanager.if
 @@ -1,13 +1,13 @@
@@ -63758,7 +63857,7 @@ index 1c2f9aa..8af1f78 100644
  
  	init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -121,3 +158,47 @@ interface(`rgmanager_admin',`
+@@ -121,3 +158,66 @@ interface(`rgmanager_admin',`
  	files_list_pids($1)
  	admin_pattern($1, rgmanager_var_run_t)
  ')
@@ -63803,9 +63902,28 @@ index 1c2f9aa..8af1f78 100644
 +    ')
 +
 +    files_list_var_lib($1)
-+	allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++    allow $1 rgmanager_var_lib_t:dir search_dir_perms;
 +    can_exec($1, rgmanager_var_lib_t)
 +')
++
++######################################
++## <summary>
++##  Allow the specified domain to search rgmanager's lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rgmanager_search_lib',`
++    gen_require(`
++        type rgmanager_var_lib_t;
++    ')
++
++    files_list_var_lib($1)
++    allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++')
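Review bot: the summary of the new rgmanager_search_lib interface says "search rgmanager's lib files", but the body grants only files_list_var_lib and search_dir_perms on rgmanager_var_lib_t:dir, so "search rgmanager's lib directories" would be accurate. The interface just above now contains exactly those two lines ahead of its can_exec; calling rgmanager_search_lib($1) from it would remove the duplication. The tab-to-space fix on the `allow $1 rgmanager_var_lib_t:dir` line is welcome.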
 diff --git a/rgmanager.te b/rgmanager.te
 index b418d1c..1ad9c12 100644
 --- a/rgmanager.te
@@ -67709,10 +67827,10 @@ index c49828c..a323332 100644
  sysnet_dns_name_resolve(rpcbind_t)
  
 diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..54fe358 100644
+index ebe91fc..8dd55c5 100644
 --- a/rpm.fc
 +++ b/rpm.fc
-@@ -1,61 +1,69 @@
+@@ -1,61 +1,70 @@
 -/bin/rpm	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
 -/etc/rc\.d/init\.d/bcfg2	--	gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -67765,6 +67883,7 @@ index ebe91fc..54fe358 100644
 -/usr/share/yumex/yum_childtask\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/yum-cron		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
 -/var/cache/bcfg2(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
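Review bot: labelling /usr/sbin/yum-cron as rpm_exec_t means it runs in rpm_t, one of the broadest domains in the policy, whenever it is executed from a domain with an rpm domain transition. That is presumably intended, since yum-cron drives rpm, but the reason deserves a comment next to the entry so nobody later relabels it to a cron job type and breaks package updates.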
@@ -67827,7 +67946,7 @@ index ebe91fc..54fe358 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index 0628d50..dbe00f4 100644
+index 0628d50..c73d362 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -68033,13 +68152,31 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -276,14 +318,12 @@ interface(`rpm_append_log',`
+@@ -276,14 +318,30 @@ interface(`rpm_append_log',`
  		type rpm_log_t;
  	')
  
 -	logging_search_logs($1)
 -	append_files_pattern($1, rpm_log_t, rpm_log_t)
 +	allow $1 rpm_log_t:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete the RPM log.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpm_read_log',`
++	gen_require(`
++		type rpm_log_t;
++	')
++
++    read_files_pattern($1, rpm_log_t, rpm_log_t)
  ')
  
  ########################################
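Review bot: the summary of the new rpm_read_log interface reads "Create, read, write, and delete the RPM log." but the body only grants read_files_pattern, so the documentation was copied from a manage interface and should say "Read the RPM log." The body also lacks logging_search_logs($1); since the same hunk removes logging_search_logs from rpm_append_log, it seems directory search is being left to the caller, which a comment should state. Finally, the read_files_pattern line is space-indented while the gen_require block uses tabs.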
@@ -68050,7 +68187,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -302,7 +342,7 @@ interface(`rpm_manage_log',`
+@@ -302,7 +360,7 @@ interface(`rpm_manage_log',`
  
  ########################################
  ## <summary>
@@ -68059,7 +68196,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -320,8 +360,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +378,8 @@ interface(`rpm_use_script_fds',`
  
  ########################################
  ## <summary>
@@ -68070,7 +68207,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -335,12 +375,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +393,15 @@ interface(`rpm_manage_script_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -68087,7 +68224,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -353,14 +396,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +414,13 @@ interface(`rpm_append_tmp_files',`
  		type rpm_tmp_t;
  	')
  
@@ -68105,7 +68242,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -374,12 +416,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +434,14 @@ interface(`rpm_manage_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -68121,7 +68258,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -399,7 +443,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +461,7 @@ interface(`rpm_read_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -68130,7 +68267,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -420,8 +464,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +482,7 @@ interface(`rpm_read_cache',`
  
  ########################################
  ## <summary>
@@ -68140,7 +68277,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -442,7 +485,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +503,7 @@ interface(`rpm_manage_cache',`
  
  ########################################
  ## <summary>
@@ -68149,7 +68286,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -459,11 +502,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +520,12 @@ interface(`rpm_read_db',`
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -68163,7 +68300,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -482,8 +526,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +544,7 @@ interface(`rpm_delete_db',`
  
  ########################################
  ## <summary>
@@ -68173,7 +68310,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -504,7 +547,7 @@ interface(`rpm_manage_db',`
+@@ -504,7 +565,7 @@ interface(`rpm_manage_db',`
  ########################################
  ## <summary>
  ##	Do not audit attempts to create, read,
@@ -68182,7 +68319,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -517,7 +560,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +578,7 @@ interface(`rpm_dontaudit_manage_db',`
  		type rpm_var_lib_t;
  	')
  
@@ -68191,7 +68328,7 @@ index 0628d50..dbe00f4 100644
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
-@@ -543,8 +586,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +604,7 @@ interface(`rpm_read_pid_files',`
  
  #####################################
  ## <summary>
@@ -68201,7 +68338,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -563,8 +605,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +623,7 @@ interface(`rpm_manage_pid_files',`
  
  ######################################
  ## <summary>
@@ -68211,7 +68348,7 @@ index 0628d50..dbe00f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -573,94 +614,72 @@ interface(`rpm_manage_pid_files',`
+@@ -573,94 +632,72 @@ interface(`rpm_manage_pid_files',`
  ## </param>
  #
  interface(`rpm_pid_filetrans',`
@@ -68315,15 +68452,15 @@ index 0628d50..dbe00f4 100644
 -
 -	files_list_var($1)
 -	admin_pattern($1, rpm_cache_t)
--
++	typeattribute $1 rpm_transition_domain;
++	allow $1 rpm_script_t:process transition;
+ 
 -	files_list_tmp($1)
 -	admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
 -
 -	files_list_var_lib($1)
 -	admin_pattern($1, rpm_var_lib_t)
-+	typeattribute $1 rpm_transition_domain;
-+	allow $1 rpm_script_t:process transition;
- 
+-
 -	files_search_locks($1)
 -	admin_pattern($1, rpm_lock_t)
 -
@@ -72942,7 +73079,7 @@ index cd6c213..34b861a 100644
 +	allow $1 sanlock_unit_file_t:service all_service_perms;
  ')
 diff --git a/sanlock.te b/sanlock.te
-index a34eac4..114c9d2 100644
+index a34eac4..25ad7ec 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -1,4 +1,4 @@
@@ -73076,12 +73213,13 @@ index a34eac4..114c9d2 100644
  ')
  
  optional_policy(`
-@@ -100,7 +117,7 @@ optional_policy(`
+@@ -100,7 +117,8 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	virt_kill_all_virt_domains(sanlock_t)
 +	virt_kill_svirt(sanlock_t)
++    virt_kill(sanlock_t)
  	virt_manage_lib_files(sanlock_t)
 -	virt_signal_all_virt_domains(sanlock_t)
 +	virt_signal_svirt(sanlock_t)
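Review bot: the added line `++    virt_kill(sanlock_t)` is indented with four spaces while the neighbouring `virt_kill_svirt(sanlock_t)` and `virt_manage_lib_files(sanlock_t)` lines use a tab; given the "Fix tabs" item in this very changelog, switch it to a tab before the patch is regenerated.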
@@ -82487,7 +82625,7 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 7116181..7a80e6d 100644
+index 7116181..a6bd365 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -82536,7 +82674,7 @@ index 7116181..7a80e6d 100644
  
  corecmd_exec_bin(tuned_t)
  corecmd_exec_shell(tuned_t)
-@@ -64,31 +74,48 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +74,52 @@ corecmd_exec_shell(tuned_t)
  dev_getattr_all_blk_files(tuned_t)
  dev_getattr_all_chr_files(tuned_t)
  dev_read_urand(tuned_t)
@@ -82548,10 +82686,10 @@ index 7116181..7a80e6d 100644
  files_dontaudit_search_home(tuned_t)
 -files_dontaudit_list_tmp(tuned_t)
 +files_list_tmp(tuned_t)
-+
-+fs_getattr_all_fs(tuned_t)
  
 -fs_getattr_xattr_fs(tuned_t)
++fs_getattr_all_fs(tuned_t)
++
 +auth_use_nsswitch(tuned_t)
  
  logging_send_syslog_msg(tuned_t)
@@ -82568,6 +82706,10 @@ index 7116181..7a80e6d 100644
 +	dbus_connect_system_bus(tuned_t)
 +')
 +
++optional_policy(`
++	dmidecode_domtrans(tuned_t)
++')
++
 +# to allow disk tuning
 +optional_policy(`
  	fstools_domtrans(tuned_t)
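Review bot: the new `optional_policy(` block calling `dmidecode_domtrans(tuned_t)` has no comment, unlike the adjacent `# to allow disk tuning` block; a short comment stating why tuned needs to run dmidecode (the changelog only says "Allow tuned to transition to dmidecode") would document the reason for the extra domain transition.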
@@ -84188,7 +84330,7 @@ index c30da4c..014e40c 100644
 +/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..8f6d2a3 100644
+index 9dec06c..fa2c674 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -85468,32 +85610,47 @@ index 9dec06c..8f6d2a3 100644
  ########################################
  ## <summary>
 -##	Read virt image files.
-+##	Send a signal to virtual machines
++##	Send a sigkill to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +867,17 @@ interface(`virt_search_images',`
+@@ -995,36 +867,35 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_read_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_kill',`
  	gen_require(`
 -		type virt_var_lib_t;
 -		attribute virt_image_type;
--	')
--
++		type virtd_t;
+ 	')
+ 
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir list_dir_perms;
 -	list_dirs_pattern($1, virt_image_type, virt_image_type)
 -	read_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	read_blk_files_pattern($1, virt_image_type, virt_image_type)
--
++	allow $1 virtd_t:process sigkill;
++')
+ 
 -	tunable_policy(`virt_use_nfs',`
 -		fs_list_nfs($1)
 -		fs_read_nfs_files($1)
 -		fs_read_nfs_symlinks($1)
++########################################
++## <summary>
++##	Send a signal to virtual machines
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_signal_svirt',`
++	gen_require(`
 +		attribute virt_domain;
  	')
  
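Review bot: the interface introduced here is named `virt_kill` (`++interface(`virt_kill',`) and its summary reads "Send a sigkill to virtd daemon.", but the changelog in this same commit lists both "Fix virt_sigkill() interface" and "Add virt_kill() interface"; no `virt_sigkill` appears in the diff, so the "Fix virt_sigkill()" entry should be reworded or dropped to match the name actually added, and a short note that `virt_kill` is deliberately narrower than `virt_kill_svirt` (only `virtd_t:process sigkill`, per the allow line above) would help callers pick the right one.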
@@ -85513,7 +85670,7 @@ index 9dec06c..8f6d2a3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,58 +885,57 @@ interface(`virt_read_images',`
+@@ -1032,58 +903,57 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -85593,7 +85750,7 @@ index 9dec06c..8f6d2a3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,95 +943,150 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,95 +961,150 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -88106,10 +88263,17 @@ index 1e3aec0..d17ff39 100644
 +
  ')
 diff --git a/wdmd.te b/wdmd.te
-index ebbdaf6..956f8f0 100644
+index ebbdaf6..144c0e7 100644
 --- a/wdmd.te
 +++ b/wdmd.te
-@@ -51,10 +51,8 @@ auth_use_nsswitch(wdmd_t)
+@@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t)
+ dev_read_watchdog(wdmd_t)
+ dev_write_watchdog(wdmd_t)
+ 
++fs_getattr_all_fs(wdmd_t)
+ fs_read_anon_inodefs_files(wdmd_t)
+ 
+ auth_use_nsswitch(wdmd_t)
  
  logging_send_syslog_msg(wdmd_t)
  
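Review bot: `++fs_getattr_all_fs(wdmd_t)` grants getattr on every filesystem type; the changelog only says it is back-ported from RHEL6, so a comment on the line naming the filesystem that produced the denial would let a later reviewer judge whether a narrower fs_getattr_*_fs() interface would have sufficed.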
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 90ff8f3..6f5e230 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 25%{?dist}
+Release: 26%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,39 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Apr 5 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-26
+- Try to label on controlC devices up to 30 correctly
+- Add mount_rw_pid_files() interface
+- Add additional mount/umount interfaces needed by mock
+- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk
+- Fix tabs
+- Allow initrc_domain to search rgmanager lib files
+- Add more fixes which make mock working together with confined users
+  * Allow mock_t to manage rpm files
+  * Allow mock_t to read rpm log files
+  * Allow mock to setattr on tmpfs, devpts
+  * Allow mount/umount filesystems
+- Add rpm_read_log() interface
+- yum-cron runs rpm from within it.
+- Allow tuned to transition to dmidecode
+- Allow firewalld to do net_admin
+- Allow mock to unmont tmpfs_t
+- Fix virt_sigkill() interface
+- Add additional fixes for mock. Mainly caused by mount running in mock_t
+- Allow mock to write sysfs_t and mount pid files
+- Add mailman_domain to mailman_template()
+- Allow openvswitch to execute shell
+- Allow qpidd to use kerberos
+- Allow mailman to use fusefs, needs back port to RHEL6
+- Allow apache and its scripts to use anon_inodefs
+- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7
+- Realmd needs to connect to samba ports, needs back port to F18 also
+- Allow colord to read /run/initial-setup-
+- Allow sanlock-helper to send sigkill to virtd which is registred to sanlock
+- Add virt_kill() interface
+- Add rgmanager_search_lib() interface
+- Allow wdmd to getattr on all filesystems. Back ported from RHEL6
+
 * Tue Apr 2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-25
 - Allow realmd to create tmp files
 - FIx ircssi_home_t type to irssi_home_t
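Review bot: several new %changelog entries carry typos or look truncated and should be corrected before release: "Allow mock to unmont tmpfs_t" (unmount), "which is registred to sanlock" (registered), "make mock working together with confined users" (work together), and "Allow colord to read /run/initial-setup-" appears cut off mid-path. The entry "Fix virt_sigkill() interface" also does not match any interface in this diff, where the added interface is `virt_kill()`.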