[selinux-policy] - Fix lockdev_manage_files() - Allow setroubleshootd to read var_lib_t to make email_alert work -

Miroslav Grepl mgrepl at fedoraproject.org
Tue Apr 23 10:44:22 UTC 2013


commit d61e0b894f873f0941968435201fd8f2e456f32d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Apr 23 12:44:02 2013 +0200

    - Fix lockdev_manage_files()
    - Allow setroubleshootd to read var_lib_t to make email_alert work
    - Add lockdev_manage_files()
    - Call proper interface in virt.te
    - Allow gkeyring_domain to create /var/run/UID/config/dbus file
    - system dbus seems to be blocking suspend
    - Dontaudit attempts to sys_ptrace, which I believe gpsd does not need
    - When you enter a container from root, you generate avcs with a leaked file descriptor
    - Allow mpd getattr on file system directories
    - Make sure realmd creates content with the correct label
    - Allow systemd-tty-ask to write kmsg
    - Allow mgetty to use lockdev library for device locking
    - Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
    - When you enter a container from root, you generate avcs with a leaked file descriptor
    - Make sure init.fc files are labeled correctly at creation
    - File name trans vconsole.conf
    - Fix labeling for nagios plugins
    - label shared libraries in /opt/google/chrome as textrel_shlib_t

 policy-rawhide-base.patch    |  176 ++++++---
 policy-rawhide-contrib.patch |  839 +++++++++++++++++++++++++-----------------
 selinux-policy.spec          |   45 +++-
 3 files changed, 662 insertions(+), 398 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a403f1c..4e0fbde 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3021,7 +3021,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..d2dbf35 100644
+index 644d4d7..4debbf2 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3179,7 +3179,7 @@ index 644d4d7..d2dbf35 100644
  /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +246,28 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +246,30 @@ ifdef(`distro_gentoo',`
  /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3189,7 +3189,9 @@ index 644d4d7..d2dbf35 100644
 -/usr/lib/nspluginwrapper/np.*		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/pm-utils(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nagios/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/urlize  --  gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/netsaint/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/news/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/nspluginwrapper/np.*	gen_context(system_u:object_r:bin_t,s0)
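Review bot: replacing `/usr/lib/nagios/plugins(/.*)?` with three explicit entries (negate, urlize, utils.sh) removes the bin_t label from the plugins directory itself and from every other plugin under it, so those now depend entirely on the nagios module's own file contexts (nagios.fc in the contrib patch, which this hunk does not show); confirm that module labels the directory and the remaining plugins, otherwise they fall back to the generic /usr/lib label and the domains that execute them will start hitting AVC denials. The three new lines also use ad-hoc spacing (`urlize  --  gen_context`) where the neighbouring entries align with tabs; match the surrounding style.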
@@ -3215,7 +3217,7 @@ index 644d4d7..d2dbf35 100644
  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +282,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +284,15 @@ ifdef(`distro_gentoo',`
  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3231,7 +3233,7 @@ index 644d4d7..d2dbf35 100644
  /usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +303,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +305,17 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -3252,7 +3254,7 @@ index 644d4d7..d2dbf35 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +329,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +331,15 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -3268,7 +3270,7 @@ index 644d4d7..d2dbf35 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +352,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +354,22 @@ ifdef(`distro_gentoo',`
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@@ -3293,7 +3295,7 @@ index 644d4d7..d2dbf35 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +385,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +387,27 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -3322,7 +3324,7 @@ index 644d4d7..d2dbf35 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +454,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +456,15 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -3339,7 +3341,7 @@ index 644d4d7..d2dbf35 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +472,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +474,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -7749,7 +7751,7 @@ index 6a1e4d1..adafd25 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..dc4207f 100644
+index cf04cb5..ff7b3f4 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -7875,7 +7877,7 @@ index cf04cb5..dc4207f 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,266 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -7904,6 +7906,7 @@ index cf04cb5..dc4207f 100644
 +	init_reboot(unconfined_domain_type)
 +	init_halt(unconfined_domain_type)
 +	init_undefined(unconfined_domain_type)
++	init_filetrans_named_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
@@ -18526,10 +18529,10 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..83e6404 100644
+index 88d0028..4cc476f 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,78 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1)
  # Declarations
  #
  
@@ -18583,6 +18586,7 @@ index 88d0028..83e6404 100644
  
 +application_exec(sysadm_t)
 +
++init_filetrans_named_content(sysadm_t)
  init_exec(sysadm_t)
 +init_exec_script_files(sysadm_t)
 +init_dbus_chat(sysadm_t)
@@ -18619,7 +18623,7 @@ index 88d0028..83e6404 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,13 +94,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +95,7 @@ ifdef(`distro_gentoo',`
  	init_exec_rc(sysadm_t)
  ')
  
@@ -18634,7 +18638,7 @@ index 88d0028..83e6404 100644
  	domain_ptrace_all_domains(sysadm_t)
  ')
  
-@@ -71,9 +104,9 @@ optional_policy(`
+@@ -71,9 +105,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -18645,7 +18649,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -87,6 +120,7 @@ optional_policy(`
+@@ -87,6 +121,7 @@ optional_policy(`
  
  optional_policy(`
  	asterisk_stream_connect(sysadm_t)
@@ -18653,7 +18657,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -110,6 +144,10 @@ optional_policy(`
+@@ -110,6 +145,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18664,7 +18668,7 @@ index 88d0028..83e6404 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -122,11 +160,19 @@ optional_policy(`
+@@ -122,11 +161,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18686,7 +18690,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -140,6 +186,10 @@ optional_policy(`
+@@ -140,6 +187,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18697,7 +18701,7 @@ index 88d0028..83e6404 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -156,11 +206,11 @@ optional_policy(`
+@@ -156,11 +207,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18711,7 +18715,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -179,6 +229,13 @@ optional_policy(`
+@@ -179,6 +230,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -18725,7 +18729,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -186,15 +243,20 @@ optional_policy(`
+@@ -186,15 +244,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18749,7 +18753,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -214,22 +276,20 @@ optional_policy(`
+@@ -214,22 +277,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -18778,7 +18782,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -241,14 +301,27 @@ optional_policy(`
+@@ -241,14 +302,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18806,7 +18810,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -256,10 +329,20 @@ optional_policy(`
+@@ -256,10 +330,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18827,7 +18831,7 @@ index 88d0028..83e6404 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +353,36 @@ optional_policy(`
+@@ -270,31 +354,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18871,7 +18875,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -319,12 +407,18 @@ optional_policy(`
+@@ -319,12 +408,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18891,7 +18895,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -349,7 +443,18 @@ optional_policy(`
+@@ -349,7 +444,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18911,7 +18915,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -360,19 +465,15 @@ optional_policy(`
+@@ -360,19 +466,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18933,7 +18937,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -384,10 +485,6 @@ optional_policy(`
+@@ -384,10 +486,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18944,7 +18948,7 @@ index 88d0028..83e6404 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +492,9 @@ optional_policy(`
+@@ -395,6 +493,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -18954,7 +18958,7 @@ index 88d0028..83e6404 100644
  ')
  
  optional_policy(`
-@@ -402,31 +502,34 @@ optional_policy(`
+@@ -402,31 +503,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18995,7 +18999,7 @@ index 88d0028..83e6404 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,10 +542,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +543,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19006,7 +19010,7 @@ index 88d0028..83e6404 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -463,15 +562,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +563,75 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -26810,7 +26814,7 @@ index e4376aa..2c98c56 100644
 +	allow $1 getty_unit_file_t:service start;
 +')
 diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index fc38c9c..dce2d4e 100644
+index fc38c9c..61a1d24 100644
 --- a/policy/modules/system/getty.te
 +++ b/policy/modules/system/getty.te
 @@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t)
@@ -26852,17 +26856,20 @@ index fc38c9c..dce2d4e 100644
  	# Support logging in from /dev/console
  	term_use_console(getty_t)
  ',`
-@@ -125,10 +130,6 @@ optional_policy(`
+@@ -121,11 +126,11 @@ tunable_policy(`console_login',`
+ ')
+ 
+ optional_policy(`
+-	mta_send_mail(getty_t)
++    lockdev_manage_files(getty_t)
  ')
  
  optional_policy(`
 -	nscd_use(getty_t)
--')
--
--optional_policy(`
- 	ppp_domtrans(getty_t)
++	mta_send_mail(getty_t)
  ')
  
+ optional_policy(`
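Review bot: the regenerated inner hunk for getty.te appears malformed: the three `-` lines that previously removed the closing `')`, the blank line and the `optional_policy(\`` between nscd_use and ppp_domtrans are dropped from the outer diff, so `ppp_domtrans(getty_t)` now sits as unchanged context directly after `-	nscd_use(getty_t)`, which is not what the original file has after that line, and the header's 11/11 line counts do not match the body. Expect a reject or a fuzzy apply; regenerate the hunk against the current getty.te so that the result reads as three separate optional_policy blocks (lockdev, mta, ppp) with nscd_use gone. Two smaller points: `lockdev_manage_files(getty_t)` is indented with four spaces where the file uses a tab, and wrapping the lockdev call in optional_policy is correct since lockdev is a contrib module and getty.te is base.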
 diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
 index 9dfecf7..6d00f5c 100644
 --- a/policy/modules/system/hostname.fc
@@ -27074,7 +27081,7 @@ index 9a4d3a7..9d960bb 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..1894886 100644
+index 24e7804..d0780a9 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -27959,7 +27966,7 @@ index 24e7804..1894886 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2284,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2284,306 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -28244,6 +28251,28 @@ index 24e7804..1894886 100644
 +
 +	allow $1 init_t:system undefined;
 +')
++
++########################################
++## <summary>
++##	Transition to init named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_filetrans_named_content',`
++	gen_require(`
++		type init_var_run_t;
++		type initrc_var_run_t;
++		type machineid_t;
++	')
++
++	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
++	files_pid_filetrans($1, init_var_run_t, file, "random-seed")
++	files_etc_filetrans($1, machineid_t, file, "machine-id" )
++')
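Review bot: `machineid_t` is pulled in through gen_require but nothing in this patch shows its declaration; if init.te (or another base module) does not declare `type machineid_t`, the base policy build fails at link time, so please confirm it exists. Minor: `"machine-id" )` has a stray space before the paren, and the parameter `<summary>` is indented with spaces where the file uses tabs. It would also help callers if the interface summary named the files it transitions (utmp, random-seed, machine-id) rather than just "init named content".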
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 index dd3be8d..969bda2 100644
 --- a/policy/modules/system/init.te
@@ -30065,7 +30094,7 @@ index 5dfa44b..aa4d8fc 100644
  
  optional_policy(`
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..aadfba0 100644
+index 73bb3c0..46439b4 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -1,3 +1,4 @@
@@ -30227,7 +30256,7 @@ index 73bb3c0..aadfba0 100644
  
  /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -299,17 +310,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +310,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -30383,6 +30412,7 @@ index 73bb3c0..aadfba0 100644
 +/opt/lgtonmc/bin/.*\.so(\.[0-9])?  	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/chrome/.*\.so	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
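Review bot: textrel_shlib_t exists to permit execmod (text relocations), which relaxes W^X for every domain that maps these libraries, so the pattern should stay as tight as possible and be chosen deliberately: `/opt/google/chrome/.*\.so` with `--` matches only regular files whose name ends in `.so`, not versioned names such as `lib*.so.1` (compare the `(\.[0-9])?` suffix on the lgtonmc entry just above). If chrome only ships unversioned .so files this minimal grant is the right choice; if it ships versioned ones, widen the pattern rather than letting them silently stay lib_t and fail with execmod denials.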
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
@@ -32307,7 +32337,7 @@ index 9fe8e01..fa82aac 100644
  /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
  ')
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..2f33076 100644
+index fc28bc3..2960ed7 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
 @@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -32445,7 +32475,7 @@ index fc28bc3..2f33076 100644
  ')
  
  ########################################
-@@ -809,3 +882,60 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +882,61 @@ interface(`miscfiles_manage_localization',`
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
  
@@ -32466,6 +32496,7 @@ index fc28bc3..2f33076 100644
 +
 +	files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
 +	files_etc_filetrans($1, locale_t, file, "locale.conf")
++	files_etc_filetrans($1, locale_t, file, "vconsole.conf")
 +	files_etc_filetrans($1, locale_t, file, "locale.conf.new")
 +	files_etc_filetrans($1, locale_t, file, "timezone")
 +	files_etc_filetrans($1, locale_t, file, "clock")
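Review bot: the new name transition for "vconsole.conf" needs a matching file-context entry (`/etc/vconsole\.conf -- gen_context(system_u:object_r:locale_t,s0)` in miscfiles.fc) so that restorecon and the transition agree on the label; this patch does not show one, so confirm it is already present. Note also that locale.conf.new is transitioned while vconsole.conf.new is not; if the tool that writes vconsole.conf uses the same temp-and-rename pattern, the temporary file would be created as etc_t and keep that label after the rename.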
@@ -37060,10 +37091,10 @@ index 0000000..5894afb
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..b3ea12d
+index 0000000..2c9ccbf
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,642 @@
+@@ -0,0 +1,643 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -37308,6 +37339,7 @@ index 0000000..b3ea12d
 +dev_create_generic_dirs(systemd_passwd_agent_t)
 +dev_read_generic_files(systemd_passwd_agent_t)
 +dev_write_generic_sock_files(systemd_passwd_agent_t)
++dev_write_kmsg(systemd_passwd_agent_t)
 +
 +term_read_console(systemd_passwd_agent_t)
 +
@@ -39078,7 +39110,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..9799799 100644
+index 3c5dba7..b44b1c9 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40360,7 +40392,7 @@ index 3c5dba7..9799799 100644
 -		corenet_tcp_bind_generic_node($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
 +
-+	tunable_policy(`selinuxuser_user_share_music',`
++	tunable_policy(`selinuxuser_share_music',`
 +		corenet_tcp_bind_daap_port($1_usertype)
 +	')
 +
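Review bot: renaming the boolean from selinuxuser_user_share_music to selinuxuser_share_music is a user-visible change: a persisted `setsebool -P selinuxuser_user_share_music on` silently stops applying after the upgrade, and any script or documentation using the old name breaks. Add the old name as an alias in booleans.subs_dist (or at least call out the rename in the spec changelog) so existing settings keep working.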
@@ -41745,7 +41777,7 @@ index 3c5dba7..9799799 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3438,4 +4197,1357 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4197,1393 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -42306,6 +42338,42 @@ index 3c5dba7..9799799 100644
 +
 +########################################
 +## <summary>
++##	Dontaudit Read files inherited from the admin home dir.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_read_inherited_admin_home_files',`
++	gen_require(`
++		attribute admin_home_t;
++	')
++
++	dontaudit $1 admin_home_t:file read_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Dontaudit append files inherited from the admin home dir.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_append_inherited_admin_home_file',`
++	gen_require(`
++		attribute admin_home_t;
++	')
++
++	dontaudit $1 admin_home_t:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
 +##	Read/Write files inherited
 +##	in a user home subdirectory.
 +## </summary>
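Review bot: the two new interface names are inconsistent, `userdom_dontaudit_read_inherited_admin_home_files` versus `userdom_dontaudit_append_inherited_admin_home_file`; make both plural to match the rest of userdomain.if. Both gen_require blocks declare admin_home_t as an `attribute`; check that this matches how admin_home_t is declared in userdomain.te, because a type requested as an attribute fails to link. The summaries ("Dontaudit Read files ...", "Dontaudit append files ...") should follow the file's usual "Do not audit attempts to ..." phrasing.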
@@ -43104,7 +43172,7 @@ index 3c5dba7..9799799 100644
 +	filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
  ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..6371ed6 100644
+index e2b538b..9e23738 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -43143,7 +43211,7 @@ index e2b538b..6371ed6 100644
  ## </p>
  ## </desc>
 -gen_tunable(user_dmesg, false)
-+gen_tunable(selinuxuser_user_share_music, false)
++gen_tunable(selinuxuser_share_music, false)
  
  ## <desc>
  ## <p>
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 366b5d3..cc76d7e 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4426,10 +4426,10 @@ index 83e899c..c0ece1b 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..25bd127 100644
+index 1a82e29..c2a14a5 100644
 --- a/apache.te
 +++ b/apache.te
-@@ -1,297 +1,353 @@
+@@ -1,297 +1,360 @@
 -policy_module(apache, 2.6.10)
 +policy_module(apache, 2.4.0)
 +
@@ -4544,11 +4544,11 @@ index 1a82e29..25bd127 100644
 -##	connect to databases over the network.
 -##	</p>
 +## <p>
-+## Allow HTTPD to connect to port 80 for graceful shutdown
++## Allow HTTPD scripts and modules to server cobbler files.
 +## </p>
  ## </desc>
 -gen_tunable(httpd_can_network_connect_db, false)
-+gen_tunable(httpd_graceful_shutdown, false)
++gen_tunable(httpd_serve_cobbler_files, false)
  
  ## <desc>
 -##	<p>
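Review bot: the description for the new httpd_serve_cobbler_files boolean reads "to server cobbler files"; it should be "to serve cobbler files", since this text is what `semanage boolean -l` and sepolicy show to administrators. While touching it, make sure the wording matches what the boolean actually grants further down in this file (cobbler_manage_lib_files when on), which is more than serving.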
@@ -4556,11 +4556,11 @@ index 1a82e29..25bd127 100644
 -##	ldap over the network.
 -##	</p>
 +## <p>
-+## Allow HTTPD scripts and modules to connect to databases over the network.
++## Allow HTTPD to connect to port 80 for graceful shutdown
 +## </p>
  ## </desc>
 -gen_tunable(httpd_can_network_connect_ldap, false)
-+gen_tunable(httpd_can_network_connect_db, false)
++gen_tunable(httpd_graceful_shutdown, false)
  
  ## <desc>
 -##	<p>
@@ -4568,17 +4568,24 @@ index 1a82e29..25bd127 100644
 -##	to memcache server over the network.
 -##	</p>
 +## <p>
-+## Allow httpd to connect to memcache server
++## Allow HTTPD scripts and modules to connect to databases over the network.
 +## </p>
  ## </desc>
 -gen_tunable(httpd_can_network_connect_memcache, false)
-+gen_tunable(httpd_can_network_memcache, false)
++gen_tunable(httpd_can_network_connect_db, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can act as a relay.
 -##	</p>
 +## <p>
++## Allow httpd to connect to memcache server
++## </p>
++## </desc>
++gen_tunable(httpd_can_network_memcache, false)
++
++## <desc>
++## <p>
 +## Allow httpd to act as a relay
 +## </p>
  ## </desc>
@@ -4932,7 +4939,7 @@ index 1a82e29..25bd127 100644
  type httpd_rotatelogs_t;
  type httpd_rotatelogs_exec_t;
  init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -299,10 +355,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -299,10 +362,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
  type httpd_squirrelmail_t;
  files_type(httpd_squirrelmail_t)
  
@@ -4945,7 +4952,7 @@ index 1a82e29..25bd127 100644
  type httpd_suexec_exec_t;
  domain_type(httpd_suexec_t)
  domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -311,9 +365,19 @@ role system_r types httpd_suexec_t;
+@@ -311,9 +372,19 @@ role system_r types httpd_suexec_t;
  type httpd_suexec_tmp_t;
  files_tmp_file(httpd_suexec_tmp_t)
  
@@ -4967,7 +4974,7 @@ index 1a82e29..25bd127 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -323,12 +387,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -323,12 +394,19 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -4987,7 +4994,7 @@ index 1a82e29..25bd127 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -343,33 +414,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -343,33 +421,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
  typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
  typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
  
@@ -5038,7 +5045,7 @@ index 1a82e29..25bd127 100644
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
  allow httpd_t self:sock_file read_sock_file_perms;
-@@ -378,28 +456,36 @@ allow httpd_t self:shm create_shm_perms;
+@@ -378,28 +463,36 @@ allow httpd_t self:shm create_shm_perms;
  allow httpd_t self:sem create_sem_perms;
  allow httpd_t self:msgq create_msgq_perms;
  allow httpd_t self:msg { send receive };
@@ -5080,7 +5087,7 @@ index 1a82e29..25bd127 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,6 +493,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -407,6 +500,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  
@@ -5089,7 +5096,7 @@ index 1a82e29..25bd127 100644
  allow httpd_t httpd_rotatelogs_t:process signal_perms;
  
  manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-@@ -415,6 +503,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+@@ -415,6 +510,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
  
  allow httpd_t httpd_suexec_exec_t:file read_file_perms;
  
@@ -5100,7 +5107,7 @@ index 1a82e29..25bd127 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +537,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +544,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5328,7 +5335,7 @@ index 1a82e29..25bd127 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +703,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +710,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5384,7 +5391,7 @@ index 1a82e29..25bd127 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +751,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +758,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5469,7 +5476,7 @@ index 1a82e29..25bd127 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +792,29 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +799,42 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5512,18 +5519,27 @@ index 1a82e29..25bd127 100644
 -	fs_manage_fusefs_files(httpd_t)
 -	fs_read_fusefs_symlinks(httpd_t)
 -')
--
+ 
 -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 -	fs_exec_fusefs_files(httpd_t)
 -')
--
++optional_policy(`
++	cobbler_list_config(httpd_t)
++	cobbler_read_config(httpd_t)
+ 
 -tunable_policy(`httpd_use_nfs',`
 -	fs_list_auto_mountpoints(httpd_t)
 -	fs_manage_nfs_dirs(httpd_t)
 -	fs_manage_nfs_files(httpd_t)
 -	fs_manage_nfs_symlinks(httpd_t)
--')
--
++    tunable_policy(`httpd_serve_cobbler_files',`
++        cobbler_manage_lib_files(httpd_t)
++',`
++	    cobbler_read_lib_files(httpd_t)
++	    cobbler_search_lib(httpd_t)
++    ')
+ ')
+ 
 -tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
 -	fs_exec_nfs_files(httpd_t)
 +optional_policy(`
@@ -5535,22 +5551,22 @@ index 1a82e29..25bd127 100644
  ')
  
  optional_policy(`
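Review bot: when httpd_serve_cobbler_files is on, httpd_t receives cobbler_manage_lib_files, i.e. create, write and unlink on cobbler's /var/lib content, not just read access; serving files needs read plus directory search, and handing the web server write access to the provisioning data means a compromised httpd can alter what gets deployed. Either narrow the true branch to read/search interfaces or make the boolean description say plainly that it allows writing. Two further points in the same block: the true branch omits cobbler_search_lib(httpd_t) that the false branch grants, so confirm cobbler_manage_lib_files already covers the /var/lib traversal; and the `',` else marker is unindented while the branches mix four-space and tab indentation, which should be normalised to the tabs used elsewhere in apache.te.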
-@@ -744,12 +826,10 @@ optional_policy(`
+@@ -743,14 +845,6 @@ optional_policy(`
+ 	ccs_read_config(httpd_t)
  ')
  
- optional_policy(`
+-optional_policy(`
 -	clamav_domtrans_clamscan(httpd_t)
 -')
 -
 -optional_policy(`
-+	cobbler_list_config(httpd_t)
- 	cobbler_read_config(httpd_t)
- 	cobbler_read_lib_files(httpd_t)
-+	cobbler_search_lib(httpd_t)
- ')
+-	cobbler_read_config(httpd_t)
+-	cobbler_read_lib_files(httpd_t)
+-')
  
  optional_policy(`
-@@ -765,6 +845,23 @@ optional_policy(`
+ 	cron_system_entry(httpd_t, httpd_exec_t)
+@@ -765,6 +859,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5574,7 +5590,7 @@ index 1a82e29..25bd127 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +878,42 @@ optional_policy(`
+@@ -781,34 +892,42 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5628,7 +5644,7 @@ index 1a82e29..25bd127 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +921,18 @@ optional_policy(`
+@@ -816,8 +935,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5647,7 +5663,7 @@ index 1a82e29..25bd127 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +941,7 @@ optional_policy(`
+@@ -826,6 +955,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -5655,7 +5671,7 @@ index 1a82e29..25bd127 100644
  ')
  
  optional_policy(`
-@@ -836,20 +952,38 @@ optional_policy(`
+@@ -836,20 +966,38 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5700,7 +5716,7 @@ index 1a82e29..25bd127 100644
  ')
  
  optional_policy(`
-@@ -857,6 +991,16 @@ optional_policy(`
+@@ -857,6 +1005,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5717,7 +5733,7 @@ index 1a82e29..25bd127 100644
  	seutil_sigchld_newrole(httpd_t)
  ')
  
-@@ -865,6 +1009,7 @@ optional_policy(`
+@@ -865,6 +1023,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5725,7 +5741,7 @@ index 1a82e29..25bd127 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -877,65 +1022,166 @@ optional_policy(`
+@@ -877,65 +1036,166 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -5914,7 +5930,7 @@ index 1a82e29..25bd127 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1190,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1204,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6069,7 +6085,7 @@ index 1a82e29..25bd127 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1274,104 @@ optional_policy(`
+@@ -1077,172 +1288,104 @@ optional_policy(`
  	')
  ')
  
@@ -6089,7 +6105,8 @@ index 1a82e29..25bd127 100644
  
 -allow httpd_script_domains self:fifo_file rw_file_perms;
 -allow httpd_script_domains self:unix_stream_socket connectto;
--
++allow httpd_sys_script_t self:process getsched;
+ 
 -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
 -
 -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
@@ -6097,8 +6114,7 @@ index 1a82e29..25bd127 100644
 -
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-+allow httpd_sys_script_t self:process getsched;
- 
+-
 -corenet_all_recvfrom_unlabeled(httpd_script_domains)
 -corenet_all_recvfrom_netlabel(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_if(httpd_script_domains)
@@ -6240,8 +6256,7 @@ index 1a82e29..25bd127 100644
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 -
 -dontaudit httpd_sys_script_t httpd_config_t:dir search;
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 -
 -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@@ -6267,7 +6282,8 @@ index 1a82e29..25bd127 100644
 -	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_pop_port(httpd_sys_script_t)
 -	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -	mta_send_mail(httpd_sys_script_t)
 -	mta_signal_system_mail(httpd_sys_script_t)
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6305,7 +6321,7 @@ index 1a82e29..25bd127 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1379,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1393,70 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6399,7 +6415,7 @@ index 1a82e29..25bd127 100644
  
  ########################################
  #
-@@ -1315,8 +1450,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1464,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6416,7 +6432,7 @@ index 1a82e29..25bd127 100644
  ')
  
  ########################################
-@@ -1324,49 +1466,36 @@ optional_policy(`
+@@ -1324,49 +1480,36 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6480,7 +6496,7 @@ index 1a82e29..25bd127 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1505,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1519,99 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -6502,29 +6518,20 @@ index 1a82e29..25bd127 100644
 -allow httpd_gpg_t self:process setrlimit;
 +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
 +dontaudit httpd_passwd_t httpd_config_t:file read;
- 
--allow httpd_gpg_t httpd_t:fd use;
--allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
--allow httpd_gpg_t httpd_t:process sigchld;
++
 +search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
 +corecmd_shell_entry_type(httpd_script_type)
- 
--dev_read_rand(httpd_gpg_t)
--dev_read_urand(httpd_gpg_t)
++
 +allow httpd_script_type self:fifo_file rw_file_perms;
 +allow httpd_script_type self:unix_stream_socket connectto;
- 
--files_read_usr_files(httpd_gpg_t)
++
 +allow httpd_script_type httpd_t:fifo_file write;
 +# apache should set close-on-exec
 +apache_dontaudit_leaks(httpd_script_type)
- 
--miscfiles_read_localization(httpd_gpg_t)
++
 +append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
 +logging_search_logs(httpd_script_type)
- 
--tunable_policy(`httpd_gpg_anon_write',`
--	miscfiles_manage_public_files(httpd_gpg_t)
++
 +kernel_dontaudit_search_sysctl(httpd_script_type)
 +kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
 +
@@ -6544,21 +6551,30 @@ index 1a82e29..25bd127 100644
 +miscfiles_read_public_files(httpd_script_type)
 +
 +allow httpd_t httpd_script_type:unix_stream_socket connectto;
-+
+ 
+-allow httpd_gpg_t httpd_t:fd use;
+-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+-allow httpd_gpg_t httpd_t:process sigchld;
 +allow httpd_t httpd_script_exec_type:file read_file_perms;
 +allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
 +allow httpd_t httpd_script_type:process { signal sigkill sigstop };
 +allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-+
+ 
+-dev_read_rand(httpd_gpg_t)
+-dev_read_urand(httpd_gpg_t)
 +allow httpd_script_type self:process { setsched signal_perms };
 +allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
 +allow httpd_script_type self:unix_dgram_socket create_socket_perms;
-+
+ 
+-files_read_usr_files(httpd_gpg_t)
 +allow httpd_script_type httpd_t:fd use;
 +allow httpd_script_type httpd_t:process sigchld;
-+
+ 
+-miscfiles_read_localization(httpd_gpg_t)
 +dontaudit httpd_script_type httpd_t:tcp_socket { read write };
-+
+ 
+-tunable_policy(`httpd_gpg_anon_write',`
+-	miscfiles_manage_public_files(httpd_gpg_t)
 +fs_getattr_xattr_fs(httpd_script_type)
 +
 +files_read_etc_runtime_files(httpd_script_type)
@@ -7300,7 +7316,7 @@ index 0000000..98ab9ed
 +')
 diff --git a/authconfig.te b/authconfig.te
 new file mode 100644
-index 0000000..340b755
+index 0000000..f2aa4e6
 --- /dev/null
 +++ b/authconfig.te
 @@ -0,0 +1,32 @@
@@ -7314,6 +7330,7 @@ index 0000000..340b755
 +type authconfig_t;
 +type authconfig_exec_t;
 +application_domain(authconfig_t, authconfig_exec_t)
++role system_r types authconfig_t;
 +
 +type authconfig_var_lib_t;
 +files_type(authconfig_var_lib_t)
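Review bot: `+role system_r types authconfig_t;` only authorises authconfig_t under system_r; if administrators also invoke authconfig from an interactive shell, their roles need the same mapping, which refpolicy normally supplies through a `<module>_run(domain, role)` interface rather than a bare role statement in the .te file. If the domain is only ever reached from init scripts or installers this is sufficient, but say so in the changelog.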
@@ -7332,7 +7349,6 @@ index 0000000..340b755
 +
 +domain_use_interactive_fds(authconfig_t)
 +
-+
 +init_domtrans_script(authconfig_t)
 +
 +unconfined_domain_noaudit(authconfig_t)
@@ -9734,7 +9750,7 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 2354e21..03e12b7 100644
+index 2354e21..fb8c9ed 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -9763,7 +9779,15 @@ index 2354e21..03e12b7 100644
  
  manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
  manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-@@ -49,16 +54,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
+ 
+ kernel_read_kernel_sysctls(certmonger_t)
+ kernel_read_system_state(certmonger_t)
++kernel_read_network_state(certmonger_t)
+ 
+ corenet_all_recvfrom_unlabeled(certmonger_t)
+ corenet_all_recvfrom_netlabel(certmonger_t)
+@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
  
  corenet_sendrecv_certmaster_client_packets(certmonger_t)
  corenet_tcp_connect_certmaster_port(certmonger_t)
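Review bot: `+kernel_read_network_state(certmonger_t)` gives certmonger read access to the kernel network state (the /proc/net tree), yet nothing in the commit message mentions certmonger, so the denial that motivated it is not recorded; add the AVC or the reason to the changelog entry so the widening can be audited later.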
@@ -9786,7 +9810,7 @@ index 2354e21..03e12b7 100644
  files_list_tmp(certmonger_t)
  
  fs_search_cgroup_dirs(certmonger_t)
-@@ -70,16 +80,17 @@ init_getattr_all_script_files(certmonger_t)
+@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t)
  
  logging_send_syslog_msg(certmonger_t)
  
@@ -9806,7 +9830,7 @@ index 2354e21..03e12b7 100644
  ')
  
  optional_policy(`
-@@ -92,11 +103,47 @@ optional_policy(`
+@@ -92,11 +104,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -9856,10 +9880,10 @@ index 2354e21..03e12b7 100644
 +	')
 +')
 diff --git a/certwatch.te b/certwatch.te
-index 403af41..48acf72 100644
+index 403af41..8f201ca 100644
 --- a/certwatch.te
 +++ b/certwatch.te
-@@ -21,27 +21,31 @@ role certwatch_roles types certwatch_t;
+@@ -21,32 +21,40 @@ role certwatch_roles types certwatch_t;
  allow certwatch_t self:capability sys_nice;
  allow certwatch_t self:process { setsched getsched };
  
@@ -9896,6 +9920,15 @@ index 403af41..48acf72 100644
  	apache_exec_modules(certwatch_t)
  	apache_read_config(certwatch_t)
  ')
+ 
+ optional_policy(`
++    mta_send_mail(certwatch_t)
++')
++
++optional_policy(`
+ 	cron_system_entry(certwatch_t, certwatch_exec_t)
+ ')
+ 
 diff --git a/cfengine.if b/cfengine.if
 index a731122..5279d4e 100644
 --- a/cfengine.if
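Review bot: the new certwatch block is indented with four spaces (`+    mta_send_mail(certwatch_t)`) while the surrounding file uses a tab (`	cron_system_entry(certwatch_t, certwatch_exec_t)`); use a tab for consistency. mta_send_mail grants certwatch a transition into the system mail domain, which is a reasonable need for a notification tool, but certwatch is absent from the changelog, so note the reason there.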
@@ -11525,8 +11558,20 @@ index d8e9958..0046a69 100644
  optional_policy(`
  	corosync_stream_connect(cmirrord_t)
  ')
+diff --git a/cobbler.fc b/cobbler.fc
+index 973d208..2b650a7 100644
+--- a/cobbler.fc
++++ b/cobbler.fc
+@@ -4,6 +4,7 @@
+ 
+ /usr/bin/cobblerd	--	gen_context(system_u:object_r:cobblerd_exec_t,s0)
+ 
++/var/cache/cobbler(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+ /var/lib/cobbler(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+ 
+ /var/lib/tftpboot/etc(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 diff --git a/cobbler.if b/cobbler.if
-index c223f81..b2efe4b 100644
+index c223f81..83d5104 100644
 --- a/cobbler.if
 +++ b/cobbler.if
 @@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
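Review bot: the new `/var/cache/cobbler(/.*)?` entry reuses cobbler_var_lib_t for a cache directory, so every domain permitted to manage cobbler's /var/lib state automatically gets identical rights over the cache; if the cache is regenerable data that other domains need to touch, a dedicated type in the usual `_cache_t` style would keep the two sets of permissions separate.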
@@ -11566,11 +11611,27 @@ index c223f81..b2efe4b 100644
  ')
  
  ########################################
+@@ -199,7 +222,4 @@ interface(`cobbler_admin',`
+ 
+ 	logging_search_logs($1)
+ 	admin_pattern($1, cobbler_var_log_t)
+-
+-	apache_search_sys_content($1)
+-	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
+ ')
 diff --git a/cobbler.te b/cobbler.te
-index 2a71346..7b64dc9 100644
+index 2a71346..bf24fca 100644
 --- a/cobbler.te
 +++ b/cobbler.te
-@@ -117,9 +117,7 @@ dev_read_urand(cobblerd_t)
+@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
++files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
+ 
+ append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+@@ -117,9 +118,7 @@ dev_read_urand(cobblerd_t)
  files_list_boot(cobblerd_t)
  files_list_tmp(cobblerd_t)
  files_read_boot_files(cobblerd_t)
@@ -11580,7 +11641,7 @@ index 2a71346..7b64dc9 100644
  
  fs_getattr_all_fs(cobblerd_t)
  fs_read_iso9660_files(cobblerd_t)
-@@ -193,12 +191,11 @@ optional_policy(`
+@@ -193,12 +192,11 @@ optional_policy(`
  
  optional_policy(`
  	rsync_read_config(cobblerd_t)
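Review bot: removing `apache_search_sys_content($1)` and the `admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })` line from cobbler_admin silently drops the admin role's ability to manage cobbler's web content, and cobbler is not mentioned in the changelog; either explain why (types moved or no longer declared) or keep the lines. On the cobbler.te side, `files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")` keys on the name only, so it fires for a directory named cobbler created by cobblerd under any var_t parent, not just /var/cache; that is wider than the fc entry it pairs with, which is worth remembering when reading AVCs.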
@@ -17866,7 +17927,7 @@ index afcf3a2..0730306 100644
 +	dontaudit system_bus_type $1:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..5e0bf2f 100644
+index 2c2e7e1..78bbb7d 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -1,20 +1,18 @@
@@ -17914,7 +17975,7 @@ index 2c2e7e1..5e0bf2f 100644
  
  ifdef(`enable_mcs',`
  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,57 @@ ifdef(`enable_mls',`
+@@ -51,59 +47,58 @@ ifdef(`enable_mls',`
  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -17927,6 +17988,7 @@ index 2c2e7e1..5e0bf2f 100644
  
 +# dac_override: /var/run/dbus is owned by messagebus on Debian
 +# cjp: dac_override should probably go in a distro_debian
++allow system_dbusd_t self:capability2 block_suspend;
  allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
  dontaudit system_dbusd_t self:capability sys_tty_config;
  allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
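Review bot: `+allow system_dbusd_t self:capability2 block_suspend;` is inserted between the `# dac_override: ...` comment and the capability rule that comment explains, so the comment now reads as if it were about block_suspend; move the new line below the `allow system_dbusd_t self:capability { ... }` rule. The changelog wording ("system dbus seems to be blocking suspend") is tentative; record the actual AVC (CAP_BLOCK_SUSPEND is checked when a process requests EPOLLWAKEUP or writes a wake lock), so a later reader knows the rule is needed rather than speculative.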
@@ -17990,7 +18052,7 @@ index 2c2e7e1..5e0bf2f 100644
  mls_fd_use_all_levels(system_dbusd_t)
  mls_rangetrans_target(system_dbusd_t)
  mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +117,155 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +118,155 @@ term_dontaudit_use_console(system_dbusd_t)
  auth_use_nsswitch(system_dbusd_t)
  auth_read_pam_console_data(system_dbusd_t)
  
@@ -18160,7 +18222,7 @@ index 2c2e7e1..5e0bf2f 100644
  kernel_read_kernel_sysctls(session_bus_type)
  
  corecmd_list_bin(session_bus_type)
-@@ -191,23 +274,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +275,18 @@ corecmd_read_bin_files(session_bus_type)
  corecmd_read_bin_pipes(session_bus_type)
  corecmd_read_bin_sockets(session_bus_type)
  
@@ -18185,7 +18247,7 @@ index 2c2e7e1..5e0bf2f 100644
  files_dontaudit_search_var(session_bus_type)
  
  fs_getattr_romfs(session_bus_type)
-@@ -215,7 +293,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +294,6 @@ fs_getattr_xattr_fs(session_bus_type)
  fs_list_inotifyfs(session_bus_type)
  fs_dontaudit_list_nfs(session_bus_type)
  
@@ -18193,7 +18255,7 @@ index 2c2e7e1..5e0bf2f 100644
  selinux_validate_context(session_bus_type)
  selinux_compute_access_vector(session_bus_type)
  selinux_compute_create_context(session_bus_type)
-@@ -225,18 +302,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +303,36 @@ selinux_compute_user_contexts(session_bus_type)
  auth_read_pam_console_data(session_bus_type)
  
  logging_send_audit_msgs(session_bus_type)
@@ -18235,7 +18297,7 @@ index 2c2e7e1..5e0bf2f 100644
  ')
  
  ########################################
-@@ -244,5 +339,6 @@ optional_policy(`
+@@ -244,5 +340,6 @@ optional_policy(`
  # Unconfined access to this module
  #
  
@@ -19308,7 +19370,7 @@ index b3b2188..5f91705 100644
  miscfiles_read_localization(dirmngr_t)
 diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
 new file mode 100644
-index 0000000..fdf5675
+index 0000000..8c44697
 --- /dev/null
 +++ b/dirsrv-admin.fc
 @@ -0,0 +1,15 @@
@@ -19326,13 +19388,13 @@ index 0000000..fdf5675
 +/usr/lib/dirsrv/cgi-bin/ds_create    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
 +/usr/lib/dirsrv/cgi-bin/ds_remove    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
 +
-+/var/lock/subsys/dirsrv      --  gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
++/var/lock/subsys/dirsrv-admin      --  gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
 diff --git a/dirsrv-admin.if b/dirsrv-admin.if
 new file mode 100644
-index 0000000..332a1c9
+index 0000000..30416f2
 --- /dev/null
 +++ b/dirsrv-admin.if
-@@ -0,0 +1,134 @@
+@@ -0,0 +1,133 @@
 +## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
 +
 +########################################
@@ -19465,14 +19527,13 @@ index 0000000..332a1c9
 +
 +   domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
 +   allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
-+
 +')
 diff --git a/dirsrv-admin.te b/dirsrv-admin.te
 new file mode 100644
-index 0000000..35455bf
+index 0000000..021c5ae
 --- /dev/null
 +++ b/dirsrv-admin.te
-@@ -0,0 +1,156 @@
+@@ -0,0 +1,157 @@
 +policy_module(dirsrv-admin,1.0.0) 
 +
 +########################################
@@ -19629,6 +19690,7 @@ index 0000000..35455bf
 +   unconfined_domain(dirsrvadmin_unconfined_script_t)
 +')
 +
++
 diff --git a/dirsrv.fc b/dirsrv.fc
 new file mode 100644
 index 0000000..0ea1ebb
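Review bot: the extra `++` line at the end of dirsrv-admin.te adds a trailing blank line at EOF (the new-file hunk header grows from 156 to 157 lines for nothing); drop it, especially since this same commit removes exactly such a stray blank line from dirsrv.te further down.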
@@ -19874,10 +19936,10 @@ index 0000000..b214253
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 0000000..8cf8ddd
+index 0000000..1a57396
 --- /dev/null
 +++ b/dirsrv.te
-@@ -0,0 +1,194 @@
+@@ -0,0 +1,193 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@@ -20008,7 +20070,6 @@ index 0000000..8cf8ddd
 +	dirsrvadmin_read_tmp(dirsrv_t)
 +')
 +
-+
 +optional_policy(`
 +	kerberos_use(dirsrv_t)
 +	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
@@ -20911,7 +20972,7 @@ index dbcac59..66d42bb 100644
 +	admin_pattern($1, dovecot_passwd_t)
  ')
 diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..d16e5e8 100644
+index a7bfaf0..93e583c 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -1,4 +1,4 @@
@@ -21098,7 +21159,7 @@ index a7bfaf0..d16e5e8 100644
  
  init_getattr_utmp(dovecot_t)
  
-@@ -166,36 +160,29 @@ auth_use_nsswitch(dovecot_t)
+@@ -166,44 +160,42 @@ auth_use_nsswitch(dovecot_t)
  
  miscfiles_read_generic_certs(dovecot_t)
  
@@ -21111,12 +21172,6 @@ index a7bfaf0..d16e5e8 100644
 -	fs_manage_nfs_files(dovecot_t)
 -	fs_manage_nfs_symlinks(dovecot_t)
 -')
--
--tunable_policy(`use_samba_home_dirs',`
--	fs_manage_cifs_dirs(dovecot_t)
--	fs_manage_cifs_files(dovecot_t)
--	fs_manage_cifs_symlinks(dovecot_t)
--')
 +userdom_home_manager(dovecot_t)
 +userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
 +userdom_manage_user_home_content_dirs(dovecot_t)
@@ -21126,12 +21181,20 @@ index a7bfaf0..d16e5e8 100644
 +userdom_manage_user_home_content_sockets(dovecot_t)
 +userdom_filetrans_home_content(dovecot_t)
  
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(dovecot_t)
+-	fs_manage_cifs_files(dovecot_t)
+-	fs_manage_cifs_symlinks(dovecot_t)
++optional_policy(`
++	mta_manage_home_rw(dovecot_t)
++	mta_manage_spool(dovecot_t)
+ ')
+ 
  optional_policy(`
--	kerberos_keytab_template(dovecot, dovecot_t)
+ 	kerberos_keytab_template(dovecot, dovecot_t)
 -	kerberos_manage_host_rcache(dovecot_t)
 -	kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
-+	mta_manage_home_rw(dovecot_t)
-+	mta_manage_spool(dovecot_t)
++	kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
  ')
  
  optional_policy(`
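Review bot: keeping the upstream `kerberos_keytab_template(dovecot, dovecot_t)` line is the right fix; the earlier revision of this patch replaced it with `kerberos_keytab_template(dovecot_t, dovecot_t)` (visible in the next hunk), passing a type where the template expects a prefix. The companion `kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")` drops the `file` class argument that the upstream call carried, which only builds if the interface signature in kerberos.if changed in the same series; the kerberos.if hunk for that interface is renumbered here but its body is not shown, so please double-check the argument count against the interface.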
@@ -21139,24 +21202,22 @@ index a7bfaf0..d16e5e8 100644
 -	mta_manage_mail_home_rw_content(dovecot_t)
 -	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
 -	mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
-+	kerberos_keytab_template(dovecot_t, dovecot_t)
-+	kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
++	gnome_manage_data(dovecot_t)
  ')
  
  optional_policy(`
 -	postgresql_stream_connect(dovecot_t)
-+	gnome_manage_data(dovecot_t)
++	postfix_manage_private_sockets(dovecot_t)
++	postfix_search_spool(dovecot_t)
  ')
  
  optional_policy(`
-@@ -204,6 +191,11 @@ optional_policy(`
+-	postfix_manage_private_sockets(dovecot_t)
+-	postfix_search_spool(dovecot_t)
++	postgresql_stream_connect(dovecot_t)
  ')
  
  optional_policy(`
-+	postgresql_stream_connect(dovecot_t)
-+')
-+
-+optional_policy(`
 +	# Handle sieve scripts
  	sendmail_domtrans(dovecot_t)
  ')
@@ -26503,7 +26564,7 @@ index d03fd43..26023f7 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 20f726b..eb0d80a 100644
+index 20f726b..6af4e62 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -1,18 +1,36 @@
@@ -26547,7 +26608,7 @@ index 20f726b..eb0d80a 100644
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,228 @@ type gconfd_exec_t;
+@@ -29,107 +47,227 @@ type gconfd_exec_t;
  typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
  typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
  userdom_user_application_domain(gconfd_t, gconfd_exec_t)
@@ -26758,8 +26819,7 @@ index 20f726b..eb0d80a 100644
  
 -allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
 -gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
-+allow gkeyringd_domain config_home_t:dir add_entry_dir_perms;
-+allow gkeyringd_domain config_home_t:file write;
++manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)
  
 -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
 -manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
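Review bot: `manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)` is far broader than the two rules it replaces (`allow gkeyringd_domain config_home_t:dir add_entry_dir_perms;` and `allow gkeyringd_domain config_home_t:file write;`): it grants create, read, write, rename, link and unlink on every config_home_t file plus rw_dir_perms on the directories, i.e. the user's whole ~/.config tree, while the changelog only asks for creating the dbus file under the user's runtime config directory. If only that file is needed, a named file transition to a dedicated type, or at least create plus write rather than full manage, would keep the keyring daemon from being able to alter other applications' configuration.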
@@ -27890,9 +27950,18 @@ index 3226f52..68b2eb8 100644
  optional_policy(`
  	seutil_sigchld_newrole(gpm_t)
 diff --git a/gpsd.te b/gpsd.te
-index 25f09ae..2200e6d 100644
+index 25f09ae..aa94571 100644
 --- a/gpsd.te
 +++ b/gpsd.te
+@@ -28,7 +28,7 @@ files_pid_file(gpsd_var_run_t)
+ #
+ 
+ allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
+-dontaudit gpsd_t self:capability { dac_read_search dac_override };
++dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };
+ allow gpsd_t self:process { setsched signal_perms };
+ allow gpsd_t self:shm create_shm_perms;
+ allow gpsd_t self:unix_dgram_socket sendto;
 @@ -62,13 +62,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
  
  term_use_unallocated_ttys(gpsd_t)
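Review bot: adding sys_ptrace to the dontaudit set is consistent with the existing `domain_dontaudit_read_all_domains_state(gpsd_t)` shown in the following hunk header: reads of other processes' /proc entries are what usually trigger a sys_ptrace capability check from a daemon, so suppressing the record rather than granting the capability is the right choice when gpsd does not actually need it. Bear in mind that the dontaudit also hides any future genuine ptrace attempt from a compromised gpsd; if that signal matters, leave it auditable.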
@@ -30494,7 +30563,7 @@ index 4fe75fd..8c702c9 100644
 +/var/tmp/ldap_487		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/ldap_55		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/kerberos.if b/kerberos.if
-index f9de9fc..138e1e2 100644
+index f9de9fc..11e6268 100644
 --- a/kerberos.if
 +++ b/kerberos.if
 @@ -1,27 +1,29 @@
@@ -30571,7 +30640,7 @@ index f9de9fc..138e1e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -69,45 +69,43 @@ interface(`kerberos_domtrans_kpropd',`
+@@ -69,45 +69,44 @@ interface(`kerberos_domtrans_kpropd',`
  #
  interface(`kerberos_use',`
  	gen_require(`
@@ -30594,6 +30663,7 @@ index f9de9fc..138e1e2 100644
 -
  	selinux_dontaudit_validate_context($1)
 -	seutil_dontaudit_read_file_contexts($1)
++	seutil_read_file_contexts($1)
  
 -	tunable_policy(`allow_kerberos',`
 +	tunable_policy(`kerberos_enabled',`
@@ -30631,7 +30701,7 @@ index f9de9fc..138e1e2 100644
  			pcscd_stream_connect($1)
  		')
  	')
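Review bot: `+	seutil_read_file_contexts($1)` turns what upstream had as a dontaudit (`-	seutil_dontaudit_read_file_contexts($1)`) into a positive allow for every caller of kerberos_use, which is a large set of domains; if the Kerberos libraries genuinely read file_contexts, say so in the changelog, otherwise the dontaudit was the safer default. Either way the neighbouring `selinux_dontaudit_validate_context($1)` is still a dontaudit, so the two SELinux-related accesses are now treated inconsistently.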
-@@ -119,7 +117,7 @@ interface(`kerberos_use',`
+@@ -119,7 +118,7 @@ interface(`kerberos_use',`
  
  ########################################
  ## <summary>
@@ -30640,7 +30710,7 @@ index f9de9fc..138e1e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -135,15 +133,13 @@ interface(`kerberos_read_config',`
+@@ -135,15 +134,13 @@ interface(`kerberos_read_config',`
  
  	files_search_etc($1)
  	allow $1 krb5_conf_t:file read_file_perms;
@@ -30658,7 +30728,7 @@ index f9de9fc..138e1e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -156,13 +152,12 @@ interface(`kerberos_dontaudit_write_config',`
+@@ -156,13 +153,12 @@ interface(`kerberos_dontaudit_write_config',`
  		type krb5_conf_t;
  	')
  
@@ -30674,7 +30744,7 @@ index f9de9fc..138e1e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -182,75 +177,7 @@ interface(`kerberos_rw_config',`
+@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',`
  
  ########################################
  ## <summary>
@@ -30751,7 +30821,7 @@ index f9de9fc..138e1e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -270,7 +197,7 @@ interface(`kerberos_read_keytab',`
+@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',`
  
  ########################################
  ## <summary>
@@ -30760,7 +30830,7 @@ index f9de9fc..138e1e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -289,40 +216,13 @@ interface(`kerberos_rw_keytab',`
+@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',`
  
  ########################################
  ## <summary>
@@ -30802,7 +30872,7 @@ index f9de9fc..138e1e2 100644
  ## <param name="name" optional="true">
  ##	<summary>
  ##	The name of the object being created.
-@@ -334,13 +234,13 @@ interface(`kerberos_etc_filetrans_keytab',`
+@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',`
  		type krb5_keytab_t;
  	')
  
@@ -30819,7 +30889,7 @@ index f9de9fc..138e1e2 100644
  ## </summary>
  ## <param name="prefix">
  ##	<summary>
-@@ -354,21 +254,15 @@ interface(`kerberos_etc_filetrans_keytab',`
+@@ -354,21 +255,15 @@ interface(`kerberos_etc_filetrans_keytab',`
  ## </param>
  #
  template(`kerberos_keytab_template',`
@@ -30846,7 +30916,7 @@ index f9de9fc..138e1e2 100644
  
  	kerberos_read_keytab($2)
  	kerberos_use($2)
-@@ -376,7 +270,7 @@ template(`kerberos_keytab_template',`
+@@ -376,7 +271,7 @@ template(`kerberos_keytab_template',`
  
  ########################################
  ## <summary>
@@ -30855,7 +30925,7 @@ index f9de9fc..138e1e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -396,8 +290,7 @@ interface(`kerberos_read_kdc_config',`
+@@ -396,8 +291,7 @@ interface(`kerberos_read_kdc_config',`
  
  ########################################
  ## <summary>
@@ -30865,7 +30935,7 @@ index f9de9fc..138e1e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -411,34 +304,99 @@ interface(`kerberos_manage_host_rcache',`
+@@ -411,34 +305,99 @@ interface(`kerberos_manage_host_rcache',`
  		type krb5_host_rcache_t;
  	')
  
@@ -30973,7 +31043,7 @@ index f9de9fc..138e1e2 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -452,12 +410,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -452,12 +411,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
  		type krb5_host_rcache_t;
  	')
  
@@ -30989,7 +31059,7 @@ index f9de9fc..138e1e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -465,82 +424,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -465,82 +425,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
  ##	</summary>
  ## </param>
  #
@@ -31470,17 +31540,16 @@ index 3465a9a..353c4ce 100644
  
  sysnet_dns_name_resolve(kpropd_t)
 diff --git a/kerneloops.if b/kerneloops.if
-index 714448f..656a998 100644
+index 714448f..fa0c994 100644
 --- a/kerneloops.if
 +++ b/kerneloops.if
-@@ -101,13 +101,17 @@ interface(`kerneloops_manage_tmp_files',`
+@@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',`
  #
  interface(`kerneloops_admin',`
  	gen_require(`
 -		type kerneloops_t, kerneloops_initrc_exec_t;
 -		type kerneloops_tmp_t;
 +		type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
-+		type kerneloops_initrc_exec_t;
  	')
  
 -	allow $1 kerneloops_t:process { ptrace signal_perms };
@@ -31952,7 +32021,7 @@ index e736c45..4b1e1e4 100644
  
  /var/log/ksmtuned.*	gen_context(system_u:object_r:ksmtuned_log_t,s0)
 diff --git a/ksmtuned.if b/ksmtuned.if
-index c530214..a3984cb 100644
+index c530214..eadf7e0 100644
 --- a/ksmtuned.if
 +++ b/ksmtuned.if
 @@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',`
@@ -31985,13 +32054,14 @@ index c530214..a3984cb 100644
  ########################################
  ## <summary>
  ##	All of the rules required to
-@@ -57,21 +80,25 @@ interface(`ksmtuned_initrc_domtrans',`
+@@ -57,21 +80,26 @@ interface(`ksmtuned_initrc_domtrans',`
  #
  interface(`ksmtuned_admin',`
  	gen_require(`
 -		type ksmtuned_t, ksmtuned_var_run_t;
 -		type ksmtuned_initrc_exec_t, ksmtuned_log_t;
 +		type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t;
++		type ksmtuned_log_t;
  	')
  
 -	ksmtuned_initrc_domtrans($1)
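Review bot: the added `type ksmtuned_log_t;` restores a type the earlier consolidated gen_require had dropped; if the body of ksmtuned_admin (not shown here) still references ksmtuned_log_t, the previous revision would not have built. Style-wise, fold it into the preceding `type ksmtuned_t, ksmtuned_var_run_t, ...` line rather than keeping a second declaration.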
@@ -32947,7 +33017,7 @@ index e354181..c6b2383 100644
  
  ########################################
 diff --git a/livecd.te b/livecd.te
-index 33f64b5..dcffc00 100644
+index 33f64b5..a920c08 100644
 --- a/livecd.te
 +++ b/livecd.te
 @@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t)
@@ -32964,14 +33034,18 @@ index 33f64b5..dcffc00 100644
  
  manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
  manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
-@@ -35,12 +37,13 @@ sysnet_etc_filetrans_config(livecd_t)
+@@ -35,12 +37,17 @@ sysnet_etc_filetrans_config(livecd_t)
  optional_policy(`
  	hal_dbus_chat(livecd_t)
  ')
 +
++optional_policy(`
++    mount_run(livecd_t, livecd_roles)
++')
++
  optional_policy(`
 -	mount_run(livecd_t, livecd_roles)
-+    mount_run(livecd_t, livecd_roles)
++	rpm_transition_script(livecd_t)
  ')
  
  optional_policy(`
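Review bot: the new `rpm_transition_script(livecd_t)` block uses a tab while the mount_run block immediately above it, which this same hunk re-indents, uses four spaces (`+    mount_run(livecd_t, livecd_roles)`); use the file's tab convention for both. livecd is also absent from the changelog, so please note why the live image builder needs to transition rpm scriptlets.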
@@ -33070,6 +33144,36 @@ index 6cbb977..bd5406a 100644
  userdom_list_user_home_content(loadkeys_t)
  
  ifdef(`hide_broken_symptoms',`
+diff --git a/lockdev.if b/lockdev.if
+index 4313b8b..cd1435c 100644
+--- a/lockdev.if
++++ b/lockdev.if
+@@ -1,5 +1,25 @@
+ ## <summary>Library for locking devices.</summary>
+ 
++#######################################
++## <summary>
++##  Create, read, write, and delete
++##  lockdev lock files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`lockdev_manage_files',`
++    gen_require(`
++            type lockdev_lock_t;
++    ')
++
++    files_search_var_lib($1)
++    manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Role access for lockdev.
 diff --git a/lockdev.te b/lockdev.te
 index db87831..30bfb76 100644
 --- a/lockdev.te
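Review bot: lockdev_manage_files() calls `files_search_var_lib($1)`, but the interface summary describes lockdev lock files and the type is lockdev_lock_t, which a lock-file type would normally keep under /var/lock; if that is where lockdev.fc places them, callers such as mgetty will still be denied search on the lock directory and need `files_search_locks($1)` instead (lockdev.fc is not part of this diff, so please verify). The commit title says "Fix lockdev_manage_files()" while the changelog also lists "Add lockdev_manage_files()" and this hunk adds the whole interface, so only one of the two entries applies. Indentation inside the new interface uses spaces where the file uses tabs, e.g. `##	Role access for lockdev.`.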
@@ -36354,7 +36458,7 @@ index 4462c0e..84944d1 100644
  
  userdom_dontaudit_use_unpriv_user_fds(monopd_t)
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..18e3a70 100644
+index 6ffaba2..90fd526 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
 @@ -1,38 +1,63 @@
@@ -36380,7 +36484,7 @@ index 6ffaba2..18e3a70 100644
 +HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.cache\mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.cache/mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.thunderbird(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/POkemon.*(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
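Review bot: the regex change from `\.cache\mozilla` to `\.cache/mozilla` is a real fix: in the old spec `\m` is a backslash-escaped literal m with no path separator, so the pattern could never match a real ~/.cache/mozilla path and the profile cache kept the generic home-content label. A `matchpathcon ~/.cache/mozilla` before and after the rebuild makes a cheap regression check.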
@@ -37171,7 +37275,7 @@ index 6194b80..116d9d2 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..c2bf3d9 100644
+index 6a306ee..3ac5d92 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -37602,7 +37706,7 @@ index 6a306ee..c2bf3d9 100644
  ')
  
  optional_policy(`
-@@ -300,221 +309,173 @@ optional_policy(`
+@@ -300,221 +309,174 @@ optional_policy(`
  
  ########################################
  #
@@ -37777,6 +37881,7 @@ index 6a306ee..c2bf3d9 100644
 +corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
 +corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
 +corenet_tcp_connect_monopd_port(mozilla_plugin_t)
++corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
 +corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
 +corenet_tcp_bind_generic_node(mozilla_plugin_t)
 +corenet_udp_bind_generic_node(mozilla_plugin_t)
@@ -37918,7 +38023,7 @@ index 6a306ee..c2bf3d9 100644
  ')
  
  optional_policy(`
-@@ -523,36 +484,47 @@ optional_policy(`
+@@ -523,36 +485,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37979,7 +38084,7 @@ index 6a306ee..c2bf3d9 100644
  ')
  
  optional_policy(`
-@@ -560,7 +532,7 @@ optional_policy(`
+@@ -560,7 +533,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37988,7 +38093,7 @@ index 6a306ee..c2bf3d9 100644
  ')
  
  optional_policy(`
-@@ -568,108 +540,109 @@ optional_policy(`
+@@ -568,108 +541,109 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38214,7 +38319,7 @@ index 5fa77c7..2e01c7d 100644
  	domain_system_change_exemption($1)
  	role_transition $2 mpd_initrc_exec_t system_r;
 diff --git a/mpd.te b/mpd.te
-index 7c8afcc..0f46305 100644
+index 7c8afcc..97f2b6f 100644
 --- a/mpd.te
 +++ b/mpd.te
 @@ -62,6 +62,9 @@ files_type(mpd_var_lib_t)
@@ -38255,15 +38360,18 @@ index 7c8afcc..0f46305 100644
  corenet_all_recvfrom_netlabel(mpd_t)
  corenet_tcp_sendrecv_generic_if(mpd_t)
  corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -139,7 +148,6 @@ dev_read_sound(mpd_t)
+@@ -139,9 +148,9 @@ dev_read_sound(mpd_t)
  dev_write_sound(mpd_t)
  dev_read_sysfs(mpd_t)
  
 -files_read_usr_files(mpd_t)
  
  fs_getattr_all_fs(mpd_t)
++fs_getattr_all_dirs(mpd_t)
  fs_list_inotifyfs(mpd_t)
-@@ -150,7 +158,9 @@ auth_use_nsswitch(mpd_t)
+ fs_rw_anon_inodefs_files(mpd_t)
+ fs_search_auto_mountpoints(mpd_t)
+@@ -150,7 +159,9 @@ auth_use_nsswitch(mpd_t)
  
  logging_send_syslog_msg(mpd_t)
  
@@ -38274,7 +38382,7 @@ index 7c8afcc..0f46305 100644
  
  tunable_policy(`mpd_enable_homedirs',`
  	userdom_search_user_home_dirs(mpd_t)
-@@ -199,6 +209,16 @@ optional_policy(`
+@@ -199,6 +210,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38424,10 +38532,10 @@ index c97c177..9411154 100644
  netutils_domtrans_ping(mrtg_t)
  
 diff --git a/mta.fc b/mta.fc
-index f42896c..8654c3c 100644
+index f42896c..cb2791a 100644
 --- a/mta.fc
 +++ b/mta.fc
-@@ -2,33 +2,42 @@ HOME_DIR/\.esmtp_queue	--	gen_context(system_u:object_r:mail_home_t,s0)
+@@ -2,33 +2,43 @@ HOME_DIR/\.esmtp_queue	--	gen_context(system_u:object_r:mail_home_t,s0)
  HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
  HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
  HOME_DIR/\.mailrc	--	gen_context(system_u:object_r:mail_home_t,s0)
@@ -38447,6 +38555,9 @@ index f42896c..8654c3c 100644
 +/etc/mail(/.*)?			gen_context(system_u:object_r:etc_mail_t,s0)
  /etc/mail/aliases.*	--	gen_context(system_u:object_r:etc_aliases_t,s0)
 -/etc/postfix/aliases.*	--	gen_context(system_u:object_r:etc_aliases_t,s0)
+-
+-/usr/bin/esmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
++/etc/mail/.*\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
 +ifdef(`distro_redhat',`
 +/etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
 +')
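Review bot: `/etc/mail/.*\.db -- etc_aliases_t` is broader than the aliases database it appears intended for: every .db file under /etc/mail (including files in subdirectories, since `.*` also matches `/`) gets etc_aliases_t instead of the etc_mail_t assigned by the `/etc/mail(/.*)?` entry just above. If only the aliases map needs this label, anchor the pattern on its name the way the existing `/etc/mail/aliases.*` line does; otherwise state in the changelog that all sendmail map databases become etc_aliases_t.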
@@ -38456,8 +38567,7 @@ index f42896c..8654c3c 100644
 +/root/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 +/root/\.mailrc		--	gen_context(system_u:object_r:mail_home_t,s0)
 +/root/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
- 
--/usr/bin/esmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
++
 +/usr/bin/esmtp		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
  /usr/bin/mail(x)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  
@@ -41796,7 +41906,7 @@ index 0000000..90129ac
 +	mysql_tcp_connect(httpd_mythtv_script_t)
 +')
 diff --git a/nagios.fc b/nagios.fc
-index d78dfc3..d80b4db 100644
+index d78dfc3..9590368 100644
 --- a/nagios.fc
 +++ b/nagios.fc
 @@ -1,88 +1,93 @@
@@ -41926,14 +42036,15 @@ index d78dfc3..d80b4db 100644
  /usr/lib/nagios/plugins/check_snmp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_ssh	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_ups	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-
+-/usr/lib/nagios/plugins/check_by_ssh	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
 +/usr/lib/nagios/plugins/check_ssh		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 +/usr/lib/nagios/plugins/check_ups		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
  
-+# unconfined plugins
- /usr/lib/nagios/plugins/check_by_ssh	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
- 
 -/usr/lib/pnp4nagios(/.*)?	gen_context(system_u:object_r:nagios_var_lib_t,s0)
--
++# label all nagios plugin as unconfined by default
++/usr/lib/nagios/plugins/.*	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+ 
 -/var/log/nagios(/.*)?	gen_context(system_u:object_r:nagios_log_t,s0)
 -/var/log/netsaint(/.*)?	gen_context(system_u:object_r:nagios_log_t,s0)
 -
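Review bot: the new catch-all `/usr/lib/nagios/plugins/.* -- nagios_unconfined_plugin_exec_t` makes unconfined the default for any plugin that lacks a more specific entry (and, because `.*` matches `/`, for files in subdirectories too). That is a deliberate weakening of the default label and deserves an explicit changelog line beyond "Fix labeling for nagios plugins". Minor: "plugin" in the comment should be "plugins".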
@@ -62916,10 +63027,20 @@ index 951db7f..6d6ec1d 100644
 +	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..fd31eb5 100644
+index 2c1730b..d75003d 100644
 --- a/raid.te
 +++ b/raid.te
-@@ -25,8 +25,8 @@ dev_associate(mdadm_var_run_t)
+@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
+ type mdadm_initrc_exec_t;
+ init_script_file(mdadm_initrc_exec_t)
+ 
++type mdadm_tmp_t;
++files_tmpfs_file(mdadm_tmp_t)
++
+ type mdadm_var_run_t alias mdadm_map_t;
+ files_pid_file(mdadm_var_run_t)
+ dev_associate(mdadm_var_run_t)
+@@ -25,23 +28,28 @@ dev_associate(mdadm_var_run_t)
  #
  
  allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
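Review bot: mdadm_tmp_t is declared with files_tmpfs_file() here, but the next hunk uses it as the target of files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file), i.e. for files created under /tmp rather than on a tmpfs. For a /tmp type the declaration should be files_tmp_file(mdadm_tmp_t); as written the type lacks the tmpfile attribute that the generic /tmp handling (purge and cleanup interfaces) keys on. Also, none of the mdadm changes are listed in the commit message.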
@@ -62930,7 +63051,11 @@ index 2c1730b..fd31eb5 100644
  allow mdadm_t self:fifo_file rw_fifo_file_perms;
  allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
  
-@@ -34,14 +34,15 @@ manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
++manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
++manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
++files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
++
+ manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
  manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
  manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
  manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
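Review bot: files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file) only transitions files, while manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) two lines above grants directory management on the same type. A directory mdadm creates in /tmp will get the generic tmp label and the dir rule is dead; either add dir to the class set (`{ file dir }`) or drop the dir pattern.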
@@ -62948,7 +63073,7 @@ index 2c1730b..fd31eb5 100644
  
  corecmd_exec_bin(mdadm_t)
  corecmd_exec_shell(mdadm_t)
-@@ -51,17 +52,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
+@@ -51,17 +59,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
  dev_dontaudit_getattr_all_chr_files(mdadm_t)
  dev_read_realtime_clock(mdadm_t)
  dev_read_raw_memory(mdadm_t)
@@ -62970,7 +63095,12 @@ index 2c1730b..fd31eb5 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -74,12 +77,12 @@ storage_write_scsi_generic(mdadm_t)
+@@ -70,16 +80,17 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+ storage_manage_fixed_disk(mdadm_t)
+ storage_read_scsi_generic(mdadm_t)
+ storage_write_scsi_generic(mdadm_t)
++storage_raw_read_removable_device(mdadm_t)
+ 
  term_dontaudit_list_ptys(mdadm_t)
  term_dontaudit_use_unallocated_ttys(mdadm_t)
  
@@ -63681,7 +63811,7 @@ index bff31df..e38693b 100644
  ## <param name="domain">
  ## <summary>
 diff --git a/realmd.te b/realmd.te
-index 9a8f052..1d63c74 100644
+index 9a8f052..c558c79 100644
 --- a/realmd.te
 +++ b/realmd.te
 @@ -1,4 +1,4 @@
@@ -63690,7 +63820,7 @@ index 9a8f052..1d63c74 100644
  
  ########################################
  #
-@@ -7,43 +7,78 @@ policy_module(realmd, 1.0.2)
+@@ -7,47 +7,88 @@ policy_module(realmd, 1.0.2)
  
  type realmd_t;
  type realmd_exec_t;
@@ -63760,6 +63890,8 @@ index 9a8f052..1d63c74 100644
  
  auth_use_nsswitch(realmd_t)
  
++init_filetrans_named_content(realmd_t)
++
 +logging_manage_generic_logs(realmd_t)
  logging_send_syslog_msg(realmd_t)
  
@@ -63781,7 +63913,15 @@ index 9a8f052..1d63c74 100644
  optional_policy(`
  	dbus_system_domain(realmd_t, realmd_exec_t)
  
-@@ -63,21 +98,40 @@ optional_policy(`
+ 	optional_policy(`
++		certmonger_dbus_chat(realmd_t)
++	')
++
++	optional_policy(`
+ 		networkmanager_dbus_chat(realmd_t)
+ 	')
+ 
+@@ -63,21 +104,40 @@ optional_policy(`
  optional_policy(`
  	kerberos_use(realmd_t)
  	kerberos_rw_keytab(realmd_t)
@@ -63825,7 +63965,7 @@ index 9a8f052..1d63c74 100644
  ')
  
  optional_policy(`
-@@ -86,5 +140,27 @@ optional_policy(`
+@@ -86,5 +146,27 @@ optional_policy(`
  	sssd_manage_lib_files(realmd_t)
  	sssd_manage_public_files(realmd_t)
  	sssd_read_pid_files(realmd_t)
@@ -74446,7 +74586,7 @@ index d14b6bf..da5d41d 100644
 +/var/run/sendmail\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
 +/var/run/sm-client\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
 diff --git a/sendmail.if b/sendmail.if
-index 88e753f..e25aecc 100644
+index 88e753f..133d993 100644
 --- a/sendmail.if
 +++ b/sendmail.if
 @@ -1,4 +1,4 @@
@@ -74628,73 +74768,79 @@ index 88e753f..e25aecc 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -299,18 +281,13 @@ interface(`sendmail_domtrans_unconfined',`
- 	')
+@@ -285,58 +267,27 @@ interface(`sendmail_manage_tmp_files',`
  
- 	mta_sendmail_domtrans($1, unconfined_sendmail_t)
+ ########################################
+ ## <summary>
+-##	Execute sendmail in the unconfined sendmail domain.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed to transition.
+-##	</summary>
+-## </param>
+-#
+-interface(`sendmail_domtrans_unconfined',`
+-	gen_require(`
+-		type unconfined_sendmail_t;
+-	')
+-
+-	mta_sendmail_domtrans($1, unconfined_sendmail_t)
 -
 -	allow unconfined_sendmail_t $1:fd use;
 -	allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms;
 -	allow unconfined_sendmail_t $1:process sigchld;
- ')
- 
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
 -##	Execute sendmail in the unconfined
 -##	sendmail domain, and allow the
 -##	specified role the unconfined
 -##	sendmail domain.
-+##	Execute sendmail in the unconfined sendmail domain, and
-+##	allow the specified role the unconfined sendmail domain,
-+##	and use the caller's terminal.
++##	Set the attributes of sendmail pid files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -326,17 +303,36 @@ interface(`sendmail_domtrans_unconfined',`
+-##	Domain allowed to transition.
+-##	</summary>
+-## </param>
+-## <param name="role">
+-##	<summary>
+-##	Role allowed access.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
  #
- interface(`sendmail_run_unconfined',`
+-interface(`sendmail_run_unconfined',`
++interface(`sendmail_setattr_pid_files',`
  	gen_require(`
 -		attribute_role sendmail_unconfined_roles;
-+		type unconfined_sendmail_t;
++		type sendmail_var_run_t;
  	')
  
- 	sendmail_domtrans_unconfined($1)
+-	sendmail_domtrans_unconfined($1)
 -	roleattribute $2 sendmail_unconfined_roles;
-+	role $2 types unconfined_sendmail_t;
++	allow $1 sendmail_var_run_t:file setattr_file_perms;
++	files_search_pids($1)
  ')
  
  ########################################
  ## <summary>
 -##	All of the rules required to
 -##	administrate an sendmail environment.
-+##	Set the attributes of sendmail pid files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`sendmail_setattr_pid_files',`
-+	gen_require(`
-+		type sendmail_var_run_t;
-+	')
-+
-+	allow $1 sendmail_var_run_t:file setattr_file_perms;
-+	files_search_pids($1)
-+')
-+
-+########################################
-+## <summary>
 +##	All of the rules required to administrate
 +##	an sendmail environment
  ## </summary>
  ## <param name="domain">
  ##	<summary>
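Review bot: this hunk now deletes the public interfaces sendmail_domtrans_unconfined() and sendmail_run_unconfined() outright, where the previous version of the patch only reworded their documentation. Any module (or the base policy) still calling either interface will fail at policy build time, so please confirm there are no remaining callers and that unconfined_sendmail_t is dropped everywhere it was required; the sendmail_admin changes that follow do remove its gen_require and ptrace/signal rules, which is consistent with the removal.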
-@@ -354,12 +350,20 @@ interface(`sendmail_admin',`
+@@ -353,13 +304,17 @@ interface(`sendmail_run_unconfined',`
+ interface(`sendmail_admin',`
  	gen_require(`
  		type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
- 		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+-		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
++		type sendmail_tmp_t, sendmail_var_run_t;
 +		type mail_spool_t;
  	')
  
@@ -74704,18 +74850,14 @@ index 88e753f..e25aecc 100644
 +	ps_process_pattern($1, sendmail_t)
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 sendmail_t:process ptrace;
-+		allow $1 unconfined_sendmail_t:process ptrace;
 +	')
  
 -	init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
-+	allow $1 unconfined_sendmail_t:process signal_perms;
-+	ps_process_pattern($1, unconfined_sendmail_t)
-+
 +	sendmail_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 sendmail_initrc_exec_t system_r;
  
-@@ -372,6 +376,6 @@ interface(`sendmail_admin',`
+@@ -372,6 +327,6 @@ interface(`sendmail_admin',`
  	files_list_pids($1)
  	admin_pattern($1, sendmail_var_run_t)
  
@@ -75163,7 +75305,7 @@ index 3a9a70b..039b0c8 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..a89828e 100644
+index 49b12ae..a7c3d7c 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -1,4 +1,4 @@
@@ -75252,7 +75394,7 @@ index 49b12ae..a89828e 100644
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
-@@ -79,7 +85,6 @@ dev_getattr_mtrr_dev(setroubleshootd_t)
+@@ -79,13 +85,13 @@ dev_getattr_mtrr_dev(setroubleshootd_t)
  domain_dontaudit_search_all_domains_state(setroubleshootd_t)
  domain_signull_all_domains(setroubleshootd_t)
  
@@ -75260,7 +75402,14 @@ index 49b12ae..a89828e 100644
  files_list_all(setroubleshootd_t)
  files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
-@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t)
+ files_getattr_all_sockets(setroubleshootd_t)
+ files_read_all_symlinks(setroubleshootd_t)
+ files_read_mnt_files(setroubleshootd_t)
++files_read_var_lib_files(setroubleshootd_t)
+ 
+ fs_getattr_all_dirs(setroubleshootd_t)
+ fs_getattr_all_files(setroubleshootd_t)
+@@ -107,27 +113,24 @@ init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
  libs_exec_ld_so(setroubleshootd_t)
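Review bot: files_read_var_lib_files(setroubleshootd_t) grants read access to every generic var_lib_t file on the system, which is wider than "read var_lib_t to make email_alert working" requires. If the file email_alert reads lives under setroubleshoot's own /var/lib directory, the right fix is a file context entry so it gets setroubleshoot's own var_lib type; if it is another package's file, name it in the changelog so the broad grant is justified.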
@@ -75293,7 +75442,7 @@ index 49b12ae..a89828e 100644
  ')
  
  optional_policy(`
-@@ -135,10 +137,18 @@ optional_policy(`
+@@ -135,10 +138,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75312,7 +75461,7 @@ index 49b12ae..a89828e 100644
  	rpm_exec(setroubleshootd_t)
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
-@@ -148,15 +158,17 @@ optional_policy(`
+@@ -148,15 +159,17 @@ optional_policy(`
  
  ########################################
  #
@@ -75331,7 +75480,7 @@ index 49b12ae..a89828e 100644
  setroubleshoot_stream_connect(setroubleshoot_fixit_t)
  
  kernel_read_system_state(setroubleshoot_fixit_t)
-@@ -165,9 +177,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -165,9 +178,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  corecmd_getattr_all_executables(setroubleshoot_fixit_t)
  
@@ -75346,7 +75495,7 @@ index 49b12ae..a89828e 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +191,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +192,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
@@ -82259,7 +82408,7 @@ index 67ca5c5..a1ef2d2 100644
  
  fs_search_auto_mountpoints(timidity_t)
 diff --git a/tmpreaper.te b/tmpreaper.te
-index a4a949c..a0b1618 100644
+index a4a949c..0ac90ac 100644
 --- a/tmpreaper.te
 +++ b/tmpreaper.te
 @@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3)
@@ -82327,11 +82476,15 @@ index a4a949c..a0b1618 100644
  	apache_list_cache(tmpreaper_t)
  	apache_delete_cache_dirs(tmpreaper_t)
  	apache_delete_cache_files(tmpreaper_t)
-@@ -69,7 +78,15 @@ optional_policy(`
+@@ -69,7 +78,19 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	lpd_manage_spool(tmpreaper_t)
++    lpd_read_spool(tmpreaper_t)
++')
++
++optional_policy(`
 +	mandb_delete_cache(tmpreaper_t)
 +')
 +
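Review bot: `++    lpd_read_spool(tmpreaper_t)` is indented with four spaces while every other rule in this file (e.g. `mandb_delete_cache(tmpreaper_t)` directly below) uses a tab; please use a tab. Separately, swapping lpd_manage_spool() for lpd_read_spool() leaves tmpreaper unable to remove anything from the lpd spool, so confirm that cleaning that directory is no longer expected of it, otherwise the narrower interface will just surface as new denials.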
@@ -83072,7 +83225,7 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 7116181..a6bd365 100644
+index 7116181..ef6133e 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -83100,11 +83253,15 @@ index 7116181..a6bd365 100644
  
  read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
  exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-@@ -44,7 +49,11 @@ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
- append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
- create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
- setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+@@ -41,10 +46,12 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
+ files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
+ 
+ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+-append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+-create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+-setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
 -logging_log_filetrans(tuned_t, tuned_log_t, file)
++manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
 +logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
 +
 +manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
@@ -83113,7 +83270,7 @@ index 7116181..a6bd365 100644
  
  manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
  manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
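Review bot: replacing the append/create/setattr trio on tuned_log_t with manage_files_pattern() also hands tuned write, unlink and rename on its log files, so a compromised tuned could truncate or delete its own log. If only one permission was missing (e.g. rename for log rotation), add that single rule rather than the full manage pattern.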
-@@ -57,6 +66,7 @@ kernel_request_load_module(tuned_t)
+@@ -57,6 +64,7 @@ kernel_request_load_module(tuned_t)
  kernel_rw_kernel_sysctl(tuned_t)
  kernel_rw_hotplug_sysctls(tuned_t)
  kernel_rw_vm_sysctls(tuned_t)
@@ -83121,7 +83278,7 @@ index 7116181..a6bd365 100644
  
  corecmd_exec_bin(tuned_t)
  corecmd_exec_shell(tuned_t)
-@@ -64,31 +74,52 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +72,52 @@ corecmd_exec_shell(tuned_t)
  dev_getattr_all_blk_files(tuned_t)
  dev_getattr_all_chr_files(tuned_t)
  dev_read_urand(tuned_t)
@@ -84805,7 +84962,7 @@ index c30da4c..014e40c 100644
 +/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..a202ead 100644
+index 9dec06c..cd873d3 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -85948,7 +86105,7 @@ index 9dec06c..a202ead 100644
 -		type virt_log_t;
 +		type virtd_t, virtd_initrc_exec_t;
 +		attribute virt_domain;
-+		type virt_lxc_t;
++		type virtd_lxc_t;
 +		type virtd_unit_file_t;
  	')
  
@@ -85958,11 +86115,11 @@ index 9dec06c..a202ead 100644
 +	ps_process_pattern($1, virtd_t)
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 virtd_t:process ptrace;
-+		allow $1 virt_lxc_t:process ptrace;
++		allow $1 virtd_lxc_t:process ptrace;
 +	')
 +
-+	allow $1 virt_lxc_t:process signal_perms;
-+	ps_process_pattern($1, virt_lxc_t)
++	allow $1 virtd_lxc_t:process signal_perms;
++	ps_process_pattern($1, virtd_lxc_t)
 +
 +	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
 +	domain_system_change_exemption($1)
@@ -86454,7 +86611,7 @@ index 9dec06c..a202ead 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..f42e134 100644
+index 1f22fba..832423f 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,98 @@
@@ -86660,62 +86817,50 @@ index 1f22fba..f42e134 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -155,290 +165,125 @@ type virt_qmf_exec_t;
+@@ -155,290 +165,121 @@ type virt_qmf_exec_t;
  init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
  
  type virt_bridgehelper_t;
 -type virt_bridgehelper_exec_t;
  domain_type(virt_bridgehelper_t)
-+
-+type virt_bridgehelper_exec_t;
- domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
+-domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
 -role virt_bridgehelper_roles types virt_bridgehelper_t;
+-
+-type virtd_lxc_t;
+-type virtd_lxc_exec_t;
+-init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+ 
+-type virtd_lxc_var_run_t;
+-files_pid_file(virtd_lxc_var_run_t)
++type virt_bridgehelper_exec_t;
++domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
 +role system_r types virt_bridgehelper_t;
-+
+ 
+-type svirt_lxc_file_t;
+-files_mountpoint(svirt_lxc_file_t)
+-fs_noxattr_type(svirt_lxc_file_t)
+-term_pty(svirt_lxc_file_t)
 +# policy for qemu_ga
 +type virt_qemu_ga_t;
 +type virt_qemu_ga_exec_t;
 +init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
-+
+ 
+-virt_lxc_domain_template(svirt_lxc_net)
 +type virt_qemu_ga_var_run_t;
 +files_pid_file(virt_qemu_ga_var_run_t)
-+
-+type virt_qemu_ga_log_t;
-+logging_log_file(virt_qemu_ga_log_t)
-+
-+########################################
-+#
-+# Declarations
-+#
-+attribute svirt_lxc_domain;
- 
- type virtd_lxc_t;
- type virtd_lxc_exec_t;
- init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
  
--type virtd_lxc_var_run_t;
--files_pid_file(virtd_lxc_var_run_t)
-+type virt_lxc_var_run_t;
-+files_pid_file(virt_lxc_var_run_t)
-+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
- 
-+# virt lxc container files
- type svirt_lxc_file_t;
- files_mountpoint(svirt_lxc_file_t)
--fs_noxattr_type(svirt_lxc_file_t)
--term_pty(svirt_lxc_file_t)
--
--virt_lxc_domain_template(svirt_lxc_net)
--
 -type virsh_t;
 -type virsh_exec_t;
 -init_system_domain(virsh_t, virsh_exec_t)
++type virt_qemu_ga_log_t;
++logging_log_file(virt_qemu_ga_log_t)
  
  ########################################
  #
 -# Common virt domain local policy
-+# svirt local policy
++# Declarations
  #
++attribute svirt_lxc_domain;
  
 -allow virt_domain self:process { signal getsched signull };
 -allow virt_domain self:fifo_file rw_fifo_file_perms;
@@ -86868,47 +87013,42 @@ index 1f22fba..f42e134 100644
 -	fs_manage_dos_dirs(virt_domain)
 -	fs_manage_dos_files(virt_domain)
 -')
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-
 -optional_policy(`
 -	tunable_policy(`virt_use_xserver',`
 -		xserver_read_xdm_pid(virt_domain)
 -		xserver_stream_connect(virt_domain)
 -	')
 -')
-+corenet_udp_sendrecv_generic_if(svirt_t)
-+corenet_udp_sendrecv_generic_node(svirt_t)
-+corenet_udp_sendrecv_all_ports(svirt_t)
-+corenet_udp_bind_generic_node(svirt_t)
-+corenet_udp_bind_all_ports(svirt_t)
-+corenet_tcp_bind_all_ports(svirt_t)
-+corenet_tcp_connect_all_ports(svirt_t)
- 
+-
 -optional_policy(`
 -	dbus_read_lib_files(virt_domain)
 -')
-+miscfiles_read_generic_certs(svirt_t)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	nscd_use(virt_domain)
-+	xen_rw_image_files(svirt_t)
- ')
+-')
++type virtd_lxc_t;
++type virtd_lxc_exec_t;
++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
  
- optional_policy(`
+-optional_policy(`
 -	samba_domtrans_smbd(virt_domain)
-+	nscd_use(svirt_t)
- ')
+-')
++type virt_lxc_var_run_t;
++files_pid_file(virt_lxc_var_run_t)
++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
  
 -optional_policy(`
 -	xen_rw_image_files(virt_domain)
 -')
--
--########################################
-+#######################################
++# virt lxc container files
++type svirt_lxc_file_t;
++files_mountpoint(svirt_lxc_file_t)
+ 
+ ########################################
  #
--# svirt local policy
-+# svirt_prot_exec local policy
+ # svirt local policy
  #
  
 -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -86921,9 +87061,7 @@ index 1f22fba..f42e134 100644
 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-
 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
 -
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
@@ -86932,24 +87070,41 @@ index 1f22fba..f42e134 100644
 -corenet_udp_sendrecv_generic_node(svirt_t)
 -corenet_udp_sendrecv_all_ports(svirt_t)
 -corenet_udp_bind_generic_node(svirt_t)
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+ 
 -corenet_all_recvfrom_unlabeled(svirt_t)
 -corenet_all_recvfrom_netlabel(svirt_t)
 -corenet_tcp_sendrecv_generic_if(svirt_t)
--corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_if(svirt_t)
 -corenet_tcp_sendrecv_generic_node(svirt_t)
--corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
 -corenet_tcp_sendrecv_all_ports(svirt_t)
--corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
 -corenet_tcp_bind_generic_node(svirt_t)
--corenet_udp_bind_generic_node(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
 -
 -corenet_sendrecv_all_server_packets(svirt_t)
--corenet_udp_bind_all_ports(svirt_t)
--corenet_tcp_bind_all_ports(svirt_t)
+ corenet_udp_bind_all_ports(svirt_t)
+ corenet_tcp_bind_all_ports(svirt_t)
 -
 -corenet_sendrecv_all_client_packets(svirt_t)
--corenet_tcp_connect_all_ports(svirt_t)
+ corenet_tcp_connect_all_ports(svirt_t)
+ 
++miscfiles_read_generic_certs(svirt_t)
++
++optional_policy(`
++	nscd_use(svirt_t)
++')
++
++#######################################
++#
++# svirt_prot_exec local policy
++#
++
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
++
 +corenet_udp_sendrecv_generic_if(svirt_tcg_t)
 +corenet_udp_sendrecv_generic_node(svirt_tcg_t)
 +corenet_udp_sendrecv_all_ports(svirt_tcg_t)
@@ -86957,7 +87112,7 @@ index 1f22fba..f42e134 100644
 +corenet_udp_bind_all_ports(svirt_tcg_t)
 +corenet_tcp_bind_all_ports(svirt_tcg_t)
 +corenet_tcp_connect_all_ports(svirt_tcg_t)
- 
++
  ########################################
  #
  # virtd local policy
@@ -87023,7 +87178,7 @@ index 1f22fba..f42e134 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +293,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +289,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -87069,28 +87224,28 @@ index 1f22fba..f42e134 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +327,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +323,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
--
 -kernel_read_crypto_sysctls(virtd_t)
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +339,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +335,7 @@ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  kernel_setsched(virtd_t)
@@ -87098,7 +87253,7 @@ index 1f22fba..f42e134 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,22 +347,12 @@ corecmd_exec_shell(virtd_t)
+@@ -520,22 +343,12 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -87122,7 +87277,7 @@ index 1f22fba..f42e134 100644
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
-@@ -548,22 +365,22 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +361,22 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -87150,7 +87305,7 @@ index 1f22fba..f42e134 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +411,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +407,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -87170,7 +87325,7 @@ index 1f22fba..f42e134 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +433,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +429,24 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -87205,7 +87360,7 @@ index 1f22fba..f42e134 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +459,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +455,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -87214,7 +87369,7 @@ index 1f22fba..f42e134 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -646,107 +472,327 @@ optional_policy(`
+@@ -646,107 +468,327 @@ optional_policy(`
  	consoletype_exec(virtd_t)
  ')
  
@@ -87428,7 +87583,7 @@ index 1f22fba..f42e134 100644
 +fs_getattr_xattr_fs(virt_domain)
 +fs_getattr_tmpfs(virt_domain)
 +fs_rw_anon_inodefs_files(virt_domain)
-+fs_rw_tmpfs_files(virt_domain)
++fs_rw_inherited_tmpfs_files(virt_domain)
 +fs_getattr_hugetlbfs(virt_domain)
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
@@ -87600,7 +87755,7 @@ index 1f22fba..f42e134 100644
  
  manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +804,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +800,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -87630,7 +87785,7 @@ index 1f22fba..f42e134 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +823,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +819,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -87657,7 +87812,7 @@ index 1f22fba..f42e134 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +843,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +839,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -87689,7 +87844,7 @@ index 1f22fba..f42e134 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,6 +876,10 @@ optional_policy(`
+@@ -847,6 +872,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -87700,7 +87855,7 @@ index 1f22fba..f42e134 100644
  	rpm_exec(virsh_t)
  ')
  
-@@ -854,7 +887,7 @@ optional_policy(`
+@@ -854,7 +883,7 @@ optional_policy(`
  	xen_manage_image_dirs(virsh_t)
  	xen_append_log(virsh_t)
  	xen_domtrans(virsh_t)
@@ -87709,7 +87864,7 @@ index 1f22fba..f42e134 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,34 +912,44 @@ optional_policy(`
+@@ -879,34 +908,44 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -87763,7 +87918,7 @@ index 1f22fba..f42e134 100644
  
  manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +959,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +955,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
  allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -87781,7 +87936,7 @@ index 1f22fba..f42e134 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +981,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +977,8 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -87792,7 +87947,7 @@ index 1f22fba..f42e134 100644
  files_relabel_rootfs(virtd_lxc_t)
  files_mounton_non_security(virtd_lxc_t)
  files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +990,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +986,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
  files_list_isid_type_dirs(virtd_lxc_t)
  files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
  
@@ -87800,7 +87955,7 @@ index 1f22fba..f42e134 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1002,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +998,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -87819,7 +87974,7 @@ index 1f22fba..f42e134 100644
  
  term_use_generic_ptys(virtd_lxc_t)
  term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1016,36 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1012,36 @@ auth_use_nsswitch(virtd_lxc_t)
  
  logging_send_syslog_msg(virtd_lxc_t)
  
@@ -87864,7 +88019,7 @@ index 1f22fba..f42e134 100644
  allow svirt_lxc_domain self:fifo_file manage_file_perms;
  allow svirt_lxc_domain self:sem create_sem_perms;
  allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1053,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1049,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
  allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
  allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
  
@@ -87891,7 +88046,7 @@ index 1f22fba..f42e134 100644
  
  manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1071,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1067,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -87910,7 +88065,7 @@ index 1f22fba..f42e134 100644
  kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
  
  corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1090,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1086,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
  files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
  files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
  files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -87937,7 +88092,7 @@ index 1f22fba..f42e134 100644
  auth_dontaudit_read_login_records(svirt_lxc_domain)
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1115,90 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1111,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
  
  libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
  
@@ -87949,6 +88104,8 @@ index 1f22fba..f42e134 100644
 +systemd_read_unit_files(svirt_lxc_domain)
 +
 +userdom_use_inherited_user_terminals(svirt_lxc_domain)
++userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain)
++userdom_dontaudit_read_inherited_admin_home_files(svirt_lxc_domain)
 +
 +optional_policy(`
 +	apache_exec_modules(svirt_lxc_domain)
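Review bot: the two added dontaudit calls are inconsistent in number (`userdom_dontaudit_append_inherited_admin_home_file` vs `userdom_dontaudit_read_inherited_admin_home_files`); confirm both names are actually defined in the userdomain interface file carried by the base patch, because an undefined interface fails the policy build rather than silently doing nothing. Also note that a dontaudit only hides the AVCs produced by the file descriptor leaked into the container on entry from root; the descriptor is still inherited by the svirt_lxc_domain, so say in the commit message whether silencing is the intended fix or a stopgap until the caller closes the fd before the transition. The renumbered nested headers are consistent with this insertion (`+1115,90` becomes `+1111,92` and the three following headers shift by two).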
@@ -88073,7 +88230,7 @@ index 1f22fba..f42e134 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1211,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1209,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -88088,7 +88245,7 @@ index 1f22fba..f42e134 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1229,8 @@ optional_policy(`
+@@ -1183,9 +1227,8 @@ optional_policy(`
  
  ########################################
  #
@@ -88099,7 +88256,7 @@ index 1f22fba..f42e134 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1243,70 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1241,70 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b2df46e..e7cdbae 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 32%{?dist}
+Release: 35%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -229,8 +229,12 @@ if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
      /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
      rm -f ${FILE_CONTEXT}.pre; \
 fi; \
-/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
-/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null; \
+if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
+    continue; \
+fi; \
+if /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null;then \
+    continue; \
+fi;
 
 %define preInstall() \
 if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
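Review bot: `continue` is only meaningful inside a `for`, `while` or `until` loop; inside this `%define` scriptlet body its effect is unspecified by POSIX, and bash prints a warning, so the wrapper does not do what its shape suggests. If the goal is to keep the scriptlet from failing on a non-zero exit from `restorecon`, `/sbin/restorecon ... 2> /dev/null || :` (or `|| true`) expresses that directly, drops the two `if ...; then continue; fi` blocks, and avoids the missing space in `2> /dev/null;then`. The closing `fi;` also lacks the trailing `\` continuation every other line of the macro carries; it only works because a blank line follows, so keep it consistent with the surrounding lines.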
@@ -526,6 +530,41 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Apr 23 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-35
+- Fix lockdev_manage_files()
+- Allow setroubleshootd to read var_lib_t to make email_alert working
+- Add lockdev_manage_files()
+- Call proper interface in virt.te
+- Allow gkeyring_domain to create /var/run/UID/config/dbus file
+- system dbus seems to be blocking suspend
+- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need
+- When you enter a container from root, you generate avcs with a leaked file descriptor
+- Allow mpd getattr on file system directories
+- Make sure realmd creates content with the correct label
+- Allow systemd-tty-ask to write kmsg
+- Allow mgetty to use lockdev library for device locking
+- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
+- When you enter a container from root, you generate avcs with a leaked file descriptor
+- Make sure init.fc files are labeled correctly at creation
+- File name trans vconsole.conf
+- Fix labeling for nagios plugins
+- label shared libraries in /opt/google/chrome as testrel_shlib_t
+
+* Thu Apr 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-34
+- Allow certmonger to dbus communicate with realmd 
+- Make realmd working
+
+* Thu Apr 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-33
+- Fix mozilla specification of homedir content
+- Allow certmonger to read network state
+- Allow tmpwatch to read tmp in /var/spool/{cups,lpd}
+- Label all nagios plugin as unconfined by default
+- Add httpd_serve_cobbler_files()
+- Allow mdadm to read /dev/sr0 and create tmp files
+- Allow certwatch to send mails
+- Fix labeling for nagios plugins
+- label shared libraries in /opt/google/chrome as testrel_shlib_t
+
 * Wed Apr 17 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-32
 - Allow realmd to run ipa, really needs to be an unconfined_domain
 - Allow sandbox domains to use inherted terminals
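Review bot: the 3.12.1-35 changelog entry lists `When you enter a container from root, you generate avcs with a leaked file descriptor` twice, repeats two lines already present in the 3.12.1-33 entry (`Fix labeling for nagios plugins`, `label shared libraries in /opt/google/chrome as testrel_shlib_t`), and has a typo in `attemps`; `Fix lockdev_manage_files()` listed before `Add lockdev_manage_files()` also reads oddly. The `Allow certmonger to dbus communicate with realmd` line in the -34 entry carries trailing whitespace, which rpmlint flags. Tidy these before the entry ships in the package changelog.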
