[selinux-policy/f19] - Fixes for *_admin interfaces - Allow iscsid auto-load kernel modules needed for proper iSCSI funct
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jun 7 10:54:36 UTC 2013
commit f3ef3e394c410fdd31378cfd769738e382bb90ec
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jun 7 12:54:11 2013 +0200
- Fixes for *_admin interfaces
- Allow iscsid auto-load kernel modules needed for proper iSCSI functionality
- Need to assign attribute for courier_domain to all courier_domains
- Fail2ban reads /etc/passwd
- postfix_virtual will create new files in postfix_spool_t
- abrt triggers sys_ptrace by running pidof
- Label ~/abc as mozilla_home_t, since java apps as plugin want to create it
- Add passenger fixes needed by foreman
- Remove dup interfaces
- Add additional interfaces for quantum
- Add new interfaces for dnsmasq
- Allow passenger to read localization and send signull to itself
- Allow dnsmasq to stream connect to quantum
- Add quantum_stream_connect()
- Make sure that mcollective starts the service with the correct labeling
- Add labels for ~/.manpath
- Dontaudit attempts by svirt_t to getpw* calls
- sandbox domains are trying to look at parent process data
- Allow courier auth to create its pid file in /var/spool/courier subdir
- Add fixes for beam to have it working with couchdb
- Add labeling for /run/nm-xl2tpd.con
- Allow apache to stream connect to thin
- Add systemd support for amand
- Make public types usable for fs mount points
- Call correct mandb interface in domain.te
- Allow iptables to r/w quantum inherited pipes and send sigchld
- Allow ifconfig domtrans to iptables and execute ldconfig
- Add labels for ~/.manpath
- Allow systemd to read iscsi lib files
- seunshare is trying to look at parent process data
policy-rawhide-base.patch | 326 +++++++++++-------
policy-rawhide-contrib.patch | 753 ++++++++++++++++++++++++++++-------------
selinux-policy.spec | 39 +++-
3 files changed, 753 insertions(+), 365 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 01faa3e..35366d1 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2865,7 +2865,7 @@ index d555767..4165b4d 100644
+ stapserver_manage_lib(useradd_t)
+')
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..dcc6337 100644
+index 1dc7a85..c6f4da0 100644
--- a/policy/modules/apps/seunshare.if
+++ b/policy/modules/apps/seunshare.if
@@ -43,18 +43,18 @@ interface(`seunshare_run',`
@@ -2894,7 +2894,7 @@ index 1dc7a85..dcc6337 100644
## <param name="role">
## <summary>
## Role allowed access.
-@@ -66,15 +66,43 @@ interface(`seunshare_run',`
+@@ -66,15 +66,44 @@ interface(`seunshare_run',`
## </summary>
## </param>
#
@@ -2933,6 +2933,7 @@ index 1dc7a85..dcc6337 100644
+ ')
+
+ ps_process_pattern($3, $1_seunshare_t)
++ dontaudit $1_seunshare_t $3:file read;
+ allow $3 $1_seunshare_t:process signal_perms;
+ allow $3 $1_seunshare_t:fd use;
+
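Review bot: The added `dontaudit $1_seunshare_t $3:file read;` has no comment recording which access it is silencing, and since `$3` is a process domain here (it is the subject of `ps_process_pattern` and of the `process signal_perms` rule on the next line) a `file read` on it presumably means the caller's /proc entries, matching the commit message's "seunshare is trying to look at parent process data". A dontaudit rather than an allow is the right call, since the read stays denied and only the audit noise goes, but that intent should sit next to the rule so it is not later "fixed" into an allow: `# seunshare reads its parent's /proc/<pid> files; keep denied, just quiet`. The enclosing interface starts and ends outside the hunk.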
@@ -5537,7 +5538,7 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..3035b45 100644
+index b31c054..17e11e0 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -5571,15 +5572,25 @@ index b31c054..3035b45 100644
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -118,6 +122,7 @@
+@@ -106,6 +110,7 @@
+ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
+ /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+ /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
+@@ -118,6 +123,9 @@
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
++/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0)
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +134,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +137,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
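Review bot: The new entries `/dev/spidev.*` → `usb_device_t` and `/dev/vchiq` → `v4l_device_t` reuse existing device types for hardware that is neither USB nor video4linux, so every domain already allowed to read or write `usb_device_t` or `v4l_device_t` silently gains raw access to the SPI bus and (presumably) the VideoCore host interface behind `/dev/vchiq`. That defeats the point of per-device types; by contrast `/dev/vc-mem` → `memory_device_t` at `mls_systemhigh` is the cautious choice. Either declare dedicated types in devices.te with their own interfaces (e.g. an `spi_device_t`), or at minimum add a comment next to each line explaining why the shared type is acceptable.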
@@ -5594,7 +5605,7 @@ index b31c054..3035b45 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -198,12 +205,22 @@ ifdef(`distro_debian',`
+@@ -198,12 +208,22 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -8372,7 +8383,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..5376a48 100644
+index cf04cb5..29e6ec0 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8500,7 +8511,7 @@ index cf04cb5..5376a48 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +229,275 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +229,279 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -8521,6 +8532,10 @@ index cf04cb5..5376a48 100644
+')
+
+optional_policy(`
++ mandb_filetrans_named_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ seutil_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -15703,7 +15718,7 @@ index 7d45d15..22c9cfe 100644
+
+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..55ebf4b 100644
+index 771bce1..5bbf50b 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -15715,7 +15730,33 @@ index 771bce1..55ebf4b 100644
# When user logs in from /dev/console, relabel it
# to user tty type as well.
type_change $1 console_device_t:chr_file $2;
-@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
+@@ -133,6 +133,25 @@ interface(`term_user_tty',`
+
+ ########################################
+ ## <summary>
++## Create the /dev/pts directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`term_create_pty_dir',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:dir create_dir_perms;
++ dev_filetrans($1, devpts_t, dir, "devpts")
++')
++
++########################################
++## <summary>
+ ## Create a pty in the /dev/pts directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -208,6 +227,27 @@ interface(`term_use_all_terms',`
########################################
## <summary>
@@ -15743,7 +15784,7 @@ index 771bce1..55ebf4b 100644
## Write to the console.
## </summary>
## <param name="domain">
-@@ -274,7 +295,6 @@ interface(`term_dontaudit_read_console',`
+@@ -274,7 +314,6 @@ interface(`term_dontaudit_read_console',`
## Domain allowed access.
## </summary>
## </param>
@@ -15751,7 +15792,7 @@ index 771bce1..55ebf4b 100644
#
interface(`term_use_console',`
gen_require(`
-@@ -299,9 +319,12 @@ interface(`term_use_console',`
+@@ -299,9 +338,12 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
@@ -15765,7 +15806,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -384,6 +407,42 @@ interface(`term_getattr_pty_fs',`
+@@ -384,6 +426,42 @@ interface(`term_getattr_pty_fs',`
########################################
## <summary>
@@ -15808,7 +15849,7 @@ index 771bce1..55ebf4b 100644
## Relabel from and to pty filesystem.
## </summary>
## <param name="domain">
-@@ -481,6 +540,24 @@ interface(`term_list_ptys',`
+@@ -481,6 +559,24 @@ interface(`term_list_ptys',`
########################################
## <summary>
@@ -15833,7 +15874,7 @@ index 771bce1..55ebf4b 100644
## Do not audit attempts to read the
## /dev/pts directory.
## </summary>
-@@ -620,7 +697,7 @@ interface(`term_use_generic_ptys',`
+@@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',`
########################################
## <summary>
@@ -15842,7 +15883,7 @@ index 771bce1..55ebf4b 100644
## write the generic pty type. This is
## generally only used in the targeted policy.
## </summary>
-@@ -635,6 +712,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+@@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',`
type devpts_t;
')
@@ -15850,7 +15891,7 @@ index 771bce1..55ebf4b 100644
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
')
-@@ -879,6 +957,26 @@ interface(`term_use_all_ptys',`
+@@ -879,6 +976,26 @@ interface(`term_use_all_ptys',`
########################################
## <summary>
@@ -15877,7 +15918,7 @@ index 771bce1..55ebf4b 100644
## Do not audit attempts to read or write any ptys.
## </summary>
## <param name="domain">
-@@ -892,7 +990,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@@ -15886,7 +15927,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -912,7 +1010,7 @@ interface(`term_relabel_all_ptys',`
+@@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',`
')
dev_list_all_dev_nodes($1)
@@ -15895,7 +15936,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -940,7 +1038,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',`
## </summary>
## <param name="domain">
## <summary>
@@ -15904,7 +15945,7 @@ index 771bce1..55ebf4b 100644
## </summary>
## </param>
#
-@@ -1259,7 +1357,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -15953,7 +15994,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -1275,11 +1413,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -15967,7 +16008,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -1296,10 +1436,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -15980,7 +16021,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -1377,7 +1519,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -16009,7 +16050,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -1396,7 +1558,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -16018,7 +16059,7 @@ index 771bce1..55ebf4b 100644
')
########################################
-@@ -1504,7 +1666,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',`
## </summary>
## <param name="domain">
## <summary>
@@ -16027,7 +16068,7 @@ index 771bce1..55ebf4b 100644
## </summary>
## </param>
#
-@@ -1512,3 +1674,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1512,3 +1693,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -16957,10 +16998,10 @@ index ff92430..36740ea 100644
## <summary>
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..45f4d0a 100644
+index 88d0028..c461b2b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,80 @@ policy_module(sysadm, 2.5.1)
# Declarations
#
@@ -17032,6 +17073,7 @@ index 88d0028..45f4d0a 100644
+sysnet_filetrans_named_content(sysadm_t)
# Add/remove user home directories
++userdom_manage_user_tmp_chr_files(sysadm_t)
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
+userdom_manage_tmp_role(sysadm_r, sysadm_t)
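Review bot: `userdom_manage_user_tmp_chr_files(sysadm_t)` is inserted between the `# Add/remove user home directories` comment and the `userdom_manage_user_home_dirs(sysadm_t)` rule that comment describes, so the comment now labels an unrelated rule. Move the new line above the comment (or after the home-dir rules) and give it its own one-line reason, since the commit message does not say what needs to manage character-device nodes under user tmp, e.g. `# <tool> creates device nodes in user tmp — TODO confirm which`. The enclosing block starts and ends outside the hunk.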
@@ -17051,7 +17093,7 @@ index 88d0028..45f4d0a 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,13 +95,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +96,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t)
')
@@ -17066,7 +17108,7 @@ index 88d0028..45f4d0a 100644
domain_ptrace_all_domains(sysadm_t)
')
-@@ -71,9 +105,9 @@ optional_policy(`
+@@ -71,9 +106,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@@ -17077,7 +17119,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -87,6 +121,7 @@ optional_policy(`
+@@ -87,6 +122,7 @@ optional_policy(`
optional_policy(`
asterisk_stream_connect(sysadm_t)
@@ -17085,7 +17127,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -110,11 +145,17 @@ optional_policy(`
+@@ -110,11 +146,17 @@ optional_policy(`
')
optional_policy(`
@@ -17103,7 +17145,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -122,11 +163,19 @@ optional_policy(`
+@@ -122,11 +164,19 @@ optional_policy(`
')
optional_policy(`
@@ -17125,7 +17167,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -140,6 +189,10 @@ optional_policy(`
+@@ -140,6 +190,10 @@ optional_policy(`
')
optional_policy(`
@@ -17136,7 +17178,7 @@ index 88d0028..45f4d0a 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +209,11 @@ optional_policy(`
+@@ -156,11 +210,11 @@ optional_policy(`
')
optional_policy(`
@@ -17150,7 +17192,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -179,6 +232,13 @@ optional_policy(`
+@@ -179,6 +233,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -17164,7 +17206,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -186,15 +246,20 @@ optional_policy(`
+@@ -186,15 +247,20 @@ optional_policy(`
')
optional_policy(`
@@ -17188,7 +17230,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -214,22 +279,20 @@ optional_policy(`
+@@ -214,22 +280,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -17217,7 +17259,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -241,14 +304,27 @@ optional_policy(`
+@@ -241,14 +305,27 @@ optional_policy(`
')
optional_policy(`
@@ -17245,7 +17287,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -256,10 +332,20 @@ optional_policy(`
+@@ -256,10 +333,20 @@ optional_policy(`
')
optional_policy(`
@@ -17266,7 +17308,7 @@ index 88d0028..45f4d0a 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +356,36 @@ optional_policy(`
+@@ -270,31 +357,36 @@ optional_policy(`
')
optional_policy(`
@@ -17310,7 +17352,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -319,12 +410,18 @@ optional_policy(`
+@@ -319,12 +411,18 @@ optional_policy(`
')
optional_policy(`
@@ -17330,7 +17372,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -349,7 +446,18 @@ optional_policy(`
+@@ -349,7 +447,18 @@ optional_policy(`
')
optional_policy(`
@@ -17350,7 +17392,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -360,19 +468,15 @@ optional_policy(`
+@@ -360,19 +469,15 @@ optional_policy(`
')
optional_policy(`
@@ -17372,7 +17414,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -384,10 +488,6 @@ optional_policy(`
+@@ -384,10 +489,6 @@ optional_policy(`
')
optional_policy(`
@@ -17383,7 +17425,7 @@ index 88d0028..45f4d0a 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +495,9 @@ optional_policy(`
+@@ -395,6 +496,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -17393,7 +17435,7 @@ index 88d0028..45f4d0a 100644
')
optional_policy(`
-@@ -402,31 +505,34 @@ optional_policy(`
+@@ -402,31 +506,34 @@ optional_policy(`
')
optional_policy(`
@@ -17434,7 +17476,7 @@ index 88d0028..45f4d0a 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +545,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +546,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17445,7 +17487,7 @@ index 88d0028..45f4d0a 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +565,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +566,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -26908,7 +26950,7 @@ index 24e7804..d0780a9 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..969bda2 100644
+index dd3be8d..8cda2bb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -27095,7 +27137,7 @@ index dd3be8d..969bda2 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +222,48 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +222,49 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -27119,6 +27161,7 @@ index dd3be8d..969bda2 100644
+allow init_t security_t:security load_policy;
-term_use_all_terms(init_t)
++term_create_pty_dir(init_t)
+term_use_unallocated_ttys(init_t)
+term_use_console(init_t)
+term_use_all_inherited_terms(init_t)
@@ -27147,7 +27190,7 @@ index dd3be8d..969bda2 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +272,178 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +273,182 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -27175,9 +27218,14 @@ index dd3be8d..969bda2 100644
+
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
++ iscsi_read_lib_files(init_t)
+ ')
+
+ optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
+')
@@ -27306,14 +27354,13 @@ index dd3be8d..969bda2 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ consolekit_manage_log(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -27334,7 +27381,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -216,6 +451,27 @@ optional_policy(`
+@@ -216,6 +456,27 @@ optional_policy(`
')
optional_policy(`
@@ -27362,7 +27409,7 @@ index dd3be8d..969bda2 100644
unconfined_domain(init_t)
')
-@@ -225,8 +481,9 @@ optional_policy(`
+@@ -225,8 +486,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -27374,7 +27421,7 @@ index dd3be8d..969bda2 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +514,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +519,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -27391,7 +27438,7 @@ index dd3be8d..969bda2 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +539,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +544,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -27434,7 +27481,7 @@ index dd3be8d..969bda2 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +576,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +581,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -27446,7 +27493,7 @@ index dd3be8d..969bda2 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +588,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +593,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -27457,7 +27504,7 @@ index dd3be8d..969bda2 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +599,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +604,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -27467,7 +27514,7 @@ index dd3be8d..969bda2 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +608,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +613,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -27475,7 +27522,7 @@ index dd3be8d..969bda2 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +615,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +620,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -27483,7 +27530,7 @@ index dd3be8d..969bda2 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +623,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +628,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -27501,7 +27548,7 @@ index dd3be8d..969bda2 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +641,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +646,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -27515,7 +27562,7 @@ index dd3be8d..969bda2 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +656,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +661,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -27529,7 +27576,7 @@ index dd3be8d..969bda2 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +669,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +674,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -27537,7 +27584,7 @@ index dd3be8d..969bda2 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +681,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +686,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -27545,7 +27592,7 @@ index dd3be8d..969bda2 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +700,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +705,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -27569,7 +27616,7 @@ index dd3be8d..969bda2 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +733,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +738,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -27577,7 +27624,7 @@ index dd3be8d..969bda2 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +767,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -27588,7 +27635,7 @@ index dd3be8d..969bda2 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +791,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +796,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -27597,7 +27644,7 @@ index dd3be8d..969bda2 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +806,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +811,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -27605,7 +27652,7 @@ index dd3be8d..969bda2 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +827,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +832,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -27613,7 +27660,7 @@ index dd3be8d..969bda2 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +837,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +842,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -27658,7 +27705,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -558,14 +882,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +887,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -27690,7 +27737,7 @@ index dd3be8d..969bda2 100644
')
')
-@@ -576,6 +917,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +922,39 @@ ifdef(`distro_suse',`
')
')
@@ -27730,7 +27777,7 @@ index dd3be8d..969bda2 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +962,8 @@ optional_policy(`
+@@ -588,6 +967,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -27739,7 +27786,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -609,6 +985,7 @@ optional_policy(`
+@@ -609,6 +990,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -27747,7 +27794,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -625,6 +1002,17 @@ optional_policy(`
+@@ -625,6 +1007,17 @@ optional_policy(`
')
optional_policy(`
@@ -27765,7 +27812,7 @@ index dd3be8d..969bda2 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1029,13 @@ optional_policy(`
+@@ -641,9 +1034,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -27779,7 +27826,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -656,15 +1048,11 @@ optional_policy(`
+@@ -656,15 +1053,11 @@ optional_policy(`
')
optional_policy(`
@@ -27797,7 +27844,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -685,6 +1073,15 @@ optional_policy(`
+@@ -685,6 +1078,15 @@ optional_policy(`
')
optional_policy(`
@@ -27813,7 +27860,7 @@ index dd3be8d..969bda2 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1122,7 @@ optional_policy(`
+@@ -725,6 +1127,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -27821,7 +27868,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -742,7 +1140,14 @@ optional_policy(`
+@@ -742,7 +1145,14 @@ optional_policy(`
')
optional_policy(`
@@ -27836,7 +27883,7 @@ index dd3be8d..969bda2 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1170,10 @@ optional_policy(`
+@@ -765,6 +1175,10 @@ optional_policy(`
')
optional_policy(`
@@ -27847,7 +27894,7 @@ index dd3be8d..969bda2 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1183,20 @@ optional_policy(`
+@@ -774,10 +1188,20 @@ optional_policy(`
')
optional_policy(`
@@ -27868,7 +27915,7 @@ index dd3be8d..969bda2 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1205,10 @@ optional_policy(`
+@@ -786,6 +1210,10 @@ optional_policy(`
')
optional_policy(`
@@ -27879,7 +27926,7 @@ index dd3be8d..969bda2 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1230,6 @@ optional_policy(`
+@@ -807,8 +1235,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -27888,7 +27935,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -817,6 +1238,10 @@ optional_policy(`
+@@ -817,6 +1243,10 @@ optional_policy(`
')
optional_policy(`
@@ -27899,7 +27946,7 @@ index dd3be8d..969bda2 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1251,12 @@ optional_policy(`
+@@ -826,10 +1256,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -27912,7 +27959,7 @@ index dd3be8d..969bda2 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1283,27 @@ optional_policy(`
+@@ -856,12 +1288,27 @@ optional_policy(`
')
optional_policy(`
@@ -27941,7 +27988,7 @@ index dd3be8d..969bda2 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1313,18 @@ optional_policy(`
+@@ -871,6 +1318,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -27960,7 +28007,7 @@ index dd3be8d..969bda2 100644
')
optional_policy(`
-@@ -886,6 +1340,10 @@ optional_policy(`
+@@ -886,6 +1345,10 @@ optional_policy(`
')
optional_policy(`
@@ -27971,7 +28018,7 @@ index dd3be8d..969bda2 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1354,196 @@ optional_policy(`
+@@ -896,3 +1359,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28398,7 +28445,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..b6e9ebc 100644
+index 9e54bf9..468dc31 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28424,7 +28471,7 @@ index 9e54bf9..b6e9ebc 100644
allow ipsec_t self:fifo_file read_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+allow ipsec_t self:netlink_selinux_socket create_socket_perms;
-+allow ipsec_t self:unix_stream_socket create_stream_socket_perms;
++allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
@@ -28699,7 +28746,7 @@ index c42fbc3..174cfdb 100644
## <summary>
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..022d91d 100644
+index 5dfa44b..2502d06 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -28796,15 +28843,20 @@ index 5dfa44b..022d91d 100644
')
optional_policy(`
-@@ -124,6 +129,7 @@ optional_policy(`
+@@ -124,6 +129,12 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
+ psad_write_log(iptables_t)
++')
++
++optional_policy(`
++ quantum_rw_inherited_pipes(iptables_t)
++ quantum_sigchld(iptables_t)
')
optional_policy(`
-@@ -135,9 +141,9 @@ optional_policy(`
+@@ -135,9 +146,9 @@ optional_policy(`
')
optional_policy(`
@@ -28816,7 +28868,7 @@ index 5dfa44b..022d91d 100644
optional_policy(`
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..46439b4 100644
+index 73bb3c0..dc79c6f 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@@ -28978,7 +29030,7 @@ index 73bb3c0..46439b4 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +310,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -299,17 +310,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -29013,6 +29065,7 @@ index 73bb3c0..46439b4 100644
-/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
++/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
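Review bot: The new `/usr/lib/libbcm_host\.so` entry lacks the trailing `.*` that the surrounding textrel_shlib_t entries use, so only the exact unversioned filename is matched; if the package also ships a versioned `libbcm_host.so.N` (not visible here), that copy would keep the default library label and fail with an execmod denial. If versioned names are possible, write it as `/usr/lib/libbcm_host\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. Since each textrel_shlib_t entry widens the execmod exception, a one-line comment saying why this library needs text relocations would help later audits.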
@@ -31286,7 +31339,7 @@ index fc28bc3..2960ed7 100644
+ files_var_filetrans($1, public_content_t, dir, "ftp")
+')
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index d6293de..3225647 100644
+index d6293de..1c5e447 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2)
@@ -31297,6 +31350,18 @@ index d6293de..3225647 100644
attribute cert_type;
#
+@@ -49,9 +48,11 @@ files_type(man_cache_t)
+ #
+ type public_content_t; #, customizable;
+ files_type(public_content_t)
++files_mountpoint(public_content_t)
+
+ type public_content_rw_t; #, customizable;
+ files_type(public_content_rw_t)
++files_mountpoint(public_content_rw_t)
+
+ #
+ # Base type for the tests directory.
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 9933677..b155a0d 100644
--- a/policy/modules/system/modutils.fc
@@ -32015,7 +32080,7 @@ index 4584457..e432df3 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..ca097a7 100644
+index 6a50270..8288fd0 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@@ -32096,7 +32161,7 @@ index 6a50270..ca097a7 100644
+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
-+files_pid_filetrans(mount_t,mount_var_run_t,dir)
++files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount")
+files_var_filetrans(mount_t,mount_var_run_t,dir)
+dev_filetrans(mount_t, mount_var_run_t, dir)
+
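Review bot: The `"mount"` name added to `files_pid_filetrans` narrows the /run transition to a directory literally named mount, but the two unqualified transitions right below it, `files_var_filetrans(mount_t,mount_var_run_t,dir)` and `dev_filetrans(mount_t, mount_var_run_t, dir)`, still label any directory mount_t creates directly in /var or /dev as mount_var_run_t; if those are meant for the same runtime directory they should carry a name as well, otherwise unrelated directories end up with a pid-file type. The new line also omits the spaces after commas that the dev_filetrans line and the rest of the file use: `files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")`.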
@@ -32287,7 +32352,7 @@ index 6a50270..ca097a7 100644
')
optional_policy(`
-@@ -186,6 +262,36 @@ optional_policy(`
+@@ -186,6 +262,40 @@ optional_policy(`
')
optional_policy(`
@@ -32299,6 +32364,10 @@ index 6a50270..ca097a7 100644
+')
+
+optional_policy(`
++ fsadm_manage_pid(mount_t)
++')
++
++optional_policy(`
+ glusterd_domtrans(mount_t)
+')
+
@@ -32324,7 +32393,7 @@ index 6a50270..ca097a7 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +300,129 @@ optional_policy(`
+@@ -194,24 +304,128 @@ optional_policy(`
')
optional_policy(`
@@ -32393,16 +32462,16 @@ index 6a50270..ca097a7 100644
+optional_policy(`
+ unconfined_write_keys(mount_t)
+')
++
++optional_policy(`
++ virt_read_blk_images(mount_t)
++')
optional_policy(`
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
-+ virt_read_blk_images(mount_t)
- ')
-+
-+optional_policy(`
+ vmware_exec_host(mount_t)
-+')
+ ')
+
+######################################
+#
@@ -32460,7 +32529,6 @@ index 6a50270..ca097a7 100644
+fs_read_ecryptfs_files(mount_ecryptfs_t)
+
+auth_use_nsswitch(mount_ecryptfs_t)
-+
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
index b263a8a..9348c8c 100644
--- a/policy/modules/system/netlabel.fc
@@ -34304,7 +34372,7 @@ index 6944526..ec17624 100644
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..fda9b8a 100644
+index b7686d5..9c7aa79 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -34636,7 +34704,7 @@ index b7686d5..fda9b8a 100644
')
optional_policy(`
-@@ -339,7 +423,11 @@ optional_policy(`
+@@ -339,7 +423,15 @@ optional_policy(`
')
optional_policy(`
@@ -34645,16 +34713,24 @@ index b7686d5..fda9b8a 100644
+')
+
+optional_policy(`
++ libs_exec_ldconfig(ifconfig_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(ifconfig_t)
')
optional_policy(`
-@@ -360,3 +448,9 @@ optional_policy(`
+@@ -360,3 +452,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
+
+optional_policy(`
++ iptables_domtrans(ifconfig_t)
++')
++
++optional_policy(`
+ tunable_policy(`dhcpc_exec_iptables',`
+ iptables_domtrans(dhcpc_t)
+ ')
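Review bot: `iptables_domtrans(ifconfig_t)` is unconditional, whereas the dhcpc transition in the same hunk is gated by the `dhcpc_exec_iptables` tunable, so everything that reaches ifconfig_t can now enter the firewall-management domain without any opt-in. If ifconfig only needs this in a particular setup, gating it with a tunable in the same way, or at least a comment recording which tool drives the transition, keeps the default policy narrower.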
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index f091d89..b897fb6 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -518,7 +518,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..5e60ff3 100644
+index cc43d25..b4c749b 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -668,8 +668,9 @@ index cc43d25..5e60ff3 100644
#
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+-dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
- dontaudit abrt_t self:capability sys_rawio;
++dontaudit abrt_t self:capability { sys_rawio sys_ptrace };
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
allow abrt_t self:fifo_file rw_fifo_file_perms;
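Review bot: The new side both allows and dontaudits `sys_ptrace` for abrt_t: with `sys_ptrace` in the allow rule, the `dontaudit abrt_t self:capability { sys_rawio sys_ptrace };` line is dead for that permission, and the allow is the stronger of the two since CAP_SYS_PTRACE lets abrt_t inspect other processes' state. If the commit message's pidof trigger is only a probe that works without the capability, keeping `sys_ptrace` in the dontaudit set and dropping it from the allow is the least-privilege choice; whichever is kept, a short comment naming the trigger would help future audits.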
@@ -1883,24 +1884,41 @@ index cda6d20..fbe259e 100644
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
+diff --git a/amanda.fc b/amanda.fc
+index 7f4dfbc..4d750fa 100644
+--- a/amanda.fc
++++ b/amanda.fc
+@@ -13,6 +13,8 @@
+ /usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+ /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
++/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0)
++
+ /usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+ /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
diff --git a/amanda.te b/amanda.te
-index ed45974..46e2c0d 100644
+index ed45974..dec2fc7 100644
--- a/amanda.te
+++ b/amanda.te
-@@ -9,11 +9,10 @@ attribute_role amanda_recover_roles;
+@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
roleattribute system_r amanda_recover_roles;
type amanda_t;
+type amanda_exec_t;
type amanda_inetd_exec_t;
inetd_service_domain(amanda_t, amanda_inetd_exec_t)
++init_daemon_domain(amanda_t, amanda_exec_t)
++role system_r types amanda_t;
-type amanda_exec_t;
-domain_entry_file(amanda_t, amanda_exec_t)
++type amanda_unit_file_t;
++systemd_unit_file(amanda_unit_file_t)
type amanda_log_t;
logging_log_file(amanda_log_t)
-@@ -60,7 +59,7 @@ optional_policy(`
+@@ -60,7 +63,7 @@ optional_policy(`
#
allow amanda_t self:capability { chown dac_override setuid kill };
@@ -1909,7 +1927,7 @@ index ed45974..46e2c0d 100644
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
allow amanda_t self:tcp_socket { accept listen };
-@@ -71,6 +70,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
+@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
@@ -1917,7 +1935,7 @@ index ed45974..46e2c0d 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,7 +100,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -100,7 +104,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
@@ -1925,7 +1943,7 @@ index ed45974..46e2c0d 100644
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
corenet_tcp_sendrecv_generic_node(amanda_t)
-@@ -170,7 +169,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +173,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -1933,7 +1951,7 @@ index ed45974..46e2c0d 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +193,12 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +197,12 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
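Review bot: `role system_r types amanda_t;` duplicates what `init_daemon_domain(amanda_t, amanda_exec_t)` on the line above already performs in refpolicy, so the explicit role line can be dropped; if it is kept deliberately, a comment should say why. Less importantly, `/usr/lib/systemd/system/amanda.*` with an unescaped dot also matches names such as `amandaXYZ`; `amanda\..*` is the precise form, though the slapd entry further down uses the same loose style.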
@@ -4475,7 +4493,7 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..3a12c26 100644
+index 1a82e29..73b1638 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,360 @@
@@ -5788,7 +5806,7 @@ index 1a82e29..3a12c26 100644
seutil_sigchld_newrole(httpd_t)
')
-@@ -865,6 +1027,7 @@ optional_policy(`
+@@ -865,11 +1027,16 @@ optional_policy(`
')
optional_policy(`
@@ -5796,7 +5814,16 @@ index 1a82e29..3a12c26 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -877,65 +1040,166 @@ optional_policy(`
+
+ optional_policy(`
++ thin_stream_connect(httpd_t)
++')
++
++optional_policy(`
+ udev_read_db(httpd_t)
+ ')
+
+@@ -877,65 +1044,166 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -5862,10 +5889,11 @@ index 1a82e29..3a12c26 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache PHP script local policy
+#
+
@@ -5924,11 +5952,10 @@ index 1a82e29..3a12c26 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache suexec local policy
#
@@ -5985,7 +6012,7 @@ index 1a82e29..3a12c26 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1208,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1212,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6140,7 +6167,7 @@ index 1a82e29..3a12c26 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1292,104 @@ optional_policy(`
+@@ -1077,172 +1296,104 @@ optional_policy(`
')
')
@@ -6160,10 +6187,10 @@ index 1a82e29..3a12c26 100644
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
--
--allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
+allow httpd_sys_script_t self:process getsched;
+-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
+-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-
@@ -6321,8 +6348,7 @@ index 1a82e29..3a12c26 100644
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
@@ -6330,7 +6356,8 @@ index 1a82e29..3a12c26 100644
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -6376,7 +6403,7 @@ index 1a82e29..3a12c26 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1397,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1401,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6473,7 +6500,7 @@ index 1a82e29..3a12c26 100644
########################################
#
-@@ -1315,8 +1472,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1476,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6490,7 +6517,7 @@ index 1a82e29..3a12c26 100644
')
########################################
-@@ -1324,49 +1488,36 @@ optional_policy(`
+@@ -1324,49 +1492,36 @@ optional_policy(`
# User content local policy
#
@@ -6554,7 +6581,7 @@ index 1a82e29..3a12c26 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1527,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1531,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -8331,7 +8358,7 @@ index 16ec525..1dd4059 100644
########################################
diff --git a/blueman.te b/blueman.te
-index bc5c984..d8af68f 100644
+index bc5c984..216e900 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4)
@@ -8353,6 +8380,15 @@ index bc5c984..d8af68f 100644
allow blueman_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
+@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
+ manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
+ files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
+
+-kernel_read_net_sysctls(blueman_t)
++kernel_rw_net_sysctls(blueman_t)
+ kernel_read_system_state(blueman_t)
+ kernel_request_load_module(blueman_t)
+
@@ -41,29 +42,40 @@ corecmd_exec_bin(blueman_t)
dev_read_rand(blueman_t)
dev_read_urand(blueman_t)
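Review bot: Switching blueman_t from `kernel_read_net_sysctls` to `kernel_rw_net_sysctls` grants write access to every sysctl_net_t entry, not just the one the daemon presumably touches (the hunk does not say which). A comment on the line naming the sysctl and the feature that needs it, e.g. `# blueman writes a net sysctl when enabling network sharing -- confirm which`, would let a later reviewer judge whether the grant can be narrowed or must stay this wide.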
@@ -11437,10 +11473,10 @@ index 0000000..8ac848b
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 0000000..def8328
+index 0000000..c158ef5
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,196 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -11618,6 +11654,7 @@ index 0000000..def8328
+
+corenet_tcp_bind_generic_node(mongod_t)
+corenet_tcp_bind_mongod_port(mongod_t)
++corenet_tcp_connect_mongod_port(mongod_t)
+corenet_tcp_connect_postgresql_port(mongod_t)
+
+kernel_read_vm_sysctls(mongod_t)
@@ -13352,10 +13389,36 @@ index c086302..4f33119 100644
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
diff --git a/couchdb.if b/couchdb.if
-index 83d6744..627ab43 100644
+index 83d6744..6afc08d 100644
--- a/couchdb.if
+++ b/couchdb.if
-@@ -10,6 +10,89 @@
+@@ -2,6 +2,25 @@
+
+ ########################################
+ ## <summary>
++## Allow to read couchdb lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`couchdb_read_lib_files',`
++ gen_require(`
++ type couchdb_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an couchdb environment.
+ ## </summary>
+@@ -10,6 +29,108 @@
## Domain allowed access.
## </summary>
## </param>
@@ -13390,6 +13453,25 @@ index 83d6744..627ab43 100644
+
+########################################
+## <summary>
++## Allow to read couchdb conf files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`couchdb_read_conf_files',`
++ gen_require(`
++ type couchdb_conf_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
++')
++
++########################################
++## <summary>
+## Read couchdb PID files.
+## </summary>
+## <param name="domain">
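Review bot: `couchdb_read_conf_files` calls `files_search_var_lib($1)` before reading couchdb_conf_t, apparently copied from `couchdb_read_lib_files` above it, but a configuration type is normally labelled under /etc. If couchdb_conf_t lives there (its file context is not visible here), callers will still be denied on the parent-directory search and need `files_search_etc($1)` instead.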
@@ -13445,7 +13527,7 @@ index 83d6744..627ab43 100644
## <param name="role">
## <summary>
## Role allowed access.
-@@ -19,14 +102,19 @@
+@@ -19,14 +140,19 @@
#
interface(`couchdb_admin',`
gen_require(`
@@ -13466,7 +13548,7 @@ index 83d6744..627ab43 100644
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -46,4 +134,13 @@ interface(`couchdb_admin',`
+@@ -46,4 +172,13 @@ interface(`couchdb_admin',`
files_search_pids($1)
admin_pattern($1, couchdb_var_run_t)
@@ -13537,10 +13619,10 @@ index 8a4b596..cbecde8 100644
/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
diff --git a/courier.if b/courier.if
-index 10f820f..4040ec2 100644
+index 10f820f..acdb179 100644
--- a/courier.if
+++ b/courier.if
-@@ -1,41 +1,50 @@
+@@ -1,12 +1,12 @@
-## <summary>Courier IMAP and POP3 email servers.</summary>
+## <summary>Courier IMAP and POP3 email servers</summary>
@@ -13558,19 +13640,16 @@ index 10f820f..4040ec2 100644
## </summary>
## </param>
#
- template(`courier_domain_template',`
-- gen_require(`
-- attribute courier_domain;
-- ')
+@@ -15,7 +15,7 @@ template(`courier_domain_template',`
+ attribute courier_domain;
+ ')
- ########################################
+ ##############################
#
# Declarations
#
-
-- type courier_$1_t, courier_domain;
-+ type courier_$1_t;
+@@ -24,18 +24,30 @@ template(`courier_domain_template',`
type courier_$1_exec_t;
init_daemon_domain(courier_$1_t, courier_$1_exec_t)
@@ -13605,7 +13684,7 @@ index 10f820f..4040ec2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -48,34 +57,32 @@ interface(`courier_domtrans_authdaemon',`
+@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',`
type courier_authdaemon_t, courier_authdaemon_exec_t;
')
@@ -13650,7 +13729,7 @@ index 10f820f..4040ec2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -88,13 +95,12 @@ interface(`courier_domtrans_pop',`
+@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',`
type courier_pop_t, courier_pop_exec_t;
')
@@ -13665,7 +13744,7 @@ index 10f820f..4040ec2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -127,7 +133,7 @@ interface(`courier_manage_spool_dirs',`
+@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',`
type courier_spool_t;
')
@@ -13674,7 +13753,7 @@ index 10f820f..4040ec2 100644
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
')
-@@ -136,7 +142,7 @@ interface(`courier_manage_spool_dirs',`
+@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',`
## Create, read, write, and delete courier
## spool files.
## </summary>
@@ -13683,7 +13762,7 @@ index 10f820f..4040ec2 100644
## <summary>
## Domain allowed access.
## </summary>
-@@ -147,7 +153,7 @@ interface(`courier_manage_spool_files',`
+@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',`
type courier_spool_t;
')
@@ -13692,7 +13771,7 @@ index 10f820f..4040ec2 100644
manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
-@@ -166,13 +172,13 @@ interface(`courier_read_spool',`
+@@ -166,13 +175,13 @@ interface(`courier_read_spool',`
type courier_spool_t;
')
@@ -13708,7 +13787,7 @@ index 10f820f..4040ec2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -185,6 +191,5 @@ interface(`courier_rw_spool_pipes',`
+@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',`
type courier_spool_t;
')
@@ -13716,7 +13795,7 @@ index 10f820f..4040ec2 100644
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
')
diff --git a/courier.te b/courier.te
-index 77bb077..76b93d2 100644
+index 77bb077..5d39ee5 100644
--- a/courier.te
+++ b/courier.te
@@ -18,7 +18,7 @@ type courier_etc_t;
@@ -13752,7 +13831,15 @@ index 77bb077..76b93d2 100644
sysnet_read_config(courier_domain)
userdom_dontaudit_use_unpriv_user_fds(courier_domain)
-@@ -112,7 +107,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
+@@ -91,6 +86,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
+ create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+ manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+
++manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+ manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+
+ allow courier_authdaemon_t courier_tcpd_t:process sigchld;
+@@ -112,7 +108,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
libs_read_lib_files(courier_authdaemon_t)
@@ -13760,7 +13847,7 @@ index 77bb077..76b93d2 100644
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
-@@ -135,7 +129,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
+@@ -135,7 +130,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
@@ -13769,7 +13856,7 @@ index 77bb077..76b93d2 100644
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
-@@ -172,7 +166,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
+@@ -172,7 +167,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
dev_read_rand(courier_tcpd_t)
dev_read_urand(courier_tcpd_t)
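Review bot: `manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)` gives the authentication daemon create, write and delete rights over every file labelled courier_spool_t, which the other courier domains in this module share, while the commit message only needs its pid file in a /var/spool/courier subdirectory. A dedicated pid type with a `filetrans_pattern` on that subdirectory would confine the daemon to its own file; at minimum a comment should record why the wide rule is needed.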
@@ -16288,7 +16375,7 @@ index 949011e..afe482b 100644
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
-index 06da9a0..ca832e1 100644
+index 06da9a0..6d69a2f 100644
--- a/cups.if
+++ b/cups.if
@@ -15,6 +15,11 @@
@@ -16348,7 +16435,13 @@ index 06da9a0..ca832e1 100644
## All of the rules required to
## administrate an cups environment.
## </summary>
-@@ -329,13 +360,18 @@ interface(`cups_admin',`
+@@ -324,18 +355,23 @@ interface(`cups_stream_connect_ptal',`
+ interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
++ type cupsd_etc_t, cupsd_log_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
@@ -16371,8 +16464,13 @@ index 06da9a0..ca832e1 100644
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -353,8 +389,61 @@ interface(`cups_admin',`
+@@ -348,13 +384,63 @@ interface(`cups_admin',`
+ logging_list_logs($1)
+ admin_pattern($1, cupsd_log_t)
+- files_list_spool($1)
+- admin_pattern($1, cupsd_spool_t)
+-
files_list_tmp($1)
admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
-
@@ -20478,7 +20576,7 @@ index 23ab808..4a801b5 100644
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..b303b37 100644
+index 19aa0b8..531cf03 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
@@ -20489,7 +20587,7 @@ index 19aa0b8..b303b37 100644
interface(`dnsmasq_domtrans',`
gen_require(`
type dnsmasq_exec_t, dnsmasq_t;
-@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',`
+@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',`
domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
')
@@ -20511,10 +20609,28 @@ index 19aa0b8..b303b37 100644
+ can_exec($1, dnsmasq_exec_t)
+')
+
++########################################
++## <summary>
++## Allow read/write dnsmasq pipes
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dnsmasq_rw_inherited_pipes',`
++ gen_require(`
++ type dnsmasq_t;
++ ')
++
++ allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
########################################
## <summary>
## Execute the dnsmasq init script in
-@@ -42,6 +59,29 @@ interface(`dnsmasq_initrc_domtrans',`
+@@ -42,6 +77,48 @@ interface(`dnsmasq_initrc_domtrans',`
########################################
## <summary>
@@ -20541,10 +20657,29 @@ index 19aa0b8..b303b37 100644
+
+########################################
+## <summary>
++## Send sigchld to dnsmasq.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++#
++interface(`dnsmasq_sigchld',`
++ gen_require(`
++ type dnsmasq_t;
++ ')
++
++ allow $1 dnsmasq_t:process sigchld;
++')
++
++########################################
++## <summary>
## Send generic signals to dnsmasq.
## </summary>
## <param name="domain">
-@@ -145,12 +185,12 @@ interface(`dnsmasq_write_config',`
+@@ -145,15 +222,16 @@ interface(`dnsmasq_write_config',`
## </summary>
## </param>
#
@@ -20558,7 +20693,11 @@ index 19aa0b8..b303b37 100644
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
-@@ -176,7 +216,7 @@ interface(`dnsmasq_manage_pid_files',`
++
+ ########################################
+ ## <summary>
+ ## Create, read, write, and delete
+@@ -176,7 +254,7 @@ interface(`dnsmasq_manage_pid_files',`
########################################
## <summary>
@@ -20567,7 +20706,7 @@ index 19aa0b8..b303b37 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -184,12 +224,12 @@ interface(`dnsmasq_manage_pid_files',`
+@@ -184,12 +262,12 @@ interface(`dnsmasq_manage_pid_files',`
## </summary>
## </param>
#
@@ -20581,7 +20720,7 @@ index 19aa0b8..b303b37 100644
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
-@@ -214,37 +254,46 @@ interface(`dnsmasq_create_pid_dirs',`
+@@ -214,37 +292,46 @@ interface(`dnsmasq_create_pid_dirs',`
########################################
## <summary>
@@ -20593,22 +20732,22 @@ index 19aa0b8..b303b37 100644
## <param name="domain">
## <summary>
-## Domain allowed access.
-+## Domain allowed access.
- ## </summary>
- ## </param>
+-## </summary>
+-## </param>
-## <param name="file_type">
-+## <param name="private type">
- ## <summary>
+-## <summary>
-## Directory to transition on.
-## </summary>
-## </param>
-## <param name="object">
-## <summary>
-## The object class of the object being created.
--## </summary>
--## </param>
++## Domain allowed access.
+ ## </summary>
+ ## </param>
-## <param name="name" optional="true">
--## <summary>
++## <param name="private type">
+ ## <summary>
-## The name of the object being created.
+## The type of the directory for the object to be created.
## </summary>
@@ -20646,7 +20785,7 @@ index 19aa0b8..b303b37 100644
')
########################################
-@@ -267,12 +316,17 @@ interface(`dnsmasq_spec_filetrans_pid',`
+@@ -267,12 +354,17 @@ interface(`dnsmasq_spec_filetrans_pid',`
interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
@@ -20666,7 +20805,13 @@ index 19aa0b8..b303b37 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -286,4 +340,8 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +373,13 @@ interface(`dnsmasq_admin',`
+ files_list_var_lib($1)
+ admin_pattern($1, dnsmasq_lease_t)
+
+- logging_seearch_logs($1)
++ logging_search_logs($1)
+ admin_pattern($1, dnsmasq_var_log_t)
files_list_pids($1)
admin_pattern($1, dnsmasq_var_run_t)
@@ -20676,7 +20821,7 @@ index 19aa0b8..b303b37 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..869bba7 100644
+index ba14bcf..b27976c 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -20735,7 +20880,7 @@ index ba14bcf..869bba7 100644
')
optional_policy(`
-@@ -124,6 +138,13 @@ optional_policy(`
+@@ -124,6 +138,14 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
@@ -20746,6 +20891,7 @@ index ba14bcf..869bba7 100644
+
+optional_policy(`
+ quantum_manage_lib_files(dnsmasq_t)
++ quantum_stream_connect(dnsmasq_t)
+ quantum_rw_fifo_file(dnsmasq_t)
+ quantum_sigchld(dnsmasq_t)
+')
@@ -22681,7 +22827,7 @@ index 50d0084..6565422 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..d49f5ad 100644
+index 0872e50..5d49b4f 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
@@ -22726,7 +22872,7 @@ index 0872e50..d49f5ad 100644
iptables_domtrans(fail2ban_t)
')
-@@ -137,14 +137,10 @@ corecmd_exec_bin(fail2ban_client_t)
+@@ -137,14 +137,12 @@ corecmd_exec_bin(fail2ban_client_t)
domain_use_interactive_fds(fail2ban_client_t)
@@ -22734,6 +22880,8 @@ index 0872e50..d49f5ad 100644
-files_read_usr_files(fail2ban_client_t)
files_search_pids(fail2ban_client_t)
++auth_read_passwd(fail2ban_client_t)
++
logging_getattr_all_logs(fail2ban_client_t)
logging_search_all_logs(fail2ban_client_t)
@@ -29380,7 +29528,7 @@ index 1a35420..1d27695 100644
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index 57304e4..7edd3d4 100644
+index 57304e4..4fbe254 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -9,8 +9,8 @@ type iscsid_t;
@@ -29416,7 +29564,7 @@ index 57304e4..7edd3d4 100644
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,10 +85,13 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
corenet_tcp_sendrecv_isns_port(iscsid_t)
@@ -29432,15 +29580,20 @@ index 57304e4..7edd3d4 100644
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
-@@ -99,8 +102,6 @@ init_stream_connect_script(iscsid_t)
+
++files_read_kernel_modules(iscsid_t)
++
+ auth_use_nsswitch(iscsid_t)
+
+ init_stream_connect_script(iscsid_t)
logging_send_syslog_msg(iscsid_t)
-miscfiles_read_localization(iscsid_t)
--
++modutils_read_module_config(iscsid_t)
+
optional_policy(`
tgtd_manage_semaphores(iscsid_t)
- ')
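Review bot: The additions give iscsid_t read access to module files (`files_read_kernel_modules`) and modprobe configuration (`modutils_read_module_config`), but neither lets it trigger a module load. If the commit message's "auto-load kernel modules" means a kernel-initiated load via request_module, `kernel_request_load_module(iscsid_t)` is the rule that grants it, and if iscsid runs modprobe itself a modutils domain transition is; neither appears in this hunk, so confirm it is granted elsewhere in the iscsi.te changes or the load will still be denied.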
diff --git a/isns.te b/isns.te
index bc11034..e393434 100644
--- a/isns.te
@@ -33085,7 +33238,7 @@ index 19f2b97..fbc0e48 100644
ppp_signal(l2tpd_t)
ppp_kill(l2tpd_t)
diff --git a/ldap.fc b/ldap.fc
-index bc25c95..dcdbe9b 100644
+index bc25c95..6692d91 100644
--- a/ldap.fc
+++ b/ldap.fc
@@ -1,8 +1,11 @@
@@ -33098,7 +33251,7 @@ index bc25c95..dcdbe9b 100644
-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
-+/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
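Review bot: `slapd_unit_file_t` replaces `iptables_unit_file_t` here and `ldap_unit_file_t` in the two ldap.if hunks further down (the ones at outer offsets 33282 and 33319), but the ldap.te section at `index d7d9b09..562c288` is untouched by this commit, so the type's declaration and its `systemd_unit_file(...)` registration are not visible on this page. Confirm ldap.te already declares `slapd_unit_file_t`; otherwise the file context and the interface reference an undefined type and the module will not build.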
@@ -33116,7 +33269,7 @@ index bc25c95..dcdbe9b 100644
+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/ldap.if b/ldap.if
-index ee0c7cc..6ec5f73 100644
+index ee0c7cc..446c507 100644
--- a/ldap.if
+++ b/ldap.if
@@ -1,8 +1,68 @@
@@ -33282,7 +33435,7 @@ index ee0c7cc..6ec5f73 100644
- type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
- type slapd_db_t;
+ type slapd_initrc_exec_t;
-+ type ldap_unit_file_t;
++ type slapd_unit_file_t;
')
- allow $1 slapd_t:process { ptrace signal_perms };
@@ -33319,8 +33472,8 @@ index ee0c7cc..6ec5f73 100644
admin_pattern($1, slapd_var_run_t)
+
+ ldap_systemctl($1)
-+ admin_pattern($1, ldap_unit_file_t)
-+ allow $1 ldap_unit_file_t:service all_service_perms;
++ admin_pattern($1, slapd_unit_file_t)
++ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
index d7d9b09..562c288 100644
@@ -35294,10 +35447,10 @@ index e08c55d..9e634bd 100644
+
+')
diff --git a/mandb.fc b/mandb.fc
-index 2de0f64..85c3827 100644
+index 2de0f64..50f34fd 100644
--- a/mandb.fc
+++ b/mandb.fc
-@@ -1 +1,7 @@
+@@ -1 +1,9 @@
/etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
@@ -35305,8 +35458,10 @@ index 2de0f64..85c3827 100644
+/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
+
+/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0)
++
++HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
diff --git a/mandb.if b/mandb.if
-index 327f3f7..8d5841f 100644
+index 327f3f7..4f61561 100644
--- a/mandb.if
+++ b/mandb.if
@@ -1,14 +1,14 @@
@@ -35449,7 +35604,7 @@ index 327f3f7..8d5841f 100644
')
########################################
-@@ -99,37 +129,63 @@ interface(`mandb_read_cache_content',`
+@@ -99,37 +129,82 @@ interface(`mandb_read_cache_content',`
## </summary>
## </param>
#
@@ -35462,13 +35617,34 @@ index 327f3f7..8d5841f 100644
+
+ files_search_var($1)
+ manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
++')
++
++########################################
++## <summary>
++## Manage mandb cache dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mandb_manage_cache_dirs',`
++ gen_require(`
++ type mandb_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an mandb environment.
-+## Manage mandb cache dirs.
++## Create configuration files in user
++## home directories with a named file
++## type transition.
## </summary>
## <param name="domain">
## <summary>
@@ -35477,16 +35653,14 @@ index 327f3f7..8d5841f 100644
## </param>
-## <param name="role">
+#
-+interface(`mandb_manage_cache_dirs',`
++interface(`mandb_filetrans_named_home_content',`
+ gen_require(`
-+ type mandb_cache_t;
++ type mandb_home_t;
+ ')
+
-+ files_search_var($1)
-+ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
++ userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath")
+')
+
-+
+########################################
+## <summary>
+## All of the rules required to administrate
@@ -35525,10 +35699,10 @@ index 327f3f7..8d5841f 100644
+ ')
')
diff --git a/mandb.te b/mandb.te
-index 5a414e0..fd54e2b 100644
+index 5a414e0..7fee444 100644
--- a/mandb.te
+++ b/mandb.te
-@@ -10,28 +10,45 @@ roleattribute system_r mandb_roles;
+@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
@@ -35539,6 +35713,9 @@ index 5a414e0..fd54e2b 100644
+type mandb_cache_t;
+files_type(mandb_cache_t)
+
++type mandb_home_t;
++userdom_user_home_content(mandb_home_t)
++
+type mandb_lock_t;
+files_lock_file(mandb_lock_t)
+
@@ -35558,6 +35735,9 @@ index 5a414e0..fd54e2b 100644
+files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
+can_exec(mandb_t, mandb_exec_t)
+
++userdom_search_user_home_dirs(mandb_t)
++allow mandb_t mandb_home_t:file read_file_perms;
++
+allow mandb_t mandb_lock_t:file manage_file_perms;
+files_lock_filetrans(mandb_t, mandb_lock_t, file)
+
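Review bot: `allow mandb_t mandb_home_t:file read_file_perms` makes per-user `~/.manpath` an input to the system mandb job, so a user presumably can influence which directories the process that writes the shared man cache (see the files_var_filetrans into mandb_cache_t above) walks; read-only is the right scope, but the rule should say so, e.g. `# mandb honours per-user ~/.manpath; read-only on purpose`. If the denial actually came from a user running mandb from their own session rather than from the cron job, the access belongs in the user domain via the new mandb home interfaces instead of in mandb_t. The mandb_t rule run starts and ends outside the hunk.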
@@ -37069,10 +37249,16 @@ index 7e534cf..3652584 100644
+ ')
+')
diff --git a/mongodb.te b/mongodb.te
-index 4de8949..5c237c3 100644
+index 4de8949..d705316 100644
--- a/mongodb.te
+++ b/mongodb.te
-@@ -54,8 +54,5 @@ corenet_tcp_bind_generic_node(mongod_t)
+@@ -49,13 +49,11 @@ corenet_all_recvfrom_unlabeled(mongod_t)
+ corenet_all_recvfrom_netlabel(mongod_t)
+ corenet_tcp_sendrecv_generic_if(mongod_t)
+ corenet_tcp_sendrecv_generic_node(mongod_t)
++corenet_tcp_connect_mongodb_port(mongod_t)
+ corenet_tcp_bind_generic_node(mongod_t)
+
dev_read_sysfs(mongod_t)
dev_read_urand(mongod_t)
@@ -37123,10 +37309,10 @@ index 4462c0e..84944d1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..d341a52 100644
+index 6ffaba2..bb33a48 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -1,38 +1,64 @@
+@@ -1,38 +1,65 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -37158,6 +37344,7 @@ index 6ffaba2..d341a52 100644
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
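Review bot: `HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)` assigns the browser-plugin-writable type to a generic, non-dotted file name, so any user's own regular file that happens to be called `abc` will be relabeled mozilla_home_t by restorecon and become readable and writable by mozilla_plugin_t. Unlike the surrounding entries this is not a vendor-specific path; the line should at least carry a comment naming the Java plugin that creates it and the report that motivated it, e.g. `# created by the Java browser plugin; generic name, also catches unrelated user files`, and an upstream fix to the plugin would be preferable to carrying this label.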
@@ -37226,7 +37413,7 @@ index 6ffaba2..d341a52 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..879f5db 100644
+index 6194b80..af1201e 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -37865,7 +38052,7 @@ index 6194b80..879f5db 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -530,45 +448,51 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +448,52 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
@@ -37931,6 +38118,7 @@ index 6194b80..879f5db 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
@@ -37942,7 +38130,7 @@ index 6194b80..879f5db 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..30005c3 100644
+index 6a306ee..7337554 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
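Review bot: `userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")` applies to every domain granted this interface, so any file literally named `abc` that such a domain creates directly in a home directory is type-transitioned to mozilla_home_t, not only ones created by the plugin. Because the name is generic, document the collision next to the rule, e.g. `# Java plugin writes ~/abc; generic name, transition also hits unrelated files`, so the entry is not mistaken for a vendor path later. The interface definition begins outside the hunk.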
@@ -38387,7 +38575,7 @@ index 6a306ee..30005c3 100644
')
optional_policy(`
-@@ -300,221 +323,177 @@ optional_policy(`
+@@ -300,221 +323,178 @@ optional_policy(`
########################################
#
@@ -38567,6 +38755,7 @@ index 6a306ee..30005c3 100644
-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
++corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t)
+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
-dev_read_generic_usb_dev(mozilla_plugin_t)
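Review bot: `corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t)` appears unconditional (it sits at column 0 with no tunable_policy around it in the hunk), which lets the browser plugin process open a listening socket on the JBoss debug port — presumably for Java remote debugging, a protocol that gives anyone who connects code execution in the debuggee. A plugin that runs untrusted web content should not expose that listener by default; wrap the rule in a new boolean via tunable_policy (something like mozilla_plugin_bind_debug_port, default off), or drop it if it was only needed while debugging the plugin. The mozilla_plugin_t rule run continues outside the hunk.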
@@ -38705,7 +38894,7 @@ index 6a306ee..30005c3 100644
')
optional_policy(`
-@@ -523,36 +502,48 @@ optional_policy(`
+@@ -523,36 +503,48 @@ optional_policy(`
')
optional_policy(`
@@ -38767,7 +38956,7 @@ index 6a306ee..30005c3 100644
')
optional_policy(`
-@@ -560,7 +551,7 @@ optional_policy(`
+@@ -560,7 +552,7 @@ optional_policy(`
')
optional_policy(`
@@ -38776,7 +38965,7 @@ index 6a306ee..30005c3 100644
')
optional_policy(`
-@@ -568,108 +559,118 @@ optional_policy(`
+@@ -568,108 +560,118 @@ optional_policy(`
')
optional_policy(`
@@ -43390,10 +43579,10 @@ index 56c0fbd..173a2c0 100644
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
diff --git a/networkmanager.fc b/networkmanager.fc
-index a1fb3c3..8fe1d63 100644
+index a1fb3c3..82f8ae6 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
-@@ -1,43 +1,43 @@
+@@ -1,43 +1,44 @@
-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -43458,6 +43647,7 @@ index a1fb3c3..8fe1d63 100644
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
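Review bot: the new entry `/var/run/nm-xl2tpd.conf.*` leaves both dots unescaped, whereas its neighbour `nm-dns-dnsmasq\.conf` escapes them; as written `.` matches any character, so the pattern is broader than the file name it is meant to cover. Use `/var/run/nm-xl2tpd\.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)`. Since the file is created at runtime, restorecon only corrects it after the fact; the label on creation comes from NetworkManager_t's pid filetrans, which is outside this hunk.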
@@ -49497,10 +49687,10 @@ index 0000000..6c841fa
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..461f551
+index 0000000..d94eda8
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,541 @@
+@@ -0,0 +1,545 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -49594,6 +49784,7 @@ index 0000000..461f551
+#
+# openshift initrc local policy
+#
++
+unconfined_domain_noaudit(openshift_initrc_t)
+mcs_process_set_categories(openshift_initrc_t)
+
@@ -49623,6 +49814,9 @@ index 0000000..461f551
+dontaudit openshift_domain openshift_initrc_t:process signull;
+dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write };
+
++init_domtrans_script(openshift_initrc_t)
++init_initrc_domain(openshift_initrc_t)
++
+#######################################################
+#
+# Policy for all openshift domains
@@ -51119,7 +51313,7 @@ index bf59ef7..c050b37 100644
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
')
diff --git a/passenger.te b/passenger.te
-index 4e114ff..c016f25 100644
+index 4e114ff..6691677 100644
--- a/passenger.te
+++ b/passenger.te
@@ -1,4 +1,4 @@
@@ -51138,7 +51332,7 @@ index 4e114ff..c016f25 100644
type passenger_var_lib_t;
files_type(passenger_var_lib_t)
-@@ -22,22 +25,23 @@ files_pid_file(passenger_var_run_t)
+@@ -22,22 +25,24 @@ files_pid_file(passenger_var_run_t)
########################################
#
@@ -51147,9 +51341,11 @@ index 4e114ff..c016f25 100644
#
allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
- allow passenger_t self:process { setpgid setsched sigkill signal };
+-allow passenger_t self:process { setpgid setsched sigkill signal };
++allow passenger_t self:process { setpgid setsched sigkill signal signull };
allow passenger_t self:fifo_file rw_fifo_file_perms;
-allow passenger_t self:unix_stream_socket { accept connectto listen };
++allow passenger_t self:tcp_socket listen;
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(passenger_t, passenger_exec_t)
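Review bot: `allow passenger_t self:tcp_socket listen;` is a single permission added in isolation; a domain that listens also needs `bind` and `accept` (refpolicy spells the whole set as `create_stream_socket_perms`) and, unless the port is meant to be arbitrary, a `corenet_tcp_bind_*_port` rule naming it — none is visible in this hunk. If the remaining socket permissions already exist elsewhere in passenger.te this is fine, but please confirm which port Passenger's helper binds and pin it rather than growing the rule one AVC at a time; the domain already holds `sys_ptrace` and `dac_override` (context above), so additional listening exposure matters. The passenger_t rule run continues outside the hunk.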
@@ -51168,7 +51364,7 @@ index 4e114ff..c016f25 100644
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
-@@ -45,19 +49,19 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+@@ -45,19 +50,20 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
@@ -51190,29 +51386,29 @@ index 4e114ff..c016f25 100644
-corenet_sendrecv_http_client_packets(passenger_t)
corenet_tcp_connect_http_port(passenger_t)
-corenet_tcp_sendrecv_http_port(passenger_t)
++corenet_tcp_connect_postgresql_port(passenger_t)
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
-@@ -66,14 +70,11 @@ dev_read_urand(passenger_t)
+@@ -66,8 +72,6 @@ dev_read_urand(passenger_t)
domain_read_all_domains_state(passenger_t)
-files_read_etc_files(passenger_t)
-
+-
auth_use_nsswitch(passenger_t)
logging_send_syslog_msg(passenger_t)
-
--miscfiles_read_localization(passenger_t)
--
- userdom_dontaudit_use_user_terminals(passenger_t)
-
- optional_policy(`
-@@ -90,14 +91,16 @@ optional_policy(`
+@@ -90,14 +94,21 @@ optional_policy(`
')
optional_policy(`
- puppet_manage_lib_files(passenger_t)
++ mysql_stream_connect(passenger_t)
++ mysql_list_db(passenger_t)
++')
++
++optional_policy(`
+ puppet_domtrans_master(passenger_t)
+ puppet_manage_lib(passenger_t)
puppet_read_config(passenger_t)
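Review bot: `corenet_tcp_connect_postgresql_port(passenger_t)` and the new `mysql_stream_connect`/`mysql_list_db` block are granted unconditionally, whereas the Apache module conventionally gates database access behind a boolean (httpd_can_network_connect_db in Fedora's policy) so a compromised web process cannot reach the database tier unless the administrator opts in. Passenger runs application code under Apache, so the same exposure applies; consider wrapping both grants in a tunable_policy block keyed on that boolean or a passenger-specific one, and record in a comment which deployment (the commit message mentions foreman) needs them. The passenger_t rule run continues outside the hunk.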
@@ -55950,7 +56146,7 @@ index 2e23946..589bbf2 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..aa3e5f0 100644
+index 191a66f..93a04c2 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -56779,7 +56975,8 @@ index 191a66f..aa3e5f0 100644
-allow postfix_virtual_t self:process setrlimit;
+allow postfix_virtual_t self:process { setsched setrlimit };
- allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+-allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
++manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t)
+# connect to master process
stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
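Review bot: `manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t)` widens the old `rw_file_perms` to create/unlink/rename/setattr on the generic postfix_spool_t type plus write access to its directories, i.e. every spool file that has no more specific type. The commit message only says the virtual delivery agent needs to create new files; if that is the whole requirement, keep the original `allow postfix_virtual_t postfix_spool_t:file rw_file_perms;` and add `create_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t)`, which grants create without unlink or rename, and note in a comment which files it creates so the grant can be revisited. postfix_virtual_t's rules continue outside the hunk.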
@@ -62860,10 +63057,10 @@ index 70ab68b..e97da31 100644
/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
diff --git a/quantum.if b/quantum.if
-index afc0068..b25d41e 100644
+index afc0068..5fb7731 100644
--- a/quantum.if
+++ b/quantum.if
-@@ -2,41 +2,252 @@
+@@ -2,41 +2,292 @@
########################################
## <summary>
@@ -62888,7 +63085,25 @@ index afc0068..b25d41e 100644
+
+########################################
+## <summary>
-+## Read quantum's log files.
++## Allow read/write quantum pipes
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`quantum_rw_inherited_pipes',`
++ gen_require(`
++ type quantum_t;
++ ')
++
++ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++## <summary>
++## Send sigchld to quantum.
## </summary>
## <param name="domain">
## <summary>
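Review bot: the body of the new `quantum_rw_inherited_pipes` (`allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms;`) is identical to the rule that closes an already-present interface further down quantum.if (visible as context in the hunk just before `quantum_stream_connect`); unless that existing one is being removed elsewhere, the module now carries two interfaces with the same effect — the kind of duplication the commit message says it is cleaning up. Compare the two names and keep one, or, if they turn out to share the name, delete the duplicate definition outright. The existing interface's header is outside SOURCE, so its name cannot be confirmed here.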
@@ -62896,8 +63111,28 @@ index afc0068..b25d41e 100644
## </summary>
## </param>
-## <param name="role">
-+## <rolecap/>
+#
++#
++interface(`quantum_sigchld',`
++ gen_require(`
++ type quantum_t;
++ ')
++
++ allow $1 quantum_t:process sigchld;
++')
++
++########################################
++## <summary>
++## Read quantum's log files.
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## Role allowed access.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+interface(`quantum_read_log',`
+ gen_require(`
+ type quantum_log_t;
@@ -62912,8 +63147,7 @@ index afc0068..b25d41e 100644
+## Append to quantum log files.
+## </summary>
+## <param name="domain">
- ## <summary>
--## Role allowed access.
++## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
@@ -63042,9 +63276,10 @@ index afc0068..b25d41e 100644
+ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
-+########################################
++#####################################
+## <summary>
-+## Allow domain to send sigchld to quantum process.
++## Connect to quantum over a unix domain
++## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -63052,13 +63287,15 @@ index afc0068..b25d41e 100644
+## </summary>
+## </param>
+#
-+interface(`quantum_sigchld',`
++interface(`quantum_stream_connect',`
+ gen_require(`
-+ type quantum_t;
++ type quantum_var_lib_t;
+ ')
+
-+ allow $1 quantum_t:process sigchld;
++ files_search_pids($1)
++ stream_connect_pattern($1, quantum_var_lib_t, quantum_var_lib_t, quantum_t )
+')
++
+########################################
+## <summary>
+## Execute quantum server in the quantum domain.
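Review bot: `quantum_stream_connect` uses `quantum_t` in `stream_connect_pattern($1, quantum_var_lib_t, quantum_var_lib_t, quantum_t )` but its gen_require lists only `quantum_var_lib_t`, so a caller in another module (dnsmasq, per the commit message) will fail to build with an undeclared-type error — compare `thin_stream_connect` in this same commit, which requires both `thin_t` and `thin_var_run_t`. The search permission is also mismatched: the socket type is quantum_var_lib_t, which quantum.fc maps to /var/lib/quantum, yet the interface calls `files_search_pids($1)`. Change the require to `type quantum_t, quantum_var_lib_t;`, replace files_search_pids with `files_search_var_lib($1)`, and drop the stray space before the closing parenthesis.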
@@ -63092,10 +63329,9 @@ index afc0068..b25d41e 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
++## </summary>
++## </param>
++#
interface(`quantum_admin',`
gen_require(`
- type quantum_t, quantum_initrc_exec_t, quantum_log_t;
@@ -63605,7 +63841,7 @@ index c5ad6de..c67dbef 100644
/var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..a68f9f1 100644
+index 3698b51..42caa6c 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -54,6 +54,8 @@ kernel_read_system_state(rabbitmq_beam_t)
@@ -63617,7 +63853,7 @@ index 3698b51..a68f9f1 100644
corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
-@@ -68,11 +70,13 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -68,20 +70,28 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
@@ -63629,12 +63865,20 @@ index 3698b51..a68f9f1 100644
+auth_read_passwd(rabbitmq_beam_t)
-miscfiles_read_localization(rabbitmq_beam_t)
++fs_getattr_xattr_fs(rabbitmq_beam_t)
++
+dev_read_sysfs(rabbitmq_beam_t)
+dev_read_urand(rabbitmq_beam_t)
sysnet_dns_name_resolve(rabbitmq_beam_t)
-@@ -81,7 +85,6 @@ sysnet_dns_name_resolve(rabbitmq_beam_t)
++optional_policy(`
++ couchdb_read_conf_files(rabbitmq_beam_t)
++ couchdb_read_lib_files(rabbitmq_beam_t)
++')
++
+ ########################################
+ #
# Epmd local policy
#
@@ -63642,7 +63886,7 @@ index 3698b51..a68f9f1 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +102,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +109,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
@@ -73712,10 +73956,10 @@ index 0000000..6caef63
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/sandboxX.if b/sandboxX.if
new file mode 100644
-index 0000000..1b21b7b
+index 0000000..5da5bff
--- /dev/null
+++ b/sandboxX.if
-@@ -0,0 +1,391 @@
+@@ -0,0 +1,392 @@
+
+## <summary>policy for sandboxX </summary>
+
@@ -73754,6 +73998,7 @@ index 0000000..1b21b7b
+ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
+ allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
++ dontaudit sandbox_xserver_t $1:file read;
+ allow sandbox_x_domain sandbox_x_domain:process signal;
+ # Dontaudit leaked file descriptors
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
@@ -83088,10 +83333,10 @@ index 0000000..7f4bce8
+/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
diff --git a/thin.if b/thin.if
new file mode 100644
-index 0000000..d000122
+index 0000000..b9f811d
--- /dev/null
+++ b/thin.if
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,66 @@
+## <summary>thin policy</summary>
+
+#######################################
@@ -83136,12 +83381,34 @@ index 0000000..d000122
+
+ can_exec($1, thin_exec_t)
+')
++
++#####################################
++## <summary>
++## Connect to thin over a unix domain
++## stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`thin_stream_connect',`
++ gen_require(`
++ type thin_t, thin_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t)
++')
++
++
diff --git a/thin.te b/thin.te
new file mode 100644
-index 0000000..555b49e
+index 0000000..dda7934
--- /dev/null
+++ b/thin.te
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,113 @@
+policy_module(thin, 1.0)
+
+########################################
@@ -83205,6 +83472,10 @@ index 0000000..555b49e
+kernel_read_kernel_sysctls(thin_domain)
+
+optional_policy(`
++ apache_read_sys_content(thin_domain)
++')
++
++optional_policy(`
+ sysnet_read_config(thin_domain)
+')
+
@@ -83224,6 +83495,7 @@ index 0000000..555b49e
+logging_log_filetrans(thin_t, thin_log_t, { file dir })
+
+manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
++manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
+files_pid_filetrans(thin_t, thin_var_run_t, { file })
+
+corenet_tcp_bind_ntop_port(thin_t)
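Review bot: `manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)` is added but the transition on the next line stays `files_pid_filetrans(thin_t, thin_var_run_t, { file })`, so a socket thin creates directly under /run, rather than inside a directory already labeled thin_var_run_t, gets the generic pid type and the new `thin_stream_connect` (which matches only thin_var_run_t) will not cover it. If the socket lives under a thin_var_run_t directory such as the aeolus one in thin.fc this is fine; otherwise extend it to `files_pid_filetrans(thin_t, thin_var_run_t, { file sock_file })`. thin_t's rule run continues outside the hunk.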
@@ -87873,7 +88145,7 @@ index 9dec06c..7877729 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..a8390d3 100644
+index 1f22fba..253d98d 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -88079,7 +88351,7 @@ index 1f22fba..a8390d3 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -155,290 +165,130 @@ type virt_qmf_exec_t;
+@@ -155,290 +165,134 @@ type virt_qmf_exec_t;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
type virt_bridgehelper_t;
@@ -88264,60 +88536,78 @@ index 1f22fba..a8390d3 100644
- fs_manage_nfs_named_sockets(virt_domain)
- fs_read_nfs_symlinks(virt_domain)
-')
--
++type virtd_lxc_t;
++type virtd_lxc_exec_t;
++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+
-tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs(virt_domain)
- fs_manage_cifs_files(virt_domain)
- fs_manage_cifs_named_sockets(virt_domain)
- fs_read_cifs_symlinks(virt_domain)
-')
--
++type virt_lxc_var_run_t;
++files_pid_file(virt_lxc_var_run_t)
++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
+
-tunable_policy(`virt_use_sysfs',`
- dev_rw_sysfs(virt_domain)
-')
--
++# virt lxc container files
++type svirt_lxc_file_t;
++files_mountpoint(svirt_lxc_file_t)
+
-tunable_policy(`virt_use_usb',`
- dev_rw_usbfs(virt_domain)
- dev_read_sysfs(virt_domain)
- fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain)
-')
--
++########################################
++#
++# svirt local policy
++#
+
-optional_policy(`
- tunable_policy(`virt_use_xserver',`
- xserver_read_xdm_pid(virt_domain)
- xserver_stream_connect(virt_domain)
- ')
-')
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-optional_policy(`
- dbus_read_lib_files(virt_domain)
-')
--
++corenet_udp_sendrecv_generic_if(svirt_t)
++corenet_udp_sendrecv_generic_node(svirt_t)
++corenet_udp_sendrecv_all_ports(svirt_t)
++corenet_udp_bind_generic_node(svirt_t)
++corenet_udp_bind_all_ports(svirt_t)
++corenet_tcp_bind_all_ports(svirt_t)
++corenet_tcp_connect_all_ports(svirt_t)
+
-optional_policy(`
- nscd_use(virt_domain)
-')
-+type virtd_lxc_t;
-+type virtd_lxc_exec_t;
-+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
++miscfiles_read_generic_certs(svirt_t)
--optional_policy(`
+ optional_policy(`
- samba_domtrans_smbd(virt_domain)
--')
-+type virt_lxc_var_run_t;
-+files_pid_file(virt_lxc_var_run_t)
-+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
++ nscd_dontaudit_write_sock_file(svirt_t)
+ ')
--optional_policy(`
+ optional_policy(`
- xen_rw_image_files(virt_domain)
--')
-+# virt lxc container files
-+type svirt_lxc_file_t;
-+files_mountpoint(svirt_lxc_file_t)
++ sssd_dontaudit_stream_connect(svirt_t)
+ ')
- ########################################
+-########################################
++#######################################
#
- # svirt local policy
+-# svirt local policy
++# svirt_prot_exec local policy
#
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -88334,13 +88624,11 @@ index 1f22fba..a8390d3 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
- corenet_udp_sendrecv_generic_if(svirt_t)
- corenet_udp_sendrecv_generic_node(svirt_t)
- corenet_udp_sendrecv_all_ports(svirt_t)
- corenet_udp_bind_generic_node(svirt_t)
+-
+-corenet_udp_sendrecv_generic_if(svirt_t)
+-corenet_udp_sendrecv_generic_node(svirt_t)
+-corenet_udp_sendrecv_all_ports(svirt_t)
+-corenet_udp_bind_generic_node(svirt_t)
-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
@@ -88354,26 +88642,13 @@ index 1f22fba..a8390d3 100644
-corenet_udp_bind_generic_node(svirt_t)
-
-corenet_sendrecv_all_server_packets(svirt_t)
- corenet_udp_bind_all_ports(svirt_t)
- corenet_tcp_bind_all_ports(svirt_t)
--
--corenet_sendrecv_all_client_packets(svirt_t)
- corenet_tcp_connect_all_ports(svirt_t)
-
-+miscfiles_read_generic_certs(svirt_t)
-+
-+optional_policy(`
-+ nscd_use(svirt_t)
-+')
-+
-+#######################################
-+#
-+# svirt_prot_exec local policy
-+#
-+
+-corenet_udp_bind_all_ports(svirt_t)
+-corenet_tcp_bind_all_ports(svirt_t)
+allow svirt_tcg_t self:process { execmem execstack };
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-+
+
+-corenet_sendrecv_all_client_packets(svirt_t)
+-corenet_tcp_connect_all_ports(svirt_t)
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
+corenet_udp_sendrecv_generic_node(svirt_tcg_t)
+corenet_udp_sendrecv_all_ports(svirt_tcg_t)
@@ -88381,7 +88656,7 @@ index 1f22fba..a8390d3 100644
+corenet_udp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_connect_all_ports(svirt_tcg_t)
-+
+
########################################
#
# virtd local policy
@@ -88447,7 +88722,7 @@ index 1f22fba..a8390d3 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +298,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +302,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -88493,28 +88768,28 @@ index 1f22fba..a8390d3 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +332,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +336,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
-can_exec(virtd_t, virt_tmp_t)
-
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +344,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +348,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -88522,7 +88797,7 @@ index 1f22fba..a8390d3 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +352,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +356,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -88550,7 +88825,7 @@ index 1f22fba..a8390d3 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +372,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +376,23 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -88579,7 +88854,7 @@ index 1f22fba..a8390d3 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +419,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +423,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -88599,7 +88874,7 @@ index 1f22fba..a8390d3 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +445,24 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -88634,7 +88909,7 @@ index 1f22fba..a8390d3 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +471,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -88643,7 +88918,7 @@ index 1f22fba..a8390d3 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,95 +492,321 @@ optional_policy(`
+@@ -658,95 +496,321 @@ optional_policy(`
')
optional_policy(`
@@ -89013,7 +89288,7 @@ index 1f22fba..a8390d3 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +818,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +822,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -89043,7 +89318,7 @@ index 1f22fba..a8390d3 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +837,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +841,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -89070,7 +89345,7 @@ index 1f22fba..a8390d3 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +857,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +861,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -89102,7 +89377,7 @@ index 1f22fba..a8390d3 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +890,20 @@ optional_policy(`
+@@ -847,14 +894,20 @@ optional_policy(`
')
optional_policy(`
@@ -89124,7 +89399,7 @@ index 1f22fba..a8390d3 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +928,44 @@ optional_policy(`
+@@ -879,34 +932,44 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -89178,7 +89453,7 @@ index 1f22fba..a8390d3 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +975,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +979,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -89196,7 +89471,7 @@ index 1f22fba..a8390d3 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +997,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +1001,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -89207,7 +89482,7 @@ index 1f22fba..a8390d3 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1006,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1010,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -89215,7 +89490,7 @@ index 1f22fba..a8390d3 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1018,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1022,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -89234,7 +89509,7 @@ index 1f22fba..a8390d3 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1032,36 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1036,36 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -89279,7 +89554,7 @@ index 1f22fba..a8390d3 100644
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1069,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1073,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -89306,7 +89581,7 @@ index 1f22fba..a8390d3 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1087,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1091,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -89325,7 +89600,7 @@ index 1f22fba..a8390d3 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1106,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1110,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -89352,7 +89627,7 @@ index 1f22fba..a8390d3 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1131,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1135,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -89491,7 +89766,7 @@ index 1f22fba..a8390d3 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1229,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1233,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -89506,7 +89781,7 @@ index 1f22fba..a8390d3 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1247,8 @@ optional_policy(`
+@@ -1183,9 +1251,8 @@ optional_policy(`
########################################
#
@@ -89517,7 +89792,7 @@ index 1f22fba..a8390d3 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1261,114 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1265,114 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e7e810d..c504796 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 48%{?dist}
+Release: 49%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,43 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jun 7 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-49
+- Fix courier_domain_template() interface
+- Allow blueman to write ip_forward
+- Allow mongodb to connect to mongodb port
+- Allow mongodb to connect to mongodb port
+- Allow java to bind jobss_debug port
+- Fixes for *_admin interfaces
+- Allow iscsid auto-load kernel modules needed for proper iSCSI functionality
+- Need to assign attribute for courier_domain to all courier_domains
+- Fail2ban reads /etc/passwd
+- postfix_virtual will create new files in postfix_spool_t
+- abrt triggers sys_ptrace by running pidof
+- Label ~/abc as mozilla_home_t, since java apps as plugin want to create it
+- Add passenger fixes needed by foreman
+- Remove dup interfaces
+- Add additional interfaces for quantum
+- Add new interfaces for dnsmasq
+- Allow passenger to read localization and send signull to itself
+- Allow dnsmasq to stream connect to quantum
+- Add quantum_stream_connect()
+- Make sure that mcollective starts the service with the correct labeling
+- Add labels for ~/.manpath
+- Dontaudit attempts by svirt_t to getpw* calls
+- sandbox domains are trying to look at parent process data
+- Allow courior auth to create its pid file in /var/spool/courier subdir
+- Add fixes for beam to have it working with couchdb
+- Add labeling for /run/nm-xl2tpd.con
+- Allow apache to stream connect to thin
+- Add systemd support for amand
+- Make public types usable for fs mount points
+- Call correct mandb interface in domain.te
+- Allow iptables to r/w quantum inherited pipes and send sigchld
+- Allow ifconfig domtrans to iptables and execute ldconfig
+- Add labels for ~/.manpath
+- Allow systemd to read iscsi lib files
+- seunshare is trying to look at parent process data
+
* Mon Jun 3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-48
- Fix openshift_search_lib
- Add support for abrt-uefioops-oops