[selinux-policy] - Add prosody policy written by Michael Scherer - Allow nagios plugins to read /sys info - ntpd need
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jul 8 07:18:38 UTC 2013
commit d1027c54b94f2f2eb93e3fdefa1e3dd907301c51
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Jul 8 09:18:11 2013 +0200
- Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call the proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain i
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain at
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
modules-targeted-contrib.conf | 7 +
policy-rawhide-base.patch | 70 ++--
policy-rawhide-contrib.patch | 982 +++++++++++++++++++++++++++++++++--------
selinux-policy.spec | 43 ++-
4 files changed, 890 insertions(+), 212 deletions(-)
---
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index c2cb18d..6cffca0 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2250,3 +2250,10 @@ pesign = module
# Fast and lean authoritative DNS Name Server
#
nsd = module
+
+# Layer: contrib
+# Module: iodine
+#
+# Fast and lean authoritative DNS Name Server
+#
+iodine = module
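Review bot: The description block on lines 62-66 was copied from the nsd entry directly above it, so the new iodine module is documented as a "Fast and lean authoritative DNS Name Server", which is nsd's summary rather than iodine's; iodine is an IP-over-DNS tunnel, not an authoritative name server. Replace the copied line with the package's own one-line summary, e.g. `# Tunnel IPv4 traffic over DNS`, so this module index stays trustworthy for anyone auditing which daemons have policy. The Layer/Module lines themselves are correct.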
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 377dc48..2efeb50 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5170,7 +5170,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..68176bb 100644
+index 4edc40d..b48abbe 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5400,7 +5400,7 @@ index 4edc40d..68176bb 100644
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
-@@ -214,38 +255,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +255,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5415,6 +5415,7 @@ index 4edc40d..68176bb 100644
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
+network_port(time, tcp,37,s0, udp,37,s0)
++network_port(redis, tcp,6379,s0)
network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
@@ -5449,7 +5450,7 @@ index 4edc40d..68176bb 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +302,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +303,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -5460,7 +5461,7 @@ index 4edc40d..68176bb 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
-@@ -268,10 +314,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +315,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5473,7 +5474,7 @@ index 4edc40d..68176bb 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +338,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +339,16 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@@ -5492,7 +5493,7 @@ index 4edc40d..68176bb 100644
########################################
#
-@@ -330,6 +380,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +381,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5501,7 +5502,7 @@ index 4edc40d..68176bb 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -342,9 +394,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +395,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -33356,15 +33357,14 @@ index 3822072..1029e3b 100644
+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..64db314 100644
+index ec01d0b..e2b829b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
-@@ -11,14 +11,17 @@ gen_require(`
+@@ -11,14 +11,16 @@ gen_require(`
attribute can_write_binary_policy;
attribute can_relabelto_binary_policy;
+attribute setfiles_domain;
-+attribute seutil_semanage_domain;
+attribute policy_manager_domain;
-attribute_role newrole_roles;
@@ -33382,7 +33382,7 @@ index ec01d0b..64db314 100644
#
# selinux_config_t is the type applied to
-@@ -28,7 +31,13 @@ roleattribute system_r semanage_roles;
+@@ -28,7 +30,13 @@ roleattribute system_r semanage_roles;
# in the domain_type interface
# (fix dup decl)
type selinux_config_t;
@@ -33397,7 +33397,7 @@ index ec01d0b..64db314 100644
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
-@@ -40,14 +49,14 @@ role system_r types checkpolicy_t;
+@@ -40,14 +48,14 @@ role system_r types checkpolicy_t;
# /etc/selinux/*/contexts/*
#
type default_context_t;
@@ -33414,7 +33414,7 @@ index ec01d0b..64db314 100644
type load_policy_t;
type load_policy_exec_t;
-@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
+@@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t)
domain_role_change_exemption(newrole_t)
domain_obj_id_change_exemption(newrole_t)
domain_interactive_fd(newrole_t)
@@ -33438,7 +33438,7 @@ index ec01d0b..64db314 100644
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -83,7 +98,6 @@ type restorecond_t;
+@@ -83,7 +97,6 @@ type restorecond_t;
type restorecond_exec_t;
init_daemon_domain(restorecond_t, restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
@@ -33446,7 +33446,7 @@ index ec01d0b..64db314 100644
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
-@@ -92,25 +106,32 @@ type run_init_t;
+@@ -92,25 +105,32 @@ type run_init_t;
type run_init_exec_t;
application_domain(run_init_t, run_init_exec_t)
domain_system_change_exemption(run_init_t)
@@ -33485,7 +33485,7 @@ index ec01d0b..64db314 100644
type semanage_var_lib_t;
files_type(semanage_var_lib_t)
-@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
+@@ -120,6 +140,11 @@ type setfiles_exec_t alias restorecon_exec_t;
init_system_domain(setfiles_t, setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t)
@@ -33497,7 +33497,7 @@ index ec01d0b..64db314 100644
########################################
#
# Checkpolicy local policy
-@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
+@@ -137,6 +162,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
allow checkpolicy_t selinux_config_t:dir search_dir_perms;
@@ -33505,7 +33505,7 @@ index ec01d0b..64db314 100644
domain_use_interactive_fds(checkpolicy_t)
-@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
+@@ -151,7 +177,7 @@ term_use_console(checkpolicy_t)
init_use_fds(checkpolicy_t)
init_use_script_ptys(checkpolicy_t)
@@ -33514,7 +33514,7 @@ index ec01d0b..64db314 100644
userdom_use_all_users_fds(checkpolicy_t)
ifdef(`distro_ubuntu',`
-@@ -188,13 +215,13 @@ term_list_ptys(load_policy_t)
+@@ -188,13 +214,13 @@ term_list_ptys(load_policy_t)
init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
@@ -33531,7 +33531,7 @@ index ec01d0b..64db314 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -205,6 +232,7 @@ ifdef(`distro_ubuntu',`
+@@ -205,6 +231,7 @@ ifdef(`distro_ubuntu',`
ifdef(`hide_broken_symptoms',`
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
@@ -33539,7 +33539,7 @@ index ec01d0b..64db314 100644
optional_policy(`
unconfined_dontaudit_read_pipes(load_policy_t)
-@@ -215,12 +243,17 @@ optional_policy(`
+@@ -215,12 +242,17 @@ optional_policy(`
portage_dontaudit_use_fds(load_policy_t)
')
@@ -33558,7 +33558,7 @@ index ec01d0b..64db314 100644
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
-@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -232,7 +264,7 @@ allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -33567,7 +33567,7 @@ index ec01d0b..64db314 100644
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -249,6 +281,7 @@ domain_use_interactive_fds(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_interactive_fds(newrole_t)
@@ -33575,7 +33575,7 @@ index ec01d0b..64db314 100644
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
-@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t)
+@@ -276,25 +309,34 @@ term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@@ -33617,7 +33617,7 @@ index ec01d0b..64db314 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
-@@ -309,7 +352,7 @@ if(secure_mode) {
+@@ -309,7 +351,7 @@ if(secure_mode) {
userdom_spec_domtrans_all_users(newrole_t)
}
@@ -33626,7 +33626,7 @@ index ec01d0b..64db314 100644
files_polyinstantiate_all(newrole_t)
')
-@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t)
+@@ -328,9 +370,13 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -33641,7 +33641,7 @@ index ec01d0b..64db314 100644
fs_list_inotifyfs(restorecond_t)
selinux_validate_context(restorecond_t)
-@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t)
+@@ -341,16 +387,17 @@ selinux_compute_user_contexts(restorecond_t)
files_relabel_non_auth_files(restorecond_t )
files_read_non_auth_files(restorecond_t)
@@ -33661,7 +33661,7 @@ index ec01d0b..64db314 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -366,21 +414,24 @@ optional_policy(`
+@@ -366,21 +413,24 @@ optional_policy(`
# Run_init local policy
#
@@ -33688,7 +33688,7 @@ index ec01d0b..64db314 100644
dev_dontaudit_list_all_dev_nodes(run_init_t)
domain_use_interactive_fds(run_init_t)
-@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t)
+@@ -398,23 +448,30 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@@ -33724,7 +33724,7 @@ index ec01d0b..64db314 100644
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
-@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',`
+@@ -425,6 +482,19 @@ ifndef(`direct_sysadm_daemon',`
')
')
@@ -33744,7 +33744,7 @@ index ec01d0b..64db314 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -440,81 +511,87 @@ optional_policy(`
+@@ -440,81 +510,87 @@ optional_policy(`
# semodule local policy
#
@@ -33885,7 +33885,7 @@ index ec01d0b..64db314 100644
')
########################################
-@@ -522,108 +599,181 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +598,181 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -34151,7 +34151,7 @@ index ec01d0b..64db314 100644
+userdom_use_user_ptys(policy_manager_domain)
+
+files_rw_inherited_generic_pid_files(setfiles_domain)
-+files_rw_inherited_generic_pid_files(seutil_semanage_domain)
++files_rw_inherited_generic_pid_files(policy_manager_domain)
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
index bea4629..06e2834 100644
--- a/policy/modules/system/setrans.fc
@@ -38249,7 +38249,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..4f43578 100644
+index 3c5dba7..4129aa6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39192,7 +39192,7 @@ index 3c5dba7..4f43578 100644
+ allow $1_t self:process ~{ ptrace execmem execstack execheap };
+
+ tunable_policy(`selinuxuser_use_ssh_chroot',`
-+ allow $1_t self:capability { setuid sys_chroot };
++ allow $1_t self:capability { setuid setgid sys_chroot };
+ ')
- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 203ed18..ae88cc0 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4528,7 +4528,7 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..392480e 100644
+index 1a82e29..69725f8 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5611,17 +5611,17 @@ index 1a82e29..392480e 100644
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
--')
--
++ userdom_use_inherited_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
- fs_manage_cifs_files(httpd_t)
- fs_manage_cifs_symlinks(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
-
+-')
+-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
-')
@@ -5791,7 +5791,7 @@ index 1a82e29..392480e 100644
')
optional_policy(`
-@@ -836,20 +984,38 @@ optional_policy(`
+@@ -836,20 +984,39 @@ optional_policy(`
')
optional_policy(`
@@ -5817,6 +5817,7 @@ index 1a82e29..392480e 100644
+ pki_manage_apache_lib(httpd_t)
+ pki_manage_apache_log_files(httpd_t)
+ pki_manage_apache_run(httpd_t)
++ pki_read_tomcat_cert(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_db',`
@@ -5836,7 +5837,7 @@ index 1a82e29..392480e 100644
')
optional_policy(`
-@@ -857,6 +1023,16 @@ optional_policy(`
+@@ -857,6 +1024,16 @@ optional_policy(`
')
optional_policy(`
@@ -5853,7 +5854,7 @@ index 1a82e29..392480e 100644
seutil_sigchld_newrole(httpd_t)
')
-@@ -865,11 +1041,16 @@ optional_policy(`
+@@ -865,11 +1042,16 @@ optional_policy(`
')
optional_policy(`
@@ -5870,7 +5871,7 @@ index 1a82e29..392480e 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1058,165 @@ optional_policy(`
+@@ -877,65 +1059,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -5880,6 +5881,11 @@ index 1a82e29..392480e 100644
+ zarafa_search_config(httpd_t)
+')
+
++optional_policy(`
++ zoneminder_manage_lib_dirs(httpd_t)
++ zoneminder_manage_lib_files(httpd_t)
++')
++
########################################
#
-# Helper local policy
@@ -6058,7 +6064,7 @@ index 1a82e29..392480e 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1225,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1231,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6213,7 +6219,7 @@ index 1a82e29..392480e 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1309,104 @@ optional_policy(`
+@@ -1077,172 +1315,104 @@ optional_policy(`
')
')
@@ -6238,8 +6244,7 @@ index 1a82e29..392480e 100644
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-+allow httpd_sys_script_t self:process getsched;
-
+-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -6247,7 +6252,8 @@ index 1a82e29..392480e 100644
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
--
++allow httpd_sys_script_t self:process getsched;
+
-corecmd_exec_all_executables(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
@@ -6392,10 +6398,10 @@ index 1a82e29..392480e 100644
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-
-kernel_read_kernel_sysctls(httpd_sys_script_t)
+-
+-fs_search_auto_mountpoints(httpd_sys_script_t)
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
--fs_search_auto_mountpoints(httpd_sys_script_t)
--
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
@@ -6449,7 +6455,7 @@ index 1a82e29..392480e 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1414,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1420,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6546,7 +6552,7 @@ index 1a82e29..392480e 100644
########################################
#
-@@ -1315,8 +1489,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1495,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6563,7 +6569,7 @@ index 1a82e29..392480e 100644
')
########################################
-@@ -1324,49 +1505,36 @@ optional_policy(`
+@@ -1324,49 +1511,36 @@ optional_policy(`
# User content local policy
#
@@ -6627,7 +6633,7 @@ index 1a82e29..392480e 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1544,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1550,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -10494,10 +10500,10 @@ index 0000000..5977d96
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..f4a8884
+index 0000000..25f2d55
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,237 @@
+@@ -0,0 +1,238 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -10595,6 +10601,7 @@ index 0000000..f4a8884
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
+corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
+corenet_tcp_connect_vnc_port(chrome_sandbox_t)
++corenet_tcp_connect_whois_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
+
@@ -13298,7 +13305,7 @@ index 5b830ec..0647a3b 100644
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
-index 5f0c793..f473adf 100644
+index 5f0c793..ecd0397 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,12 +19,16 @@ type consolekit_var_run_t;
@@ -13318,7 +13325,7 @@ index 5f0c793..f473adf 100644
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
-@@ -54,17 +58,13 @@ dev_read_sysfs(consolekit_t)
+@@ -54,37 +58,35 @@ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
@@ -13336,7 +13343,11 @@ index 5f0c793..f473adf 100644
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
-@@ -74,17 +74,17 @@ auth_write_login_records(consolekit_t)
+ auth_manage_pam_console_data(consolekit_t)
+ auth_write_login_records(consolekit_t)
+
++init_read_utmp(consolekit_t)
++
logging_send_syslog_msg(consolekit_t)
logging_send_audit_msgs(consolekit_t)
@@ -13360,7 +13371,7 @@ index 5f0c793..f473adf 100644
')
ifdef(`distro_debian',`
-@@ -112,13 +112,6 @@ optional_policy(`
+@@ -112,13 +114,6 @@ optional_policy(`
')
')
@@ -22435,7 +22446,7 @@ index 18f2452..a446210 100644
+
')
diff --git a/dspam.te b/dspam.te
-index 266cb8f..63643a8 100644
+index 266cb8f..c736297 100644
--- a/dspam.te
+++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@@ -22448,12 +22459,22 @@ index 266cb8f..63643a8 100644
allow dspam_t self:fifo_file rw_fifo_file_perms;
allow dspam_t self:unix_stream_socket { accept listen };
-@@ -64,14 +67,33 @@ auth_use_nsswitch(dspam_t)
+@@ -58,20 +61,42 @@ corenet_tcp_bind_spamd_port(dspam_t)
+ corenet_tcp_connect_spamd_port(dspam_t)
+ corenet_tcp_sendrecv_spamd_port(dspam_t)
+
++kernel_read_system_state(dspam_t)
++
++corecmd_exec_shell(dspam_t)
++
+ files_search_spool(dspam_t)
+
+ auth_use_nsswitch(dspam_t)
logging_send_syslog_msg(dspam_t)
-miscfiles_read_localization(dspam_t)
-
+-
optional_policy(`
apache_content_template(dspam)
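Review bot: `corecmd_exec_shell(dspam_t)` on line 580 lets the dspam daemon run a shell with no comment explaining why, which is exactly the kind of grant a later audit will want to trace back. The commit message attributes the dspam changes to making the LDA path work, so a comment such as `# shell is needed for the LDA delivery path` directly above the call would document the reason; if the shell is only ever spawned through one specific helper, a narrower interface on that helper would be preferable to a general shell grant. The `kernel_read_system_state(dspam_t)` line above it is unremarkable by comparison.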
@@ -22485,13 +22506,14 @@ index 266cb8f..63643a8 100644
')
optional_policy(`
-@@ -87,3 +109,11 @@ optional_policy(`
+@@ -87,3 +112,12 @@ optional_policy(`
postgresql_tcp_connect(dspam_t)
')
+
+optional_policy(`
+ postfix_rw_inherited_master_pipes(dspam_t)
++ postfix_list_spool(dspam_t)
+')
+
+optional_policy(`
@@ -23073,9 +23095,18 @@ index 50d0084..6565422 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..d336d7f 100644
+index 0872e50..598e4ee 100644
--- a/fail2ban.te
+++ b/fail2ban.te
+@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
+ #
+
+ allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
+-allow fail2ban_t self:process signal;
++allow fail2ban_t self:process { setsched signal };
+ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+ allow fail2ban_t self:unix_stream_socket { accept connectto listen };
+ allow fail2ban_t self:tcp_socket { accept listen };
@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
@@ -23092,7 +23123,7 @@ index 0872e50..d336d7f 100644
files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t)
-@@ -92,12 +90,10 @@ auth_use_nsswitch(fail2ban_t)
+@@ -92,22 +90,33 @@ auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)
@@ -23107,7 +23138,19 @@ index 0872e50..d336d7f 100644
optional_policy(`
apache_read_log(fail2ban_t)
-@@ -108,6 +104,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dbus_system_bus_client(fail2ban_t)
++ dbus_connect_system_bus(fail2ban_t)
++
++ optional_policy(`
++ firewalld_dbus_chat(fail2ban_t)
++ ')
++')
++
++optional_policy(`
+ ftp_read_log(fail2ban_t)
')
optional_policy(`
@@ -23118,7 +23161,18 @@ index 0872e50..d336d7f 100644
iptables_domtrans(fail2ban_t)
')
-@@ -129,6 +129,7 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -116,6 +125,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rpm_exec(fail2ban_t)
++')
++
++optional_policy(`
+ shorewall_domtrans(fail2ban_t)
+ ')
+
+@@ -129,22 +142,24 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -23126,8 +23180,12 @@ index 0872e50..d336d7f 100644
stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
kernel_read_system_state(fail2ban_client_t)
-@@ -137,14 +138,12 @@ corecmd_exec_bin(fail2ban_client_t)
+ corecmd_exec_bin(fail2ban_client_t)
+
++dev_read_urand(fail2ban_client_t)
++dev_read_rand(fail2ban_client_t)
++
domain_use_interactive_fds(fail2ban_client_t)
-files_read_etc_files(fail2ban_client_t)
@@ -23308,14 +23366,14 @@ index 21d7b84..0e272bd 100644
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if
-index 5cf6ac6..62547ee 100644
+index 5cf6ac6..0fc685b 100644
--- a/firewalld.if
+++ b/firewalld.if
@@ -2,6 +2,66 @@
########################################
## <summary>
-+## Execute a domain transition to run firewalld.
++## Read firewalld config
+## </summary>
+## <param name="domain">
+## <summary>
@@ -23323,15 +23381,15 @@ index 5cf6ac6..62547ee 100644
+## </summary>
+## </param>
+#
-+interface(`firewalld_domtrans',`
++interface(`firewalld_read_config',`
+ gen_require(`
-+ type firewalld_t, firewalld_exec_t;
++ type firewalld_etc_rw_t;
+ ')
+
-+ domtrans_pattern($1, firewalld_exec_t, firewalld_t)
++ files_search_etc($1)
++ read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
+')
+
-+
+########################################
+## <summary>
+## Execute firewalld server in the firewalld domain.
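Review bot: `firewalld_read_config` on lines 698-707 grants `read_files_pattern` on firewalld_etc_rw_t, which gives search on the config directories but not the permission to list them; if the iptables tooling the commit message targets enumerates /etc/firewalld subdirectories rather than opening known paths, it will also need `list_dirs_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)`. Worth confirming against the actual denials before assuming file read alone is sufficient. The interface summary, gen_require block and `files_search_etc($1)` call follow the file's existing conventions.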
@@ -28645,10 +28703,10 @@ index 0000000..f4659d1
+/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0)
diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644
-index 0000000..072ddb0
+index 0000000..28263c7
--- /dev/null
+++ b/gssproxy.if
-@@ -0,0 +1,203 @@
+@@ -0,0 +1,204 @@
+
+## <summary>policy for gssproxy</summary>
+
@@ -28803,11 +28861,12 @@ index 0000000..072ddb0
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
-+ type gssproxy_t, gssproxy_var_run_t;
++ type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
++ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
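Review bot: The new `stream_connect_pattern` on gssproxy_var_lib_t (line 736) is only preceded by `files_search_pids($1)`; a caller that reaches the socket under /var/lib also needs search on the parent directories, so without `files_search_var_lib($1)` the directory traversal is denied before the connect is attempted. Add `files_search_var_lib($1)` beside the existing files_search_pids call. The gen_require change on line 731 already brings the new type into scope, so nothing else in the interface needs to move.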
@@ -34651,7 +34710,7 @@ index 7bab8e5..3baae66 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..0311d82 100644
+index 4256a4c..a8dde53 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6)
@@ -34664,7 +34723,17 @@ index 4256a4c..0311d82 100644
type logwatch_cache_t;
files_type(logwatch_cache_t)
-@@ -67,10 +68,11 @@ files_list_var(logwatch_t)
+@@ -37,7 +38,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
+ manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
+ manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
+
+-allow logwatch_t logwatch_lock_t:file manage_file_perms;
++manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
++manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
+ files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
+
+ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+@@ -67,10 +69,11 @@ files_list_var(logwatch_t)
files_search_all(logwatch_t)
files_read_var_symlinks(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
@@ -34677,7 +34746,7 @@ index 4256a4c..0311d82 100644
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
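Review bot: `manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)` is added on line 759, but the `files_lock_filetrans` on line 760 still transitions only `file`; a directory logwatch creates under the lock location would receive the generic lock type instead of logwatch_lock_t, so the new dir rule would never apply to it. If directory creation is really needed, change the transition to `files_lock_filetrans(logwatch_t, logwatch_lock_t, { file dir })`; if it is not, the manage_dirs line is unnecessary and should be dropped to keep the grant minimal. Which case applies is not determinable from the hunk.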
-@@ -92,13 +94,12 @@ libs_read_lib_files(logwatch_t)
+@@ -92,13 +95,12 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
@@ -34692,7 +34761,7 @@ index 4256a4c..0311d82 100644
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
-@@ -137,6 +138,11 @@ optional_policy(`
+@@ -137,6 +139,11 @@ optional_policy(`
')
optional_policy(`
@@ -34704,7 +34773,7 @@ index 4256a4c..0311d82 100644
rpc_search_nfs_state_data(logwatch_t)
')
-@@ -164,6 +170,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +171,12 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@@ -35387,7 +35456,7 @@ index 108c0f1..a248501 100644
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
diff --git a/mailman.te b/mailman.te
-index 8eaf51b..16086a5 100644
+index 8eaf51b..3229e0f 100644
--- a/mailman.te
+++ b/mailman.te
@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4)
@@ -35403,7 +35472,14 @@ index 8eaf51b..16086a5 100644
attribute mailman_domain;
-@@ -56,10 +62,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+@@ -50,16 +56,11 @@ manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t)
+ manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t)
+ files_lock_filetrans(mailman_domain, mailman_lock_t, file)
+
+-append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+-create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+-setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
++manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
logging_log_filetrans(mailman_domain, mailman_log_t, file)
kernel_read_kernel_sysctls(mailman_domain)
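Review bot: Replacing the append/create/setattr trio with `manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)` on line 806 gives every member of mailman_domain — the CGI and mail domains included — write, unlink and rename on the log files, which discards the append-only property the previous three rules preserved for the logs. The commit message only says mailmanctl needs to read its own log, so the minimal change is to keep the three existing lines and add `read_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)`, or to grant the wider access to the specific domain that needs it rather than the whole attribute.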
@@ -35414,7 +35490,7 @@ index 8eaf51b..16086a5 100644
corenet_tcp_sendrecv_generic_if(mailman_domain)
corenet_tcp_sendrecv_generic_node(mailman_domain)
-@@ -82,10 +85,6 @@ fs_getattr_all_fs(mailman_domain)
+@@ -82,10 +83,6 @@ fs_getattr_all_fs(mailman_domain)
libs_exec_ld_so(mailman_domain)
libs_exec_lib_files(mailman_domain)
@@ -35425,7 +35501,7 @@ index 8eaf51b..16086a5 100644
########################################
#
# CGI local policy
-@@ -115,8 +114,9 @@ optional_policy(`
+@@ -115,8 +112,9 @@ optional_policy(`
# Mail local policy
#
@@ -35437,7 +35513,7 @@ index 8eaf51b..16086a5 100644
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-@@ -127,8 +127,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t)
+@@ -127,8 +125,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_innd_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
@@ -35447,7 +35523,7 @@ index 8eaf51b..16086a5 100644
dev_read_urand(mailman_mail_t)
-@@ -142,6 +142,10 @@ optional_policy(`
+@@ -142,6 +140,10 @@ optional_policy(`
')
optional_policy(`
@@ -35458,7 +35534,7 @@ index 8eaf51b..16086a5 100644
cron_read_pipes(mailman_mail_t)
')
-@@ -182,3 +186,9 @@ optional_policy(`
+@@ -182,3 +184,9 @@ optional_policy(`
optional_policy(`
su_exec(mailman_queue_t)
')
@@ -36083,7 +36159,7 @@ index 9dbe694..f89651e 100644
admin_pattern($1, mcelog_var_run_t)
')
diff --git a/mcelog.te b/mcelog.te
-index 13ea191..b5fdecf 100644
+index 13ea191..c146d9c 100644
--- a/mcelog.te
+++ b/mcelog.te
@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
@@ -36115,7 +36191,7 @@ index 13ea191..b5fdecf 100644
-
mls_file_read_all_levels(mcelog_t)
-+auth_read_passwd(mcelog_t)
++auth_use_nsswitch(mcelog_t)
+
locallogin_use_fds(mcelog_t)
@@ -37715,10 +37791,10 @@ index 4462c0e..84944d1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..99d4eeb 100644
+index 6ffaba2..154cade 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -1,38 +1,66 @@
+@@ -1,38 +1,67 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -37760,6 +37836,7 @@ index 6ffaba2..99d4eeb 100644
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+
+#
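Review bot: The new file-context pattern `HOME_DIR/.IBMERS(/.*)?` leaves the dot unescaped, unlike every neighbouring entry (`\.spicec`, `\.texlive2012`, `\.ICAClient`), so in the regex it matches any single character and the mozilla_home_t label would also apply to a top-level entry such as `HOME_DIR/xIBMERS`. The line should read `HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)`. The matching filetrans rule added in mozilla.if already uses the literal `".IBMERS"`, so only the fc entry is off.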
@@ -37820,7 +37897,7 @@ index 6ffaba2..99d4eeb 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..5fe7031 100644
+index 6194b80..f54f1e8 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -38532,13 +38609,13 @@ index 6194b80..5fe7031 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
-+ #userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "POkemon Advanced Adventure")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..cfaf593 100644
+index 6a306ee..5222893 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -38982,7 +39059,7 @@ index 6a306ee..cfaf593 100644
')
optional_policy(`
-@@ -300,221 +324,181 @@ optional_policy(`
+@@ -300,221 +324,182 @@ optional_policy(`
########################################
#
@@ -39161,6 +39238,7 @@ index 6a306ee..cfaf593 100644
+corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
corenet_tcp_connect_vnc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
++corenet_tcp_connect_whois_port(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
+corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t)
@@ -39303,7 +39381,7 @@ index 6a306ee..cfaf593 100644
')
optional_policy(`
-@@ -523,36 +507,48 @@ optional_policy(`
+@@ -523,36 +508,48 @@ optional_policy(`
')
optional_policy(`
@@ -39365,7 +39443,7 @@ index 6a306ee..cfaf593 100644
')
optional_policy(`
-@@ -560,7 +556,7 @@ optional_policy(`
+@@ -560,7 +557,7 @@ optional_policy(`
')
optional_policy(`
@@ -39374,7 +39452,7 @@ index 6a306ee..cfaf593 100644
')
optional_policy(`
-@@ -568,108 +564,118 @@ optional_policy(`
+@@ -568,108 +565,118 @@ optional_policy(`
')
optional_policy(`
@@ -42132,7 +42210,7 @@ index 97370e4..27d3100 100644
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
-index c48dc17..43f60de 100644
+index c48dc17..f93fa69 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -1,11 +1,24 @@
@@ -42183,7 +42261,8 @@ index c48dc17..43f60de 100644
+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
- /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
++/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
@@ -42722,7 +42801,7 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 9f6179e..2b85b52 100644
+index 9f6179e..5f38792 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
@@ -42773,7 +42852,7 @@ index 9f6179e..2b85b52 100644
type mysqld_initrc_exec_t;
init_script_file(mysqld_initrc_exec_t)
-@@ -62,26 +59,26 @@ files_pid_file(mysqlmanagerd_var_run_t)
+@@ -62,27 +59,29 @@ files_pid_file(mysqlmanagerd_var_run_t)
# Local policy
#
@@ -42804,11 +42883,15 @@ index 9f6179e..2b85b52 100644
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-+allow mysqld_t mysqld_log_t:file manage_file_perms;
- logging_log_filetrans(mysqld_t, mysqld_log_t, file)
+-logging_log_filetrans(mysqld_t, mysqld_log_t, file)
++manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
++manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
++manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
++logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-@@ -93,50 +90,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+ manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+@@ -93,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
@@ -42880,7 +42963,7 @@ index 9f6179e..2b85b52 100644
')
optional_policy(`
-@@ -144,6 +145,10 @@ optional_policy(`
+@@ -144,6 +147,10 @@ optional_policy(`
')
optional_policy(`
@@ -42891,7 +42974,7 @@ index 9f6179e..2b85b52 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -153,29 +158,22 @@ optional_policy(`
+@@ -153,29 +160,22 @@ optional_policy(`
#######################################
#
@@ -42926,7 +43009,7 @@ index 9f6179e..2b85b52 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,17 +185,21 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -187,17 +187,21 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
@@ -42954,7 +43037,7 @@ index 9f6179e..2b85b52 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -205,7 +207,7 @@ optional_policy(`
+@@ -205,7 +209,7 @@ optional_policy(`
########################################
#
@@ -42963,7 +43046,7 @@ index 9f6179e..2b85b52 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +216,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +218,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -42981,7 +43064,7 @@ index 9f6179e..2b85b52 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -226,31 +229,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +231,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -43243,10 +43326,10 @@ index 0000000..90129ac
+ mysql_tcp_connect(httpd_mythtv_script_t)
+')
diff --git a/nagios.fc b/nagios.fc
-index d78dfc3..9590368 100644
+index d78dfc3..a00cc2d 100644
--- a/nagios.fc
+++ b/nagios.fc
-@@ -1,88 +1,93 @@
+@@ -1,88 +1,97 @@
-/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
@@ -43379,12 +43462,15 @@ index d78dfc3..9590368 100644
+/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
-+# label all nagios plugin as unconfined by default
-+/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
++# openshift plugins
++/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
++/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
--
++# label all nagios plugin as unconfined by default
++/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+
-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
-
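Review bot: The two openshift plugin entries are the only ones in this file rooted at `/usr/lib64/nagios/plugins/`, while the other plugin patterns, including the unconfined catch-all added just below, use `/usr/lib/nagios/plugins/`. If the package installs these checks under `/usr/lib` on some architecture they would fall through to the `nagios_unconfined_plugin_exec_t` catch-all and run unconfined instead of in the new confined domain, and conversely the catch-all never touches `/usr/lib64`. A `/usr/lib(64)?/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)` form (and the same for check_number_openshift_apps) would cover both layouts; worth confirming against where the package actually installs them.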
@@ -43631,7 +43717,7 @@ index 0641e97..d7d9a79 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 44ad3b7..d731adf 100644
+index 44ad3b7..c738393 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -43643,7 +43729,25 @@ index 44ad3b7..d731adf 100644
type nagios_var_lib_t;
files_type(nagios_var_lib_t)
-@@ -63,19 +63,20 @@ files_pid_file(nrpe_var_run_t)
+@@ -39,6 +39,7 @@ nagios_plugin_template(services)
+ nagios_plugin_template(system)
+ nagios_plugin_template(unconfined)
+ nagios_plugin_template(eventhandler)
++nagios_plugin_template(openshift)
+
+ type nagios_eventhandler_plugin_tmp_t;
+ files_tmp_file(nagios_eventhandler_plugin_tmp_t)
+@@ -46,6 +47,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t)
+ type nagios_system_plugin_tmp_t;
+ files_tmp_file(nagios_system_plugin_tmp_t)
+
++type nagios_openshift_plugin_tmp_t;
++files_tmp_file(nagios_openshift_plugin_tmp_t)
++
+ type nrpe_t;
+ type nrpe_exec_t;
+ init_daemon_domain(nrpe_t, nrpe_exec_t)
+@@ -63,19 +67,20 @@ files_pid_file(nrpe_var_run_t)
allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
@@ -43659,18 +43763,19 @@ index 44ad3b7..d731adf 100644
-
dev_read_urand(nagios_plugin_domain)
dev_read_rand(nagios_plugin_domain)
++dev_read_sysfs(nagios_plugin_domain)
-files_read_usr_files(nagios_plugin_domain)
-
-miscfiles_read_localization(nagios_plugin_domain)
-
+-
-userdom_use_user_terminals(nagios_plugin_domain)
+userdom_use_inherited_user_ptys(nagios_plugin_domain)
+userdom_use_inherited_user_ttys(nagios_plugin_domain)
########################################
#
-@@ -110,7 +111,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+@@ -110,7 +115,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
@@ -43680,7 +43785,7 @@ index 44ad3b7..d731adf 100644
manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-@@ -123,7 +125,6 @@ kernel_read_software_raid_state(nagios_t)
+@@ -123,7 +129,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
@@ -43688,7 +43793,7 @@ index 44ad3b7..d731adf 100644
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
-@@ -143,7 +144,6 @@ domain_read_all_domains_state(nagios_t)
+@@ -143,7 +148,6 @@ domain_read_all_domains_state(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
@@ -43696,7 +43801,7 @@ index 44ad3b7..d731adf 100644
files_search_spool(nagios_t)
fs_getattr_all_fs(nagios_t)
-@@ -153,8 +153,6 @@ auth_use_nsswitch(nagios_t)
+@@ -153,8 +157,6 @@ auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
@@ -43705,7 +43810,7 @@ index 44ad3b7..d731adf 100644
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
-@@ -178,6 +176,7 @@ optional_policy(`
+@@ -178,6 +180,7 @@ optional_policy(`
#
# CGI local policy
#
@@ -43713,15 +43818,18 @@ index 44ad3b7..d731adf 100644
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
-@@ -231,7 +230,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin
+@@ -229,9 +232,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
+
++kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
kernel_read_software_raid_state(nrpe_t)
-kernel_read_system_state(nrpe_t)
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
-@@ -253,7 +251,6 @@ domain_use_interactive_fds(nrpe_t)
+@@ -253,7 +256,6 @@ domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
@@ -43729,7 +43837,7 @@ index 44ad3b7..d731adf 100644
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -262,8 +259,6 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,8 +264,6 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
@@ -43738,7 +43846,7 @@ index 44ad3b7..d731adf 100644
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
-@@ -310,15 +305,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +310,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -43757,7 +43865,7 @@ index 44ad3b7..d731adf 100644
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +340,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,6 +345,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
@@ -43767,7 +43875,7 @@ index 44ad3b7..d731adf 100644
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
-@@ -357,9 +355,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +360,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
@@ -43781,7 +43889,7 @@ index 44ad3b7..d731adf 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -391,6 +391,7 @@ optional_policy(`
+@@ -391,6 +396,7 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
@@ -43789,7 +43897,7 @@ index 44ad3b7..d731adf 100644
')
optional_policy(`
-@@ -411,6 +412,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -411,6 +417,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@@ -43797,7 +43905,7 @@ index 44ad3b7..d731adf 100644
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +422,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,10 +427,10 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
@@ -43810,7 +43918,7 @@ index 44ad3b7..d731adf 100644
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
-@@ -442,6 +444,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,11 +449,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@@ -43824,8 +43932,32 @@ index 44ad3b7..d731adf 100644
+
########################################
#
- # Unconfined plugin policy
-@@ -450,3 +460,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
+-# Unconfined plugin policy
++# nagios openshift plugin policy
++#
++
++allow nagios_openshift_plugin_t self:capability sys_ptrace;
++
++manage_dirs_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
++manage_files_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
++files_tmp_filetrans(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, { file dir })
++
++corecmd_exec_bin(nagios_openshift_plugin_t)
++corecmd_exec_shell(nagios_openshift_plugin_t)
++
++domain_read_all_domains_state(nagios_openshift_plugin_t)
++
++fs_getattr_all_fs(nagios_openshift_plugin_t)
++
++optional_policy(`
++ apache_read_config(nagios_openshift_plugin_t)
++')
++
++######################################
++#
++# nagios plugin domain policy
+ #
+
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
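Review bot: The section header above the surviving `unconfined_domain(nagios_unconfined_plugin_t)` block was changed from `# Unconfined plugin policy` to `# nagios plugin domain policy`, which no longer describes what follows; the openshift section has its own header, so this one should keep its original text. Separately, `allow nagios_openshift_plugin_t self:capability sys_ptrace;` deserves a why-comment, since together with `domain_read_all_domains_state(nagios_openshift_plugin_t)` it lets the plugin read process state of every domain on the host; something like `# sys_ptrace: reads other domains' /proc/<pid> state` once the actual trigger is confirmed. The trailing `optional_policy` block is complete within the hunk.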
@@ -47972,7 +48104,7 @@ index b59196f..017b36f 100644
+ files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
')
diff --git a/ntp.te b/ntp.te
-index b90e343..71042cd 100644
+index b90e343..8369b61 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
@@ -47985,7 +48117,18 @@ index b90e343..71042cd 100644
type ntp_conf_t;
files_config_file(ntp_conf_t)
-@@ -83,21 +86,16 @@ kernel_read_system_state(ntpd_t)
+@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+ read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+
+ allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
+-append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+-create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+-setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
++manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+ logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
+
+ manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
+@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
@@ -48009,7 +48152,7 @@ index b90e343..71042cd 100644
corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)
-@@ -110,13 +108,15 @@ domain_use_interactive_fds(ntpd_t)
+@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
files_read_etc_runtime_files(ntpd_t)
@@ -48026,7 +48169,7 @@ index b90e343..71042cd 100644
auth_use_nsswitch(ntpd_t)
-@@ -124,8 +124,6 @@ init_exec_script_files(ntpd_t)
+@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t)
logging_send_syslog_msg(ntpd_t)
@@ -50206,10 +50349,10 @@ index 0000000..fdc4a03
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..35f9df0
+index 0000000..c1eed44
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,547 @@
+@@ -0,0 +1,549 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -50651,6 +50794,8 @@ index 0000000..35f9df0
+
+kernel_read_system_state(openshift_cgroup_read_t)
+
++term_dontaudit_use_generic_ptys(openshift_cgroup_read_t)
++
+miscfiles_read_localization(openshift_cgroup_read_t)
+
+optional_policy(`
@@ -51167,7 +51312,7 @@ index 9b15730..eedd136 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..9d7741b 100644
+index 508fedf..ba9ff22 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -1,4 +1,4 @@
@@ -51190,7 +51335,7 @@ index 508fedf..9d7741b 100644
type openvswitch_var_lib_t;
files_type(openvswitch_var_lib_t)
-@@ -24,20 +21,26 @@ logging_log_file(openvswitch_log_t)
+@@ -24,20 +21,28 @@ logging_log_file(openvswitch_log_t)
type openvswitch_var_run_t;
files_pid_file(openvswitch_var_run_t)
@@ -51206,6 +51351,8 @@ index 508fedf..9d7741b 100644
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
-allow openvswitch_t self:process { setrlimit setsched signal };
+allow openvswitch_t self:capability { net_admin ipc_lock sys_nice sys_resource };
++allow openvswitch_t openvswitch_t : capability { sys_module };
++allow openvswitch_t openvswitch_t : capability2 { block_suspend };
+allow openvswitch_t self:process { fork setsched setrlimit signal };
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
-allow openvswitch_t self:rawip_socket create_socket_perms;
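Review bot: The two new capability rules are written as `allow openvswitch_t openvswitch_t : capability { sys_module };` and `allow openvswitch_t openvswitch_t : capability2 { block_suspend };`, with the subject spelled out instead of `self` and a space before the colon, which reads like pasted audit2allow output and differs from the `self:capability` line directly above them. Fold them in: `allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };` and `allow openvswitch_t self:capability2 block_suspend;`. sys_module permits loading kernel modules directly; if the daemon only needs module autoload, `kernel_request_load_module(openvswitch_t)` is the narrower grant, so a comment stating why direct sys_module is required would help the next reviewer.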
@@ -51213,19 +51360,19 @@ index 508fedf..9d7741b 100644
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvswitch_t self:netlink_socket create_socket_perms;
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
++
++can_exec(openvswitch_t, openvswitch_exec_t)
-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-+can_exec(openvswitch_t, openvswitch_exec_t)
-+
+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,9 +48,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -45,9 +50,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -51236,7 +51383,7 @@ index 508fedf..9d7741b 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -57,33 +58,34 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -57,33 +60,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@@ -51256,6 +51403,7 @@ index 508fedf..9d7741b 100644
+dev_read_rand(openvswitch_t)
dev_read_urand(openvswitch_t)
++dev_read_sysfs(openvswitch_t)
domain_use_interactive_fds(openvswitch_t)
@@ -51280,6 +51428,9 @@ index 508fedf..9d7741b 100644
iptables_domtrans(openvswitch_t)
')
+
++optional_policy(`
++ plymouthd_exec_plymouth(openvswitch_t)
++')
diff --git a/pacemaker.fc b/pacemaker.fc
index 2f0ad56..d4da0b8 100644
--- a/pacemaker.fc
@@ -52037,10 +52188,10 @@ index 96db654..ff3aadd 100644
+ virt_rw_svirt_dev(pcscd_t)
+')
diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..173813f 100644
+index dfd46e4..2f407d6 100644
--- a/pegasus.fc
+++ b/pegasus.fc
-@@ -1,15 +1,15 @@
+@@ -1,15 +1,16 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
-/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
-
@@ -52065,6 +52216,7 @@ index dfd46e4..173813f 100644
+
+#openlmi agents
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
diff --git a/pegasus.if b/pegasus.if
index d2fc677..ded726f 100644
--- a/pegasus.if
@@ -52166,7 +52318,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..fa856e9 100644
+index 7bcf327..c1035d4 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -52190,12 +52342,14 @@ index 7bcf327..fa856e9 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,73 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,115 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
+# pegasus openlmi providers
+pegasus_openlmi_domain_template(account)
++pegasus_openlmi_domain_template(logicalfile)
++pegasus_openlmi_domain_template(unconfined)
+
+#######################################
+#
@@ -52246,6 +52400,46 @@ index 7bcf327..fa856e9 100644
+ usermanage_domtrans_useradd(pegasus_openlmi_account_t)
+')
+
++######################################
++#
++# pegasus openlmi logicalfile local policy
++#
++
++allow pegasus_openlmi_logicalfile_t self:capability { setuid setgid dac_override };
++files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t)
++files_manage_non_security_files(pegasus_openlmi_logicalfile_t)
++
++dev_getattr_all_blk_files(pegasus_openlmi_logicalfile_t)
++dev_getattr_all_chr_files(pegasus_openlmi_logicalfile_t)
++
++files_list_all(pegasus_openlmi_logicalfile_t)
++files_read_all_files(pegasus_openlmi_logicalfile_t)
++files_read_all_symlinks(pegasus_openlmi_logicalfile_t)
++files_read_all_blk_files(pegasus_openlmi_logicalfile_t)
++files_read_all_chr_files(pegasus_openlmi_logicalfile_t)
++files_getattr_all_pipes(pegasus_openlmi_logicalfile_t)
++files_getattr_all_sockets(pegasus_openlmi_logicalfile_t)
++
++# Add/remove user home directories
++userdom_home_filetrans_user_home_dir(pegasus_openlmi_logicalfile_t)
++userdom_manage_home_role(system_r, pegasus_openlmi_logicalfile_t)
++userdom_delete_all_user_home_content(pegasus_openlmi_logicalfile_t)
++
++optional_policy(`
++ # it can delete/create empty dirs
++ # so we want to have unconfined_domain attribute for filename rules
++ unconfined_domain(pegasus_openlmi_logicalfile_t)
++')
++
++######################################
++#
++# pegasus openlmi unconfined local policy
++#
++
++optional_policy(`
++ unconfined_domain(pegasus_openlmi_unconfined_t)
++')
++
########################################
#
-# Local policy
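Review bot: With `unconfined_domain(pegasus_openlmi_logicalfile_t)` inside the `optional_policy` block, the explicit rules above it (`files_read_all_files`, `files_manage_non_security_*`, the userdom home rules) only take effect when the unconfined module is not loaded, and the section header does not say so, so a reader will assume they define the provider's reach. Suggest extending the header comment: `# the explicit rules below are the fallback when the unconfined module is absent; with it loaded the domain is unconfined (needed for its filename transition rules)`. The `# Add/remove user home directories` comment should also say what the logicalfile provider actually does with home directories, since the rules under it grant creation and deletion of all user home content.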
@@ -52269,7 +52463,7 @@ index 7bcf327..fa856e9 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +106,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +148,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -52300,7 +52494,7 @@ index 7bcf327..fa856e9 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +132,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +174,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -52333,7 +52527,7 @@ index 7bcf327..fa856e9 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,6 +160,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +202,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -52341,7 +52535,7 @@ index 7bcf327..fa856e9 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +175,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +217,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -52359,21 +52553,21 @@ index 7bcf327..fa856e9 100644
- dbus_connect_system_bus(pegasus_t)
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
-
-- optional_policy(`
-- networkmanager_dbus_chat(pegasus_t)
-- ')
++
+ optional_policy(`
+ networkmanager_dbus_chat(pegasus_t)
+ ')
+')
-+
+
+- optional_policy(`
+- networkmanager_dbus_chat(pegasus_t)
+- ')
+optional_policy(`
+ rhcs_stream_connect_cluster(pegasus_t)
')
optional_policy(`
-@@ -151,16 +205,23 @@ optional_policy(`
+@@ -151,16 +247,23 @@ optional_policy(`
')
optional_policy(`
@@ -52401,7 +52595,7 @@ index 7bcf327..fa856e9 100644
')
optional_policy(`
-@@ -168,7 +229,7 @@ optional_policy(`
+@@ -168,7 +271,7 @@ optional_policy(`
')
optional_policy(`
@@ -53579,12 +53773,13 @@ index 0000000..0c167b7
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..6329c9c
+index 0000000..898a5e8
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,292 @@
+
+## <summary>policy for pki</summary>
++
+########################################
+## <summary>
+## Allow read and write pki cert files.
@@ -53607,6 +53802,24 @@ index 0000000..6329c9c
+
+########################################
+## <summary>
++## Allow domain to read pki cert files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pki_read_tomcat_cert',`
++ gen_require(`
++ type pki_tomcat_cert_t;
++ ')
++
++ read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++')
++
++########################################
++## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
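Review bot: `pki_read_tomcat_cert` grants only `read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)`; a caller still needs search permission on the directories leading to the cert files, which sibling read interfaces in this patch supply (`prosody_read_lib_files` adds `files_search_var_lib($1)`). Where the cert files live is not visible in this chunk; if they sit under a pki-specific directory type or under /etc, add the matching `files_search_*` or `search_dir_perms` rule here so the interface is usable on its own.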
@@ -59833,6 +60046,346 @@ index d447152..a911295 100644
sendmail_domtrans(procmail_t)
sendmail_signal(procmail_t)
sendmail_dontaudit_rw_tcp_sockets(procmail_t)
+diff --git a/prosody.fc b/prosody.fc
+new file mode 100644
+index 0000000..96a0d9f
+--- /dev/null
++++ b/prosody.fc
+@@ -0,0 +1,8 @@
++/usr/bin/prosody -- gen_context(system_u:object_r:prosody_exec_t,s0)
++/usr/bin/prosodyctl -- gen_context(system_u:object_r:prosody_exec_t,s0)
++
++/usr/lib/systemd/system/prosody.service -- gen_context(system_u:object_r:prosody_unit_file_t,s0)
++
++/var/lib/prosody(/.*)? gen_context(system_u:object_r:prosody_var_lib_t,s0)
++
++/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0)
+diff --git a/prosody.if b/prosody.if
+new file mode 100644
+index 0000000..8867237
+--- /dev/null
++++ b/prosody.if
+@@ -0,0 +1,239 @@
++
++## <summary>policy for prosody</summary>
++
++########################################
++## <summary>
++## Execute TEMPLATE in the prosody domin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`prosody_domtrans',`
++ gen_require(`
++ type prosody_t, prosody_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, prosody_exec_t, prosody_t)
++')
++
++########################################
++## <summary>
++## Search prosody lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`prosody_search_lib',`
++ gen_require(`
++ type prosody_var_lib_t;
++ ')
++
++ allow $1 prosody_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read prosody lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`prosody_read_lib_files',`
++ gen_require(`
++ type prosody_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage prosody lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`prosody_manage_lib_files',`
++ gen_require(`
++ type prosody_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage prosody lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`prosody_manage_lib_dirs',`
++ gen_require(`
++ type prosody_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
++')
++
++########################################
++## <summary>
++## Read prosody PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`prosody_read_pid_files',`
++ gen_require(`
++ type prosody_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, prosody_var_run_t, prosody_var_run_t)
++')
++
++########################################
++## <summary>
++## Execute prosody server in the prosody domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`prosody_systemctl',`
++ gen_require(`
++ type prosody_t;
++ type prosody_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 prosody_unit_file_t:file read_file_perms;
++ allow $1 prosody_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, prosody_t)
++')
++
++
++########################################
++## <summary>
++## Execute prosody in the prosody domain, and
++## allow the specified role the prosody domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the prosody domain.
++## </summary>
++## </param>
++#
++interface(`prosody_run',`
++ gen_require(`
++ type prosody_t;
++ attribute_role prosody_roles;
++ ')
++
++ prosody_domtrans($1)
++ roleattribute $2 prosody_roles;
++')
++
++########################################
++## <summary>
++## Role access for prosody
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## User domain for the role
++## </summary>
++## </param>
++#
++interface(`prosody_role',`
++ gen_require(`
++ type prosody_t;
++ attribute_role prosody_roles;
++ ')
++
++ roleattribute $1 prosody_roles;
++
++ prosody_domtrans($2)
++
++ ps_process_pattern($2, prosody_t)
++ allow $2 prosody_t:process { signull signal sigkill };
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an prosody environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`prosody_admin',`
++ gen_require(`
++ type prosody_t;
++ type prosody_var_lib_t;
++ type prosody_var_run_t;
++ type prosody_unit_file_t;
++ ')
++
++ allow $1 prosody_t:process { ptrace signal_perms };
++ ps_process_pattern($1, prosody_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, prosody_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, prosody_var_run_t)
++
++ prosody_systemctl($1)
++ admin_pattern($1, prosody_unit_file_t)
++ allow $1 prosody_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/prosody.te b/prosody.te
+new file mode 100644
+index 0000000..4f6badd
+--- /dev/null
++++ b/prosody.te
+@@ -0,0 +1,75 @@
++policy_module(prosody, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++## <p>
++## Permit to prosody to bind apache port.
++## Need to be activated to use BOSH.
++## </p>
++## </desc>
++gen_tunable(prosody_bind_http_port, false)
++
++type prosody_t;
++type prosody_exec_t;
++init_daemon_domain(prosody_t, prosody_exec_t)
++
++type prosody_var_lib_t;
++files_type(prosody_var_lib_t)
++
++type prosody_var_run_t;
++files_pid_file(prosody_var_run_t)
++
++type prosody_unit_file_t;
++systemd_unit_file(prosody_unit_file_t)
++
++########################################
++#
++# prosody local policy
++#
++allow prosody_t self:capability { setuid setgid };
++allow prosody_t self:process signal_perms;
++allow prosody_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
++manage_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
++manage_lnk_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
++files_var_lib_filetrans(prosody_t, prosody_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
++manage_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
++manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
++files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file })
++
++can_exec(prosody_t, prosody_exec_t)
++
++kernel_read_system_state(prosody_t)
++
++corecmd_exec_bin(prosody_t)
++corecmd_exec_shell(prosody_t)
++
++corenet_udp_bind_generic_node(prosody_t)
++corenet_tcp_connect_jabber_interserver_port(prosody_t)
++corenet_tcp_connect_jabber_client_port(prosody_t)
++corenet_tcp_bind_jabber_client_port(prosody_t)
++corenet_tcp_bind_jabber_interserver_port(prosody_t)
++corenet_tcp_bind_jabber_router_port(prosody_t)
++tunable_policy(`prosody_bind_http_port',`
++ corenet_tcp_bind_http_port(prosody_t)
++')
++
++dev_read_urand(prosody_t)
++
++domain_use_interactive_fds(prosody_t)
++
++files_read_etc_files(prosody_t)
++
++auth_use_nsswitch(prosody_t)
++sysnet_read_config(prosody_t)
++
++logging_send_syslog_msg(prosody_t)
++
++miscfiles_read_localization(prosody_t)
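Review bot: `prosody_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `prosody_admin` a few lines later calls `systemd_read_fifo_file_passwd_run($1)`; only one of these can be a defined interface, and an undefined m4 macro is passed through as literal text and breaks the module build, so both should use the same name (I believe `passwd_run` is the existing spelling — check systemd.if). Separately, prosody.te only allows `self:tcp_socket create_stream_socket_perms` and binds the jabber ports over TCP, yet the sole node rule is `corenet_udp_bind_generic_node(prosody_t)`; the TCP listeners also need `corenet_tcp_bind_generic_node(prosody_t)` or their node_bind checks will be denied, and the udp rule looks unused. prosody.fc also labels nothing under /etc/prosody (config and, presumably, the TLS key material) or /var/log/prosody, so those stay generic etc_t / var_log_t — worth confirming the daemon's actual paths before this ships.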
diff --git a/psad.if b/psad.if
index d4dcf78..59ab964 100644
--- a/psad.if
@@ -69907,7 +70460,7 @@ index 3bd6446..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index e5212e6..df782bf 100644
+index e5212e6..4fb05d7 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@@ -70118,7 +70671,7 @@ index e5212e6..df782bf 100644
')
########################################
-@@ -195,41 +141,56 @@ optional_policy(`
+@@ -195,41 +141,57 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -70146,6 +70699,7 @@ index e5212e6..df782bf 100644
-
-corecmd_exec_shell(nfsd_t)
+corenet_udp_bind_mountd_port(nfsd_t)
++corenet_tcp_bind_mountd_port(nfsd_t)
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
@@ -70182,7 +70736,7 @@ index e5212e6..df782bf 100644
miscfiles_manage_public_files(nfsd_t)
')
-@@ -238,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -238,7 +200,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -70190,7 +70744,7 @@ index e5212e6..df782bf 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -250,12 +210,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -250,12 +211,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -70205,7 +70759,7 @@ index e5212e6..df782bf 100644
')
########################################
-@@ -271,6 +231,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -271,6 +232,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -70213,7 +70767,7 @@ index e5212e6..df782bf 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
-@@ -279,25 +240,29 @@ kernel_signal(gssd_t)
+@@ -279,25 +241,29 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@@ -70246,7 +70800,7 @@ index e5212e6..df782bf 100644
')
optional_policy(`
-@@ -306,8 +271,11 @@ optional_policy(`
+@@ -306,8 +272,11 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
@@ -75111,10 +75665,10 @@ index 0000000..5da5bff
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..5021551
+index 0000000..ce3ac47
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,467 @@
+@@ -0,0 +1,481 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -75463,21 +76017,35 @@ index 0000000..5021551
+corenet_tcp_sendrecv_squid_port(sandbox_web_type)
+corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
+corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
-+corenet_tcp_connect_http_port(sandbox_web_type)
-+corenet_tcp_connect_http_cache_port(sandbox_web_type)
-+corenet_tcp_connect_squid_port(sandbox_web_type)
++corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
++corenet_tcp_connect_aol_port(sandbox_web_type)
++corenet_tcp_connect_asterisk_port(sandbox_web_type)
++corenet_tcp_connect_commplex_link_port(sandbox_web_type)
++corenet_tcp_connect_couchdb_port(sandbox_web_type)
+corenet_tcp_connect_flash_port(sandbox_web_type)
+corenet_tcp_connect_ftp_port(sandbox_web_type)
-+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
++corenet_tcp_connect_gatekeeper_port(sandbox_web_type)
++corenet_tcp_connect_generic_port(sandbox_web_type)
++corenet_tcp_connect_http_cache_port(sandbox_web_type)
++corenet_tcp_connect_http_port(sandbox_web_type)
+corenet_tcp_connect_ipp_port(sandbox_web_type)
++corenet_tcp_connect_ipsecnat_port(sandbox_web_type)
++corenet_tcp_connect_ircd_port(sandbox_web_type)
++corenet_tcp_connect_jabber_client_port(sandbox_web_type)
++corenet_tcp_connect_jboss_management_port(sandbox_web_type)
++corenet_tcp_connect_mmcc_port(sandbox_web_type)
++corenet_tcp_connect_monopd_port(sandbox_web_type)
++corenet_tcp_connect_msnp_port(sandbox_web_type)
+corenet_tcp_connect_ms_streaming_port(sandbox_web_type)
-+corenet_tcp_connect_rtsp_port(sandbox_web_type)
+corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
-+corenet_tcp_connect_tor_port(sandbox_web_type)
-+corenet_tcp_connect_speech_port(sandbox_web_type)
-+corenet_tcp_connect_generic_port(sandbox_web_type)
++corenet_tcp_connect_rtsp_port(sandbox_web_type)
+corenet_tcp_connect_soundd_port(sandbox_web_type)
+corenet_tcp_connect_speech_port(sandbox_web_type)
++corenet_tcp_connect_squid_port(sandbox_web_type)
++corenet_tcp_connect_tor_port(sandbox_web_type)
++corenet_tcp_connect_transproxy_port(sandbox_web_type)
++corenet_tcp_connect_vnc_port(sandbox_web_type)
++corenet_tcp_connect_whois_port(sandbox_web_type)
+corenet_sendrecv_http_client_packets(sandbox_web_type)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
+corenet_sendrecv_squid_client_packets(sandbox_web_type)
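Review bot: The new connect rules widen `sandbox_web_type` — the confinement domain for untrusted browser content — from web-oriented ports to local management and service ports: `corenet_tcp_connect_vnc_port`, `corenet_tcp_connect_jboss_management_port`, `corenet_tcp_connect_couchdb_port`, `corenet_tcp_connect_asterisk_port`, `corenet_tcp_connect_ipsecnat_port`, `corenet_tcp_connect_transproxy_port`. Copying mozilla_plugin_t's list wholesale means a compromised sandboxed page can reach any of those services on localhost or the LAN, which is the opposite of what the sandbox exists for. Consider keeping the strictly web ports unconditional and moving the rest into a `tunable_policy` block keyed on a new boolean that defaults to false, or at least add a comment above the block explaining why each non-web port is needed by a sandboxed browser.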
@@ -79361,7 +79929,7 @@ index 7d86b34..5f58180 100644
+ files_list_pids($1)
')
diff --git a/snort.te b/snort.te
-index ccd28bb..b9e856e 100644
+index ccd28bb..80106ac 100644
--- a/snort.te
+++ b/snort.te
@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
@@ -79387,7 +79955,7 @@ index ccd28bb..b9e856e 100644
corenet_all_recvfrom_netlabel(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
-@@ -86,7 +88,6 @@ dev_rw_generic_usb_dev(snort_t)
+@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t)
domain_use_interactive_fds(snort_t)
@@ -79395,7 +79963,11 @@ index ccd28bb..b9e856e 100644
files_dontaudit_read_etc_runtime_files(snort_t)
fs_getattr_all_fs(snort_t)
-@@ -96,8 +97,6 @@ init_read_utmp(snort_t)
+ fs_search_auto_mountpoints(snort_t)
+
++auth_read_passwd(snort_t)
++
+ init_read_utmp(snort_t)
logging_send_syslog_msg(snort_t)
@@ -79512,16 +80084,18 @@ index db1bc6f..b6c0d16 100644
userdom_dontaudit_use_unpriv_user_fds(soundd_t)
diff --git a/spamassassin.fc b/spamassassin.fc
-index e9bd097..80c9e56 100644
+index e9bd097..e059e27 100644
--- a/spamassassin.fc
+++ b/spamassassin.fc
-@@ -1,20 +1,24 @@
+@@ -1,20 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
-HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -79548,7 +80122,7 @@ index e9bd097..80c9e56 100644
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
-@@ -25,7 +29,25 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
+@@ -25,7 +31,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
@@ -79559,9 +80133,6 @@ index e9bd097..80c9e56 100644
/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+
-+/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+
+/etc/pyzor(/.*)? gen_context(system_u:object_r:spamd_etc_t, s0)
+/etc/razor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
@@ -79577,7 +80148,7 @@ index e9bd097..80c9e56 100644
+/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0)
diff --git a/spamassassin.if b/spamassassin.if
-index 1499b0b..3052bd2 100644
+index 1499b0b..6950cab 100644
--- a/spamassassin.if
+++ b/spamassassin.if
@@ -2,39 +2,45 @@
@@ -79929,7 +80500,7 @@ index 1499b0b..3052bd2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -348,19 +323,60 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+@@ -348,19 +323,62 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
## </summary>
## </param>
#
@@ -79963,6 +80534,7 @@ index 1499b0b..3052bd2 100644
+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
+ userdom_user_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
++ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
+')
+
+######################################
@@ -79983,6 +80555,7 @@ index 1499b0b..3052bd2 100644
+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
+ userdom_admin_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
++ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
+')
+
+
@@ -79995,7 +80568,7 @@ index 1499b0b..3052bd2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -369,20 +385,22 @@ interface(`spamassassin_stream_connect_spamd',`
+@@ -369,20 +387,22 @@ interface(`spamassassin_stream_connect_spamd',`
## </param>
## <param name="role">
## <summary>
@@ -80022,7 +80595,7 @@ index 1499b0b..3052bd2 100644
init_labeled_script_domtrans($1, spamd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -403,6 +421,4 @@ interface(`spamassassin_admin',`
+@@ -403,6 +423,4 @@ interface(`spamassassin_admin',`
files_list_pids($1)
admin_pattern($1, spamd_var_run_t)
@@ -82647,10 +83220,10 @@ index ac8213a..20fa71f 100644
-
-miscfiles_read_localization(tcsd_t)
diff --git a/telepathy.fc b/telepathy.fc
-index c7de0cf..a275bd6 100644
+index c7de0cf..9813503 100644
--- a/telepathy.fc
+++ b/telepathy.fc
-@@ -1,34 +1,21 @@
+@@ -1,34 +1,22 @@
-HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
@@ -82700,6 +83273,7 @@ index c7de0cf..a275bd6 100644
+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
++/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/telepathy.if b/telepathy.if
@@ -84793,7 +85367,7 @@ index 67ca5c5..a1ef2d2 100644
fs_search_auto_mountpoints(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index a4a949c..0ac90ac 100644
+index a4a949c..e56b59e 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3)
@@ -84861,11 +85435,12 @@ index a4a949c..0ac90ac 100644
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
-@@ -69,7 +78,19 @@ optional_policy(`
+@@ -69,7 +78,20 @@ optional_policy(`
')
optional_policy(`
- lpd_manage_spool(tmpreaper_t)
++ lpd_list_spool(tmpreaper_t)
+ lpd_read_spool(tmpreaper_t)
+')
+
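Review bot: `lpd_list_spool(tmpreaper_t)` together with `lpd_read_spool(tmpreaper_t)` only lets tmpwatch walk and read /var/spool/cups/tmp; tmpwatch's purpose there is to delete stale files, and nothing in this hunk grants unlink/rmdir on the spool type, so AVC denials are likely the moment it finds an expired entry (the enclosing optional_policy starts before the hunk). If the intent is that tmpwatch prunes that directory, an interface that grants deletion (the `lpd_manage_spool` the patch previously used, or a narrower delete-only interface in lpd.if) is what is needed; if the intent really is scan-only, say so above the block, e.g. `# tmpwatch only scans the cups spool; deletion intentionally not granted`.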
@@ -94273,10 +94848,10 @@ index b0803c2..13da3cf 100644
+')
diff --git a/zoneminder.fc b/zoneminder.fc
new file mode 100644
-index 0000000..e1602ec
+index 0000000..a468da3
--- /dev/null
+++ b/zoneminder.fc
-@@ -0,0 +1,24 @@
+@@ -0,0 +1,26 @@
+/etc/rc\.d/init\.d/motion -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
@@ -94285,6 +94860,8 @@ index 0000000..e1602ec
+
+/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
+
++/usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0)
++
+/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
+
+/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
@@ -94646,10 +95223,10 @@ index 0000000..c72a70d
+
diff --git a/zoneminder.te b/zoneminder.te
new file mode 100644
-index 0000000..67b461b
+index 0000000..bdb821a
--- /dev/null
+++ b/zoneminder.te
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,174 @@
+policy_module(zoneminder, 1.0.0)
+
+########################################
@@ -94659,16 +95236,31 @@ index 0000000..67b461b
+
+## <desc>
+## <p>
++## Allow ZoneMinder to run su/sudo.
++## </p>
++## </desc>
++gen_tunable(zoneminder_run_sudo, false)
++
++
++## <desc>
++## <p>
+## Allow ZoneMinder to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(zoneminder_anon_write, false)
+
++gen_require(`
++ class passwd rootok;
++ ')
++
+type zoneminder_t;
+type zoneminder_exec_t;
+init_daemon_domain(zoneminder_t, zoneminder_exec_t)
+
++type zoneminder_unit_file_t;
++systemd_unit_file(zoneminder_unit_file_t)
++
+type zoneminder_initrc_exec_t;
+init_script_file(zoneminder_initrc_exec_t)
+
@@ -94709,7 +95301,8 @@ index 0000000..67b461b
+manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
-+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file })
++manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file lnk_file sock_file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
+manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
@@ -94722,6 +95315,8 @@ index 0000000..67b461b
+
+kernel_read_system_state(zoneminder_t)
+
++domain_read_all_domains_state(zoneminder_t)
++
+corecmd_exec_bin(zoneminder_t)
+corecmd_exec_shell(zoneminder_t)
+
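Review bot: `domain_read_all_domains_state(zoneminder_t)` lets the daemon read /proc/<pid> state (cmdline, environ, maps, status) of every confined process on the host, a sizeable disclosure surface for a network-reachable service. If this is only for zmdc.pl checking its own workers, those run in zoneminder_t and are typically already covered by the domain's self rules; if it needs one specific foreign domain (httpd, mysqld) use that domain's read-state interface instead of the all-domains grant. At minimum add a why-comment, e.g. `# zmdc.pl reads /proc/<pid> of ... -- confirm which domains actually need this`.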
@@ -94735,15 +95330,45 @@ index 0000000..67b461b
+dev_read_video_dev(zoneminder_t)
+dev_write_video_dev(zoneminder_t)
+
-+
+auth_use_nsswitch(zoneminder_t)
+
+logging_send_syslog_msg(zoneminder_t)
++logging_send_audit_msgs(zoneminder_t)
++
++mta_send_mail(zoneminder_t)
+
+tunable_policy(`zoneminder_anon_write',`
+ miscfiles_manage_public_files(zoneminder_t)
+')
+
++tunable_policy(`zoneminder_run_sudo',`
++ allow zoneminder_t self:capability { setuid setgid sys_resource };
++ allow zoneminder_t self:process { setrlimit setsched };
++ allow zoneminder_t self:key write;
++ allow zoneminder_t self:passwd rootok;
++
++ auth_rw_lastlog(zoneminder_t)
++
++ selinux_compute_access_vector(zoneminder_t)
++
++ systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
++ systemd_dbus_chat_logind(zoneminder_t)
++
++ xserver_exec_xauth(zoneminder_t)
++')
++
++optional_policy(`
++ tunable_policy(`zoneminder_run_sudo',`
++ dbus_system_bus_client(zoneminder_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`zoneminder_run_sudo',`
++ sudo_exec(zoneminder_t)
++ su_exec(zoneminder_t)
++ ')
++')
+optional_policy(`
+ mysql_stream_connect(zoneminder_t)
+')
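Review bot: The `<desc>` for `zoneminder_run_sudo` ("Allow ZoneMinder to run su/sudo") understates what enabling it grants: `self:capability { setuid setgid sys_resource }`, `self:passwd rootok`, `auth_rw_lastlog`, logind dbus chat, and `sudo_exec`/`su_exec` with no domain transition, so su/sudo run inside zoneminder_t with the PAM rootok path available to that domain. A boolean that reads like "let the start script call sudo" therefore makes any NOPASSWD sudoers rule or rootok-based su usable from a network-reachable daemon, and the description should say so, e.g. extend it with `Grants setuid/setgid, passwd rootok and execution of su/sudo inside the zoneminder domain; leave disabled unless zmpkg.pl must invoke sudo.` A short comment above the `tunable_policy` block naming which ZoneMinder script needs sudo would also help the next reviewer judge whether the grant is still required.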
@@ -94760,7 +95385,12 @@ index 0000000..67b461b
+ #allow httpd_zoneminder_script_t self:shm create_shm_perms;
+
+ manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++
++ rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++
+ zoneminder_stream_connect(httpd_zoneminder_script_t)
++
++ can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
+
+ files_search_var_lib(httpd_zoneminder_script_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index eddfbfc..2fcda05 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 58%{?dist}
+Release: 59%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,47 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jul 3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-59
+- Add prosody policy written by Michael Scherer
+- Allow nagios plugins to read /sys info
+- ntpd needs to manage own log files
+- Add support for HOME_DIR/.IBMERS
+- Allow iptables commands to read firewalld config
+- Allow consolekit_t to read utmp
+- Fix filename transitions on .razor directory
+- Add additional fixes to make DSPAM with LDA working
+- Allow snort to read /etc/passwd
+- Allow fail2ban to communicate with firewalld over dbus
+- Dontaudit openshift_cgreoup_file_t read/write leaked dev
+- Allow nfsd to use mountd port
+- Call th proper interface
+- Allow openvswitch to read sys and execute plymouth
+- Allow tmpwatch to read /var/spool/cups/tmp
+- Add support for /usr/libexec/telepathy-rakia
+- Add systemd support for zoneminder
+- Allow mysql to create files/directories under /var/log/mysql
+- Allow zoneminder apache scripts to rw zoneminder tmpfs
+- Allow httpd to manage zoneminder lib files
+- Add zoneminder_run_sudo boolean to allow to start zoneminder
+- Allow zoneminder to send mails
+- gssproxy_t sock_file can be under /var/lib
+- Allow web domains to connect to whois port.
+- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
+- We really need to add an interface to corenet to define what a web_client_domain is and
+- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
+- Add labeling for cmpiLMI_LogicalFile-cimprovagt
+- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
+- Update policy rules for pegasus_openlmi_logicalfile_t
+- Add initial types for logicalfile/unconfined OpenLMI providers
+- mailmanctl needs to read own log
+- Allow logwatch manage own lock files
+- Allow nrpe to read meminfo
+- Allow httpd to read certs located in pki-ca
+- Add pki_read_tomcat_cert() interface
+- Add support for nagios openshift plugins
+- Add port definition for redis port
+- fix selinuxuser_use_ssh_chroot boolean
+
* Fri Jun 28 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-58
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
- Allow bootloader to manage generic log files