[selinux-policy] * Tue Jul 9 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-62 - Fix definition of sandbox.disabled t

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jul 9 19:53:34 UTC 2013


commit 60ad55be4d0f1848db253dd3a3267adbe118bfeb
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Jul 9 21:53:12 2013 +0200

    * Tue Jul 9 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-62
    - Fix definition of sandbox.disabled to sandbox.pp.disabled

 policy-rawhide-base.patch    |  176 +++++++++++------
 policy-rawhide-contrib.patch |  459 ++++++++++++++++++++++++++----------------
 selinux-policy.spec          |   35 +++-
 3 files changed, 439 insertions(+), 231 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2efeb50..b74e6f2 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3042,7 +3042,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..38a8a2d 100644
+index 644d4d7..51181b8 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3229,7 +3229,7 @@ index 644d4d7..38a8a2d 100644
 +/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/vte/gnome-pty-helper	--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/systemd/system-sleep/(.*)? 	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/systemd/system-sleep(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/vte/gnome-pty-helper 	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/yaboot/addnote	      	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
@@ -8257,7 +8257,7 @@ index 6529bd9..831344c 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..adafd25 100644
+index 6a1e4d1..c691385 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -8296,6 +8296,15 @@ index 6a1e4d1..adafd25 100644
  ')
  
  ########################################
+@@ -128,7 +103,7 @@ interface(`domain_entry_file',`
+ 	')
+ 
+ 	allow $1 $2:file entrypoint;
+-	allow $1 $2:file { mmap_file_perms ioctl lock };
++	allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };
+ 
+ 	typeattribute $2 entry_type;
+ 
 @@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',`
  
  ########################################
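Review bot: The `execute_no_trans` added to `domain_entry_file` (inner hunk `-128,7 +103,7`) is granted for every domain/entry-file pair that goes through this interface, so each confined domain may now re-execute its own entrypoint binary without a transition. Nothing in the patch or the changelog says which denial motivated this. If only a few daemons re-exec themselves, a per-domain `can_exec(<domain>, <entry type>)` in the affected modules would be narrower. Otherwise the rule should carry a rationale such as `# allow a domain to re-exec its own entry point in place (no transition)`. The interface body starts and ends outside this hunk.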
@@ -9055,7 +9064,7 @@ index c2c6e05..be423a7 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..fe6d89c 100644
+index 64ff4d7..3e91f7d 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -11585,7 +11594,7 @@ index 64ff4d7..fe6d89c 100644
  	')
  
  	allow $1 var_t:dir search_dir_perms;
-@@ -6562,3 +7839,474 @@ interface(`files_unconfined',`
+@@ -6562,3 +7839,491 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -12060,6 +12069,23 @@ index 64ff4d7..fe6d89c 100644
 +	allow $1 file_type:service all_service_perms;
 +')
 +
++########################################
++## <summary>
++##	Get the status of etc_t files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_status_etc',`
++	gen_require(`
++		type etc_t;
++	')
++
++	allow $1 etc_t:service status;
++')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 148d87a..822f6be 100644
 --- a/policy/modules/kernel/files.te
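Review bot: The summary on the new `files_status_etc` interface says "Get the status of etc_t files", but the rule it emits is `allow $1 etc_t:service status;`, which is a permission on the `service` class, not on files. A reader auditing `sysadm.te`, where this commit adds `files_status_etc(sysadm_t)`, would be misled about what is granted. I would reword the summary to `##	Get the status of services whose unit files are labeled etc_t.`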
@@ -16648,10 +16674,10 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..3577c24 100644
+index 5da7870..1a2de40 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1)
+@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
@@ -16683,6 +16709,7 @@ index 5da7870..3577c24 100644
 +dev_read_kmsg(staff_t)
 +
 +domain_read_all_domains_state(staff_t)
++domain_getsched_all_domains(staff_t)
 +domain_getattr_all_domains(staff_t)
 +domain_obj_id_change_exemption(staff_t)
 +
@@ -16719,7 +16746,7 @@ index 5da7870..3577c24 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +78,102 @@ optional_policy(`
+@@ -23,11 +79,102 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16823,7 +16850,7 @@ index 5da7870..3577c24 100644
  ')
  
  optional_policy(`
-@@ -35,15 +181,31 @@ optional_policy(`
+@@ -35,15 +182,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16857,7 +16884,7 @@ index 5da7870..3577c24 100644
  ')
  
  optional_policy(`
-@@ -52,10 +214,55 @@ optional_policy(`
+@@ -52,10 +215,55 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16913,7 +16940,7 @@ index 5da7870..3577c24 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -65,10 +272,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +273,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16924,7 +16951,7 @@ index 5da7870..3577c24 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -78,10 +281,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +282,6 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		dbus_role_template(staff, staff_r, staff_t)
@@ -16935,7 +16962,7 @@ index 5da7870..3577c24 100644
  	')
  
  	optional_policy(`
-@@ -101,10 +300,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +301,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16946,7 +16973,7 @@ index 5da7870..3577c24 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +320,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +321,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16957,7 +16984,7 @@ index 5da7870..3577c24 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +332,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +333,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16968,7 +16995,7 @@ index 5da7870..3577c24 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +363,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +364,22 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -17020,10 +17047,10 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..c461b2b 100644
+index 88d0028..c3275cb 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,80 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,81 @@ policy_module(sysadm, 2.5.1)
  # Declarations
  #
  
@@ -17056,6 +17083,7 @@ index 88d0028..c461b2b 100644
 +
 +files_read_kernel_modules(sysadm_t)
 +files_filetrans_named_content(sysadm_t)
++files_status_etc(sysadm_t)
 +
 +fs_mount_fusefs(sysadm_t)
 +
@@ -17115,7 +17143,7 @@ index 88d0028..c461b2b 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,13 +96,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +97,7 @@ ifdef(`distro_gentoo',`
  	init_exec_rc(sysadm_t)
  ')
  
@@ -17130,7 +17158,7 @@ index 88d0028..c461b2b 100644
  	domain_ptrace_all_domains(sysadm_t)
  ')
  
-@@ -71,9 +106,9 @@ optional_policy(`
+@@ -71,9 +107,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -17141,7 +17169,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -87,6 +122,7 @@ optional_policy(`
+@@ -87,6 +123,7 @@ optional_policy(`
  
  optional_policy(`
  	asterisk_stream_connect(sysadm_t)
@@ -17149,7 +17177,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -110,11 +146,17 @@ optional_policy(`
+@@ -110,11 +147,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17167,7 +17195,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -122,11 +164,19 @@ optional_policy(`
+@@ -122,11 +165,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17189,7 +17217,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -140,6 +190,10 @@ optional_policy(`
+@@ -140,6 +191,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17200,7 +17228,7 @@ index 88d0028..c461b2b 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -156,11 +210,11 @@ optional_policy(`
+@@ -156,11 +211,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17214,7 +17242,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -179,6 +233,13 @@ optional_policy(`
+@@ -179,6 +234,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -17228,7 +17256,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -186,15 +247,20 @@ optional_policy(`
+@@ -186,15 +248,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17252,7 +17280,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -214,22 +280,20 @@ optional_policy(`
+@@ -214,22 +281,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -17281,7 +17309,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -241,14 +305,27 @@ optional_policy(`
+@@ -241,14 +306,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17309,7 +17337,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -256,10 +333,20 @@ optional_policy(`
+@@ -256,10 +334,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17330,7 +17358,7 @@ index 88d0028..c461b2b 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +357,36 @@ optional_policy(`
+@@ -270,31 +358,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17374,7 +17402,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -319,12 +411,18 @@ optional_policy(`
+@@ -319,12 +412,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17394,7 +17422,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -349,7 +447,18 @@ optional_policy(`
+@@ -349,7 +448,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17414,7 +17442,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -360,19 +469,15 @@ optional_policy(`
+@@ -360,19 +470,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17436,7 +17464,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -384,10 +489,6 @@ optional_policy(`
+@@ -384,10 +490,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17447,7 +17475,7 @@ index 88d0028..c461b2b 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +496,9 @@ optional_policy(`
+@@ -395,6 +497,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -17457,7 +17485,7 @@ index 88d0028..c461b2b 100644
  ')
  
  optional_policy(`
-@@ -402,31 +506,34 @@ optional_policy(`
+@@ -402,31 +507,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17498,7 +17526,7 @@ index 88d0028..c461b2b 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,10 +546,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +547,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17509,7 +17537,7 @@ index 88d0028..c461b2b 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -463,15 +566,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +567,75 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -23933,10 +23961,10 @@ index 1b6619e..be02b96 100644
 +    allow $1 application_domain_type:socket_class_set getattr;
 +')
 diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..cd80b96 100644
+index c6fdab7..af71c62 100644
 --- a/policy/modules/system/application.te
 +++ b/policy/modules/system/application.te
-@@ -6,12 +6,33 @@ attribute application_domain_type;
+@@ -6,15 +6,40 @@ attribute application_domain_type;
  # Executables to be run by user
  attribute application_exec_type;
  
@@ -23957,11 +23985,11 @@ index c6fdab7..cd80b96 100644
 +	afs_rw_udp_sockets(application_domain_type)
 +')
 +
-+optional_policy(`
+ optional_policy(`
 +	cfengine_append_inherited_log(application_domain_type)
 +')
 +
- optional_policy(`
++optional_policy(`
 +	cron_rw_inherited_user_spool_files(application_domain_type)
  	cron_sigchld(application_domain_type)
  ')
@@ -23971,6 +23999,13 @@ index c6fdab7..cd80b96 100644
  	ssh_rw_stream_sockets(application_domain_type)
  ')
  
+ optional_policy(`
++	screen_sigchld(application_domain_type)
++')
++
++optional_policy(`
+ 	sudo_sigchld(application_domain_type)
+ ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
 index 28ad538..ebe81bf 100644
 --- a/policy/modules/system/authlogin.fc
@@ -28588,7 +28623,7 @@ index 0d4c8d3..a89c4a2 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..468dc31 100644
+index 9e54bf9..9a068f6 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28756,7 +28791,18 @@ index 9e54bf9..468dc31 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -370,13 +397,12 @@ kernel_request_load_module(racoon_t)
+@@ -322,6 +349,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	l2tpd_read_pid_files(ipsec_mgmt_t)
++')
++
++optional_policy(`
+ 	modutils_domtrans_insmod(ipsec_mgmt_t)
+ ')
+ 
+@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -28776,7 +28822,7 @@ index 9e54bf9..468dc31 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +427,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -28789,7 +28835,7 @@ index 9e54bf9..468dc31 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +465,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -28889,7 +28935,7 @@ index c42fbc3..174cfdb 100644
  ## <summary>
  ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..2502d06 100644
+index 5dfa44b..4abf7fd 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -28971,7 +29017,7 @@ index 5dfa44b..2502d06 100644
  userdom_use_all_users_fds(iptables_t)
  
  ifdef(`hide_broken_symptoms',`
-@@ -102,11 +104,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',`
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
@@ -28980,13 +29026,19 @@ index 5dfa44b..2502d06 100644
  ')
  
  optional_policy(`
- 	firstboot_use_fds(iptables_t)
- 	firstboot_rw_pipes(iptables_t)
-+	firewalld_dontaudit_write_tmp_files(iptables_t)
+@@ -110,6 +114,11 @@ optional_policy(`
  ')
  
  optional_policy(`
-@@ -124,6 +129,12 @@ optional_policy(`
++	firewalld_read_config(iptables_t)
++	firewalld_dontaudit_write_tmp_files(iptables_t)
++')
++
++optional_policy(`
+ 	modutils_run_insmod(iptables_t, iptables_roles)
+ ')
+ 
+@@ -124,6 +133,12 @@ optional_policy(`
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -28999,7 +29051,7 @@ index 5dfa44b..2502d06 100644
  ')
  
  optional_policy(`
-@@ -135,9 +146,9 @@ optional_policy(`
+@@ -135,9 +150,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34933,10 +34985,10 @@ index b7686d5..431d2f1 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..4e12420
+index 0000000..2cd29ba
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,43 @@
 +/etc/hostname			--		gen_context(system_u:object_r:hostname_etc_t,s0)
 +/etc/machine-info		--		gen_context(system_u:object_r:hostname_etc_t,s0)
 +
@@ -34952,6 +35004,7 @@ index 0000000..4e12420
 +/usr/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +
 +/usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/usr/lib/systemd/system/systemd-vconsole-setup\.service		gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
 +/usr/lib/systemd/system/.*halt.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*hibernate.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*power.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
@@ -36218,10 +36271,10 @@ index 0000000..6862d53
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..87474b2
+index 0000000..b43a6c1
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,647 @@
+@@ -0,0 +1,654 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -36285,6 +36338,9 @@ index 0000000..87474b2
 +type power_unit_file_t;
 +systemd_unit_file(power_unit_file_t)
 +
++type systemd_vconsole_unit_file_t;
++systemd_unit_file(systemd_vconsole_unit_file_t)
++
 +# executable for systemctl
 +type systemd_systemctl_exec_t;
 +corecmd_executable_file(systemd_systemctl_exec_t)
@@ -36696,9 +36752,13 @@ index 0000000..87474b2
 +
 +dev_write_kmsg(systemd_localed_t)
 +
++init_dbus_chat(systemd_localed_t)
++
 +logging_stream_connect_syslog(systemd_localed_t)
 +logging_send_syslog_msg(systemd_localed_t)
 +
++allow systemd_localed_t systemd_vconsole_unit_file_t:service start;
++
 +miscfiles_manage_localization(systemd_localed_t)
 +miscfiles_etc_filetrans_localization(systemd_localed_t)
 +
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ae88cc0..69b3776 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4528,7 +4528,7 @@ index 83e899c..c5be77c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..69725f8 100644
+index 1a82e29..ffff859 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,367 @@
@@ -5837,7 +5837,7 @@ index 1a82e29..69725f8 100644
  ')
  
  optional_policy(`
-@@ -857,6 +1024,16 @@ optional_policy(`
+@@ -857,19 +1024,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5854,7 +5854,9 @@ index 1a82e29..69725f8 100644
  	seutil_sigchld_newrole(httpd_t)
  ')
  
-@@ -865,11 +1042,16 @@ optional_policy(`
+ optional_policy(`
+ 	smokeping_read_lib_files(httpd_t)
++    smokeping_read_pid_files(httpd_t)
  ')
  
  optional_policy(`
@@ -5871,7 +5873,7 @@ index 1a82e29..69725f8 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -877,65 +1059,170 @@ optional_policy(`
+@@ -877,65 +1060,170 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6064,7 +6066,7 @@ index 1a82e29..69725f8 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1231,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1232,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6219,7 +6221,7 @@ index 1a82e29..69725f8 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1315,104 @@ optional_policy(`
+@@ -1077,172 +1316,104 @@ optional_policy(`
  	')
  ')
  
@@ -6455,7 +6457,7 @@ index 1a82e29..69725f8 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1420,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1421,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6552,7 +6554,7 @@ index 1a82e29..69725f8 100644
  
  ########################################
  #
-@@ -1315,8 +1495,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1496,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6569,7 +6571,7 @@ index 1a82e29..69725f8 100644
  ')
  
  ########################################
-@@ -1324,49 +1511,36 @@ optional_policy(`
+@@ -1324,49 +1512,36 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6633,7 +6635,7 @@ index 1a82e29..69725f8 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1550,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1551,99 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -23095,7 +23097,7 @@ index 50d0084..6565422 100644
  
  	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..598e4ee 100644
+index 0872e50..95bb886 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
 @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -23172,11 +23174,12 @@ index 0872e50..598e4ee 100644
  	shorewall_domtrans(fail2ban_t)
  ')
  
-@@ -129,22 +142,24 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -129,22 +142,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
  
  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
  
 +dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
++allow fail2ban_client_t fail2ban_var_run_t:dir write;
  stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
  
  kernel_read_system_state(fail2ban_client_t)
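Review bot: The added `allow fail2ban_client_t fail2ban_var_run_t:dir write;` grants bare `write` on the directory without `add_name` or `remove_name`, so on its own it does not permit creating or removing an entry. It also sits directly under a `dontaudit ... audit_access` on the same type, which makes the intent hard to read. If the client really has to create or remove something in that directory, the rule is incomplete; if it only answers a probe, a dontaudit would fit better. Either way the line needs a rationale, e.g. `# <operation that produced the AVC> requires write on the run directory`.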
@@ -23192,7 +23195,7 @@ index 0872e50..598e4ee 100644
 -files_read_usr_files(fail2ban_client_t)
  files_search_pids(fail2ban_client_t)
  
-+auth_read_passwd(fail2ban_client_t)
++auth_use_nsswitch(fail2ban_client_t)
 +
  logging_getattr_all_logs(fail2ban_client_t)
  logging_search_all_logs(fail2ban_client_t)
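Review bot: Replacing `auth_read_passwd(fail2ban_client_t)` with `auth_use_nsswitch(fail2ban_client_t)` widens the client noticeably. As far as I know the nsswitch interface covers every configured name-service backend, network-based ones included, not just reading the local passwd file. The patch does not say what lookup failed with the narrower interface. Please add a comment naming it, e.g. `# <lookup that failed> needs full nsswitch, not only passwd`, so the broader grant can be revisited later.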
@@ -29464,11 +29467,66 @@ index 5aab5d0..5967395 100644
  
  mta_send_mail(innd_t)
  
+diff --git a/iodine.fc b/iodine.fc
+index ca07a87..6ea129c 100644
+--- a/iodine.fc
++++ b/iodine.fc
+@@ -1,3 +1,5 @@
+ /etc/rc\.d/init\.d/((iodined)|(iodine-server))	--	gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/iodine-server.*     --  gen_context(system_u:object_r:iodined_unit_file_t,s0)
++
+ /usr/sbin/iodined	--	gen_context(system_u:object_r:iodined_exec_t,s0)
+diff --git a/iodine.if b/iodine.if
+index a0bfbd0..6f5dbdf 100644
+--- a/iodine.if
++++ b/iodine.if
+@@ -2,6 +2,30 @@
+ 
+ ########################################
+ ## <summary>
++##  Execute iodined server in the iodined domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`iodined_systemctl',`
++    gen_require(`
++        type iodined_t;
++        type iodined_unit_file_t;
++    ')
++
++        systemd_exec_systemctl($1)
++        systemd_read_fifo_file_password_run($1)
++        allow $1 iodined_unit_file_t:file read_file_perms;
++        allow $1 iodined_unit_file_t:service manage_service_perms;
++
++        ps_process_pattern($1, iodined_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to
+ ##	administrate an iodined environment
+ ## </summary>
 diff --git a/iodine.te b/iodine.te
-index 94ec5f8..801417b 100644
+index 94ec5f8..8556c27 100644
 --- a/iodine.te
 +++ b/iodine.te
-@@ -43,7 +43,6 @@ corenet_udp_sendrecv_dns_port(iodined_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
+ type iodined_initrc_exec_t;
+ init_script_file(iodined_initrc_exec_t)
+ 
++type iodined_unit_file_t;
++systemd_unit_file(iodined_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -43,7 +46,6 @@ corenet_udp_sendrecv_dns_port(iodined_t)
  
  corecmd_exec_shell(iodined_t)
  
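Review bot: The documentation on the new `iodined_systemctl` interface in `iodine.if` looks copied from a domtrans interface: "Execute iodined server in the iodined domain" and "Domain allowed to transition". The body performs no transition. It calls `systemd_exec_systemctl($1)` and grants `manage_service_perms` on `iodined_unit_file_t`. I would change the summary to `##  Execute systemctl to manage the iodined service unit.` and the parameter text to `##  Domain allowed access.`. The body is also indented with eight spaces after a four-space `gen_require`, unlike the rest of the file. The `iodined_admin` interface that follows is outside this hunk, so whether it calls the new interface cannot be seen here.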
@@ -33530,7 +33588,7 @@ index 73e2803..2fc7570 100644
  	files_search_pids($1)
  	admin_pattern($1, l2tpd_var_run_t)
 diff --git a/l2tp.te b/l2tp.te
-index 19f2b97..fbc0e48 100644
+index 19f2b97..bbbda10 100644
 --- a/l2tp.te
 +++ b/l2tp.te
 @@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
@@ -33542,7 +33600,13 @@ index 19f2b97..fbc0e48 100644
  allow l2tpd_t self:fifo_file rw_fifo_file_perms;
  allow l2tpd_t self:netlink_socket create_socket_perms;
  allow l2tpd_t self:rawip_socket create_socket_perms;
-@@ -47,6 +47,8 @@ files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
+@@ -42,11 +42,13 @@ manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+ manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+ manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+ manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+-files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
++files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
+ 
  manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
  files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
  
@@ -33551,7 +33615,7 @@ index 19f2b97..fbc0e48 100644
  corenet_all_recvfrom_unlabeled(l2tpd_t)
  corenet_all_recvfrom_netlabel(l2tpd_t)
  corenet_raw_sendrecv_generic_if(l2tpd_t)
-@@ -75,19 +77,35 @@ corecmd_exec_bin(l2tpd_t)
+@@ -75,19 +77,37 @@ corecmd_exec_bin(l2tpd_t)
  
  dev_read_urand(l2tpd_t)
  
@@ -33561,10 +33625,12 @@ index 19f2b97..fbc0e48 100644
  term_use_generic_ptys(l2tpd_t)
  term_use_ptmx(l2tpd_t)
  
- logging_send_syslog_msg(l2tpd_t)
+-logging_send_syslog_msg(l2tpd_t)
++auth_read_passwd(l2tpd_t)
  
 -miscfiles_read_localization(l2tpd_t)
--
++logging_send_syslog_msg(l2tpd_t)
+ 
  sysnet_dns_name_resolve(l2tpd_t)
  
  optional_policy(`
@@ -38615,7 +38681,7 @@ index 6194b80..f54f1e8 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..5222893 100644
+index 6a306ee..4440013 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -38889,12 +38955,12 @@ index 6a306ee..5222893 100644
 -
 -userdom_manage_user_tmp_dirs(mozilla_t)
 -userdom_manage_user_tmp_files(mozilla_t)
--
++userdom_use_inherited_user_ptys(mozilla_t)
+ 
 -userdom_manage_user_home_content_dirs(mozilla_t)
 -userdom_manage_user_home_content_files(mozilla_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-+userdom_use_inherited_user_ptys(mozilla_t)
- 
+-
 -userdom_write_user_tmp_sockets(mozilla_t)
 -
 -mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -39024,34 +39090,34 @@ index 6a306ee..5222893 100644
 -	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 +	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
-+')
-+
-+optional_policy(`
-+	java_domtrans(mozilla_t)
  ')
  
  optional_policy(`
 -	java_exec(mozilla_t)
 -	java_manage_generic_home_content(mozilla_t)
 -	java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+	lpd_domtrans_lpr(mozilla_t)
++	java_domtrans(mozilla_t)
  ')
  
  optional_policy(`
 -	lpd_run_lpr(mozilla_t, mozilla_roles)
-+	mplayer_domtrans(mozilla_t)
-+	mplayer_read_user_home_files(mozilla_t)
++	lpd_domtrans_lpr(mozilla_t)
  ')
  
  optional_policy(`
 -	mplayer_exec(mozilla_t)
 -	mplayer_manage_generic_home_content(mozilla_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+	nscd_socket_use(mozilla_t)
++	mplayer_domtrans(mozilla_t)
++	mplayer_read_user_home_files(mozilla_t)
  ')
  
  optional_policy(`
 -	pulseaudio_run(mozilla_t, mozilla_roles)
++	nscd_socket_use(mozilla_t)
++')
++
++optional_policy(`
 +	#pulseaudio_role(mozilla_roles, mozilla_t)
 +	pulseaudio_exec(mozilla_t)
 +	pulseaudio_stream_connect(mozilla_t)
@@ -39059,7 +39125,7 @@ index 6a306ee..5222893 100644
  ')
  
  optional_policy(`
-@@ -300,221 +324,182 @@ optional_policy(`
+@@ -300,221 +324,183 @@ optional_policy(`
  
  ########################################
  #
@@ -39142,12 +39208,12 @@ index 6a306ee..5222893 100644
  allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
--
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
 +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
  
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-
 -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
 +can_exec(mozilla_plugin_t, mozilla_exec_t)
  
@@ -39161,6 +39227,7 @@ index 6a306ee..5222893 100644
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
 +corecmd_dontaudit_access_all_executables(mozilla_plugin_t)
++corecmd_getattr_all_executables(mozilla_plugin_t)
  
 -corenet_all_recvfrom_netlabel(mozilla_plugin_t)
 -corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
@@ -39316,12 +39383,12 @@ index 6a306ee..5222893 100644
  
 -userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 -userdom_manage_user_tmp_files(mozilla_plugin_t)
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+ 
 -userdom_manage_user_home_content_dirs(mozilla_plugin_t)
 -userdom_manage_user_home_content_files(mozilla_plugin_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
- 
+-
 -userdom_write_user_tmp_sockets(mozilla_plugin_t)
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
@@ -39381,7 +39448,7 @@ index 6a306ee..5222893 100644
  ')
  
  optional_policy(`
-@@ -523,36 +508,48 @@ optional_policy(`
+@@ -523,36 +509,48 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39422,18 +39489,18 @@ index 6a306ee..5222893 100644
  optional_policy(`
 -	lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
 +	lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
++')
++
++optional_policy(`
++    mplayer_exec(mozilla_plugin_t)
++    mplayer_manage_generic_home_content(mozilla_plugin_t)
++    mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
  ')
  
  optional_policy(`
 -	mplayer_exec(mozilla_plugin_t)
 -	mplayer_manage_generic_home_content(mozilla_plugin_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
-+    mplayer_exec(mozilla_plugin_t)
-+    mplayer_manage_generic_home_content(mozilla_plugin_t)
-+    mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
-+')
-+
-+optional_policy(`
 +	pulseaudio_exec(mozilla_plugin_t)
 +	pulseaudio_stream_connect(mozilla_plugin_t)
 +	pulseaudio_setattr_home_dir(mozilla_plugin_t)
@@ -39443,7 +39510,7 @@ index 6a306ee..5222893 100644
  ')
  
  optional_policy(`
-@@ -560,7 +557,7 @@ optional_policy(`
+@@ -560,7 +558,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39452,7 +39519,7 @@ index 6a306ee..5222893 100644
  ')
  
  optional_policy(`
-@@ -568,108 +565,118 @@ optional_policy(`
+@@ -568,108 +566,124 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39481,22 +39548,23 @@ index 6a306ee..5222893 100644
 -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
 -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
 -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
--
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
+ 
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
- 
+-
 -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
 -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
 -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
--
++allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
+ 
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
-+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
-+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
  
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
@@ -39506,31 +39574,35 @@ index 6a306ee..5222893 100644
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
-+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
- 
--filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
 +dev_read_sysfs(mozilla_plugin_config_t)
 +dev_read_urand(mozilla_plugin_config_t)
 +dev_dontaudit_read_rand(mozilla_plugin_config_t)
 +dev_dontaudit_rw_dri(mozilla_plugin_config_t)
  
--can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
 +fs_search_auto_mountpoints(mozilla_plugin_config_t)
 +fs_list_inotifyfs(mozilla_plugin_config_t)
  
--ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
 +can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
 +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
  
--kernel_read_system_state(mozilla_plugin_config_t)
--kernel_request_load_module(mozilla_plugin_config_t)
+-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
 +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
 +manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
 +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
 +manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
  
+-kernel_read_system_state(mozilla_plugin_config_t)
+-kernel_request_load_module(mozilla_plugin_config_t)
++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
++userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file })
+ 
  corecmd_exec_bin(mozilla_plugin_config_t)
  corecmd_exec_shell(mozilla_plugin_config_t)
  
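Review bot: The new `files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })` names five object classes, but the three `manage_*_pattern` lines added just above it cover only directories, files and symlinks. If nothing outside this hunk grants fifo and socket creation on `mozilla_plugin_tmp_t`, the transition for those two classes produces denials instead of labelled objects. Either add `manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)` and the matching `manage_sock_files_pattern` line, or narrow the class set to `{ dir file lnk_file }`. The narrower set is the safer default for a domain that an earlier hunk of this patch already grants `execmem execstack`. The mozilla_plugin_config_t section starts before this hunk, so the missing grants may exist there.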
@@ -43717,7 +43789,7 @@ index 0641e97..d7d9a79 100644
 +	admin_pattern($1, nrpe_etc_t)
  ')
 diff --git a/nagios.te b/nagios.te
-index 44ad3b7..c738393 100644
+index 44ad3b7..ce55650 100644
 --- a/nagios.te
 +++ b/nagios.te
 @@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -43775,7 +43847,26 @@ index 44ad3b7..c738393 100644
  
  ########################################
  #
-@@ -110,7 +115,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+@@ -96,11 +101,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
+ allow nagios_t nagios_etc_t:file read_file_perms;
+ allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
+ 
+-allow nagios_t nagios_log_t:dir setattr_dir_perms;
+-append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+-create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+-setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+-logging_log_filetrans(nagios_t, nagios_log_t, file)
++#allow nagios_t nagios_log_t:dir setattr_dir_perms;
++#append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
++#create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
++#setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
++manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
++manage_dirs_pattern(nagios_t, nagios_log_t, nagios_log_t)
++logging_log_filetrans(nagios_t, nagios_log_t, { dir file })
+ 
+ manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
+ manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
+@@ -110,7 +117,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
  files_pid_filetrans(nagios_t, nagios_var_run_t, file)
  
  manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
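Review bot: Replacing the append/create/setattr rules on `nagios_log_t` with `manage_files_pattern` and `manage_dirs_pattern` gives `nagios_t` write, rename and unlink on its own logs, so a compromised daemon could rewrite or remove them where it could previously only append. If the wider access exists for log rotation into a subdirectory (inferred from the `{ dir file }` transition, not stated here), record that in a comment such as `# nagios rotates its own logs into a subdirectory of the log dir`. Consider keeping the files append-only and granting only the specific create and rename permissions rotation needs. The four commented-out rules should be deleted rather than carried in the policy, since the patch history already records them.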
@@ -43785,7 +43876,7 @@ index 44ad3b7..c738393 100644
  
  manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
  manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-@@ -123,7 +129,6 @@ kernel_read_software_raid_state(nagios_t)
+@@ -123,7 +131,6 @@ kernel_read_software_raid_state(nagios_t)
  corecmd_exec_bin(nagios_t)
  corecmd_exec_shell(nagios_t)
  
@@ -43793,7 +43884,7 @@ index 44ad3b7..c738393 100644
  corenet_all_recvfrom_netlabel(nagios_t)
  corenet_tcp_sendrecv_generic_if(nagios_t)
  corenet_tcp_sendrecv_generic_node(nagios_t)
-@@ -143,7 +148,6 @@ domain_read_all_domains_state(nagios_t)
+@@ -143,7 +150,6 @@ domain_read_all_domains_state(nagios_t)
  
  files_read_etc_runtime_files(nagios_t)
  files_read_kernel_symbol_table(nagios_t)
@@ -43801,7 +43892,7 @@ index 44ad3b7..c738393 100644
  files_search_spool(nagios_t)
  
  fs_getattr_all_fs(nagios_t)
-@@ -153,8 +157,6 @@ auth_use_nsswitch(nagios_t)
+@@ -153,8 +159,6 @@ auth_use_nsswitch(nagios_t)
  
  logging_send_syslog_msg(nagios_t)
  
@@ -43810,7 +43901,7 @@ index 44ad3b7..c738393 100644
  userdom_dontaudit_use_unpriv_user_fds(nagios_t)
  userdom_dontaudit_search_user_home_dirs(nagios_t)
  
-@@ -178,6 +180,7 @@ optional_policy(`
+@@ -178,6 +182,7 @@ optional_policy(`
  #
  # CGI local policy
  #
@@ -43818,7 +43909,7 @@ index 44ad3b7..c738393 100644
  optional_policy(`
  	apache_content_template(nagios)
  	typealias httpd_nagios_script_t alias nagios_cgi_t;
-@@ -229,9 +232,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+@@ -229,9 +234,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
  
  domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
  
@@ -43829,7 +43920,7 @@ index 44ad3b7..c738393 100644
  
  corecmd_exec_bin(nrpe_t)
  corecmd_exec_shell(nrpe_t)
-@@ -253,7 +256,6 @@ domain_use_interactive_fds(nrpe_t)
+@@ -253,7 +258,6 @@ domain_use_interactive_fds(nrpe_t)
  domain_read_all_domains_state(nrpe_t)
  
  files_read_etc_runtime_files(nrpe_t)
@@ -43837,7 +43928,7 @@ index 44ad3b7..c738393 100644
  
  fs_getattr_all_fs(nrpe_t)
  fs_search_auto_mountpoints(nrpe_t)
-@@ -262,8 +264,6 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,8 +266,6 @@ auth_use_nsswitch(nrpe_t)
  
  logging_send_syslog_msg(nrpe_t)
  
@@ -43846,7 +43937,7 @@ index 44ad3b7..c738393 100644
  userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
  
  optional_policy(`
-@@ -310,15 +310,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +312,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
  #
  
  allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -43865,7 +43956,7 @@ index 44ad3b7..c738393 100644
  logging_send_syslog_msg(nagios_mail_plugin_t)
  
  sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +345,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,6 +347,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
  
  kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
  
@@ -43875,7 +43966,7 @@ index 44ad3b7..c738393 100644
  files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
-@@ -357,9 +360,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +362,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
  # Services local policy
  #
  
@@ -43889,7 +43980,7 @@ index 44ad3b7..c738393 100644
  
  corecmd_exec_bin(nagios_services_plugin_t)
  
-@@ -391,6 +396,7 @@ optional_policy(`
+@@ -391,6 +398,7 @@ optional_policy(`
  
  optional_policy(`
  	mysql_stream_connect(nagios_services_plugin_t)
@@ -43897,7 +43988,7 @@ index 44ad3b7..c738393 100644
  ')
  
  optional_policy(`
-@@ -411,6 +417,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -411,6 +419,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
  manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
  files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
  
@@ -43905,7 +43996,7 @@ index 44ad3b7..c738393 100644
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
  corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +427,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,10 +429,10 @@ dev_read_sysfs(nagios_system_plugin_t)
  
  domain_read_all_domains_state(nagios_system_plugin_t)
  
@@ -43918,7 +44009,7 @@ index 44ad3b7..c738393 100644
  optional_policy(`
  	init_read_utmp(nagios_system_plugin_t)
  ')
-@@ -442,11 +449,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,11 +451,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
  
  init_domtrans_script(nagios_eventhandler_plugin_t)
  
@@ -46666,7 +46757,7 @@ index a9c60ff..ad4f14a 100644
 +	refpolicywarn(`$0($*) has been deprecated.')
  ')
 diff --git a/nsd.te b/nsd.te
-index dde7f42..82e97aa 100644
+index dde7f42..b3662dd 100644
 --- a/nsd.te
 +++ b/nsd.te
 @@ -1,4 +1,4 @@
@@ -46734,7 +46825,7 @@ index dde7f42..82e97aa 100644
  corenet_all_recvfrom_netlabel(nsd_t)
  corenet_tcp_sendrecv_generic_if(nsd_t)
  corenet_udp_sendrecv_generic_if(nsd_t)
-@@ -72,16 +65,16 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
+@@ -72,16 +65,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
  corenet_udp_sendrecv_all_ports(nsd_t)
  corenet_tcp_bind_generic_node(nsd_t)
  corenet_udp_bind_generic_node(nsd_t)
@@ -46745,6 +46836,7 @@ index dde7f42..82e97aa 100644
 +corenet_sendrecv_dns_server_packets(nsd_t)
  
  dev_read_sysfs(nsd_t)
++dev_read_urand(nsd_t)
  
  domain_use_interactive_fds(nsd_t)
  
@@ -46753,25 +46845,16 @@ index dde7f42..82e97aa 100644
  
  fs_getattr_all_fs(nsd_t)
  fs_search_auto_mountpoints(nsd_t)
-@@ -90,12 +83,16 @@ auth_use_nsswitch(nsd_t)
+@@ -90,8 +84,6 @@ auth_use_nsswitch(nsd_t)
  
  logging_send_syslog_msg(nsd_t)
  
 -miscfiles_read_localization(nsd_t)
-+sysnet_dns_name_resolve(nsd_t)
- 
+-
  userdom_dontaudit_use_unpriv_user_fds(nsd_t)
  userdom_dontaudit_search_user_home_dirs(nsd_t)
  
- optional_policy(`
-+	nis_use_ypbind(nsd_t)
-+')
-+
-+optional_policy(`
- 	seutil_sigchld_newrole(nsd_t)
- ')
- 
-@@ -105,23 +102,24 @@ optional_policy(`
+@@ -105,23 +97,24 @@ optional_policy(`
  
  ########################################
  #
@@ -46804,7 +46887,7 @@ index dde7f42..82e97aa 100644
  
  manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
  filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
-@@ -133,29 +131,41 @@ kernel_read_system_state(nsd_crond_t)
+@@ -133,27 +126,27 @@ kernel_read_system_state(nsd_crond_t)
  corecmd_exec_bin(nsd_crond_t)
  corecmd_exec_shell(nsd_crond_t)
  
@@ -46822,7 +46905,6 @@ index dde7f42..82e97aa 100644
 +corenet_tcp_connect_all_ports(nsd_crond_t)
 +corenet_sendrecv_all_client_packets(nsd_crond_t)
  
-+# for SSP
  dev_read_urand(nsd_crond_t)
  
  domain_dontaudit_read_all_domains_state(nsd_crond_t)
@@ -46835,22 +46917,10 @@ index dde7f42..82e97aa 100644
  logging_send_syslog_msg(nsd_crond_t)
  
 -miscfiles_read_localization(nsd_crond_t)
-+
-+sysnet_read_config(nsd_crond_t)
- 
+-
  userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
  
  optional_policy(`
- 	cron_system_entry(nsd_crond_t, nsd_exec_t)
- ')
-+
-+optional_policy(`
-+	nis_use_ypbind(nsd_crond_t)
-+')
-+
-+optional_policy(`
-+	nscd_read_pid(nsd_crond_t)
-+')
 diff --git a/nslcd.fc b/nslcd.fc
 index 402100e..ce913b2 100644
 --- a/nslcd.fc
@@ -48450,7 +48520,7 @@ index 57c0161..54bd4d7 100644
 +    ps_process_pattern($1, swift_t)
  ')
 diff --git a/nut.te b/nut.te
-index 0c9deb7..98a02f8 100644
+index 0c9deb7..ebfaeb8 100644
 --- a/nut.te
 +++ b/nut.te
 @@ -1,4 +1,4 @@
@@ -48562,12 +48632,12 @@ index 0c9deb7..98a02f8 100644
 +allow nut_upsmon_t self:tcp_socket create_socket_perms;
 +
 +read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
-+
+ 
 +# pid file
 +manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
 +manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
 +files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
- 
++
 +kernel_read_kernel_sysctls(nut_upsmon_t)
  kernel_read_system_state(nut_upsmon_t)
  
@@ -48607,7 +48677,7 @@ index 0c9deb7..98a02f8 100644
  mta_send_mail(nut_upsmon_t)
  
  optional_policy(`
-@@ -124,14 +118,27 @@ optional_policy(`
+@@ -124,14 +118,29 @@ optional_policy(`
  
  ########################################
  #
@@ -48621,6 +48691,8 @@ index 0c9deb7..98a02f8 100644
 +allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
 +allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
++
++can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
  
 +read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
 +
@@ -48637,7 +48709,7 @@ index 0c9deb7..98a02f8 100644
  corecmd_exec_bin(nut_upsdrvctl_t)
  
  dev_read_sysfs(nut_upsdrvctl_t)
-@@ -139,22 +146,34 @@ dev_read_urand(nut_upsdrvctl_t)
+@@ -139,22 +148,34 @@ dev_read_urand(nut_upsdrvctl_t)
  dev_rw_generic_usb_dev(nut_upsdrvctl_t)
  
  term_use_unallocated_ttys(nut_upsdrvctl_t)
@@ -51312,7 +51384,7 @@ index 9b15730..eedd136 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..ba9ff22 100644
+index 508fedf..f025b03 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -1,4 +1,4 @@
@@ -51335,7 +51407,7 @@ index 508fedf..ba9ff22 100644
  
  type openvswitch_var_lib_t;
  files_type(openvswitch_var_lib_t)
-@@ -24,20 +21,28 @@ logging_log_file(openvswitch_log_t)
+@@ -24,20 +21,27 @@ logging_log_file(openvswitch_log_t)
  type openvswitch_var_run_t;
  files_pid_file(openvswitch_var_run_t)
  
@@ -51350,9 +51422,8 @@ index 508fedf..ba9ff22 100644
  
 -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
 -allow openvswitch_t self:process { setrlimit setsched signal };
-+allow openvswitch_t self:capability { net_admin ipc_lock sys_nice sys_resource };
-+allow openvswitch_t openvswitch_t : capability { sys_module };
-+allow openvswitch_t openvswitch_t : capability2 { block_suspend };
++allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };
++allow openvswitch_t self:capability2 block_suspend;
 +allow openvswitch_t self:process { fork setsched setrlimit signal };
  allow openvswitch_t self:fifo_file rw_fifo_file_perms;
 -allow openvswitch_t self:rawip_socket create_socket_perms;
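Review bot: `sys_module` is now folded into the main `self:capability` set for `openvswitch_t`, with nothing explaining why the daemon needs to load kernel modules itself. That capability lets the domain insert arbitrary modules, a much larger grant than the neighbouring `net_admin` or `sys_nice`. Where the need is only to have a module present, `kernel_request_load_module(openvswitch_t)` or a transition to the module-loading domain is the narrower form. If the direct capability really is required, keep it on its own line with a comment stating the reason, e.g. `# ovs loads its datapath module directly` if that is the case, so it stands out in later audits. The rest of the openvswitch_t rules continue outside this hunk.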
@@ -51372,7 +51443,7 @@ index 508fedf..ba9ff22 100644
  
  manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
  manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,9 +50,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -45,9 +49,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
  files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
  
  manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -51383,7 +51454,7 @@ index 508fedf..ba9ff22 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -57,33 +60,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -57,33 +59,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
  
@@ -65092,10 +65163,19 @@ index c5ad6de..c67dbef 100644
  
  /var/run/rabbitmq(/.*)?	gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..42caa6c 100644
+index 3698b51..7b56492 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
-@@ -54,6 +54,8 @@ kernel_read_system_state(rabbitmq_beam_t)
+@@ -45,6 +45,8 @@ setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+ manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+ 
++ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t)
++
+ can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+ 
+ domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+@@ -54,6 +56,8 @@ kernel_read_system_state(rabbitmq_beam_t)
  corecmd_exec_bin(rabbitmq_beam_t)
  corecmd_exec_shell(rabbitmq_beam_t)
  
@@ -65104,20 +65184,20 @@ index 3698b51..42caa6c 100644
  corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
  corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
  corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
-@@ -68,20 +70,28 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -68,20 +72,28 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
  corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
  
 -dev_read_sysfs(rabbitmq_beam_t)
 +corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
 +corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
++
++auth_read_passwd(rabbitmq_beam_t)
  
 -files_read_etc_files(rabbitmq_beam_t)
-+auth_read_passwd(rabbitmq_beam_t)
++fs_getattr_all_fs(rabbitmq_beam_t)
  
 -miscfiles_read_localization(rabbitmq_beam_t)
-+fs_getattr_xattr_fs(rabbitmq_beam_t)
-+
 +dev_read_sysfs(rabbitmq_beam_t)
 +dev_read_urand(rabbitmq_beam_t)
  
@@ -65137,7 +65217,7 @@ index 3698b51..42caa6c 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +109,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +111,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
@@ -65493,7 +65573,7 @@ index 951db7f..6d6ec1d 100644
 +	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..0e15502 100644
+index 2c1730b..e9c20b8 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
@@ -65506,7 +65586,7 @@ index 2c1730b..0e15502 100644
  type mdadm_var_run_t alias mdadm_map_t;
  files_pid_file(mdadm_var_run_t)
  dev_associate(mdadm_var_run_t)
-@@ -25,23 +28,28 @@ dev_associate(mdadm_var_run_t)
+@@ -25,23 +28,31 @@ dev_associate(mdadm_var_run_t)
  #
  
  allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -65516,11 +65596,12 @@ index 2c1730b..0e15502 100644
 +allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
  allow mdadm_t self:fifo_file rw_fifo_file_perms;
  allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
- 
++allow mdadm_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
 +manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
 +manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
 +files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
-+
+ 
  manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
  manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
  manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
@@ -65529,6 +65610,8 @@ index 2c1730b..0e15502 100644
 -files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file })
 +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
 +dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
++
++can_exec(mdadm_t, mdadm_exec_t)
  
  kernel_getattr_core_if(mdadm_t)
  kernel_read_system_state(mdadm_t)
@@ -65539,13 +65622,15 @@ index 2c1730b..0e15502 100644
  
  corecmd_exec_bin(mdadm_t)
  corecmd_exec_shell(mdadm_t)
-@@ -49,19 +57,23 @@ corecmd_exec_shell(mdadm_t)
+@@ -49,19 +60,25 @@ corecmd_exec_shell(mdadm_t)
  dev_rw_sysfs(mdadm_t)
  dev_dontaudit_getattr_all_blk_files(mdadm_t)
  dev_dontaudit_getattr_all_chr_files(mdadm_t)
 +dev_read_crash(mdadm_t)
++dev_read_framebuffer(mdadm_t)
  dev_read_realtime_clock(mdadm_t)
  dev_read_raw_memory(mdadm_t)
++dev_read_kvm(mdadm_t)
 +dev_read_nvram(mdadm_t)
 +dev_read_generic_files(mdadm_t)
  
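Review bot: `dev_read_framebuffer(mdadm_t)` and `dev_read_kvm(mdadm_t)` let a RAID management domain read device nodes with no evident relation to its job, and no comment says which operation needs them. If they came from AVC denials produced while mdadm walks /dev (an inference; the hunk does not say), dontaudit rules are the better answer, as the two `dev_dontaudit_getattr_all_*` lines at the top of this hunk already do. Otherwise add a why-comment above the two lines naming the code path that opens these nodes.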
@@ -65565,7 +65650,7 @@ index 2c1730b..0e15502 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -70,16 +82,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +87,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
@@ -65582,10 +65667,10 @@ index 2c1730b..0e15502 100644
  logging_send_syslog_msg(mdadm_t)
  
 -miscfiles_read_localization(mdadm_t)
--
++systemd_exec_systemctl(mdadm_t)
+ 
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
- userdom_dontaudit_use_user_terminals(mdadm_t)
 diff --git a/razor.fc b/razor.fc
 index 6723f4d..6e26673 100644
 --- a/razor.fc
@@ -73867,7 +73952,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 57c034b..fccf544 100644
+index 57c034b..ea8d79d 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -1,4 +1,4 @@
@@ -74138,7 +74223,7 @@ index 57c034b..fccf544 100644
  ')
  
  optional_policy(`
-@@ -245,38 +236,48 @@ optional_policy(`
+@@ -245,44 +236,56 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74199,7 +74284,15 @@ index 57c034b..fccf544 100644
  
  manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
  filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
-@@ -292,6 +293,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+ 
+ manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
+ manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
++manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t)
++manage_sock_files_pattern(smbd_t, samba_share_t, samba_share_t)
+ manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
+ allow smbd_t samba_share_t:filesystem { getattr quotaget };
+ 
+@@ -292,6 +295,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
  
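Review bot: The added `manage_fifo_files_pattern` and `manage_sock_files_pattern` lines let `smbd_t` create named pipes and sockets in every directory labelled `samba_share_t`, unconditionally. Later sections of this file gate comparable share access behind `tunable_policy` blocks (`samba_share_nfs`, `samba_share_fusefs`). It is worth either doing the same here or adding a comment stating which client operation needs special files on a share. The smbd_t section extends beyond this hunk on both sides.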
@@ -74208,7 +74301,7 @@ index 57c034b..fccf544 100644
  manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
  manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
  files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-@@ -301,11 +304,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+@@ -301,11 +306,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
  
@@ -74224,7 +74317,7 @@ index 57c034b..fccf544 100644
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -315,43 +318,33 @@ kernel_read_kernel_sysctls(smbd_t)
+@@ -315,43 +320,33 @@ kernel_read_kernel_sysctls(smbd_t)
  kernel_read_software_raid_state(smbd_t)
  kernel_read_system_state(smbd_t)
  
@@ -74279,7 +74372,7 @@ index 57c034b..fccf544 100644
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
  fs_get_xattr_fs_quotas(smbd_t)
-@@ -360,44 +353,54 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -360,44 +355,54 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
@@ -74345,7 +74438,7 @@ index 57c034b..fccf544 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -413,20 +416,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -413,20 +418,10 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -74368,7 +74461,7 @@ index 57c034b..fccf544 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -435,6 +428,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -435,6 +430,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -74376,7 +74469,7 @@ index 57c034b..fccf544 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -442,17 +436,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -442,17 +438,6 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -74394,7 +74487,7 @@ index 57c034b..fccf544 100644
  optional_policy(`
  	ccs_read_config(smbd_t)
  ')
-@@ -473,6 +456,11 @@ optional_policy(`
+@@ -473,6 +458,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74406,7 +74499,7 @@ index 57c034b..fccf544 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -493,9 +481,33 @@ optional_policy(`
+@@ -493,9 +483,33 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -74441,7 +74534,7 @@ index 57c034b..fccf544 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +518,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +520,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -74456,7 +74549,7 @@ index 57c034b..fccf544 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +534,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +536,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -74480,7 +74573,7 @@ index 57c034b..fccf544 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +551,40 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +553,40 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -74545,7 +74638,7 @@ index 57c034b..fccf544 100644
  ')
  
  optional_policy(`
-@@ -600,17 +597,24 @@ optional_policy(`
+@@ -600,17 +599,24 @@ optional_policy(`
  
  ########################################
  #
@@ -74574,7 +74667,7 @@ index 57c034b..fccf544 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -620,16 +624,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +626,12 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -74592,7 +74685,7 @@ index 57c034b..fccf544 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +637,23 @@ optional_policy(`
+@@ -637,22 +639,23 @@ optional_policy(`
  
  ########################################
  #
@@ -74624,7 +74717,7 @@ index 57c034b..fccf544 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -661,26 +662,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +664,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -74660,7 +74753,7 @@ index 57c034b..fccf544 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -692,58 +689,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +691,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -74752,7 +74845,7 @@ index 57c034b..fccf544 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +768,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +770,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -74776,7 +74869,7 @@ index 57c034b..fccf544 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -770,36 +782,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +784,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -74819,7 +74912,7 @@ index 57c034b..fccf544 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -811,10 +812,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +814,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -74833,7 +74926,7 @@ index 57c034b..fccf544 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -837,13 +839,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+@@ -837,13 +841,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process { signal_perms getsched setsched };
  allow winbind_t self:fifo_file rw_fifo_file_perms;
@@ -74853,7 +74946,7 @@ index 57c034b..fccf544 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +857,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +859,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -74864,7 +74957,7 @@ index 57c034b..fccf544 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +868,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +870,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -74894,7 +74987,7 @@ index 57c034b..fccf544 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -891,13 +891,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +893,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -74915,7 +75008,7 @@ index 57c034b..fccf544 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +909,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +911,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -74926,7 +75019,7 @@ index 57c034b..fccf544 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -917,18 +917,24 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,18 +919,24 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -74953,7 +75046,7 @@ index 57c034b..fccf544 100644
  
  optional_policy(`
  	ctdbd_stream_connect(winbind_t)
-@@ -936,7 +942,12 @@ optional_policy(`
+@@ -936,7 +944,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74966,7 +75059,7 @@ index 57c034b..fccf544 100644
  ')
  
  optional_policy(`
-@@ -952,31 +963,29 @@ optional_policy(`
+@@ -952,31 +965,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -75004,7 +75097,7 @@ index 57c034b..fccf544 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -990,25 +999,38 @@ optional_policy(`
+@@ -990,25 +1001,38 @@ optional_policy(`
  
  ########################################
  #
@@ -76839,7 +76932,7 @@ index ac04d27..b73334e 100644
 +/var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 +/var/run/tmux(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 diff --git a/screen.if b/screen.if
-index c21ddcc..ee00be2 100644
+index c21ddcc..4dd623e 100644
 --- a/screen.if
 +++ b/screen.if
 @@ -1,4 +1,4 @@
@@ -76934,7 +77027,7 @@ index c21ddcc..ee00be2 100644
  
  	tunable_policy(`use_samba_home_dirs',`
  		fs_cifs_domtrans($1_screen_t, $3)
-@@ -87,3 +85,22 @@ template(`screen_role_template',`
+@@ -87,3 +85,41 @@ template(`screen_role_template',`
  		fs_nfs_domtrans($1_screen_t, $3)
  	')
  ')
@@ -76957,6 +77050,25 @@ index c21ddcc..ee00be2 100644
 +
 +        can_exec($1, screen_exec_t)
 +')
++
++########################################
++## <summary>
++##	Send a SIGCHLD signal to the screen domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`screen_sigchld',`
++	gen_require(`
++		attribute screen_domain;
++	')
++
++	allow $1 screen_domain:process sigchld;
++')
++
 diff --git a/screen.te b/screen.te
 index f095081..ee69aa7 100644
 --- a/screen.te
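Review bot: The summary of the new `screen_sigchld` interface says "the screen domain", but the rule `allow $1 screen_domain:process sigchld;` targets an attribute, so the caller may send SIGCHLD to every type carrying `screen_domain`. These are presumably the per-role `$1_screen_t` domains created by `screen_role_template`. I would word the summary as `##	Send a SIGCHLD signal to all screen domains.` so callers know the grant is not limited to their own role's screen. As a style point, the new body is indented with tabs while the preceding `can_exec($1, screen_exec_t)` line uses spaces, and the added trailing blank line at the end of screen.if can be dropped.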
@@ -85142,10 +85254,10 @@ index 0000000..74cd27c
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..780a62e
+index 0000000..07820b6
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,144 @@
+@@ -0,0 +1,145 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -85263,6 +85375,7 @@ index 0000000..780a62e
 +optional_policy(`
 +	# .config
 +	gnome_dontaudit_search_config(thumb_t)
++	gnome_dontaudit_write_config_files(thumb_t)
 +	gnome_append_generic_cache_files(thumb_t)
 +	gnome_read_generic_data_home_files(thumb_t)
 +	gnome_dontaudit_rw_generic_cache_files(thumb_t)
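Review bot: The added `gnome_dontaudit_write_config_files(thumb_t)` has no comment saying which access it silences, and a dontaudit rule keeps the write denied while dropping the AVC record. thumb_t presumably processes untrusted media, so that record is also what would reveal an unexpected write attempt against GNOME config files. The reason for hiding it should sit next to the rule, for example `# dontaudit: <bug reference or triggering access>; write stays denied, only the AVC is suppressed`. During an investigation the hidden denials can be made visible again by rebuilding the policy with dontaudit rules disabled (`semodule -DB`). The enclosing `optional_policy` block continues past the end of this hunk.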
@@ -87805,10 +87918,10 @@ index 0be8535..b96e329 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index c30da4c..e97572f 100644
+index c30da4c..898ce74 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,52 +1,86 @@
+@@ -1,52 +1,87 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@@ -87818,6 +87931,7 @@ index c30da4c..e97572f 100644
 +HOME_DIR/\.libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
 +HOME_DIR/\.virtinst(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
 +HOME_DIR/\.cache/libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
 +HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
 +HOME_DIR/\.cache/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
 +HOME_DIR/\.config/libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
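Review bot: Existing `~/.cache/libvirt-sandbox` directories are not covered by this change, and nothing here documents that. The new `HOME_DIR/\.cache/libvirt-sandbox(/.*)?` entry and the matching `gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")` added in virt.if take effect only on creation or relabel. A directory created before the update keeps its old label until it is relabeled, for example with `restorecon -R`. Whether the package update relabels home directories is not visible in this diff, so the changelog entry should say what is needed. The entry also labels the whole subtree `virt_home_t`, whereas `HOME_DIR/\.cache/libvirt/qemu(/.*)?` gets `svirt_home_t`; if libvirt-sandbox keeps guest-writable content there, confirm that `virt_home_t` is the intended type.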
@@ -87935,7 +88049,7 @@ index c30da4c..e97572f 100644
 +/var/run/qga\.state             --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..7877729 100644
+index 9dec06c..378880d 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -89384,7 +89498,7 @@ index 9dec06c..7877729 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,95 +997,168 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,95 +997,169 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -89420,6 +89534,7 @@ index 9dec06c..7877729 100644
 +	optional_policy(`
 +		gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
 +		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
++		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
 +		gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
 +		gnome_data_filetrans($1, svirt_home_t, dir, "images")
  	')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2fcda05..7ecc0d1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 59%{?dist}
+Release: 62%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,39 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jul 9 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-62
+- Fix definition of sandbox.disabled to sandbox.pp.disabled
+
+* Mon Jul 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-61
+- Allow mdamd to execute systemctl
+- Allow mdadm to read /dev/kvm
+- Allow ipsec_mgmt_t to read l2tpd pid content
+
+* Mon Jul 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-60
+- Allow nsd_t to read /dev/urand
+- Allow mdadm_t to read framebuffer
+- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t
+- Allow mozilla_plugin_config_t to create tmp files
+- Cleanup openvswitch policy
+- Allow mozilla plugin to getattr on all executables
+- Allow l2tpd_t to create fifo_files in /var/run
+- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
+- Allow mdadm to connecto its own unix_stream_socket
+- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now.
+- Allow apache to access smokeping pid files
+- Allow rabbitmq_beam_t to getattr on all filesystems
+- Add systemd support for iodined
+- Allow nup_upsdrvctl_t to execute its entrypoint
+- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch
+- add labeling for ~/.cache/libvirt-sandbox
+- Add interface to allow domains transitioned to by confined users to send sigchld to screen program
+- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab
+- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service
+- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition,  I can see no case where this is  a bad thing, and elminiates a whole class of AVCs.
+- Allow staff to getsched all domains, required to run htop
+- Add port definition for redis port
+- fix selinuxuser_use_ssh_chroot boolean
+
 * Wed Jul 3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-59
 - Add prosody policy written by Michael Scherer
 - Allow nagios plugins to read /sys info

