[selinux-policy/f19] - Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t - Add labeling for /usr/libexec/kde4/polkit

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jul 16 08:18:21 UTC 2013


commit f0746761dbdb4a3acaeb6b15a4fe5a9982df9db8
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Jul 16 10:16:16 2013 +0200

    - Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
    - Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1
    - Allow all domains that can domtrans to shutdown to start the systemd power services used to shut the system down
    - consolekit needs to be able to shut down system
    - Move around interfaces
    - Remove nfsd_rw_t and nfsd_ro_t, they don't do anything
    - Add additional fixes for rabbitmq_beam to allow getattr on mountpoints
    - Allow gconf-defaults-m to read /etc/passwd
    - Fix pki_rw_tomcat_cert() interface to support lnk_files

 policy-rawhide-base.patch    |  164 ++++++++--------
 policy-rawhide-contrib.patch |  440 +++++++++++++++++++++++-------------------
 selinux-policy.spec          |   14 ++-
 3 files changed, 332 insertions(+), 286 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 8694412..85db2a1 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5171,7 +5171,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..f13d33f 100644
+index 4edc40d..8fd1cbb 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5428,7 +5428,8 @@ index 4edc40d..f13d33f 100644
  network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
  network_port(rsh, tcp,514,s0)
  network_port(rsync, tcp,873,s0, udp,873,s0)
- network_port(rtsp, tcp,554,s0, udp,554,s0)
+-network_port(rtsp, tcp,554,s0, udp,554,s0)
++network_port(rtsp, tcp,554,s0, udp,554,s0, tcp,8554,s0, udp,8554,s0)
  network_port(rwho, udp,513,s0)
  network_port(sap, tcp,9875,s0, udp,9875,s0)
 +network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
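Review bot: Adding tcp/udp 8554 to the rtsp port definition silently widens every existing corenet_*_rtsp_port rule to the new port, and the commit message does not mention the change. A one-line comment above the definition would record the intent, e.g. `# 8554: presumably the alternate RTSP port used by some servers — confirm which domain needs it`. If only a single domain needs 8554, a dedicated port type would leave the other rtsp consumers unaffected.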
@@ -14414,7 +14415,7 @@ index 649e458..d47750f 100644
 +	list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..1470f08 100644
+index 6fac350..5a087a7 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -14606,15 +14607,17 @@ index 6fac350..1470f08 100644
  	# nfs kernel server needs kernel UDP access. It is less risky and painful
  	# to just give it everything.
  	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -334,7 +394,6 @@ optional_policy(`
+@@ -332,9 +392,6 @@ optional_policy(`
  
- 	rpc_manage_nfs_ro_content(kernel_t)
- 	rpc_manage_nfs_rw_content(kernel_t)
+ 	sysnet_read_config(kernel_t)
+ 
+-	rpc_manage_nfs_ro_content(kernel_t)
+-	rpc_manage_nfs_rw_content(kernel_t)
 -	rpc_tcp_rw_nfs_sockets(kernel_t)
  	rpc_udp_rw_nfs_sockets(kernel_t)
  
  	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +402,7 @@ optional_policy(`
+@@ -343,9 +400,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -14625,7 +14628,7 @@ index 6fac350..1470f08 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +411,7 @@ optional_policy(`
+@@ -354,7 +409,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -14634,7 +14637,7 @@ index 6fac350..1470f08 100644
  	')
  ')
  
-@@ -367,6 +424,15 @@ optional_policy(`
+@@ -367,6 +422,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -14650,7 +14653,7 @@ index 6fac350..1470f08 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -409,4 +475,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +473,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
  allow kern_unconfined unlabeled_t:filesystem *;
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
@@ -31341,7 +31344,7 @@ index e8c59a5..d2df072 100644
  ')
  
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..5985e0f 100644
+index 9fe8e01..a70c055 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
 @@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@@ -31384,12 +31387,8 @@ index 9fe8e01..5985e0f 100644
  /usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)
  /usr/share/ssl/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
  
-@@ -75,9 +74,11 @@ ifdef(`distro_redhat',`
- 
- /var/lib/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
+@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
  
-+/var/lib/ipa/pki-ca/publish(/.*)?        gen_context(system_u:object_r:cert_t,s0)
-+
  /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
 -/var/cache/man(/.*)?		gen_context(system_u:object_r:man_cache_t,s0)
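Review bot: Removing the cert_t spec for `/var/lib/ipa/pki-ca/publish(/.*)?` narrows who can read that tree: cert_t is readable by any domain using miscfiles_read_generic_certs, whereas the replacement label named in the commit (pki_tomcat_cert_t; the pki.fc side is not in this chunk) is reachable only through the pki interfaces. Any domain that reads the published CA certificate or CRL from there — presumably the IPA web front end — now needs pki_read_tomcat_cert or it will be denied after the relabel, so the AVC log on an IPA host after `restorecon -R /var/lib/ipa/pki-ca/publish` is worth checking. Existing files keep cert_t until that relabel runs.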
@@ -31397,7 +31396,7 @@ index 9fe8e01..5985e0f 100644
  
  /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
  
-@@ -90,6 +91,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
  ')
  
  ifdef(`distro_redhat',`
@@ -38366,7 +38365,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..4129aa6 100644
+index 3c5dba7..33a39dc 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39213,7 +39212,7 @@ index 3c5dba7..4129aa6 100644
  		')
  	')
  
-@@ -693,32 +859,36 @@ template(`userdom_common_user_template',`
+@@ -693,32 +859,35 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -39223,7 +39222,6 @@ index 3c5dba7..4129aa6 100644
 +
 +	optional_policy(`
 +		rpc_dontaudit_getattr_exports($1_usertype)
-+		rpc_manage_nfs_rw_content($1_usertype)
 +	')
 +
 +	optional_policy(`
@@ -39261,7 +39259,7 @@ index 3c5dba7..4129aa6 100644
  	')
  ')
  
-@@ -743,17 +913,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +912,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -39299,7 +39297,7 @@ index 3c5dba7..4129aa6 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,82 +947,99 @@ template(`userdom_login_user_template', `
+@@ -761,82 +946,99 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -39435,7 +39433,7 @@ index 3c5dba7..4129aa6 100644
  	')
  ')
  
-@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -39448,7 +39446,7 @@ index 3c5dba7..4129aa6 100644
  	##############################
  	#
  	# Local policy
-@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',`
  	# Local policy
  	#
  
@@ -39559,7 +39557,7 @@ index 3c5dba7..4129aa6 100644
  		')
  
  		optional_policy(`
-@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
@@ -39590,7 +39588,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  #######################################
-@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -39628,7 +39626,7 @@ index 3c5dba7..4129aa6 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1308,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -39699,7 +39697,7 @@ index 3c5dba7..4129aa6 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -39710,7 +39708,7 @@ index 3c5dba7..4129aa6 100644
  	')
  ')
  
-@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -39719,7 +39717,7 @@ index 3c5dba7..4129aa6 100644
  	')
  
  	##############################
-@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -39727,7 +39725,7 @@ index 3c5dba7..4129aa6 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -39737,7 +39735,7 @@ index 3c5dba7..4129aa6 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -39745,7 +39743,7 @@ index 3c5dba7..4129aa6 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -39760,7 +39758,7 @@ index 3c5dba7..4129aa6 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -39803,7 +39801,7 @@ index 3c5dba7..4129aa6 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -39812,7 +39810,7 @@ index 3c5dba7..4129aa6 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -39831,7 +39829,7 @@ index 3c5dba7..4129aa6 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -39840,7 +39838,7 @@ index 3c5dba7..4129aa6 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -39852,7 +39850,7 @@ index 3c5dba7..4129aa6 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -39895,7 +39893,7 @@ index 3c5dba7..4129aa6 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -39914,7 +39912,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -39966,7 +39964,7 @@ index 3c5dba7..4129aa6 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -39998,7 +39996,7 @@ index 3c5dba7..4129aa6 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -40013,7 +40011,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -40025,7 +40023,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -40068,7 +40066,7 @@ index 3c5dba7..4129aa6 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -40077,7 +40075,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -40092,7 +40090,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1772,7 +2247,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -40101,7 +40099,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1780,19 +2255,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -40125,7 +40123,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1800,31 +2273,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -40165,7 +40163,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1848,6 +2321,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -40191,7 +40189,7 @@ index 3c5dba7..4129aa6 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2370,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -40229,7 +40227,7 @@ index 3c5dba7..4129aa6 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2410,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -40247,7 +40245,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -1941,7 +2458,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -40274,7 +40272,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1951,17 +2486,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  #
  interface(`userdom_delete_all_user_home_content_files',`
  	gen_require(`
@@ -40295,7 +40293,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,12 +2502,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -40346,7 +40344,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2010,8 +2579,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -40356,7 +40354,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2027,20 +2595,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -40381,7 +40379,7 @@ index 3c5dba7..4129aa6 100644
  
  ########################################
  ## <summary>
-@@ -2123,7 +2685,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -40390,7 +40388,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2693,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -40414,7 +40412,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2711,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -40430,7 +40428,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2393,11 +2953,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -40445,7 +40443,7 @@ index 3c5dba7..4129aa6 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +2977,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -40454,7 +40452,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2664,6 +3224,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -40480,7 +40478,7 @@ index 3c5dba7..4129aa6 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3259,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -40496,7 +40494,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3287,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -40505,7 +40503,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,19 +3295,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -40528,7 +40526,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2735,25 +3313,43 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -40578,7 +40576,7 @@ index 3c5dba7..4129aa6 100644
  	gen_require(`
  		type user_tty_device_t;
  	')
-@@ -2817,6 +3413,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -40603,7 +40601,7 @@ index 3c5dba7..4129aa6 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3449,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -40646,7 +40644,7 @@ index 3c5dba7..4129aa6 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3485,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -40684,7 +40682,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2885,8 +3530,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -40714,7 +40712,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -2958,69 +3622,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -40815,7 +40813,7 @@ index 3c5dba7..4129aa6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3691,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -40830,7 +40828,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -3097,7 +3760,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -40839,7 +40837,7 @@ index 3c5dba7..4129aa6 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3776,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -40873,7 +40871,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -3217,7 +3864,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3863,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -40900,7 +40898,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -3272,7 +3937,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3936,64 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -40966,7 +40964,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -3290,7 +4012,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4011,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -40975,7 +40973,7 @@ index 3c5dba7..4129aa6 100644
  ')
  
  ########################################
-@@ -3309,6 +4031,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4030,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -40983,7 +40981,7 @@ index 3c5dba7..4129aa6 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3385,6 +4108,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4107,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -41026,7 +41024,7 @@ index 3c5dba7..4129aa6 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4164,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4163,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -41051,7 +41049,7 @@ index 3c5dba7..4129aa6 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3438,4 +4215,1455 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4214,1455 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 9ddeed7..a3352be 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -6774,10 +6774,10 @@ index 5ec0e13..1c37fe1 100644
  /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
  /var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 diff --git a/apcupsd.if b/apcupsd.if
-index f3c0aba..7b24e98 100644
+index f3c0aba..b6afc90 100644
 --- a/apcupsd.if
 +++ b/apcupsd.if
-@@ -125,6 +125,29 @@ interface(`apcupsd_cgi_script_domtrans',`
+@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',`
  
  ########################################
  ## <summary>
@@ -6804,10 +6804,30 @@ index f3c0aba..7b24e98 100644
 +
 +########################################
 +## <summary>
++##	Create configuration files in /var/lock 
++##	with a named file type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`apcupsd_filetrans_named_content',`
++	gen_require(`
++		type apcupsd_lock_t;
++	')
++
++	files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
++	files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
++')
++
++########################################
++## <summary>
  ##	All of the rules required to
  ##	administrate an apcupsd environment.
  ## </summary>
-@@ -144,11 +167,16 @@ interface(`apcupsd_admin',`
+@@ -144,11 +187,16 @@ interface(`apcupsd_admin',`
  	gen_require(`
  		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
  		type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
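Review bot: `files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")` only fires for a file whose name is exactly `LCK..`, because a named type transition matches the full final path component; if apcupsd creates UUCP-style per-device lock files such as `LCK..ttyS0` (the usual serial-port convention — confirm against the daemon), those files will not receive apcupsd_lock_t and will take the lock directory's default type. A name with a variable suffix cannot be handled by a named transition; the creating domain needs an unnamed `files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)` in apcupsd.te if it is not already there. The summary is also inaccurate for what the interface does and should read `## Create apcupsd lock files in /var/lock with a named file type transition.` The interface is only relocated in this hunk, so both points predate the commit.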
@@ -6825,7 +6845,7 @@ index f3c0aba..7b24e98 100644
  	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 apcupsd_initrc_exec_t system_r;
-@@ -165,4 +193,28 @@ interface(`apcupsd_admin',`
+@@ -165,4 +213,8 @@ interface(`apcupsd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, apcupsd_var_run_t)
@@ -6833,29 +6853,9 @@ index f3c0aba..7b24e98 100644
 +	apcupsd_systemctl($1)
 +	admin_pattern($1, apcupsd_unit_file_t)
 +	allow $1 apcupsd_unit_file_t:service all_service_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Create configuration files in /var/lock 
-+##	with a named file type transition.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`apcupsd_filetrans_named_content',`
-+	gen_require(`
-+		type apcupsd_lock_t;
-+	')
-+
-+	files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
-+	files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
  ')
 diff --git a/apcupsd.te b/apcupsd.te
-index b236327..f194ee1 100644
+index b236327..ea24c5d 100644
 --- a/apcupsd.te
 +++ b/apcupsd.te
 @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -6895,7 +6895,7 @@ index b236327..f194ee1 100644
  
  corenet_udp_bind_snmp_port(apcupsd_t)
  corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +75,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +75,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
  
  dev_rw_generic_usb_dev(apcupsd_t)
  
@@ -6919,11 +6919,13 @@ index b236327..f194ee1 100644
  sysnet_dns_name_resolve(apcupsd_t)
  
 -userdom_use_user_ttys(apcupsd_t)
++systemd_start_power_services(apcupsd_t)
++
 +userdom_use_inherited_user_ttys(apcupsd_t)
  
  optional_policy(`
  	hostname_exec(apcupsd_t)
-@@ -112,7 +117,6 @@ optional_policy(`
+@@ -112,7 +119,6 @@ optional_policy(`
  	allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
  
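Review bot: `systemd_start_power_services(apcupsd_t)` lets a daemon that also binds the snmp port (per the corenet_udp_bind_snmp_port rule earlier in this file) initiate a system poweroff, which is intended for a UPS running out of battery but is the highest-impact permission in the domain and is added without a comment. I'd record the reason on the line: `# shut the system down when the UPS reports its battery exhausted`. The call is unconditional, which is fine only as long as systemd remains a base module; the neighbouring hostname rule stays inside optional_policy for that reason.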
@@ -13334,7 +13336,7 @@ index 5b830ec..0647a3b 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/consolekit.te b/consolekit.te
-index 5f0c793..ecd0397 100644
+index 5f0c793..d11e25b 100644
 --- a/consolekit.te
 +++ b/consolekit.te
 @@ -19,12 +19,16 @@ type consolekit_var_run_t;
@@ -13354,7 +13356,7 @@ index 5f0c793..ecd0397 100644
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket { accept listen };
-@@ -54,37 +58,35 @@ dev_read_sysfs(consolekit_t)
+@@ -54,37 +58,36 @@ dev_read_sysfs(consolekit_t)
  
  domain_read_all_domains_state(consolekit_t)
  domain_use_interactive_fds(consolekit_t)
@@ -13382,6 +13384,7 @@ index 5f0c793..ecd0397 100644
  
 -miscfiles_read_localization(consolekit_t)
 +systemd_exec_systemctl(consolekit_t)
++systemd_start_power_services(consolekit_t)
  
 +userdom_read_all_users_state(consolekit_t)
  userdom_dontaudit_read_user_home_content_files(consolekit_t)
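Review bot: `systemd_start_power_services(consolekit_t)` together with `systemd_exec_systemctl(consolekit_t)` on the line above gives consolekit a complete stop/restart path, and nothing in the policy records why or what gates it. ConsoleKit's Stop/Restart D-Bus methods are presumably authorised by polkit rather than by this domain's permissions (confirm against the daemon), so a comment such as `# Stop/Restart requested by sessions; authorization is enforced by polkit, not here` would keep a later cleanup from treating the grant as overbroad.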
@@ -13400,7 +13403,7 @@ index 5f0c793..ecd0397 100644
  ')
  
  ifdef(`distro_debian',`
-@@ -112,13 +114,6 @@ optional_policy(`
+@@ -112,13 +115,6 @@ optional_policy(`
  	')
  ')
  
@@ -27341,7 +27344,7 @@ index d03fd43..26023f7 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 20f726b..8e905be 100644
+index 20f726b..c6ff2a1 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -1,18 +1,36 @@
@@ -27385,7 +27388,7 @@ index 20f726b..8e905be 100644
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,227 @@ type gconfd_exec_t;
+@@ -29,107 +47,226 @@ type gconfd_exec_t;
  typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
  typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
  userdom_user_application_domain(gconfd_t, gconfd_exec_t)
@@ -27439,41 +27442,41 @@ index 20f726b..8e905be 100644
 +manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
 +manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
 +userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
-+
+ 
+-domain_use_interactive_fds(gnomedomain)
 +manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 +manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 +userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
-+
+ 
+-files_read_etc_files(gnomedomain)
 +allow gconfd_t gconf_etc_t:dir list_dir_perms;
 +read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
 +
 +dev_read_urand(gconfd_t)
  
--domain_use_interactive_fds(gnomedomain)
- 
--files_read_etc_files(gnomedomain)
- 
 -miscfiles_read_localization(gnomedomain)
-+logging_send_syslog_msg(gconfd_t)
  
 -logging_send_syslog_msg(gnomedomain)
+ 
+-userdom_use_user_terminals(gnomedomain)
++logging_send_syslog_msg(gconfd_t)
++
 +userdom_manage_user_tmp_sockets(gconfd_t)
 +userdom_manage_user_tmp_dirs(gconfd_t)
 +userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
  
--userdom_use_user_terminals(gnomedomain)
-+optional_policy(`
-+	nscd_dontaudit_search_pid(gconfd_t)
-+')
- 
  optional_policy(`
 -	xserver_rw_xdm_pipes(gnomedomain)
 -	xserver_use_xdm_fds(gnomedomain)
-+	xserver_use_xdm_fds(gconfd_t)
-+	xserver_rw_xdm_pipes(gconfd_t)
++	nscd_dontaudit_search_pid(gconfd_t)
  ')
  
 -##############################
++optional_policy(`
++	xserver_use_xdm_fds(gconfd_t)
++	xserver_rw_xdm_pipes(gconfd_t)
++')
++
 +#######################################
  #
 -# Conf daemon local Policy
@@ -27494,10 +27497,10 @@ index 20f726b..8e905be 100644
 -manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 -manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 -userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
++auth_read_passwd(gconfdefaultsm_t)
  
 -userdom_manage_user_tmp_dirs(gconfd_t)
 -userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
-+
 +gnome_manage_gconf_home_files(gconfdefaultsm_t)
 +gnome_manage_gconf_config(gconfdefaultsm_t)
 +
@@ -27530,8 +27533,7 @@ index 20f726b..8e905be 100644
 +userdom_home_manager(gconfdefaultsm_t)
 +
 +#######################################
- #
--# Keyring-daemon local policy
++#
 +# gnome-system-monitor-mechanisms local policy
 +#
 +
@@ -27550,7 +27552,6 @@ index 20f726b..8e905be 100644
 +domain_signal_all_domains(gnomesystemmm_t)
 +domain_sigstop_all_domains(gnomesystemmm_t)
 +
-+
 +fs_getattr_xattr_fs(gnomesystemmm_t)
 +
 +auth_read_passwd(gnomesystemmm_t)
@@ -27584,7 +27585,8 @@ index 20f726b..8e905be 100644
 +')
 +
 +######################################
-+#
+ #
+-# Keyring-daemon local policy
 +# gnome-keyring-daemon local policy
  #
  
@@ -48601,7 +48603,7 @@ index 57c0161..54bd4d7 100644
 +    ps_process_pattern($1, swift_t)
  ')
 diff --git a/nut.te b/nut.te
-index 0c9deb7..ebfaeb8 100644
+index 0c9deb7..76988d6 100644
 --- a/nut.te
 +++ b/nut.te
 @@ -1,4 +1,4 @@
@@ -48610,7 +48612,7 @@ index 0c9deb7..ebfaeb8 100644
  
  ########################################
  #
-@@ -22,100 +22,94 @@ type nut_upsdrvctl_t, nut_domain;
+@@ -22,116 +22,126 @@ type nut_upsdrvctl_t, nut_domain;
  type nut_upsdrvctl_exec_t;
  init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
  
@@ -48754,11 +48756,13 @@ index 0c9deb7..ebfaeb8 100644
 +
  auth_use_nsswitch(nut_upsmon_t)
  
-+
  mta_send_mail(nut_upsmon_t)
  
++systemd_start_power_services(nut_upsmon_t)
++
  optional_policy(`
-@@ -124,14 +118,29 @@ optional_policy(`
+ 	shutdown_domtrans(nut_upsmon_t)
+ ')
  
  ########################################
  #
@@ -48790,7 +48794,7 @@ index 0c9deb7..ebfaeb8 100644
  corecmd_exec_bin(nut_upsdrvctl_t)
  
  dev_read_sysfs(nut_upsdrvctl_t)
-@@ -139,22 +148,34 @@ dev_read_urand(nut_upsdrvctl_t)
+@@ -139,22 +149,34 @@ dev_read_urand(nut_upsdrvctl_t)
  dev_rw_generic_usb_dev(nut_upsdrvctl_t)
  
  term_use_unallocated_ttys(nut_upsdrvctl_t)
@@ -53910,10 +53914,10 @@ index 0000000..f788d35
 +logging_send_syslog_msg(pkcsslotd_t)
 diff --git a/pki.fc b/pki.fc
 new file mode 100644
-index 0000000..0c167b7
+index 0000000..726d992
 --- /dev/null
 +++ b/pki.fc
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,56 @@
 +/etc/pki/pki-tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
 +/var/lib/pki/pki-tomcat(/.*)?       	gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
 +/var/run/pki/tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
@@ -53949,6 +53953,7 @@ index 0000000..0c167b7
 +/var/run/pki-ca.pid                     gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
 +/var/log/pki-ca(/.*)?                   gen_context(system_u:object_r:pki_tomcat_log_t,s0)
 +/var/lib/pki-ca/alias(/.*)?             gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/var/lib/ipa/pki-ca/publish(/.*)?       gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
 +/etc/pki-kra(/.*)?                      gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
 +/var/lib/pki-kra(/.*)?                  gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
 +/var/run/pki-kra.pid                    gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
@@ -53971,10 +53976,10 @@ index 0000000..0c167b7
 +/usr/lib/systemd/system/pki-tomcat.*	gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
 diff --git a/pki.if b/pki.if
 new file mode 100644
-index 0000000..898a5e8
+index 0000000..051f952
 --- /dev/null
 +++ b/pki.if
-@@ -0,0 +1,292 @@
+@@ -0,0 +1,293 @@
 +
 +## <summary>policy for pki</summary>
 +
@@ -53996,6 +54001,7 @@ index 0000000..898a5e8
 +
 +		allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
 +        rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++        create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
 +')
 +
 +########################################
@@ -55030,10 +55036,10 @@ index a14b3bc..b196183 100644
  
  userdom_signal_unpriv_users(podsleuth_t)
 diff --git a/policykit.fc b/policykit.fc
-index 1d76c72..eeb33d9 100644
+index 1d76c72..93d09d9 100644
 --- a/policykit.fc
 +++ b/policykit.fc
-@@ -1,23 +1,21 @@
+@@ -1,23 +1,22 @@
 -/usr/lib/polkit-1/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
 -/usr/lib/polkit-1/polkit-agent-helper-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 -
@@ -55060,6 +55066,7 @@ index 1d76c72..eeb33d9 100644
 +/usr/libexec/polkitd.*			--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/libexec/polkit-1/polkit-agent-helper-1 --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 +/usr/lib/polkit-1/polkit-agent-helper-1  --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
++/usr/libexec/kde4/polkit-kde-authentication-agent-1 --  gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 +/usr/libexec/polkit-1/polkitd.*		--	gen_context(system_u:object_r:policykit_exec_t,s0)
  
 -/var/lib/misc/PolicyKit.reload	gen_context(system_u:object_r:policykit_reload_t,s0)
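Review bot: The new `/usr/libexec/kde4/polkit-kde-authentication-agent-1` entry separates its fields with runs of spaces, while the neighbouring `polkit-agent-helper-1` and `polkitd` entries use tabs; keep the file's tab alignment so the table stays readable. On substance, the entry gives a session authentication agent the same `policykit_auth_exec_t` type as the `polkit-agent-helper-1` helper on the two lines above it; if the GNOME agent is labeled the same way elsewhere in this file this is consistent, but if only the helper carried this type so far, confirm the domain transition into `policykit_auth_t` is intended for the agent as well.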
@@ -65299,7 +65306,7 @@ index c5ad6de..c67dbef 100644
  
  /var/run/rabbitmq(/.*)?	gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..2d320e6 100644
+index 3698b51..bc25bbc 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -45,6 +45,8 @@ setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@@ -65320,20 +65327,23 @@ index 3698b51..2d320e6 100644
  corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
  corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
  corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
-@@ -68,20 +72,29 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -68,20 +72,32 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
  corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
  
 -dev_read_sysfs(rabbitmq_beam_t)
 +corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
 +corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
-+
-+auth_read_passwd(rabbitmq_beam_t)
  
 -files_read_etc_files(rabbitmq_beam_t)
-+fs_getattr_all_fs(rabbitmq_beam_t)
++auth_read_passwd(rabbitmq_beam_t)
  
 -miscfiles_read_localization(rabbitmq_beam_t)
++files_getattr_all_mountpoints(rabbitmq_beam_t)
++
++fs_getattr_all_fs(rabbitmq_beam_t)
++fs_getattr_cgroup(rabbitmq_beam_t)
++
 +dev_read_sysfs(rabbitmq_beam_t)
 +dev_read_urand(rabbitmq_beam_t)
  
@@ -65354,7 +65364,7 @@ index 3698b51..2d320e6 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +112,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +115,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
@@ -69823,7 +69833,7 @@ index 2ab3ed1..23d579c 100644
  	role_transition $2 ricci_initrc_exec_t system_r;
  	allow $2 system_r;
 diff --git a/ricci.te b/ricci.te
-index 9702ed2..eeb9e48 100644
+index 9702ed2..a265af9 100644
 --- a/ricci.te
 +++ b/ricci.te
 @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
@@ -69842,16 +69852,16 @@ index 9702ed2..eeb9e48 100644
  files_read_etc_runtime_files(ricci_t)
  files_create_boot_flag(ricci_t)
  
-@@ -149,8 +147,6 @@ locallogin_dontaudit_use_fds(ricci_t)
+@@ -149,7 +147,7 @@ locallogin_dontaudit_use_fds(ricci_t)
  
  logging_send_syslog_msg(ricci_t)
  
 -miscfiles_read_localization(ricci_t)
--
++systemd_start_power_services(ricci_t)
+ 
  sysnet_dns_name_resolve(ricci_t)
  
- optional_policy(`
-@@ -235,13 +231,8 @@ init_domtrans_script(ricci_modcluster_t)
+@@ -235,13 +233,8 @@ init_domtrans_script(ricci_modcluster_t)
  
  logging_send_syslog_msg(ricci_modcluster_t)
  
@@ -69866,7 +69876,7 @@ index 9702ed2..eeb9e48 100644
  ')
  
  optional_policy(`
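Review bot: `systemd_start_power_services(ricci_t)` lets a network-facing cluster-management daemon start the power units from its own domain; the changelog scopes this grant to domains that can already domtrans to shutdown, but no `shutdown_domtrans(ricci_t)` is visible in this hunk, so confirm ricci_t is in that set and that the grant belongs in `ricci_t` itself rather than in one of its helper domains such as `ricci_modcluster_t` that appear further down in the file. A why-comment would document the intent, e.g. `# ricci reboots/powers off the node on remote request` adjusted to the actual trigger, which the diff does not show. The enclosing ricci_t policy block starts and ends outside the hunk.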
-@@ -271,7 +262,7 @@ optional_policy(`
+@@ -271,7 +264,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69875,7 +69885,7 @@ index 9702ed2..eeb9e48 100644
  ')
  
  ########################################
-@@ -336,23 +327,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+@@ -336,23 +329,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
  
  logging_send_syslog_msg(ricci_modclusterd_t)
  
@@ -69900,7 +69910,7 @@ index 9702ed2..eeb9e48 100644
  ')
  
  optional_policy(`
-@@ -374,12 +358,10 @@ corecmd_exec_bin(ricci_modlog_t)
+@@ -374,12 +360,10 @@ corecmd_exec_bin(ricci_modlog_t)
  
  domain_read_all_domains_state(ricci_modlog_t)
  
@@ -69913,7 +69923,7 @@ index 9702ed2..eeb9e48 100644
  
  optional_policy(`
  	nscd_dontaudit_search_pid(ricci_modlog_t)
-@@ -401,9 +383,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
+@@ -401,9 +385,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
  corecmd_exec_bin(ricci_modrpm_t)
  
  files_search_usr(ricci_modrpm_t)
@@ -69924,7 +69934,7 @@ index 9702ed2..eeb9e48 100644
  
  optional_policy(`
  	oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
-@@ -428,14 +409,13 @@ kernel_read_system_state(ricci_modservice_t)
+@@ -428,14 +411,13 @@ kernel_read_system_state(ricci_modservice_t)
  corecmd_exec_bin(ricci_modservice_t)
  corecmd_exec_shell(ricci_modservice_t)
  
@@ -69940,7 +69950,7 @@ index 9702ed2..eeb9e48 100644
  
  optional_policy(`
  	ccs_read_config(ricci_modservice_t)
-@@ -460,7 +440,6 @@ optional_policy(`
+@@ -460,7 +442,6 @@ optional_policy(`
  
  allow ricci_modstorage_t self:capability { mknod sys_nice };
  allow ricci_modstorage_t self:process { setsched signal };
@@ -69948,7 +69958,7 @@ index 9702ed2..eeb9e48 100644
  allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
  
  kernel_read_kernel_sysctls(ricci_modstorage_t)
-@@ -480,21 +459,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
+@@ -480,21 +461,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
  
  files_manage_etc_files(ricci_modstorage_t)
  files_read_etc_runtime_files(ricci_modstorage_t)
@@ -70272,7 +70282,7 @@ index a6fb30c..b0c22f7 100644
 +/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +
 diff --git a/rpc.if b/rpc.if
-index 3bd6446..a61764b 100644
+index 3bd6446..8bde316 100644
 --- a/rpc.if
 +++ b/rpc.if
 @@ -1,4 +1,4 @@
@@ -70463,161 +70473,179 @@ index 3bd6446..a61764b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -159,7 +231,30 @@ interface(`rpc_initrc_domtrans_nfsd',`
+@@ -159,7 +231,7 @@ interface(`rpc_initrc_domtrans_nfsd',`
  
  ########################################
  ## <summary>
 -##	Execute rpcd in the rpcd domain.
 +##	Execute nfsd server in the nfsd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -167,120 +239,108 @@ interface(`rpc_initrc_domtrans_nfsd',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`rpc_domtrans_rpcd',`
 +interface(`rpc_systemctl_nfsd',`
-+	gen_require(`
+ 	gen_require(`
+-		type rpcd_t, rpcd_exec_t;
 +		type nfsd_unit_file_t;
 +		type nfsd_t;
-+	')
-+
+ 	')
+ 
+-	corecmd_search_bin($1)
+-	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+-')
 +	systemd_exec_systemctl($1)
 +	allow $1 nfsd_unit_file_t:file read_file_perms;
 +	allow $1 nfsd_unit_file_t:service manage_service_perms;
-+
+ 
+-#######################################
+-## <summary>
+-##	Execute rpcd init scripts in
+-##	the initrc domain.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed to transition.
+-##	</summary>
+-## </param>
+-#
+-interface(`rpc_initrc_domtrans_rpcd',`
+-	gen_require(`
+-		type rpcd_initrc_exec_t;
+-	')
+-
+-	init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
 +	ps_process_pattern($1, nfsd_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read nfs exported content.
 +##	Execute domain in rpcd domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -172,14 +267,39 @@ interface(`rpc_domtrans_rpcd',`
- 		type rpcd_t, rpcd_exec_t;
+-##	Domain allowed access.
++##	Domain allowed to transition.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`rpc_read_nfs_content',`
++interface(`rpc_domtrans_rpcd',`
+ 	gen_require(`
+-		type nfsd_ro_t, nfsd_rw_t;
++		type rpcd_t, rpcd_exec_t;
  	')
  
--	corecmd_search_bin($1)
- 	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+-	allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
+-	allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
+-	allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
++	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
 +	allow rpcd_t $1:process signal;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	nfs exported read write content.
 +##	Execute rpcd in the rcpd domain, and
 +##	allow the specified role the rpcd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed to transition.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <param name="role">
 +##      <summary>
 +##      Role allowed access.
 +##      </summary>
 +## </param>
-+## <rolecap/>
-+#
+ ## <rolecap/>
+ #
+-interface(`rpc_manage_nfs_rw_content',`
 +interface(`rpc_run_rpcd',`
-+	gen_require(`
+ 	gen_require(`
+-		type nfsd_rw_t;
 +		type rpcd_t;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
+-	manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+-	manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
 +	rpc_domtrans_rpcd($1)
 +	role $2 types rpcd_t;
  ')
  
- #######################################
+-########################################
++#######################################
  ## <summary>
--##	Execute rpcd init scripts in
--##	the initrc domain.
+-##	Create, read, write, and delete
+-##	nfs exported read only content.
 +##	Execute domain in rpcd domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -197,7 +317,30 @@ interface(`rpc_initrc_domtrans_rpcd',`
+-##	Domain allowed access.
++##	Domain allowed to transition.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`rpc_manage_nfs_ro_content',`
++interface(`rpc_initrc_domtrans_rpcd',`
+ 	gen_require(`
+-		type nfsd_ro_t;
++		type rpcd_initrc_exec_t;
+ 	')
+ 
+-	manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
+-	manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+-	manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
++	init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
+ ')
  
  ########################################
  ## <summary>
--##	Read nfs exported content.
+-##	Read and write to nfsd tcp sockets.
 +##	Execute rpcd server in the rpcd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`rpc_tcp_rw_nfs_sockets',`
 +interface(`rpc_systemctl_rpcd',`
-+	gen_require(`
+ 	gen_require(`
+-		type nfsd_t;
 +		type rpcd_unit_file_t;
 +		type rpcd_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 nfsd_t:tcp_socket rw_socket_perms;
 +	systemd_exec_systemctl($1)
 +	allow $1 rpcd_unit_file_t:file read_file_perms;
 +	allow $1 rpcd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, rpcd_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read NFS exported content.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -218,8 +361,7 @@ interface(`rpc_read_nfs_content',`
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	nfs exported read write content.
-+##	Allow domain to create read and write NFS directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -240,8 +382,7 @@ interface(`rpc_manage_nfs_rw_content',`
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	nfs exported read only content.
-+##	Allow domain to create read and write NFS directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -262,25 +403,7 @@ interface(`rpc_manage_nfs_ro_content',`
+ ')
  
  ########################################
  ## <summary>
--##	Read and write to nfsd tcp sockets.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
--interface(`rpc_tcp_rw_nfs_sockets',`
--	gen_require(`
--		type nfsd_t;
--	')
--
--	allow $1 nfsd_t:tcp_socket rw_socket_perms;
--')
--
--########################################
--## <summary>
 -##	Read and write to nfsd udp sockets.
 +##	Allow domain to read and write to an NFS UDP socket.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -312,7 +435,7 @@ interface(`rpc_udp_send_nfs',`
+@@ -312,7 +372,7 @@ interface(`rpc_udp_send_nfs',`
  
  ########################################
  ## <summary>
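Review bot: The hunk deletes the public interfaces `rpc_read_nfs_content`, `rpc_manage_nfs_rw_content`, `rpc_manage_nfs_ro_content` and `rpc_tcp_rw_nfs_sockets` outright; reference-policy practice for retiring an interface is to leave a stub whose body is `refpolicywarn(`$0($*) has been deprecated')`, so third-party or locally built modules that still call them keep compiling instead of failing at module build or `semodule` time — no callers are visible in this chunk, so whether any remain in the tree cannot be checked here. Separately, the summary of the new `rpc_run_rpcd` reads `Execute rpcd in the rcpd domain`; `rcpd` should be `rpcd`.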
@@ -70626,7 +70654,7 @@ index 3bd6446..a61764b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -326,12 +449,12 @@ interface(`rpc_search_nfs_state_data',`
+@@ -326,12 +386,12 @@ interface(`rpc_search_nfs_state_data',`
  	')
  
  	files_search_var_lib($1)
@@ -70641,7 +70669,7 @@ index 3bd6446..a61764b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -339,19 +462,18 @@ interface(`rpc_search_nfs_state_data',`
+@@ -339,19 +399,18 @@ interface(`rpc_search_nfs_state_data',`
  ##	</summary>
  ## </param>
  #
@@ -70664,7 +70692,7 @@ index 3bd6446..a61764b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -359,62 +481,31 @@ interface(`rpc_read_nfs_state_data',`
+@@ -359,62 +418,31 @@ interface(`rpc_read_nfs_state_data',`
  ##	</summary>
  ## </param>
  #
@@ -70736,7 +70764,7 @@ index 3bd6446..a61764b 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/rpc.te b/rpc.te
-index e5212e6..4fb05d7 100644
+index e5212e6..97bb4a0 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -1,4 +1,4 @@
@@ -70780,7 +70808,7 @@ index e5212e6..4fb05d7 100644
  
  type exports_t;
  files_config_file(exports_t)
-@@ -36,16 +32,24 @@ files_tmp_file(gssd_tmp_t)
+@@ -36,110 +32,49 @@ files_tmp_file(gssd_tmp_t)
  type rpcd_var_run_t;
  files_pid_file(rpcd_var_run_t)
  
@@ -70799,13 +70827,16 @@ index e5212e6..4fb05d7 100644
  type nfsd_initrc_exec_t;
  init_script_file(nfsd_initrc_exec_t)
  
+-type nfsd_rw_t;
+-files_type(nfsd_rw_t)
+-
+-type nfsd_ro_t;
+-files_type(nfsd_ro_t)
 +type nfsd_unit_file_t;
 +systemd_unit_file(nfsd_unit_file_t)
-+
- type nfsd_rw_t;
- files_type(nfsd_rw_t)
  
-@@ -57,89 +61,26 @@ files_mountpoint(var_lib_nfs_t)
+ type var_lib_nfs_t;
+ files_mountpoint(var_lib_nfs_t)
  
  ########################################
  #
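Review bot: Dropping the `nfsd_rw_t` and `nfsd_ro_t` type declarations is not a no-op for deployments that labeled export directories with them (for example via `semanage fcontext -t nfsd_rw_t ...`): contexts that cannot be mapped under the new policy are remapped to the unlabeled initial SID when it loads, and the local fcontext entries then fail to apply on relabel. If that migration is acceptable, the changelog should say the types are removed rather than that they "don't do anything", and the spec's `%post` (or release notes) should tell admins to migrate such entries to `public_content_t`/`public_content_rw_t`, if those are the intended replacements — the diff does not say. The only in-tree consumer visible is the `allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;` line removed later in this patch, which is consistent with the removal.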
@@ -70901,7 +70932,7 @@ index e5212e6..4fb05d7 100644
  kernel_read_sysctl(rpcd_t)
  kernel_rw_fs_sysctls(rpcd_t)
  kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -160,13 +101,14 @@ fs_getattr_all_fs(rpcd_t)
+@@ -160,13 +95,14 @@ fs_getattr_all_fs(rpcd_t)
  
  storage_getattr_fixed_disk_dev(rpcd_t)
  
@@ -70919,7 +70950,7 @@ index e5212e6..4fb05d7 100644
  
  optional_policy(`
  	automount_signal(rpcd_t)
-@@ -174,19 +116,23 @@ optional_policy(`
+@@ -174,19 +110,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70947,14 +70978,14 @@ index e5212e6..4fb05d7 100644
  ')
  
  ########################################
-@@ -195,41 +141,57 @@ optional_policy(`
+@@ -195,41 +135,56 @@ optional_policy(`
  #
  
  allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
 +dontaudit nfsd_t self:capability sys_rawio;
  
  allow nfsd_t exports_t:file read_file_perms;
- allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  
 +# for /proc/fs/nfs/exports - should we have a new type?
 +kernel_read_system_state(nfsd_t)
@@ -71012,7 +71043,7 @@ index e5212e6..4fb05d7 100644
  	miscfiles_manage_public_files(nfsd_t)
  ')
  
-@@ -238,7 +200,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -238,7 +193,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -71020,7 +71051,7 @@ index e5212e6..4fb05d7 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -250,12 +211,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -250,12 +204,12 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -71035,7 +71066,7 @@ index e5212e6..4fb05d7 100644
  ')
  
  ########################################
-@@ -271,6 +232,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -271,6 +225,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -71043,7 +71074,7 @@ index e5212e6..4fb05d7 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -279,25 +241,29 @@ kernel_signal(gssd_t)
+@@ -279,25 +234,29 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -71076,7 +71107,7 @@ index e5212e6..4fb05d7 100644
  ')
  
  optional_policy(`
-@@ -306,8 +272,11 @@ optional_policy(`
+@@ -306,8 +265,11 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_keytab_template(gssd, gssd_t)
@@ -89922,7 +89953,7 @@ index 9dec06c..378880d 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..6d3d147 100644
+index 1f22fba..a8d17af 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,97 @@
@@ -91577,7 +91608,7 @@ index 1f22fba..6d3d147 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1274,114 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1274,115 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -91632,6 +91663,7 @@ index 1f22fba..6d3d147 100644
 +sysnet_dns_name_resolve(virt_qemu_ga_t)
 +
 +systemd_exec_systemctl(virt_qemu_ga_t)
++systemd_start_power_services(virt_qemu_ga_t)
 +
 +userdom_use_user_ptys(virt_qemu_ga_t)
 +
@@ -91726,7 +91758,7 @@ index 20a1fb2..470ea95 100644
  	allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
  	allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 diff --git a/vmware.te b/vmware.te
-index 3a56513..5721057 100644
+index 3a56513..d7ec42b 100644
 --- a/vmware.te
 +++ b/vmware.te
 @@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
@@ -91765,7 +91797,7 @@ index 3a56513..5721057 100644
  
  fs_getattr_all_fs(vmware_host_t)
  fs_search_auto_mountpoints(vmware_host_t)
-@@ -138,8 +138,6 @@ libs_exec_ld_so(vmware_host_t)
+@@ -138,23 +138,27 @@ libs_exec_ld_so(vmware_host_t)
  
  logging_send_syslog_msg(vmware_host_t)
  
@@ -91774,7 +91806,11 @@ index 3a56513..5721057 100644
  sysnet_dns_name_resolve(vmware_host_t)
  sysnet_domtrans_ifconfig(vmware_host_t)
  
-@@ -149,12 +147,16 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
++systemd_start_power_services(vmware_host_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
+ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+ 
  netutils_domtrans_ping(vmware_host_t)
  
  optional_policy(`
@@ -91793,7 +91829,7 @@ index 3a56513..5721057 100644
  
  optional_policy(`
  	samba_read_config(vmware_host_t)
-@@ -244,9 +246,7 @@ dev_search_sysfs(vmware_t)
+@@ -244,9 +248,7 @@ dev_search_sysfs(vmware_t)
  
  domain_use_interactive_fds(vmware_t)
  
@@ -91803,7 +91839,7 @@ index 3a56513..5721057 100644
  files_list_home(vmware_t)
  
  fs_getattr_all_fs(vmware_t)
-@@ -258,9 +258,8 @@ storage_raw_write_removable_device(vmware_t)
+@@ -258,9 +260,8 @@ storage_raw_write_removable_device(vmware_t)
  libs_exec_ld_so(vmware_t)
  libs_read_lib_files(vmware_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c46a931..ba46f5d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 64%{?dist}
+Release: 65%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -424,6 +424,7 @@ Obsoletes: cachefilesd-selinux <= 0.10-1
 Conflicts:  seedit
 Conflicts:  389-ds-base < 1.2.7, 389-admin < 1.1.12
 Conflicts:	pki-selinux < 10-0.0-0.45.b1
+Conflicts:  freeipa <= 3.2.1-1
 
 %description targeted
 SELinux Reference policy targeted base module.
@@ -539,6 +540,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jul 16 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-65
+- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
+- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1
+- Allow all domains that can domtrans to shutdown, to start the power services script to shutdown
+- consolekit needs to be able to shut down system
+- Move around interfaces
+- Remove nfsd_rw_t and nfsd_ro_t, they don't do anything
+- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints
+- Allow gconf-defaults-m to read /etc/passwd
+- Fix pki_rw_tomcat_cert() interface to support lnk_files
+
 * Fri Jul 12 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-64
 - Add support for gluster ports
 - Make sure that all keys located in /etc/ssh/ are labeled correctly

