[selinux-policy/f19] - Make systemd-notify working if pcsd is used - Add support for netlabel and label /usr/sbin/netlabe

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jul 24 13:19:41 UTC 2013


commit 29a17a40e0d5fc34621dd38ba9bd9f9c10765d94
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Jul 24 15:19:03 2013 +0200

    - Make systemd-notify working if pcsd is used
    - Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t
    - Instead of having all unconfined domains get all of the named transition rules,
    - Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.
    - Add definition for the salt ports
    - Allow xdm_t to create link files in xdm_var_run_t
    - Dontaudit reads of blk files or chr files leaked into ldconfig_t
    - Allow sys_chroot for useradd_t
    - Allow net_raw cap for ipsec_t
    - Allow sysadm_t to reload services
    - Add additional fixes to make strongswan working with a simple conf
    - Allow sysadm_t to enable/disable init_t services
    - Add additional glusterd perms
    - Allow apache to read lnk files in the /mnt directory
    - Allow glusterd to ask the kernel to load a module
    - Fix description of ftpd_use_fusefs boolean
    - Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilities and p
    - Allow glusterds to request load a kernel module
    - Allow boinc to stream connect to xserver_t
    - Allow sblim domains to read /etc/passwd
    - Allow mdadm to read usb devices
    - Allow collectd to use ping plugin
    - Make foghorn working with SNMP
    - Allow sssd to read ldap certs
    - Allow haproxy to connect to RTP media ports
    - Add additional trans rules for aide_db
    - Add labeling for /usr/lib/pcsd/pcsd
    - Add labeling for /var/log/pcsd
    - Add support for pcs which is a corosync and pacemaker configuration tool

 policy-f19-base.patch    |  421 +++++++++++++++++++++---------
 policy-f19-contrib.patch |  637 ++++++++++++++++++++++++++++++----------------
 selinux-policy.spec      |   38 +++-
 3 files changed, 746 insertions(+), 350 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 6debbcb..4497b28 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -668,7 +668,7 @@ index 3a45f23..f4754f0 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 28802c5..943c42e 100644
+index 28802c5..ee01d6e 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
 @@ -329,6 +329,7 @@ class process
@@ -679,7 +679,7 @@ index 28802c5..943c42e 100644
  }
  
  
-@@ -393,6 +394,10 @@ class system
+@@ -393,6 +394,13 @@ class system
  	syslog_mod
  	syslog_console
  	module_request
@@ -687,10 +687,13 @@ index 28802c5..943c42e 100644
 +	reboot
 +	status
 +	undefined
++	enable
++	disable
++    reload
  }
  
  #
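Review bot: The new `reload` entry in the `system` class is indented with four spaces while the `enable` and `disable` lines added next to it and the existing entries use a tab. The same mixed indentation appears on the added `init_reload_services(unconfined_domain_type)` line in the domain.te hunk and on `openvpn_exec(staff_t)` in the staff.te hunk further down. Tabs are what the surrounding policy uses, so those three lines should be re-indented with a leading tab before the patch is committed.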
-@@ -443,10 +448,12 @@ class capability
+@@ -443,10 +451,12 @@ class capability
  class capability2 
  {
  	mac_override	# unused by SELinux
@@ -704,7 +707,7 @@ index 28802c5..943c42e 100644
  }
  
  #
-@@ -827,6 +834,9 @@ class kernel_service
+@@ -827,6 +837,9 @@ class kernel_service
  
  class tun_socket
  inherits socket
@@ -714,7 +717,7 @@ index 28802c5..943c42e 100644
  
  class x_pointer
  inherits x_device
-@@ -862,3 +872,20 @@ inherits database
+@@ -862,3 +875,20 @@ inherits database
  	implement
  	execute
  }
@@ -2376,7 +2379,7 @@ index 99e3903..7270808 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..9365051 100644
+index d555767..68f6887 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -2724,7 +2727,7 @@ index d555767..9365051 100644
  #
  
 -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource };
++allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
 +
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
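Review bot: `sys_chroot` is appended to useradd_t's capability set without a comment saying which operation needs it, so a later audit of this domain's capabilities has nothing to go on. Presumably it backs the `-R`/`--root` option of the shadow-utils tools, which chroot into a target tree, but the denial that motivated it is not visible here. A one-line comment above the rule, e.g. `# sys_chroot: useradd/usermod/userdel -R chroot into the target root — confirm against the original denial`, would record the reason. The rest of the useradd_t rule block continues outside this hunk.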
@@ -5171,7 +5174,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..8fd1cbb 100644
+index 4edc40d..6f8cc7f 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5257,7 +5260,7 @@ index 4edc40d..8fd1cbb 100644
  network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
  network_port(audit, tcp,60,s0)
  network_port(auth, tcp,113,s0)
-@@ -96,6 +118,7 @@ network_port(boinc, tcp,31416,s0)
+@@ -96,18 +118,18 @@ network_port(boinc, tcp,31416,s0)
  network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
  network_port(biff) # no defined portcon
  network_port(certmaster, tcp,51235,s0)
@@ -5265,7 +5268,12 @@ index 4edc40d..8fd1cbb 100644
  network_port(chronyd, udp,323,s0)
  network_port(clamd, tcp,3310,s0)
  network_port(clockspeed, udp,4041,s0)
-@@ -107,7 +130,6 @@ network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
+ network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
+ network_port(cma, tcp,1050,s0, udp,1050,s0)
+ network_port(cobbler, tcp,25151,s0)
+-network_port(commplex_link, tcp,5001,s0, udp,5001,s0)
++network_port(commplex_link, tcp,4331,s0, tcp,5001,s0, udp,5001,s0)
+ network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
  network_port(comsat, udp,512,s0)
  network_port(condor, tcp,9618,s0, udp,9618,s0)
  network_port(couchdb, tcp,5984,s0, udp,5984,s0)
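Review bot: The `tcp,4331` entry added to `commplex_link` is not mentioned anywhere in the commit description, and neither is the new `fmpro_internal` definition (tcp/udp 5003) added further down in this file section. Every other port change in the commit has a matching bullet; these two silently change the label of those ports, so any domain already allowed `commplex_link_port_t` or later allowed `fmpro_internal_port_t` reaches them. The consumer is presumably in the contrib patch, which is outside this view; a bullet naming it, or a trailing `# <consumer>` comment on the `network_port` line, would make the change auditable.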
@@ -5273,7 +5281,7 @@ index 4edc40d..8fd1cbb 100644
  network_port(ctdb, tcp,4379,s0, udp,4397,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -119,19 +141,25 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+@@ -119,19 +141,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -5288,6 +5296,7 @@ index 4edc40d..8fd1cbb 100644
  network_port(epmd, tcp,4369,s0, udp,4369,s0)
  network_port(fingerd, tcp,79,s0)
 -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
++network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0)
 +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
 +network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
@@ -5301,7 +5310,7 @@ index 4edc40d..8fd1cbb 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +167,51 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +168,51 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5367,7 +5376,7 @@ index 4edc40d..8fd1cbb 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,24 +219,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,24 +220,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5403,7 +5412,7 @@ index 4edc40d..8fd1cbb 100644
  network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
-@@ -214,38 +256,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +257,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5429,8 +5438,10 @@ index 4edc40d..8fd1cbb 100644
  network_port(rsh, tcp,514,s0)
  network_port(rsync, tcp,873,s0, udp,873,s0)
 -network_port(rtsp, tcp,554,s0, udp,554,s0)
++network_port(rtp_media, tcp,5004-5005,s0, udp,5004-5005,s0)
 +network_port(rtsp, tcp,554,s0, udp,554,s0, tcp,8554,s0, udp,8554,s0)
  network_port(rwho, udp,513,s0)
++network_port(salt, tcp,4505,s0, tcp,4506,s0)
  network_port(sap, tcp,9875,s0, udp,9875,s0)
 +network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
  network_port(servistaitsm, tcp,3636,s0, udp,3636,s0)
@@ -5454,7 +5465,7 @@ index 4edc40d..8fd1cbb 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +304,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +307,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5465,7 +5476,7 @@ index 4edc40d..8fd1cbb 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(ups, tcp,3493,s0)
-@@ -268,10 +316,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +319,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5478,7 +5489,7 @@ index 4edc40d..8fd1cbb 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +340,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +343,16 @@ network_port(zope, tcp,8021,s0)
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
  # these entries just cover any remaining reserved ports not otherwise declared.
  
@@ -5497,7 +5508,7 @@ index 4edc40d..8fd1cbb 100644
  
  ########################################
  #
-@@ -330,6 +382,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +385,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5506,7 +5517,7 @@ index 4edc40d..8fd1cbb 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +396,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +399,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -8408,7 +8419,7 @@ index 6a1e4d1..c691385 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..d02fa9e 100644
+index cf04cb5..e8e2506 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8536,7 +8547,7 @@ index cf04cb5..d02fa9e 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +229,292 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +229,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -8569,6 +8580,9 @@ index cf04cb5..d02fa9e 100644
 +term_filetrans_all_named_dev(unconfined_domain_type)
 +
 +optional_policy(`
++	init_disable_services(unconfined_domain_type)
++	init_enable_services(unconfined_domain_type)
++    init_reload_services(unconfined_domain_type)
 +	init_status(unconfined_domain_type)
 +	init_reboot(unconfined_domain_type)
 +	init_halt(unconfined_domain_type)
@@ -16685,7 +16699,7 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..1a2de40 100644
+index 5da7870..28cfc6a 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
@@ -16757,7 +16771,7 @@ index 5da7870..1a2de40 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +79,102 @@ optional_policy(`
+@@ -23,11 +79,106 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16858,10 +16872,14 @@ index 5da7870..1a2de40 100644
 +	polipo_role(staff_r, staff_t)
 +	polipo_named_filetrans_cache_home_dirs(staff_t)
 +	polipo_named_filetrans_config_home_files(staff_t)
++')
++
++optional_policy(`
++    openvpn_exec(staff_t)
  ')
  
  optional_policy(`
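Review bot: `openvpn_exec(staff_t)` is added to staff.te with no corresponding entry in the commit description. Going by the refpolicy naming convention, an `_exec` interface lets the caller run the binary in its own domain, so openvpn would execute as staff_t with that domain's permissions instead of transitioning to the openvpn domain, which differs from the `_run`/`_role` pattern the rest of this file uses for staff_r; the interface body is in the contrib patch and not visible here, so confirm which behaviour is intended. If a no-transition exec is what is wanted, a comment such as `# openvpn runs in the staff domain, no transition intended` above the call would record that choice.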
-@@ -35,15 +182,31 @@ optional_policy(`
+@@ -35,15 +186,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16895,7 +16913,7 @@ index 5da7870..1a2de40 100644
  ')
  
  optional_policy(`
-@@ -52,10 +215,55 @@ optional_policy(`
+@@ -52,10 +219,55 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16951,7 +16969,7 @@ index 5da7870..1a2de40 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -65,10 +273,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +277,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16962,7 +16980,7 @@ index 5da7870..1a2de40 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -78,10 +282,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +286,6 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		dbus_role_template(staff, staff_r, staff_t)
@@ -16973,7 +16991,7 @@ index 5da7870..1a2de40 100644
  	')
  
  	optional_policy(`
-@@ -101,10 +301,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +305,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16984,7 +17002,7 @@ index 5da7870..1a2de40 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +321,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +325,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16995,7 +17013,7 @@ index 5da7870..1a2de40 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +333,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +337,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17006,7 +17024,7 @@ index 5da7870..1a2de40 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +364,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +368,22 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -17058,10 +17076,10 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..e7c0869 100644
+index 88d0028..0459d20 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,82 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
  # Declarations
  #
  
@@ -17117,6 +17135,9 @@ index 88d0028..e7c0869 100644
 +application_exec(sysadm_t)
 +
 +init_filetrans_named_content(sysadm_t)
++init_disable_services(sysadm_t)
++init_enable_services(sysadm_t)
++init_reload_services(sysadm_t)
  init_exec(sysadm_t)
 +init_exec_script_files(sysadm_t)
 +init_dbus_chat(sysadm_t)
@@ -17155,7 +17176,7 @@ index 88d0028..e7c0869 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,13 +98,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +101,7 @@ ifdef(`distro_gentoo',`
  	init_exec_rc(sysadm_t)
  ')
  
@@ -17170,7 +17191,7 @@ index 88d0028..e7c0869 100644
  	domain_ptrace_all_domains(sysadm_t)
  ')
  
-@@ -71,9 +108,9 @@ optional_policy(`
+@@ -71,9 +111,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -17181,7 +17202,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -87,6 +124,7 @@ optional_policy(`
+@@ -87,6 +127,7 @@ optional_policy(`
  
  optional_policy(`
  	asterisk_stream_connect(sysadm_t)
@@ -17189,7 +17210,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -110,11 +148,17 @@ optional_policy(`
+@@ -110,11 +151,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17207,7 +17228,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -122,11 +166,19 @@ optional_policy(`
+@@ -122,11 +169,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17229,7 +17250,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -140,6 +192,10 @@ optional_policy(`
+@@ -140,6 +195,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17240,7 +17261,7 @@ index 88d0028..e7c0869 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -156,11 +212,11 @@ optional_policy(`
+@@ -156,11 +215,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17254,7 +17275,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -179,6 +235,13 @@ optional_policy(`
+@@ -179,6 +238,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -17268,7 +17289,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -186,15 +249,20 @@ optional_policy(`
+@@ -186,15 +252,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17292,7 +17313,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -214,22 +282,20 @@ optional_policy(`
+@@ -214,22 +285,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -17321,7 +17342,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -241,14 +307,27 @@ optional_policy(`
+@@ -241,14 +310,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17349,7 +17370,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -256,10 +335,20 @@ optional_policy(`
+@@ -256,10 +338,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17370,7 +17391,7 @@ index 88d0028..e7c0869 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +359,36 @@ optional_policy(`
+@@ -270,31 +362,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17414,7 +17435,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -319,12 +413,18 @@ optional_policy(`
+@@ -319,12 +416,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17434,7 +17455,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -349,7 +449,18 @@ optional_policy(`
+@@ -349,7 +452,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17454,7 +17475,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -360,19 +471,15 @@ optional_policy(`
+@@ -360,19 +474,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17476,7 +17497,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -384,10 +491,6 @@ optional_policy(`
+@@ -384,10 +494,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17487,7 +17508,7 @@ index 88d0028..e7c0869 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +498,9 @@ optional_policy(`
+@@ -395,6 +501,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -17497,7 +17518,7 @@ index 88d0028..e7c0869 100644
  ')
  
  optional_policy(`
-@@ -402,31 +508,34 @@ optional_policy(`
+@@ -402,31 +511,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17538,7 +17559,7 @@ index 88d0028..e7c0869 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,10 +548,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +551,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17549,7 +17570,7 @@ index 88d0028..e7c0869 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -463,15 +568,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +571,75 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22453,7 +22474,7 @@ index 6bf0ecc..266289c 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..fcf58c6 100644
+index 2696452..7e081fb 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -22798,7 +22819,7 @@ index 2696452..fcf58c6 100644
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
  	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +408,106 @@ optional_policy(`
+@@ -299,64 +408,107 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -22890,6 +22911,7 @@ index 2696452..fcf58c6 100644
  
  manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
  manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
++manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
  manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
 -files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
 +manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
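Review bot: `manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)` lets xdm_t create symlinks of type xdm_var_run_t, but the `files_pid_filetrans` rule visible only as the removed line at the end of this hunk lists `{ dir file fifo_file }`, and its replacement lies outside the hunk. A symlink created inside an existing xdm_var_run_t directory inherits that type and is covered; one created directly under /var/run would be labeled var_run_t unless `lnk_file` is in the filetrans class set, and the new rule would then not apply to it. Worth checking that the replacement filetrans line includes `lnk_file` if that is the case the "create link files in xdm_var_run_t" bullet is fixing.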
@@ -22915,7 +22937,7 @@ index 2696452..fcf58c6 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +516,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +517,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -22945,7 +22967,7 @@ index 2696452..fcf58c6 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +546,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +547,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -22998,7 +23020,7 @@ index 2696452..fcf58c6 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +598,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +599,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -23027,7 +23049,7 @@ index 2696452..fcf58c6 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +628,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +629,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23074,7 +23096,7 @@ index 2696452..fcf58c6 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +673,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +674,144 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -23225,7 +23247,7 @@ index 2696452..fcf58c6 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +824,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +825,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -23252,7 +23274,7 @@ index 2696452..fcf58c6 100644
  ')
  
  optional_policy(`
-@@ -514,12 +851,72 @@ optional_policy(`
+@@ -514,12 +852,72 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23325,7 +23347,7 @@ index 2696452..fcf58c6 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +934,78 @@ optional_policy(`
+@@ -537,28 +935,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23413,7 +23435,7 @@ index 2696452..fcf58c6 100644
  ')
  
  optional_policy(`
-@@ -570,6 +1017,14 @@ optional_policy(`
+@@ -570,6 +1018,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23428,7 +23450,7 @@ index 2696452..fcf58c6 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +1049,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1050,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -23441,7 +23463,7 @@ index 2696452..fcf58c6 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1066,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1067,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23457,7 +23479,7 @@ index 2696452..fcf58c6 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1082,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1083,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -23468,7 +23490,7 @@ index 2696452..fcf58c6 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1097,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1098,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23490,7 +23512,7 @@ index 2696452..fcf58c6 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1117,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1118,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -23504,7 +23526,7 @@ index 2696452..fcf58c6 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1143,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1144,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -23536,7 +23558,7 @@ index 2696452..fcf58c6 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1175,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1176,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23554,7 +23576,7 @@ index 2696452..fcf58c6 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1198,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1199,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -23578,7 +23600,7 @@ index 2696452..fcf58c6 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1217,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1218,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -23587,7 +23609,7 @@ index 2696452..fcf58c6 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1261,44 @@ optional_policy(`
+@@ -775,16 +1262,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23633,7 +23655,7 @@ index 2696452..fcf58c6 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1307,10 @@ optional_policy(`
+@@ -793,6 +1308,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23644,7 +23666,7 @@ index 2696452..fcf58c6 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1326,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1327,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -23658,7 +23680,7 @@ index 2696452..fcf58c6 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1337,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1338,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -23667,7 +23689,7 @@ index 2696452..fcf58c6 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1350,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1351,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23702,7 +23724,7 @@ index 2696452..fcf58c6 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1415,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1416,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23711,7 +23733,7 @@ index 2696452..fcf58c6 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1469,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1470,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -23743,7 +23765,7 @@ index 2696452..fcf58c6 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1515,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1516,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -25995,7 +26017,7 @@ index 9a4d3a7..9d960bb 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..d0780a9 100644
+index 24e7804..c4155c7 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -26880,7 +26902,7 @@ index 24e7804..d0780a9 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2284,306 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2284,360 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -27131,6 +27153,60 @@ index 24e7804..d0780a9 100644
 +
 +########################################
 +## <summary>
++##	Tell init to enable the services.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_enable_services',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:system enable;
++')
++
++########################################
++## <summary>
++##	Tell init to disable the services.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_disable_services',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:system disable;
++')
++
++########################################
++## <summary>
++##	Tell init to reload the services.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_reload_services',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:system reload;
++')
++
++########################################
++## <summary>
 +##	Tell init to halt the system.
 +## </summary>
 +## <param name="domain">
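Review bot: The three new interfaces grant `enable`, `disable` and `reload` on the `init_t:system` object, which applies to every service on the system rather than to any particular caller's "the services", and the summaries do not make that scope visible. Suggest wording each summary as `##	Allow the specified domain to tell init to enable any service (init_t:system enable).`, and likewise for disable and reload, so that policy authors calling them understand what they are handing out. The inner init.if hunk that holds these interfaces begins before and continues after this outer hunk.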
@@ -28690,7 +28766,7 @@ index 0d4c8d3..a89c4a2 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..9a068f6 100644
+index 9e54bf9..a0ba260 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28703,24 +28779,37 @@ index 9e54bf9..9a068f6 100644
  type ipsec_mgmt_lock_t;
  files_lock_file(ipsec_mgmt_lock_t)
  
-@@ -73,13 +76,15 @@ role system_r types setkey_t;
+@@ -72,14 +75,18 @@ role system_r types setkey_t;
+ # ipsec Local policy
  #
  
- allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
 -dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
++allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid };
 +dontaudit ipsec_t self:capability sys_tty_config;
  allow ipsec_t self:process { getcap setcap getsched signal setsched };
  allow ipsec_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_t self:udp_socket create_socket_perms;
++allow ipsec_t self:packet_socket create_socket_perms;
  allow ipsec_t self:key_socket create_socket_perms;
  allow ipsec_t self:fifo_file read_fifo_file_perms;
  allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
 +allow ipsec_t self:netlink_selinux_socket create_socket_perms;
 +allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write };
  
  allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
  
-@@ -128,20 +133,21 @@ corecmd_exec_shell(ipsec_t)
+@@ -113,7 +120,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+ allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
+ 
+ kernel_read_kernel_sysctls(ipsec_t)
+-kernel_read_net_sysctls(ipsec_t)
++kernel_rw_net_sysctls(ipsec_t)
+ kernel_list_proc(ipsec_t)
+ kernel_read_proc_symlinks(ipsec_t)
+ # allow pluto to access /proc/net/ipsec_eroute;
+@@ -128,20 +135,22 @@ corecmd_exec_shell(ipsec_t)
  corecmd_exec_bin(ipsec_t)
  
  # Pluto needs network access
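Review bot: `setuid` is added to the ipsec_t capability set together with `net_raw`, but only net_raw is accounted for in the commit message, and the same hunk also adds a `packet_socket`, `netlink_route_socket write`, and widens `kernel_read_net_sysctls` to `kernel_rw_net_sysctls`. Each of these broadens what a compromised IKE daemon can do (raw frame access, altering network sysctls, uid changes), so a one-line comment above the capability rule naming the strongswan feature behind each grant would make the rule reviewable, e.g. `# net_raw/packet_socket: [feature]; setuid: [feature] -- TODO confirm`. If setuid is only needed to drop privileges at startup, saying so is enough.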
@@ -28742,6 +28831,7 @@ index 9e54bf9..9a068f6 100644
  corenet_tcp_bind_isakmp_port(ipsec_t)
  corenet_udp_bind_isakmp_port(ipsec_t)
  corenet_udp_bind_ipsecnat_port(ipsec_t)
++corenet_udp_bind_dhcpc_port(ipsec_t)
  corenet_sendrecv_generic_server_packets(ipsec_t)
  corenet_sendrecv_isakmp_server_packets(ipsec_t)
 +corenet_tcp_connect_http_port(ipsec_t)
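Review bot: `corenet_udp_bind_dhcpc_port(ipsec_t)` lets the IKE daemon bind the DHCP client port, which is an unusual grant for a VPN daemon and is not mentioned in the commit message. If it is for strongswan's DHCP-based virtual-IP assignment, a comment such as `# strongswan dhcp plugin binds the dhcpc port -- TODO confirm` would record that; otherwise the rule should be dropped rather than left unexplained.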
@@ -28749,7 +28839,7 @@ index 9e54bf9..9a068f6 100644
  
  dev_read_sysfs(ipsec_t)
  dev_read_rand(ipsec_t)
-@@ -157,6 +163,8 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,6 +166,8 @@ files_dontaudit_search_home(ipsec_t)
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
  
@@ -28758,7 +28848,7 @@ index 9e54bf9..9a068f6 100644
  term_use_console(ipsec_t)
  term_dontaudit_use_all_ttys(ipsec_t)
  
-@@ -165,11 +173,13 @@ auth_use_nsswitch(ipsec_t)
+@@ -165,11 +176,13 @@ auth_use_nsswitch(ipsec_t)
  init_use_fds(ipsec_t)
  init_use_script_ptys(ipsec_t)
  
@@ -28773,7 +28863,7 @@ index 9e54bf9..9a068f6 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -187,10 +197,10 @@ optional_policy(`
+@@ -187,10 +200,10 @@ optional_policy(`
  # ipsec_mgmt Local policy
  #
  
@@ -28788,7 +28878,7 @@ index 9e54bf9..9a068f6 100644
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
  allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -210,6 +220,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+@@ -210,6 +223,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
  
  manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -28796,7 +28886,7 @@ index 9e54bf9..9a068f6 100644
  manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
  
  allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
-@@ -246,6 +257,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -28813,7 +28903,7 @@ index 9e54bf9..9a068f6 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +276,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +279,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -28822,7 +28912,7 @@ index 9e54bf9..9a068f6 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -278,9 +301,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +304,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -28834,7 +28924,7 @@ index 9e54bf9..9a068f6 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +314,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +317,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
  logging_send_syslog_msg(ipsec_mgmt_t)
  
@@ -28858,7 +28948,7 @@ index 9e54bf9..9a068f6 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +349,10 @@ optional_policy(`
+@@ -322,6 +352,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28869,7 +28959,16 @@ index 9e54bf9..9a068f6 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t)
+@@ -335,7 +369,7 @@ optional_policy(`
+ #
+ 
+ allow racoon_t self:capability { net_admin net_bind_service };
+-allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
++allow racoon_t self:netlink_route_socket { create_netlink_socket_perms };
+ allow racoon_t self:unix_dgram_socket { connect create ioctl write };
+ allow racoon_t self:netlink_selinux_socket { bind create read };
+ allow racoon_t self:udp_socket create_socket_perms;
+@@ -370,13 +404,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
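Review bot: The replacement line `allow racoon_t self:netlink_route_socket { create_netlink_socket_perms };` is semantically identical to the removed one — the braces merely wrap a single permission set — so this hunk changes nothing and only adds patch churn. Either revert it or add the permission that was intended; the parallel ipsec_t rule in this same commit adds `write`, so `{ create_netlink_socket_perms write }` may be what was meant, though that is a guess.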
@@ -28889,7 +28988,7 @@ index 9e54bf9..9a068f6 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +434,11 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -28902,7 +29001,7 @@ index 9e54bf9..9a068f6 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +472,9 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -29619,7 +29718,7 @@ index 808ba93..9d8f729 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 23a645e..1982e9c 100644
+index 23a645e..f0cbd38 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@@ -29694,17 +29793,19 @@ index 23a645e..1982e9c 100644
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -114,6 +126,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -114,6 +126,11 @@ ifdef(`hide_broken_symptoms',`
  		')
  	')
  
 +	dev_dontaudit_rw_lvm_control(ldconfig_t)
++	dev_dontaudit_read_all_chr_files(ldconfig_t)
++	dev_dontaudit_read_all_blk_files(ldconfig_t)
 +	term_dontaudit_use_unallocated_ttys(ldconfig_t)
 +
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
  	')
-@@ -131,6 +146,14 @@ optional_policy(`
+@@ -131,6 +148,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29719,7 +29820,7 @@ index 23a645e..1982e9c 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +164,3 @@ optional_policy(`
+@@ -141,6 +166,3 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
@@ -29804,7 +29905,7 @@ index 0e3c2a9..ea9bd57 100644
 +	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
 +')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..799d194 100644
+index c04ac46..ed59137 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -29928,7 +30029,7 @@ index c04ac46..799d194 100644
  	unconfined_shell_domtrans(local_login_t)
  ')
  
-@@ -215,37 +211,55 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,37 +211,56 @@ allow sulogin_t self:sem create_sem_perms;
  allow sulogin_t self:msgq create_msgq_perms;
  allow sulogin_t self:msg { send receive };
  
@@ -29950,6 +30051,7 @@ index c04ac46..799d194 100644
 +auth_use_nsswitch(sulogin_t)
  
  init_getpgid_script(sulogin_t)
++init_getpgid(sulogin_t)
  
  logging_send_syslog_msg(sulogin_t)
  
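Review bot: `init_getpgid(sulogin_t)` is added unconditionally here, but the context of the following hunk shows the same call already present inside an ifdef branch (apparently the `sulogin_no_pam` block). After this change that conditional call is redundant and can be removed so the rule lives in one place. The enclosing sulogin_t section continues past this hunk.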
@@ -29986,7 +30088,7 @@ index c04ac46..799d194 100644
  	init_getpgid(sulogin_t)
  ', `
  	allow sulogin_t self:process setexec;
-@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', `
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
@@ -30496,7 +30598,7 @@ index 4e94884..55d2481 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..7094526 100644
+index 39ea221..692b00d 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -30591,13 +30693,12 @@ index 39ea221..7094526 100644
  corenet_all_recvfrom_netlabel(auditd_t)
  corenet_tcp_sendrecv_generic_if(auditd_t)
  corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +204,16 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t)
  logging_domtrans_dispatcher(auditd_t)
  logging_signal_dispatcher(auditd_t)
  
 -miscfiles_read_localization(auditd_t)
 +auth_use_nsswitch(auditd_t)
-+
  
  mls_file_read_all_levels(auditd_t)
  mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
@@ -30608,11 +30709,13 @@ index 39ea221..7094526 100644
  sysnet_dns_name_resolve(auditd_t)
  
 -userdom_use_user_terminals(auditd_t)
++systemd_start_systemd_services(auditd_t)
++
 +userdom_use_inherited_user_terminals(auditd_t)
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_user_home_dirs(auditd_t)
  
-@@ -237,19 +258,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t)
  
  domain_use_interactive_fds(audisp_t)
  
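Review bot: `systemd_start_systemd_services(auditd_t)` gives the audit daemon `start` on every `systemd_unit_file_t`, i.e. the ability to start any unit on the system, which is broad for a logging daemon and is not covered by the commit message. If auditd only needs to trigger one specific unit, a comment naming it (`# auditd starts [unit] -- TODO confirm`) would document the intent, and a dedicated unit file type with a narrower interface would be the tighter fix.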
@@ -30643,7 +30746,7 @@ index 39ea221..7094526 100644
  ')
  
  ########################################
-@@ -268,7 +299,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
  
  corecmd_exec_bin(audisp_remote_t)
  
@@ -30651,7 +30754,7 @@ index 39ea221..7094526 100644
  corenet_all_recvfrom_netlabel(audisp_remote_t)
  corenet_tcp_sendrecv_generic_if(audisp_remote_t)
  corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +310,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
  
  files_read_etc_files(audisp_remote_t)
  
@@ -30671,7 +30774,7 @@ index 39ea221..7094526 100644
  
  sysnet_dns_name_resolve(audisp_remote_t)
  
-@@ -326,7 +364,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t)
  
  logging_send_syslog_msg(klogd_t)
  
@@ -30679,7 +30782,7 @@ index 39ea221..7094526 100644
  
  mls_file_read_all_levels(klogd_t)
  
-@@ -354,12 +391,12 @@ optional_policy(`
+@@ -354,12 +392,12 @@ optional_policy(`
  # chown fsetid for syslog-ng
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
@@ -30695,7 +30798,7 @@ index 39ea221..7094526 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,6 +406,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+@@ -369,6 +407,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
  allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -30703,7 +30806,7 @@ index 39ea221..7094526 100644
  
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -377,6 +415,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -377,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  # create/append log files.
  manage_files_pattern(syslogd_t, var_log_t, var_log_t)
  rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -30711,7 +30814,7 @@ index 39ea221..7094526 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,22 +425,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -386,22 +426,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -30746,7 +30849,7 @@ index 39ea221..7094526 100644
  corenet_all_recvfrom_netlabel(syslogd_t)
  corenet_udp_sendrecv_generic_if(syslogd_t)
  corenet_udp_sendrecv_generic_node(syslogd_t)
-@@ -427,9 +475,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,9 +476,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -30774,7 +30877,7 @@ index 39ea221..7094526 100644
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
-@@ -442,14 +507,19 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +508,19 @@ files_read_kernel_symbol_table(syslogd_t)
  files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
  
  fs_getattr_all_fs(syslogd_t)
@@ -30794,7 +30897,7 @@ index 39ea221..7094526 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +531,10 @@ init_use_fds(syslogd_t)
+@@ -461,11 +532,10 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -30808,7 +30911,7 @@ index 39ea221..7094526 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -502,15 +571,36 @@ optional_policy(`
+@@ -502,15 +572,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30845,7 +30948,7 @@ index 39ea221..7094526 100644
  ')
  
  optional_policy(`
-@@ -521,3 +611,26 @@ optional_policy(`
+@@ -521,3 +612,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -35097,10 +35200,10 @@ index 0000000..2cd29ba
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..6862d53
+index 0000000..1a254f8
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1231 @@
+@@ -0,0 +1,1286 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -35906,6 +36009,61 @@ index 0000000..6862d53
 +	init_config_all_script_files($1)
 +')
 +
++########################################
++## <summary>
++##	Allow the specified domain to start systemd services.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_start_systemd_services',`
++	gen_require(`
++		type systemd_unit_file_t;
++	')
++
++	allow $1 systemd_unit_file_t:service start;
++')
++
++#######################################
++## <summary>
++##  Allow the specified domain to reload all systemd services.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`systemd_reload_systemd_services',`
++    gen_require(`
++        type systemd_unit_file_t;
++    ')
++
++    allow $1 systemd_unit_file_t:service reload;
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to modify the systemd configuration of 
++##	all systemd services
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_config_systemd_services',`
++	gen_require(`
++		type systemd_unit_file_t;
++	')
++
++	allow $1 systemd_unit_file_t:service all_service_perms;
++	init_config_all_script_files($1)
++')
 +
 +########################################
 +## <summary>
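Review bot: `systemd_reload_systemd_services` is indented with spaces and its separator rule appears one `#` shorter, while the neighbouring interfaces in this file use tabs and a 40-character rule; the same space-for-tab indentation appears in the hunks adding `lpd_manage_spool`, `rhcs_read_log_cluster`, `netutils_domtrans_ping` and `telepathy_gabble_stream_connect_to`, and there is trailing whitespace after `modify the systemd configuration of ` in the last summary. Separately, `systemd_config_systemd_services` grants `all_service_perms` on every `systemd_unit_file_t` — the full service permission set, not configuration alone — and the summary should say so, e.g. `##	Allow the specified domain all service permissions on every systemd unit and to modify its configuration.`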
@@ -36334,10 +36492,10 @@ index 0000000..6862d53
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..b43a6c1
+index 0000000..13712f9
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,654 @@
+@@ -0,0 +1,661 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -36720,6 +36878,7 @@ index 0000000..b43a6c1
 +')
 +
 +optional_policy(`
++    lpd_manage_spool(systemd_tmpfiles_t)
 +	lpd_relabel_spool(systemd_tmpfiles_t)
 +')
 +
@@ -36747,6 +36906,7 @@ index 0000000..b43a6c1
 +
 +allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
 +allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_notify_t self:unix_dgram_socket create_socket_perms;
 +
 +domain_use_interactive_fds(systemd_notify_t)
 +
@@ -36757,6 +36917,10 @@ index 0000000..b43a6c1
 +init_rw_stream_sockets(systemd_notify_t)
 +
 +optional_policy(`
++    rhcs_read_log_cluster(systemd_notify_t)
++')
++
++optional_policy(`
 +	readahead_manage_pid_files(systemd_notify_t)
 +')
 +
@@ -36972,6 +37136,8 @@ index 0000000..b43a6c1
 +
 +init_stream_connect(systemd_sysctl_t)
 +
++logging_send_syslog_msg(systemd_sysctl_t)
++
 +########################################
 +#
 +# Common rules for systemd domains
@@ -36991,7 +37157,6 @@ index 0000000..b43a6c1
 +optional_policy(`
 +	policykit_dbus_chat(systemd_domain)
 +')
-+
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index 40928d8..49fd32e 100644
 --- a/policy/modules/system/udev.fc
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 7e02bb9..da225f8 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -1468,7 +1468,7 @@ index 01cbb67..94a4a24 100644
  
  	files_list_etc($1)
 diff --git a/aide.te b/aide.te
-index 4b28ab3..6e8746f 100644
+index 4b28ab3..f781a7a 100644
 --- a/aide.te
 +++ b/aide.te
 @@ -10,6 +10,7 @@ attribute_role aide_roles;
@@ -1479,16 +1479,21 @@ index 4b28ab3..6e8746f 100644
  role aide_roles types aide_t;
  
  type aide_log_t;
-@@ -23,7 +24,7 @@ files_type(aide_db_t)
+@@ -23,22 +24,30 @@ files_type(aide_db_t)
  # Local policy
  #
  
 -allow aide_t self:capability { dac_override fowner };
-+allow aide_t self:capability { dac_override fowner ipc_lock };
++allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };
  
  manage_files_pattern(aide_t, aide_db_t, aide_db_t)
++files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
  
-@@ -34,11 +35,20 @@ logging_log_filetrans(aide_t, aide_log_t, file)
+-create_files_pattern(aide_t, aide_log_t, aide_log_t)
+-append_files_pattern(aide_t, aide_log_t, aide_log_t)
+-setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
++manage_files_pattern(aide_t, aide_log_t, aide_log_t)
+ logging_log_filetrans(aide_t, aide_log_t, file)
  
  files_read_all_files(aide_t)
  files_read_all_symlinks(aide_t)
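Review bot: `sys_admin` joins the aide_t capability set without a comment or a commit-message entry; it is close to unrestricted root and is a significant widening for a file-integrity checker. The same hunk replaces the create/append/setattr rules on `aide_log_t` with `manage_files_pattern`, which lets aide_t delete or truncate its own integrity logs — worth calling out, since append-only logs are part of what an integrity checker is meant to protect. Please add a comment above the capability line naming the operation that needs sys_admin, or replace it with the narrower permission (or a `dontaudit` if the capability is only probed).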
@@ -4528,7 +4533,7 @@ index 83e899c..c5be77c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..ffff859 100644
+index 1a82e29..a68bd53 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,367 @@
@@ -5216,7 +5221,7 @@ index 1a82e29..ffff859 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +551,164 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5298,6 +5303,7 @@ index 1a82e29..ffff859 100644
 -files_read_usr_files(httpd_t)
 +files_exec_usr_files(httpd_t)
  files_list_mnt(httpd_t)
++files_read_mnt_symlinks(httpd_t)
  files_search_spool(httpd_t)
  files_read_var_symlinks(httpd_t)
  files_read_var_lib_files(httpd_t)
@@ -5445,7 +5451,7 @@ index 1a82e29..ffff859 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +718,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +719,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5505,7 +5511,7 @@ index 1a82e29..ffff859 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +770,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +771,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5590,7 +5596,7 @@ index 1a82e29..ffff859 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +811,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +812,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5671,7 +5677,7 @@ index 1a82e29..ffff859 100644
  ')
  
  optional_policy(`
-@@ -743,14 +863,6 @@ optional_policy(`
+@@ -743,14 +864,6 @@ optional_policy(`
  	ccs_read_config(httpd_t)
  ')
  
@@ -5686,7 +5692,7 @@ index 1a82e29..ffff859 100644
  
  optional_policy(`
  	cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +877,23 @@ optional_policy(`
+@@ -765,6 +878,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5710,7 +5716,7 @@ index 1a82e29..ffff859 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +910,42 @@ optional_policy(`
+@@ -781,34 +911,42 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5764,7 +5770,7 @@ index 1a82e29..ffff859 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +953,18 @@ optional_policy(`
+@@ -816,8 +954,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5783,7 +5789,7 @@ index 1a82e29..ffff859 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +973,7 @@ optional_policy(`
+@@ -826,6 +974,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -5791,7 +5797,7 @@ index 1a82e29..ffff859 100644
  ')
  
  optional_policy(`
-@@ -836,20 +984,39 @@ optional_policy(`
+@@ -836,20 +985,39 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5837,7 +5843,7 @@ index 1a82e29..ffff859 100644
  ')
  
  optional_policy(`
-@@ -857,19 +1024,35 @@ optional_policy(`
+@@ -857,19 +1025,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5873,7 +5879,7 @@ index 1a82e29..ffff859 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -877,65 +1060,170 @@ optional_policy(`
+@@ -877,65 +1061,170 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6066,7 +6072,7 @@ index 1a82e29..ffff859 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1232,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1233,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6221,7 +6227,7 @@ index 1a82e29..ffff859 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1316,104 @@ optional_policy(`
+@@ -1077,172 +1317,104 @@ optional_policy(`
  	')
  ')
  
@@ -6457,7 +6463,7 @@ index 1a82e29..ffff859 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1421,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1422,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6554,7 +6560,7 @@ index 1a82e29..ffff859 100644
  
  ########################################
  #
-@@ -1315,8 +1496,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1497,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6571,7 +6577,7 @@ index 1a82e29..ffff859 100644
  ')
  
  ########################################
-@@ -1324,49 +1512,36 @@ optional_policy(`
+@@ -1324,49 +1513,36 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6635,7 +6641,7 @@ index 1a82e29..ffff859 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1551,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1552,99 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -12297,7 +12303,7 @@ index 954309e..f4db2ca 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..ace40ae 100644
+index 6471fa8..b2709d1 100644
 --- a/collectd.te
 +++ b/collectd.te
 @@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
@@ -12357,7 +12363,16 @@ index 6471fa8..ace40ae 100644
  
  logging_send_syslog_msg(collectd_t)
  
-@@ -80,11 +90,17 @@ optional_policy(`
+@@ -75,16 +85,26 @@ tunable_policy(`collectd_tcp_network_connect',`
+ ')
+ 
+ optional_policy(`
++    netutils_domtrans_ping(collectd_t)
++')
++
++optional_policy(`
+ 	virt_read_config(collectd_t)
+ ')
  
  ########################################
  #
@@ -24110,7 +24125,7 @@ index d062080..97fb494 100644
  	ftp_run_ftpdctl($1, $2)
  ')
 diff --git a/ftp.te b/ftp.te
-index e50f33c..d9dca45 100644
+index e50f33c..6edd471 100644
 --- a/ftp.te
 +++ b/ftp.te
 @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -24140,7 +24155,7 @@ index e50f33c..d9dca45 100644
 +
 +## <desc>
 +## <p>
-+## Allow samba to export ntfs/fusefs volumes.
++## Allow ftpd to use ntfs/fusefs volumes.
 +## </p>
 +## </desc>
 +gen_tunable(ftpd_use_fusefs, false)
@@ -25003,10 +25018,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..6ceb963
+index 0000000..cbe51a9
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,160 @@
+@@ -0,0 +1,164 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +## <desc>
@@ -25065,7 +25080,8 @@ index 0000000..6ceb963
 +#
 +
 +allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid };
-+allow glusterd_t self:process { getcap setcap setrlimit signal };
++allow glusterd_t self:capability2 block_suspend;
++allow glusterd_t self:process { getcap setcap setrlimit signal_perms };
 +allow glusterd_t self:fifo_file rw_fifo_file_perms;
 +allow glusterd_t self:tcp_socket { accept listen };
 +allow glusterd_t self:unix_stream_socket { accept listen connectto };
@@ -25096,6 +25112,9 @@ index 0000000..6ceb963
 +can_exec(glusterd_t, glusterd_exec_t)
 +
 +kernel_read_system_state(glusterd_t)
++kernel_read_network_state(glusterd_t)
++kernel_read_net_sysctls(glusterd_t)
++kernel_request_load_module(glusterd_t)
 +
 +corecmd_exec_bin(glusterd_t)
 +corecmd_exec_shell(glusterd_t)
@@ -25447,10 +25466,10 @@ index e39de43..5818f74 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..26023f7 100644
+index d03fd43..567f963 100644
 --- a/gnome.if
 +++ b/gnome.if
-@@ -1,123 +1,154 @@
+@@ -1,123 +1,155 @@
 -## <summary>GNU network object model environment.</summary>
 +## <summary>GNU network object model environment (GNOME)</summary>
  
@@ -25641,6 +25660,7 @@ index d03fd43..26023f7 100644
 +
 +		optional_policy(`
 +			telepathy_mission_control_read_state($1_gkeyringd_t)
++            telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
 +		')
 +	')
 +')
@@ -25682,7 +25702,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -125,18 +156,18 @@ template(`gnome_role_template',`
+@@ -125,18 +157,18 @@ template(`gnome_role_template',`
  ##	</summary>
  ## </param>
  #
@@ -25706,7 +25726,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -144,119 +175,114 @@ interface(`gnome_exec_gconf',`
+@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -25863,7 +25883,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -264,15 +290,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -25890,7 +25910,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -280,57 +312,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -25998,7 +26018,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -338,15 +402,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -26022,7 +26042,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -354,22 +421,18 @@ interface(`gnome_manage_config',`
+@@ -354,22 +422,18 @@ interface(`gnome_manage_config',`
  ##	</summary>
  ## </param>
  #
@@ -26050,7 +26070,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -377,53 +440,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -26112,7 +26132,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -431,17 +478,18 @@ interface(`gnome_home_filetrans',`
+@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -26135,7 +26155,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -449,23 +497,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -449,23 +498,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -26163,7 +26183,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -473,82 +516,72 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -473,82 +517,72 @@ interface(`gnome_read_generic_gconf_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -26269,7 +26289,7 @@ index d03fd43..26023f7 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -557,52 +590,76 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -557,52 +591,76 @@ interface(`gnome_home_filetrans_gconf_home',`
  ##	</summary>
  ## </param>
  #
@@ -26367,7 +26387,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -610,93 +667,126 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -610,93 +668,126 @@ interface(`gnome_gconf_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -26528,7 +26548,7 @@ index d03fd43..26023f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -704,12 +794,811 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +795,811 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -31543,7 +31563,7 @@ index 182ab8b..8b1d9c2 100644
 +')
 +
 diff --git a/kdumpgui.te b/kdumpgui.te
-index e7f5c81..8ff6f51 100644
+index e7f5c81..1a8d69e 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
 @@ -1,4 +1,4 @@
@@ -31601,7 +31621,7 @@ index e7f5c81..8ff6f51 100644
  files_etc_filetrans_etc_runtime(kdumpgui_t, file)
 -files_read_usr_files(kdumpgui_t)
  
-+fs_read_dos_files(kdumpgui_t)
++fs_manage_dos_files(kdumpgui_t)
  fs_getattr_all_fs(kdumpgui_t)
  fs_list_hugetlbfs(kdumpgui_t)
 -fs_read_dos_files(kdumpgui_t)
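Review bot: The new `+fs_manage_dos_files(kdumpgui_t)` widens kdumpgui_t from read-only to full manage (create, write, delete) on DOS/vfat filesystems, and nothing in the hunk records why the write side is needed. vfat is typically where an EFI system partition lives, so this is a privilege increase worth making reviewable with a comment such as `# kdumpgui must write kdump configuration on the vfat EFI partition -- confirm`. If read access turns out to be enough, keeping `fs_read_dos_files(kdumpgui_t)` is the least-privilege choice. The rest of the kdumpgui_t rules are outside the hunk.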
@@ -33762,7 +33782,7 @@ index bc25c95..6692d91 100644
 +/var/run/slapd\.args    --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd\.pid     --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/ldap.if b/ldap.if
-index ee0c7cc..446c507 100644
+index ee0c7cc..c54e3d2 100644
 --- a/ldap.if
 +++ b/ldap.if
 @@ -1,8 +1,68 @@
@@ -33804,10 +33824,9 @@ index ee0c7cc..446c507 100644
 +
 +	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
 +')
- 
- ########################################
- ## <summary>
--##	List ldap database directories.
++
++########################################
++## <summary>
 +##	Execute slapd server in the slapd domain.
 +## </summary>
 +## <param name="domain">
@@ -33828,9 +33847,10 @@ index ee0c7cc..446c507 100644
 +
 +	ps_process_pattern($1, slapd_t)
 +')
-+
-+########################################
-+## <summary>
+ 
+ ########################################
+ ## <summary>
+-##	List ldap database directories.
 +##	Read the contents of the OpenLDAP
 +##	database directories.
  ## </summary>
@@ -33870,41 +33890,82 @@ index ee0c7cc..446c507 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -55,8 +133,7 @@ interface(`ldap_use',`
+@@ -41,22 +119,27 @@ interface(`ldap_read_config',`
+ 
+ ########################################
+ ## <summary>
+-##	Use LDAP over TCP connection.  (Deprecated)
++##	Read the OpenLDAP cert files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`ldap_use',`
+-	refpolicywarn(`$0($*) has been deprecated.')
++interface(`ldap_read_certs',`
++	gen_require(`
++		type slapd_cert_t;
++	')
++
++	files_search_etc($1)
++    read_files_pattern($1, slapd_cert_t, slapd_cert_t)
+ ')
  
  ########################################
  ## <summary>
 -##	Connect to slapd over an unix
 -##	stream socket.
-+##	Connect to slapd over an unix stream socket.
++##	Use LDAP over TCP connection.  (Deprecated)
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -75,29 +152,8 @@ interface(`ldap_stream_connect',`
+@@ -64,18 +147,13 @@ interface(`ldap_use',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`ldap_stream_connect',`
+-	gen_require(`
+-		type slapd_t, slapd_var_run_t;
+-	')
+-
+-	files_search_pids($1)
+-	stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
++interface(`ldap_use',`
++	refpolicywarn(`$0($*) has been deprecated.')
+ ')
  
  ########################################
  ## <summary>
 -## 	Connect to ldap over the network.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Connect to slapd over an unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`ldap_tcp_connect',`
--	gen_require(`
++interface(`ldap_stream_connect',`
+ 	gen_require(`
 -		type slapd_t;
--	')
--
++		type slapd_t, slapd_var_run_t;
+ 	')
+ 
 -	corenet_sendrecv_ldap_client_packets($1)
 -	corenet_tcp_connect_ldap_port($1)
 -	corenet_tcp_recvfrom_labeled($1, slapd_t)
 -	corenet_tcp_sendrecv_ldap_port($1)
--')
--
--########################################
--## <summary>
++	files_search_pids($1)
++	stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+ ')
+ 
+ ########################################
+ ## <summary>
 -##	All of the rules required to
 -##	administrate an ldap environment.
 +##	All of the rules required to administrate
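Review bot: The new `ldap_read_certs` body is indented inconsistently: `++    read_files_pattern($1, slapd_cert_t, slapd_cert_t)` uses four spaces while the line above it, `files_search_etc($1)`, and every other interface in this file use a tab. The same space-indented additions appear in the munin.te hunk (`rpc_search_nfs_state_data(disk_munin_plugin_t)`) and the openvpn.if hunk (`can_exec($1, openvpn_exec_t)`). Replacing the four spaces with a tab in each keeps the policy files uniform and avoids noisy whitespace diffs on the next rebase.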
@@ -33912,7 +33973,7 @@ index ee0c7cc..446c507 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -106,7 +162,7 @@ interface(`ldap_tcp_connect',`
+@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -33921,7 +33982,7 @@ index ee0c7cc..446c507 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -115,28 +171,28 @@ interface(`ldap_admin',`
+@@ -115,28 +191,28 @@ interface(`ldap_admin',`
  	gen_require(`
  		type slapd_t, slapd_tmp_t, slapd_replog_t;
  		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
@@ -33959,7 +34020,7 @@ index ee0c7cc..446c507 100644
  	admin_pattern($1, slapd_replog_t)
  
  	files_list_tmp($1)
-@@ -144,4 +200,8 @@ interface(`ldap_admin',`
+@@ -144,4 +220,8 @@ interface(`ldap_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, slapd_var_run_t)
@@ -36731,14 +36792,15 @@ index 4926208..293e577 100644
  
 -miscfiles_read_localization(memcached_t)
 diff --git a/milter.fc b/milter.fc
-index 89409eb..64ac6f0 100644
+index 89409eb..67e42f6 100644
 --- a/milter.fc
 +++ b/milter.fc
-@@ -1,18 +1,26 @@
+@@ -1,18 +1,29 @@
 +/etc/mail/dkim-milter/keys(/.*)?        gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 +
 +/usr/sbin/dkim-filter           --      gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 +/usr/sbin/opendkim      --  gen_context(system_u:object_r:dkim_milter_exec_t,s0)
++/usr/sbin/opendmarc     --  gen_context(system_u:object_r:dkim_milter_exec_t,s0)
  /usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 -/usr/sbin/sqlgrey	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 -/usr/sbin/milter-regex	--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
@@ -36756,6 +36818,7 @@ index 89409eb..64ac6f0 100644
  
 -/var/run/milter-greylist(/.*)?	gen_context(system_u:object_r:greylist_milter_data_t,s0)
 +/var/run/dkim-milter(/.*)?              gen_context(system_u:object_r:dkim_milter_data_t,s0)
++/var/run/opendmarc(/.*)?              gen_context(system_u:object_r:dkim_milter_data_t,s0)
 +/var/run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
  /var/run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
 -/var/run/spamass(/.*)?	gen_context(system_u:object_r:spamass_milter_data_t,s0)
@@ -36771,6 +36834,7 @@ index 89409eb..64ac6f0 100644
 +/var/spool/milter-regex(/.*)?		gen_context(system_u:object_r:regex_milter_data_t,s0)
  /var/spool/postfix/spamass(/.*)?	gen_context(system_u:object_r:spamass_milter_data_t,s0)
 +/var/spool/opendkim(/.*)?       gen_context(system_u:object_r:dkim_milter_data_t,s0)
++/var/spool/opendmarc(/.*)?       gen_context(system_u:object_r:dkim_milter_data_t,s0)
 diff --git a/milter.if b/milter.if
 index cba62db..562833a 100644
 --- a/milter.if
@@ -38048,7 +38112,7 @@ index 6ffaba2..154cade 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..f54f1e8 100644
+index 6194b80..97e35b2 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -1,146 +1,75 @@
@@ -38364,7 +38428,7 @@ index 6194b80..f54f1e8 100644
  ')
  
  ########################################
-@@ -303,102 +195,98 @@ interface(`mozilla_domtrans',`
+@@ -303,102 +195,99 @@ interface(`mozilla_domtrans',`
  		type mozilla_t, mozilla_exec_t;
  	')
  
@@ -38398,6 +38462,7 @@ index 6194b80..f54f1e8 100644
 +	domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
 +	allow mozilla_plugin_t $1:process signull;
 +	dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms;
++	dontaudit mozilla_plugin_t $1:process signal;
 +	allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
 +	allow $1 mozilla_plugin_t:fd use;
 +
@@ -38514,7 +38579,7 @@ index 6194b80..f54f1e8 100644
  ')
  
  ########################################
-@@ -424,8 +312,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +313,7 @@ interface(`mozilla_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -38524,7 +38589,7 @@ index 6194b80..f54f1e8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -433,76 +320,108 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +321,108 @@ interface(`mozilla_dbus_chat',`
  ##	</summary>
  ## </param>
  #
@@ -38662,7 +38727,7 @@ index 6194b80..f54f1e8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -510,19 +429,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +430,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -38687,7 +38752,7 @@ index 6194b80..f54f1e8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -530,45 +448,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +449,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -39842,7 +39907,7 @@ index 5fa77c7..2e01c7d 100644
  	domain_system_change_exemption($1)
  	role_transition $2 mpd_initrc_exec_t system_r;
 diff --git a/mpd.te b/mpd.te
-index 7c8afcc..97f2b6f 100644
+index 7c8afcc..2f41af9 100644
 --- a/mpd.te
 +++ b/mpd.te
 @@ -62,6 +62,9 @@ files_type(mpd_var_lib_t)
@@ -39905,6 +39970,15 @@ index 7c8afcc..97f2b6f 100644
  
  tunable_policy(`mpd_enable_homedirs',`
  	userdom_search_user_home_dirs(mpd_t)
+@@ -191,7 +202,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	pulseaudio_domtrans(mpd_t)
++	pulseaudio_exec(mpd_t)
+ ')
+ 
+ optional_policy(`
 @@ -199,6 +210,16 @@ optional_policy(`
  ')
  
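Review bot: Replacing `pulseaudio_domtrans(mpd_t)` with `pulseaudio_exec(mpd_t)` means a pulseaudio binary started by mpd now stays in mpd_t instead of transitioning to its own confined domain, so the audio server runs with mpd's permissions and mpd_t will accumulate whatever pulseaudio needs. The hunk gives no reason for dropping the transition; a comment such as `# pulseaudio is executed in mpd_t rather than transitioned -- reason: <fill in>` would make the loss of separation an explicit decision. If the transition was dropped only because something else denied it, keeping the domtrans and fixing that denial would preserve the confinement.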
@@ -42150,7 +42224,7 @@ index b744fe3..4c1b6a8 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index 97370e4..27d3100 100644
+index 97370e4..92138ca 100644
 --- a/munin.te
 +++ b/munin.te
 @@ -40,12 +40,15 @@ munin_plugin_template(services)
@@ -42250,7 +42324,13 @@ index 97370e4..27d3100 100644
  ')
  
  optional_policy(`
-@@ -246,17 +232,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
+@@ -242,21 +228,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+ 
+ rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+ 
++kernel_read_fs_sysctls(disk_munin_plugin_t)
++
+ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
  corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
  corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
  
@@ -42262,7 +42342,7 @@ index 97370e4..27d3100 100644
  dev_read_urand(disk_munin_plugin_t)
 -
 -files_read_etc_runtime_files(disk_munin_plugin_t)
-+dev_read_all_blk_files(munin_disk_plugin_t)
++dev_read_all_blk_files(disk_munin_plugin_t)
  
  fs_getattr_all_fs(disk_munin_plugin_t)
  fs_getattr_all_dirs(disk_munin_plugin_t)
@@ -42272,7 +42352,18 @@ index 97370e4..27d3100 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -275,27 +261,36 @@ optional_policy(`
+@@ -268,6 +256,10 @@ optional_policy(`
+ 	fstools_exec(disk_munin_plugin_t)
+ ')
+ 
++optional_policy(`
++    rpc_search_nfs_state_data(disk_munin_plugin_t)
++')
++
+ ####################################
+ #
+ # Mail local policy
+@@ -275,27 +267,36 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -42313,7 +42404,16 @@ index 97370e4..27d3100 100644
  ')
  
  optional_policy(`
-@@ -353,7 +348,11 @@ optional_policy(`
+@@ -331,7 +332,7 @@ dev_read_rand(services_munin_plugin_t)
+ sysnet_read_config(services_munin_plugin_t)
+ 
+ optional_policy(`
+-	bind_read_config(munin_services_plugin_t)
++	bind_read_config(services_munin_plugin_t)
+ ')
+ 
+ optional_policy(`
+@@ -353,7 +354,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42326,7 +42426,7 @@ index 97370e4..27d3100 100644
  ')
  
  optional_policy(`
-@@ -385,6 +384,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -385,6 +390,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -42334,7 +42434,7 @@ index 97370e4..27d3100 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +413,31 @@ optional_policy(`
+@@ -413,3 +419,31 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -44798,7 +44898,7 @@ index 0e8508c..0b68b86 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..c71f8e5 100644
+index 0b48a30..2de59df 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -44829,7 +44929,7 @@ index 0b48a30..c71f8e5 100644
  type NetworkManager_log_t;
  logging_log_file(NetworkManager_log_t)
  
-@@ -39,24 +42,42 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,25 +42,44 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
  # Local policy
  #
  
@@ -44874,14 +44974,16 @@ index 0b48a30..c71f8e5 100644
 +can_exec(NetworkManager_t, NetworkManager_exec_t)
 +#wicd
 +can_exec(NetworkManager_t, wpa_cli_exec_t)
-+
+ 
 +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
- 
++
++read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
-@@ -68,6 +89,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+ filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
+@@ -68,6 +90,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
  setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
  logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
  
@@ -44889,7 +44991,7 @@ index 0b48a30..c71f8e5 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,9 +103,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,9 +104,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
  files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
  
@@ -44899,7 +45001,7 @@ index 0b48a30..c71f8e5 100644
  kernel_read_system_state(NetworkManager_t)
  kernel_read_network_state(NetworkManager_t)
  kernel_read_kernel_sysctls(NetworkManager_t)
-@@ -91,7 +110,6 @@ kernel_request_load_module(NetworkManager_t)
+@@ -91,7 +111,6 @@ kernel_request_load_module(NetworkManager_t)
  kernel_read_debugfs(NetworkManager_t)
  kernel_rw_net_sysctls(NetworkManager_t)
  
@@ -44907,7 +45009,7 @@ index 0b48a30..c71f8e5 100644
  corenet_all_recvfrom_netlabel(NetworkManager_t)
  corenet_tcp_sendrecv_generic_if(NetworkManager_t)
  corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +120,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +121,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
  corenet_tcp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_bind_generic_node(NetworkManager_t)
@@ -44933,7 +45035,7 @@ index 0b48a30..c71f8e5 100644
  dev_rw_sysfs(NetworkManager_t)
  dev_read_rand(NetworkManager_t)
  dev_read_urand(NetworkManager_t)
-@@ -125,13 +136,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +137,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
  dev_getattr_all_chr_files(NetworkManager_t)
  dev_rw_wireless(NetworkManager_t)
  
@@ -44947,7 +45049,7 @@ index 0b48a30..c71f8e5 100644
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
  fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +144,17 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,6 +145,17 @@ mls_file_read_all_levels(NetworkManager_t)
  
  selinux_dontaudit_search_fs(NetworkManager_t)
  
@@ -44965,7 +45067,7 @@ index 0b48a30..c71f8e5 100644
  storage_getattr_fixed_disk_dev(NetworkManager_t)
  
  init_read_utmp(NetworkManager_t)
-@@ -148,10 +163,11 @@ init_domtrans_script(NetworkManager_t)
+@@ -148,10 +164,11 @@ init_domtrans_script(NetworkManager_t)
  
  auth_use_nsswitch(NetworkManager_t)
  
@@ -44978,7 +45080,7 @@ index 0b48a30..c71f8e5 100644
  
  seutil_read_config(NetworkManager_t)
  
-@@ -166,21 +182,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +183,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_state(NetworkManager_t)
  sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -45015,7 +45117,7 @@ index 0b48a30..c71f8e5 100644
  ')
  
  optional_policy(`
-@@ -196,10 +223,6 @@ optional_policy(`
+@@ -196,10 +224,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45026,7 +45128,7 @@ index 0b48a30..c71f8e5 100644
  	consoletype_exec(NetworkManager_t)
  ')
  
-@@ -210,16 +233,11 @@ optional_policy(`
+@@ -210,16 +234,11 @@ optional_policy(`
  optional_policy(`
  	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
  
@@ -45045,7 +45147,7 @@ index 0b48a30..c71f8e5 100644
  	')
  ')
  
-@@ -231,18 +249,19 @@ optional_policy(`
+@@ -231,18 +250,19 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -45068,7 +45170,7 @@ index 0b48a30..c71f8e5 100644
  ')
  
  optional_policy(`
-@@ -250,6 +269,10 @@ optional_policy(`
+@@ -250,6 +270,10 @@ optional_policy(`
  	ipsec_kill_mgmt(NetworkManager_t)
  	ipsec_signal_mgmt(NetworkManager_t)
  	ipsec_signull_mgmt(NetworkManager_t)
@@ -45079,7 +45181,7 @@ index 0b48a30..c71f8e5 100644
  ')
  
  optional_policy(`
-@@ -257,11 +280,10 @@ optional_policy(`
+@@ -257,11 +281,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45095,7 +45197,7 @@ index 0b48a30..c71f8e5 100644
  ')
  
  optional_policy(`
-@@ -274,10 +296,17 @@ optional_policy(`
+@@ -274,10 +297,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -45113,7 +45215,7 @@ index 0b48a30..c71f8e5 100644
  ')
  
  optional_policy(`
-@@ -289,6 +318,7 @@ optional_policy(`
+@@ -289,6 +319,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45121,7 +45223,7 @@ index 0b48a30..c71f8e5 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +326,7 @@ optional_policy(`
+@@ -296,7 +327,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45130,7 +45232,7 @@ index 0b48a30..c71f8e5 100644
  ')
  
  optional_policy(`
-@@ -307,6 +337,7 @@ optional_policy(`
+@@ -307,6 +338,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -45138,7 +45240,7 @@ index 0b48a30..c71f8e5 100644
  ')
  
  optional_policy(`
-@@ -320,13 +351,19 @@ optional_policy(`
+@@ -320,13 +352,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45162,7 +45264,7 @@ index 0b48a30..c71f8e5 100644
  ')
  
  optional_policy(`
-@@ -356,6 +393,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +394,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -51062,20 +51164,54 @@ index 0000000..c1eed44
 +	ssh_dontaudit_read_server_keys(openshift_cron_t)
 +')
 diff --git a/openvpn.fc b/openvpn.fc
-index 300213f..6f0d2e4 100644
+index 300213f..4cdfe09 100644
 --- a/openvpn.fc
 +++ b/openvpn.fc
-@@ -1,4 +1,5 @@
+@@ -1,10 +1,13 @@
  /etc/openvpn(/.*)?	gen_context(system_u:object_r:openvpn_etc_t,s0)
 +/etc/openvpn/scripts(/.*)?	gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0)
  /etc/openvpn/ipp\.txt	--	gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
  
  /etc/rc\.d/init\.d/openvpn	--	gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
+ 
+ /usr/sbin/openvpn	--	gen_context(system_u:object_r:openvpn_exec_t,s0)
+ 
++/var/lib/openvpn(/.*)?  gen_context(system_u:object_r:openvpn_var_lib_t,s0)
++
+ /var/log/openvpn-status\.log.*	--	gen_context(system_u:object_r:openvpn_status_t,s0)
+ /var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
+ 
 diff --git a/openvpn.if b/openvpn.if
-index 6837e9a..af8f9d0 100644
+index 6837e9a..21e6dae 100644
 --- a/openvpn.if
 +++ b/openvpn.if
-@@ -147,9 +147,13 @@ interface(`openvpn_admin',`
+@@ -23,6 +23,25 @@ interface(`openvpn_domtrans',`
+ ########################################
+ ## <summary>
+ ##	Execute openvpn clients in the
++##	caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`openvpn_exec',`
++	gen_require(`
++		type openvpn_exec_t;
++	')
++
++    can_exec($1, openvpn_exec_t)
++')
++
++########################################
++## <summary>
++##	Execute openvpn clients in the
+ ##	openvpn domain, and allow the
+ ##	specified role the openvpn domain.
+ ## </summary>
+@@ -147,9 +166,13 @@ interface(`openvpn_admin',`
  		type openvpn_status_t;
  	')
  
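Review bot: The parameter summary of the new `openvpn_exec` interface says `Domain allowed to transition.`, but the interface body is `can_exec($1, openvpn_exec_t)`, which executes openvpn in the caller's own domain with no transition, as the interface summary itself states. The line was evidently copied from the neighbouring `openvpn_run`/`openvpn_domtrans` blocks; the refpolicy wording for this case is `##	Domain allowed access.` (the same text used by `ldap_read_certs` in this patch). Fixing it avoids misleading anyone who reads the generated interface documentation.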
@@ -51091,7 +51227,7 @@ index 6837e9a..af8f9d0 100644
  	domain_system_change_exemption($1)
  	role_transition $2 openvpn_initrc_exec_t system_r;
 diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..8e252e4 100644
+index 3270ff9..8a6fbc2 100644
 --- a/openvpn.te
 +++ b/openvpn.te
 @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@@ -51108,7 +51244,7 @@ index 3270ff9..8e252e4 100644
  ##	<p>
  ##	Determine whether openvpn can
  ##	read generic user home content files.
-@@ -26,6 +33,9 @@ files_config_file(openvpn_etc_t)
+@@ -26,12 +33,18 @@ files_config_file(openvpn_etc_t)
  type openvpn_etc_rw_t;
  files_config_file(openvpn_etc_rw_t)
  
@@ -51118,7 +51254,16 @@ index 3270ff9..8e252e4 100644
  type openvpn_initrc_exec_t;
  init_script_file(openvpn_initrc_exec_t)
  
-@@ -43,7 +53,7 @@ files_pid_file(openvpn_var_run_t)
+ type openvpn_status_t;
+ logging_log_file(openvpn_status_t)
+ 
++type openvpn_var_lib_t;
++files_type(openvpn_var_lib_t)
++
+ type openvpn_var_log_t;
+ logging_log_file(openvpn_var_log_t)
+ 
+@@ -43,7 +56,7 @@ files_pid_file(openvpn_var_run_t)
  # Local policy
  #
  
@@ -51127,17 +51272,20 @@ index 3270ff9..8e252e4 100644
  allow openvpn_t self:process { signal getsched setsched };
  allow openvpn_t self:fifo_file rw_fifo_file_perms;
  allow openvpn_t self:unix_dgram_socket sendto;
-@@ -62,6 +72,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -62,6 +75,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
  allow openvpn_t openvpn_status_t:file manage_file_perms;
  logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
  
 +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
 +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
 +
++manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
++files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
++
  manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
  append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
  create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-@@ -83,7 +96,6 @@ kernel_request_load_module(openvpn_t)
+@@ -83,7 +102,6 @@ kernel_request_load_module(openvpn_t)
  corecmd_exec_bin(openvpn_t)
  corecmd_exec_shell(openvpn_t)
  
@@ -51145,7 +51293,7 @@ index 3270ff9..8e252e4 100644
  corenet_all_recvfrom_netlabel(openvpn_t)
  corenet_tcp_sendrecv_generic_if(openvpn_t)
  corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -105,11 +117,12 @@ corenet_tcp_bind_http_port(openvpn_t)
+@@ -105,11 +123,12 @@ corenet_tcp_bind_http_port(openvpn_t)
  corenet_sendrecv_http_client_packets(openvpn_t)
  corenet_tcp_connect_http_port(openvpn_t)
  corenet_tcp_sendrecv_http_port(openvpn_t)
@@ -51159,7 +51307,7 @@ index 3270ff9..8e252e4 100644
  corenet_rw_tun_tap_dev(openvpn_t)
  
  dev_read_rand(openvpn_t)
-@@ -121,18 +134,24 @@ fs_search_auto_mountpoints(openvpn_t)
+@@ -121,18 +140,24 @@ fs_search_auto_mountpoints(openvpn_t)
  
  auth_use_pam(openvpn_t)
  
@@ -51187,7 +51335,7 @@ index 3270ff9..8e252e4 100644
  ')
  
  tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -155,3 +174,27 @@ optional_policy(`
+@@ -155,3 +180,27 @@ optional_policy(`
  		networkmanager_dbus_chat(openvpn_t)
  	')
  ')
@@ -57268,7 +57416,7 @@ index 2e23946..589bbf2 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..5acf87c 100644
+index 191a66f..cddce7d 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,4 +1,4 @@
@@ -57357,7 +57505,7 @@ index 191a66f..5acf87c 100644
  type postfix_data_t;
  files_type(postfix_data_t)
  
-@@ -102,160 +102,64 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -102,160 +102,61 @@ mta_mailserver_delivery(postfix_virtual_t)
  
  ########################################
  #
@@ -57521,19 +57669,19 @@ index 191a66f..5acf87c 100644
 -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
 -setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
- 
+-
 -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
- delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
- rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
- setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
--
+ 
 -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
 -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
 -
 -can_exec(postfix_master_t, postfix_exec_t)
++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  
 -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
 -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
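Review bot: `manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` replaces the removed delete/rename/rw/setattr lines, but it grants only rw_dir_perms on the maildrop directory, so the directory `setattr` that `setattr_dirs_pattern(...)` provided is lost unless another rule grants it. At the same time the file side widens from targeted read/write/delete/rename to full manage_file_perms (create, link, unlink), which is more than the old rules allowed. If directory setattr is still required, keep `setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` alongside the new line, and note in a comment why full manage on files is needed. The remaining postfix_master_t rules continue outside the hunk.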
@@ -57543,7 +57691,7 @@ index 191a66f..5acf87c 100644
  corenet_all_recvfrom_netlabel(postfix_master_t)
  corenet_tcp_sendrecv_generic_if(postfix_master_t)
  corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,50 +167,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,50 +164,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
  corenet_udp_sendrecv_generic_node(postfix_master_t)
  corenet_tcp_sendrecv_all_ports(postfix_master_t)
  corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -57612,7 +57760,7 @@ index 191a66f..5acf87c 100644
  optional_policy(`
  	cyrus_stream_connect(postfix_master_t)
  ')
-@@ -316,14 +214,11 @@ optional_policy(`
+@@ -316,14 +211,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57628,7 +57776,7 @@ index 191a66f..5acf87c 100644
  	postgrey_search_spool(postfix_master_t)
  ')
  
-@@ -333,12 +228,14 @@ optional_policy(`
+@@ -333,12 +225,14 @@ optional_policy(`
  
  ########################################
  #
@@ -57645,7 +57793,7 @@ index 191a66f..5acf87c 100644
  
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,37 +252,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,37 +249,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
  
  ########################################
  #
@@ -57692,7 +57840,7 @@ index 191a66f..5acf87c 100644
  
  optional_policy(`
  	mailman_read_data_files(postfix_cleanup_t)
-@@ -393,36 +287,50 @@ optional_policy(`
+@@ -393,36 +284,50 @@ optional_policy(`
  
  ########################################
  #
@@ -57752,7 +57900,7 @@ index 191a66f..5acf87c 100644
  ')
  
  optional_policy(`
-@@ -434,6 +342,7 @@ optional_policy(`
+@@ -434,6 +339,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57760,7 +57908,7 @@ index 191a66f..5acf87c 100644
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
  	mailman_read_log(postfix_local_t)
-@@ -444,6 +353,10 @@ optional_policy(`
+@@ -444,6 +350,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57771,7 +57919,7 @@ index 191a66f..5acf87c 100644
  	procmail_domtrans(postfix_local_t)
  ')
  
-@@ -458,15 +371,17 @@ optional_policy(`
+@@ -458,15 +368,17 @@ optional_policy(`
  
  ########################################
  #
@@ -57795,7 +57943,7 @@ index 191a66f..5acf87c 100644
  
  manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
  manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +391,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -57815,7 +57963,7 @@ index 191a66f..5acf87c 100644
  
  corecmd_list_bin(postfix_map_t)
  corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +408,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t)
  corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
@@ -57823,7 +57971,7 @@ index 191a66f..5acf87c 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -500,21 +415,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t)
  
  logging_send_syslog_msg(postfix_map_t)
  
@@ -57849,7 +57997,7 @@ index 191a66f..5acf87c 100644
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +440,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +437,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  
@@ -57869,7 +58017,7 @@ index 191a66f..5acf87c 100644
  #
  
  allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +491,26 @@ optional_policy(`
+@@ -576,19 +488,26 @@ optional_policy(`
  
  ########################################
  #
@@ -57901,7 +58049,7 @@ index 191a66f..5acf87c 100644
  
  term_dontaudit_use_all_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +525,7 @@ optional_policy(`
+@@ -603,10 +522,7 @@ optional_policy(`
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -57913,7 +58061,7 @@ index 191a66f..5acf87c 100644
  optional_policy(`
  	fstools_read_pipes(postfix_postdrop_t)
  ')
-@@ -621,17 +540,24 @@ optional_policy(`
+@@ -621,17 +537,24 @@ optional_policy(`
  
  #######################################
  #
@@ -57941,7 +58089,7 @@ index 191a66f..5acf87c 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +573,77 @@ optional_policy(`
+@@ -647,67 +570,77 @@ optional_policy(`
  
  ########################################
  #
@@ -58037,7 +58185,7 @@ index 191a66f..5acf87c 100644
  ')
  
  optional_policy(`
-@@ -720,29 +656,30 @@ optional_policy(`
+@@ -720,29 +653,30 @@ optional_policy(`
  
  ########################################
  #
@@ -58076,7 +58224,7 @@ index 191a66f..5acf87c 100644
  optional_policy(`
  	dovecot_stream_connect_auth(postfix_smtpd_t)
  	dovecot_stream_connect(postfix_smtpd_t)
-@@ -754,6 +691,7 @@ optional_policy(`
+@@ -754,6 +688,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -58084,7 +58232,7 @@ index 191a66f..5acf87c 100644
  ')
  
  optional_policy(`
-@@ -764,31 +702,99 @@ optional_policy(`
+@@ -764,31 +699,99 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -65760,7 +65908,7 @@ index 951db7f..7736755 100644
 +	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..f60c494 100644
+index 2c1730b..1e9ad6b 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t;
@@ -65812,7 +65960,7 @@ index 2c1730b..f60c494 100644
  
  corecmd_exec_bin(mdadm_t)
  corecmd_exec_shell(mdadm_t)
-@@ -49,19 +63,25 @@ corecmd_exec_shell(mdadm_t)
+@@ -49,19 +63,26 @@ corecmd_exec_shell(mdadm_t)
  dev_rw_sysfs(mdadm_t)
  dev_dontaudit_getattr_all_blk_files(mdadm_t)
  dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -65823,6 +65971,7 @@ index 2c1730b..f60c494 100644
 +dev_read_kvm(mdadm_t)
 +dev_read_nvram(mdadm_t)
 +dev_read_generic_files(mdadm_t)
++dev_read_generic_usb_dev(mdadm_t)
  
 +domain_read_all_domains_state(mdadm_t)
  domain_use_interactive_fds(mdadm_t)
@@ -65840,7 +65989,7 @@ index 2c1730b..f60c494 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +90,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +91,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
@@ -65861,7 +66010,7 @@ index 2c1730b..f60c494 100644
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -97,9 +121,17 @@ optional_policy(`
+@@ -97,9 +122,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67533,10 +67682,10 @@ index b418d1c..1ad9c12 100644
  	xen_domtrans_xm(rgmanager_t)
  ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..347ddf7 100644
+index 47de2d6..98a4280 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,80 @@
+@@ -1,31 +1,85 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -67607,6 +67756,7 @@ index 47de2d6..347ddf7 100644
 +
 +/usr/lib/systemd/system/corosync.*  -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
 +/usr/lib/systemd/system/pacemaker.* --  gen_context(system_u:object_r:cluster_unit_file_t,s0)
++/usr/lib/systemd/system/pcsd.*      --  gen_context(system_u:object_r:cluster_unit_file_t,s0)
 +
 +/usr/sbin/aisexec   		--  gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/corosync  		--  gen_context(system_u:object_r:cluster_exec_t,s0)
@@ -67618,12 +67768,15 @@ index 47de2d6..347ddf7 100644
 +/usr/sbin/rgmanager         --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/pacemakerd    	--  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
++/usr/lib/pcsd/pcsd          --  gen_context(system_u:object_r:cluster_exec_t,s0)
++
 +/usr/lib/heartbeat(/.*)?			gen_context(system_u:object_r:cluster_var_lib_t,s0)
 +/usr/lib/heartbeat/heartbeat   -- 	gen_context(system_u:object_r:cluster_exec_t,s0)
 +/var/lib/heartbeat(/.*)?			gen_context(system_u:object_r:cluster_var_lib_t,s0)
 +/var/lib/corosync(/.*)? 			gen_context(system_u:object_r:cluster_var_lib_t,s0)
 +/var/lib/openais(/.*)?  			gen_context(system_u:object_r:cluster_var_lib_t,s0)
 +/var/lib/pacemaker(/.*)?			gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/pcsd(/.*)?                 gen_context(system_u:object_r:cluster_var_lib_t,s0)
 +/var/lib/pengine(/.*)?				gen_context(system_u:object_r:cluster_var_lib_t,s0)
 +
 +/var/run/aisexec.*  				gen_context(system_u:object_r:cluster_var_run_t,s0)
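Review bot: Labeling `/usr/lib/pcsd/pcsd` as cluster_exec_t puts the pcs daemon into the same cluster_t domain as corosync and pacemaker, so every permission that domain holds is reachable from the configuration tool's code path, and nothing in the hunk records that this was a deliberate choice. The commit describes pcs as a configuration tool; if pcsd also listens for remote requests (I believe it exposes its own service interface, to be confirmed), a dedicated domain with a narrower ruleset would be the least-privilege option, or failing that the shared-domain decision should be written down. A comment above the line such as `# pcsd intentionally shares cluster_t with corosync/pacemaker (TODO: confirm a narrower domain is not feasible)` would do that.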
@@ -67640,6 +67793,7 @@ index 47de2d6..347ddf7 100644
 +/var/log/cluster/cpglockd\.log.*        --      gen_context(system_u:object_r:cluster_var_log_t,s0)
 +/var/log/cluster/corosync\.log.*    --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 +/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/pcsd(/.*)?     gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
 index 56bc01f..4699b1b 100644
 --- a/rhcs.if
@@ -68347,7 +68501,7 @@ index 56bc01f..4699b1b 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..2a210ef 100644
+index 2c2de9a..a4a6d82 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -68736,6 +68890,15 @@ index 2c2de9a..2a210ef 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
+@@ -182,7 +461,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	corosync_exec(fenced_t)
++    rhcs_exec_cluster(fenced_t)
+ ')
+ 
+ optional_policy(`
 @@ -190,10 +469,6 @@ optional_policy(`
  ')
  
@@ -68761,12 +68924,15 @@ index 2c2de9a..2a210ef 100644
  #######################################
  #
  # foghorn local policy
-@@ -223,14 +505,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -221,16 +503,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+ corenet_tcp_connect_agentx_port(foghorn_t)
+ corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
++corenet_tcp_connect_snmp_port(foghorn_t)
++
  dev_read_urand(foghorn_t)
  
 -files_read_usr_files(foghorn_t)
-+
 +logging_send_syslog_msg(foghorn_t)
  
  optional_policy(`
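Review bot: The added `corenet_tcp_connect_snmp_port(foghorn_t)` is not paired with sendrecv and packet rules, whereas the agentx lines directly above it follow the file's usual triple of `corenet_sendrecv_agentx_client_packets`, `corenet_tcp_connect_agentx_port` and `corenet_tcp_sendrecv_agentx_port`. If no other rule in the foghorn section grants sendrecv on the snmp port, the connect alone may still leave the actual traffic denied. For consistency with the lines above, add `corenet_sendrecv_snmp_client_packets(foghorn_t)` and `corenet_tcp_sendrecv_snmp_port(foghorn_t)` next to the connect rule. The foghorn section continues outside the hunk.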
@@ -68775,7 +68941,6 @@ index 2c2de9a..2a210ef 100644
  
  optional_policy(`
 -	snmp_read_snmp_var_lib_files(foghorn_t)
-+    #snmp_manage_var_lib_dirs(foghorn_t)
 +    snmp_manage_var_lib_files(foghorn_t)
  	snmp_stream_connect(foghorn_t)
  ')
@@ -68789,7 +68954,7 @@ index 2c2de9a..2a210ef 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +561,36 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +561,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -68823,12 +68988,15 @@ index 2c2de9a..2a210ef 100644
 +corenet_tcp_connect_commplex_main_port(haproxy_t)
 +corenet_tcp_bind_commplex_main_port(haproxy_t)
 +
++corenet_tcp_connect_fmpro_internal_port(haproxy_t)
++corenet_tcp_connect_rtp_media_port(haproxy_t)
++
 +sysnet_dns_name_resolve(haproxy_t)
 +
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +633,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +636,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -77050,7 +77218,7 @@ index 98c9e0a..df51942 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 4a23d84..49c7362 100644
+index 4a23d84..d90604c 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3)
@@ -77080,7 +77248,7 @@ index 4a23d84..49c7362 100644
  corenet_tcp_sendrecv_generic_if(sblim_domain)
  corenet_tcp_sendrecv_generic_node(sblim_domain)
  
-@@ -44,19 +37,13 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
+@@ -44,19 +37,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
  
  dev_read_sysfs(sblim_domain)
  
@@ -77089,7 +77257,8 @@ index 4a23d84..49c7362 100644
 -files_read_etc_files(sblim_domain)
 -
 -miscfiles_read_localization(sblim_domain)
--
++auth_read_passwd(sblim_domain)
+ 
  ########################################
  #
  # Gatherd local policy
@@ -77102,7 +77271,7 @@ index 4a23d84..49c7362 100644
  allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
  allow sblim_gatherd_t self:unix_stream_socket { accept listen };
  
-@@ -84,6 +71,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
+@@ -84,6 +73,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
  
  init_read_utmp(sblim_gatherd_t)
  
@@ -77111,7 +77280,7 @@ index 4a23d84..49c7362 100644
  sysnet_dns_name_resolve(sblim_gatherd_t)
  
  term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +92,9 @@ optional_policy(`
+@@ -103,8 +94,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77122,8 +77291,12 @@ index 4a23d84..49c7362 100644
  ')
  
  optional_policy(`
-@@ -119,4 +109,6 @@ optional_policy(`
+@@ -117,6 +109,10 @@ optional_policy(`
+ # Reposd local policy
+ #
  
++corenet_tcp_bind_generic_node(sblim_reposd_t)
++
  corenet_sendrecv_repository_server_packets(sblim_reposd_t)
  corenet_tcp_bind_repository_port(sblim_reposd_t)
 -corenet_tcp_bind_generic_node(sblim_domain)
@@ -79292,13 +79465,15 @@ index ca32e89..98278dd 100644
 +
  ')
 diff --git a/slpd.te b/slpd.te
-index 66ac42a..f28fadc 100644
+index 66ac42a..1a4c952 100644
 --- a/slpd.te
 +++ b/slpd.te
-@@ -50,6 +50,8 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
+@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
  corenet_tcp_bind_svrloc_port(slpd_t)
  corenet_udp_bind_svrloc_port(slpd_t)
  
++corenet_udp_bind_dhcpc_port(slpd_t)
++
 +dev_read_urand(slpd_t)
 +
  auth_use_nsswitch(slpd_t)
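Review bot: `corenet_udp_bind_dhcpc_port(slpd_t)` lets a service-location daemon bind the DHCP client port, which is unusual enough that the next reader will wonder whether it was a misattributed denial; presumably it serves DHCP-based directory-agent discovery (the SLP DHCP options), but that is not stated anywhere in the hunk. A why-comment above the line, e.g. `# slpd binds the DHCP client port for DHCP-based DA discovery -- TODO confirm against the originating denial`, would document the reason and make it easy to drop the rule if that feature is not used. The slpd_t section continues outside the hunk.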
@@ -82329,7 +82504,7 @@ index a240455..54c5c1f 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 8b537aa..eaa7a83 100644
+index 8b537aa..e9632c3 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -1,4 +1,4 @@
@@ -82418,7 +82593,7 @@ index 8b537aa..eaa7a83 100644
  auth_domtrans_chk_passwd(sssd_t)
  auth_domtrans_upd_passwd(sssd_t)
  auth_manage_cache(sssd_t)
-@@ -112,18 +105,30 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +105,31 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -82448,6 +82623,7 @@ index 8b537aa..eaa7a83 100644
 +
 +optional_policy(`
 +	ldap_stream_connect(sssd_t)
++    ldap_read_certs(sssd_t)
 +')
 +
 +userdom_home_reader(sssd_t)
@@ -83618,7 +83794,7 @@ index c7de0cf..9813503 100644
 +/usr/libexec/telepathy-stream-engine	--	gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
 +/usr/libexec/telepathy-sunshine		--	gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
 diff --git a/telepathy.if b/telepathy.if
-index 42946bc..95a9aa3 100644
+index 42946bc..3d30062 100644
 --- a/telepathy.if
 +++ b/telepathy.if
 @@ -2,45 +2,39 @@
@@ -83698,7 +83874,7 @@ index 42946bc..95a9aa3 100644
  		type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
  		type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
  		type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
-@@ -63,91 +62,61 @@ template(`telepathy_role_template',`
+@@ -63,91 +62,79 @@ template(`telepathy_role_template',`
  		type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
  		type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
  		type telepathy_msn_exec_t;
@@ -83712,11 +83888,14 @@ index 42946bc..95a9aa3 100644
 -
 -	allow $3 telepathy_domain:process { ptrace signal_perms };
 -	ps_process_pattern($3, telepathy_domain)
--
++	role $1 types telepathy_domain;
+ 
 -	telepathy_gabble_stream_connect($3)
 -	telepathy_msn_stream_connect($3)
 -	telepathy_salut_stream_connect($3)
--
++	allow $2 telepathy_domain:process signal_perms;
++	ps_process_pattern($2, telepathy_domain)
+ 
 -	dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
 -	dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
 -	dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
@@ -83726,30 +83905,13 @@ index 42946bc..95a9aa3 100644
 -	dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t)
 -	dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
 -	dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t)
--
--	allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
--	allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
--	allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
--
--	allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms };
--	allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms };
--	allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms };
-+	role $1 types telepathy_domain;
- 
--	filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
--	# gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
-+	allow $2 telepathy_domain:process signal_perms;
-+	ps_process_pattern($2, telepathy_domain)
- 
--	filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
--	# gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
 +	telepathy_gabble_stream_connect($2)
 +	telepathy_msn_stream_connect($2)
 +	telepathy_salut_stream_connect($2)
  
--	userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
--	filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
--	# gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+-	allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
+-	allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+-	allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
 +	dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
 +	dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
 +	dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
@@ -83760,6 +83922,20 @@ index 42946bc..95a9aa3 100644
 +	dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
 +	dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
  
+-	allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms };
+-	allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms };
+-	allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms };
+-
+-	filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
+-	# gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
+-
+-	filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+-	# gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
+-
+-	userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
+-	filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+-	# gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+-
 -	userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
 -
 -	# gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy")
@@ -83799,8 +83975,7 @@ index 42946bc..95a9aa3 100644
  ## <summary>
 -##	Send dbus messages to and from
 -##	gabble.
-+##	Send DBus messages to and from
-+##	Telepathy Gabble.
++##	Allow Telepathy Gabble to stream connect to a domain.
  ## </summary>
  ## <param name="domain">
 -##	<summary>
@@ -83810,11 +83985,30 @@ index 42946bc..95a9aa3 100644
  ## </param>
  #
 -interface(`telepathy_gabble_dbus_chat',`
++interface(`telepathy_gabble_stream_connect_to', `
++	gen_require(`
++		type telepathy_gabble_t;
++	')
++
++	stream_connect_pattern(telepathy_gabble_t, $2, $2, $1)
++')
++
++########################################
++## <summary>
++##	Send DBus messages to and from
++##	Telepathy Gabble.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`telepathy_gabble_dbus_chat', `
  	gen_require(`
  		type telepathy_gabble_t;
  		class dbus send_msg;
-@@ -159,10 +128,10 @@ interface(`telepathy_gabble_dbus_chat',`
+@@ -159,10 +146,10 @@ interface(`telepathy_gabble_dbus_chat',`
  
  ########################################
  ## <summary>
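Review bot: The new `telepathy_gabble_stream_connect_to` interface uses two arguments — `stream_connect_pattern(telepathy_gabble_t, $2, $2, $1)` — but the XML block above it (whose summary the preceding hunk rewrites to "Allow Telepathy Gabble to stream connect to a domain.") only documents a single `domain` parameter, so the socket-file type expected as `$2` is undocumented and the summary does not say that `$1` is the domain Gabble connects to. Add a second `<param name="sock_type">` block stating that it is the type of the socket file Gabble connects to, and adjust the summary to say Gabble is the client of the given domain's socket. The call-site semantics should be confirmed against the callers of this interface, which are outside the hunk.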
@@ -83827,7 +84021,7 @@ index 42946bc..95a9aa3 100644
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
-@@ -173,15 +142,12 @@ interface(`telepathy_mission_control_read_state',`
+@@ -173,15 +160,12 @@ interface(`telepathy_mission_control_read_state',`
  	')
  
  	kernel_search_proc($1)
@@ -83845,7 +84039,7 @@ index 42946bc..95a9aa3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -189,19 +155,18 @@ interface(`telepathy_mission_control_read_state',`
+@@ -189,19 +173,18 @@ interface(`telepathy_mission_control_read_state',`
  ##	</summary>
  ## </param>
  #
@@ -83868,7 +84062,7 @@ index 42946bc..95a9aa3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -209,11 +174,138 @@ interface(`telepathy_msn_stream_connect',`
+@@ -209,11 +192,138 @@ interface(`telepathy_msn_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -85712,7 +85906,7 @@ index 67ca5c5..a1ef2d2 100644
  
  fs_search_auto_mountpoints(timidity_t)
 diff --git a/tmpreaper.te b/tmpreaper.te
-index a4a949c..e56b59e 100644
+index a4a949c..9ae28c6 100644
 --- a/tmpreaper.te
 +++ b/tmpreaper.te
 @@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3)
@@ -85780,13 +85974,12 @@ index a4a949c..e56b59e 100644
  	apache_list_cache(tmpreaper_t)
  	apache_delete_cache_dirs(tmpreaper_t)
  	apache_delete_cache_files(tmpreaper_t)
-@@ -69,7 +78,20 @@ optional_policy(`
+@@ -69,7 +78,19 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	lpd_manage_spool(tmpreaper_t)
-+    lpd_list_spool(tmpreaper_t)
-+    lpd_read_spool(tmpreaper_t)
++    lpd_manage_spool(tmpreaper_t)
 +')
 +
 +optional_policy(`
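Review bot: The replacement line `lpd_manage_spool(tmpreaper_t)` is identical to the upstream line the inner hunk removes except for a four-space indent in place of the original tab, so the net effect of this inner change is now to re-indent one line; the cleaner fix is to drop the inner `-`/`+` pair and let the upstream line stand. Going from the previous list/read pair back to the full manage set is a permission widening; if it is there so tmpreaper can delete stale spool files, a one-line comment saying so would keep the next reviewer from narrowing it again. The enclosing optional_policy block continues outside the hunk.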
@@ -89960,7 +90153,7 @@ index 9dec06c..378880d 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..a8d17af 100644
+index 1f22fba..6b715d6 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,97 @@
@@ -91327,7 +91520,7 @@ index 1f22fba..a8d17af 100644
  
  term_use_generic_ptys(virtd_lxc_t)
  term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1041,40 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1041,39 @@ auth_use_nsswitch(virtd_lxc_t)
  
  logging_send_syslog_msg(virtd_lxc_t)
  
@@ -91370,13 +91563,12 @@ index 1f22fba..a8d17af 100644
 -
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
 +allow svirt_lxc_domain self:key manage_key_perms;
-+allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid setrlimit };
++allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid setrlimit };
  allow svirt_lxc_domain self:fifo_file manage_file_perms;
  allow svirt_lxc_domain self:sem create_sem_perms;
  allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1082,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
  allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
  allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
  
@@ -91403,7 +91595,7 @@ index 1f22fba..a8d17af 100644
  
  manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1100,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91423,7 +91615,7 @@ index 1f22fba..a8d17af 100644
  kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
  
  corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1119,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
  files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
  files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
  files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -91450,7 +91642,7 @@ index 1f22fba..a8d17af 100644
  auth_dontaudit_read_login_records(svirt_lxc_domain)
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1144,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1143,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
  
  libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
  
@@ -91496,11 +91688,12 @@ index 1f22fba..a8d17af 100644
 +virt_lxc_domain_template(svirt_lxc_net)
  
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
  dontaudit svirt_lxc_net_t self:capability2 block_suspend;
 -allow svirt_lxc_net_t self:process setrlimit;
 -allow svirt_lxc_net_t self:tcp_socket { accept listen };
 -allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
++allow svirt_lxc_net_t self:process { execstack execmem };
 +allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 +allow svirt_lxc_net_t self:udp_socket create_socket_perms;
 +allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
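Review bot: The consolidated capability line for svirt_lxc_net_t now carries kill, setuid, setgid, sys_boot, ipc_lock and sys_chroot alongside the pre-existing sys_admin, sys_ptrace and net_admin, and the new `allow svirt_lxc_net_t self:process { execstack execmem };` restores the process controls removed from the svirt_lxc_domain attribute in the earlier virt.te hunk, with nothing in the .te explaining the split. A comment grouping the capabilities by purpose — container init (kill setuid setgid sys_chroot sys_boot), networking (net_raw net_admin net_bind_service) and the broad ones (sys_admin sys_ptrace) — would let a later reviewer narrow them without re-deriving each from denials. If svirt_lxc_net_t is the domain libvirt-lxc containers usually run in (to be confirmed for this policy), the tightening mainly benefits other domains built from the template, and the comment should say so. The svirt_lxc_net_t section continues outside the hunk.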
@@ -95065,7 +95258,7 @@ index 3416401..ef64e73 100644
  	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/zebra.te b/zebra.te
-index b0803c2..13da3cf 100644
+index b0803c2..f1fa5f7 100644
 --- a/zebra.te
 +++ b/zebra.te
 @@ -1,4 +1,4 @@
@@ -95140,7 +95333,7 @@ index b0803c2..13da3cf 100644
  corenet_all_recvfrom_netlabel(zebra_t)
  corenet_tcp_sendrecv_generic_if(zebra_t)
  corenet_udp_sendrecv_generic_if(zebra_t)
-@@ -79,48 +78,42 @@ corenet_raw_sendrecv_generic_if(zebra_t)
+@@ -79,48 +78,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
  corenet_tcp_sendrecv_generic_node(zebra_t)
  corenet_udp_sendrecv_generic_node(zebra_t)
  corenet_raw_sendrecv_generic_node(zebra_t)
@@ -95167,6 +95360,8 @@ index b0803c2..13da3cf 100644
  
  dev_associate_usbfs(zebra_var_run_t)
  dev_list_all_dev_nodes(zebra_t)
++dev_read_rand(zebra_t)
++dev_read_urand(zebra_t)
  dev_read_sysfs(zebra_t)
  dev_rw_zero(zebra_t)
  
@@ -95201,7 +95396,7 @@ index b0803c2..13da3cf 100644
  	manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
  ')
  
-@@ -139,3 +132,7 @@ optional_policy(`
+@@ -139,3 +134,7 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(zebra_t)
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4118406..100ca13 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 65%{?dist}
+Release: 66%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,42 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jul 24 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-66
+- Allow systemd-tmpfile to handle tmp content in print spool dir
+- Allow systemd-sysctl to send system log messages
+- Add support for RTP media ports and fmpro-internal
+- Make auditd working if audit is configured to perform SINGLE action on disk error
+- Add interfaces to handle systemd units
+- Make systemd-notify working if pcsd is used
+- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t
+- Instead of having all unconfined domains get all of the named transition rules,
+- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.
+- Add definition for the salt ports
+- Allow xdm_t to create link files in xdm_var_run_t
+- Dontaudit reads of blk files or chr files leaked into ldconfig_t
+- Allow sys_chroot for useradd_t
+- Allow net_raw cap for ipsec_t
+- Allow sysadm_t to reload services
+- Add additional fixes to make strongswan working with a simple conf
+- Allow sysadm_t to enable/disable init_t services
+- Add additional glusterd perms
+- Allow apache to read lnk files in the /mnt directory
+- Allow glusterd to ask the kernel to load a module
+- Fix description of ftpd_use_fusefs boolean
+- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t
+- Allow glusterds to request load a kernel module
+- Allow boinc to stream connect to xserver_t
+- Allow sblim domains to read /etc/passwd
+- Allow mdadm to read usb devices
+- Allow collectd to use ping plugin
+- Make foghorn working with SNMP
+- Allow sssd to read ldap certs
+- Allow haproxy to connect to RTP media ports
+- Add additional trans rules for aide_db
+- Add labeling for /usr/lib/pcsd/pcsd
+- Add labeling for /var/log/pcsd
+- Add support for pcs which is a corosync and pacemaker configuration tool
+
 * Tue Jul 16 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-65
 - Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
 - Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1

