[selinux-policy/f18] - Allow ssh_t to use /dev/ptmx - Allow syslogd to search psad lib files - Label umount.crypt as lvm_

Lukas Vrabec lvrabec at fedoraproject.org
Thu Aug 29 20:32:21 UTC 2013


commit 3453dcd1c5e66167b949d0b5099268e4784848a3
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Thu Aug 29 22:29:09 2013 +0200

    - Allow ssh_t to use /dev/ptmx
    - Allow syslogd to search psad lib files
    - Label umount.crypt as lvm_exec_t
    - Add support for .Xauthority-n
    - activate labeling for /usr/lib/libmpg123 as textrel_shlib_t
    - Add interface corenet_relabel_tun_tap_dev
    - Add interface dev_rw_vfio_dev
    - Add userdom_relabel_user_tmp_files interface
    - Add userdom_setattr_user_tmp_files interface
    - Add setrans_manage_pid_files interface
    - Add userdom_dontaudit_append_inherited_admin_home_file interface
    - Rename userdom_dontaudit_append_inherited_admin_home_files to
      userdom_dontaudit_append_inherited_admin_home_file
    - Add userdom_dontaudit_read_inherited_admin_home_file to userdom.if
    - Allow dovecot_domain to read all system and network state
    - Allow abrt domain to write abrt.socket
    - Add psad_search_lib_files()
    - Add support for abrt-upload-watch
    - Allow roles which can run mock to read mock lib files to view results
    - Fix rhcs_domain_template()
    - Dontaudit thumb_t trying to look in /proc
    - Fix abrt policy
    - Fix dovecot policy
    - Fix syntax error in mock policy
    - Add interface rpm_read_log
    - Fix interface rpm_read_log
    - Fix userdom_dontaudit_read_inherited_admin_home_file interface in
      virt.te
    - Add userhelper_dontaudit_write_config interface

 policy-f18-base.patch    |  733 ++++++++++++++++++++++++++--------------------
 policy-f18-contrib.patch |  511 +++++++++++++++++++++++----------
 selinux-policy.spec      |   31 ++-
 3 files changed, 808 insertions(+), 467 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index cd32a73..1f60169 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -113007,7 +113007,7 @@ index f9b25c1..9af1f7a 100644
 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
 +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..d6ec4a8 100644
+index 07126bd..affff65 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
 @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
@@ -113202,8 +113202,9 @@ index 07126bd..d6ec4a8 100644
  	gen_require(`
 -		type port_t;
 +		type port_t, unreserved_port_t, ephemeral_port_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 port_t:tcp_socket { send_msg recv_msg };
 +	allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
 +')
 +
@@ -113222,9 +113223,8 @@ index 07126bd..d6ec4a8 100644
 +interface(`corenet_dontaudit_dccp_sendrecv_generic_port',`
 +	gen_require(`
 +		type port_t, unreserved_port_t, ephemeral_port_t;
- 	')
- 
--	allow $1 port_t:tcp_socket { send_msg recv_msg };
++	')
++
 +	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
  ')
  
@@ -113389,8 +113389,9 @@ index 07126bd..d6ec4a8 100644
  	gen_require(`
 -		type port_t;
 +		type port_t, unreserved_port_t, ephemeral_port_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 port_t:tcp_socket name_connect;
 +	allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;
 +')
 +
@@ -113407,9 +113408,8 @@ index 07126bd..d6ec4a8 100644
 +interface(`corenet_dccp_sendrecv_all_ports',`
 +	gen_require(`
 +		attribute port_type;
- 	')
- 
--	allow $1 port_t:tcp_socket name_connect;
++	')
++
 +	allow $1 port_type:dccp_socket { send_msg recv_msg };
  ')
  
@@ -113617,31 +113617,10 @@ index 07126bd..d6ec4a8 100644
  ##	Send and receive TCP network traffic on all reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1752,12 +2124,210 @@ interface(`corenet_udp_receive_all_reserved_ports',`
- 		attribute reserved_port_type;
- 	')
+@@ -1772,6 +2144,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
  
--	allow $1 reserved_port_type:udp_socket recv_msg;
-+	allow $1 reserved_port_type:udp_socket recv_msg;
-+')
-+
-+########################################
-+## <summary>
-+##	Send and receive UDP network traffic on all reserved ports.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`corenet_udp_sendrecv_all_reserved_ports',`
-+	corenet_udp_send_all_reserved_ports($1)
-+	corenet_udp_receive_all_reserved_ports($1)
-+')
-+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
 +##	Bind DCCP sockets to all reserved ports.
 +## </summary>
 +## <param name="domain">
@@ -113661,19 +113640,15 @@ index 07126bd..d6ec4a8 100644
 +
 +########################################
 +## <summary>
-+##	Bind TCP sockets to all reserved ports.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`corenet_tcp_bind_all_reserved_ports',`
-+	gen_require(`
-+		attribute reserved_port_type;
-+	')
-+
+ ##	Bind TCP sockets to all reserved ports.
+ ## </summary>
+ ## <param name="domain">
+@@ -1785,31 +2176,176 @@ interface(`corenet_tcp_bind_all_reserved_ports',`
+ 		attribute reserved_port_type;
+ 	')
+ 
+-	allow $1 reserved_port_type:tcp_socket name_bind;
+-	allow $1 self:capability net_bind_service;
 +	allow $1 reserved_port_type:tcp_socket name_bind;
 +	allow $1 self:capability net_bind_service;
 +')
@@ -113825,51 +113800,52 @@ index 07126bd..d6ec4a8 100644
  
  ########################################
  ## <summary>
--##	Send and receive UDP network traffic on all reserved ports.
+-##	Do not audit attempts to bind TCP sockets to all reserved ports.
 +##	Bind UDP sockets to all ports > 32768.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1765,14 +2335,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`corenet_udp_sendrecv_all_reserved_ports',`
--	corenet_udp_send_all_reserved_ports($1)
--	corenet_udp_receive_all_reserved_ports($1)
+-interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
 +interface(`corenet_udp_bind_all_ephemeral_ports',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute reserved_port_type;
 +		attribute ephemeral_port_type;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 reserved_port_type:tcp_socket name_bind;
 +	allow $1 ephemeral_port_type:udp_socket name_bind;
  ')
  
  ########################################
  ## <summary>
--##	Bind TCP sockets to all reserved ports.
+-##	Bind UDP sockets to all reserved ports.
 +##	Connect DCCP sockets to reserved ports.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1780,36 +2353,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
+@@ -1817,36 +2353,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
--interface(`corenet_tcp_bind_all_reserved_ports',`
+-interface(`corenet_udp_bind_all_reserved_ports',`
 +interface(`corenet_dccp_connect_all_reserved_ports',`
  	gen_require(`
  		attribute reserved_port_type;
  	')
  
--	allow $1 reserved_port_type:tcp_socket name_bind;
+-	allow $1 reserved_port_type:udp_socket name_bind;
 -	allow $1 self:capability net_bind_service;
 +	allow $1 reserved_port_type:dccp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to bind TCP sockets to all reserved ports.
+-##	Do not audit attempts to bind UDP sockets to all reserved ports.
 +##	Connect TCP sockets to reserved ports.
  ## </summary>
  ## <param name="domain">
@@ -113879,137 +113855,102 @@ index 07126bd..d6ec4a8 100644
  ##	</summary>
  ## </param>
  #
--interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+-interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 +interface(`corenet_tcp_connect_all_reserved_ports',`
  	gen_require(`
  		attribute reserved_port_type;
  	')
  
--	dontaudit $1 reserved_port_type:tcp_socket name_bind;
+-	dontaudit $1 reserved_port_type:udp_socket name_bind;
 +	allow $1 reserved_port_type:tcp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
--##	Bind UDP sockets to all reserved ports.
+-##	Bind TCP sockets to all ports > 1024.
 +##	Connect DCCP sockets to all ports > 1024.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1817,36 +2389,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+@@ -1854,17 +2389,35 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
--interface(`corenet_udp_bind_all_reserved_ports',`
+-interface(`corenet_tcp_bind_all_unreserved_ports',`
 +interface(`corenet_dccp_connect_all_unreserved_ports',`
  	gen_require(`
--		attribute reserved_port_type;
-+		attribute unreserved_port_type;
+ 		attribute unreserved_port_type;
  	')
  
--	allow $1 reserved_port_type:udp_socket name_bind;
--	allow $1 self:capability net_bind_service;
+-	allow $1 unreserved_port_type:tcp_socket name_bind;
 +	allow $1 unreserved_port_type:dccp_socket name_connect;
- ')
- 
--########################################
++')
++
 +#######################################
- ## <summary>
--##	Do not audit attempts to bind UDP sockets to all reserved ports.
++## <summary>
 +##  Connect TCP sockets to ports > 1024.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain to not audit.
--##	</summary>
++## </summary>
++## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
--interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
--	gen_require(`
--		attribute reserved_port_type;
--	')
++## </param>
++#
 +interface(`corenet_tcp_connect_unreserved_ports',`
 +    gen_require(`
 +        type unreserved_port_t;
 +    ')
- 
--	dontaudit $1 reserved_port_type:udp_socket name_bind;
++
 +    allow $1 unreserved_port_t:tcp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
--##	Bind TCP sockets to all ports > 1024.
+-##	Bind UDP sockets to all ports > 1024.
 +##	Connect TCP sockets to all ports > 1024.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1854,17 +2425,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+@@ -1872,17 +2425,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
  ##	</summary>
  ## </param>
  #
--interface(`corenet_tcp_bind_all_unreserved_ports',`
+-interface(`corenet_udp_bind_all_unreserved_ports',`
 +interface(`corenet_tcp_connect_all_unreserved_ports',`
  	gen_require(`
  		attribute unreserved_port_type;
  	')
  
--	allow $1 unreserved_port_type:tcp_socket name_bind;
+-	allow $1 unreserved_port_type:udp_socket name_bind;
 +	allow $1 unreserved_port_type:tcp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
--##	Bind UDP sockets to all ports > 1024.
+-##	Connect TCP sockets to reserved ports.
 +##	Connect TCP sockets to all ports > 32768.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1872,67 +2443,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+@@ -1890,30 +2443,31 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
  ##	</summary>
  ## </param>
  #
--interface(`corenet_udp_bind_all_unreserved_ports',`
+-interface(`corenet_tcp_connect_all_reserved_ports',`
 +interface(`corenet_tcp_connect_all_ephemeral_ports',`
  	gen_require(`
--		attribute unreserved_port_type;
+-		attribute reserved_port_type;
 +		attribute ephemeral_port_type;
  	')
  
--	allow $1 unreserved_port_type:udp_socket name_bind;
-+	allow $1 ephemeral_port_type:tcp_socket name_connect;
- ')
- 
- ########################################
- ## <summary>
--##	Connect TCP sockets to reserved ports.
-+##	Do not audit attempts to connect DCCP sockets
-+##	all reserved ports.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`corenet_tcp_connect_all_reserved_ports',`
-+interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
- 	gen_require(`
- 		attribute reserved_port_type;
- 	')
- 
 -	allow $1 reserved_port_type:tcp_socket name_connect;
-+	dontaudit $1 reserved_port_type:dccp_socket name_connect;
++	allow $1 ephemeral_port_type:tcp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
 -##	Connect TCP sockets to all ports > 1024.
-+##	Do not audit attempts to connect TCP sockets
++##	Do not audit attempts to connect DCCP sockets
 +##	all reserved ports.
  ## </summary>
  ## <param name="domain">
@@ -114020,41 +113961,42 @@ index 07126bd..d6ec4a8 100644
  ## </param>
  #
 -interface(`corenet_tcp_connect_all_unreserved_ports',`
-+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
++interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
  	gen_require(`
 -		attribute unreserved_port_type;
 +		attribute reserved_port_type;
  	')
  
 -	allow $1 unreserved_port_type:tcp_socket name_connect;
-+	dontaudit $1 reserved_port_type:tcp_socket name_connect;
++	dontaudit $1 reserved_port_type:dccp_socket name_connect;
  ')
  
  ########################################
+@@ -1937,6 +2491,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+ 
+ ########################################
  ## <summary>
--##	Do not audit attempts to connect TCP sockets
--##	all reserved ports.
 +##	Connect DCCP sockets to rpc ports.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
++##	</summary>
++## </param>
++#
 +interface(`corenet_dccp_connect_all_rpc_ports',`
- 	gen_require(`
--		attribute reserved_port_type;
++	gen_require(`
 +		attribute rpc_port_type;
- 	')
- 
--	dontaudit $1 reserved_port_type:tcp_socket name_connect;
++	')
++
 +	allow $1 rpc_port_type:dccp_socket name_connect;
- ')
- 
- ########################################
++')
++
++########################################
++## <summary>
+ ##	Connect TCP sockets to rpc ports.
+ ## </summary>
+ ## <param name="domain">
 @@ -1955,6 +2527,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
  
  ########################################
@@ -114081,7 +114023,7 @@ index 07126bd..d6ec4a8 100644
  ##	Do not audit attempts to connect TCP sockets
  ##	all rpc ports.
  ## </summary>
-@@ -1993,6 +2584,24 @@ interface(`corenet_rw_tun_tap_dev',`
+@@ -1993,6 +2584,41 @@ interface(`corenet_rw_tun_tap_dev',`
  
  ########################################
  ## <summary>
@@ -114100,13 +114042,30 @@ index 07126bd..d6ec4a8 100644
 +
 +	allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
 +')
++########################################
++## <summary>
++##      Relabel to and from the TUN/TAP virtual network device.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`corenet_relabel_tun_tap_dev',`
++        gen_require(`
++                type tun_tap_device_t;
++        ')
 +
++        relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t)
++')
++                                      
 +########################################
 +## <summary>
  ##	Do not audit attempts to read or write the TUN/TAP
  ##	virtual network device.
  ## </summary>
-@@ -2049,6 +2658,25 @@ interface(`corenet_rw_ppp_dev',`
+@@ -2049,6 +2675,25 @@ interface(`corenet_rw_ppp_dev',`
  
  ########################################
  ## <summary>
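Review bot: `corenet_relabel_tun_tap_dev` passes tun_tap_device_t as both arguments of `relabel_chr_files_pattern`, while the other device interfaces on this page either use `device_t` as the container type (`rw_chr_files_pattern($1, device_t, vfio_device_t)`) or grant the chr_file permission directly, as `dev_relabel_printer` does with `allow $1 printer_device_t:chr_file relabel_chr_file_perms;`; as far as I can tell the pattern's second argument is the directory type that receives search permission, so `device_t` (or the plain allow) is the consistent choice. The new block also departs from the file's tab indentation (eight spaces on the gen_require lines), omits the blank line that separates the preceding `')` from the new `########` banner, and ends in a whitespace-only line after `')`, which the policy build tolerates but which will surface as trailing-whitespace noise in later diffs; `dev_rw_vfio_dev` later in this commit has the same indentation and missing-blank-line issues. A one-line why-comment such as `# relabelfrom/relabelto stay within tun_tap_device_t; no other type is reachable` would make it obvious to an auditor that this interface cannot be used to move the device node to a different type.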
@@ -114132,7 +114091,7 @@ index 07126bd..d6ec4a8 100644
  ##	Bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2068,6 +2696,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2713,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
  
  ########################################
  ## <summary>
@@ -114157,7 +114116,7 @@ index 07126bd..d6ec4a8 100644
  ##	Do not audit attempts to bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2194,6 +2840,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2857,25 @@ interface(`corenet_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -114183,7 +114142,7 @@ index 07126bd..d6ec4a8 100644
  ##	Receive TCP packets from a NetLabel connection.
  ## </summary>
  ## <param name="domain">
-@@ -2213,7 +2878,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,7 +2895,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -114192,7 +114151,7 @@ index 07126bd..d6ec4a8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2221,10 +2886,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2221,10 +2903,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  ##	</summary>
  ## </param>
  #
@@ -114210,7 +114169,7 @@ index 07126bd..d6ec4a8 100644
  	# XXX - at some point the oubound/send access check will be removed
  	# but for right now we need to keep this in place so as not to break
  	# older systems
-@@ -2249,6 +2919,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2936,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -114237,7 +114196,7 @@ index 07126bd..d6ec4a8 100644
  ##	Do not audit attempts to receive TCP packets from a NetLabel
  ##	connection.
  ## </summary>
-@@ -2269,6 +2959,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2976,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -114265,7 +114224,7 @@ index 07126bd..d6ec4a8 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2533,15 +3244,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,15 +3261,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
  ## <infoflow type="read" weight="10"/>
  #
  interface(`corenet_all_recvfrom_unlabeled',`
@@ -114285,7 +114244,7 @@ index 07126bd..d6ec4a8 100644
  ')
  
  ########################################
-@@ -2567,11 +3273,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
+@@ -2567,11 +3290,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
  #
  interface(`corenet_all_recvfrom_netlabel',`
  	gen_require(`
@@ -114323,7 +114282,7 @@ index 07126bd..d6ec4a8 100644
  ')
  
  ########################################
-@@ -2585,6 +3314,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3331,7 @@ interface(`corenet_all_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@@ -114331,7 +114290,7 @@ index 07126bd..d6ec4a8 100644
  	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
  	kernel_dontaudit_udp_recvfrom_unlabeled($1)
  	kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3343,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3360,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
  	')
  
  	dontaudit $1 netlabel_peer_t:peer recv;
@@ -114368,7 +114327,7 @@ index 07126bd..d6ec4a8 100644
  ')
  
  ########################################
-@@ -2727,6 +3485,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3502,7 @@ interface(`corenet_raw_recvfrom_labeled',`
  ## </param>
  #
  interface(`corenet_all_recvfrom_labeled',`
@@ -114376,7 +114335,7 @@ index 07126bd..d6ec4a8 100644
  	corenet_tcp_recvfrom_labeled($1, $2)
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3893,53 @@ interface(`corenet_unconfined',`
+@@ -3134,3 +3910,53 @@ interface(`corenet_unconfined',`
  
  	typeattribute $1 corenet_unconfined_type;
  ')
@@ -114984,7 +114943,7 @@ index 02b7ac1..1fc53d1 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index d820975..3566762 100644
+index d820975..02a2acf 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -115827,45 +115786,45 @@ index d820975..3566762 100644
  ##	Do not audit attempts to get the attributes
  ##	of the BIOS non-volatile RAM device.
  ## </summary>
-@@ -3235,7 +3556,25 @@ interface(`dev_rw_printer',`
+@@ -3235,7 +3556,7 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
 -##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
 +##	Relabel the printer device node.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_relabel_printer',`
-+	gen_require(`
-+		type printer_device_t;
-+	')
-+
-+	allow $1 printer_device_t:chr_file relabel_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read and write the printer device.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3243,12 +3582,13 @@ interface(`dev_rw_printer',`
+@@ -3243,12 +3564,31 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
 -interface(`dev_read_printk',`
-+interface(`dev_manage_printer',`
++interface(`dev_relabel_printer',`
  	gen_require(`
 -		type device_t, printk_device_t;
-+		type device_t, printer_device_t;
++		type printer_device_t;
  	')
  
 -	read_chr_files_pattern($1, device_t, printk_device_t)
++	allow $1 printer_device_t:chr_file relabel_chr_file_perms;
++')
++
++########################################
++## <summary>
++##	Read and write the printer device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_manage_printer',`
++	gen_require(`
++		type device_t, printer_device_t;
++	')
++
 +	manage_chr_files_pattern($1, device_t, printer_device_t)
 +	dev_filetrans_printer_named_dev($1)
  ')
@@ -115943,7 +115902,7 @@ index d820975..3566762 100644
  #
 -interface(`dev_manage_sysfs_dirs',`
 +interface(`dev_read_cpu_online',`
-+	gen_require(`
+ 	gen_require(`
 +		type cpu_online_t;
 +	')
 +
@@ -115962,7 +115921,7 @@ index d820975..3566762 100644
 +## </param>
 +#
 +interface(`dev_relabel_cpu_online',`
- 	gen_require(`
++	gen_require(`
 +		type cpu_online_t;
  		type sysfs_t;
  	')
@@ -116090,7 +116049,31 @@ index d820975..3566762 100644
  ########################################
  ## <summary>
  ##	Read generic the USB devices.
-@@ -4520,6 +5016,24 @@ interface(`dev_rw_vhost',`
+@@ -4407,6 +4903,23 @@ interface(`dev_rw_userio_dev',`
+ 
+ 	rw_chr_files_pattern($1, device_t, userio_device_t)
+ ')
++########################################
++## <summary>
++##      Read and write the VFIO devices.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`dev_rw_vfio_dev',`
++        gen_require(`
++                type device_t, vfio_device_t;
++        ')
++
++        rw_chr_files_pattern($1, device_t, vfio_device_t)
++')
+ 
+ ########################################
+ ## <summary>
+@@ -4520,6 +5033,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
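Review bot: `dev_rw_vfio_dev` requires `vfio_device_t` in its gen_require, but no declaration of that type or file context for its device nodes appears anywhere in this diff and the commit message does not mention adding one; if it is not already declared in devices.te the module will fail at the gen_require during build. The summary `Read and write the VFIO devices.` understates what callers receive: rw_chr_file_perms on the VFIO nodes includes ioctl, which is how VFIO hands userspace control of whatever hardware has been bound to it, so I would extend the summary with `## Intended only for domains that perform device assignment.` so that future callers are not added casually. The placement right after `rw_chr_files_pattern($1, device_t, userio_device_t)` without the usual separating blank line also breaks the `')` / blank / `########` rhythm the rest of devices.if follows.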
@@ -116115,7 +116098,7 @@ index d820975..3566762 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4725,6 +5239,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4725,6 +5256,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -116142,7 +116125,7 @@ index d820975..3566762 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4814,3 +5348,917 @@ interface(`dev_unconfined',`
+@@ -4814,3 +5365,917 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -128311,7 +128294,7 @@ index fe0c682..871b8fd 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..e700e11 100644
+index b17e27a..2bca9eb 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,53 @@ policy_module(ssh, 2.3.0)
@@ -128467,8 +128450,12 @@ index b17e27a..e700e11 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -156,38 +178,42 @@ logging_read_generic_logs(ssh_t)
+@@ -154,40 +176,46 @@ files_read_var_files(ssh_t)
+ logging_send_syslog_msg(ssh_t)
+ logging_read_generic_logs(ssh_t)
  
++term_use_ptmx(ssh_t)
++
  auth_use_nsswitch(ssh_t)
  
 -miscfiles_read_localization(ssh_t)
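Review bot: `term_use_ptmx(ssh_t)` is added without a comment naming the client operation that needs /dev/ptmx, and the commit message only restates the rule; since ssh_t is the interactive client domain, a why-comment such as `# ssh client opens /dev/ptmx for <triggering case — confirm from the original denial>` would let a later reviewer judge whether the grant is still justified. Placement also appears to differ from the file's layout: the ssh_t block groups calls by module (files_*, fs_*, then logging_*, auth_*), and the new kernel-layer `term_*` call is dropped between `logging_read_generic_logs` and `auth_use_nsswitch` rather than alongside the other kernel-layer calls such as `dev_read_urand` and `fs_getattr_all_fs`. The ssh_t local policy section continues outside this hunk.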
@@ -128529,7 +128516,7 @@ index b17e27a..e700e11 100644
  ')
  
  optional_policy(`
-@@ -195,28 +221,24 @@ optional_policy(`
+@@ -195,28 +223,24 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -128562,7 +128549,7 @@ index b17e27a..e700e11 100644
  #################################
  #
  # sshd local policy
-@@ -227,33 +249,50 @@ optional_policy(`
+@@ -227,33 +251,50 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -128622,7 +128609,7 @@ index b17e27a..e700e11 100644
  ')
  
  optional_policy(`
-@@ -261,11 +300,24 @@ optional_policy(`
+@@ -261,11 +302,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -128648,7 +128635,7 @@ index b17e27a..e700e11 100644
  ')
  
  optional_policy(`
-@@ -273,6 +325,10 @@ optional_policy(`
+@@ -273,6 +327,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -128659,7 +128646,7 @@ index b17e27a..e700e11 100644
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -283,13 +339,69 @@ optional_policy(`
+@@ -283,13 +341,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -128729,7 +128716,7 @@ index b17e27a..e700e11 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -298,19 +410,26 @@ optional_policy(`
+@@ -298,19 +412,26 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -128757,7 +128744,7 @@ index b17e27a..e700e11 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -327,9 +446,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -327,9 +448,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -128771,7 +128758,7 @@ index b17e27a..e700e11 100644
  ')
  
  optional_policy(`
-@@ -339,3 +460,124 @@ optional_policy(`
+@@ -339,3 +462,124 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -129047,7 +129034,7 @@ index fc86b7c..31e19bd 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..ff0f72a 100644
+index 130ced9..3bfaf3b 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -129936,7 +129923,7 @@ index 130ced9..ff0f72a 100644
  ')
  
  ########################################
-@@ -1243,10 +1626,625 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1626,626 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -130436,6 +130423,7 @@ index 130ced9..ff0f72a 100644
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
++	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
 +	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
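Review bot: the `.Xauthority-n` transition extends a hand-maintained list of xauth temp-file suffixes (`-l`, `-c`, now `-n`) that this commit also writes out a second time into xserver.te's xauth_t block (the hunk at `@@ -130866,6 +130854,12 @@`), so the two lists can silently diverge the next time a suffix is added. If the interface here (whose name and opening line lie outside this hunk) is callable from xserver.te, have the xauth_t block call it instead of repeating the six rules; otherwise a marker on each copy such as `# keep in sync with the .Xauthority* filetrans list in xserver.te` (and the mirror comment in xserver.if) is the minimum. A short comment saying what the `-l`/`-c`/`-n` names are (xauth's lock and temporary files, if that is the case) would also make these exact-name transitions easier to audit.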
@@ -130565,7 +130553,7 @@ index 130ced9..ff0f72a 100644
 +        allow $1 xdm_t:lnk_file read_lnk_file_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..e169452 100644
+index d40f750..a5cd263 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -130802,7 +130790,7 @@ index d40f750..e169452 100644
  ')
  
  ########################################
-@@ -247,45 +314,85 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,45 +314,91 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -130866,6 +130854,12 @@ index d40f750..e169452 100644
 +userdom_use_inherited_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
 +userdom_read_all_users_state(xauth_t)
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth")
  
  xserver_rw_xdm_tmp_files(xauth_t)
  
@@ -130898,7 +130892,7 @@ index d40f750..e169452 100644
  ')
  
  optional_policy(`
-@@ -299,64 +406,108 @@ optional_policy(`
+@@ -299,64 +412,108 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -131017,7 +131011,7 @@ index d40f750..e169452 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +516,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +522,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -131047,7 +131041,7 @@ index d40f750..e169452 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +546,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +552,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -131100,7 +131094,7 @@ index d40f750..e169452 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +598,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +604,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -131129,7 +131123,7 @@ index d40f750..e169452 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +628,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +634,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -131176,7 +131170,7 @@ index d40f750..e169452 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +673,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +679,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -131226,7 +131220,7 @@ index d40f750..e169452 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +723,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +729,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -131253,7 +131247,7 @@ index d40f750..e169452 100644
  ')
  
  optional_policy(`
-@@ -514,12 +750,72 @@ optional_policy(`
+@@ -514,12 +756,72 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -131326,7 +131320,7 @@ index d40f750..e169452 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +833,78 @@ optional_policy(`
+@@ -537,28 +839,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -131414,7 +131408,7 @@ index d40f750..e169452 100644
  ')
  
  optional_policy(`
-@@ -570,6 +916,14 @@ optional_policy(`
+@@ -570,6 +922,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -131429,7 +131423,7 @@ index d40f750..e169452 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +948,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +954,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -131442,7 +131436,7 @@ index d40f750..e169452 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +965,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +971,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -131458,7 +131452,7 @@ index d40f750..e169452 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +981,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +987,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -131469,7 +131463,7 @@ index d40f750..e169452 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +996,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1002,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -131491,7 +131485,7 @@ index d40f750..e169452 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1016,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1022,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -131505,7 +131499,7 @@ index d40f750..e169452 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1042,29 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1048,29 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -131538,7 +131532,7 @@ index d40f750..e169452 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1075,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1081,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -131556,7 +131550,7 @@ index d40f750..e169452 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1098,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1104,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -131580,7 +131574,7 @@ index d40f750..e169452 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1163,40 @@ optional_policy(`
+@@ -775,16 +1169,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -131622,7 +131616,7 @@ index d40f750..e169452 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1205,10 @@ optional_policy(`
+@@ -793,6 +1211,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -131633,7 +131627,7 @@ index d40f750..e169452 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1224,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1230,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -131647,7 +131641,7 @@ index d40f750..e169452 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1235,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1241,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -131656,7 +131650,7 @@ index d40f750..e169452 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1248,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1254,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -131691,7 +131685,7 @@ index d40f750..e169452 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1270,10 @@ optional_policy(`
+@@ -859,6 +1276,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -131702,7 +131696,7 @@ index d40f750..e169452 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1317,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1323,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -131711,7 +131705,7 @@ index d40f750..e169452 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1371,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1377,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -131743,7 +131737,7 @@ index d40f750..e169452 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1417,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1423,44 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -137000,7 +136994,7 @@ index 0646ee7..da1337a 100644
  ')
  
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index ef8bbaf..7133fca 100644
+index ef8bbaf..adbee9f 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -1,3 +1,4 @@
@@ -137154,7 +137148,7 @@ index ef8bbaf..7133fca 100644
  
  /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -299,17 +307,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +307,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -137293,6 +137287,7 @@ index ef8bbaf..7133fca 100644
 +/usr/lib/libGLcore\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/libkmplayercommon\.so.*     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmpg123\.so(\.[^/]*)* --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/opt/Unify/SQLBase/libgptsblmsui11\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
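Review bot: The new `libmpg123` entry does not follow the form of its neighbours: the surrounding textrel_shlib_t lines match the soname with `\.so.*` and align the `--` and the context with tabs, while this line uses `\.so(\.[^/]*)*` and runs of spaces, so the column layout of the resulting libraries.fc is broken on this line. File-context regexes are anchored by the matcher, so the neighbouring form `/usr/lib/libmpg123\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)` (tab-separated) would cover the versioned sonames just as well and keep the file consistent. The same space-for-tab alignment appears in the abrt.fc hunk of policy-f18-contrib.patch on the `/usr/sbin/abrt-upload-watch` line.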
@@ -137313,6 +137308,7 @@ index ef8bbaf..7133fca 100644
 +/opt/google/[^/]*/.*\.so	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
++
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
 index 808ba93..7b506f2 100644
 --- a/policy/modules/system/libraries.if
@@ -138349,7 +138345,7 @@ index 321bb13..3638d50 100644
 +	init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 0034021..a2cd438 100644
+index 0034021..df6d9ee 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.19.0)
@@ -138664,7 +138660,7 @@ index 0034021..a2cd438 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -493,15 +568,36 @@ optional_policy(`
+@@ -493,15 +568,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -138691,6 +138687,10 @@ index 0034021..a2cd438 100644
  ')
  
  optional_policy(`
++    psad_search_lib_files(syslogd_t)
++')
++
++optional_policy(`
  	seutil_sigchld_newrole(syslogd_t)
 +	snmp_read_snmp_var_lib_files(syslogd_t)
 +	snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)
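Review bot: The new `optional_policy` block calling `psad_search_lib_files(syslogd_t)` is indented with four spaces, while every other call in this logging.te hunk (for example `seutil_sigchld_newrole(syslogd_t)` right below it) uses a single tab. Refpolicy style is tab indentation, so the line should read `	psad_search_lib_files(syslogd_t)`. Placing the block before the seutil one keeps the optional_policy blocks in alphabetical order, which is fine.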
@@ -138701,7 +138701,7 @@ index 0034021..a2cd438 100644
  ')
  
  optional_policy(`
-@@ -512,3 +608,24 @@ optional_policy(`
+@@ -512,3 +612,24 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -138727,10 +138727,10 @@ index 0034021..a2cd438 100644
 +	kernel_dgram_send(syslog_client_type)
 +')
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..e2a9f15 100644
+index 879bb1e..79e6c30 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
-@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',`
+@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',`
  /etc/lvmtab(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
  /etc/lvmtab\.d(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
  
@@ -138747,6 +138747,7 @@ index 879bb1e..e2a9f15 100644
  # /sbin
  #
 +/sbin/mount\.crypt	--	gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/umount\.crypt	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/cryptsetup	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/dmraid		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
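Review bot: The `umount\.crypt` entry is added only in the `/sbin` section next to `mount\.crypt`; lvm.fc also has a `/usr` section (the `@@ -88,8 +95,69 @@` hunk below), which is outside this hunk, so I cannot see whether `mount\.crypt` has a `/usr/sbin` counterpart there. If it does, `umount\.crypt` needs the matching line, `/usr/sbin/umount\.crypt	--	gen_context(system_u:object_r:lvm_exec_t,s0)`, otherwise the two helpers could end up labelled differently depending on which path is resolved at relabel time.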
@@ -138766,7 +138767,7 @@ index 879bb1e..e2a9f15 100644
  /sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +94,69 @@ ifdef(`distro_gentoo',`
+@@ -88,8 +95,69 @@ ifdef(`distro_gentoo',`
  #
  # /usr
  #
@@ -138838,7 +138839,7 @@ index 879bb1e..e2a9f15 100644
  
  #
  # /var
-@@ -97,5 +164,8 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +165,8 @@ ifdef(`distro_gentoo',`
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -141988,6 +141989,32 @@ index bea4629..06e2834 100644
 +
  /var/run/setrans(/.*)?		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
 +/var/run/mcstransd\.pid		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
+diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
+index efa9c27..591f581 100644
+--- a/policy/modules/system/setrans.if
++++ b/policy/modules/system/setrans.if
+@@ -40,3 +40,21 @@ interface(`setrans_translate_context',`
+ 	stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
+ 	files_list_pids($1)
+ ')
++#######################################
++## <summary>
++##      Allow a domain to manage pid files
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`setrans_manage_pid_files',`
++        gen_require(`
++                type setrans_var_run_t;
++        ')
++
++        files_search_pids($1)
++        manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t)
++')
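Review bot: The new `setrans_manage_pid_files` interface departs from the file's conventions in three visible ways: its body and `gen_require` are indented with eight spaces where the `setrans_translate_context` body just above uses tabs, its `#` separator is one character shorter than the forty-column separators used elsewhere in the policy (compare the userdomain.if headers further down), and there is no blank line between the preceding `')` and the separator. The summary `Allow a domain to manage pid files` should also name the target, e.g. `##	Manage setrans pid files.`, since `manage_files_pattern` here grants create, write and unlink on `setrans_var_run_t`, which the setrans.fc hunk just above labels `mls_systemhigh`.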
 diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
 index 1447687..d5e6fb9 100644
 --- a/policy/modules/system/setrans.te
@@ -145915,7 +145942,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..a246d7c 100644
+index e720dcd..9c9a616 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -148075,7 +148102,52 @@ index e720dcd..a246d7c 100644
  ')
  
  ########################################
-@@ -2521,6 +3198,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2298,6 +2975,44 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
+ 
+ ########################################
+ ## <summary>
++##      Relabel user tmp files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_relabel_user_tmp_files',`
++        gen_require(`
++                type user_tmp_t;
++        ')
++
++        allow $1 user_tmp_t:file relabel_file_perms;
++')                                        
++
++########################################
++## <summary>
++##      Set the attributes of user tmp files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_setattr_user_tmp_files',`
++        gen_require(`
++                type user_tmp_t;
++        ')
++
++        allow $1 user_tmp_t:file setattr;
++')
++                                        
++########################################
++## <summary>
+ ##	Read and write user temporary files.
+ ## </summary>
+ ## <param name="domain">
+@@ -2521,6 +3236,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
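Review bot: The added `userdom_relabel_user_tmp_files` and `userdom_setattr_user_tmp_files` interfaces carry trailing whitespace — the closing `')` of the relabel interface is followed by a run of spaces, and the blank line after the setattr interface is all spaces — and both bodies are indented with eight spaces rather than the tabs used by the surrounding userdomain.if context. Trim the trailing whitespace and indent as `	gen_require(\`` / `		type user_tmp_t;` so the two interfaces match the rest of the file.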
@@ -148101,7 +148173,7 @@ index e720dcd..a246d7c 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2537,13 +3233,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2537,13 +3271,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -148117,7 +148189,7 @@ index e720dcd..a246d7c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2564,7 +3261,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3299,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -148126,7 +148198,7 @@ index e720dcd..a246d7c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2572,14 +3269,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,14 +3307,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -148161,7 +148233,7 @@ index e720dcd..a246d7c 100644
  ')
  
  ########################################
-@@ -2674,6 +3387,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2674,6 +3425,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -148186,7 +148258,7 @@ index e720dcd..a246d7c 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2692,22 +3423,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3461,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -148229,7 +148301,7 @@ index e720dcd..a246d7c 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2716,14 +3459,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3497,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -148267,7 +148339,7 @@ index e720dcd..a246d7c 100644
  ')
  
  ########################################
-@@ -2742,8 +3504,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3542,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -148297,7 +148369,7 @@ index e720dcd..a246d7c 100644
  ')
  
  ########################################
-@@ -2815,69 +3596,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3634,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -148398,7 +148470,7 @@ index e720dcd..a246d7c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2885,12 +3665,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3703,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -148413,7 +148485,7 @@ index e720dcd..a246d7c 100644
  ')
  
  ########################################
-@@ -2954,7 +3734,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3772,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -148422,7 +148494,7 @@ index e720dcd..a246d7c 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2970,29 +3750,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,16 +3788,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -148433,11 +148505,33 @@ index e720dcd..a246d7c 100644
  
  	files_list_home($1)
 -	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
++	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
++	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Send signull to unprivileged user domains.
++##	Send general signals to unprivileged user domains.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2987,30 +3807,12 @@ interface(`userdom_search_user_home_content',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_signull_unpriv_users',`
++interface(`userdom_signal_unpriv_users',`
+ 	gen_require(`
+ 		attribute unpriv_userdomain;
+ 	')
+ 
+-	allow $1 unpriv_userdomain:process signull;
 -')
 -
 -########################################
 -## <summary>
--##	Send signull to unprivileged user domains.
+-##	Send general signals to unprivileged user domains.
 -## </summary>
 -## <param name="domain">
 -##	<summary>
@@ -148445,18 +148539,17 @@ index e720dcd..a246d7c 100644
 -##	</summary>
 -## </param>
 -#
--interface(`userdom_signull_unpriv_users',`
+-interface(`userdom_signal_unpriv_users',`
 -	gen_require(`
 -		attribute unpriv_userdomain;
 -	')
 -
--	allow $1 unpriv_userdomain:process signull;
-+	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
-+	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
+-	allow $1 unpriv_userdomain:process signal;
++	allow $1 unpriv_userdomain:process signal;
  ')
  
  ########################################
-@@ -3074,7 +3838,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3876,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -148465,106 +148558,82 @@ index e720dcd..a246d7c 100644
  ')
  
  ########################################
-@@ -3129,12 +3893,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,7 +3931,64 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
 -	allow $1 user_tmp_t:file write_file_perms;
 +	write_files_pattern($1, user_tmp_t, user_tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to use user ttys.
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to write users
 +##	temporary files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3142,21 +3907,77 @@ interface(`userdom_write_user_tmp_files',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_dontaudit_use_user_ttys',`
-+interface(`userdom_dontaudit_write_user_tmp_files',`
- 	gen_require(`
--		type user_tty_device_t;
-+		type user_tmp_t;
- 	')
- 
--	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+	dontaudit $1 user_tmp_t:file write;
- ')
- 
- ########################################
- ## <summary>
--##	Read the process state of all user domains.
-+##	Do not audit attempts to read/write users
-+##	temporary fifo files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
-+	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++	dontaudit $1 user_tmp_t:file write;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow domain to read/write inherited users
-+##	fifo files.
++##	Do not audit attempts to read/write users
++##	temporary fifo files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_rw_inherited_user_pipes',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
 +	gen_require(`
-+		attribute userdomain;
++		type user_tmp_t;
 +	')
 +
-+	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
++	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to use user ttys.
++##	Allow domain to read/write inherited users
++##	fifo files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_rw_inherited_user_pipes',`
 +	gen_require(`
-+		type user_tty_device_t;
++		attribute userdomain;
 +	')
 +
++	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
+ ')
+ 
+ ########################################
+@@ -3147,7 +4006,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+ 		type user_tty_device_t;
+ 	')
+ 
+-	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
 +	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read the process state of all user domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
-@@ -3166,6 +3987,7 @@ interface(`userdom_read_all_users_state',`
+ ')
+ 
+ ########################################
+@@ -3166,6 +4025,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -148572,7 +148641,7 @@ index e720dcd..a246d7c 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3242,6 +4064,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4102,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -148615,7 +148684,7 @@ index e720dcd..a246d7c 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4120,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4158,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -148640,7 +148709,7 @@ index e720dcd..a246d7c 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3295,4 +4171,1364 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3295,4 +4209,1400 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -149515,7 +149584,7 @@ index e720dcd..a246d7c 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_read_admin_home_files',`
++interface(`userdom_dontaudit_read_admin_home_file',`
 +	gen_require(`
 +		type admin_home_t;
 +	')
@@ -149525,6 +149594,42 @@ index e720dcd..a246d7c 100644
 +
 +########################################
 +## <summary>
++##      Dontaudit Read files inherited from the admin home dir.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to not audit.
++##      </summary>
++## </param>
++#
++interface(`userdom_dontaudit_read_inherited_admin_home_file',`
++        gen_require(`
++                attribute admin_home_t;
++        ')
++
++        dontaudit $1 admin_home_t:file read_inherited_file_perms;
++')
++                                    
++########################################
++## <summary>
++##      Dontaudit append files inherited from the admin home dir.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to not audit.
++##      </summary>
++## </param>
++#
++interface(`userdom_dontaudit_append_inherited_admin_home_file',`
++        gen_require(`
++                attribute admin_home_t;
++        ')
++
++        dontaudit $1 admin_home_t:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete user
 +##	temporary chr files.
 +## </summary>
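Review bot: Both new interfaces, `userdom_dontaudit_read_inherited_admin_home_file` and `userdom_dontaudit_append_inherited_admin_home_file`, declare `attribute admin_home_t;` in their `gen_require`, but `admin_home_t` is a type — the renamed `userdom_dontaudit_read_admin_home_file` directly above requires it as `type admin_home_t;`. A require of the wrong symbol kind is not expected to resolve when a module calling either interface is linked, so both should read `		type admin_home_t;`. The two bodies also use eight-space indentation and the line after the read_inherited interface is whitespace-only, unlike the tab-indented interface above them.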
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 00d6059..891a691 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -1,8 +1,8 @@
 diff --git a/abrt.fc b/abrt.fc
-index 1bd5812..cd073d2 100644
+index 1bd5812..2fe1152 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,20 +1,39 @@
+@@ -1,20 +1,41 @@
  /etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
  /etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
  
@@ -18,6 +18,8 @@ index 1bd5812..cd073d2 100644
  
  /usr/sbin/abrtd			--	gen_context(system_u:object_r:abrt_exec_t,s0)
 +/usr/sbin/abrt-dbus		--	gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-harvest.*	--	gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-upload-watch --  gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
 +
 +/usr/libexec/abrt-handle-event	--	gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
  
@@ -368,10 +370,10 @@ index 0b827c5..cce58bb 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/abrt.te b/abrt.te
-index 30861ec..53d5f7b 100644
+index 30861ec..9906206 100644
 --- a/abrt.te
 +++ b/abrt.te
-@@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
+@@ -5,13 +5,41 @@ policy_module(abrt, 1.2.0)
  # Declarations
  #
  
@@ -386,6 +388,14 @@ index 30861ec..53d5f7b 100644
 +gen_tunable(abrt_anon_write, false)
 +
 +## <desc>
++## <p>
++## Allow abrt-handle-upload to modify public files
++## used for public file transfer services in /var/spool/abrt-upload/.
++## </p>
++## </desc>
++gen_tunable(abrt_upload_watch_anon_write, true)
++
++## <desc>
 +##  <p>
 +##  Allow ABRT to run in abrt_handle_event_t domain
 +##  to handle ABRT event scripts
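Review bot: The new boolean `abrt_upload_watch_anon_write` is declared with a default of `true`, whereas its sibling `abrt_anon_write` a few lines above defaults to `false`; a default-on tunable that widens write access to public files under `/var/spool/abrt-upload/` should either default off, `gen_tunable(abrt_upload_watch_anon_write, false)`, or carry a comment stating why it must ship enabled. The `<desc>` also refers to `abrt-handle-upload` while the tunable is named after abrt-upload-watch; if both components are meant, the description should say so, since the `tunable_policy` block that consumes it is outside this hunk.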
@@ -407,7 +417,7 @@ index 30861ec..53d5f7b 100644
  # etc files
  type abrt_etc_t;
  files_config_file(abrt_etc_t)
-@@ -20,22 +40,33 @@ files_config_file(abrt_etc_t)
+@@ -20,22 +48,33 @@ files_config_file(abrt_etc_t)
  type abrt_var_log_t;
  logging_log_file(abrt_var_log_t)
  
@@ -434,17 +444,17 @@ index 30861ec..53d5f7b 100644
 +application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
 +role system_r types abrt_handle_event_t;
 +
++# type needed to allow all domains
++# to handle /var/cache/abrt
  # type needed to allow all domains
  # to handle /var/cache/abrt
 -type abrt_helper_t;
 -type abrt_helper_exec_t;
-+# type needed to allow all domains
-+# to handle /var/cache/abrt
 +abrt_basic_types_template(abrt_helper)
  application_domain(abrt_helper_t, abrt_helper_exec_t)
  role system_r types abrt_helper_t;
  
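Review bot: The comment pair `# type needed to allow all domains` / `# to handle /var/cache/abrt` now appears twice in the resulting abrt.te: the hunk adds it as two new lines immediately before the identical two context lines that already precede `abrt_basic_types_template(abrt_helper)`. Drop the two added comment lines so the existing pair alone introduces the helper type.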
-@@ -43,14 +74,36 @@ ifdef(`enable_mcs',`
+@@ -43,14 +82,40 @@ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -470,6 +480,10 @@ index 30861ec..53d5f7b 100644
 +abrt_basic_types_template(abrt_watch_log)
 +init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
 +
++# Support for abrt-upload-watch
++abrt_basic_types_template(abrt_upload_watch)
++init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
++
  ########################################
  #
  # abrt local policy
@@ -483,7 +497,7 @@ index 30861ec..53d5f7b 100644
  
  allow abrt_t self:fifo_file rw_fifo_file_perms;
  allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +112,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +124,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
  allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
  
  # abrt etc files
@@ -491,7 +505,7 @@ index 30861ec..53d5f7b 100644
  rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
  
  # log file
-@@ -68,7 +122,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -68,7 +134,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  # abrt tmp files
  manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -501,7 +515,7 @@ index 30861ec..53d5f7b 100644
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -76,16 +132,18 @@ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -76,16 +144,18 @@ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
  files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
@@ -522,7 +536,7 @@ index 30861ec..53d5f7b 100644
  kernel_rw_kernel_sysctl(abrt_t)
  
  corecmd_exec_bin(abrt_t)
-@@ -93,7 +151,6 @@ corecmd_exec_shell(abrt_t)
+@@ -93,7 +163,6 @@ corecmd_exec_shell(abrt_t)
  corecmd_read_all_executables(abrt_t)
  
  corenet_all_recvfrom_netlabel(abrt_t)
@@ -530,7 +544,7 @@ index 30861ec..53d5f7b 100644
  corenet_tcp_sendrecv_generic_if(abrt_t)
  corenet_tcp_sendrecv_generic_node(abrt_t)
  corenet_tcp_sendrecv_generic_port(abrt_t)
-@@ -104,6 +161,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +173,8 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
@@ -539,7 +553,7 @@ index 30861ec..53d5f7b 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +172,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +184,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -549,7 +563,7 @@ index 30861ec..53d5f7b 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +181,9 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +193,9 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -559,7 +573,7 @@ index 30861ec..53d5f7b 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,22 +194,39 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +206,39 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -577,7 +591,7 @@ index 30861ec..53d5f7b 100644
 +miscfiles_read_public_files(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
-+userdom_dontaudit_read_admin_home_files(abrt_t)
++userdom_dontaudit_read_admin_home_file(abrt_t)
 +
 +tunable_policy(`abrt_anon_write',`
 +	miscfiles_manage_public_files(abrt_t)
@@ -603,7 +617,7 @@ index 30861ec..53d5f7b 100644
  ')
  
  optional_policy(`
-@@ -167,6 +247,7 @@ optional_policy(`
+@@ -167,6 +259,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -611,7 +625,7 @@ index 30861ec..53d5f7b 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,9 +259,36 @@ optional_policy(`
+@@ -178,9 +271,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -648,7 +662,7 @@ index 30861ec..53d5f7b 100644
  ########################################
  #
  # abrt--helper local policy
-@@ -196,13 +304,16 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -196,13 +316,16 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -666,7 +680,7 @@ index 30861ec..53d5f7b 100644
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -211,12 +322,11 @@ auth_use_nsswitch(abrt_helper_t)
+@@ -211,12 +334,11 @@ auth_use_nsswitch(abrt_helper_t)
  
  logging_send_syslog_msg(abrt_helper_t)
  
@@ -681,7 +695,7 @@ index 30861ec..53d5f7b 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +334,152 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +346,170 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -689,7 +703,7 @@ index 30861ec..53d5f7b 100644
 +	optional_policy(`
 +		rpm_dontaudit_leaks(abrt_helper_t)
 +	')
-+')
+ ')
 +
 +ifdef(`hide_broken_symptoms',`
 +	gen_require(`
@@ -826,13 +840,31 @@ index 30861ec..53d5f7b 100644
 +
 +optional_policy(`
 +	unconfined_domain(abrt_watch_log_t)
- ')
++')
++
++#######################################
++#
++# abrt-upload-watch local policy
++#
++
++corecmd_exec_bin(abrt_upload_watch_t)
++
++tunable_policy(`abrt_upload_watch_anon_write',`
++    miscfiles_manage_public_files(abrt_upload_watch_t)
++')
++
++optional_policy(`
++    unconfined_domain(abrt_upload_watch_t)
++')
 +
 +#######################################
 +#
 +# Local policy for all abrt domain
 +#
 +
++allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
++allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
++
 +files_read_etc_files(abrt_domain)
 diff --git a/accountsd.fc b/accountsd.fc
 index 1adca53..18e0e41 100644
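Review bot: `allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;` is ineffective as written, because the `connectto` check is made against the listening process's domain, not the socket file's type; the idiom used elsewhere in this patch (`stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)` in bind.te) pairs the sock_file write with the peer domain, so this should be `stream_connect_pattern(abrt_domain, abrt_var_run_t, abrt_var_run_t, abrt_t)` with the two `allow` lines dropped. If abrt.socket is actually owned by systemd rather than abrt_t the target would be init_t instead, and a comment should say which. Separately, `unconfined_domain(abrt_upload_watch_t)` combined with the `abrt_upload_watch_anon_write` tunable (whose `gen_tunable` declaration is not in this hunk, verify it exists) means the daemon that watches an anonymously writable upload directory runs with no SELinux confinement whenever the unconfined module is loaded; it mirrors the abrt_watch_log_t block above, but a comment stating why the domain cannot be confined would help. The new block also uses four-space indents where abrt.te uses tabs.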
@@ -6293,7 +6325,7 @@ index 44a1e3d..bc50fd6 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 0968cb4..895ac30 100644
+index 0968cb4..048c069 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -6,6 +6,13 @@ policy_module(bind, 1.11.0)
@@ -6393,7 +6425,7 @@ index 0968cb4..895ac30 100644
  tunable_policy(`named_write_master_zones',`
  	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
  	manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -154,6 +168,12 @@ tunable_policy(`named_write_master_zones',`
+@@ -154,6 +168,18 @@ tunable_policy(`named_write_master_zones',`
  ')
  
  optional_policy(`
@@ -6403,10 +6435,16 @@ index 0968cb4..895ac30 100644
 +')
 +
 +optional_policy(`
++	cron_system_entry(named_t, named_exec_t)
++')
++
++optional_policy(`
++	dbus_system_domain(named_t, named_exec_t)
++
  	init_dbus_chat_script(named_t)
  
  	sysnet_dbus_chat_dhcpc(named_t)
-@@ -168,6 +188,7 @@ optional_policy(`
+@@ -168,6 +194,7 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_keytab_template(named, named_t)
@@ -6414,7 +6452,7 @@ index 0968cb4..895ac30 100644
  ')
  
  optional_policy(`
-@@ -199,6 +220,7 @@ optional_policy(`
+@@ -199,6 +226,7 @@ optional_policy(`
  
  # cjp: why net_admin?!
  allow ndc_t self:capability { dac_override net_admin };
@@ -6422,7 +6460,7 @@ index 0968cb4..895ac30 100644
  allow ndc_t self:process { fork signal_perms };
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
-@@ -211,13 +233,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
+@@ -211,13 +239,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
  stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
  
  allow ndc_t named_conf_t:file read_file_perms;
@@ -6438,7 +6476,7 @@ index 0968cb4..895ac30 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -228,28 +250,26 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
+@@ -228,28 +256,26 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
  
  domain_use_interactive_fds(ndc_t)
  
@@ -14064,7 +14102,7 @@ index 6e12dc7..b006818 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/cron.te b/cron.te
-index b357856..23b2124 100644
+index b357856..07685bc 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -1,4 +1,4 @@
@@ -14276,7 +14314,7 @@ index b357856..23b2124 100644
  logging_send_syslog_msg(crond_t)
  logging_set_loginuid(crond_t)
  
-@@ -215,25 +253,27 @@ seutil_read_config(crond_t)
+@@ -215,25 +253,31 @@ seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
  seutil_sigchld_newrole(crond_t)
  
@@ -14306,11 +14344,15 @@ index b357856..23b2124 100644
 +	logwatch_search_cache_dir(crond_t)
 +')
 +
++optional_policy(`
++	bind_read_config(crond_t)
++')
++
 +ifdef(`distro_redhat',`
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
  	# via redirection of standard out.
  	optional_policy(`
-@@ -241,7 +281,7 @@ ifdef(`distro_redhat', `
+@@ -241,7 +285,7 @@ ifdef(`distro_redhat', `
  	')
  ')
  
@@ -14319,7 +14361,7 @@ index b357856..23b2124 100644
  	files_polyinstantiate_all(crond_t)
  ')
  
-@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +294,27 @@ tunable_policy(`fcron_crond', `
  ')
  
  optional_policy(`
@@ -14347,7 +14389,7 @@ index b357856..23b2124 100644
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -264,6 +320,8 @@ optional_policy(`
+@@ -264,6 +324,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -14356,7 +14398,7 @@ index b357856..23b2124 100644
  ')
  
  optional_policy(`
-@@ -286,15 +344,25 @@ optional_policy(`
+@@ -286,15 +348,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14382,7 +14424,7 @@ index b357856..23b2124 100644
  allow system_cronjob_t self:process { signal_perms getsched setsched };
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +378,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -14403,7 +14445,7 @@ index b357856..23b2124 100644
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -329,22 +406,29 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,22 +410,29 @@ allow crond_t system_cronjob_t:fd use;
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -14436,7 +14478,7 @@ index b357856..23b2124 100644
  kernel_read_system_state(system_cronjob_t)
  kernel_read_software_raid_state(system_cronjob_t)
  
-@@ -353,7 +437,6 @@ files_dontaudit_search_boot(system_cronjob_t)
+@@ -353,7 +441,6 @@ files_dontaudit_search_boot(system_cronjob_t)
  
  corecmd_exec_all_executables(system_cronjob_t)
  
@@ -14444,7 +14486,7 @@ index b357856..23b2124 100644
  corenet_all_recvfrom_netlabel(system_cronjob_t)
  corenet_tcp_sendrecv_generic_if(system_cronjob_t)
  corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -365,6 +448,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +452,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -14452,7 +14494,7 @@ index b357856..23b2124 100644
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -376,7 +460,6 @@ fs_getattr_all_sockets(system_cronjob_t)
+@@ -376,7 +464,6 @@ fs_getattr_all_sockets(system_cronjob_t)
  domain_dontaudit_read_all_domains_state(system_cronjob_t)
  
  files_exec_etc_files(system_cronjob_t)
@@ -14460,7 +14502,7 @@ index b357856..23b2124 100644
  files_read_etc_runtime_files(system_cronjob_t)
  files_list_all(system_cronjob_t)
  files_getattr_all_dirs(system_cronjob_t)
-@@ -391,6 +474,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +478,7 @@ files_dontaudit_search_pids(system_cronjob_t)
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -14468,7 +14510,7 @@ index b357856..23b2124 100644
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -408,23 +492,23 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -408,23 +496,23 @@ logging_read_generic_logs(system_cronjob_t)
  logging_send_audit_msgs(system_cronjob_t)
  logging_send_syslog_msg(system_cronjob_t)
  
@@ -14497,7 +14539,7 @@ index b357856..23b2124 100644
  	selinux_validate_context(system_cronjob_t)
  	selinux_compute_access_vector(system_cronjob_t)
  	selinux_compute_create_context(system_cronjob_t)
-@@ -439,6 +523,12 @@ optional_policy(`
+@@ -439,6 +527,12 @@ optional_policy(`
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -14510,7 +14552,7 @@ index b357856..23b2124 100644
  ')
  
  optional_policy(`
-@@ -446,6 +536,14 @@ optional_policy(`
+@@ -446,6 +540,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14525,7 +14567,7 @@ index b357856..23b2124 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -456,6 +554,10 @@ optional_policy(`
+@@ -456,6 +558,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14536,7 +14578,7 @@ index b357856..23b2124 100644
  	lpd_list_spool(system_cronjob_t)
  ')
  
-@@ -464,7 +566,9 @@ optional_policy(`
+@@ -464,7 +570,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14546,7 +14588,7 @@ index b357856..23b2124 100644
  ')
  
  optional_policy(`
-@@ -472,6 +576,10 @@ optional_policy(`
+@@ -472,6 +580,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14557,7 +14599,7 @@ index b357856..23b2124 100644
  	postfix_read_config(system_cronjob_t)
  ')	
  
-@@ -480,7 +588,7 @@ optional_policy(`
+@@ -480,7 +592,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -14566,7 +14608,7 @@ index b357856..23b2124 100644
  ')
  
  optional_policy(`
-@@ -495,6 +603,7 @@ optional_policy(`
+@@ -495,6 +607,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -14574,7 +14616,7 @@ index b357856..23b2124 100644
  ')
  
  optional_policy(`
-@@ -502,7 +611,18 @@ optional_policy(`
+@@ -502,7 +615,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14593,7 +14635,7 @@ index b357856..23b2124 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -542,7 +662,6 @@ kernel_read_kernel_sysctls(cronjob_t)
+@@ -542,7 +666,6 @@ kernel_read_kernel_sysctls(cronjob_t)
  # ps does not need to access /boot when run from cron
  files_dontaudit_search_boot(cronjob_t)
  
@@ -14601,7 +14643,7 @@ index b357856..23b2124 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -579,7 +698,6 @@ logging_search_logs(cronjob_t)
+@@ -579,7 +702,6 @@ logging_search_logs(cronjob_t)
  
  seutil_read_config(cronjob_t)
  
@@ -14609,7 +14651,7 @@ index b357856..23b2124 100644
  
  userdom_manage_user_tmp_files(cronjob_t)
  userdom_manage_user_tmp_symlinks(cronjob_t)
-@@ -595,9 +713,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +717,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -14623,7 +14665,7 @@ index b357856..23b2124 100644
  	allow crond_t user_cron_spool_t:file manage_file_perms;
  ')
  
-@@ -626,3 +747,74 @@ optional_policy(`
+@@ -626,3 +751,74 @@ optional_policy(`
  
  	unconfined_domain(unconfined_cronjob_t)
  ')
@@ -20155,7 +20197,7 @@ index e1d7dc5..66d42bb 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/dovecot.te b/dovecot.te
-index 2df7766..8c2a834 100644
+index 2df7766..8aa537e 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -4,12 +4,12 @@ policy_module(dovecot, 1.14.0)
@@ -20204,7 +20246,7 @@ index 2df7766..8c2a834 100644
  
  type dovecot_tmp_t;
  files_tmp_file(dovecot_tmp_t)
-@@ -51,17 +53,37 @@ logging_log_file(dovecot_var_log_t)
+@@ -51,17 +53,38 @@ logging_log_file(dovecot_var_log_t)
  type dovecot_var_run_t;
  files_pid_file(dovecot_var_run_t)
  
@@ -20219,6 +20261,7 @@ index 2df7766..8c2a834 100644
 +allow dovecot_domain self:fifo_file rw_fifo_file_perms;
 +
 +kernel_read_all_sysctls(dovecot_domain)
++kernel_read_network_state(dovecot_domain)
 +
 +corecmd_exec_bin(dovecot_domain)
 +corecmd_exec_shell(dovecot_domain)
@@ -20246,7 +20289,7 @@ index 2df7766..8c2a834 100644
  allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
  domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-@@ -72,7 +94,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+@@ -72,7 +95,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
  read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
  read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
  
@@ -20257,7 +20300,7 @@ index 2df7766..8c2a834 100644
  files_search_etc(dovecot_t)
  
  can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,15 +118,13 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -94,15 +119,13 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  
@@ -20276,7 +20319,7 @@ index 2df7766..8c2a834 100644
  corenet_all_recvfrom_netlabel(dovecot_t)
  corenet_tcp_sendrecv_generic_if(dovecot_t)
  corenet_tcp_sendrecv_generic_node(dovecot_t)
-@@ -110,41 +132,36 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+@@ -110,41 +133,36 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
  corenet_tcp_bind_generic_node(dovecot_t)
  corenet_tcp_bind_mail_port(dovecot_t)
  corenet_tcp_bind_pop_port(dovecot_t)
@@ -20324,7 +20367,7 @@ index 2df7766..8c2a834 100644
  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
  userdom_manage_user_home_content_dirs(dovecot_t)
  userdom_manage_user_home_content_files(dovecot_t)
-@@ -153,10 +170,23 @@ userdom_manage_user_home_content_pipes(dovecot_t)
+@@ -153,10 +171,23 @@ userdom_manage_user_home_content_pipes(dovecot_t)
  userdom_manage_user_home_content_sockets(dovecot_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
  
@@ -20350,7 +20393,7 @@ index 2df7766..8c2a834 100644
  ')
  
  optional_policy(`
-@@ -164,6 +194,11 @@ optional_policy(`
+@@ -164,6 +195,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20362,7 +20405,7 @@ index 2df7766..8c2a834 100644
  	seutil_sigchld_newrole(dovecot_t)
  ')
  
-@@ -180,16 +215,17 @@ optional_policy(`
+@@ -180,16 +216,17 @@ optional_policy(`
  # dovecot auth local policy
  #
  
@@ -20384,7 +20427,7 @@ index 2df7766..8c2a834 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -198,31 +234,26 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+@@ -198,31 +235,26 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
  manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
  dovecot_stream_connect_auth(dovecot_auth_t)
  
@@ -20422,7 +20465,7 @@ index 2df7766..8c2a834 100644
  
  optional_policy(`
  	kerberos_use(dovecot_auth_t)
-@@ -236,6 +267,8 @@ optional_policy(`
+@@ -236,6 +268,8 @@ optional_policy(`
  optional_policy(`
  	mysql_search_db(dovecot_auth_t)
  	mysql_stream_connect(dovecot_auth_t)
@@ -20431,16 +20474,17 @@ index 2df7766..8c2a834 100644
  ')
  
  optional_policy(`
-@@ -243,6 +276,8 @@ optional_policy(`
+@@ -243,32 +277,41 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	postfix_search_spool(dovecot_auth_t)
 +	postfix_manage_private_sockets(dovecot_auth_t)
-+	postfix_rw_master_pipes(dovecot_deliver_t)
- 	postfix_search_spool(dovecot_auth_t)
++        postfix_rw_master_pipes(dovecot_deliver_t)
++        postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -250,25 +285,32 @@ optional_policy(`
+ ########################################
  #
  # dovecot deliver local policy
  #
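Review bot: `postfix_rw_master_pipes(dovecot_deliver_t)` sits inside the optional_policy block of the dovecot_auth_t section even though it grants to dovecot_deliver_t; the `# dovecot deliver local policy` section begins immediately below, so the line belongs there in its own `optional_policy(` block next to the other deliver-side postfix rules. The two re-added lines are indented with eight spaces while the block uses a tab, and `postfix_search_spool(dovecot_auth_t)` was only re-indented rather than changed, so restoring the tab removes a spurious diff. The deliver section itself lies outside this hunk.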
@@ -20483,7 +20527,7 @@ index 2df7766..8c2a834 100644
  
  dovecot_stream_connect_auth(dovecot_deliver_t)
  
-@@ -283,24 +325,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +326,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
  userdom_manage_user_home_content_sockets(dovecot_deliver_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
@@ -24309,7 +24353,7 @@ index 7ff9d6d..b1c97f2 100644
  	allow $1 glance_api_t:process signal_perms;
  	ps_process_pattern($1, glance_api_t)
 diff --git a/glance.te b/glance.te
-index 4afb81f..aae5156 100644
+index 4afb81f..0f4fd21 100644
 --- a/glance.te
 +++ b/glance.te
 @@ -7,8 +7,7 @@ policy_module(glance, 1.0.0)
@@ -24343,7 +24387,7 @@ index 4afb81f..aae5156 100644
  allow glance_domain self:fifo_file rw_fifo_file_perms;
  allow glance_domain self:unix_stream_socket create_stream_socket_perms;
  allow glance_domain self:tcp_socket create_stream_socket_perms;
-@@ -54,16 +56,31 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -54,16 +56,32 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
  manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  
@@ -24358,6 +24402,7 @@ index 4afb81f..aae5156 100644
 +corecmd_exec_shell(glance_domain)
  
  dev_read_urand(glance_domain)
++dev_read_sysfs(glance_domain)
  
  files_read_etc_files(glance_domain)
  files_read_usr_files(glance_domain)
@@ -24377,7 +24422,7 @@ index 4afb81f..aae5156 100644
  
  optional_policy(`
  	sysnet_dns_name_resolve(glance_domain)
-@@ -78,8 +95,16 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -78,8 +96,16 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
  manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
  files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
  
@@ -24394,7 +24439,7 @@ index 4afb81f..aae5156 100644
  
  ########################################
  #
-@@ -94,11 +119,14 @@ can_exec(glance_api_t, glance_tmp_t)
+@@ -94,11 +120,14 @@ can_exec(glance_api_t, glance_tmp_t)
  corecmd_exec_shell(glance_api_t)
  
  corenet_tcp_bind_generic_node(glance_api_t)
@@ -35312,10 +35357,10 @@ index 0000000..8d0e473
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/mock.if b/mock.if
 new file mode 100644
-index 0000000..7f6f2d6
+index 0000000..c6eb342
 --- /dev/null
 +++ b/mock.if
-@@ -0,0 +1,307 @@
+@@ -0,0 +1,312 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
@@ -35564,9 +35609,14 @@ index 0000000..7f6f2d6
 +
 +	ps_process_pattern($2, mock_t)
 +	allow $2 mock_t:process signal_perms;
++
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $2 mock_t:process ptrace;
 +	')
++
++    optional_policy(`
++        mock_read_lib_files($2)
++    ')
 +')
 +
 +#######################################
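Review bot: wrapping `mock_read_lib_files($2)` in `optional_policy(` is redundant inside mock.if: optional_policy guards references to other modules' types, and an interface defined in this same file (I assume mock_read_lib_files is, though its definition is not in the hunk) is always available when the mock module is loaded, so the call can be unconditional like the `ps_process_pattern($2, mock_t)` line above it. The added lines also use four-space indents where the rest of the template uses tabs. The enclosing template starts outside this hunk.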
@@ -35625,10 +35675,10 @@ index 0000000..7f6f2d6
 +')
 diff --git a/mock.te b/mock.te
 new file mode 100644
-index 0000000..ecfd7be
+index 0000000..3457c62
 --- /dev/null
 +++ b/mock.te
-@@ -0,0 +1,247 @@
+@@ -0,0 +1,251 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -35780,7 +35830,11 @@ index 0000000..ecfd7be
 +')
 +
 +optional_policy(`
-+	rpm_exec(mock_t)
++    rpm_exec(mock_t)
++    rpm_manage_cache(mock_t)
++    rpm_manage_db(mock_t)
++    rpm_manage_tmp_files(mock_t)
++    rpm_read_log(mock_t)
 +')
 +
 +optional_policy(`
@@ -53157,7 +53211,7 @@ index 29b9295..6aad841 100644
  	sendmail_signal(procmail_t)
  	sendmail_dontaudit_rw_tcp_sockets(procmail_t)
 diff --git a/psad.if b/psad.if
-index bc329d1..20bb463 100644
+index bc329d1..7583d26 100644
 --- a/psad.if
 +++ b/psad.if
 @@ -91,7 +91,6 @@ interface(`psad_manage_config',`
@@ -53232,7 +53286,7 @@ index bc329d1..20bb463 100644
  	')
  
  	files_search_var_lib($1)
-@@ -196,6 +234,26 @@ interface(`psad_rw_fifo_file',`
+@@ -196,7 +234,47 @@ interface(`psad_rw_fifo_file',`
  
  #######################################
  ## <summary>
@@ -53257,9 +53311,30 @@ index bc329d1..20bb463 100644
 +#######################################
 +## <summary>
  ##	Read and write psad tmp files.
++##  Allow search to psad lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`psad_search_lib_files',`
++    gen_require(`
++        type psad_t, psad_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
++')
++
++#######################################
++## <summary>
++##	Read and write psad temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -233,30 +291,33 @@ interface(`psad_rw_tmp_files',`
+ ##	<summary>
+@@ -233,30 +311,33 @@ interface(`psad_rw_tmp_files',`
  interface(`psad_admin',`
  	gen_require(`
  		type psad_t, psad_var_run_t, psad_var_log_t;
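Review bot: the new `psad_search_lib_files` interface is spliced into the middle of the `psad_rw_tmp_files` doc block, so its XML summary now reads `Read and write psad tmp files. Allow search to psad lib files.` while `psad_rw_tmp_files` receives a freshly added summary below; the banner and `## <summary>` lines should be moved so the new interface carries its own, e.g. `##	Search psad lib directories.`. The `gen_require` also pulls in `psad_t`, which the body never uses; `type psad_var_lib_t;` is sufficient. The body should be indented with tabs like the rest of psad.if.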
@@ -58128,7 +58203,7 @@ index c2ba53b..d022603 100644
  /var/run/groupd\.pid			--	gen_context(system_u:object_r:groupd_var_run_t,s0)
  /var/run/qdiskd\.pid			--	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index de37806..aee7ba7 100644
+index de37806..7ebe255 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -13,7 +13,7 @@
@@ -58171,7 +58246,7 @@ index de37806..aee7ba7 100644
  	manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
  	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 -	files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
-+	files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
++	files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
 +
 +	auth_use_nsswitch($1_t)
  
@@ -60820,7 +60895,7 @@ index b2a0b6a..ea27ee5 100644
  /var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
  
 diff --git a/rpm.if b/rpm.if
-index 951d8f6..2363592 100644
+index 951d8f6..fb48b05 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -13,10 +13,13 @@
@@ -60912,7 +60987,32 @@ index 951d8f6..2363592 100644
  ')
  
  ########################################
-@@ -332,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -296,6 +342,24 @@ interface(`rpm_manage_log',`
+ 	logging_rw_generic_log_dirs($1)
+ 	allow $1 rpm_log_t:file manage_file_perms;
+ ')
++########################################
++## <summary>
++##      Create, read, write, and delete the RPM log.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`rpm_read_log',`
++        gen_require(`
++                type rpm_log_t;
++        ')
++
++        read_files_pattern($1, rpm_log_t, rpm_log_t)
++')
++
+ 
+ ########################################
+ ## <summary>
+@@ -332,7 +396,9 @@ interface(`rpm_manage_script_tmp_files',`
  	')
  
  	files_search_tmp($1)
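Review bot: the doc block of the new `rpm_read_log` says `Create, read, write, and delete the RPM log.`, copied from rpm_manage_log directly above it; it should read `##	Read the RPM log.`. The body grants `read_files_pattern($1, rpm_log_t, rpm_log_t)` but, unlike rpm_manage_log's `logging_rw_generic_log_dirs($1)`, nothing lets the caller traverse /var/log, so add `logging_search_logs($1)` before the pattern or mock_t (the only caller added in this patch) will still be denied on the directory. Cosmetically, there is no blank line between rpm_manage_log's closing `')` and the new banner, and the body is indented with eight spaces instead of the tab used throughout rpm.if.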
@@ -60922,7 +61022,7 @@ index 951d8f6..2363592 100644
  ')
  
  #####################################
-@@ -351,8 +399,7 @@ interface(`rpm_append_tmp_files',`
+@@ -351,8 +417,7 @@ interface(`rpm_append_tmp_files',`
  		type rpm_tmp_t;
  	')
  
@@ -60932,7 +61032,7 @@ index 951d8f6..2363592 100644
  ')
  
  ########################################
-@@ -372,7 +419,9 @@ interface(`rpm_manage_tmp_files',`
+@@ -372,7 +437,9 @@ interface(`rpm_manage_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -60942,7 +61042,7 @@ index 951d8f6..2363592 100644
  ')
  
  ########################################
-@@ -456,6 +505,7 @@ interface(`rpm_read_db',`
+@@ -456,6 +523,7 @@ interface(`rpm_read_db',`
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -60950,7 +61050,7 @@ index 951d8f6..2363592 100644
  ')
  
  ########################################
-@@ -499,6 +549,26 @@ interface(`rpm_manage_db',`
+@@ -499,6 +567,26 @@ interface(`rpm_manage_db',`
  
  ########################################
  ## <summary>
@@ -60977,7 +61077,7 @@ index 951d8f6..2363592 100644
  ##	Do not audit attempts to create, read,
  ##	write, and delete the RPM package database.
  ## </summary>
-@@ -513,7 +583,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -513,7 +601,7 @@ interface(`rpm_dontaudit_manage_db',`
  		type rpm_var_lib_t;
  	')
  
@@ -60986,7 +61086,7 @@ index 951d8f6..2363592 100644
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
-@@ -573,3 +643,66 @@ interface(`rpm_pid_filetrans',`
+@@ -573,3 +661,66 @@ interface(`rpm_pid_filetrans',`
  
  	files_pid_filetrans($1, rpm_var_run_t, file)
  ')
@@ -71020,10 +71120,10 @@ index 0000000..c5e890b
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..7a35df3
+index 0000000..fc15527
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,143 @@
+@@ -0,0 +1,144 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -71099,6 +71199,7 @@ index 0000000..7a35df3
 +dev_rw_xserver_misc(thumb_t)
 +
 +domain_use_interactive_fds(thumb_t)
++domain_dontaudit_read_all_domains_state(thumb_t)
 +
 +files_read_usr_files(thumb_t)
 +files_read_non_security_files(thumb_t)
@@ -72729,7 +72830,7 @@ index e70b0e8..cd83b89 100644
  /usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
 +/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
 diff --git a/userhelper.if b/userhelper.if
-index 65baaac..3b93d32 100644
+index 65baaac..16d4548 100644
 --- a/userhelper.if
 +++ b/userhelper.if
 @@ -25,6 +25,7 @@ template(`userhelper_role_template',`
@@ -72777,7 +72878,33 @@ index 65baaac..3b93d32 100644
  		tunable_policy(`! secure_mode',`
  			#if we are not in secure mode then we can transition to sysadm_t
  			sysadm_bin_spec_domtrans($1_userhelper_t)
-@@ -255,3 +246,91 @@ interface(`userhelper_exec',`
+@@ -204,6 +195,25 @@ interface(`userhelper_dontaudit_search_config',`
+ 
+ ########################################
+ ## <summary>
++##      Do not audit attempts to write
++##      the userhelper configuration files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to not audit.
++##      </summary>
++## </param>
++#
++interface(`userhelper_dontaudit_write_config',`
++        gen_require(`
++                type userhelper_conf_t;
++        ')
++
++        dontaudit $1 userhelper_conf_t:file write;
++')
++
++########################################
++## <summary>
+ ##	Allow domain to use userhelper file descriptor.
+ ## </summary>
+ ## <param name="domain">
+@@ -255,3 +265,91 @@ interface(`userhelper_exec',`
  
  	can_exec($1, userhelper_exec_t)
  ')
@@ -74663,13 +74790,13 @@ index 6f0736b..b6aaf56 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..8bbc3d0 100644
+index 947bbc6..1ff7327 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -5,56 +5,97 @@ policy_module(virt, 1.5.0)
+@@ -4,57 +4,97 @@ policy_module(virt, 1.5.0)
+ #
  # Declarations
  #
- 
 +attribute virsh_transition_domain;
 +attribute virt_ptynode;
 +attribute virt_domain;
@@ -74686,7 +74813,7 @@ index 947bbc6..8bbc3d0 100644
 +files_type(svirt_image_t)
 +dev_node(svirt_image_t)
 +dev_associate_sysfs(svirt_image_t)
-+
+ 
  ## <desc>
  ## <p>
 -## Allow virt to use serial/parallell communication ports
@@ -74775,7 +74902,7 @@ index 947bbc6..8bbc3d0 100644
  
  type virt_etc_t;
  files_config_file(virt_etc_t)
-@@ -62,26 +103,37 @@ files_config_file(virt_etc_t)
+@@ -62,26 +102,37 @@ files_config_file(virt_etc_t)
  type virt_etc_rw_t;
  files_type(virt_etc_rw_t)
  
@@ -74816,7 +74943,7 @@ index 947bbc6..8bbc3d0 100644
  
  type virtd_t;
  type virtd_exec_t;
-@@ -89,9 +141,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
+@@ -89,9 +140,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
  domain_obj_id_change_exemption(virtd_t)
  domain_subj_id_change_exemption(virtd_t)
  
@@ -74834,7 +74961,7 @@ index 947bbc6..8bbc3d0 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -100,28 +160,53 @@ ifdef(`enable_mls',`
+@@ -100,28 +159,62 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -74860,6 +74987,15 @@ index 947bbc6..8bbc3d0 100644
 +type virt_qemu_ga_log_t;
 +logging_log_file(virt_qemu_ga_log_t)
 +
++type virt_qemu_ga_tmp_t;
++files_tmp_file(virt_qemu_ga_tmp_t)
++
++type virt_qemu_ga_data_t;
++files_type(virt_qemu_ga_data_t)
++
++type virt_qemu_ga_unconfined_exec_t;
++application_executable_file(virt_qemu_ga_unconfined_exec_t)
++
  ########################################
  #
 -# svirt local policy
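Review bot: `virt_qemu_ga_unconfined_exec_t` is declared with `application_executable_file`, but nothing in this hunk shows which paths receive the label or which domain transitions on it; since an `_unconfined_exec_t` label is effectively a privilege boundary for anything able to write to those paths, a comment beside the declaration naming the intended files (presumably qemu-ga hook scripts) and the rule that consumes it would let reviewers check that the file context is narrow. Confirm the matching domain transition and .fc entries exist elsewhere in the patch. The declarations section continues outside this hunk.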
@@ -74902,7 +75038,7 @@ index 947bbc6..8bbc3d0 100644
  
  corenet_udp_sendrecv_generic_if(svirt_t)
  corenet_udp_sendrecv_generic_node(svirt_t)
-@@ -131,45 +216,27 @@ corenet_udp_bind_all_ports(svirt_t)
+@@ -131,45 +224,31 @@ corenet_udp_bind_all_ports(svirt_t)
  corenet_tcp_bind_all_ports(svirt_t)
  corenet_tcp_connect_all_ports(svirt_t)
  
@@ -74911,40 +75047,42 @@ index 947bbc6..8bbc3d0 100644
 -userdom_search_user_home_content(svirt_t)
 -userdom_read_user_home_content_symlinks(svirt_t)
 -userdom_read_all_users_state(svirt_t)
-+miscfiles_read_generic_certs(svirt_t)
- 
+-
 -tunable_policy(`virt_use_comm',`
 -	term_use_unallocated_ttys(svirt_t)
 -	dev_rw_printer(svirt_t)
 -')
--
++miscfiles_read_generic_certs(svirt_t)
+ 
 -tunable_policy(`virt_use_fusefs',`
 -	fs_read_fusefs_files(svirt_t)
 -	fs_read_fusefs_symlinks(svirt_t)
 +optional_policy(`
-+	nscd_use(svirt_t)
++	nscd_dontaudit_write_sock_file(svirt_t)
  ')
  
 -tunable_policy(`virt_use_nfs',`
 -	fs_manage_nfs_dirs(svirt_t)
 -	fs_manage_nfs_files(svirt_t)
++optional_policy(`
++	sssd_dontaudit_stream_connect(svirt_t)
+ ')
+ 
+-tunable_policy(`virt_use_samba',`
+-	fs_manage_cifs_dirs(svirt_t)
+-	fs_manage_cifs_files(svirt_t)
 -')
 +#######################################
 +#
 +# svirt_prot_exec local policy
 +#
  
--tunable_policy(`virt_use_samba',`
--	fs_manage_cifs_dirs(svirt_t)
--	fs_manage_cifs_files(svirt_t)
+-tunable_policy(`virt_use_sysfs',`
+-	dev_rw_sysfs(svirt_t)
 -')
 +allow svirt_tcg_t self:process { execmem execstack };
 +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
  
--tunable_policy(`virt_use_sysfs',`
--	dev_rw_sysfs(svirt_t)
--')
--
 -tunable_policy(`virt_use_usb',`
 -	dev_rw_usbfs(svirt_t)
 -	fs_manage_dos_dirs(svirt_t)
@@ -74964,7 +75102,7 @@ index 947bbc6..8bbc3d0 100644
  
  ########################################
  #
-@@ -177,21 +244,42 @@ optional_policy(`
+@@ -177,21 +256,42 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -75013,7 +75151,7 @@ index 947bbc6..8bbc3d0 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +290,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +302,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -75049,7 +75187,7 @@ index 947bbc6..8bbc3d0 100644
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +323,23 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +335,23 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -75074,9 +75212,13 @@ index 947bbc6..8bbc3d0 100644
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +352,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -245,31 +362,52 @@ corenet_tcp_bind_vnc_port(virtd_t)
+ corenet_tcp_connect_vnc_port(virtd_t)
+ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
++corenet_relabel_tun_tap_dev(virtd_t)
  
++dev_rw_vfio_dev(virtd_t)
  dev_rw_sysfs(virtd_t)
 +dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
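Review bot: `dev_rw_vfio_dev(virtd_t)` is added with no comment on why, and the same grant is given to every guest domain via `dev_rw_vfio_dev(virt_domain)` in the later virt_domain hunk; VFIO device nodes are what let a process drive an assigned PCI device (including its DMA) directly, so both grants deserve a why-comment such as `# PCI device assignment: libvirtd and qemu open /dev/vfio/* for passed-through devices`. The changelog records the new interface but not which domains receive it. Whether the guest-side grant could sit behind a tunable is not something the hunk answers; stating the intent would let the maintainers decide. The virtd_t block starts and ends outside the hunk.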
@@ -75090,11 +75232,9 @@ index 947bbc6..8bbc3d0 100644
  # Init script handling
  domain_use_interactive_fds(virtd_t)
  domain_read_all_domains_state(virtd_t)
-+domain_read_all_domains_state(virtd_t)
  
- files_read_usr_files(virtd_t)
+-files_read_usr_files(virtd_t)
 -files_read_etc_files(virtd_t)
-+files_read_usr_files(virtd_t)
  files_read_etc_runtime_files(virtd_t)
  files_search_all(virtd_t)
  files_read_kernel_modules(virtd_t)
@@ -75106,9 +75246,10 @@ index 947bbc6..8bbc3d0 100644
 +# Manages /etc/sysconfig/system-config-firewall
 +files_manage_system_conf_files(virtd_t)
  
++fs_read_tmpfs_symlinks(virtd_t)
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +384,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -75127,7 +75268,7 @@ index 947bbc6..8bbc3d0 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -284,7 +410,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +422,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -75137,7 +75278,7 @@ index 947bbc6..8bbc3d0 100644
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
  
-@@ -293,17 +420,36 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +432,38 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -75163,6 +75304,8 @@ index 947bbc6..8bbc3d0 100644
  userdom_list_user_home_content(virtd_t)
  userdom_read_all_users_state(virtd_t)
  userdom_read_user_home_content_files(virtd_t)
++userdom_relabel_user_tmp_files(virtd_t)
++userdom_setattr_user_tmp_files(virtd_t)
 +userdom_relabel_user_home_files(virtd_t)
 +userdom_setattr_user_home_content_files(virtd_t)
 +manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
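Review bot: `userdom_relabel_user_tmp_files(virtd_t)` and `userdom_setattr_user_tmp_files(virtd_t)` let libvirtd change the label and attributes of any user tmp file, not only the disk images it presumably targets, and the hunk gives no reason for the width. A why-comment would let the next reader judge whether it can be narrowed, e.g. `# libvirtd relabels guest images users keep under /tmp so svirt can isolate them — confirm this is the only trigger`. The enclosing virtd_t block starts and ends outside the hunk.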
@@ -75174,7 +75317,7 @@ index 947bbc6..8bbc3d0 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +468,10 @@ optional_policy(`
+@@ -322,6 +482,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75185,7 +75328,7 @@ index 947bbc6..8bbc3d0 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -335,19 +485,34 @@ optional_policy(`
+@@ -335,19 +499,34 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -75221,7 +75364,7 @@ index 947bbc6..8bbc3d0 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -362,6 +527,12 @@ optional_policy(`
+@@ -362,6 +541,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75234,7 +75377,7 @@ index 947bbc6..8bbc3d0 100644
  	policykit_dbus_chat(virtd_t)
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +540,11 @@ optional_policy(`
+@@ -369,11 +554,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75251,7 +75394,14 @@ index 947bbc6..8bbc3d0 100644
  ')
  
  optional_policy(`
-@@ -384,6 +555,7 @@ optional_policy(`
+@@ -381,9 +566,14 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	setrans_manage_pid_files(virtd_t)
++')
++
++optional_policy(`
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
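Review bot: `setrans_manage_pid_files(virtd_t)` lands in its own optional_policy block without a comment, and `manage` is the widest file permission set (create, write, unlink, rename on the mcstransd runtime files) where a client would more typically need connect or read only. The identical grant is repeated for virtd_lxc_t in a later hunk, so one justification covers both, e.g. `# TODO(review): name the /var/run/setrans entry libvirt touches and whether manage can be narrowed`. The enclosing optional_policy chain starts before the hunk.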
@@ -75259,7 +75409,7 @@ index 947bbc6..8bbc3d0 100644
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
  	xen_read_image_files(virtd_t)
-@@ -402,35 +574,87 @@ optional_policy(`
+@@ -402,70 +592,799 @@ optional_policy(`
  #
  # virtual domains common policy
  #
@@ -75356,8 +75506,9 @@ index 947bbc6..8bbc3d0 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -438,34 +662,655 @@ dev_write_sound(virt_domain)
+ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
++dev_rw_vfio_dev(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
 +dev_rw_inherited_vhost(virt_domain)
@@ -75365,8 +75516,8 @@ index 947bbc6..8bbc3d0 100644
  domain_use_interactive_fds(virt_domain)
  
 -files_read_etc_files(virt_domain)
+-files_read_usr_files(virt_domain)
 +files_read_mnt_symlinks(virt_domain)
- files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
  
@@ -75416,7 +75567,7 @@ index 947bbc6..8bbc3d0 100644
  	virt_read_content(virt_domain)
  	virt_stream_connect(virt_domain)
 +	virt_domtrans_bridgehelper(virt_domain)
- ')
++')
 +
 +optional_policy(`
 +	xserver_rw_shm(virt_domain)
@@ -75497,6 +75648,11 @@ index 947bbc6..8bbc3d0 100644
 +virt_manage_config(virsh_t)
 +virt_stream_connect(virsh_t)
 +
++manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t)
++manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
++manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
++files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file })
++
 +manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
@@ -75512,9 +75668,11 @@ index 947bbc6..8bbc3d0 100644
 +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +virt_filetrans_named_content(virsh_t)
++filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +
 +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
 +
++kernel_write_proc_files(virsh_t)
 +kernel_read_system_state(virsh_t)
 +kernel_read_network_state(virsh_t)
 +kernel_read_kernel_sysctls(virsh_t)
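Review bot: `kernel_write_proc_files(virsh_t)` grants write on generic proc files without saying which one a command-line tool needs, which is a broad permission to leave unexplained; a comment pinning it to the specific file would let it be narrowed later, e.g. `# TODO(review): name the /proc file virsh writes (container namespace entry?) — a narrower interface may exist`. The new `filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")` matches the transition added for virtd_lxc_t in a later hunk, so the two domains stay consistent. virsh_t's block starts and ends outside the hunk.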
@@ -75534,8 +75692,6 @@ index 947bbc6..8bbc3d0 100644
 +dev_read_sysfs(virsh_t)
 +
 +files_read_etc_runtime_files(virsh_t)
-+files_read_etc_files(virsh_t)
-+files_read_usr_files(virsh_t)
 +files_list_mnt(virsh_t)
 +files_list_tmp(virsh_t)
 +# Some common macros (you might be able to remove some)
@@ -75589,8 +75745,8 @@ index 947bbc6..8bbc3d0 100644
 +
 +optional_policy(`
 +	xen_manage_image_dirs(virsh_t)
-+    xen_read_image_files(virsh_t)
-+    xen_read_lib_files(virsh_t)
++	xen_read_image_files(virsh_t)
++	xen_read_lib_files(virsh_t)
 +	xen_append_log(virsh_t)
 +	xen_domtrans(virsh_t)
 +	xen_read_pid_files_xenstored(virsh_t)
@@ -75656,6 +75812,7 @@ index 947bbc6..8bbc3d0 100644
 +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
++filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +
 +manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -75667,6 +75824,8 @@ index 947bbc6..8bbc3d0 100644
 +allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
 +files_associate_rootfs(svirt_lxc_file_t)
 +
++seutil_read_file_contexts(virtd_lxc_t)
++
 +storage_manage_fixed_disk(virtd_lxc_t)
 +storage_rw_fuse(virtd_lxc_t)
 +
@@ -75687,7 +75846,6 @@ index 947bbc6..8bbc3d0 100644
 +
 +files_search_all(virtd_lxc_t)
 +files_getattr_all_files(virtd_lxc_t)
-+files_read_usr_files(virtd_lxc_t)
 +files_relabel_rootfs(virtd_lxc_t)
 +files_mounton_non_security(virtd_lxc_t)
 +files_mount_all_file_type_fs(virtd_lxc_t)
@@ -75695,6 +75853,7 @@ index 947bbc6..8bbc3d0 100644
 +files_list_isid_type_dirs(virtd_lxc_t)
 +files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
 +
++fs_read_fusefs_files(virtd_lxc_t)
 +fs_getattr_all_fs(virtd_lxc_t)
 +fs_manage_tmpfs_dirs(virtd_lxc_t)
 +fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -75730,7 +75889,6 @@ index 947bbc6..8bbc3d0 100644
 +selinux_compute_create_context(virtd_lxc_t)
 +selinux_compute_relabel_context(virtd_lxc_t)
 +selinux_compute_user_contexts(virtd_lxc_t)
-+seutil_read_default_contexts(virtd_lxc_t)
 +
 +sysnet_exec_ifconfig(virtd_lxc_t)
 +
@@ -75741,6 +75899,10 @@ index 947bbc6..8bbc3d0 100644
 +')
 +
 +optional_policy(`
++	setrans_manage_pid_files(virtd_lxc_t)
++')
++
++optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
 +
@@ -75748,9 +75910,8 @@ index 947bbc6..8bbc3d0 100644
 +#
 +# virt_lxc_domain local policy
 +#
-+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
 +allow svirt_lxc_domain self:key manage_key_perms;
-+allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
++allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid setrlimit };
 +allow svirt_lxc_domain self:fifo_file manage_file_perms;
 +allow svirt_lxc_domain self:sem create_sem_perms;
 +allow svirt_lxc_domain self:shm create_shm_perms;
@@ -75782,7 +75943,7 @@ index 947bbc6..8bbc3d0 100644
 +
 +kernel_getattr_proc(svirt_lxc_domain)
 +kernel_list_all_proc(svirt_lxc_domain)
-+kernel_read_kernel_sysctls(svirt_lxc_domain)
++kernel_read_all_sysctls(svirt_lxc_domain)
 +kernel_rw_net_sysctls(svirt_lxc_domain)
 +kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
 +
@@ -75800,7 +75961,6 @@ index 947bbc6..8bbc3d0 100644
 +files_list_var_lib(svirt_lxc_domain)
 +files_search_all(svirt_lxc_domain)
 +files_read_config_files(svirt_lxc_domain)
-+files_read_usr_files(svirt_lxc_domain)
 +files_read_usr_symlinks(svirt_lxc_domain)
 +files_search_locks(svirt_lxc_domain)
 +
@@ -75825,6 +75985,12 @@ index 947bbc6..8bbc3d0 100644
 +miscfiles_read_fonts(svirt_lxc_domain)
 +miscfiles_read_hwdata(svirt_lxc_domain)
 +
++systemd_read_unit_files(svirt_lxc_domain)
++
++userdom_use_inherited_user_terminals(svirt_lxc_domain)
++userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain)
++userdom_dontaudit_read_inherited_admin_home_file(svirt_lxc_domain)
++
 +optional_policy(`
 +	apache_exec_modules(svirt_lxc_domain)
 +	apache_read_sys_content(svirt_lxc_domain)
@@ -75834,8 +76000,6 @@ index 947bbc6..8bbc3d0 100644
 +	mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +')
 +
-+systemd_read_unit_files(svirt_lxc_domain)
-+
 +optional_policy(`
 +	ssh_use_ptys(svirt_lxc_net_t)
 +')
@@ -75844,10 +76008,15 @@ index 947bbc6..8bbc3d0 100644
 +	udev_read_pid_files(svirt_lxc_domain)
 +')
 +
++optional_policy(`
++	userhelper_dontaudit_write_config(svirt_lxc_domain)
++')
++
 +virt_lxc_domain_template(svirt_lxc_net)
 +
-+allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
 +dontaudit svirt_lxc_net_t self:capability2 block_suspend;
++allow svirt_lxc_net_t self:process { execstack execmem };
 +allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 +allow svirt_lxc_net_t self:udp_socket create_socket_perms;
 +allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
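Review bot: The svirt_lxc_net_t capability line now carries `sys_chroot` on top of the kill/setuid/setgid/sys_boot/ipc_lock set moved out of the svirt_lxc_domain template in an earlier hunk, and `execmem execstack` move here as well, yet neither the changelog nor a comment records the net widening of this domain. The earlier hunk that swaps `kernel_read_kernel_sysctls` for `kernel_read_all_sysctls` on the whole template is a broadening too. A single comment above the capability line would make the split legible, e.g. `# full-featured container domain: capabilities stripped from the svirt_lxc_domain template are granted here`. The svirt_lxc_net_t block continues outside the hunk.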
@@ -75855,7 +76024,7 @@ index 947bbc6..8bbc3d0 100644
 +allow svirt_lxc_net_t self:packet_socket create_socket_perms;
 +allow svirt_lxc_net_t self:socket create_socket_perms;
 +allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
-+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
++allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +
 +kernel_read_network_state(svirt_lxc_net_t)
@@ -75889,7 +76058,7 @@ index 947bbc6..8bbc3d0 100644
 +
 +logging_send_audit_msgs(svirt_lxc_net_t)
 +
-+userdom_use_inherited_user_ptys(svirt_lxc_net_t)
++userdom_use_user_ptys(svirt_lxc_net_t)
 +
 +########################################
 +#
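Review bot: Replacing `userdom_use_inherited_user_ptys(svirt_lxc_net_t)` with `userdom_use_user_ptys(svirt_lxc_net_t)` moves from read/write on ptys already handed to the container to opening user ptys by path, so a container process that can reach a host pts node could write to a user's terminal. If the need is console attach or namespace entry, say so and note why the inherited form was insufficient, e.g. `# the pty is handed in by path, not as an inherited fd — inherited-only perms are not enough; confirm`. The changelog has no entry for this change.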
@@ -75921,7 +76090,7 @@ index 947bbc6..8bbc3d0 100644
 +
 +optional_policy(`
 +	dbus_read_lib_files(virt_qmf_t)
-+')
+ ')
 +
 +optional_policy(`
 +	virt_stream_connect(virt_qmf_t)
@@ -75955,23 +76124,33 @@ index 947bbc6..8bbc3d0 100644
 +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
 +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
 +
++allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms;
++can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)
++
++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
++files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir })
++
 +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
 +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
 +files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )
 +
++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
++
 +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
 +logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )
 +
 +corecmd_exec_shell(virt_qemu_ga_t)
 +corecmd_exec_bin(virt_qemu_ga_t)
 +
-+files_read_etc_files(virt_qemu_ga_t)
-+
 +dev_rw_sysfs(virt_qemu_ga_t)
 +
 +files_list_all_mountpoints(virt_qemu_ga_t)
 +files_write_all_mountpoints(virt_qemu_ga_t)
++
 +fs_list_all(virt_qemu_ga_t)
++fs_getattr_all_fs(virt_qemu_ga_t)
 +
 +term_use_virtio_console(virt_qemu_ga_t)
 +term_use_all_ttys(virt_qemu_ga_t)
@@ -75981,6 +76160,9 @@ index 947bbc6..8bbc3d0 100644
 +
 +sysnet_dns_name_resolve(virt_qemu_ga_t)
 +
++systemd_exec_systemctl(virt_qemu_ga_t)
++systemd_start_power_services(virt_qemu_ga_t)
++
 +userdom_use_user_ptys(virt_qemu_ga_t)
 +
 +optional_policy(`
@@ -76010,6 +76192,31 @@ index 947bbc6..8bbc3d0 100644
 +
 +#######################################
 +#
++# qemu-ga  unconfined hook script local policy
++#
++
++optional_policy(`
++    type virt_qemu_ga_unconfined_t;
++    domain_type(virt_qemu_ga_unconfined_t)
++
++    domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
++    role system_r types virt_qemu_ga_unconfined_t;
++
++    domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)
++
++    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;
++    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;
++    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;
++
++    init_domtrans_script(virt_qemu_ga_unconfined_t)
++
++    optional_policy(`
++        unconfined_domain(virt_qemu_ga_unconfined_t)
++    ')
++')
++
++#######################################
++#
 +# tye for svirt sockets
 +#
 +
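Review bot: The new virt_qemu_ga_unconfined_t block is indented with four spaces while the file uses tabs (this same patch fixes the `xen_read_image_files` lines from spaces to tabs), so it should be re-indented with tabs. `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;` applies a file permission macro to the dir class; the idiomatic form is `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir list_dir_perms;`, which also subsumes the `search_dir_perms` line above it. Since the domtrans makes anything labeled virt_qemu_ga_unconfined_exec_t run unconfined, and qemu-ga presumably acts on requests from the host side, the block header should name the path that carries that type so reviewers can check the file context stays tight, e.g. `# hook scripts under the qemu-ga hook directory run unconfined — keep the fc entry to that directory only`. The header also has a doubled space: `# qemu-ga  unconfined hook script local policy`.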
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 07f9971..a50438e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 100%{?dist}
+Release: 101%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,35 @@ SELinux Reference policy mls base module.
 %endif
 
 %Changelog
+* Thu Aug 29 2013 Lukas Vrabec <lvrabec at redhat.com> 3.11.1-101
+- Allow ssh_t to use /dev/ptmx
+- Allow syslogd to search psad lib files 
+- Label umount.crypt as lvm_exec_t
+- Add support for .Xauthority-n
+- activate labeling for /usr/lib/libmpg123 as textrel_shlib_t
+- Add interface corenet_relabel_tun_tap_dev
+- Add interface dev_rw_vfio_dev
+- Add userdom_relabel_user_tmp_files interface
+- Add userdom_setattr_user_tmp_files interface
+- Add setrans_manage_pid_files interface
+- Add userdom_dontaudit_append_inherited_admin_home_file interface
+- Rename userdom_dontaudit_append_inherited_admin_home_files to userdom_dontaudit_append_inherited_admin_home_file
+- Add userdom_dontaudit_read_inherited_admin_home_file to userdom.if
+- Allow dovecot_domain to read all system and network state
+- Allow abrt domain to write abrt.socket
+- Add psad_search_lib_files()
+- Add support for abrt-upload-watch
+- Allow roles which can run mock to read mock lib files to view results
+- Fix rhcs_domain_template()
+- Dontaudit thumb_t trying to look in /proc
+- Fix abrt policy
+- Fix dovecot policy
+- Fix syntax error in mock policy
+- Add interface rpm_read_log
+- Fix interface rpm_read_log
+- Fix userdom_dontaudit_read_inherited_admin_home_file interface in virt.te
+- Add userhelper_dontaudit_write_config interface
+
 * Wed Aug 7 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-100
 - Allow dhcpc to write to virt_var_run_t
 

