[selinux-policy/f19] * Tue Sep 03 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.1 - Allow xdm_t to delete gkeyringd_tm

Lukas Vrabec lvrabec at fedoraproject.org
Tue Sep 3 15:21:38 UTC 2013


commit 3147b74f0ca4b79be618c17f34a0aa85f2b73e1c
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Tue Sep 3 17:21:02 2013 +0200

    * Tue Sep 03 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.1
    - Allow xdm_t to delete gkeyringd_tmp_t files on logout
    - Fix polipo.te
    - Add trans rules for lsm pid files/dirs
    - Fix labeling for fetchmail pid files/dirs
    - Add additional fixes for abrt-upload-watch
    - Fix transition rules in asterisk policy
    - Add fowner capability to networkmanager policy
    - Cleanup openhpid policy
    - Fix kdump_read_crash() interface
    - Make more domains as init domain
    - Allow sosreport to getattr everything in /dev and send rawip packets
    - Allow sosreport to transition to brctl
    - Add missing alias for amavis_etc_t
    - Fix requires in rpm_rw_script_inherited_pipes
    - Fix interfaces in lsm.if
    - Fix cupsd.te
    - Allow munin service plugins to manage own tmpfs files/dirs
    - Allow virtd_t also relabel unix stream sockets for virt_image_type
    - Fix to define ktalkd_unit_file_t correctly
    - Add systemd support for talk-server
    - Allow glusterd to create sock_file in /run
    - Allow xdm_t to delete gkeyringd_tmp_t files on logout
    - Add support for tmp directories to openvswitch
    - Add logwatch_can_sendmail boolean
    - Allow telepathy_domains to search user homedirs and tmp dirs
    - Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb

 policy-f19-base.patch    |   43 ++--
 policy-f19-contrib.patch |  656 +++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec      |   28 ++
 3 files changed, 517 insertions(+), 210 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 4068580..81c7d86 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -22544,7 +22544,7 @@ index 6bf0ecc..15e1047 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..df66dcb 100644
+index 2696452..2967b77 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -23352,7 +23352,7 @@ index 2696452..df66dcb 100644
  ')
  
  optional_policy(`
-@@ -514,12 +860,72 @@ optional_policy(`
+@@ -514,12 +860,73 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23411,6 +23411,7 @@ index 2696452..df66dcb 100644
 +	gnome_stream_connect_gkeyringd(xdm_t)
 +	gnome_exec_gstreamer_home_files(xdm_t)
 +	gnome_exec_keyringd(xdm_t)
++	gnome_delete_gkeyringd_tmp_content(xdm_t)
 +	gnome_manage_config(xdm_t)
 +	gnome_manage_gconf_home_files(xdm_t)
 +	#gnome_filetrans_home_content(xdm_t)
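Review bot: The added `gnome_delete_gkeyringd_tmp_content(xdm_t)` has no comment saying why the display manager may delete keyring-daemon temp content; a line such as `# clean up gkeyringd_tmp_t files left behind on logout` above it would record the intent from the changelog. The interface body is not part of this hunk, so it is worth confirming that it grants only delete permissions on gkeyringd_tmp_t and not read or manage access. The optional_policy block it sits in starts and ends outside the hunk.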
@@ -23425,7 +23426,7 @@ index 2696452..df66dcb 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +943,78 @@ optional_policy(`
+@@ -537,28 +944,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23513,7 +23514,7 @@ index 2696452..df66dcb 100644
  ')
  
  optional_policy(`
-@@ -570,6 +1026,14 @@ optional_policy(`
+@@ -570,6 +1027,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23528,7 +23529,7 @@ index 2696452..df66dcb 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +1058,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1059,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -23541,7 +23542,7 @@ index 2696452..df66dcb 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1075,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1076,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23557,7 +23558,7 @@ index 2696452..df66dcb 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1091,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1092,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -23568,7 +23569,7 @@ index 2696452..df66dcb 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1106,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1107,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23590,7 +23591,7 @@ index 2696452..df66dcb 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1126,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1127,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -23604,7 +23605,7 @@ index 2696452..df66dcb 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1152,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1153,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -23636,7 +23637,7 @@ index 2696452..df66dcb 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1184,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1185,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23654,7 +23655,7 @@ index 2696452..df66dcb 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1207,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1208,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -23678,7 +23679,7 @@ index 2696452..df66dcb 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1226,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1227,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -23687,7 +23688,7 @@ index 2696452..df66dcb 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1270,44 @@ optional_policy(`
+@@ -775,16 +1271,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23733,7 +23734,7 @@ index 2696452..df66dcb 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1316,10 @@ optional_policy(`
+@@ -793,6 +1317,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23744,7 +23745,7 @@ index 2696452..df66dcb 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1335,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1336,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -23758,7 +23759,7 @@ index 2696452..df66dcb 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1346,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1347,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -23767,7 +23768,7 @@ index 2696452..df66dcb 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1359,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1360,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23802,7 +23803,7 @@ index 2696452..df66dcb 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1424,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23811,7 +23812,7 @@ index 2696452..df66dcb 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1478,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1479,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -23843,7 +23844,7 @@ index 2696452..df66dcb 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1524,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1525,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 4f23182..19c3de3 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -519,7 +519,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..d345054 100644
+index cc43d25..9782064 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -528,7 +528,7 @@ index cc43d25..d345054 100644
  
  ########################################
  #
-@@ -6,105 +6,128 @@ policy_module(abrt, 1.3.4)
+@@ -6,105 +6,131 @@ policy_module(abrt, 1.3.4)
  #
  
  ## <desc>
@@ -636,15 +636,15 @@ index cc43d25..d345054 100644
 +ifdef(`enable_mcs',`
 +	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
 +')
++
++#
++# Support for ABRT retrace server
  
 -type abrt_retrace_worker_t, abrt_domain;
 -type abrt_retrace_worker_exec_t;
 -domain_type(abrt_retrace_worker_t)
 -domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
 +#
-+# Support for ABRT retrace server
-+
-+#
 +abrt_basic_types_template(abrt_retrace_worker)
 +application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
  role system_r types abrt_retrace_worker_t;
@@ -672,6 +672,9 @@ index cc43d25..d345054 100644
 +# Support for abrt-upload-watch
 +abrt_basic_types_template(abrt_upload_watch)
 +init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
++
++type abrt_upload_watch_tmp_t;
++files_tmp_file(abrt_upload_watch_tmp_t)
  
  ########################################
  #
@@ -701,7 +704,7 @@ index cc43d25..d345054 100644
  manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
  logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  
-@@ -112,23 +135,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +138,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -730,7 +733,7 @@ index cc43d25..d345054 100644
  kernel_request_load_module(abrt_t)
  kernel_rw_kernel_sysctl(abrt_t)
  
-@@ -137,16 +162,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +165,14 @@ corecmd_exec_shell(abrt_t)
  corecmd_read_all_executables(abrt_t)
  
  corenet_all_recvfrom_netlabel(abrt_t)
@@ -749,7 +752,7 @@ index cc43d25..d345054 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +186,37 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +189,37 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -790,7 +793,7 @@ index cc43d25..d345054 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +224,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +227,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -807,7 +810,7 @@ index cc43d25..d345054 100644
  ')
  
  optional_policy(`
-@@ -209,6 +236,16 @@ optional_policy(`
+@@ -209,6 +239,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -824,7 +827,7 @@ index cc43d25..d345054 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -220,6 +257,7 @@ optional_policy(`
+@@ -220,6 +260,7 @@ optional_policy(`
  	corecmd_exec_all_executables(abrt_t)
  ')
  
@@ -832,7 +835,7 @@ index cc43d25..d345054 100644
  optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +268,7 @@ optional_policy(`
+@@ -230,6 +271,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -840,7 +843,7 @@ index cc43d25..d345054 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -240,9 +279,17 @@ optional_policy(`
+@@ -240,9 +282,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -859,7 +862,7 @@ index cc43d25..d345054 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +300,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +303,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -874,7 +877,7 @@ index cc43d25..d345054 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +319,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +322,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -882,7 +885,7 @@ index cc43d25..d345054 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +328,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +331,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -903,7 +906,7 @@ index cc43d25..d345054 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +349,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +352,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -930,7 +933,7 @@ index cc43d25..d345054 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +385,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +388,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -944,7 +947,7 @@ index cc43d25..d345054 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +403,11 @@ optional_policy(`
+@@ -330,10 +406,11 @@ optional_policy(`
  
  #######################################
  #
@@ -958,7 +961,7 @@ index cc43d25..d345054 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +426,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +429,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1020,7 +1023,7 @@ index cc43d25..d345054 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +484,29 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +487,47 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1037,23 +1040,41 @@ index cc43d25..d345054 100644
  #
  
 -kernel_read_system_state(abrt_domain)
-+corecmd_exec_bin(abrt_upload_watch_t)
++allow abrt_upload_watch_t self:capability dac_override;
  
 -files_read_etc_files(abrt_domain)
++manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
++
++read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
++
++manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)
++
++corecmd_exec_bin(abrt_upload_watch_t)
++
++dev_read_urand(abrt_upload_watch_t)
++
++auth_read_passwd(abrt_upload_watch_t)
+ 
+-logging_send_syslog_msg(abrt_domain)
 +tunable_policy(`abrt_upload_watch_anon_write',`
 +    miscfiles_manage_public_files(abrt_upload_watch_t)
 +')
 +
++optional_policy(`
++    dbus_system_bus_client(abrt_upload_watch_t)
++')
++
 +#######################################
 +#
 +# Local policy for all abrt domain
 +#
  
--logging_send_syslog_msg(abrt_domain)
+-miscfiles_read_localization(abrt_domain)
 +allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
 +allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
- 
--miscfiles_read_localization(abrt_domain)
++
 +files_read_etc_files(abrt_domain)
 diff --git a/accountsd.fc b/accountsd.fc
 index f9d8d7a..0682710 100644
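Review bot: `manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)` passes a tmp file type where the source domain belongs, so abrt_upload_watch_t gains no directory access to abrt_var_cache_t from it; this looks like a typo for `manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)`. The new `allow abrt_upload_watch_t self:capability dac_override;` lets the daemon bypass file permission checks wherever its type-enforcement rules already allow access, and nothing in the hunk says which path required it. If the cause is the ownership or mode of the upload directory, fixing that is the narrower change; otherwise add a comment such as `# dac_override: <reason, bug reference>` so the grant can be revisited. The abrt_domain section that follows continues outside the hunk.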
@@ -2661,7 +2682,7 @@ index 0000000..df5b3be
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..badbc17
+index 0000000..849c983
 --- /dev/null
 +++ b/antivirus.te
 @@ -0,0 +1,256 @@
@@ -2704,7 +2725,7 @@ index 0000000..badbc17
 +systemd_unit_file(antivirus_unit_file_t)
 +
 +type antivirus_conf_t;
-+typealias antivirus_conf_t alias { clamd_etc_t };
++typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
 +files_config_file(antivirus_conf_t)
 +
 +type antivirus_var_run_t;
@@ -7415,7 +7436,7 @@ index 7268a04..6ffd87d 100644
  	domain_system_change_exemption($1)
  	role_transition $2 asterisk_initrc_exec_t system_r;
 diff --git a/asterisk.te b/asterisk.te
-index 5439f1c..74c24a3 100644
+index 5439f1c..4f8a8a5 100644
 --- a/asterisk.te
 +++ b/asterisk.te
 @@ -19,7 +19,7 @@ type asterisk_log_t;
@@ -7427,7 +7448,25 @@ index 5439f1c..74c24a3 100644
  
  type asterisk_tmp_t;
  files_tmp_file(asterisk_tmp_t)
-@@ -72,11 +72,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms;
+ read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+ read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+ 
+-append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+-create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+-setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
++manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
++manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
++logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir})
+ 
+ manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+ manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+ manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
++files_spool_file(asterisk_t, asterisk_spool_t, {dir file})
+ 
+ manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+ manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
  
  manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
  
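Review bot: `files_spool_file(asterisk_t, asterisk_spool_t, {dir file})` calls what appears to be the one-argument type-declaration interface with a domain as its first argument, so it probably marks asterisk_t as a spool file type and creates no transition; the changelog's "Fix transition rules" suggests the intent was `files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })`. Separately, replacing the append/create/setattr patterns on asterisk_log_t with `manage_files_pattern` lets the daemon rewrite and unlink its own logs, which weakens log integrity if the service is compromised. The cups.te hunk later in this patch makes the same change for cupsd_log_t. If only directory creation under the log directory was needed, keeping the three narrower file patterns next to the new `manage_dirs_pattern` and `logging_log_filetrans` lines would be enough.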
@@ -7441,7 +7480,7 @@ index 5439f1c..74c24a3 100644
  can_exec(asterisk_t, asterisk_exec_t)
  
  kernel_read_kernel_sysctls(asterisk_t)
-@@ -87,7 +87,6 @@ kernel_request_load_module(asterisk_t)
+@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t)
  corecmd_exec_bin(asterisk_t)
  corecmd_exec_shell(asterisk_t)
  
@@ -7449,7 +7488,7 @@ index 5439f1c..74c24a3 100644
  corenet_all_recvfrom_netlabel(asterisk_t)
  corenet_tcp_sendrecv_generic_if(asterisk_t)
  corenet_udp_sendrecv_generic_if(asterisk_t)
-@@ -135,7 +134,6 @@ dev_read_urand(asterisk_t)
+@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t)
  
  domain_use_interactive_fds(asterisk_t)
  
@@ -7457,7 +7496,7 @@ index 5439f1c..74c24a3 100644
  files_search_spool(asterisk_t)
  files_dontaudit_search_home(asterisk_t)
  
-@@ -148,8 +146,6 @@ auth_use_nsswitch(asterisk_t)
+@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t)
  
  logging_send_syslog_msg(asterisk_t)
  
@@ -17058,7 +17097,7 @@ index 06da9a0..6d69a2f 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..ab0eee9 100644
+index 9f34c2e..09ef91c 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -17088,7 +17127,7 @@ index 9f34c2e..ab0eee9 100644
  files_config_file(cupsd_etc_t)
  
  type cupsd_initrc_exec_t;
-@@ -33,9 +38,13 @@ type cupsd_lock_t;
+@@ -33,13 +38,15 @@ type cupsd_lock_t;
  files_lock_file(cupsd_lock_t)
  
  type cupsd_log_t;
@@ -17101,9 +17140,14 @@ index 9f34c2e..ab0eee9 100644
 +
 +type cupsd_lpd_t, cups_domain;
  type cupsd_lpd_exec_t;
- domain_type(cupsd_lpd_t)
- domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
-@@ -47,7 +56,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
+-domain_type(cupsd_lpd_t)
+-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
+-role system_r types cupsd_lpd_t;
++init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
+ 
+ type cupsd_lpd_tmp_t;
+ files_tmp_file(cupsd_lpd_tmp_t)
+@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
  type cupsd_lpd_var_run_t;
  files_pid_file(cupsd_lpd_var_run_t)
  
@@ -17112,7 +17156,7 @@ index 9f34c2e..ab0eee9 100644
  type cups_pdf_exec_t;
  cups_backend(cups_pdf_t, cups_pdf_exec_t)
  
-@@ -55,29 +64,17 @@ type cups_pdf_tmp_t;
+@@ -55,29 +62,17 @@ type cups_pdf_tmp_t;
  files_tmp_file(cups_pdf_tmp_t)
  
  type cupsd_tmp_t;
@@ -17146,7 +17190,7 @@ index 9f34c2e..ab0eee9 100644
  
  type ptal_t;
  type ptal_exec_t;
-@@ -97,21 +94,49 @@ ifdef(`enable_mls',`
+@@ -97,21 +92,49 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
  ')
  
@@ -17200,7 +17244,7 @@ index 9f34c2e..ab0eee9 100644
  allow cupsd_t self:appletalk_socket create_socket_perms;
  
  allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-@@ -120,11 +145,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  
  manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -17214,8 +17258,15 @@ index 9f34c2e..ab0eee9 100644
  
  allow cupsd_t cupsd_exec_t:dir search_dir_perms;
  allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -139,22 +166,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -133,28 +158,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms;
+ files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+ 
+ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
++manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
  
 +manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
@@ -17242,7 +17293,7 @@ index 9f34c2e..ab0eee9 100644
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
  allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -162,11 +190,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -162,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
  can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
  
  kernel_read_system_state(cupsd_t)
@@ -17254,7 +17305,7 @@ index 9f34c2e..ab0eee9 100644
  corenet_all_recvfrom_netlabel(cupsd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_t)
  corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -189,12 +215,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -189,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_bind_all_rpc_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
  
@@ -17279,7 +17330,7 @@ index 9f34c2e..ab0eee9 100644
  dev_rw_input_dev(cupsd_t)
  dev_rw_generic_usb_dev(cupsd_t)
  dev_rw_usbfs(cupsd_t)
-@@ -206,7 +240,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -206,7 +235,6 @@ domain_use_interactive_fds(cupsd_t)
  files_getattr_boot_dirs(cupsd_t)
  files_list_spool(cupsd_t)
  files_read_etc_runtime_files(cupsd_t)
@@ -17287,7 +17338,7 @@ index 9f34c2e..ab0eee9 100644
  files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
-@@ -215,16 +248,17 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +243,17 @@ files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
  files_read_var_files(cupsd_t)
  files_read_var_symlinks(cupsd_t)
@@ -17307,7 +17358,7 @@ index 9f34c2e..ab0eee9 100644
  
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
-@@ -235,6 +269,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
@@ -17316,7 +17367,7 @@ index 9f34c2e..ab0eee9 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -247,21 +283,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -17342,7 +17393,7 @@ index 9f34c2e..ab0eee9 100644
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
  optional_policy(`
-@@ -275,6 +310,8 @@ optional_policy(`
+@@ -275,6 +305,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -17351,7 +17402,7 @@ index 9f34c2e..ab0eee9 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -285,8 +322,10 @@ optional_policy(`
+@@ -285,8 +317,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -17362,7 +17413,7 @@ index 9f34c2e..ab0eee9 100644
  	')
  ')
  
-@@ -299,8 +338,8 @@ optional_policy(`
+@@ -299,8 +333,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17372,7 +17423,7 @@ index 9f34c2e..ab0eee9 100644
  ')
  
  optional_policy(`
-@@ -309,7 +348,6 @@ optional_policy(`
+@@ -309,7 +343,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -17380,7 +17431,7 @@ index 9f34c2e..ab0eee9 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -337,7 +375,11 @@ optional_policy(`
+@@ -337,7 +370,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17393,7 +17444,7 @@ index 9f34c2e..ab0eee9 100644
  ')
  
  ########################################
-@@ -345,12 +387,11 @@ optional_policy(`
+@@ -345,12 +382,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -17409,7 +17460,7 @@ index 9f34c2e..ab0eee9 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -375,18 +416,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -17430,7 +17481,7 @@ index 9f34c2e..ab0eee9 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +434,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -17451,7 +17502,7 @@ index 9f34c2e..ab0eee9 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +451,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -17463,7 +17514,7 @@ index 9f34c2e..ab0eee9 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +478,12 @@ optional_policy(`
+@@ -452,9 +473,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17477,7 +17528,7 @@ index 9f34c2e..ab0eee9 100644
  ')
  
  optional_policy(`
-@@ -490,10 +519,6 @@ optional_policy(`
+@@ -490,10 +514,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -17488,7 +17539,7 @@ index 9f34c2e..ab0eee9 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +536,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +531,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -17521,7 +17572,7 @@ index 9f34c2e..ab0eee9 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -546,7 +562,6 @@ optional_policy(`
+@@ -546,7 +557,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -17529,7 +17580,7 @@ index 9f34c2e..ab0eee9 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +577,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +572,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -17681,7 +17732,7 @@ index 9f34c2e..ab0eee9 100644
  
  ########################################
  #
-@@ -731,7 +621,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +616,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -17689,7 +17740,7 @@ index 9f34c2e..ab0eee9 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +630,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +625,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -17703,7 +17754,7 @@ index 9f34c2e..ab0eee9 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -755,8 +642,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +637,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -17712,7 +17763,7 @@ index 9f34c2e..ab0eee9 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -769,3 +654,4 @@ optional_policy(`
+@@ -769,3 +649,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -17762,10 +17813,10 @@ index 9fa7ffb..fd3262c 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cvs_initrc_exec_t system_r;
 diff --git a/cvs.te b/cvs.te
-index 53fc3af..25b3285 100644
+index 53fc3af..989aabf 100644
 --- a/cvs.te
 +++ b/cvs.te
-@@ -11,7 +11,7 @@ policy_module(cvs, 1.9.1)
+@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
  ##	password files.
  ##	</p>
  ## </desc>
@@ -17774,7 +17825,12 @@ index 53fc3af..25b3285 100644
  
  type cvs_t;
  type cvs_exec_t;
-@@ -58,6 +58,14 @@ kernel_read_network_state(cvs_t)
+ inetd_tcp_service_domain(cvs_t, cvs_exec_t)
++init_domain(cvs_t, cvs_exec_t)
+ application_executable_file(cvs_exec_t)
+ 
+ type cvs_data_t; # customizable
+@@ -58,6 +59,14 @@ kernel_read_network_state(cvs_t)
  corecmd_exec_bin(cvs_t)
  corecmd_exec_shell(cvs_t)
  
@@ -17789,7 +17845,7 @@ index 53fc3af..25b3285 100644
  dev_read_urand(cvs_t)
  
  files_read_etc_runtime_files(cvs_t)
-@@ -70,18 +78,18 @@ auth_use_nsswitch(cvs_t)
+@@ -70,18 +79,18 @@ auth_use_nsswitch(cvs_t)
  
  init_read_utmp(cvs_t)
  
@@ -17811,7 +17867,7 @@ index 53fc3af..25b3285 100644
  	allow cvs_t self:capability dac_override;
  	auth_tunable_read_shadow(cvs_t)
  ')
-@@ -103,4 +111,5 @@ optional_policy(`
+@@ -103,4 +112,5 @@ optional_policy(`
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -23598,7 +23654,7 @@ index 79b9273..76b7ed5 100644
  logging_send_syslog_msg(fcoemon_t)
  
 diff --git a/fetchmail.fc b/fetchmail.fc
-index 2486e2a..72143ee 100644
+index 2486e2a..fef9bff 100644
 --- a/fetchmail.fc
 +++ b/fetchmail.fc
 @@ -1,4 +1,5 @@
@@ -23612,7 +23668,7 @@ index 2486e2a..72143ee 100644
  /var/mail/\.fetchmail-UIDL-cache	--	gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
  
 -/var/run/fetchmail/.*	--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
-+/var/run/fetchmail.*	--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
++/var/run/fetchmail.*	    gen_context(system_u:object_r:fetchmail_var_run_t,s0)
 diff --git a/fetchmail.if b/fetchmail.if
 index c3f7916..cab3954 100644
 --- a/fetchmail.if
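Review bot: The replacement entry `/var/run/fetchmail.*` drops the `--` file-type field, so it now applies to every object class, and the pattern is an open-ended prefix match. Any path under /var/run whose name merely begins with `fetchmail` would receive fetchmail_var_run_t. If the intent is the pid file plus the directory and its contents, anchored entries say that without catching unrelated names, for example `/var/run/fetchmail(/.*)?` for the directory tree and a separate, escaped entry for the pid file. The pid file's exact name is not visible in this hunk, so confirm it before narrowing.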
@@ -24893,7 +24949,7 @@ index 1e29af1..c67e44e 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index 93b0301..11a76a5 100644
+index 93b0301..eafea5b 100644
 --- a/git.te
 +++ b/git.te
 @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -24911,7 +24967,13 @@ index 93b0301..11a76a5 100644
  ##	Determine whether Git system daemon
  ##	can search home directories.
  ##	</p>
-@@ -92,10 +84,10 @@ type git_session_t, git_daemon;
+@@ -87,15 +79,16 @@ apache_content_template(git)
+ type git_system_t, git_daemon;
+ type gitd_exec_t;
+ inetd_service_domain(git_system_t, gitd_exec_t)
++init_domain(git_system_t, gitd_exec_t)
+ 
+ type git_session_t, git_daemon;
  userdom_user_application_domain(git_session_t, gitd_exec_t)
  role git_session_roles types git_session_t;
  
@@ -24924,7 +24986,7 @@ index 93b0301..11a76a5 100644
  userdom_user_home_content(git_user_content_t)
  
  ########################################
-@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+@@ -109,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
  read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
  userdom_search_user_home_dirs(git_session_t)
  
@@ -24933,7 +24995,7 @@ index 93b0301..11a76a5 100644
  corenet_all_recvfrom_netlabel(git_session_t)
  corenet_all_recvfrom_unlabeled(git_session_t)
  corenet_tcp_bind_generic_node(git_session_t)
-@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
+@@ -129,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
  	corenet_tcp_sendrecv_all_ports(git_session_t)
  ')
  
@@ -24944,7 +25006,7 @@ index 93b0301..11a76a5 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_getattr_nfs(git_session_t)
-@@ -157,6 +149,9 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -157,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',`
  list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
  read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
  
@@ -24954,7 +25016,7 @@ index 93b0301..11a76a5 100644
  files_search_var_lib(git_system_t)
  
  auth_use_nsswitch(git_system_t)
-@@ -255,12 +250,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -255,12 +251,9 @@ tunable_policy(`git_cgi_use_nfs',`
  
  allow git_daemon self:fifo_file rw_fifo_file_perms;
  
@@ -25337,10 +25399,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..06e17e3
+index 0000000..a19c35c
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,169 @@
+@@ -0,0 +1,170 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +## <desc>
@@ -25422,7 +25484,8 @@ index 0000000..06e17e3
 +
 +manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
 +manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
++manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
 +
 +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
@@ -25790,7 +25853,7 @@ index e39de43..5818f74 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..e334392 100644
+index d03fd43..71aa685 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,123 +1,155 @@
@@ -26872,7 +26935,7 @@ index d03fd43..e334392 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -704,12 +795,830 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +795,851 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -26969,6 +27032,27 @@ index d03fd43..e334392 100644
 +
 +#######################################
 +## <summary>
++##  Delete gkeyringd temporary
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gnome_delete_gkeyringd_tmp_content',`
++    gen_require(`
++        type gkeyringd_tmp_t;
++    ')
++
++    files_search_tmp($1)
++    delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++    delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++    delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++')
++
++#######################################
++## <summary>
 +##  Manage gkeyringd temporary directories.
 +## </summary>
 +## <param name="domain">
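Review bot: The summary of the new `gnome_delete_gkeyringd_tmp_content` interface is cut short (`Delete gkeyringd temporary`) and does not say what is deleted. The body grants delete on directories, files and socket files of gkeyringd_tmp_t. I would write `##  Delete gkeyringd temporary directories, files and socket files.` so a caller can see the full scope of the grant without reading the body.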
@@ -26983,7 +27067,7 @@ index d03fd43..e334392 100644
 +    ')
 +
 +    files_search_tmp($1)
-+	manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++    manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
 +')
 +
 +########################################
@@ -31578,7 +31662,7 @@ index a49ae4e..913a0e3 100644
 -/usr/sbin/kexec	--	gen_context(system_u:object_r:kdump_exec_t,s0)
 +/var/crash(/.*)?		gen_context(system_u:object_r:kdump_crash_t,s0)
 diff --git a/kdump.if b/kdump.if
-index 3a00b3a..9d8c551 100644
+index 3a00b3a..73476cb 100644
 --- a/kdump.if
 +++ b/kdump.if
 @@ -1,4 +1,4 @@
@@ -31649,7 +31733,7 @@ index 3a00b3a..9d8c551 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -56,10 +100,65 @@ interface(`kdump_read_config',`
+@@ -56,10 +100,66 @@ interface(`kdump_read_config',`
  	allow $1 kdump_etc_t:file read_file_perms;
  ')
  
@@ -31670,6 +31754,7 @@ index 3a00b3a..9d8c551 100644
 +
 +	files_search_var($1)
 +	read_files_pattern($1, kdump_crash_t, kdump_crash_t)
++    list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
 +')
 +
 +#####################################
@@ -31717,7 +31802,7 @@ index 3a00b3a..9d8c551 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -76,10 +175,31 @@ interface(`kdump_manage_config',`
+@@ -76,10 +176,31 @@ interface(`kdump_manage_config',`
  	allow $1 kdump_etc_t:file manage_file_perms;
  ')
  
@@ -31751,7 +31836,7 @@ index 3a00b3a..9d8c551 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -88,19 +208,24 @@ interface(`kdump_manage_config',`
+@@ -88,19 +209,24 @@ interface(`kdump_manage_config',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -31781,7 +31866,7 @@ index 3a00b3a..9d8c551 100644
  
  	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -110,6 +235,10 @@ interface(`kdump_admin',`
+@@ -110,6 +236,10 @@ interface(`kdump_admin',`
  	files_search_etc($1)
  	admin_pattern($1, kdump_etc_t)
  
@@ -33775,11 +33860,124 @@ index c1539b5..fd0a17f 100644
 +    fs_read_cifs_files(ksmtuned_t)
 +	samba_read_share_files(ksmtuned_t)
 +')
+diff --git a/ktalk.fc b/ktalk.fc
+index 38ecb07..451067e 100644
+--- a/ktalk.fc
++++ b/ktalk.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/ntalk.*  --  gen_context(system_u:object_r:ktalkd_unit_file_t,s0)
++
+ /usr/bin/ktalkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
+ 
+ /usr/sbin/in\.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
+diff --git a/ktalk.if b/ktalk.if
+index 19777b8..63d46d3 100644
+--- a/ktalk.if
++++ b/ktalk.if
+@@ -1 +1,81 @@
+-## <summary>KDE Talk daemon.</summary>
++
++## <summary>talk-server - daemon programs for the Internet talk </summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the ktalkd domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ktalk_domtrans',`
++	gen_require(`
++		type ktalkd_t, ktalkd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, ktalkd_exec_t, ktalkd_t)
++')
++########################################
++## <summary>
++##	Execute ktalkd server in the ktalkd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`ktalk_systemctl',`
++	gen_require(`
++		type ktalkd_t;
++		type ktalkd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 ktalkd_unit_file_t:file read_file_perms;
++	allow $1 ktalkd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, ktalkd_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an ktalkd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`ktalk_admin',`
++	gen_require(`
++		type ktalkd_t;
++	    type ktalkd_unit_file_t;
++	')
++
++	allow $1 ktalkd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, ktalkd_t)
++
++	ktalk_systemctl($1)
++	admin_pattern($1, ktalkd_unit_file_t)
++	allow $1 ktalkd_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
 diff --git a/ktalk.te b/ktalk.te
-index 2cf3815..2c4c979 100644
+index 2cf3815..cb979b0 100644
 --- a/ktalk.te
 +++ b/ktalk.te
-@@ -35,16 +35,23 @@ kernel_read_kernel_sysctls(ktalkd_t)
+@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1)
+ 
+ type ktalkd_t;
+ type ktalkd_exec_t;
++init_domain(ktalkd_t, ktalkd_exec_t)
+ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
+ 
+ type ktalkd_log_t;
+ logging_log_file(ktalkd_log_t)
+ 
++type ktalkd_unit_file_t;
++systemd_unit_file(ktalkd_unit_file_t)
++
+ type ktalkd_tmp_t;
+ files_tmp_file(ktalkd_tmp_t)
+ 
+@@ -35,16 +39,23 @@ kernel_read_kernel_sysctls(ktalkd_t)
  kernel_read_system_state(ktalkd_t)
  kernel_read_network_state(ktalkd_t)
  
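Review bot: `ktalk_admin` grants `allow $1 ktalkd_t:process { ptrace signal_perms };` unconditionally, so every caller of the admin interface can ptrace the daemon even where ptrace has been switched off policy-wide. Fedora policy normally keeps only `signal_perms` in the plain allow rule and places `ptrace` behind the `deny_ptrace` tunable; I would do the same here, assuming this tree carries that tunable. Separately, the header documents a `role` parameter that the body never uses, and the `ktalk_domtrans` summary still reads `Execute TEMPLATE in the ktalkd domin.`.

```selinux
interface(`ktalk_admin',`
	# … unchanged: gen_require block …

	allow $1 ktalkd_t:process signal_perms;
	ps_process_pattern($1, ktalkd_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 ktalkd_t:process ptrace;
	')

	# … unchanged: ktalk_systemctl call, admin_pattern, unit-file service rule, optional_policy block …
```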
@@ -35344,11 +35542,20 @@ index 7bab8e5..b88bbf3 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..a8dde53 100644
+index 4256a4c..30e3cd2 100644
 --- a/logwatch.te
 +++ b/logwatch.te
-@@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6)
+@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
+ # Declarations
+ #
  
++## <desc>
++## <p>
++## Allow epylog to send mail
++## </p>
++## </desc>
++gen_tunable(logwatch_can_sendmail, false)
++
  type logwatch_t;
  type logwatch_exec_t;
 -init_system_domain(logwatch_t, logwatch_exec_t)
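Review bot: The description attached to `logwatch_can_sendmail` reads `Allow epylog to send mail`, which names a different program from the logwatch_t domain the tunable governs. The `tunable_policy` block added in the later logwatch.te hunk also grants `corenet_tcp_connect_pop_port(logwatch_t)`, so the boolean enables more than sending. A description such as `## Determine whether logwatch can connect to SMTP and POP ports.` would match what the boolean turns on. If only outbound SMTP is needed, the POP rules could be dropped instead.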
@@ -35357,7 +35564,7 @@ index 4256a4c..a8dde53 100644
  
  type logwatch_cache_t;
  files_type(logwatch_cache_t)
-@@ -37,7 +38,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
+@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
  manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
  manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
  
@@ -35367,7 +35574,7 @@ index 4256a4c..a8dde53 100644
  files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
  
  manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
-@@ -67,10 +69,11 @@ files_list_var(logwatch_t)
+@@ -67,10 +76,11 @@ files_list_var(logwatch_t)
  files_search_all(logwatch_t)
  files_read_var_symlinks(logwatch_t)
  files_read_etc_runtime_files(logwatch_t)
@@ -35380,7 +35587,7 @@ index 4256a4c..a8dde53 100644
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
-@@ -92,13 +95,12 @@ libs_read_lib_files(logwatch_t)
+@@ -92,13 +102,12 @@ libs_read_lib_files(logwatch_t)
  logging_read_all_logs(logwatch_t)
  logging_send_syslog_msg(logwatch_t) 
  
@@ -35395,7 +35602,7 @@ index 4256a4c..a8dde53 100644
  
  mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
  mta_getattr_spool(logwatch_t)
-@@ -137,6 +139,11 @@ optional_policy(`
+@@ -137,6 +146,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35407,7 +35614,21 @@ index 4256a4c..a8dde53 100644
  	rpc_search_nfs_state_data(logwatch_t)
  ')
  
-@@ -164,6 +171,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -145,6 +159,13 @@ optional_policy(`
+ 	samba_read_share_files(logwatch_t)
+ ')
+ 
++tunable_policy(`logwatch_can_sendmail',`
++    corenet_tcp_connect_smtp_port(logwatch_t)
++    corenet_sendrecv_smtp_client_packets(logwatch_t)
++    corenet_tcp_connect_pop_port(logwatch_t)
++    corenet_sendrecv_pop_client_packets(logwatch_t)
++')
++
+ ########################################
+ #
+ # Mail local policy
+@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t)
  
  logging_read_all_logs(logwatch_mail_t)
  
@@ -35774,7 +35995,7 @@ index 0000000..711c04b
 +/var/run/lsm(/.*)?	--	gen_context(system_u:object_r:lsmd_var_run_t,s0)
 diff --git a/lsm.if b/lsm.if
 new file mode 100644
-index 0000000..aaf4080
+index 0000000..52d5956
 --- /dev/null
 +++ b/lsm.if
 @@ -0,0 +1,103 @@
@@ -35835,7 +36056,7 @@ index 0000000..aaf4080
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
++        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 lsmd_unit_file_t:file read_file_perms;
 +	allow $1 lsmd_unit_file_t:service manage_service_perms;
 +
@@ -35883,10 +36104,10 @@ index 0000000..aaf4080
 +')
 diff --git a/lsm.te b/lsm.te
 new file mode 100644
-index 0000000..14fe4d7
+index 0000000..fc42149
 --- /dev/null
 +++ b/lsm.te
-@@ -0,0 +1,31 @@
+@@ -0,0 +1,32 @@
 +policy_module(lsm, 1.0.0)
 +
 +########################################
@@ -35916,6 +36137,7 @@ index 0000000..14fe4d7
 +manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 +manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 +manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
 +
 +logging_send_syslog_msg(lsmd_t)
 diff --git a/mailman.fc b/mailman.fc
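Review bot: The added `files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })` types directories and sockets at creation, but the lsm.fc entry for `/var/run/lsm(/.*)?` shown earlier in this patch carries `--` and so matches regular files only. A relabel would therefore move the directory and the socket away from lsmd_var_run_t, unless another entry outside this view covers them. Dropping the `--` from that lsm.fc line would keep the file contexts and the transition in agreement. The transition list also omits `lnk_file`, although `manage_lnk_files_pattern` is granted a few lines above.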
@@ -42853,10 +43075,17 @@ index b744fe3..4c1b6a8 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index 97370e4..92138ca 100644
+index 97370e4..3549b8f 100644
 --- a/munin.te
 +++ b/munin.te
-@@ -40,12 +40,15 @@ munin_plugin_template(services)
+@@ -37,15 +37,22 @@ munin_plugin_template(disk)
+ munin_plugin_template(mail)
+ munin_plugin_template(selinux)
+ munin_plugin_template(services)
++
++type services_munin_plugin_tmpfs_t;
++files_tmpfs_file(services_munin_plugin_tmpfs_t)
++
  munin_plugin_template(system)
  munin_plugin_template(unconfined)
  
@@ -42873,7 +43102,7 @@ index 97370e4..92138ca 100644
  allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
  
  allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -58,23 +61,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
  
  manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
  
@@ -42898,7 +43127,7 @@ index 97370e4..92138ca 100644
  
  optional_policy(`
  	nscd_use(munin_plugin_domain)
-@@ -114,7 +111,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -42907,7 +43136,7 @@ index 97370e4..92138ca 100644
  
  manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
  manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -130,7 +127,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
  corecmd_exec_bin(munin_t)
  corecmd_exec_shell(munin_t)
  
@@ -42915,7 +43144,7 @@ index 97370e4..92138ca 100644
  corenet_all_recvfrom_netlabel(munin_t)
  corenet_tcp_sendrecv_generic_if(munin_t)
  corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -153,7 +149,6 @@ domain_use_interactive_fds(munin_t)
+@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t)
  domain_read_all_domains_state(munin_t)
  
  files_read_etc_runtime_files(munin_t)
@@ -42923,7 +43152,7 @@ index 97370e4..92138ca 100644
  files_list_spool(munin_t)
  
  fs_getattr_all_fs(munin_t)
-@@ -165,7 +160,6 @@ logging_send_syslog_msg(munin_t)
+@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t)
  logging_read_all_logs(munin_t)
  
  miscfiles_read_fonts(munin_t)
@@ -42931,7 +43160,7 @@ index 97370e4..92138ca 100644
  miscfiles_setattr_fonts_cache_dirs(munin_t)
  
  sysnet_exec_ifconfig(munin_t)
-@@ -173,13 +167,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
  userdom_dontaudit_use_unpriv_user_fds(munin_t)
  userdom_dontaudit_search_user_home_dirs(munin_t)
  
@@ -42945,7 +43174,7 @@ index 97370e4..92138ca 100644
  
  optional_policy(`
  	cron_system_entry(munin_t, munin_exec_t)
-@@ -213,7 +200,6 @@ optional_policy(`
+@@ -213,7 +204,6 @@ optional_policy(`
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -42953,7 +43182,7 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -242,21 +228,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -42981,7 +43210,7 @@ index 97370e4..92138ca 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -268,6 +256,10 @@ optional_policy(`
+@@ -268,6 +260,10 @@ optional_policy(`
  	fstools_exec(disk_munin_plugin_t)
  ')
  
@@ -42992,7 +43221,7 @@ index 97370e4..92138ca 100644
  ####################################
  #
  # Mail local policy
-@@ -275,27 +267,36 @@ optional_policy(`
+@@ -275,27 +271,36 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -43033,7 +43262,17 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -331,7 +332,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow services_munin_plugin_t self:udp_socket create_socket_perms;
+ allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+ 
++manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
++manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
++
+ corenet_sendrecv_all_client_packets(services_munin_plugin_t)
+ corenet_tcp_connect_all_ports(services_munin_plugin_t)
+ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t)
  sysnet_read_config(services_munin_plugin_t)
  
  optional_policy(`
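Review bot: The two manage patterns added for services_munin_plugin_tmpfs_t have no matching type transition. Nothing visible in the munin.te section of this patch adds an `fs_tmpfs_filetrans` for the new type, so objects the plugin creates on tmpfs would keep the filesystem's default type and these rules would not apply to them. Other additions in this commit pair the manage rules with a transition, for example the `files_tmp_filetrans` in openvswitch.te. I would add `fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { dir file })` after the two patterns, unless the plugin template already provides it outside this view.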
@@ -43042,7 +43281,7 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -353,7 +354,11 @@ optional_policy(`
+@@ -353,7 +361,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43055,7 +43294,7 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -385,6 +390,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -43063,7 +43302,7 @@ index 97370e4..92138ca 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +419,31 @@ optional_policy(`
+@@ -413,3 +426,31 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -43688,7 +43927,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 9f6179e..94457fe 100644
+index 9f6179e..3c7bbd8 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -1,4 +1,4 @@
@@ -43861,7 +44100,7 @@ index 9f6179e..94457fe 100644
  	seutil_sigchld_newrole(mysqld_t)
  ')
  
-@@ -153,29 +160,23 @@ optional_policy(`
+@@ -153,29 +160,24 @@ optional_policy(`
  
  #######################################
  #
@@ -43888,6 +44127,7 @@ index 9f6179e..94457fe 100644
 -allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 +list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
++manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 +manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  
  manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
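Review bot: `manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` lets mysqld_safe_t create, rewrite and remove symlinks in the log directory, which is more than following an existing link requires. The changelog describes the need as handling symlinks in /var/log/mariadb; if that means reading through a link, `read_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` is the narrower grant. If the wider permission really is required, a one-line comment above the rule saying why would help later reviewers keep it deliberate.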
@@ -43898,7 +44138,7 @@ index 9f6179e..94457fe 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,17 +188,21 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -187,17 +189,21 @@ dev_list_sysfs(mysqld_safe_t)
  
  domain_read_all_domains_state(mysqld_safe_t)
  
@@ -43926,7 +44166,7 @@ index 9f6179e..94457fe 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -205,7 +210,7 @@ optional_policy(`
+@@ -205,7 +211,7 @@ optional_policy(`
  
  ########################################
  #
@@ -43935,7 +44175,7 @@ index 9f6179e..94457fe 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +219,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +220,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -43953,7 +44193,7 @@ index 9f6179e..94457fe 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -226,31 +232,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +233,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -45532,7 +45772,7 @@ index 0e8508c..0b68b86 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..2de59df 100644
+index 0b48a30..2b6c69a 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -45572,7 +45812,7 @@ index 0b48a30..2de59df 100644
 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 +# networkmanager will ptrace itself if gdb is installed
 +# and it receives a unexpected signal (rh bug #204161)
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
 +dontaudit NetworkManager_t self:capability sys_tty_config;
 +ifdef(`hide_broken_symptoms',`
 +	# caused by some bogus kernel code
@@ -50411,10 +50651,10 @@ index 0000000..598789a
 +
 diff --git a/openhpid.te b/openhpid.te
 new file mode 100644
-index 0000000..be2a88d
+index 0000000..51acfae
 --- /dev/null
 +++ b/openhpid.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,47 @@
 +policy_module(openhpid, 1.0.0)
 +
 +########################################
@@ -50441,7 +50681,7 @@ index 0000000..be2a88d
 +#
 +
 +allow openhpid_t self:capability { kill };
-+allow openhpid_t self:process { fork signal };
++allow openhpid_t self:process signal_perms;
 +
 +allow openhpid_t self:fifo_file rw_fifo_file_perms;
 +allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
@@ -50459,11 +50699,8 @@ index 0000000..be2a88d
 +corenet_tcp_bind_generic_node(openhpid_t)
 +corenet_tcp_bind_openhpid_port(openhpid_t)
 +
-+domain_use_interactive_fds(openhpid_t)
-+
 +dev_read_urand(openhpid_t)
 +
-+
 +logging_send_syslog_msg(openhpid_t)
 diff --git a/openshift-origin.fc b/openshift-origin.fc
 new file mode 100644
@@ -52321,7 +52558,7 @@ index 9b15730..eedd136 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..f025b03 100644
+index 508fedf..a499612 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -1,4 +1,4 @@
@@ -52344,7 +52581,13 @@ index 508fedf..f025b03 100644
  
  type openvswitch_var_lib_t;
  files_type(openvswitch_var_lib_t)
-@@ -24,20 +21,27 @@ logging_log_file(openvswitch_log_t)
+@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t)
+ type openvswitch_log_t;
+ logging_log_file(openvswitch_log_t)
+ 
++type openvswitch_tmp_t;
++files_tmp_file(openvswitch_tmp_t)
++
  type openvswitch_var_run_t;
  files_pid_file(openvswitch_var_run_t)
  
@@ -52368,19 +52611,19 @@ index 508fedf..f025b03 100644
 +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow openvswitch_t self:netlink_socket create_socket_perms;
 +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
-+
-+can_exec(openvswitch_t, openvswitch_exec_t)
  
 -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
++can_exec(openvswitch_t, openvswitch_exec_t)
++
 +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
  
  manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
  manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,9 +49,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
  files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
  
  manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -52391,7 +52634,14 @@ index 508fedf..f025b03 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -57,33 +59,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
++manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
++
+ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
  
@@ -56866,7 +57116,7 @@ index ae27bb7..d00f6ba 100644
 +	allow $1 polipo_unit_file_t:service all_service_perms;
  ')
 diff --git a/polipo.te b/polipo.te
-index 316d53a..79b5c4f 100644
+index 316d53a..388d659 100644
 --- a/polipo.te
 +++ b/polipo.te
 @@ -1,4 +1,4 @@
@@ -56980,10 +57230,14 @@ index 316d53a..79b5c4f 100644
 -userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
 -
 -auth_use_nsswitch(polipo_session_t)
+-
+-userdom_use_user_terminals(polipo_session_t)
 +allow polipo_daemon self:fifo_file rw_fifo_file_perms;
 +allow polipo_daemon self:tcp_socket { listen accept };
  
--userdom_use_user_terminals(polipo_session_t)
+-tunable_policy(`polipo_session_send_syslog_msg',`
+-	logging_send_syslog_msg(polipo_session_t)
+-')
 +corenet_tcp_bind_generic_node(polipo_daemon)
 +corenet_tcp_sendrecv_generic_if(polipo_daemon)
 +corenet_tcp_sendrecv_generic_node(polipo_daemon)
@@ -56991,10 +57245,7 @@ index 316d53a..79b5c4f 100644
 +corenet_tcp_bind_http_cache_port(polipo_daemon)
 +corenet_sendrecv_http_cache_server_packets(polipo_daemon)
 +corenet_tcp_connect_http_port(polipo_daemon)
- 
--tunable_policy(`polipo_session_send_syslog_msg',`
--	logging_send_syslog_msg(polipo_session_t)
--')
++corenet_tcp_connect_tor_port(polipo_daemon)
  
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_read_nfs_files(polipo_session_t)
@@ -71108,10 +71359,18 @@ index 050479d..0e1b364 100644
  		type rlogind_home_t;
  	')
 diff --git a/rlogin.te b/rlogin.te
-index d34cdec..f41c9c5 100644
+index d34cdec..eeeee9b 100644
 --- a/rlogin.te
 +++ b/rlogin.te
-@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
+@@ -9,6 +9,7 @@ type rlogind_t;
+ type rlogind_exec_t;
+ auth_login_pgm_domain(rlogind_t)
+ inetd_service_domain(rlogind_t, rlogind_exec_t)
++init_daemon_domain(rlogind_t, rlogind_exec_t)
+ 
+ type rlogind_devpts_t;
+ term_login_pty(rlogind_devpts_t)
+@@ -30,7 +31,9 @@ files_pid_file(rlogind_var_run_t)
  allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
  allow rlogind_t self:process signal_perms;
  allow rlogind_t self:fifo_file rw_fifo_file_perms;
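Review bot: rlogin.te adds `init_daemon_domain(rlogind_t, rlogind_exec_t)`, while the other init-domain additions in this commit (cvs.te, git.te, ktalk.te) add `init_domain(...)` next to their inetd interface. If rlogind is started the same way as those services, `init_domain(rlogind_t, rlogind_exec_t)` would keep the four consistent. If the daemon variant is intended, a short comment stating why rlogind differs would stop a later cleanup from changing it by accident.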
@@ -71122,7 +71381,7 @@ index d34cdec..f41c9c5 100644
  
  allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
  term_create_pty(rlogind_t, rlogind_devpts_t)
-@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
+@@ -39,7 +42,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
  
  manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
  manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
@@ -71130,7 +71389,7 @@ index d34cdec..f41c9c5 100644
  
  manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
  files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t)
+@@ -50,7 +52,6 @@ kernel_read_kernel_sysctls(rlogind_t)
  kernel_read_system_state(rlogind_t)
  kernel_read_network_state(rlogind_t)
  
@@ -71138,7 +71397,7 @@ index d34cdec..f41c9c5 100644
  corenet_all_recvfrom_netlabel(rlogind_t)
  corenet_tcp_sendrecv_generic_if(rlogind_t)
  corenet_udp_sendrecv_generic_if(rlogind_t)
-@@ -67,6 +67,7 @@ fs_getattr_all_fs(rlogind_t)
+@@ -67,6 +68,7 @@ fs_getattr_all_fs(rlogind_t)
  fs_search_auto_mountpoints(rlogind_t)
  
  auth_domtrans_chk_passwd(rlogind_t)
@@ -71146,7 +71405,7 @@ index d34cdec..f41c9c5 100644
  auth_rw_login_records(rlogind_t)
  auth_use_nsswitch(rlogind_t)
  
-@@ -77,30 +78,23 @@ init_rw_utmp(rlogind_t)
+@@ -77,30 +79,23 @@ init_rw_utmp(rlogind_t)
  
  logging_send_syslog_msg(rlogind_t)
  
@@ -72516,7 +72775,7 @@ index ebe91fc..6392cad 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index 0628d50..3031a82 100644
+index 0628d50..39e36fb 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -72665,7 +72924,7 @@ index 0628d50..3031a82 100644
 +#
 +interface(`rpm_rw_script_inherited_pipes',`
 +	gen_require(`
-+		type rpm_t;
++		type rpm_script_t;
 +	')
 +
 +	allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
@@ -81474,18 +81733,19 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index 703efa3..7779402 100644
+index 703efa3..e3580b2 100644
 --- a/sosreport.te
 +++ b/sosreport.te
-@@ -33,6 +33,7 @@ allow sosreport_t self:process { setsched signull };
+@@ -33,6 +33,8 @@ allow sosreport_t self:process { setsched signull };
  allow sosreport_t self:fifo_file rw_fifo_file_perms;
  allow sosreport_t self:tcp_socket { accept listen };
  allow sosreport_t self:unix_stream_socket { accept listen };
++allow sosreport_t self:rawip_socket create_socket_perms;
 +allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms;
  
  manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
  manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
-@@ -58,6 +59,8 @@ dev_read_rand(sosreport_t)
+@@ -58,6 +60,8 @@ dev_read_rand(sosreport_t)
  dev_read_urand(sosreport_t)
  dev_read_raw_memory(sosreport_t)
  dev_read_sysfs(sosreport_t)
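Review bot: The added `allow sosreport_t self:rawip_socket create_socket_perms;` carries no comment saying which collector needs raw IP, which matters in a domain that this same block already lets read raw memory. Opening a raw socket normally also depends on the `net_raw` capability, and the `self:capability` rule for sosreport_t is not part of this hunk. Check that the two agree, otherwise the new rule grants a permission that still ends in a denial. Suggested comment above the line: `# raw IP sockets are used by network diagnostics run from sosreport plugins`, with the plugin named if it is known.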
@@ -81494,7 +81754,7 @@ index 703efa3..7779402 100644
  
  domain_getattr_all_domains(sosreport_t)
  domain_read_all_domains_state(sosreport_t)
-@@ -70,7 +73,6 @@ files_list_all(sosreport_t)
+@@ -70,7 +74,6 @@ files_list_all(sosreport_t)
  files_read_config_files(sosreport_t)
  files_read_generic_tmp_files(sosreport_t)
  files_read_non_auth_files(sosreport_t)
@@ -81502,7 +81762,7 @@ index 703efa3..7779402 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -79,11 +81,18 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -79,23 +82,31 @@ files_manage_etc_runtime_files(sosreport_t)
  files_etc_filetrans_etc_runtime(sosreport_t, file)
  
  fs_getattr_all_fs(sosreport_t)
@@ -81513,6 +81773,7 @@ index 703efa3..7779402 100644
  storage_dontaudit_read_removable_device(sosreport_t)
  
 +term_getattr_pty_fs(sosreport_t)
++term_getattr_all_ptys(sosreport_t)
 +
 +# some config files do not have configfile attribute
 +# sosreport needs to read various files on system
@@ -81521,7 +81782,10 @@ index 703efa3..7779402 100644
  auth_use_nsswitch(sosreport_t)
  
  init_domtrans_script(sosreport_t)
-@@ -93,9 +102,8 @@ libs_domtrans_ldconfig(sosreport_t)
++init_getattr_initctl(sosreport_t)
+ 
+ libs_domtrans_ldconfig(sosreport_t)
+ 
  logging_read_all_logs(sosreport_t)
  logging_send_syslog_msg(sosreport_t)
  
@@ -81532,7 +81796,18 @@ index 703efa3..7779402 100644
  
  optional_policy(`
  	abrt_manage_pid_files(sosreport_t)
-@@ -111,6 +119,11 @@ optional_policy(`
+@@ -103,6 +114,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	brctl_domtrans(sosreport_t)
++')
++
++optional_policy(`
+ 	cups_stream_connect(sosreport_t)
+ ')
+ 
+@@ -111,6 +126,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85224,7 +85499,7 @@ index 42946bc..741f2f4 100644
 +	can_exec($1, telepathy_executable)
  ')
 diff --git a/telepathy.te b/telepathy.te
-index e9c0964..91c1898 100644
+index e9c0964..ff77783 100644
 --- a/telepathy.te
 +++ b/telepathy.te
 @@ -1,29 +1,28 @@
@@ -85725,7 +86000,7 @@ index e9c0964..91c1898 100644
  optional_policy(`
  	xserver_read_xdm_pid(telepathy_sunshine_t)
  	xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +382,40 @@ optional_policy(`
+@@ -452,31 +382,43 @@ optional_policy(`
  
  #######################################
  #
@@ -85753,10 +86028,12 @@ index e9c0964..91c1898 100644
  
  fs_getattr_all_fs(telepathy_domain)
  fs_search_auto_mountpoints(telepathy_domain)
--
--miscfiles_read_localization(telepathy_domain)
 +fs_rw_inherited_tmpfs_files(telepathy_domain)
  
+-miscfiles_read_localization(telepathy_domain)
++userdom_search_user_tmp_dirs(telepathy_domain)
++userdom_search_user_home_dirs(telepathy_domain)
+ 
  optional_policy(`
  	automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
  ')
@@ -85764,7 +86041,7 @@ index e9c0964..91c1898 100644
  optional_policy(`
 +	gnome_read_generic_cache_files(telepathy_domain)
 +	gnome_write_generic_cache_files(telepathy_domain)
-+    gnome_filetrans_config_home_content(telepathy_domain)
++	gnome_filetrans_config_home_content(telepathy_domain)
 +')
 +
 +optional_policy(`
@@ -91193,7 +91470,7 @@ index 9dec06c..4e31afe 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..8757277 100644
+index 1f22fba..2361150 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,104 @@
@@ -91775,7 +92052,7 @@ index 1f22fba..8757277 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +308,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +308,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -91799,6 +92076,7 @@ index 1f22fba..8757277 100644
  allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 -
++allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;
  allow virtd_t virt_ptynode:chr_file rw_term_perms;
  
  manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
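Review bot: The new rule `allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;` pairs a socket object class with a permission set written for the `file` class, whereas the `chr_file` line above it uses the matching `relabel_chr_file_perms`. If the goal is to relabel socket files that live alongside images, the class would be `sock_file` with `relabel_sock_file_perms`. If the socket object itself is meant, writing the permissions out as `{ getattr relabelfrom relabelto }` makes that explicit and stops the rule depending on how the file macro expands. A one-line comment naming the libvirt feature that needs this would help in either case. The run of virtd_t relabel rules begins outside this hunk.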
@@ -91821,7 +92099,7 @@ index 1f22fba..8757277 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +342,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +343,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -91842,7 +92120,7 @@ index 1f22fba..8757277 100644
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +354,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +355,7 @@ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  kernel_setsched(virtd_t)
@@ -91850,7 +92128,7 @@ index 1f22fba..8757277 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,24 +362,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +363,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -91878,7 +92156,7 @@ index 1f22fba..8757277 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -548,22 +382,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +383,23 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -91907,7 +92185,7 @@ index 1f22fba..8757277 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +429,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +430,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -91927,7 +92205,7 @@ index 1f22fba..8757277 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +451,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +452,26 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -91964,7 +92242,7 @@ index 1f22fba..8757277 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +479,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +480,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -91973,7 +92251,7 @@ index 1f22fba..8757277 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -658,20 +504,12 @@ optional_policy(`
+@@ -658,20 +505,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -91994,7 +92272,7 @@ index 1f22fba..8757277 100644
  ')
  
  optional_policy(`
-@@ -684,14 +522,20 @@ optional_policy(`
+@@ -684,14 +523,20 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -92017,7 +92295,7 @@ index 1f22fba..8757277 100644
  	iptables_manage_config(virtd_t)
  ')
  
-@@ -704,11 +548,13 @@ optional_policy(`
+@@ -704,11 +549,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92031,7 +92309,7 @@ index 1f22fba..8757277 100644
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
  	policykit_read_lib(virtd_t)
-@@ -719,10 +565,18 @@ optional_policy(`
+@@ -719,10 +566,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92050,7 +92328,7 @@ index 1f22fba..8757277 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -737,44 +591,261 @@ optional_policy(`
+@@ -737,44 +592,261 @@ optional_policy(`
  	udev_read_db(virtd_t)
  ')
  
@@ -92335,7 +92613,7 @@ index 1f22fba..8757277 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +856,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +857,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -92362,7 +92640,7 @@ index 1f22fba..8757277 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +876,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +877,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -92394,7 +92672,7 @@ index 1f22fba..8757277 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +909,20 @@ optional_policy(`
+@@ -847,14 +910,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92416,7 +92694,7 @@ index 1f22fba..8757277 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,49 +947,65 @@ optional_policy(`
+@@ -879,49 +948,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -92500,7 +92778,7 @@ index 1f22fba..8757277 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1017,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1018,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -92520,7 +92798,7 @@ index 1f22fba..8757277 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1038,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1039,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -92544,7 +92822,7 @@ index 1f22fba..8757277 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1063,247 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1064,247 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -92922,7 +93200,7 @@ index 1f22fba..8757277 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1316,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1317,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -92937,7 +93215,7 @@ index 1f22fba..8757277 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1334,8 @@ optional_policy(`
+@@ -1183,9 +1335,8 @@ optional_policy(`
  
  ########################################
  #
@@ -92948,7 +93226,7 @@ index 1f22fba..8757277 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1348,120 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1349,120 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 353f035..dd481a5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -539,6 +539,34 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Sep 03 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.1
+- Allow xdm_t to delete gkeyringd_tmp_t files on logout
+- Fix polipo.te
+- Add trans rules for lsm pid files/dirs
+- Fix labeling for fetchmail pid files/dirs
+- Add additional fixes for abrt-upload-watch
+- Fix transition rules in asterisk policy
+- Add fowner capability to networkmanager policy
+- Cleanup openhpid policy
+- Fix kdump_read_crash() interface
+- Make more domains as init domain
+- Allow sosreport to getattr everything in /dev and send rawip packets
+- Allow sosreport to transition to brctl
+- Add missing alias for amavis_etc_t
+- Fix requires in rpm_rw_script_inherited_pipes
+- Fix interfaces in lsm.if
+- Fix cupsd.te
+- Allow munin service plugins to manage own tmpfs files/dirs
+- Allow virtd_t also relabel unix stream sockets for virt_image_type
+- Fix to define ktalkd_unit_file_t correctly
+- Add systemd support for talk-server
+- Allow glusterd to create sock_file in /run
+- Allow xdm_t to delete gkeyringd_tmp_t files on logout
+- Add support for tmp directories to openvswitch
+- Add logwatch_can_sendmail boolean
+- Allow telpathy_domains to search user homedirs and tmp dirs
+- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
+
 * Thu Aug 29 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74
 - Rename svirt_lxc_file_t to svirt_sandbox_file_t
 - Allow virt_domain with USB devices to look at dos file systems

