[selinux-policy/f20] - Also sock_file trans rule is needed in lsm - Fix labeling for fetchmail pid files/dirs - Add addit

Miroslav Grepl mgrepl at fedoraproject.org
Tue Sep 3 20:42:47 UTC 2013


commit 22545a13feb3f51091198cf5563d2cb77a3109fb
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Sep 3 22:42:22 2013 +0200

    - Also sock_file trans rule is needed in lsm
    - Fix labeling for fetchmail pid files/dirs
    - Add additional fixes for abrt-upload-watch
    - Fix polipo.te
    - Fix transition rules in asterisk policy
    - Add fowner capability to networkmanager policy
    - Allow polipo to connect to tor ports
    - Cleanup lsmd.if
    - Cleanup openhpid policy
    - Fix kdump_read_crash() interface
    - Make more domains as init domain
    - Fix cupsd.te
    - Fix requires in rpm_rw_script_inherited_pipes
    - Fix interfaces in lsm.if
    - Allow munin service plugins to manage own tmpfs files/dirs
    - Allow virtd_t also relabel unix stream sockets for virt_image_type
    - Make ktalk as init domain
    - Fix to define ktalkd_unit_file_t correctly
    - Fix ktalk.fc
    - Add systemd support for talk-server
    - Allow glusterd to create sock_file in /run
    - Allow xdm_t to delete gkeyringd_tmp_t files on logout
    - Add fixes for hypervkvp policy
    - Add logwatch_can_sendmail boolean
    - Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
    - Allow xdm_t to delete gkeyringd_tmp_t files on logout

 policy-rawhide-base.patch    |   45 ++--
 policy-rawhide-contrib.patch |  742 +++++++++++++++++++++++++++++++-----------
 selinux-policy.spec          |   30 ++-
 3 files changed, 605 insertions(+), 212 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a8e95dd..718fb3d 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -22589,7 +22589,7 @@ index 6bf0ecc..9b46e11 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..b67997e 100644
+index 2696452..93b05fa 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -23403,7 +23403,7 @@ index 2696452..b67997e 100644
  ')
  
  optional_policy(`
-@@ -514,12 +865,56 @@ optional_policy(`
+@@ -514,12 +865,57 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23446,6 +23446,7 @@ index 2696452..b67997e 100644
 +	gnome_stream_connect_gkeyringd(xdm_t)
 +	gnome_exec_gstreamer_home_files(xdm_t)
 +	gnome_exec_keyringd(xdm_t)
++	gnome_delete_gkeyringd_tmp_content(xdm_t)
 +	gnome_manage_config(xdm_t)
 +	gnome_manage_gconf_home_files(xdm_t)
 +	#gnome_filetrans_home_content(xdm_t)
@@ -23460,7 +23461,7 @@ index 2696452..b67997e 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +932,78 @@ optional_policy(`
+@@ -537,28 +933,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23548,7 +23549,7 @@ index 2696452..b67997e 100644
  ')
  
  optional_policy(`
-@@ -570,6 +1015,14 @@ optional_policy(`
+@@ -570,6 +1016,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23563,7 +23564,7 @@ index 2696452..b67997e 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -584,7 +1037,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -23572,7 +23573,7 @@ index 2696452..b67997e 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -594,8 +1047,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -23585,7 +23586,7 @@ index 2696452..b67997e 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1064,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23601,7 +23602,7 @@ index 2696452..b67997e 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1080,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -23612,7 +23613,7 @@ index 2696452..b67997e 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1095,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23634,7 +23635,7 @@ index 2696452..b67997e 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1115,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -23648,7 +23649,7 @@ index 2696452..b67997e 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1141,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -23680,7 +23681,7 @@ index 2696452..b67997e 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1173,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23698,7 +23699,7 @@ index 2696452..b67997e 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1196,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1197,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -23722,7 +23723,7 @@ index 2696452..b67997e 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1215,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -23731,7 +23732,7 @@ index 2696452..b67997e 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1259,44 @@ optional_policy(`
+@@ -775,16 +1260,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23777,7 +23778,7 @@ index 2696452..b67997e 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1305,10 @@ optional_policy(`
+@@ -793,6 +1306,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23788,7 +23789,7 @@ index 2696452..b67997e 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1324,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -23802,7 +23803,7 @@ index 2696452..b67997e 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1335,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -23811,7 +23812,7 @@ index 2696452..b67997e 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1348,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1349,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23846,7 +23847,7 @@ index 2696452..b67997e 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1413,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23855,7 +23856,7 @@ index 2696452..b67997e 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1467,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -23887,7 +23888,7 @@ index 2696452..b67997e 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1513,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1514,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 69b9cf3..6927ccb 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -519,7 +519,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..883dd05 100644
+index cc43d25..f71a133 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -528,7 +528,7 @@ index cc43d25..883dd05 100644
  
  ########################################
  #
-@@ -6,105 +6,128 @@ policy_module(abrt, 1.3.4)
+@@ -6,105 +6,131 @@ policy_module(abrt, 1.3.4)
  #
  
  ## <desc>
@@ -636,15 +636,15 @@ index cc43d25..883dd05 100644
 +ifdef(`enable_mcs',`
 +	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
 +')
++
++#
++# Support for ABRT retrace server
  
 -type abrt_retrace_worker_t, abrt_domain;
 -type abrt_retrace_worker_exec_t;
 -domain_type(abrt_retrace_worker_t)
 -domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
 +#
-+# Support for ABRT retrace server
-+
-+#
 +abrt_basic_types_template(abrt_retrace_worker)
 +application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
  role system_r types abrt_retrace_worker_t;
@@ -672,6 +672,9 @@ index cc43d25..883dd05 100644
 +# Support for abrt-upload-watch
 +abrt_basic_types_template(abrt_upload_watch)
 +init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
++
++type abrt_upload_watch_tmp_t;
++files_tmp_file(abrt_upload_watch_tmp_t)
  
  ########################################
  #
@@ -701,7 +704,7 @@ index cc43d25..883dd05 100644
  manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
  logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  
-@@ -112,23 +135,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +138,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -730,7 +733,7 @@ index cc43d25..883dd05 100644
  kernel_request_load_module(abrt_t)
  kernel_rw_kernel_sysctl(abrt_t)
  
-@@ -137,16 +162,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +165,14 @@ corecmd_exec_shell(abrt_t)
  corecmd_read_all_executables(abrt_t)
  
  corenet_all_recvfrom_netlabel(abrt_t)
@@ -749,7 +752,7 @@ index cc43d25..883dd05 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +186,37 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +189,37 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -790,7 +793,7 @@ index cc43d25..883dd05 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +224,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +227,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -807,7 +810,7 @@ index cc43d25..883dd05 100644
  ')
  
  optional_policy(`
-@@ -209,6 +236,16 @@ optional_policy(`
+@@ -209,6 +239,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -824,7 +827,7 @@ index cc43d25..883dd05 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -220,6 +257,7 @@ optional_policy(`
+@@ -220,6 +260,7 @@ optional_policy(`
  	corecmd_exec_all_executables(abrt_t)
  ')
  
@@ -832,7 +835,7 @@ index cc43d25..883dd05 100644
  optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +268,7 @@ optional_policy(`
+@@ -230,6 +271,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -840,7 +843,7 @@ index cc43d25..883dd05 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -240,9 +279,17 @@ optional_policy(`
+@@ -240,9 +282,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -859,7 +862,7 @@ index cc43d25..883dd05 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +300,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +303,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -874,7 +877,7 @@ index cc43d25..883dd05 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +319,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +322,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -882,7 +885,7 @@ index cc43d25..883dd05 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +328,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +331,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -903,7 +906,7 @@ index cc43d25..883dd05 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +349,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +352,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -930,7 +933,7 @@ index cc43d25..883dd05 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +385,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +388,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -944,7 +947,7 @@ index cc43d25..883dd05 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +403,11 @@ optional_policy(`
+@@ -330,10 +406,11 @@ optional_policy(`
  
  #######################################
  #
@@ -958,7 +961,7 @@ index cc43d25..883dd05 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +426,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +429,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1020,7 +1023,7 @@ index cc43d25..883dd05 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +484,29 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +487,47 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1037,23 +1040,41 @@ index cc43d25..883dd05 100644
  #
  
 -kernel_read_system_state(abrt_domain)
-+corecmd_exec_bin(abrt_upload_watch_t)
++allow abrt_upload_watch_t self:capability dac_override;
  
 -files_read_etc_files(abrt_domain)
++manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
++
++read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
+ 
+-logging_send_syslog_msg(abrt_domain)
++manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)
++
++corecmd_exec_bin(abrt_upload_watch_t)
++
++dev_read_urand(abrt_upload_watch_t)
++
++auth_read_passwd(abrt_upload_watch_t)
++
 +tunable_policy(`abrt_upload_watch_anon_write',`
 +    miscfiles_manage_public_files(abrt_upload_watch_t)
 +')
+ 
+-miscfiles_read_localization(abrt_domain)
++optional_policy(`
++    dbus_system_bus_client(abrt_upload_watch_t)
++')
 +
 +#######################################
 +#
 +# Local policy for all abrt domain
 +#
- 
--logging_send_syslog_msg(abrt_domain)
++
 +allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
 +allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
- 
--miscfiles_read_localization(abrt_domain)
++
 +files_read_etc_files(abrt_domain)
 diff --git a/accountsd.fc b/accountsd.fc
 index f9d8d7a..0682710 100644
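Review bot: The added `manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)` names the tmp file type as the source of the rule, so it grants nothing to the daemon; presumably no process ever runs as `abrt_upload_watch_tmp_t`. It looks like the domain was intended: `manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)`. Separately, `allow abrt_upload_watch_t self:capability dac_override;` lets the watcher bypass DAC checks on every file its type rules reach, and nothing in the hunk says which path needs it. A comment such as `# dac_override: <directory and owner that require it>`, or fixing the ownership of that directory instead, would make the grant reviewable.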
@@ -7416,7 +7437,7 @@ index 7268a04..6ffd87d 100644
  	domain_system_change_exemption($1)
  	role_transition $2 asterisk_initrc_exec_t system_r;
 diff --git a/asterisk.te b/asterisk.te
-index 5439f1c..74c24a3 100644
+index 5439f1c..4f8a8a5 100644
 --- a/asterisk.te
 +++ b/asterisk.te
 @@ -19,7 +19,7 @@ type asterisk_log_t;
@@ -7428,7 +7449,25 @@ index 5439f1c..74c24a3 100644
  
  type asterisk_tmp_t;
  files_tmp_file(asterisk_tmp_t)
-@@ -72,11 +72,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms;
+ read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+ read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+ 
+-append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+-create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+-setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
++manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
++manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
++logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir})
+ 
+ manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+ manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+ manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
++files_spool_file(asterisk_t, asterisk_spool_t, {dir file})
+ 
+ manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+ manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
  
  manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
  
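Review bot: The added `files_spool_file(asterisk_t, asterisk_spool_t, {dir file})` calls the interface that declares a type as a spool file, not the one that creates a type transition, so as written it appears to mark the domain `asterisk_t` as a spool file type and adds no transition. Given the commit's stated goal of fixing transition rules, `files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })` looks like what was meant. The same hunk replaces the append/create/setattr log patterns with `manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)`, which also lets the daemon rewrite and delete its own logs; the cups.te hunk at `@@ -133,28 +158,26 @@` does the same for `cupsd_log_t`. If only directory creation under the log directory was missing, keeping the append-only file patterns and adding just `manage_dirs_pattern` plus `logging_log_filetrans` would preserve the logs' resistance to tampering by a compromised service.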
@@ -7442,7 +7481,7 @@ index 5439f1c..74c24a3 100644
  can_exec(asterisk_t, asterisk_exec_t)
  
  kernel_read_kernel_sysctls(asterisk_t)
-@@ -87,7 +87,6 @@ kernel_request_load_module(asterisk_t)
+@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t)
  corecmd_exec_bin(asterisk_t)
  corecmd_exec_shell(asterisk_t)
  
@@ -7450,7 +7489,7 @@ index 5439f1c..74c24a3 100644
  corenet_all_recvfrom_netlabel(asterisk_t)
  corenet_tcp_sendrecv_generic_if(asterisk_t)
  corenet_udp_sendrecv_generic_if(asterisk_t)
-@@ -135,7 +134,6 @@ dev_read_urand(asterisk_t)
+@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t)
  
  domain_use_interactive_fds(asterisk_t)
  
@@ -7458,7 +7497,7 @@ index 5439f1c..74c24a3 100644
  files_search_spool(asterisk_t)
  files_dontaudit_search_home(asterisk_t)
  
-@@ -148,8 +146,6 @@ auth_use_nsswitch(asterisk_t)
+@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t)
  
  logging_send_syslog_msg(asterisk_t)
  
@@ -17056,7 +17095,7 @@ index 06da9a0..6d69a2f 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..ab0eee9 100644
+index 9f34c2e..09ef91c 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -17086,7 +17125,7 @@ index 9f34c2e..ab0eee9 100644
  files_config_file(cupsd_etc_t)
  
  type cupsd_initrc_exec_t;
-@@ -33,9 +38,13 @@ type cupsd_lock_t;
+@@ -33,13 +38,15 @@ type cupsd_lock_t;
  files_lock_file(cupsd_lock_t)
  
  type cupsd_log_t;
@@ -17099,9 +17138,14 @@ index 9f34c2e..ab0eee9 100644
 +
 +type cupsd_lpd_t, cups_domain;
  type cupsd_lpd_exec_t;
- domain_type(cupsd_lpd_t)
- domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
-@@ -47,7 +56,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
+-domain_type(cupsd_lpd_t)
+-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
+-role system_r types cupsd_lpd_t;
++init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
+ 
+ type cupsd_lpd_tmp_t;
+ files_tmp_file(cupsd_lpd_tmp_t)
+@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
  type cupsd_lpd_var_run_t;
  files_pid_file(cupsd_lpd_var_run_t)
  
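Review bot: The switch to `init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)` adds a new entry path into the domain without a comment saying why, while the policy still registers the same program through `inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)` further down. The cvs.te hunk at `@@ -11,11 +11,12 @@` likewise adds `init_domain(cvs_t, cvs_exec_t)` directly under `inetd_tcp_service_domain`. A one-line comment above each call, for example `# also started directly by init (presumably systemd socket activation) - confirm`, would tell a later reader which entry path is intended and whether the inetd one can be dropped. The removed `role system_r types cupsd_lpd_t;` is presumably covered by `init_domain`; that is worth confirming against the interface definition, which is not part of this hunk.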
@@ -17110,7 +17154,7 @@ index 9f34c2e..ab0eee9 100644
  type cups_pdf_exec_t;
  cups_backend(cups_pdf_t, cups_pdf_exec_t)
  
-@@ -55,29 +64,17 @@ type cups_pdf_tmp_t;
+@@ -55,29 +62,17 @@ type cups_pdf_tmp_t;
  files_tmp_file(cups_pdf_tmp_t)
  
  type cupsd_tmp_t;
@@ -17144,7 +17188,7 @@ index 9f34c2e..ab0eee9 100644
  
  type ptal_t;
  type ptal_exec_t;
-@@ -97,21 +94,49 @@ ifdef(`enable_mls',`
+@@ -97,21 +92,49 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
  ')
  
@@ -17198,7 +17242,7 @@ index 9f34c2e..ab0eee9 100644
  allow cupsd_t self:appletalk_socket create_socket_perms;
  
  allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-@@ -120,11 +145,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  
  manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -17212,8 +17256,15 @@ index 9f34c2e..ab0eee9 100644
  
  allow cupsd_t cupsd_exec_t:dir search_dir_perms;
  allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -139,22 +166,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -133,28 +158,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms;
+ files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+ 
+ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
++manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
  
 +manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
@@ -17240,7 +17291,7 @@ index 9f34c2e..ab0eee9 100644
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
  allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -162,11 +190,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -162,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
  can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
  
  kernel_read_system_state(cupsd_t)
@@ -17252,7 +17303,7 @@ index 9f34c2e..ab0eee9 100644
  corenet_all_recvfrom_netlabel(cupsd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_t)
  corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -189,12 +215,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -189,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_bind_all_rpc_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
  
@@ -17277,7 +17328,7 @@ index 9f34c2e..ab0eee9 100644
  dev_rw_input_dev(cupsd_t)
  dev_rw_generic_usb_dev(cupsd_t)
  dev_rw_usbfs(cupsd_t)
-@@ -206,7 +240,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -206,7 +235,6 @@ domain_use_interactive_fds(cupsd_t)
  files_getattr_boot_dirs(cupsd_t)
  files_list_spool(cupsd_t)
  files_read_etc_runtime_files(cupsd_t)
@@ -17285,7 +17336,7 @@ index 9f34c2e..ab0eee9 100644
  files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
-@@ -215,16 +248,17 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +243,17 @@ files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
  files_read_var_files(cupsd_t)
  files_read_var_symlinks(cupsd_t)
@@ -17305,7 +17356,7 @@ index 9f34c2e..ab0eee9 100644
  
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
-@@ -235,6 +269,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
@@ -17314,7 +17365,7 @@ index 9f34c2e..ab0eee9 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -247,21 +283,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -17340,7 +17391,7 @@ index 9f34c2e..ab0eee9 100644
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
  optional_policy(`
-@@ -275,6 +310,8 @@ optional_policy(`
+@@ -275,6 +305,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -17349,7 +17400,7 @@ index 9f34c2e..ab0eee9 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -285,8 +322,10 @@ optional_policy(`
+@@ -285,8 +317,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -17360,7 +17411,7 @@ index 9f34c2e..ab0eee9 100644
  	')
  ')
  
-@@ -299,8 +338,8 @@ optional_policy(`
+@@ -299,8 +333,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17370,7 +17421,7 @@ index 9f34c2e..ab0eee9 100644
  ')
  
  optional_policy(`
-@@ -309,7 +348,6 @@ optional_policy(`
+@@ -309,7 +343,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -17378,7 +17429,7 @@ index 9f34c2e..ab0eee9 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -337,7 +375,11 @@ optional_policy(`
+@@ -337,7 +370,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17391,7 +17442,7 @@ index 9f34c2e..ab0eee9 100644
  ')
  
  ########################################
-@@ -345,12 +387,11 @@ optional_policy(`
+@@ -345,12 +382,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -17407,7 +17458,7 @@ index 9f34c2e..ab0eee9 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -375,18 +416,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -17428,7 +17479,7 @@ index 9f34c2e..ab0eee9 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +434,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -17449,7 +17500,7 @@ index 9f34c2e..ab0eee9 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +451,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -17461,7 +17512,7 @@ index 9f34c2e..ab0eee9 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +478,12 @@ optional_policy(`
+@@ -452,9 +473,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17475,7 +17526,7 @@ index 9f34c2e..ab0eee9 100644
  ')
  
  optional_policy(`
-@@ -490,10 +519,6 @@ optional_policy(`
+@@ -490,10 +514,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -17486,7 +17537,7 @@ index 9f34c2e..ab0eee9 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +536,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +531,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -17519,7 +17570,7 @@ index 9f34c2e..ab0eee9 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -546,7 +562,6 @@ optional_policy(`
+@@ -546,7 +557,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -17527,7 +17578,7 @@ index 9f34c2e..ab0eee9 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +577,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +572,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -17679,7 +17730,7 @@ index 9f34c2e..ab0eee9 100644
  
  ########################################
  #
-@@ -731,7 +621,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +616,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -17687,7 +17738,7 @@ index 9f34c2e..ab0eee9 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +630,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +625,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -17701,7 +17752,7 @@ index 9f34c2e..ab0eee9 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -755,8 +642,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +637,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -17710,7 +17761,7 @@ index 9f34c2e..ab0eee9 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -769,3 +654,4 @@ optional_policy(`
+@@ -769,3 +649,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -17760,10 +17811,10 @@ index 9fa7ffb..fd3262c 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cvs_initrc_exec_t system_r;
 diff --git a/cvs.te b/cvs.te
-index 53fc3af..25b3285 100644
+index 53fc3af..989aabf 100644
 --- a/cvs.te
 +++ b/cvs.te
-@@ -11,7 +11,7 @@ policy_module(cvs, 1.9.1)
+@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
  ##	password files.
  ##	</p>
  ## </desc>
@@ -17772,7 +17823,12 @@ index 53fc3af..25b3285 100644
  
  type cvs_t;
  type cvs_exec_t;
-@@ -58,6 +58,14 @@ kernel_read_network_state(cvs_t)
+ inetd_tcp_service_domain(cvs_t, cvs_exec_t)
++init_domain(cvs_t, cvs_exec_t)
+ application_executable_file(cvs_exec_t)
+ 
+ type cvs_data_t; # customizable
+@@ -58,6 +59,14 @@ kernel_read_network_state(cvs_t)
  corecmd_exec_bin(cvs_t)
  corecmd_exec_shell(cvs_t)
  
@@ -17787,7 +17843,7 @@ index 53fc3af..25b3285 100644
  dev_read_urand(cvs_t)
  
  files_read_etc_runtime_files(cvs_t)
-@@ -70,18 +78,18 @@ auth_use_nsswitch(cvs_t)
+@@ -70,18 +79,18 @@ auth_use_nsswitch(cvs_t)
  
  init_read_utmp(cvs_t)
  
@@ -17809,7 +17865,7 @@ index 53fc3af..25b3285 100644
  	allow cvs_t self:capability dac_override;
  	auth_tunable_read_shadow(cvs_t)
  ')
-@@ -103,4 +111,5 @@ optional_policy(`
+@@ -103,4 +112,5 @@ optional_policy(`
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -23596,7 +23652,7 @@ index 79b9273..76b7ed5 100644
  logging_send_syslog_msg(fcoemon_t)
  
 diff --git a/fetchmail.fc b/fetchmail.fc
-index 2486e2a..72143ee 100644
+index 2486e2a..fef9bff 100644
 --- a/fetchmail.fc
 +++ b/fetchmail.fc
 @@ -1,4 +1,5 @@
@@ -23610,7 +23666,7 @@ index 2486e2a..72143ee 100644
  /var/mail/\.fetchmail-UIDL-cache	--	gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
  
 -/var/run/fetchmail/.*	--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
-+/var/run/fetchmail.*	--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
++/var/run/fetchmail.*	    gen_context(system_u:object_r:fetchmail_var_run_t,s0)
 diff --git a/fetchmail.if b/fetchmail.if
 index c3f7916..cab3954 100644
 --- a/fetchmail.if
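Review bot: The new file-context regex `/var/run/fetchmail.*` is an unanchored prefix match with no file-type field, so it labels every object class whose path merely starts with /var/run/fetchmail, not only the fetchmail directory and its pid files. If the intent is the directory tree, `/var/run/fetchmail(/.*)?` states it exactly. A pid file that sits directly in /var/run would then need its own entry, with an escaped dot and the `--` specifier. Keeping the match tight matters because fetchmail_var_run_t is presumably writable by the daemon domain, and anything that picks up the label inherits that access.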
@@ -24891,7 +24947,7 @@ index 1e29af1..c67e44e 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index 93b0301..11a76a5 100644
+index 93b0301..eafea5b 100644
 --- a/git.te
 +++ b/git.te
 @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -24909,7 +24965,13 @@ index 93b0301..11a76a5 100644
  ##	Determine whether Git system daemon
  ##	can search home directories.
  ##	</p>
-@@ -92,10 +84,10 @@ type git_session_t, git_daemon;
+@@ -87,15 +79,16 @@ apache_content_template(git)
+ type git_system_t, git_daemon;
+ type gitd_exec_t;
+ inetd_service_domain(git_system_t, gitd_exec_t)
++init_domain(git_system_t, gitd_exec_t)
+ 
+ type git_session_t, git_daemon;
  userdom_user_application_domain(git_session_t, gitd_exec_t)
  role git_session_roles types git_session_t;
  
@@ -24922,7 +24984,7 @@ index 93b0301..11a76a5 100644
  userdom_user_home_content(git_user_content_t)
  
  ########################################
-@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+@@ -109,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
  read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
  userdom_search_user_home_dirs(git_session_t)
  
@@ -24931,7 +24993,7 @@ index 93b0301..11a76a5 100644
  corenet_all_recvfrom_netlabel(git_session_t)
  corenet_all_recvfrom_unlabeled(git_session_t)
  corenet_tcp_bind_generic_node(git_session_t)
-@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
+@@ -129,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
  	corenet_tcp_sendrecv_all_ports(git_session_t)
  ')
  
@@ -24942,7 +25004,7 @@ index 93b0301..11a76a5 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_getattr_nfs(git_session_t)
-@@ -157,6 +149,9 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -157,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',`
  list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
  read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
  
@@ -24952,7 +25014,7 @@ index 93b0301..11a76a5 100644
  files_search_var_lib(git_system_t)
  
  auth_use_nsswitch(git_system_t)
-@@ -255,12 +250,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -255,12 +251,9 @@ tunable_policy(`git_cgi_use_nfs',`
  
  allow git_daemon self:fifo_file rw_fifo_file_perms;
  
@@ -25335,10 +25397,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..06e17e3
+index 0000000..a19c35c
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,169 @@
+@@ -0,0 +1,170 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +## <desc>
@@ -25420,7 +25482,8 @@ index 0000000..06e17e3
 +
 +manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
 +manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
++manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
 +
 +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
@@ -25788,7 +25851,7 @@ index e39de43..5818f74 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..e334392 100644
+index d03fd43..71aa685 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,123 +1,155 @@
@@ -26870,7 +26933,7 @@ index d03fd43..e334392 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -704,12 +795,830 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +795,851 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -26967,6 +27030,27 @@ index d03fd43..e334392 100644
 +
 +#######################################
 +## <summary>
++##  Delete gkeyringd temporary
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gnome_delete_gkeyringd_tmp_content',`
++    gen_require(`
++        type gkeyringd_tmp_t;
++    ')
++
++    files_search_tmp($1)
++    delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++    delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++    delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++')
++
++#######################################
++## <summary>
 +##  Manage gkeyringd temporary directories.
 +## </summary>
 +## <param name="domain">
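Review bot: The summary of the new `gnome_delete_gkeyringd_tmp_content` interface is cut off at "Delete gkeyringd temporary", so the generated interface documentation does not say what the caller may delete. The body grants delete on directories, files and socket files of gkeyringd_tmp_t, so the summary line could read `##  Delete gkeyringd temporary directories, files and sock files.`. Stating the three classes also makes it clear that this interface is wider than the neighbouring directory-only one.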
@@ -26981,7 +27065,7 @@ index d03fd43..e334392 100644
 +    ')
 +
 +    files_search_tmp($1)
-+	manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++    manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
 +')
 +
 +########################################
@@ -29564,19 +29648,22 @@ index e207823..4e0f8ba 100644
  
 diff --git a/hypervkvp.fc b/hypervkvp.fc
 new file mode 100644
-index 0000000..2a69ee4
+index 0000000..3f82945
 --- /dev/null
 +++ b/hypervkvp.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,6 @@
 +/etc/rc\.d/init\.d/hypervkvpd	--	gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
 +
 +/usr/sbin/hv_kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
++/usr/sbin/hypervkvpd		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
++
++/var/lib/hyperv(/.*)?		gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
 diff --git a/hypervkvp.if b/hypervkvp.if
 new file mode 100644
-index 0000000..7743be5
+index 0000000..17c3627
 --- /dev/null
 +++ b/hypervkvp.if
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,111 @@
 +
 +## <summary>policy for hypervkvp</summary>
 +
@@ -29598,12 +29685,102 @@ index 0000000..7743be5
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
 +')
++
++########################################
++## <summary>
++##	Search hypervkvp lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`hypervkvp_search_lib',`
++	gen_require(`
++		type hypervkvp_var_lib_t;
++	')
++
++	allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read hypervkvp lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`hypervkvp_read_lib_files',`
++	gen_require(`
++		type hypervkvp_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
++	read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	hypervkvp lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`hypervkvp_manage_lib_files',`
++	gen_require(`
++		type hypervkvp_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an hypervkvp environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`hypervkvp_admin',`
++	gen_require(`
++		type hypervkvp_t;
++		type hypervkvp_unit_file_t;
++	')
++
++	allow $1 hypervkvp_t:process signal_perms;
++	ps_process_pattern($1, hypervkvp_t)
++
++	tunable_policy(`deny_ptrace',`',`
++		allow $1 hypervkvp_t:process ptrace;
++	')
++
++	hypervkvp_manage_lib_files($1)
++
++	hypervkvp_systemctl($1)
++	admin_pattern($1, hypervkvp_unit_file_t)
++	allow $1 hypervkvp_unit_file_t:service all_service_perms;
++')
 diff --git a/hypervkvp.te b/hypervkvp.te
 new file mode 100644
-index 0000000..fd3b26b
+index 0000000..63591db
 --- /dev/null
 +++ b/hypervkvp.te
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,36 @@
 +policy_module(hypervkvp, 1.0.0)
 +
 +########################################
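Review bot: `hypervkvp_admin` requires `hypervkvp_unit_file_t` and calls `hypervkvp_systemctl($1)`, but nothing visible in this commit provides either. hypervkvp.if grows from 21 to 111 lines with only the four interfaces shown here, and the hypervkvp.te lines that are visible declare the initrc and var_lib types but no unit-file type. If they are indeed missing, the first caller of the admin interface would fail to build. Either add `type hypervkvp_unit_file_t;` with `systemd_unit_file(hypervkvp_unit_file_t)` and a systemctl interface, as the ktalk change in this same commit does, or drop the three unit-file lines from hypervkvp_admin. The part of hypervkvp.te before its first visible hunk is not shown, so the type declaration should be checked there.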
@@ -29618,15 +29795,23 @@ index 0000000..fd3b26b
 +type hypervkvp_initrc_exec_t;
 +init_script_file(hypervkvp_initrc_exec_t)
 +
++type hypervkvp_var_lib_t;
++files_type(hypervkvp_var_lib_t)
++
 +########################################
 +#
 +# hypervkvp local policy
 +#
 +#
-+
++allow hypervkvp_t self:capability net_admin;
++allow hypervkvp_t self:netlink_socket create_socket_perms;
 +allow hypervkvp_t self:fifo_file rw_fifo_file_perms;
 +allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms;
 +
++manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
++
 +logging_send_syslog_msg(hypervkvp_t)
 +
 +miscfiles_read_localization(hypervkvp_t)
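Review bot: `net_admin` and a generic `netlink_socket` are granted to hypervkvp_t with no comment on what needs them, and both are broad. net_admin covers most network reconfiguration, and the generic class is not tied to a single netlink protocol. A one-line why-comment above the two allow rules, naming the operation or the denial that motivated them, would let a later reviewer judge whether they can be narrowed. The change also drops the blank line that separated the section banner from the first rule.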
@@ -31646,7 +31831,7 @@ index a49ae4e..913a0e3 100644
 -/usr/sbin/kexec	--	gen_context(system_u:object_r:kdump_exec_t,s0)
 +/var/crash(/.*)?		gen_context(system_u:object_r:kdump_crash_t,s0)
 diff --git a/kdump.if b/kdump.if
-index 3a00b3a..b835e95 100644
+index 3a00b3a..7cc27b6 100644
 --- a/kdump.if
 +++ b/kdump.if
 @@ -1,4 +1,4 @@
@@ -31717,7 +31902,7 @@ index 3a00b3a..b835e95 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -56,10 +100,66 @@ interface(`kdump_read_config',`
+@@ -56,10 +100,67 @@ interface(`kdump_read_config',`
  	allow $1 kdump_etc_t:file read_file_perms;
  ')
  
@@ -31738,6 +31923,7 @@ index 3a00b3a..b835e95 100644
 +
 +	files_search_var($1)
 +	read_files_pattern($1, kdump_crash_t, kdump_crash_t)
++    list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
 +')
 +
 +
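Review bot: The added `list_dirs_pattern` line in kdump_read_crash is indented with four spaces while the neighbouring lines of the interface use a tab. The same mix appears in this commit in ktalk_systemctl, in lsmd_systemctl and in the logwatch_can_sendmail tunable block. Re-indenting those lines with a tab keeps the files consistent. The interface begins outside this hunk.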
@@ -31786,7 +31972,7 @@ index 3a00b3a..b835e95 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -76,10 +176,31 @@ interface(`kdump_manage_config',`
+@@ -76,10 +177,31 @@ interface(`kdump_manage_config',`
  	allow $1 kdump_etc_t:file manage_file_perms;
  ')
  
@@ -31820,7 +32006,7 @@ index 3a00b3a..b835e95 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -88,19 +209,24 @@ interface(`kdump_manage_config',`
+@@ -88,19 +210,24 @@ interface(`kdump_manage_config',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -31850,7 +32036,7 @@ index 3a00b3a..b835e95 100644
  
  	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -110,6 +236,10 @@ interface(`kdump_admin',`
+@@ -110,6 +237,10 @@ interface(`kdump_admin',`
  	files_search_etc($1)
  	admin_pattern($1, kdump_etc_t)
  
@@ -33844,11 +34030,124 @@ index c1539b5..fd0a17f 100644
 +    fs_read_cifs_files(ksmtuned_t)
 +	samba_read_share_files(ksmtuned_t)
 +')
+diff --git a/ktalk.fc b/ktalk.fc
+index 38ecb07..451067e 100644
+--- a/ktalk.fc
++++ b/ktalk.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/ntalk.*  --  gen_context(system_u:object_r:ktalkd_unit_file_t,s0)
++
+ /usr/bin/ktalkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
+ 
+ /usr/sbin/in\.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
+diff --git a/ktalk.if b/ktalk.if
+index 19777b8..63d46d3 100644
+--- a/ktalk.if
++++ b/ktalk.if
+@@ -1 +1,81 @@
+-## <summary>KDE Talk daemon.</summary>
++
++## <summary>talk-server - daemon programs for the Internet talk </summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the ktalkd domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ktalk_domtrans',`
++	gen_require(`
++		type ktalkd_t, ktalkd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, ktalkd_exec_t, ktalkd_t)
++')
++########################################
++## <summary>
++##	Execute ktalkd server in the ktalkd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`ktalk_systemctl',`
++	gen_require(`
++		type ktalkd_t;
++		type ktalkd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 ktalkd_unit_file_t:file read_file_perms;
++	allow $1 ktalkd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, ktalkd_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an ktalkd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`ktalk_admin',`
++	gen_require(`
++		type ktalkd_t;
++	    type ktalkd_unit_file_t;
++	')
++
++	allow $1 ktalkd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, ktalkd_t)
++
++	ktalk_systemctl($1)
++	admin_pattern($1, ktalkd_unit_file_t)
++	allow $1 ktalkd_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
 diff --git a/ktalk.te b/ktalk.te
-index 2cf3815..2c4c979 100644
+index 2cf3815..cb979b0 100644
 --- a/ktalk.te
 +++ b/ktalk.te
-@@ -35,16 +35,23 @@ kernel_read_kernel_sysctls(ktalkd_t)
+@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1)
+ 
+ type ktalkd_t;
+ type ktalkd_exec_t;
++init_domain(ktalkd_t, ktalkd_exec_t)
+ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
+ 
+ type ktalkd_log_t;
+ logging_log_file(ktalkd_log_t)
+ 
++type ktalkd_unit_file_t;
++systemd_unit_file(ktalkd_unit_file_t)
++
+ type ktalkd_tmp_t;
+ files_tmp_file(ktalkd_tmp_t)
+ 
+@@ -35,16 +39,23 @@ kernel_read_kernel_sysctls(ktalkd_t)
  kernel_read_system_state(ktalkd_t)
  kernel_read_network_state(ktalkd_t)
  
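Review bot: `ktalk_admin` grants `ptrace` on ktalkd_t unconditionally, so the grant ignores the deny_ptrace boolean that `hypervkvp_admin` in this same commit checks before allowing ptrace. I would reduce the first rule to `allow $1 ktalkd_t:process signal_perms;` and move the ptrace rule into a tunable_policy block on deny_ptrace, written the way hypervkvp_admin does it. The interface also documents a `role` parameter that the body never uses. In the documentation, the first summary still reads "Execute TEMPLATE in the ktalkd domin.", and the summary of `ktalk_systemctl` describes a domain transition rather than systemctl access to the unit file.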
@@ -35413,11 +35712,20 @@ index 7bab8e5..b88bbf3 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..a8dde53 100644
+index 4256a4c..30e3cd2 100644
 --- a/logwatch.te
 +++ b/logwatch.te
-@@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6)
+@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
+ # Declarations
+ #
  
++## <desc>
++## <p>
++## Allow epylog to send mail
++## </p>
++## </desc>
++gen_tunable(logwatch_can_sendmail, false)
++
  type logwatch_t;
  type logwatch_exec_t;
 -init_system_domain(logwatch_t, logwatch_exec_t)
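Review bot: The description of the new boolean says "Allow epylog to send mail", but the boolean is named `logwatch_can_sendmail` and the tunable_policy block added later in this file (the hunk at `-145,6 +159,13`) applies to logwatch_t. That block also allows connecting to the POP port, which a boolean named for sending mail does not suggest to an administrator who enables it. I would either drop the two `pop` lines or make the description say what is opened, for example `## Determine whether logwatch can connect to SMTP and POP ports.`.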
@@ -35426,7 +35734,7 @@ index 4256a4c..a8dde53 100644
  
  type logwatch_cache_t;
  files_type(logwatch_cache_t)
-@@ -37,7 +38,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
+@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
  manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
  manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
  
@@ -35436,7 +35744,7 @@ index 4256a4c..a8dde53 100644
  files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
  
  manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
-@@ -67,10 +69,11 @@ files_list_var(logwatch_t)
+@@ -67,10 +76,11 @@ files_list_var(logwatch_t)
  files_search_all(logwatch_t)
  files_read_var_symlinks(logwatch_t)
  files_read_etc_runtime_files(logwatch_t)
@@ -35449,7 +35757,7 @@ index 4256a4c..a8dde53 100644
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
-@@ -92,13 +95,12 @@ libs_read_lib_files(logwatch_t)
+@@ -92,13 +102,12 @@ libs_read_lib_files(logwatch_t)
  logging_read_all_logs(logwatch_t)
  logging_send_syslog_msg(logwatch_t) 
  
@@ -35464,7 +35772,7 @@ index 4256a4c..a8dde53 100644
  
  mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
  mta_getattr_spool(logwatch_t)
-@@ -137,6 +139,11 @@ optional_policy(`
+@@ -137,6 +146,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35476,7 +35784,21 @@ index 4256a4c..a8dde53 100644
  	rpc_search_nfs_state_data(logwatch_t)
  ')
  
-@@ -164,6 +171,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -145,6 +159,13 @@ optional_policy(`
+ 	samba_read_share_files(logwatch_t)
+ ')
+ 
++tunable_policy(`logwatch_can_sendmail',`
++    corenet_tcp_connect_smtp_port(logwatch_t)
++    corenet_sendrecv_smtp_client_packets(logwatch_t)
++    corenet_tcp_connect_pop_port(logwatch_t)
++    corenet_sendrecv_pop_client_packets(logwatch_t)
++')
++
+ ########################################
+ #
+ # Mail local policy
+@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t)
  
  logging_read_all_logs(logwatch_mail_t)
  
@@ -35843,10 +36165,10 @@ index 0000000..711c04b
 +/var/run/lsm(/.*)?	--	gen_context(system_u:object_r:lsmd_var_run_t,s0)
 diff --git a/lsm.if b/lsm.if
 new file mode 100644
-index 0000000..aaf4080
+index 0000000..e8d4ce2
 --- /dev/null
 +++ b/lsm.if
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,104 @@
 +
 +## <summary>libStorageMgmt  plug-in  daemon </summary>
 +
@@ -35904,7 +36226,7 @@ index 0000000..aaf4080
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
++    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 lsmd_unit_file_t:file read_file_perms;
 +	allow $1 lsmd_unit_file_t:service manage_service_perms;
 +
@@ -35945,6 +36267,7 @@ index 0000000..aaf4080
 +	lsmd_systemctl($1)
 +	admin_pattern($1, lsmd_unit_file_t)
 +	allow $1 lsmd_unit_file_t:service all_service_perms;
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
@@ -35952,10 +36275,10 @@ index 0000000..aaf4080
 +')
 diff --git a/lsm.te b/lsm.te
 new file mode 100644
-index 0000000..14fe4d7
+index 0000000..fc42149
 --- /dev/null
 +++ b/lsm.te
-@@ -0,0 +1,31 @@
+@@ -0,0 +1,32 @@
 +policy_module(lsm, 1.0.0)
 +
 +########################################
@@ -35985,6 +36308,7 @@ index 0000000..14fe4d7
 +manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 +manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 +manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
 +
 +logging_send_syslog_msg(lsmd_t)
 diff --git a/mailman.fc b/mailman.fc
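Review bot: The added `files_pid_filetrans` makes lsmd_t create directories and socket files as lsmd_var_run_t, but the lsm.fc entry visible as context earlier in this diff is `/var/run/lsm(/.*)?	--	gen_context(...)`, which matches regular files only. A relabel would therefore not restore lsmd_var_run_t on the directory or the socket, and the daemon would lose access to them. Dropping the `--` so that the entry reads `/var/run/lsm(/.*)?		gen_context(system_u:object_r:lsmd_var_run_t,s0)` keeps the file contexts in step with the transition rule.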
@@ -42917,10 +43241,17 @@ index b744fe3..4c1b6a8 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index 97370e4..92138ca 100644
+index 97370e4..3549b8f 100644
 --- a/munin.te
 +++ b/munin.te
-@@ -40,12 +40,15 @@ munin_plugin_template(services)
+@@ -37,15 +37,22 @@ munin_plugin_template(disk)
+ munin_plugin_template(mail)
+ munin_plugin_template(selinux)
+ munin_plugin_template(services)
++
++type services_munin_plugin_tmpfs_t;
++files_tmpfs_file(services_munin_plugin_tmpfs_t)
++
  munin_plugin_template(system)
  munin_plugin_template(unconfined)
  
@@ -42937,7 +43268,7 @@ index 97370e4..92138ca 100644
  allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
  
  allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -58,23 +61,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
  
  manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
  
@@ -42962,7 +43293,7 @@ index 97370e4..92138ca 100644
  
  optional_policy(`
  	nscd_use(munin_plugin_domain)
-@@ -114,7 +111,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -42971,7 +43302,7 @@ index 97370e4..92138ca 100644
  
  manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
  manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -130,7 +127,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
  corecmd_exec_bin(munin_t)
  corecmd_exec_shell(munin_t)
  
@@ -42979,7 +43310,7 @@ index 97370e4..92138ca 100644
  corenet_all_recvfrom_netlabel(munin_t)
  corenet_tcp_sendrecv_generic_if(munin_t)
  corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -153,7 +149,6 @@ domain_use_interactive_fds(munin_t)
+@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t)
  domain_read_all_domains_state(munin_t)
  
  files_read_etc_runtime_files(munin_t)
@@ -42987,7 +43318,7 @@ index 97370e4..92138ca 100644
  files_list_spool(munin_t)
  
  fs_getattr_all_fs(munin_t)
-@@ -165,7 +160,6 @@ logging_send_syslog_msg(munin_t)
+@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t)
  logging_read_all_logs(munin_t)
  
  miscfiles_read_fonts(munin_t)
@@ -42995,7 +43326,7 @@ index 97370e4..92138ca 100644
  miscfiles_setattr_fonts_cache_dirs(munin_t)
  
  sysnet_exec_ifconfig(munin_t)
-@@ -173,13 +167,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
  userdom_dontaudit_use_unpriv_user_fds(munin_t)
  userdom_dontaudit_search_user_home_dirs(munin_t)
  
@@ -43009,7 +43340,7 @@ index 97370e4..92138ca 100644
  
  optional_policy(`
  	cron_system_entry(munin_t, munin_exec_t)
-@@ -213,7 +200,6 @@ optional_policy(`
+@@ -213,7 +204,6 @@ optional_policy(`
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -43017,7 +43348,7 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -242,21 +228,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -43045,7 +43376,7 @@ index 97370e4..92138ca 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -268,6 +256,10 @@ optional_policy(`
+@@ -268,6 +260,10 @@ optional_policy(`
  	fstools_exec(disk_munin_plugin_t)
  ')
  
@@ -43056,7 +43387,7 @@ index 97370e4..92138ca 100644
  ####################################
  #
  # Mail local policy
-@@ -275,27 +267,36 @@ optional_policy(`
+@@ -275,27 +271,36 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -43097,7 +43428,17 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -331,7 +332,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow services_munin_plugin_t self:udp_socket create_socket_perms;
+ allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+ 
++manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
++manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
++
+ corenet_sendrecv_all_client_packets(services_munin_plugin_t)
+ corenet_tcp_connect_all_ports(services_munin_plugin_t)
+ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t)
  sysnet_read_config(services_munin_plugin_t)
  
  optional_policy(`
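Review bot: The two manage patterns give services_munin_plugin_t access to services_munin_plugin_tmpfs_t, but this commit adds no type transition, so objects the plugin creates on tmpfs would keep the default tmpfs label and these rules would never match. The hunk offsets show that munin.te gains only the four declaration lines and these three lines. Unless the plugin template already supplies a transition (not visible here), add `fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { dir file })` after the manage patterns. Without it, the likely follow-up to the resulting denials is a broader allow on tmpfs_t, which is what the private type is meant to avoid.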
@@ -43106,7 +43447,7 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -353,7 +354,11 @@ optional_policy(`
+@@ -353,7 +361,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43119,7 +43460,7 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -385,6 +390,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -43127,7 +43468,7 @@ index 97370e4..92138ca 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +419,31 @@ optional_policy(`
+@@ -413,3 +426,31 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -43752,7 +44093,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 9f6179e..94457fe 100644
+index 9f6179e..3c7bbd8 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -1,4 +1,4 @@
@@ -43925,7 +44266,7 @@ index 9f6179e..94457fe 100644
  	seutil_sigchld_newrole(mysqld_t)
  ')
  
-@@ -153,29 +160,23 @@ optional_policy(`
+@@ -153,29 +160,24 @@ optional_policy(`
  
  #######################################
  #
@@ -43952,6 +44293,7 @@ index 9f6179e..94457fe 100644
 -allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 +list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
++manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 +manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  
  manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
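Review bot: `manage_lnk_files_pattern` lets mysqld_safe_t create, write and unlink symlinks labelled mysqld_log_t, which is more than following an existing link in the log directory requires. If the wrapper only has to resolve a link that an administrator placed there, `read_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` would cover it. A start-up wrapper that can create links in the same directory it writes logs into is a common ingredient of symlink-redirect problems. If link creation really is needed, a comment naming what creates the links would help the next reviewer.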
@@ -43962,7 +44304,7 @@ index 9f6179e..94457fe 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,17 +188,21 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -187,17 +189,21 @@ dev_list_sysfs(mysqld_safe_t)
  
  domain_read_all_domains_state(mysqld_safe_t)
  
@@ -43990,7 +44332,7 @@ index 9f6179e..94457fe 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -205,7 +210,7 @@ optional_policy(`
+@@ -205,7 +211,7 @@ optional_policy(`
  
  ########################################
  #
@@ -43999,7 +44341,7 @@ index 9f6179e..94457fe 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +219,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +220,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -44017,7 +44359,7 @@ index 9f6179e..94457fe 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -226,31 +232,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +233,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -45596,7 +45938,7 @@ index 0e8508c..0b68b86 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..2de59df 100644
+index 0b48a30..2b6c69a 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -45636,7 +45978,7 @@ index 0b48a30..2de59df 100644
 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 +# networkmanager will ptrace itself if gdb is installed
 +# and it receives a unexpected signal (rh bug #204161)
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
 +dontaudit NetworkManager_t self:capability sys_tty_config;
 +ifdef(`hide_broken_symptoms',`
 +	# caused by some bogus kernel code
@@ -50475,10 +50817,10 @@ index 0000000..598789a
 +
 diff --git a/openhpid.te b/openhpid.te
 new file mode 100644
-index 0000000..be2a88d
+index 0000000..51acfae
 --- /dev/null
 +++ b/openhpid.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,47 @@
 +policy_module(openhpid, 1.0.0)
 +
 +########################################
@@ -50505,7 +50847,7 @@ index 0000000..be2a88d
 +#
 +
 +allow openhpid_t self:capability { kill };
-+allow openhpid_t self:process { fork signal };
++allow openhpid_t self:process signal_perms;
 +
 +allow openhpid_t self:fifo_file rw_fifo_file_perms;
 +allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
@@ -50523,11 +50865,8 @@ index 0000000..be2a88d
 +corenet_tcp_bind_generic_node(openhpid_t)
 +corenet_tcp_bind_openhpid_port(openhpid_t)
 +
-+domain_use_interactive_fds(openhpid_t)
-+
 +dev_read_urand(openhpid_t)
 +
-+
 +logging_send_syslog_msg(openhpid_t)
 diff --git a/openshift-origin.fc b/openshift-origin.fc
 new file mode 100644
@@ -52385,7 +52724,7 @@ index 9b15730..eedd136 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..f025b03 100644
+index 508fedf..a499612 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -1,4 +1,4 @@
@@ -52408,7 +52747,13 @@ index 508fedf..f025b03 100644
  
  type openvswitch_var_lib_t;
  files_type(openvswitch_var_lib_t)
-@@ -24,20 +21,27 @@ logging_log_file(openvswitch_log_t)
+@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t)
+ type openvswitch_log_t;
+ logging_log_file(openvswitch_log_t)
+ 
++type openvswitch_tmp_t;
++files_tmp_file(openvswitch_tmp_t)
++
  type openvswitch_var_run_t;
  files_pid_file(openvswitch_var_run_t)
  
@@ -52432,19 +52777,19 @@ index 508fedf..f025b03 100644
 +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow openvswitch_t self:netlink_socket create_socket_perms;
 +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
-+
-+can_exec(openvswitch_t, openvswitch_exec_t)
  
 -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
++can_exec(openvswitch_t, openvswitch_exec_t)
++
 +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
  
  manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
  manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,9 +49,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
  files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
  
  manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -52455,7 +52800,14 @@ index 508fedf..f025b03 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -57,33 +59,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
++manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
++
+ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
  
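Review bot: The new `files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })` leaves out `lnk_file`, although the line just above it grants `manage_lnk_files_pattern` on openvswitch_tmp_t. The var_lib, log and pid transitions visible in this file all use `{ dir file lnk_file }`. As written, a symlink that openvswitch_t creates directly in the tmp directory would not be labelled openvswitch_tmp_t. Either drop the lnk_file manage rule if symlinks are not needed, which is the tighter choice for a shared directory, or make the transition `files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { dir file lnk_file })`.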
@@ -57060,7 +57412,7 @@ index ae27bb7..d00f6ba 100644
 +	allow $1 polipo_unit_file_t:service all_service_perms;
  ')
 diff --git a/polipo.te b/polipo.te
-index 316d53a..79b5c4f 100644
+index 316d53a..388d659 100644
 --- a/polipo.te
 +++ b/polipo.te
 @@ -1,4 +1,4 @@
@@ -57174,10 +57526,14 @@ index 316d53a..79b5c4f 100644
 -userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
 -
 -auth_use_nsswitch(polipo_session_t)
+-
+-userdom_use_user_terminals(polipo_session_t)
 +allow polipo_daemon self:fifo_file rw_fifo_file_perms;
 +allow polipo_daemon self:tcp_socket { listen accept };
  
--userdom_use_user_terminals(polipo_session_t)
+-tunable_policy(`polipo_session_send_syslog_msg',`
+-	logging_send_syslog_msg(polipo_session_t)
+-')
 +corenet_tcp_bind_generic_node(polipo_daemon)
 +corenet_tcp_sendrecv_generic_if(polipo_daemon)
 +corenet_tcp_sendrecv_generic_node(polipo_daemon)
@@ -57185,10 +57541,7 @@ index 316d53a..79b5c4f 100644
 +corenet_tcp_bind_http_cache_port(polipo_daemon)
 +corenet_sendrecv_http_cache_server_packets(polipo_daemon)
 +corenet_tcp_connect_http_port(polipo_daemon)
- 
--tunable_policy(`polipo_session_send_syslog_msg',`
--	logging_send_syslog_msg(polipo_session_t)
--')
++corenet_tcp_connect_tor_port(polipo_daemon)
  
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_read_nfs_files(polipo_session_t)
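Review bot: `corenet_tcp_connect_tor_port(polipo_daemon)` is added unconditionally, so every domain that carries polipo_daemon gains outbound access to Tor ports. polipo_daemon looks like an attribute shared by the system and session proxies, but its declaration is outside the hunk. Hosts that never chain polipo to Tor get the extra egress without needing it. Consider moving the call into a `tunable_policy` block controlled by a new boolean that defaults to off, or at least put a comment above it such as `# polipo may forward requests to a local tor client`. The network rule block it joins starts outside the hunk.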
@@ -71664,10 +72017,18 @@ index 050479d..0e1b364 100644
  		type rlogind_home_t;
  	')
 diff --git a/rlogin.te b/rlogin.te
-index d34cdec..f41c9c5 100644
+index d34cdec..eeeee9b 100644
 --- a/rlogin.te
 +++ b/rlogin.te
-@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
+@@ -9,6 +9,7 @@ type rlogind_t;
+ type rlogind_exec_t;
+ auth_login_pgm_domain(rlogind_t)
+ inetd_service_domain(rlogind_t, rlogind_exec_t)
++init_daemon_domain(rlogind_t, rlogind_exec_t)
+ 
+ type rlogind_devpts_t;
+ term_login_pty(rlogind_devpts_t)
+@@ -30,7 +31,9 @@ files_pid_file(rlogind_var_run_t)
  allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
  allow rlogind_t self:process signal_perms;
  allow rlogind_t self:fifo_file rw_fifo_file_perms;
@@ -71678,7 +72039,7 @@ index d34cdec..f41c9c5 100644
  
  allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
  term_create_pty(rlogind_t, rlogind_devpts_t)
-@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
+@@ -39,7 +42,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
  
  manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
  manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
@@ -71686,7 +72047,7 @@ index d34cdec..f41c9c5 100644
  
  manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
  files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t)
+@@ -50,7 +52,6 @@ kernel_read_kernel_sysctls(rlogind_t)
  kernel_read_system_state(rlogind_t)
  kernel_read_network_state(rlogind_t)
  
@@ -71694,7 +72055,7 @@ index d34cdec..f41c9c5 100644
  corenet_all_recvfrom_netlabel(rlogind_t)
  corenet_tcp_sendrecv_generic_if(rlogind_t)
  corenet_udp_sendrecv_generic_if(rlogind_t)
-@@ -67,6 +67,7 @@ fs_getattr_all_fs(rlogind_t)
+@@ -67,6 +68,7 @@ fs_getattr_all_fs(rlogind_t)
  fs_search_auto_mountpoints(rlogind_t)
  
  auth_domtrans_chk_passwd(rlogind_t)
@@ -71702,7 +72063,7 @@ index d34cdec..f41c9c5 100644
  auth_rw_login_records(rlogind_t)
  auth_use_nsswitch(rlogind_t)
  
-@@ -77,30 +78,23 @@ init_rw_utmp(rlogind_t)
+@@ -77,30 +79,23 @@ init_rw_utmp(rlogind_t)
  
  logging_send_syslog_msg(rlogind_t)
  
@@ -73072,7 +73433,7 @@ index ebe91fc..6392cad 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index 0628d50..3031a82 100644
+index 0628d50..39e36fb 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -73221,7 +73582,7 @@ index 0628d50..3031a82 100644
 +#
 +interface(`rpm_rw_script_inherited_pipes',`
 +	gen_require(`
-+		type rpm_t;
++		type rpm_script_t;
 +	')
 +
 +	allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
@@ -85807,7 +86168,7 @@ index 42946bc..741f2f4 100644
 +	can_exec($1, telepathy_executable)
  ')
 diff --git a/telepathy.te b/telepathy.te
-index e9c0964..91c1898 100644
+index e9c0964..ff77783 100644
 --- a/telepathy.te
 +++ b/telepathy.te
 @@ -1,29 +1,28 @@
@@ -86308,7 +86669,7 @@ index e9c0964..91c1898 100644
  optional_policy(`
  	xserver_read_xdm_pid(telepathy_sunshine_t)
  	xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +382,40 @@ optional_policy(`
+@@ -452,31 +382,43 @@ optional_policy(`
  
  #######################################
  #
@@ -86336,10 +86697,12 @@ index e9c0964..91c1898 100644
  
  fs_getattr_all_fs(telepathy_domain)
  fs_search_auto_mountpoints(telepathy_domain)
--
--miscfiles_read_localization(telepathy_domain)
 +fs_rw_inherited_tmpfs_files(telepathy_domain)
  
+-miscfiles_read_localization(telepathy_domain)
++userdom_search_user_tmp_dirs(telepathy_domain)
++userdom_search_user_home_dirs(telepathy_domain)
+ 
  optional_policy(`
  	automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
  ')
@@ -86347,7 +86710,7 @@ index e9c0964..91c1898 100644
  optional_policy(`
 +	gnome_read_generic_cache_files(telepathy_domain)
 +	gnome_write_generic_cache_files(telepathy_domain)
-+    gnome_filetrans_config_home_content(telepathy_domain)
++	gnome_filetrans_config_home_content(telepathy_domain)
 +')
 +
 +optional_policy(`
@@ -91777,7 +92140,7 @@ index 9dec06c..4e31afe 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..d200be6 100644
+index 1f22fba..a4ae8e0 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,104 @@
@@ -92360,7 +92723,7 @@ index 1f22fba..d200be6 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +308,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +308,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -92384,6 +92747,7 @@ index 1f22fba..d200be6 100644
  allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 -
++allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;
  allow virtd_t virt_ptynode:chr_file rw_term_perms;
  
  manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
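Review bot: The added `allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;` applies a file-class permission set to a socket class. It presumably builds because the socket class has getattr, relabelfrom and relabelto as well, but it reads as though a sock_file rule was intended, and it grants getattr as a side effect. Naming the permissions makes the intent reviewable: `allow virtd_t virt_image_type:unix_stream_socket { relabelfrom relabelto };`, with getattr added only if an AVC shows it is needed. A short comment naming the libvirt operation that labels the socket itself rather than its sock_file would also help. The surrounding virtd_t rules start and end outside the hunk.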
@@ -92406,7 +92770,7 @@ index 1f22fba..d200be6 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +342,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +343,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -92427,7 +92791,7 @@ index 1f22fba..d200be6 100644
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +354,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +355,7 @@ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  kernel_setsched(virtd_t)
@@ -92435,7 +92799,7 @@ index 1f22fba..d200be6 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,24 +362,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +363,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -92463,7 +92827,7 @@ index 1f22fba..d200be6 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -548,22 +382,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +383,23 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -92492,7 +92856,7 @@ index 1f22fba..d200be6 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +429,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +430,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -92512,7 +92876,7 @@ index 1f22fba..d200be6 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +451,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +452,26 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -92549,7 +92913,7 @@ index 1f22fba..d200be6 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +479,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +480,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -92558,7 +92922,7 @@ index 1f22fba..d200be6 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -658,20 +504,12 @@ optional_policy(`
+@@ -658,20 +505,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -92579,7 +92943,7 @@ index 1f22fba..d200be6 100644
  ')
  
  optional_policy(`
-@@ -684,14 +522,20 @@ optional_policy(`
+@@ -684,14 +523,20 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -92602,7 +92966,7 @@ index 1f22fba..d200be6 100644
  	iptables_manage_config(virtd_t)
  ')
  
-@@ -704,11 +548,13 @@ optional_policy(`
+@@ -704,11 +549,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92616,7 +92980,7 @@ index 1f22fba..d200be6 100644
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
  	policykit_read_lib(virtd_t)
-@@ -719,10 +565,18 @@ optional_policy(`
+@@ -719,10 +566,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92635,7 +92999,7 @@ index 1f22fba..d200be6 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -737,44 +591,261 @@ optional_policy(`
+@@ -737,44 +592,261 @@ optional_policy(`
  	udev_read_db(virtd_t)
  ')
  
@@ -92919,7 +93283,7 @@ index 1f22fba..d200be6 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +856,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +857,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -92946,7 +93310,7 @@ index 1f22fba..d200be6 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +876,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +877,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -92978,7 +93342,7 @@ index 1f22fba..d200be6 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +909,20 @@ optional_policy(`
+@@ -847,14 +910,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93000,7 +93364,7 @@ index 1f22fba..d200be6 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,49 +947,65 @@ optional_policy(`
+@@ -879,49 +948,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -93084,7 +93448,7 @@ index 1f22fba..d200be6 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1017,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1018,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -93104,7 +93468,7 @@ index 1f22fba..d200be6 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1038,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1039,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -93128,7 +93492,7 @@ index 1f22fba..d200be6 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1063,247 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1064,247 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -93506,7 +93870,7 @@ index 1f22fba..d200be6 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1316,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1317,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -93521,7 +93885,7 @@ index 1f22fba..d200be6 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1334,8 @@ optional_policy(`
+@@ -1183,9 +1335,8 @@ optional_policy(`
  
  ########################################
  #
@@ -93532,7 +93896,7 @@ index 1f22fba..d200be6 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1348,120 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1349,120 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dc8c4d6..ff52e16 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 74%{?dist}
+Release: 75%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -563,6 +563,34 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Sep 3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-75
+- Also sock_file trans rule is needed in lsm
+- Fix labeling for fetchmail pid files/dirs
+- Add additional fixes for abrt-upload-watch
+- Fix polipo.te
+- Fix transition rules in asterisk policy
+- Add fowner capability to networkmanager policy
+- Allow polipo to connect to tor ports
+- Cleanup lsmd.if
+- Cleanup openhpid policy
+- Fix kdump_read_crash() interface
+- Make more domains as init domain
+- Fix cupsd.te
+- Fix requires in rpm_rw_script_inherited_pipes
+- Fix interfaces in lsm.if
+- Allow munin service plugins to manage own tmpfs files/dirs
+- Allow virtd_t also relabel unix stream sockets for virt_image_type
+- Make ktalk as init domain
+- Fix to define ktalkd_unit_file_t correctly
+- Fix ktalk.fc
+- Add systemd support for talk-server
+- Allow glusterd to create sock_file in /run
+- Allow xdm_t to delete gkeyringd_tmp_t files on logout
+- Add fixes for hypervkvp policy
+- Add logwatch_can_sendmail boolean
+- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
+- Allow xdm_t to delete gkeyringd_tmp_t files on logout
+
 * Thu Aug 29 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74
 - Add selinux-policy-sandbox pkg
 

