[selinux-policy: 1/2] Cleanup related to init_domain()+inetd_domain fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Sep 5 13:42:56 UTC 2013


commit 1b0e0923f884031ded8dc43a33fb4d06052fab84
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Sep 5 09:40:37 2013 -0400

    Cleanup related to init_domain()+inetd_domain fixes
    
    - Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
    - svirt domains need to create kobject_uevent_sockets
    - Lots of new access required for sosreport
    - Allow tgtd_t to connect to isns ports
    - Allow init_t to transition to all inetd domains:
    - openct needs to be able to create netlink_object_uevent_sockets
    - Dontaudit leaks into ldconfig_t
    - Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
    - Move kernel_stream_connect into all Xwindow using users
    - Dontaudit inherited lock files in ifconfig o dhcpc_t

 modules-targeted-contrib.conf |   21 +
 permissivedomains.te          |   24 +
 policy-rawhide-base.patch     |  734 +++++++---
 policy-rawhide-contrib.patch  | 3263 ++++++++++++++++++++++++++++++-----------
 selinux-policy.spec           |  160 ++-
 5 files changed, 3072 insertions(+), 1130 deletions(-)
---
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 740b5b2..ce9e5bc 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2291,4 +2291,25 @@ watchdog = module
 #
 oracleasm = module
 
+# Layer: contrib
+# Module: redis
+# 
+# redis policy
+#
+redis = module
+
+# Layer: contrib
+# Module: hypervkvp
+# 
+# hypervkvp policy
+#
+hypervkvp = module
+
+# Layer: contrib
+# Module: lsm
+# 
+# lsm policy
+#
+lsm = module
+
 
diff --git a/permissivedomains.te b/permissivedomains.te
index 2549561..3370d89 100644
--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -15,3 +15,27 @@ optional_policy(`
 
         permissive prosody_t;
 ')
+
+optional_policy(`
+    gen_require(`
+                type redis_t;
+        ')
+
+        permissive redis_t;
+')
+
+optional_policy(`
+    gen_require(`
+                type hypervkvp_t;
+        ')
+
+        permissive hypervkvp_t;
+')
+
+optional_policy(`
+    gen_require(`
+                type lsmd_t;
+        ')
+
+        permissive lsmd_t;
+')
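Review bot: The three new blocks indent `gen_require(` with four spaces while their bodies and the existing prosody block at the top of the hunk use eight, so the layout drifts within a single file; align the new lines as `        gen_require(\``. A permissive domain only logs denials and enforces nothing, so each of `redis_t`, `hypervkvp_t` and `lsmd_t` should also carry a one-line comment naming why it is still permissive and what tracks switching it to enforcing, e.g. `# redis_t: new policy, permissive until validated — TODO cite tracking bug`. Without that marker these entries tend to survive long after the policy is mature.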
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 6adc2cb..81c1286 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1820,7 +1820,7 @@ index 688abc2..3d89250 100644
  /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
 +/usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
 diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5ca..bfc85a0 100644
+index 03ec5ca..025c177 100644
 --- a/policy/modules/admin/su.if
 +++ b/policy/modules/admin/su.if
 @@ -89,7 +89,6 @@ template(`su_restricted_domain_template', `
@@ -1843,41 +1843,234 @@ index 03ec5ca..bfc85a0 100644
  	optional_policy(`
  		cron_read_pipes($1_su_t)
  	')
-@@ -208,7 +202,7 @@ template(`su_role_template',`
+@@ -172,14 +166,6 @@ template(`su_role_template',`
+ 	role $2 types $1_su_t;
  
- 	auth_domtrans_chk_passwd($1_su_t)
- 	auth_dontaudit_read_shadow($1_su_t)
+ 	allow $3 $1_su_t:process signal;
+-
+-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+-	dontaudit $1_su_t self:capability sys_tty_config;
+-	allow $1_su_t self:process { setexec setsched setrlimit };
+-	allow $1_su_t self:fifo_file rw_fifo_file_perms;
+-	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+-	allow $1_su_t self:key { search write };
+-
+ 	allow $1_su_t $3:key search;
+ 
+ 	# Transition from the user domain to this domain.
+@@ -194,125 +180,12 @@ template(`su_role_template',`
+ 	allow $3 $1_su_t:process sigchld;
+ 
+ 	kernel_read_system_state($1_su_t)
+-	kernel_read_kernel_sysctls($1_su_t)
+-	kernel_search_key($1_su_t)
+-	kernel_link_key($1_su_t)
+-
+-	# for SSP
+-	dev_read_urand($1_su_t)
+-
+-	fs_search_auto_mountpoints($1_su_t)
+ 
+-	# needed for pam_rootok
+-	selinux_compute_access_vector($1_su_t)
+-
+-	auth_domtrans_chk_passwd($1_su_t)
+-	auth_dontaudit_read_shadow($1_su_t)
 -	auth_use_nsswitch($1_su_t)
+-	auth_rw_faillog($1_su_t)
+-
+-	corecmd_search_bin($1_su_t)
+-
+-	domain_use_interactive_fds($1_su_t)
+-
+-	files_read_etc_files($1_su_t)
+-	files_read_etc_runtime_files($1_su_t)
+-	files_search_var_lib($1_su_t)
+-	files_dontaudit_getattr_tmp_dirs($1_su_t)
+-
+-	init_dontaudit_use_fds($1_su_t)
+-	# Write to utmp.
+-	init_rw_utmp($1_su_t)
 +	auth_use_pam($1_su_t)
- 	auth_rw_faillog($1_su_t)
  
- 	corecmd_search_bin($1_su_t)
-@@ -228,10 +222,10 @@ template(`su_role_template',`
+ 	mls_file_write_all_levels($1_su_t)
  
  	logging_send_syslog_msg($1_su_t)
- 
+-
 -	miscfiles_read_localization($1_su_t)
- 
- 	userdom_use_user_terminals($1_su_t)
- 	userdom_search_user_home_dirs($1_su_t)
-+	userdom_search_admin_dir($1_su_t)
- 
- 	ifdef(`distro_redhat',`
- 		# RHEL5 and possibly newer releases incl. Fedora
-@@ -277,12 +271,7 @@ template(`su_role_template',`
- 		')
- 	')
- 
+-
+-	userdom_use_user_terminals($1_su_t)
+-	userdom_search_user_home_dirs($1_su_t)
+-
+-	ifdef(`distro_redhat',`
+-		# RHEL5 and possibly newer releases incl. Fedora
+-		auth_domtrans_upd_passwd($1_su_t)
+-
+-		optional_policy(`
+-			locallogin_search_keys($1_su_t)
+-		')
+-	')
+-
+-	ifdef(`distro_rhel4',`
+-		domain_role_change_exemption($1_su_t)
+-		domain_subj_id_change_exemption($1_su_t)
+-		domain_obj_id_change_exemption($1_su_t)
+-
+-		selinux_get_fs_mount($1_su_t)
+-		selinux_validate_context($1_su_t)
+-		selinux_compute_create_context($1_su_t)
+-		selinux_compute_relabel_context($1_su_t)
+-		selinux_compute_user_contexts($1_su_t)
+-
+-		# Relabel ttys and ptys.
+-		term_relabel_all_ttys($1_su_t)
+-		term_relabel_all_ptys($1_su_t)
+-		# Close and re-open ttys and ptys to get the fd into the correct domain.
+-		term_use_all_ttys($1_su_t)
+-		term_use_all_ptys($1_su_t)
+-
+-		seutil_read_config($1_su_t)
+-		seutil_read_default_contexts($1_su_t)
+-
+-		if(secure_mode) {
+-			# Only allow transitions to unprivileged user domains.
+-			userdom_spec_domtrans_unpriv_users($1_su_t)
+-		} else {
+-			# Allow transitions to all user domains
+-			userdom_spec_domtrans_all_users($1_su_t)
+-		}
+-
+-		optional_policy(`
+-			unconfined_domtrans($1_su_t)
+-			unconfined_signal($1_su_t)
+-		')
+-	')
+-
 -	ifdef(`hide_broken_symptoms',`
 -		# dontaudit leaked sockets from parent
 -		dontaudit $1_su_t $3:socket_class_set { read write };
 -	')
 -
 -	tunable_policy(`allow_polyinstantiation',`
-+	tunable_policy(`polyinstantiation_enabled',`
- 		fs_mount_xattr_fs($1_su_t)
- 		fs_unmount_xattr_fs($1_su_t)
- 	')
+-		fs_mount_xattr_fs($1_su_t)
+-		fs_unmount_xattr_fs($1_su_t)
+-	')
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_search_nfs($1_su_t)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_search_cifs($1_su_t)
+-	')
+-
+-	optional_policy(`
+-		cron_read_pipes($1_su_t)
+-	')
+-
+-	optional_policy(`
+-		kerberos_use($1_su_t)
+-	')
+-
+-	optional_policy(`
+-		# used when the password has expired
+-		usermanage_read_crack_db($1_su_t)
+-	')
+-
+-	# Modify .Xauthority file (via xauth program).
+-	optional_policy(`
+-		xserver_user_home_dir_filetrans_user_xauth($1_su_t)
+-		xserver_domtrans_xauth($1_su_t)
+-	')
+ ')
+ 
+ #######################################
+diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
+index 85bb77e..0df3b43 100644
+--- a/policy/modules/admin/su.te
++++ b/policy/modules/admin/su.te
+@@ -9,3 +9,81 @@ attribute su_domain_type;
+ 
+ type su_exec_t;
+ corecmd_executable_file(su_exec_t)
++
++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
++dontaudit su_domain_type self:capability sys_tty_config;
++allow su_domain_type self:process { setexec setsched setrlimit };
++allow su_domain_type self:fifo_file rw_fifo_file_perms;
++allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
++allow su_domain_type self:key { search write };
++
++kernel_read_kernel_sysctls(su_domain_type)
++kernel_search_key(su_domain_type)
++kernel_link_key(su_domain_type)
++
++# for SSP
++dev_read_urand(su_domain_type)
++dev_dontaudit_getattr_all(su_domain_type)
++
++fs_search_auto_mountpoints(su_domain_type)
++
++# needed for pam_rootok
++selinux_compute_access_vector(su_domain_type)
++
++corecmd_search_bin(su_domain_type)
++
++domain_use_interactive_fds(su_domain_type)
++
++files_read_etc_files(su_domain_type)
++files_read_etc_runtime_files(su_domain_type)
++files_search_var_lib(su_domain_type)
++files_dontaudit_getattr_tmp_dirs(su_domain_type)
++
++init_dontaudit_use_fds(su_domain_type)
++# Write to utmp.
++init_rw_utmp(su_domain_type)
++
++userdom_use_user_terminals(su_domain_type)
++userdom_search_user_home_dirs(su_domain_type)
++userdom_search_admin_dir(su_domain_type)
++
++ifdef(`distro_redhat',`
++	# RHEL5 and possibly newer releases incl. Fedora
++	auth_domtrans_upd_passwd(su_domain_type)
++
++	optional_policy(`
++		locallogin_search_keys(su_domain_type)
++	')
++')
++
++tunable_policy(`polyinstantiation_enabled',`
++	fs_mount_xattr_fs(su_domain_type)
++	fs_unmount_xattr_fs(su_domain_type)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_search_nfs(su_domain_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_search_cifs(su_domain_type)
++')
++
++optional_policy(`
++	cron_read_pipes(su_domain_type)
++')
++
++optional_policy(`
++	kerberos_use(su_domain_type)
++')
++
++optional_policy(`
++	# used when the password has expired
++	usermanage_read_crack_db(su_domain_type)
++')
++
++# Modify .Xauthority file (via xauth program).
++optional_policy(`
++	xserver_user_home_dir_filetrans_user_xauth(su_domain_type)
++	xserver_domtrans_xauth(su_domain_type)
++')
 diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
 index 7bddc02..2b59ed0 100644
 --- a/policy/modules/admin/sudo.fc
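Review bot: In the new su.te block, `dev_dontaudit_getattr_all(su_domain_type)` is placed directly under the `# for SSP` comment, which only explains `dev_read_urand`, so the comment now misdescribes the line beneath it; separate it with a blank line and its own comment, `# dontaudit getattr probes on /dev device nodes`. The `ifdef(\`distro_rhel4'` block removed from `su_role_template` (the domain_*_exemption, term_*_all_ttys/ptys, userdom_spec_domtrans_* and unconfined_domtrans rules) has no counterpart in su.te, so rhel4 builds silently lose those rules — if the drop is intended the commit message should say so, otherwise the block belongs in su.te under the same ifdef. Moving the rules onto the `su_domain_type` attribute also grants them to every type that carries the attribute, not only the `$1_su_t` types this template builds, which deserves a comment at the top of the new block. The su_role_template definition starts before this hunk.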
@@ -3046,7 +3239,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..51181b8 100644
+index 644d4d7..f9bcd44 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3350,7 +3543,15 @@ index 644d4d7..51181b8 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +457,15 @@ ifdef(`distro_suse', `
+@@ -342,6 +416,7 @@ ifdef(`distro_redhat', `
+ /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/system-config-selinux/polgengui.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
+@@ -383,11 +458,15 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -3367,7 +3568,7 @@ index 644d4d7..51181b8 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +475,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +476,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
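Review bot: The new entry `/usr/share/system-config-selinux/polgengui.py` leaves the dot unescaped, unlike the neighbouring `polgen\.py` and `system-config-selinux\.py` lines; file-context paths are regular expressions, so `.` matches any character. Use `/usr/share/system-config-selinux/polgengui\.py -- gen_context(system_u:object_r:bin_t,s0)`.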
@@ -8283,7 +8484,7 @@ index 6529bd9..831344c 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..57cc8d1 100644
+index 6a1e4d1..84e8030 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -8426,7 +8627,7 @@ index 6a1e4d1..57cc8d1 100644
  ##	Unconfined access to domains.
  ## </summary>
  ## <param name="domain">
-@@ -1530,4 +1561,45 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1561,63 @@ interface(`domain_unconfined',`
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
@@ -8471,9 +8672,27 @@ index 6a1e4d1..57cc8d1 100644
 +	')
 +
 +	allow $1 domain:process transition;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to access check /proc
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`domain_dontaudit_access_check',`
++	gen_require(`
++		attribute domain;
++	')
++
++	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
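Review bot: The summary of the new `domain_dontaudit_access_check` interface, "Do not audit attempts to access check /proc", does not say what is being suppressed: the rule silences the `audit_access` permission on `dir_file_class_set` objects labelled with any `domain` type, i.e. the permission the kernel checks for access(2)/faccessat(2) probes, which in practice land on /proc/<pid> entries. Suggest `##	Do not audit access(2) permission probes (audit_access) on /proc/<pid> entries of all domains.` and a `<param>` note that only the probe is hidden, so a real read or search denial on the same objects still audits. That distinction is what makes this interface preferable to a blanket dontaudit on read.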
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..bcaf613 100644
+index cf04cb5..2b917b5 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8610,7 +8829,7 @@ index cf04cb5..bcaf613 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,296 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -8887,6 +9106,7 @@ index cf04cb5..bcaf613 100644
 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
 +
 +optional_policy(`
++	rpm_rw_script_inherited_pipes(domain)
 +	rpm_use_fds(domain)
 +	rpm_read_pipes(domain)
 +	rpm_search_log(domain)
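Review bot: `rpm_rw_script_inherited_pipes(domain)` is granted to every domain in the policy, and neither the hunk nor the commit message says which denial motivated it; the other rpm_* calls in this block are use/read/search, so this appears to be the first write-direction grant on rpm script pipes for all domains. Add a comment above it naming the caller that needs it, e.g. `# <module — TODO cite the AVC> scriptlets hand an rpm pipe to child domains`, or scope the call to the one domain that triggered the denial if there is only one. The enclosing `optional_policy(` block closes beyond the hunk.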
@@ -17141,7 +17361,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..98d1e34 100644
+index 88d0028..897634a 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
@@ -17580,7 +17800,7 @@ index 88d0028..98d1e34 100644
  	virt_stream_connect(sysadm_t)
 +	virt_filetrans_home_content(sysadm_t)
 +	virt_manage_pid_dirs(sysadm_t)
-+	virt_transition_svirt_lxc(sysadm_t, sysadm_r)
++	virt_transition_svirt_sandbox(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
@@ -18395,7 +18615,7 @@ index 0000000..cf6582f
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..d74943c
+index 0000000..36f6ee2
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,332 @@
@@ -18722,7 +18942,7 @@ index 0000000..d74943c
 +
 +optional_policy(`
 +	virt_transition_svirt(unconfined_t, unconfined_r)
-+	virt_transition_svirt_lxc(unconfined_t, unconfined_r)
++	virt_transition_svirt_sandbox(unconfined_t, unconfined_r)
 +')
 +
 +optional_policy(`
@@ -20222,7 +20442,7 @@ index fe0c682..225aaa7 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..3448145 100644
+index 5fc0391..7931fba 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -20235,15 +20455,15 @@ index 5fc0391..3448145 100644
 +##      <p>
 +##      allow host key based authentication
 +##      </p>
- ## </desc>
--gen_tunable(allow_ssh_keysign, false)
++## </desc>
 +gen_tunable(ssh_keysign, false)
 +
 +## <desc>
 +##	<p>
 +##	Allow ssh logins as sysadm_r:sysadm_t
 +##	</p>
-+## </desc>
+ ## </desc>
+-gen_tunable(allow_ssh_keysign, false)
 +gen_tunable(ssh_sysadm_login, false)
  
  ## <desc>
@@ -20379,8 +20599,12 @@ index 5fc0391..3448145 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -156,38 +177,42 @@ logging_read_generic_logs(ssh_t)
+@@ -154,40 +175,46 @@ files_read_var_files(ssh_t)
+ logging_send_syslog_msg(ssh_t)
+ logging_read_generic_logs(ssh_t)
  
++term_use_ptmx(ssh_t)
++
  auth_use_nsswitch(ssh_t)
  
 -miscfiles_read_localization(ssh_t)
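Review bot: `term_use_ptmx(ssh_t)` is added without a comment and the commit message does not list it, so a reader cannot tell which ssh client feature opens /dev/ptmx directly. Add a one-line reason above it, e.g. `# ssh opens /dev/ptmx for <feature — TODO cite AVC>`, so the grant can be re-evaluated later.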
@@ -20441,7 +20665,7 @@ index 5fc0391..3448145 100644
  ')
  
  optional_policy(`
-@@ -195,6 +220,7 @@ optional_policy(`
+@@ -195,6 +222,7 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -20449,7 +20673,7 @@ index 5fc0391..3448145 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -206,6 +232,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -206,6 +234,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  allow ssh_keysign_t sshd_key_t:file { getattr read };
  
  dev_read_urand(ssh_keysign_t)
@@ -20457,7 +20681,7 @@ index 5fc0391..3448145 100644
  
  files_read_etc_files(ssh_keysign_t)
  
-@@ -223,33 +250,54 @@ optional_policy(`
+@@ -223,33 +252,54 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -20521,7 +20745,7 @@ index 5fc0391..3448145 100644
  ')
  
  optional_policy(`
-@@ -257,11 +305,24 @@ optional_policy(`
+@@ -257,11 +307,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20543,11 +20767,15 @@ index 5fc0391..3448145 100644
  
  optional_policy(`
 -	kerberos_keytab_template(sshd, sshd_t)
++    lvm_domtrans(sshd_t)
++')
++
++optional_policy(`
 +	nx_read_home_files(sshd_t)
  ')
  
  optional_policy(`
-@@ -269,6 +330,10 @@ optional_policy(`
+@@ -269,6 +336,10 @@ optional_policy(`
  ')
  
  optional_policy(`
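Review bot: `lvm_domtrans(sshd_t)` is indented with four spaces while every other rule in ssh.te uses a tab (see `+	nx_read_home_files(sshd_t)` a few lines down); use a tab. The rule lets sshd start lvm tools in the lvm domain, which the commit message does not mention, so add a comment naming the use case, e.g. `# sshd runs lvm for <use case — TODO confirm>`.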
@@ -20558,7 +20786,7 @@ index 5fc0391..3448145 100644
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -279,13 +344,69 @@ optional_policy(`
+@@ -279,13 +350,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20593,8 +20821,8 @@ index 5fc0391..3448145 100644
  
  optional_policy(`
 +	kernel_write_proc_files(sshd_t)
-+	virt_transition_svirt_lxc(sshd_t, system_r)
-+	virt_stream_connect_lxc(sshd_t)
++	virt_transition_svirt_sandbox(sshd_t, system_r)
++	virt_stream_connect_sandbox(sshd_t)
 +	virt_stream_connect(sshd_t)
 +')
 +
@@ -20628,7 +20856,7 @@ index 5fc0391..3448145 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -294,19 +415,26 @@ optional_policy(`
+@@ -294,19 +421,26 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -20656,7 +20884,7 @@ index 5fc0391..3448145 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +451,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +457,12 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -20669,7 +20897,7 @@ index 5fc0391..3448145 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +465,138 @@ optional_policy(`
+@@ -331,3 +471,138 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -20966,7 +21194,7 @@ index d1f64a0..8f50bb9 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..ba9536c 100644
+index 6bf0ecc..9b46e11 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,37 @@
@@ -21195,14 +21423,18 @@ index 6bf0ecc..ba9536c 100644
  		class x_synthetic_event all_x_synthetic_event_perms;
 +		class x_client destroy;
 +		class x_server manage;
-+		class x_screen { saver_setattr saver_hide saver_show };
++		class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor };
 +		class x_pointer { get_property set_property manage };
-+		class x_keyboard { read manage };
++		class x_keyboard { read manage freeze };
  	')
  
  	##############################
-@@ -386,6 +328,15 @@ template(`xserver_common_x_domain_template',`
- 	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
+@@ -383,9 +325,18 @@ template(`xserver_common_x_domain_template',`
+ 	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
+ 	# can receive default events
+ 	allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
+-	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
++	allow $2 xevent_t:{ x_event x_synthetic_event } { send receive };
  	# dont audit send failures
  	dontaudit $2 input_xevent_type:x_event send;
 +
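Review bot: The changed line `allow $2 xevent_t:{ x_event x_synthetic_event } { send receive };` gives every client domain instantiated by `xserver_common_x_domain_template` the right to send default-typed events, not only receive them, and nothing in the hunk or commit message says which client needed it. Input events appear to stay separate (the unchanged `dontaudit $2 input_xevent_type:x_event send;` below), but sending synthetic events to other clients' windows is still a cross-client channel, so it deserves a comment such as `# clients send non-input (xevent_t) synthetic events for <client — TODO cite AVC>`. The `show_cursor hide_cursor` and `freeze` additions here are only class declarations; the matching allow rules are in the next hunk. The template definition starts before this hunk.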
@@ -21211,9 +21443,9 @@ index 6bf0ecc..ba9536c 100644
 +
 +	allow $2 root_xdrawable_t:x_drawable write;
 +	allow $2 xserver_t:x_server manage;
-+	allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show };
++	allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show };
 +	allow $2 xserver_t:x_pointer { get_property set_property manage };
-+	allow $2 xserver_t:x_keyboard { read manage };
++	allow $2 xserver_t:x_keyboard { read manage freeze };
  ')
  
  #######################################
@@ -21894,32 +22126,36 @@ index 6bf0ecc..ba9536c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1261,13 +1621,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
 -		type xserver_t;
-+		type xserver_t, root_xdrawable_t;
++		type xserver_t, root_xdrawable_t, xevent_t;
  		class x_device all_x_device_perms;
  		class x_pointer all_x_pointer_perms;
  		class x_keyboard all_x_keyboard_perms;
 +		class x_screen all_x_screen_perms;
 +		class x_drawable { manage };
 +		attribute x_domain;
-+		class x_drawable { read manage setattr show };
-+		class x_resource { write read };
++		class x_drawable all_x_drawable_perms;
++		class x_resource all_x_resource_perms;
++		class x_synthetic_event all_x_synthetic_event_perms;
++		class x_cursor all_x_cursor_perms;
  	')
  
  	allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
 +	allow $1 xserver_t:{ x_screen } setattr;
 +	
-+	allow $1 x_domain:x_drawable { read manage setattr show };
-+	allow $1 x_domain:x_resource { write read };
-+	allow $1 root_xdrawable_t:x_drawable { manage read };
++	allow $1 x_domain:x_cursor all_x_cursor_perms;
++	allow $1 x_domain:x_drawable all_x_drawable_perms;
++	allow $1 x_domain:x_resource all_x_resource_perms;
++	allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms;
++	allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms;
  ')
  
  ########################################
-@@ -1284,10 +1654,622 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1658,623 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -22419,6 +22655,7 @@ index 6bf0ecc..ba9536c 100644
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
++	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
 +	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
 +	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
@@ -22545,7 +22782,7 @@ index 6bf0ecc..ba9536c 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..027e384 100644
+index 2696452..93b05fa 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -22796,7 +23033,7 @@ index 2696452..027e384 100644
  ')
  
  ########################################
-@@ -247,48 +321,83 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -22859,6 +23096,12 @@ index 2696452..027e384 100644
 +userdom_use_inherited_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
 +userdom_read_all_users_state(xauth_t)
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth")
  
  xserver_rw_xdm_tmp_files(xauth_t)
  
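Review bot: The six `userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ...)` lines repeat, name for name, the list that this same commit extends in the xserver.if hunk earlier in the patch (whose interface name lies outside that hunk) — both lists had to gain `.Xauthority-n` here, which is exactly the drift such duplication invites. If that interface is callable from xserver.te, replace the six lines with one call to it; otherwise add `# keep in sync with the .Xauthority filetrans list in xserver.if` above them.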
@@ -22891,7 +23134,7 @@ index 2696452..027e384 100644
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
  	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +408,109 @@ optional_policy(`
+@@ -299,64 +414,109 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -23011,7 +23254,7 @@ index 2696452..027e384 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +519,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +525,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -23043,7 +23286,7 @@ index 2696452..027e384 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +551,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +557,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -23067,6 +23310,7 @@ index 2696452..027e384 100644
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
++dev_rw_wireless(xdm_t)
  dev_getattr_xserver_misc_dev(xdm_t)
  dev_setattr_xserver_misc_dev(xdm_t)
 +dev_rw_xserver_misc(xdm_t)
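Review bot: `dev_rw_wireless(xdm_t)` gives the display manager read/write access to wireless device nodes with no comment, and the commit message does not list it; the surrounding dev_* rules (apm, dri, agp, xserver_misc) are all display-related, so this one stands out. Add a comment naming the component that needs it, e.g. `# <component — TODO cite AVC> run from the xdm session needs rw on wireless device nodes`.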
@@ -23096,7 +23340,7 @@ index 2696452..027e384 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +603,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +610,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -23125,7 +23369,7 @@ index 2696452..027e384 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +633,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +640,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23174,7 +23418,7 @@ index 2696452..027e384 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +680,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +687,144 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -23325,7 +23569,7 @@ index 2696452..027e384 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +831,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +838,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -23352,7 +23596,7 @@ index 2696452..027e384 100644
  ')
  
  optional_policy(`
-@@ -514,12 +858,56 @@ optional_policy(`
+@@ -514,12 +865,57 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23395,6 +23639,7 @@ index 2696452..027e384 100644
 +	gnome_stream_connect_gkeyringd(xdm_t)
 +	gnome_exec_gstreamer_home_files(xdm_t)
 +	gnome_exec_keyringd(xdm_t)
++	gnome_delete_gkeyringd_tmp_content(xdm_t)
 +	gnome_manage_config(xdm_t)
 +	gnome_manage_gconf_home_files(xdm_t)
 +	#gnome_filetrans_home_content(xdm_t)
@@ -23409,7 +23654,7 @@ index 2696452..027e384 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +925,78 @@ optional_policy(`
+@@ -537,28 +933,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23497,7 +23742,7 @@ index 2696452..027e384 100644
  ')
  
  optional_policy(`
-@@ -570,6 +1008,14 @@ optional_policy(`
+@@ -570,6 +1016,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23512,7 +23757,16 @@ index 2696452..027e384 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +1040,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+ type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
+ 
+ allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
+-allow xserver_t input_xevent_t:x_event send;
++allow xserver_t xevent_type:x_event send;
+ 
+ # setuid/setgid for the wrapper program to change UID
+ # sys_rawio is for iopl access - should not be needed for frame-buffer
+@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -23525,7 +23779,7 @@ index 2696452..027e384 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1057,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23541,7 +23795,7 @@ index 2696452..027e384 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1073,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -23552,7 +23806,7 @@ index 2696452..027e384 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1088,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23574,7 +23828,7 @@ index 2696452..027e384 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1108,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -23588,7 +23842,7 @@ index 2696452..027e384 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1134,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -23620,7 +23874,7 @@ index 2696452..027e384 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1166,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23638,7 +23892,7 @@ index 2696452..027e384 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1189,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1197,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -23662,7 +23916,7 @@ index 2696452..027e384 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1208,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -23671,7 +23925,7 @@ index 2696452..027e384 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1252,44 @@ optional_policy(`
+@@ -775,16 +1260,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23717,7 +23971,7 @@ index 2696452..027e384 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1298,10 @@ optional_policy(`
+@@ -793,6 +1306,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23728,7 +23982,7 @@ index 2696452..027e384 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1317,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -23742,7 +23996,7 @@ index 2696452..027e384 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1328,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -23751,7 +24005,7 @@ index 2696452..027e384 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1341,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1349,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23786,7 +24040,7 @@ index 2696452..027e384 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1406,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23795,7 +24049,7 @@ index 2696452..027e384 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1460,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -23827,7 +24081,7 @@ index 2696452..027e384 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1506,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1514,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -25879,10 +26133,10 @@ index 9dfecf7..6d00f5c 100644
 +
 +/usr/bin/hostname	--	gen_context(system_u:object_r:hostname_exec_t,s0)
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index f6cbda9..8c37105 100644
+index f6cbda9..51e9aef 100644
 --- a/policy/modules/system/hostname.te
 +++ b/policy/modules/system/hostname.te
-@@ -23,39 +23,47 @@ dontaudit hostname_t self:capability sys_tty_config;
+@@ -23,39 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config;
  
  kernel_list_proc(hostname_t)
  kernel_read_proc_symlinks(hostname_t)
@@ -25909,8 +26163,7 @@ index f6cbda9..8c37105 100644
  term_dontaudit_use_console(hostname_t)
 -term_use_all_ttys(hostname_t)
 -term_use_all_ptys(hostname_t)
-+term_use_all_inherited_ttys(hostname_t)
-+term_use_all_inherited_ptys(hostname_t)
++term_use_all_inherited_terms(hostname_t)
  
  init_use_fds(hostname_t)
  init_use_script_fds(hostname_t)
@@ -28832,7 +29085,7 @@ index 0d4c8d3..a89c4a2 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..a0ba260 100644
+index 9e54bf9..bc0e6c2 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28914,7 +29167,7 @@ index 9e54bf9..a0ba260 100644
  term_use_console(ipsec_t)
  term_dontaudit_use_all_ttys(ipsec_t)
  
-@@ -165,11 +176,13 @@ auth_use_nsswitch(ipsec_t)
+@@ -165,16 +176,22 @@ auth_use_nsswitch(ipsec_t)
  init_use_fds(ipsec_t)
  init_use_script_ptys(ipsec_t)
  
@@ -28929,7 +29182,16 @@ index 9e54bf9..a0ba260 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -187,10 +200,10 @@ optional_policy(`
+ 
+ optional_policy(`
++    iptables_domtrans(ipsec_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(ipsec_t)
+ ')
+ 
+@@ -187,10 +204,10 @@ optional_policy(`
  # ipsec_mgmt Local policy
  #
  
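Review bot: The new `iptables_domtrans(ipsec_t)` block lets the ipsec_t daemon domain itself, not just ipsec_mgmt_t, transition into the iptables domain, and nothing in the hunk records which ipsec component needs that; a why-comment above the `optional_policy(` such as `# TODO(review): name the ipsec helper/script that invokes iptables from ipsec_t` would keep the widening reviewable. The inserted block is indented with four spaces while the surrounding rules in this file use tabs (compare the retained `seutil_sigchld_newrole(ipsec_t)` line); the `psad_search_lib_files(syslogd_t)` block added to logging.te further down has the same mixed indentation. The optional_policy list this sits in continues outside the hunk.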
@@ -28944,7 +29206,7 @@ index 9e54bf9..a0ba260 100644
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
  allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -210,6 +223,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+@@ -210,10 +227,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
  
  manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -28952,7 +29214,12 @@ index 9e54bf9..a0ba260 100644
  manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
  
  allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
-@@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+-files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
++files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file })
+ 
+ # _realsetup needs to be able to cat /var/run/pluto.pid,
+ # run ps on that pid, and delete the file
+@@ -246,6 +264,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -28969,7 +29236,7 @@ index 9e54bf9..a0ba260 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +279,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +283,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -28978,7 +29245,7 @@ index 9e54bf9..a0ba260 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -278,9 +304,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +308,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -28990,7 +29257,7 @@ index 9e54bf9..a0ba260 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +317,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +321,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
  logging_send_syslog_msg(ipsec_mgmt_t)
  
@@ -29014,7 +29281,7 @@ index 9e54bf9..a0ba260 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +352,10 @@ optional_policy(`
+@@ -322,6 +356,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29025,7 +29292,7 @@ index 9e54bf9..a0ba260 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -335,7 +369,7 @@ optional_policy(`
+@@ -335,7 +373,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -29034,7 +29301,7 @@ index 9e54bf9..a0ba260 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +404,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +408,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -29054,7 +29321,7 @@ index 9e54bf9..a0ba260 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +434,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +438,11 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -29067,7 +29334,7 @@ index 9e54bf9..a0ba260 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +472,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +476,9 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -29784,7 +30051,7 @@ index 808ba93..9d8f729 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 23a645e..f0cbd38 100644
+index 23a645e..52a8540 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@@ -29817,21 +30084,23 @@ index 23a645e..f0cbd38 100644
  files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
  
  manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t)
+@@ -75,11 +77,15 @@ kernel_read_system_state(ldconfig_t)
  
  fs_getattr_xattr_fs(ldconfig_t)
  
 +files_list_var_lib(ldconfig_t)
++files_dontaudit_leaks(ldconfig_t)
 +files_manage_var_lib_symlinks(ldconfig_t)
 +
  corecmd_search_bin(ldconfig_t)
  
  domain_use_interactive_fds(ldconfig_t)
  
+-files_search_var_lib(ldconfig_t)
 +files_search_home(ldconfig_t)
- files_search_var_lib(ldconfig_t)
  files_read_etc_files(ldconfig_t)
  files_read_usr_files(ldconfig_t)
+ files_search_tmp(ldconfig_t)
 @@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t)
  init_use_script_ptys(ldconfig_t)
  init_read_script_tmp_files(ldconfig_t)
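Review bot: `files_dontaudit_leaks(ldconfig_t)` silences every leaked-descriptor denial into ldconfig_t no matter which caller leaks it, so the audit events that would identify the misbehaving domain are gone for good; a comment recording where the leak was observed, e.g. `# dontaudit fds leaked by callers of ldconfig; seen from: <caller, TODO>`, would preserve that knowledge for whoever later tries to fix the caller. Dropping `files_search_var_lib(ldconfig_t)` looks intentional given the `files_list_var_lib(ldconfig_t)` added above it, assuming the list interface implies search as elsewhere in refpolicy.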
@@ -30664,7 +30933,7 @@ index 4e94884..9b82ed0 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..692b00d 100644
+index 39ea221..aae7b7d 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -30880,7 +31149,7 @@ index 39ea221..692b00d 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,22 +426,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -386,22 +426,34 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -30910,12 +31179,15 @@ index 39ea221..692b00d 100644
 +ifdef(`hide_broken_symptoms',`
 +	kernel_rw_unix_dgram_sockets(syslogd_t)
 +')
++
++corecmd_exec_bin(syslogd_t)
++corecmd_exec_shell(syslogd_t)
  
 -corenet_all_recvfrom_unlabeled(syslogd_t)
  corenet_all_recvfrom_netlabel(syslogd_t)
  corenet_udp_sendrecv_generic_if(syslogd_t)
  corenet_udp_sendrecv_generic_node(syslogd_t)
-@@ -427,9 +476,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,9 +479,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
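Review bot: `corecmd_exec_bin(syslogd_t)` and `corecmd_exec_shell(syslogd_t)` allow the syslog daemon, which the visible `corenet_udp_sendrecv_generic_if(syslogd_t)` rules show also receives log data over the network, to execute any binary and any shell, and no comment says which syslog feature requires it. Gating the two calls behind a `tunable_policy` boolean, as the file already does for conditional access with its hide_broken_symptoms ifdef block, would keep the default daemon from becoming a general execution point; at minimum add `# TODO(review): name the output module/script that needs exec from syslogd_t` above them. The surrounding corenet rule list continues outside the hunk.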
@@ -30943,7 +31215,7 @@ index 39ea221..692b00d 100644
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
-@@ -442,14 +508,19 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +511,19 @@ files_read_kernel_symbol_table(syslogd_t)
  files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
  
  fs_getattr_all_fs(syslogd_t)
@@ -30963,7 +31235,7 @@ index 39ea221..692b00d 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +532,10 @@ init_use_fds(syslogd_t)
+@@ -461,11 +535,10 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -30977,7 +31249,7 @@ index 39ea221..692b00d 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -502,15 +572,36 @@ optional_policy(`
+@@ -502,15 +575,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31004,6 +31276,10 @@ index 39ea221..692b00d 100644
  ')
  
  optional_policy(`
++    psad_search_lib_files(syslogd_t)
++')
++
++optional_policy(`
  	seutil_sigchld_newrole(syslogd_t)
 +	snmp_read_snmp_var_lib_files(syslogd_t)
 +	snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)
@@ -31014,7 +31290,7 @@ index 39ea221..692b00d 100644
  ')
  
  optional_policy(`
-@@ -521,3 +612,26 @@ optional_policy(`
+@@ -521,3 +619,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -31042,10 +31318,10 @@ index 39ea221..692b00d 100644
 +
 +logging_stream_connect_syslog(syslog_client_type)
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..7daaff3 100644
+index 879bb1e..5aa4eeb 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
-@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',`
+@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',`
  /etc/lvmtab(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
  /etc/lvmtab\.d(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
  
@@ -31062,6 +31338,7 @@ index 879bb1e..7daaff3 100644
  # /sbin
  #
 +/sbin/mount\.crypt	--	gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/umount\.crypt	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/cryptsetup	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/dmraid		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -31081,7 +31358,7 @@ index 879bb1e..7daaff3 100644
  /sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +94,71 @@ ifdef(`distro_gentoo',`
+@@ -88,8 +95,71 @@ ifdef(`distro_gentoo',`
  #
  # /usr
  #
@@ -31155,7 +31432,7 @@ index 879bb1e..7daaff3 100644
  
  #
  # /var
-@@ -97,5 +166,8 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +167,8 @@ ifdef(`distro_gentoo',`
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -32571,7 +32848,7 @@ index 4584457..e432df3 100644
 +        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..4e5bf09 100644
+index 6a50270..d941116 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -5,40 +5,58 @@ policy_module(mount, 1.15.1)
@@ -32656,7 +32933,7 @@ index 6a50270..4e5bf09 100644
  
 +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
 +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
-+files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount")
++files_pid_filetrans(mount_t,mount_var_run_t,{ dir file })
 +files_var_filetrans(mount_t,mount_var_run_t,dir)
 +dev_filetrans(mount_t, mount_var_run_t, dir)
 +
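Review bot: Replacing `files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount")` with `files_pid_filetrans(mount_t,mount_var_run_t,{ dir file })` drops the name filter, so every directory or file mount_t creates directly in the pid directory is now labelled mount_var_run_t, not only the `mount` directory. If a plain file was the missing case, keeping the named dir rule and adding the file transition separately, ideally also by name, would avoid mislabelling unrelated pid files; this is hedged because the file that triggered the change is not visible here. The `{ dir sock_file }` change for ipsec_mgmt_t in ipsec.te is the same unnamed pattern.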
@@ -33740,7 +34017,7 @@ index 3822072..ec95692 100644
 +	allow semanage_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..063ef61 100644
+index ec01d0b..59ed766 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,14 +11,16 @@ gen_require(`
@@ -34268,7 +34545,7 @@ index ec01d0b..063ef61 100644
  ')
  
  ########################################
-@@ -522,108 +598,189 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +598,191 @@ ifdef(`distro_ubuntu',`
  # Setfiles local policy
  #
  
@@ -34536,6 +34813,8 @@ index ec01d0b..063ef61 100644
 +
 +files_rw_inherited_generic_pid_files(setfiles_domain)
 +files_rw_inherited_generic_pid_files(policy_manager_domain)
++files_create_boot_flag(policy_manager_domain, ".autorelabel")
++files_delete_boot_flag(policy_manager_domain)
 +
  optional_policy(`
 -	hotplug_use_fds(setfiles_t)
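Review bot: `files_create_boot_flag(policy_manager_domain, ".autorelabel")` passes a second argument while this same patch still calls `files_create_boot_flag($1)` with one argument in userdom_security_admin_template, so the interface must accept an optional name; if that extension is made in a hunk outside this view it needs to land in the same commit, otherwise the two-argument call will not expand. Granting creation of `.autorelabel` plus `files_delete_boot_flag` to the whole policy_manager_domain attribute lets every member schedule a full relabel at next boot, which deserves a line such as `# TODO(review): which policy_manager_domain member writes /.autorelabel?` so the scope stays documented.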
@@ -34956,7 +35235,7 @@ index 6944526..ec17624 100644
 +	files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..a5086e8 100644
+index b7686d5..087fe08 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -35052,7 +35331,7 @@ index b7686d5..a5086e8 100644
  corenet_tcp_sendrecv_all_ports(dhcpc_t)
  corenet_udp_sendrecv_all_ports(dhcpc_t)
  corenet_tcp_bind_all_nodes(dhcpc_t)
-@@ -108,21 +125,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
  corenet_tcp_connect_all_ports(dhcpc_t)
  corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
  corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
@@ -35075,10 +35354,11 @@ index b7686d5..a5086e8 100644
  files_dontaudit_search_locks(dhcpc_t)
  files_getattr_generic_locks(dhcpc_t)
 +files_rw_inherited_tmp_file(dhcpc_t)
++files_dontaudit_rw_inherited_locks(dhcpc_t)
  
  fs_getattr_all_fs(dhcpc_t)
  fs_search_auto_mountpoints(dhcpc_t)
-@@ -132,11 +151,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
  term_dontaudit_use_unallocated_ttys(dhcpc_t)
  term_dontaudit_use_generic_ptys(dhcpc_t)
  
@@ -35095,7 +35375,7 @@ index b7686d5..a5086e8 100644
  
  modutils_run_insmod(dhcpc_t, dhcpc_roles)
  
-@@ -156,7 +179,14 @@ ifdef(`distro_ubuntu',`
+@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -35111,7 +35391,7 @@ index b7686d5..a5086e8 100644
  ')
  
  optional_policy(`
-@@ -174,10 +204,6 @@ optional_policy(`
+@@ -174,10 +205,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35122,7 +35402,7 @@ index b7686d5..a5086e8 100644
  	hotplug_getattr_config_dirs(dhcpc_t)
  	hotplug_search_config(dhcpc_t)
  
-@@ -190,23 +216,36 @@ optional_policy(`
+@@ -190,23 +217,36 @@ optional_policy(`
  optional_policy(`
  	netutils_run_ping(dhcpc_t, dhcpc_roles)
  	netutils_run(dhcpc_t, dhcpc_roles)
@@ -35159,7 +35439,7 @@ index b7686d5..a5086e8 100644
  ')
  
  optional_policy(`
-@@ -216,7 +255,11 @@ optional_policy(`
+@@ -216,7 +256,11 @@ optional_policy(`
  
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
@@ -35172,7 +35452,7 @@ index b7686d5..a5086e8 100644
  ')
  
  optional_policy(`
-@@ -228,6 +271,10 @@ optional_policy(`
+@@ -228,6 +272,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35183,7 +35463,7 @@ index b7686d5..a5086e8 100644
  	vmware_append_log(dhcpc_t)
  ')
  
-@@ -259,12 +306,21 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -259,12 +307,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -35193,6 +35473,8 @@ index b7686d5..a5086e8 100644
 +allow ifconfig_t self:netlink_socket create_socket_perms;
  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
  allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
++allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms };
++
  allow ifconfig_t self:tcp_socket { create ioctl };
  
 +can_exec(ifconfig_t, ifconfig_exec_t)
@@ -35205,7 +35487,7 @@ index b7686d5..a5086e8 100644
  kernel_use_fds(ifconfig_t)
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
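Review bot: `allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms }` comes with no comment, and the relabelfrom/relabelto pair is, as far as I recall, what the kernel checks when a process attaches to a persistent tun device created under another label, so it grants more than the plain create that most domains get. A why-comment above the rule, e.g. `# ip tuntap: create and attach to persistent tun devices (relabel on attach)`, would make the extra permissions reviewable; the `corenet_rw_tun_tap_dev(ifconfig_t)` line in the following hunk covers the device-node side. The ifconfig_t self rules continue outside this hunk.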
-@@ -274,14 +330,29 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t)
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
@@ -35226,6 +35508,7 @@ index b7686d5..a5086e8 100644
 +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
 +
 +files_dontaudit_rw_inherited_pipes(ifconfig_t)
++files_dontaudit_rw_inherited_locks(ifconfig_t)
 +files_dontaudit_read_root_files(ifconfig_t)
 +files_rw_inherited_tmp_file(ifconfig_t)
 +
@@ -35235,7 +35518,7 @@ index b7686d5..a5086e8 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +365,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -35263,7 +35546,7 @@ index b7686d5..a5086e8 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -318,7 +389,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -35286,7 +35569,7 @@ index b7686d5..a5086e8 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -329,8 +415,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -35300,7 +35583,7 @@ index b7686d5..a5086e8 100644
  ')
  
  optional_policy(`
-@@ -339,7 +428,15 @@ optional_policy(`
+@@ -339,7 +432,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35317,7 +35600,7 @@ index b7686d5..a5086e8 100644
  ')
  
  optional_policy(`
-@@ -360,3 +457,13 @@ optional_policy(`
+@@ -360,3 +461,13 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -35333,10 +35616,10 @@ index b7686d5..a5086e8 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..2cd29ba
+index 0000000..431619e
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,44 @@
 +/etc/hostname			--		gen_context(system_u:object_r:hostname_etc_t,s0)
 +/etc/machine-info		--		gen_context(system_u:object_r:hostname_etc_t,s0)
 +
@@ -35351,6 +35634,7 @@ index 0000000..2cd29ba
 +/usr/bin/systemd-tmpfiles			--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +/usr/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +
++/usr/lib/dracut/modules.d/.*\.service	gen_context(system_u:object_r:systemd_unit_file_t,s0)
 +/usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-vconsole-setup\.service		gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
 +/usr/lib/systemd/system/.*halt.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
@@ -38717,7 +39001,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..2bf0cab 100644
+index 3c5dba7..fc2fb65 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39792,15 +40076,17 @@ index 3c5dba7..2bf0cab 100644
 +	allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
 +	dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
 +
-+    seutil_read_file_contexts($1_t)
-+    seutil_read_default_contexts($1_t)
++	seutil_read_file_contexts($1_t)
++	seutil_read_default_contexts($1_t)
 +
  	##############################
  	#
  	# Local policy
-@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1115,99 @@ template(`userdom_restricted_xwindows_user_template',`
+ 	#
  	# Local policy
  	#
++	kernel_stream_connect($1_usertype)
  
 -	auth_role($1_r, $1_t)
 -	auth_search_pam_console_data($1_t)
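Review bot: `kernel_stream_connect($1_usertype)` is granted to every restricted X-windows user type without a comment on which kernel_t-labelled stream socket those users need to reach; since this is the least privileged user template, a why-comment above the line such as `# TODO(review): name the kernel_t unix stream socket X users connect to` would justify the widening. The line is also placed directly under the `# Local policy` header with no blank line separating it from the header, unlike the other rule groups in this template. The template body continues past the hunk.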
@@ -39909,7 +40195,7 @@ index 3c5dba7..2bf0cab 100644
  		')
  
  		optional_policy(`
-@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
@@ -39940,7 +40226,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  #######################################
-@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -39978,7 +40264,7 @@ index 3c5dba7..2bf0cab 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1308,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -40030,26 +40316,26 @@ index 3c5dba7..2bf0cab 100644
 +
 +	optional_policy(`
 +		gpm_stream_connect($1_usertype)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
-+		mount_run_fusermount($1_t, $1_r)
-+		mount_read_pid_files($1_t)
 +	')
 +
 +	optional_policy(`
-+		wine_role_template($1, $1_r, $1_t)
++		mount_run_fusermount($1_t, $1_r)
++		mount_read_pid_files($1_t)
 +	')
 +
 +	optional_policy(`
++		wine_role_template($1, $1_r, $1_t)
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -40060,7 +40346,7 @@ index 3c5dba7..2bf0cab 100644
  	')
  ')
  
-@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -40069,7 +40355,7 @@ index 3c5dba7..2bf0cab 100644
  	')
  
  	##############################
-@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -40077,7 +40363,7 @@ index 3c5dba7..2bf0cab 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -40087,7 +40373,7 @@ index 3c5dba7..2bf0cab 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -40095,7 +40381,7 @@ index 3c5dba7..2bf0cab 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -40110,7 +40396,7 @@ index 3c5dba7..2bf0cab 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -40153,7 +40439,7 @@ index 3c5dba7..2bf0cab 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -40162,7 +40448,7 @@ index 3c5dba7..2bf0cab 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -40181,7 +40467,7 @@ index 3c5dba7..2bf0cab 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -40190,7 +40476,7 @@ index 3c5dba7..2bf0cab 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -40202,7 +40488,7 @@ index 3c5dba7..2bf0cab 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -40245,7 +40531,7 @@ index 3c5dba7..2bf0cab 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -40264,7 +40550,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -40316,7 +40602,7 @@ index 3c5dba7..2bf0cab 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -40348,7 +40634,7 @@ index 3c5dba7..2bf0cab 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -40363,7 +40649,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -40375,7 +40661,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -40418,7 +40704,7 @@ index 3c5dba7..2bf0cab 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -40427,7 +40713,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -40442,7 +40728,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -1772,7 +2246,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2247,25 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -40469,7 +40755,7 @@ index 3c5dba7..2bf0cab 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1782,53 +2274,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,53 +2275,70 @@ interface(`userdom_manage_user_home_content_dirs',`
  #
  interface(`userdom_delete_all_user_home_content_dirs',`
  	gen_require(`
@@ -40552,7 +40838,7 @@ index 3c5dba7..2bf0cab 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1848,6 +2357,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2358,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -40578,7 +40864,7 @@ index 3c5dba7..2bf0cab 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2406,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2407,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -40616,7 +40902,7 @@ index 3c5dba7..2bf0cab 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2446,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2447,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -40634,7 +40920,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -1941,7 +2494,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2495,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -40661,7 +40947,7 @@ index 3c5dba7..2bf0cab 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1951,17 +2522,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2523,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  #
  interface(`userdom_delete_all_user_home_content_files',`
  	gen_require(`
@@ -40682,7 +40968,7 @@ index 3c5dba7..2bf0cab 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,12 +2538,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2539,48 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -40733,7 +41019,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -2010,8 +2615,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2616,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -40743,7 +41029,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -2027,21 +2631,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2632,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -40757,19 +41043,18 @@ index 3c5dba7..2bf0cab 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
- 
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
--	')
 -')
--
+ 
  ########################################
  ## <summary>
- ##	Do not audit attempts to execute user home files.
-@@ -2123,7 +2721,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2722,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -40778,7 +41063,7 @@ index 3c5dba7..2bf0cab 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2729,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2730,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -40802,7 +41087,7 @@ index 3c5dba7..2bf0cab 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2747,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2748,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -40818,7 +41103,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -2393,11 +2989,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2990,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -40833,7 +41118,7 @@ index 3c5dba7..2bf0cab 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +3013,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3014,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -40842,7 +41127,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -2664,6 +3260,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3261,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -40868,7 +41153,7 @@ index 3c5dba7..2bf0cab 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3295,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3296,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -40884,7 +41169,7 @@ index 3c5dba7..2bf0cab 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3323,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3324,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -40893,7 +41178,7 @@ index 3c5dba7..2bf0cab 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,14 +3331,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3332,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -40928,7 +41213,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -2817,6 +3449,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3450,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -40953,7 +41238,7 @@ index 3c5dba7..2bf0cab 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3485,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3486,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -40996,7 +41281,7 @@ index 3c5dba7..2bf0cab 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3521,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3522,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -41034,7 +41319,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -2885,8 +3566,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3567,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -41064,7 +41349,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -2958,69 +3658,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3659,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -41165,7 +41450,7 @@ index 3c5dba7..2bf0cab 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3727,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3728,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -41180,7 +41465,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -3097,7 +3796,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3797,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -41189,7 +41474,7 @@ index 3c5dba7..2bf0cab 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3812,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3813,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -41223,7 +41508,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -3217,7 +3900,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3901,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -41250,7 +41535,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -3272,7 +3973,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3974,64 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -41316,7 +41601,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -3290,7 +4048,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4049,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -41325,7 +41610,7 @@ index 3c5dba7..2bf0cab 100644
  ')
  
  ########################################
-@@ -3309,6 +4067,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4068,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -41333,7 +41618,7 @@ index 3c5dba7..2bf0cab 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3385,6 +4144,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4145,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -41376,7 +41661,7 @@ index 3c5dba7..2bf0cab 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,7 +4200,7 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,7 +4201,7 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -41385,7 +41670,7 @@ index 3c5dba7..2bf0cab 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3413,17 +4208,17 @@ interface(`userdom_sigchld_all_users',`
+@@ -3413,17 +4209,17 @@ interface(`userdom_sigchld_all_users',`
  ##	</summary>
  ## </param>
  #
@@ -41406,7 +41691,7 @@ index 3c5dba7..2bf0cab 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3431,11 +4226,1516 @@ interface(`userdom_create_all_users_keys',`
+@@ -3431,11 +4227,1516 @@ interface(`userdom_create_all_users_keys',`
  ##	</summary>
  ## </param>
  #
@@ -42927,7 +43212,7 @@ index 3c5dba7..2bf0cab 100644
 +	dontaudit $1 user_home_type:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..211263f 100644
+index e2b538b..3a775a7 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -43015,7 +43300,7 @@ index e2b538b..211263f 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +82,226 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +82,227 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -43073,6 +43358,7 @@ index e2b538b..211263f 100644
 +allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;
 +
 +# Nautilus causes this avc
++domain_dontaudit_access_check(unpriv_userdomain)
 +dontaudit unpriv_userdomain self:dir setattr;
 +allow unpriv_userdomain self:key manage_key_perms;
 +
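Review bot: The new `domain_dontaudit_access_check(unpriv_userdomain)` call is inserted between the comment `# Nautilus causes this avc` and the `dontaudit unpriv_userdomain self:dir setattr;` rule that comment explains, so the comment now reads as though it justified the access-check dontaudit too. Either move the new call above the comment or give it its own line, e.g. `# silence access(2) probes from unprivileged user domains; these are not real denials`. Since this silences audit_access denials for the whole unpriv_userdomain attribute, the comment should also say it is deliberate noise reduction rather than a fix for a specific application.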
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index e9e4180..aa2e445 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,8 +1,8 @@
 diff --git a/abrt.fc b/abrt.fc
-index e4f84de..4e4cbd4 100644
+index e4f84de..2fe1152 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,30 +1,40 @@
+@@ -1,30 +1,41 @@
 -/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
 -/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 +/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -22,6 +22,7 @@ index e4f84de..4e4cbd4 100644
 +/usr/sbin/abrtd			--	gen_context(system_u:object_r:abrt_exec_t,s0)
 +/usr/sbin/abrt-dbus		--	gen_context(system_u:object_r:abrt_exec_t,s0)
 +/usr/sbin/abrt-harvest.*	--	gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-upload-watch --  gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
  
 -/usr/libexec/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
  /usr/libexec/abrt-handle-event	--	gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
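Review bot: The new `/usr/sbin/abrt-upload-watch` entry separates its fields with spaces while every sibling entry in this block is tab-aligned; tab-align it the same way so the file stays uniform. It labels the binary `abrt_upload_watch_exec_t`, which this hunk does not declare — presumably it comes from the `abrt_basic_types_template(abrt_upload_watch)` call added to abrt.te later in this patch, so the two hunks must land together or the file context will reference an undefined type.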
@@ -518,7 +519,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..da5b191 100644
+index cc43d25..f71a133 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -527,7 +528,7 @@ index cc43d25..da5b191 100644
  
  ########################################
  #
-@@ -6,105 +6,116 @@ policy_module(abrt, 1.3.4)
+@@ -6,105 +6,131 @@ policy_module(abrt, 1.3.4)
  #
  
  ## <desc>
@@ -549,6 +550,14 @@ index cc43d25..da5b191 100644
 -##	the abrt_handle_event_t domain to
 -##	handle ABRT event scripts.
 -##	</p>
++## <p>
++## Allow abrt-handle-upload to modify public files
++## used for public file transfer services in /var/spool/abrt-upload/.
++## </p>
++## </desc>
++gen_tunable(abrt_upload_watch_anon_write, true)
++
++## <desc>
 +##  <p>
 +##  Allow ABRT to run in abrt_handle_event_t domain
 +##  to handle ABRT event scripts
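Review bot: The description of the new `abrt_upload_watch_anon_write` tunable names `abrt-handle-upload`, but the tunable itself and the domain it wraps later in this patch (`miscfiles_manage_public_files(abrt_upload_watch_t)`) are abrt-upload-watch; rename one so readers of `semanage boolean -l` see the right program, e.g. `## Allow abrt-upload-watch to modify public files`. The default is `true`, which means a fresh install already lets this daemon write public_content_rw_t files; if the sibling `abrt_anon_write` tunable defaults to false, this one should match it so opting in stays explicit. The `## <p>` lines also use a different indentation from the `##  <p>` style of the surrounding descriptions.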
@@ -660,7 +669,13 @@ index cc43d25..da5b191 100644
 -ifdef(`enable_mcs',`
 -	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
 -')
--
++# Support for abrt-upload-watch
++abrt_basic_types_template(abrt_upload_watch)
++init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
++
++type abrt_upload_watch_tmp_t;
++files_tmp_file(abrt_upload_watch_tmp_t)
+ 
  ########################################
  #
 -# Local policy
@@ -689,7 +704,7 @@ index cc43d25..da5b191 100644
  manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
  logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  
-@@ -112,23 +123,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +138,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -718,7 +733,7 @@ index cc43d25..da5b191 100644
  kernel_request_load_module(abrt_t)
  kernel_rw_kernel_sysctl(abrt_t)
  
-@@ -137,16 +150,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +165,14 @@ corecmd_exec_shell(abrt_t)
  corecmd_read_all_executables(abrt_t)
  
  corenet_all_recvfrom_netlabel(abrt_t)
@@ -737,7 +752,7 @@ index cc43d25..da5b191 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +174,37 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +189,37 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -778,7 +793,7 @@ index cc43d25..da5b191 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +212,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +227,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -795,7 +810,7 @@ index cc43d25..da5b191 100644
  ')
  
  optional_policy(`
-@@ -209,6 +224,16 @@ optional_policy(`
+@@ -209,6 +239,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -812,7 +827,7 @@ index cc43d25..da5b191 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -220,6 +245,7 @@ optional_policy(`
+@@ -220,6 +260,7 @@ optional_policy(`
  	corecmd_exec_all_executables(abrt_t)
  ')
  
@@ -820,7 +835,7 @@ index cc43d25..da5b191 100644
  optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +256,7 @@ optional_policy(`
+@@ -230,6 +271,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -828,7 +843,7 @@ index cc43d25..da5b191 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -240,9 +267,17 @@ optional_policy(`
+@@ -240,9 +282,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -847,7 +862,7 @@ index cc43d25..da5b191 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +288,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +303,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -862,7 +877,7 @@ index cc43d25..da5b191 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +307,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +322,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -870,7 +885,7 @@ index cc43d25..da5b191 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +316,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +331,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -891,7 +906,7 @@ index cc43d25..da5b191 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +337,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +352,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -918,7 +933,7 @@ index cc43d25..da5b191 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +373,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +388,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -932,7 +947,7 @@ index cc43d25..da5b191 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +391,11 @@ optional_policy(`
+@@ -330,10 +406,11 @@ optional_policy(`
  
  #######################################
  #
@@ -946,7 +961,7 @@ index cc43d25..da5b191 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +414,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +429,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1008,31 +1023,59 @@ index cc43d25..da5b191 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +472,18 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +487,47 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
 +logging_send_syslog_msg(abrt_watch_log_t)
 +
-+optional_policy(`
-+	unconfined_domain(abrt_watch_log_t)
-+')
++#optional_policy(`
++#	unconfined_domain(abrt_watch_log_t)
++#')
  
  #######################################
  #
 -# Global local policy
-+# Local policy for all abrt domain
++# abrt-upload-watch local policy
  #
  
 -kernel_read_system_state(abrt_domain)
-+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
-+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
++allow abrt_upload_watch_t self:capability dac_override;
+ 
+-files_read_etc_files(abrt_domain)
++manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
++
++read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
  
- files_read_etc_files(abrt_domain)
--
 -logging_send_syslog_msg(abrt_domain)
--
++manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)
++
++corecmd_exec_bin(abrt_upload_watch_t)
++
++dev_read_urand(abrt_upload_watch_t)
++
++auth_read_passwd(abrt_upload_watch_t)
++
++tunable_policy(`abrt_upload_watch_anon_write',`
++    miscfiles_manage_public_files(abrt_upload_watch_t)
++')
+ 
 -miscfiles_read_localization(abrt_domain)
++optional_policy(`
++    dbus_system_bus_client(abrt_upload_watch_t)
++')
++
++#######################################
++#
++# Local policy for all abrt domain
++#
++
++allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
++allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
++
++files_read_etc_files(abrt_domain)
 diff --git a/accountsd.fc b/accountsd.fc
 index f9d8d7a..0682710 100644
 --- a/accountsd.fc
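Review bot: `manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)` uses the tmp file type as the subject, so the rule grants nothing to the daemon; it should read `manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)`. The `optional_policy` block around `unconfined_domain(abrt_watch_log_t)` is commented out rather than deleted; drop it so no one re-enables it by accident. `allow abrt_upload_watch_t self:capability dac_override;` is a broad grant — if the only need is reading spool directories owned by other users, `dac_read_search` is the narrower capability, worth confirming against the denials that motivated it. The bodies of the new `tunable_policy` and `optional_policy` blocks are indented with four spaces while the rest of abrt.te uses tabs.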
@@ -1980,7 +2023,7 @@ index 7f4dfbc..4d750fa 100644
  /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
  
 diff --git a/amanda.te b/amanda.te
-index ed45974..95b56a6 100644
+index ed45974..cd5a4fa 100644
 --- a/amanda.te
 +++ b/amanda.te
 @@ -9,11 +9,13 @@ attribute_role amanda_recover_roles;
@@ -1990,7 +2033,7 @@ index ed45974..95b56a6 100644
 +type amanda_exec_t;
  type amanda_inetd_exec_t;
 -inetd_service_domain(amanda_t, amanda_inetd_exec_t)
-+init_daemon_domain(amanda_t, amanda_exec_t)
++init_daemon_domain(amanda_t, amanda_inetd_exec_t)
 +role system_r types amanda_t;
  
 -type amanda_exec_t;
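Review bot: After this change amanda_t's entry point is `amanda_inetd_exec_t`, while the `type amanda_exec_t;` declaration hoisted above it has no transition or entrypoint rule in this hunk; if nothing else in amanda.te uses it, files labelled amanda_exec_t will no longer enter amanda_t and the type should either get its own `init_daemon_domain`/`domtrans_pattern` or be dropped. `role system_r types amanda_t;` looks redundant, since refpolicy's `init_daemon_domain` already associates system_r with the domain. The enclosing section of amanda.te continues outside this hunk, so the remaining uses of amanda_exec_t cannot be checked from here.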
@@ -3240,7 +3283,7 @@ index 550a69e..53e5708 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index 83e899c..c5be77c 100644
+index 83e899c..fac6fe5 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -1,9 +1,9 @@
@@ -3256,7 +3299,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="prefix">
  ##	<summary>
-@@ -13,118 +13,100 @@
+@@ -13,118 +13,101 @@
  #
  template(`apache_content_template',`
  	gen_require(`
@@ -3411,6 +3454,7 @@ index 83e899c..c5be77c 100644
 -		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
 +		# apache runs the script:
 +		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
++		allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
  	')
  ')
  
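Review bot: The new `allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;` sits directly under the comment `# apache runs the script:`, which describes only the `domtrans_pattern` above it; give the allow its own one-line comment stating which interaction needs the datagram send so the next maintainer can tell whether it still applies. The surrounding block of `apache_content_template` starts and ends outside this hunk, so whether the rule belongs inside the same conditional as the domain transition cannot be confirmed from here.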
@@ -3421,7 +3465,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="role">
  ##	<summary>
-@@ -133,47 +115,61 @@ template(`apache_content_template',`
+@@ -133,47 +116,61 @@ template(`apache_content_template',`
  ## </param>
  ## <param name="domain">
  ##	<summary>
@@ -3512,7 +3556,7 @@ index 83e899c..c5be77c 100644
  		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
  	')
  
-@@ -184,7 +180,7 @@ interface(`apache_role',`
+@@ -184,7 +181,7 @@ interface(`apache_role',`
  
  ########################################
  ## <summary>
@@ -3521,7 +3565,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -204,7 +200,7 @@ interface(`apache_read_user_scripts',`
+@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',`
  
  ########################################
  ## <summary>
@@ -3530,7 +3574,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -224,7 +220,7 @@ interface(`apache_read_user_content',`
+@@ -224,7 +221,7 @@ interface(`apache_read_user_content',`
  
  ########################################
  ## <summary>
@@ -3539,7 +3583,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -241,27 +237,47 @@ interface(`apache_domtrans',`
+@@ -241,27 +238,47 @@ interface(`apache_domtrans',`
  	domtrans_pattern($1, httpd_exec_t, httpd_t)
  ')
  
@@ -3594,7 +3638,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -279,7 +295,7 @@ interface(`apache_signal',`
+@@ -279,7 +296,7 @@ interface(`apache_signal',`
  
  ########################################
  ## <summary>
@@ -3603,7 +3647,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -297,7 +313,7 @@ interface(`apache_signull',`
+@@ -297,7 +314,7 @@ interface(`apache_signull',`
  
  ########################################
  ## <summary>
@@ -3612,7 +3656,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -315,8 +331,7 @@ interface(`apache_sigchld',`
+@@ -315,8 +332,7 @@ interface(`apache_sigchld',`
  
  ########################################
  ## <summary>
@@ -3622,7 +3666,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -334,8 +349,8 @@ interface(`apache_use_fds',`
+@@ -334,8 +350,8 @@ interface(`apache_use_fds',`
  
  ########################################
  ## <summary>
@@ -3633,7 +3677,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -348,13 +363,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
  		type httpd_t;
  	')
  
@@ -3650,7 +3694,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -372,8 +387,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
+@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
  
  ########################################
  ## <summary>
@@ -3661,7 +3705,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -391,8 +406,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
+@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
  
  ########################################
  ## <summary>
@@ -3671,7 +3715,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -417,7 +431,8 @@ interface(`apache_manage_all_content',`
+@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',`
  
  ########################################
  ## <summary>
@@ -3681,7 +3725,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -435,7 +450,8 @@ interface(`apache_setattr_cache_dirs',`
+@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',`
  
  ########################################
  ## <summary>
@@ -3691,7 +3735,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -453,7 +469,8 @@ interface(`apache_list_cache',`
+@@ -453,7 +470,8 @@ interface(`apache_list_cache',`
  
  ########################################
  ## <summary>
@@ -3701,7 +3745,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -471,7 +488,8 @@ interface(`apache_rw_cache_files',`
+@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',`
  
  ########################################
  ## <summary>
@@ -3711,7 +3755,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -489,7 +507,8 @@ interface(`apache_delete_cache_dirs',`
+@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',`
  
  ########################################
  ## <summary>
@@ -3721,7 +3765,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -507,49 +526,51 @@ interface(`apache_delete_cache_files',`
+@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',`
  
  ########################################
  ## <summary>
@@ -3784,7 +3828,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -570,8 +591,8 @@ interface(`apache_manage_config',`
+@@ -570,8 +592,8 @@ interface(`apache_manage_config',`
  
  ########################################
  ## <summary>
@@ -3795,7 +3839,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -608,16 +629,38 @@ interface(`apache_domtrans_helper',`
+@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',`
  #
  interface(`apache_run_helper',`
  	gen_require(`
@@ -3837,7 +3881,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -639,7 +682,8 @@ interface(`apache_read_log',`
+@@ -639,7 +683,8 @@ interface(`apache_read_log',`
  
  ########################################
  ## <summary>
@@ -3847,7 +3891,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -657,10 +701,29 @@ interface(`apache_append_log',`
+@@ -657,10 +702,29 @@ interface(`apache_append_log',`
  	append_files_pattern($1, httpd_log_t, httpd_log_t)
  ')
  
@@ -3879,7 +3923,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -678,8 +741,8 @@ interface(`apache_dontaudit_append_log',`
+@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',`
  
  ########################################
  ## <summary>
@@ -3890,7 +3934,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -698,47 +761,49 @@ interface(`apache_manage_log',`
+@@ -698,47 +762,49 @@ interface(`apache_manage_log',`
  	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
  ')
  
@@ -3953,7 +3997,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -752,11 +817,13 @@ interface(`apache_list_modules',`
+@@ -752,11 +818,13 @@ interface(`apache_list_modules',`
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -3968,7 +4012,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -776,46 +843,63 @@ interface(`apache_exec_modules',`
+@@ -776,46 +844,63 @@ interface(`apache_exec_modules',`
  
  ########################################
  ## <summary>
@@ -4049,7 +4093,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -829,13 +913,14 @@ interface(`apache_list_sys_content',`
+@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',`
  	')
  
  	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -4066,7 +4110,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -844,6 +929,7 @@ interface(`apache_list_sys_content',`
+@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',`
  ## </param>
  ## <rolecap/>
  #
@@ -4074,7 +4118,7 @@ index 83e899c..c5be77c 100644
  interface(`apache_manage_sys_content',`
  	gen_require(`
  		type httpd_sys_content_t;
-@@ -855,32 +941,98 @@ interface(`apache_manage_sys_content',`
+@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',`
  	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
  ')
  
@@ -4181,7 +4225,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -888,10 +1040,17 @@ interface(`apache_manage_sys_rw_content',`
+@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',`
  ##	</summary>
  ## </param>
  #
@@ -4200,7 +4244,7 @@ index 83e899c..c5be77c 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -901,9 +1060,8 @@ interface(`apache_domtrans_sys_script',`
+@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',`
  
  ########################################
  ## <summary>
@@ -4212,7 +4256,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -941,7 +1099,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',`
  ########################################
  ## <summary>
  ##	Execute all user scripts in the user
@@ -4221,7 +4265,7 @@ index 83e899c..c5be77c 100644
  ##	to the specified role.
  ## </summary>
  ## <param name="domain">
-@@ -954,6 +1112,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',`
  ##	Role allowed access.
  ##	</summary>
  ## </param>
@@ -4229,7 +4273,7 @@ index 83e899c..c5be77c 100644
  #
  interface(`apache_run_all_scripts',`
  	gen_require(`
-@@ -966,7 +1125,8 @@ interface(`apache_run_all_scripts',`
+@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',`
  
  ########################################
  ## <summary>
@@ -4239,7 +4283,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -979,12 +1139,13 @@ interface(`apache_read_squirrelmail_data',`
+@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',`
  		type httpd_squirrelmail_t;
  	')
  
@@ -4255,7 +4299,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1002,7 +1163,7 @@ interface(`apache_append_squirrelmail_data',`
+@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',`
  
  ########################################
  ## <summary>
@@ -4264,7 +4308,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1015,13 +1176,12 @@ interface(`apache_search_sys_content',`
+@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',`
  		type httpd_sys_content_t;
  	')
  
@@ -4279,7 +4323,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1041,7 +1201,7 @@ interface(`apache_read_sys_content',`
+@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',`
  
  ########################################
  ## <summary>
@@ -4288,7 +4332,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1059,8 +1219,7 @@ interface(`apache_search_sys_scripts',`
+@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',`
  
  ########################################
  ## <summary>
@@ -4298,7 +4342,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1070,13 +1229,22 @@ interface(`apache_search_sys_scripts',`
+@@ -1070,13 +1230,22 @@ interface(`apache_search_sys_scripts',`
  ## <rolecap/>
  #
  interface(`apache_manage_all_user_content',`
@@ -4324,7 +4368,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1094,7 +1262,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',`
  
  ########################################
  ## <summary>
@@ -4334,7 +4378,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1111,10 +1280,29 @@ interface(`apache_read_tmp_files',`
+@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -4366,7 +4410,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1127,7 +1315,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -4375,7 +4419,7 @@ index 83e899c..c5be77c 100644
  ')
  
  ########################################
-@@ -1136,6 +1324,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',`
  ## </summary>
  ##	<desc>
  ##	<p>
@@ -4385,7 +4429,7 @@ index 83e899c..c5be77c 100644
  ##	This is an interface to support third party modules
  ##	and its use is not allowed in upstream reference
  ##	policy.
-@@ -1165,8 +1356,30 @@ interface(`apache_cgi_domain',`
+@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',`
  
  ########################################
  ## <summary>
@@ -4418,7 +4462,7 @@ index 83e899c..c5be77c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1183,18 +1396,19 @@ interface(`apache_cgi_domain',`
+@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',`
  interface(`apache_admin',`
  	gen_require(`
  		attribute httpdcontent, httpd_script_exec_type;
@@ -4447,7 +4491,7 @@ index 83e899c..c5be77c 100644
  
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1204,10 +1418,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1419,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -4461,7 +4505,7 @@ index 83e899c..c5be77c 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1432,129 @@ interface(`apache_admin',`
+@@ -1218,9 +1433,129 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -7156,6 +7200,19 @@ index 3590e2f..e1494bd 100644
  ')
  
  optional_policy(`
+diff --git a/apt.if b/apt.if
+index e2414c4..970736b 100644
+--- a/apt.if
++++ b/apt.if
+@@ -152,7 +152,7 @@ interface(`apt_read_cache',`
+ 
+ 	files_search_var($1)
+ 	allow $1 apt_var_cache_t:dir list_dir_perms;
+-	dontaudit $1 apt_var_cache_t:dir write_dir_perms;
++	dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
+ 	allow $1 apt_var_cache_t:file read_file_perms;
+ ')
+ 
 diff --git a/apt.te b/apt.te
 index e2d8d52..d82403c 100644
 --- a/apt.te
@@ -7380,7 +7437,7 @@ index 7268a04..6ffd87d 100644
  	domain_system_change_exemption($1)
  	role_transition $2 asterisk_initrc_exec_t system_r;
 diff --git a/asterisk.te b/asterisk.te
-index 5439f1c..0be374d 100644
+index 5439f1c..4f8a8a5 100644
 --- a/asterisk.te
 +++ b/asterisk.te
 @@ -19,7 +19,7 @@ type asterisk_log_t;
@@ -7392,7 +7449,25 @@ index 5439f1c..0be374d 100644
  
  type asterisk_tmp_t;
  files_tmp_file(asterisk_tmp_t)
-@@ -72,11 +72,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms;
+ read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+ read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+ 
+-append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+-create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+-setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
++manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
++manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
++logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir})
+ 
+ manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+ manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+ manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
++files_spool_file(asterisk_t, asterisk_spool_t, {dir file})
+ 
+ manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+ manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
  
  manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
  
@@ -7402,11 +7477,11 @@ index 5439f1c..0be374d 100644
  manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
 -files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
 -
-+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
  can_exec(asterisk_t, asterisk_exec_t)
  
  kernel_read_kernel_sysctls(asterisk_t)
-@@ -87,7 +87,6 @@ kernel_request_load_module(asterisk_t)
+@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t)
  corecmd_exec_bin(asterisk_t)
  corecmd_exec_shell(asterisk_t)
  
@@ -7414,7 +7489,7 @@ index 5439f1c..0be374d 100644
  corenet_all_recvfrom_netlabel(asterisk_t)
  corenet_tcp_sendrecv_generic_if(asterisk_t)
  corenet_udp_sendrecv_generic_if(asterisk_t)
-@@ -135,7 +134,6 @@ dev_read_urand(asterisk_t)
+@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t)
  
  domain_use_interactive_fds(asterisk_t)
  
@@ -7422,7 +7497,7 @@ index 5439f1c..0be374d 100644
  files_search_spool(asterisk_t)
  files_dontaudit_search_home(asterisk_t)
  
-@@ -148,8 +146,6 @@ auth_use_nsswitch(asterisk_t)
+@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t)
  
  logging_send_syslog_msg(asterisk_t)
  
@@ -8357,7 +8432,7 @@ index 866a1e2..6c2dbe4 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 076ffee..d4fb2a4 100644
+index 076ffee..1672ca4 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -8390,7 +8465,18 @@ index 076ffee..d4fb2a4 100644
  allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
  allow named_t self:fifo_file rw_fifo_file_perms;
  allow named_t self:unix_stream_socket { accept listen };
-@@ -110,7 +114,6 @@ kernel_read_network_state(named_t)
+@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+ 
+ can_exec(named_t, named_exec_t)
+ 
+-append_files_pattern(named_t, named_log_t, named_log_t)
+-create_files_pattern(named_t, named_log_t, named_log_t)
+-setattr_files_pattern(named_t, named_log_t, named_log_t)
++manage_files_pattern(named_t, named_log_t, named_log_t)
+ logging_log_filetrans(named_t, named_log_t, file)
+ 
+ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+@@ -110,7 +112,6 @@ kernel_read_network_state(named_t)
  
  corecmd_search_bin(named_t)
  
@@ -8398,7 +8484,7 @@ index 076ffee..d4fb2a4 100644
  corenet_all_recvfrom_netlabel(named_t)
  corenet_tcp_sendrecv_generic_if(named_t)
  corenet_udp_sendrecv_generic_if(named_t)
-@@ -139,6 +142,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
  dev_read_sysfs(named_t)
  dev_read_rand(named_t)
  dev_read_urand(named_t)
@@ -8406,7 +8492,7 @@ index 076ffee..d4fb2a4 100644
  
  domain_use_interactive_fds(named_t)
  
-@@ -170,6 +174,15 @@ tunable_policy(`named_write_master_zones',`
+@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',`
  ')
  
  optional_policy(`
@@ -8422,7 +8508,7 @@ index 076ffee..d4fb2a4 100644
  	dbus_system_domain(named_t, named_exec_t)
  
  	init_dbus_chat_script(named_t)
-@@ -183,6 +196,7 @@ optional_policy(`
+@@ -183,6 +194,7 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_keytab_template(named, named_t)
@@ -8430,7 +8516,7 @@ index 076ffee..d4fb2a4 100644
  ')
  
  optional_policy(`
-@@ -209,7 +223,8 @@ optional_policy(`
+@@ -209,7 +221,8 @@ optional_policy(`
  #
  
  allow ndc_t self:capability { dac_override net_admin };
@@ -8440,7 +8526,7 @@ index 076ffee..d4fb2a4 100644
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { accept listen };
  
-@@ -223,10 +238,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
  
  allow ndc_t named_zone_t:dir search_dir_perms;
  
@@ -8452,7 +8538,7 @@ index 076ffee..d4fb2a4 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -251,7 +265,7 @@ init_use_script_ptys(ndc_t)
+@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t)
  
  logging_send_syslog_msg(ndc_t)
  
@@ -8648,10 +8734,10 @@ index bc5c984..63a4b1d 100644
 +	xserver_read_state_xdm(blueman_t)
 +')
 diff --git a/bluetooth.fc b/bluetooth.fc
-index 2b9c7f3..63e4860 100644
+index 2b9c7f3..0086b95 100644
 --- a/bluetooth.fc
 +++ b/bluetooth.fc
-@@ -5,10 +5,13 @@
+@@ -5,10 +5,14 @@
  /etc/rc\.d/init\.d/dund	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/pand	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
  
@@ -8662,6 +8748,7 @@ index 2b9c7f3..63e4860 100644
  /usr/bin/hidd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
  /usr/bin/rfcomm	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 +/usr/bin/pand	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
++/usr/libexec/bluetooth/bluetoothd 	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
  
  /usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
  /usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
@@ -8782,7 +8869,7 @@ index c723a0a..3e8a553 100644
 +	allow $1 bluetooth_unit_file_t:service all_service_perms;
  ')
 diff --git a/bluetooth.te b/bluetooth.te
-index 6f09d24..9c48d18 100644
+index 6f09d24..231de05 100644
 --- a/bluetooth.te
 +++ b/bluetooth.te
 @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
@@ -8795,7 +8882,17 @@ index 6f09d24..9c48d18 100644
  ########################################
  #
  # Local policy
-@@ -90,14 +93,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+ 
+ manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+ manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
++manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
++files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
+ 
+ manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+ manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
  
  can_exec(bluetooth_t, bluetooth_helper_exec_t)
  
@@ -8822,7 +8919,7 @@ index 6f09d24..9c48d18 100644
  
  dev_read_sysfs(bluetooth_t)
  dev_rw_usbfs(bluetooth_t)
-@@ -110,7 +123,6 @@ domain_use_interactive_fds(bluetooth_t)
+@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t)
  domain_dontaudit_search_all_domains_state(bluetooth_t)
  
  files_read_etc_runtime_files(bluetooth_t)
@@ -8830,7 +8927,7 @@ index 6f09d24..9c48d18 100644
  
  fs_getattr_all_fs(bluetooth_t)
  fs_search_auto_mountpoints(bluetooth_t)
-@@ -122,7 +134,6 @@ auth_use_nsswitch(bluetooth_t)
+@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t)
  
  logging_send_syslog_msg(bluetooth_t)
  
@@ -8838,12 +8935,13 @@ index 6f09d24..9c48d18 100644
  miscfiles_read_fonts(bluetooth_t)
  miscfiles_read_hwdata(bluetooth_t)
  
-@@ -130,8 +141,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+@@ -130,8 +142,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
  userdom_dontaudit_use_user_terminals(bluetooth_t)
  userdom_dontaudit_search_user_home_dirs(bluetooth_t)
  
 +# machine-info
 +systemd_hostnamed_read_config(bluetooth_t)
++systemd_dbus_chat_hostnamed(bluetooth_t)
 +
  optional_policy(`
  	dbus_system_bus_client(bluetooth_t)
@@ -8851,7 +8949,7 @@ index 6f09d24..9c48d18 100644
  
  	optional_policy(`
  		cups_dbus_chat(bluetooth_t)
-@@ -199,7 +214,6 @@ dev_read_urand(bluetooth_helper_t)
+@@ -199,7 +216,6 @@ dev_read_urand(bluetooth_helper_t)
  domain_read_all_domains_state(bluetooth_helper_t)
  
  files_read_etc_runtime_files(bluetooth_helper_t)
@@ -12419,7 +12517,7 @@ index 954309e..f4db2ca 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..b2709d1 100644
+index 6471fa8..dc0423c 100644
 --- a/collectd.te
 +++ b/collectd.te
 @@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
@@ -12437,16 +12535,17 @@ index 6471fa8..b2709d1 100644
  ########################################
  #
  # Local policy
-@@ -38,6 +44,8 @@ allow collectd_t self:process { getsched setsched signal };
+@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal };
  allow collectd_t self:fifo_file rw_fifo_file_perms;
  allow collectd_t self:packet_socket create_socket_perms;
  allow collectd_t self:unix_stream_socket { accept listen };
 +allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +allow collectd_t self:udp_socket create_socket_perms;
++allow collectd_t self:rawip_socket create_socket_perms;
  
  manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
  manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-@@ -46,23 +54,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
  manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
  files_pid_filetrans(collectd_t, collectd_var_run_t, file)
  
@@ -12454,6 +12553,9 @@ index 6471fa8..b2709d1 100644
 +kernel_read_all_sysctls(collectd_t)
 +kernel_read_all_proc(collectd_t)
 +kernel_list_all_proc(collectd_t)
++
++auth_getattr_passwd(collectd_t)
++auth_read_passwd(collectd_t)
  
 -kernel_read_network_state(collectd_t)
 -kernel_read_net_sysctls(collectd_t)
@@ -12479,7 +12581,7 @@ index 6471fa8..b2709d1 100644
  
  logging_send_syslog_msg(collectd_t)
  
-@@ -75,16 +85,26 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',`
  ')
  
  optional_policy(`
@@ -12726,7 +12828,7 @@ index 3f6e4dc..88c4f19 100644
  
  mta_getattr_spool(comsat_t)
 diff --git a/condor.fc b/condor.fc
-index 23dc348..7cc536b 100644
+index 23dc348..c4450f7 100644
 --- a/condor.fc
 +++ b/condor.fc
 @@ -1,4 +1,5 @@
@@ -12735,6 +12837,15 @@ index 23dc348..7cc536b 100644
  
  /usr/sbin/condor_collector	--	gen_context(system_u:object_r:condor_collector_exec_t,s0)
  /usr/sbin/condor_master	--	gen_context(system_u:object_r:condor_master_exec_t,s0)
+@@ -8,6 +9,8 @@
+ /usr/sbin/condor_startd	--	gen_context(system_u:object_r:condor_startd_exec_t,s0)
+ /usr/sbin/condor_starter	--	gen_context(system_u:object_r:condor_startd_exec_t,s0)
+ 
++/etc/condor(/.*)?       gen_context(system_u:object_r:condor_etc_rw_t,s0)
++
+ /var/lib/condor(/.*)?	gen_context(system_u:object_r:condor_var_lib_t,s0)
+ 
+ /var/lib/condor/execute(/.*)?	gen_context(system_u:object_r:condor_var_lib_t,s0)
 diff --git a/condor.if b/condor.if
 index 3fe3cb8..5fe84a6 100644
 --- a/condor.if
@@ -13192,10 +13303,20 @@ index 3fe3cb8..5fe84a6 100644
 +	')
  ')
 diff --git a/condor.te b/condor.te
-index 3f2b672..95daaa7 100644
+index 3f2b672..39f85e7 100644
 --- a/condor.te
 +++ b/condor.te
-@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t)
+@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
+ type condor_startd_tmpfs_t;
+ files_tmpfs_file(condor_startd_tmpfs_t)
+ 
++type condor_etc_rw_t;
++files_config_file(condor_etc_rw_t)
++
+ type condor_log_t;
+ logging_log_file(condor_log_t)
+ 
+@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t)
  type condor_var_run_t;
  files_pid_file(condor_var_run_t)
  
@@ -13205,7 +13326,7 @@ index 3f2b672..95daaa7 100644
  condor_domain_template(collector)
  condor_domain_template(negotiator)
  condor_domain_template(procd)
-@@ -57,10 +60,15 @@ condor_domain_template(startd)
+@@ -57,15 +63,20 @@ condor_domain_template(startd)
  # Global local policy
  #
  
@@ -13220,16 +13341,22 @@ index 3f2b672..95daaa7 100644
 +allow condor_domain self:udp_socket create_socket_perms;
 +allow condor_domain self:unix_stream_socket create_stream_socket_perms;
 +allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
++
++rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
  
  manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
- append_files_pattern(condor_domain, condor_log_t, condor_log_t)
-@@ -86,13 +94,12 @@ allow condor_domain condor_master_t:tcp_socket getattr;
+-append_files_pattern(condor_domain, condor_log_t, condor_log_t)
+-create_files_pattern(condor_domain, condor_log_t, condor_log_t)
+-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
++manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
+ logging_log_filetrans(condor_domain, condor_log_t, { dir file })
+ 
+ manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
+@@ -86,13 +97,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
  
  kernel_read_kernel_sysctls(condor_domain)
  kernel_read_network_state(condor_domain)
 -kernel_read_system_state(condor_domain)
-+
-+
  
  corecmd_exec_bin(condor_domain)
  corecmd_exec_shell(condor_domain)
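Review bot: `rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)` gives every condor domain, including condor_startd_t which launches user jobs, write access to all of `/etc/condor` (labelled condor_etc_rw_t in the condor.fc hunk above), so a compromised worker daemon could rewrite the configuration that governs the whole pool. If only one component actually rewrites its config, scope the rule to that domain, or label just the files it writes as condor_etc_rw_t and leave the rest as `etc_t`. A comment naming which daemon writes which file would make the intent reviewable; the condor_domain global policy continues outside this hunk.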
@@ -13239,18 +13366,19 @@ index 3f2b672..95daaa7 100644
  corenet_tcp_sendrecv_generic_if(condor_domain)
  corenet_tcp_sendrecv_generic_node(condor_domain)
  
-@@ -106,9 +113,7 @@ dev_read_rand(condor_domain)
+@@ -106,9 +114,9 @@ dev_read_rand(condor_domain)
  dev_read_sysfs(condor_domain)
  dev_read_urand(condor_domain)
  
 -logging_send_syslog_msg(condor_domain)
--
--miscfiles_read_localization(condor_domain)
 +auth_read_passwd(condor_domain)
  
+-miscfiles_read_localization(condor_domain)
++sysnet_dns_name_resolve(condor_domain)
+ 
  tunable_policy(`condor_tcp_network_connect',`
  	corenet_sendrecv_all_client_packets(condor_domain)
-@@ -125,7 +130,7 @@ optional_policy(`
+@@ -125,7 +133,7 @@ optional_policy(`
  # Master local policy
  #
  
@@ -13259,25 +13387,27 @@ index 3f2b672..95daaa7 100644
  
  allow condor_master_t condor_domain:process { sigkill signal };
  
-@@ -133,6 +138,8 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -133,6 +141,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
  
 +can_exec(condor_master_t, condor_master_exec_t)
 +
++kernel_read_system_state(condor_master_t)
++
  corenet_udp_sendrecv_generic_if(condor_master_t)
  corenet_udp_sendrecv_generic_node(condor_master_t)
  corenet_tcp_bind_generic_node(condor_master_t)
-@@ -150,7 +157,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
+@@ -152,6 +164,8 @@ domain_read_all_domains_state(condor_master_t)
  
- domain_read_all_domains_state(condor_master_t)
- 
--auth_use_nsswitch(condor_master_t)
-+auth_read_passwd(condor_master_t)
+ auth_use_nsswitch(condor_master_t)
  
++logging_send_syslog_msg(condor_master_t)
++
  optional_policy(`
  	mta_send_mail(condor_master_t)
-@@ -169,6 +176,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+ 	mta_read_config(condor_master_t)
+@@ -169,6 +183,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
  
  kernel_read_network_state(condor_collector_t)
  
@@ -13286,7 +13416,7 @@ index 3f2b672..95daaa7 100644
  #####################################
  #
  # Negotiator local policy
-@@ -178,6 +187,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -178,6 +194,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
  allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
  allow condor_negotiator_t condor_master_t:udp_socket getattr;
  
@@ -13295,7 +13425,17 @@ index 3f2b672..95daaa7 100644
  ######################################
  #
  # Procd local policy
-@@ -201,6 +212,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -185,7 +203,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
+ 
+ allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
+ 
+-allow condor_procd_t condor_startd_t:process sigkill;
++allow condor_procd_t condor_domain:process sigkill;
++
+ 
+ domain_read_all_domains_state(condor_procd_t)
+ 
+@@ -201,6 +220,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
  
  allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
  
@@ -13304,7 +13444,7 @@ index 3f2b672..95daaa7 100644
  domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
  domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
  
-@@ -209,6 +222,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -209,6 +230,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
  
@@ -13313,7 +13453,7 @@ index 3f2b672..95daaa7 100644
  #####################################
  #
  # Startd local policy
-@@ -233,11 +248,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -233,11 +256,10 @@ domain_read_all_domains_state(condor_startd_t)
  mcs_process_set_categories(condor_startd_t)
  
  init_domtrans_script(condor_startd_t)
@@ -13326,7 +13466,7 @@ index 3f2b672..95daaa7 100644
  optional_policy(`
  	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
  	ssh_domtrans(condor_startd_t)
-@@ -249,3 +263,7 @@ optional_policy(`
+@@ -249,3 +271,7 @@ optional_policy(`
  		kerberos_use(condor_startd_ssh_t)
  	')
  ')
@@ -15389,7 +15529,7 @@ index 1303b30..058864e 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
  ')
 diff --git a/cron.te b/cron.te
-index 28e1b86..9436993 100644
+index 28e1b86..f871609 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -1,4 +1,4 @@
@@ -15630,7 +15770,7 @@ index 28e1b86..9436993 100644
  logging_log_filetrans(crond_t, cron_log_t, file)
  
  manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
-@@ -237,72 +180,67 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
  
  manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
  manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -15701,6 +15841,7 @@ index 28e1b86..9436993 100644
 +# Read from /var/spool/cron.
  files_search_var_lib(crond_t)
  files_search_default(crond_t)
++files_read_all_locks(crond_t)
  
 -mls_fd_share_all_levels(crond_t)
 +fs_manage_cgroup_dirs(crond_t)
@@ -15733,7 +15874,7 @@ index 28e1b86..9436993 100644
  auth_use_nsswitch(crond_t)
  
  logging_send_audit_msgs(crond_t)
-@@ -311,41 +249,46 @@ logging_set_loginuid(crond_t)
+@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t)
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
@@ -15796,7 +15937,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -353,102 +296,136 @@ optional_policy(`
+@@ -353,102 +297,136 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15964,7 +16105,7 @@ index 28e1b86..9436993 100644
  allow system_cronjob_t cron_spool_t:dir list_dir_perms;
  allow system_cronjob_t cron_spool_t:file rw_file_perms;
  
-@@ -457,11 +434,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
  kernel_read_software_raid_state(system_cronjob_t)
  
@@ -15977,7 +16118,7 @@ index 28e1b86..9436993 100644
  corenet_all_recvfrom_netlabel(system_cronjob_t)
  corenet_tcp_sendrecv_generic_if(system_cronjob_t)
  corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -481,6 +458,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
  fs_getattr_all_pipes(system_cronjob_t)
  fs_getattr_all_sockets(system_cronjob_t)
  
@@ -15985,7 +16126,7 @@ index 28e1b86..9436993 100644
  domain_dontaudit_read_all_domains_state(system_cronjob_t)
  
  files_exec_etc_files(system_cronjob_t)
-@@ -491,15 +469,19 @@ files_getattr_all_files(system_cronjob_t)
+@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t)
  files_getattr_all_symlinks(system_cronjob_t)
  files_getattr_all_pipes(system_cronjob_t)
  files_getattr_all_sockets(system_cronjob_t)
@@ -16008,7 +16149,7 @@ index 28e1b86..9436993 100644
  init_domtrans_script(system_cronjob_t)
  
  auth_use_nsswitch(system_cronjob_t)
-@@ -511,20 +493,26 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t)
  logging_send_audit_msgs(system_cronjob_t)
  logging_send_syslog_msg(system_cronjob_t)
  
@@ -16038,7 +16179,7 @@ index 28e1b86..9436993 100644
  	selinux_validate_context(system_cronjob_t)
  	selinux_compute_access_vector(system_cronjob_t)
  	selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +522,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -534,10 +523,17 @@ tunable_policy(`cron_can_relabel',`
  ')
  
  optional_policy(`
@@ -16056,7 +16197,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -546,10 +541,6 @@ optional_policy(`
+@@ -546,10 +542,6 @@ optional_policy(`
  
  optional_policy(`
  	dbus_system_bus_client(system_cronjob_t)
@@ -16067,7 +16208,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -581,6 +572,7 @@ optional_policy(`
+@@ -581,6 +573,7 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(system_cronjob_t)
  	mta_send_mail(system_cronjob_t)
@@ -16075,7 +16216,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -588,15 +580,19 @@ optional_policy(`
+@@ -588,15 +581,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16097,7 +16238,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -606,6 +602,7 @@ optional_policy(`
+@@ -606,6 +603,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -16105,7 +16246,7 @@ index 28e1b86..9436993 100644
  ')
  
  optional_policy(`
-@@ -613,12 +610,24 @@ optional_policy(`
+@@ -613,12 +611,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16132,7 +16273,7 @@ index 28e1b86..9436993 100644
  #
  
  allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +635,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -626,12 +636,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
  allow cronjob_t self:unix_dgram_socket create_socket_perms;
  
@@ -16166,7 +16307,7 @@ index 28e1b86..9436993 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +668,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +669,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
  corenet_udp_sendrecv_generic_node(cronjob_t)
  corenet_tcp_sendrecv_all_ports(cronjob_t)
  corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -16954,7 +17095,7 @@ index 06da9a0..6d69a2f 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..ab0eee9 100644
+index 9f34c2e..09ef91c 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16984,7 +17125,7 @@ index 9f34c2e..ab0eee9 100644
  files_config_file(cupsd_etc_t)
  
  type cupsd_initrc_exec_t;
-@@ -33,9 +38,13 @@ type cupsd_lock_t;
+@@ -33,13 +38,15 @@ type cupsd_lock_t;
  files_lock_file(cupsd_lock_t)
  
  type cupsd_log_t;
@@ -16997,9 +17138,14 @@ index 9f34c2e..ab0eee9 100644
 +
 +type cupsd_lpd_t, cups_domain;
  type cupsd_lpd_exec_t;
- domain_type(cupsd_lpd_t)
- domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
-@@ -47,7 +56,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
+-domain_type(cupsd_lpd_t)
+-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
+-role system_r types cupsd_lpd_t;
++init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
+ 
+ type cupsd_lpd_tmp_t;
+ files_tmp_file(cupsd_lpd_tmp_t)
+@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
  type cupsd_lpd_var_run_t;
  files_pid_file(cupsd_lpd_var_run_t)
  
@@ -17008,7 +17154,7 @@ index 9f34c2e..ab0eee9 100644
  type cups_pdf_exec_t;
  cups_backend(cups_pdf_t, cups_pdf_exec_t)
  
-@@ -55,29 +64,17 @@ type cups_pdf_tmp_t;
+@@ -55,29 +62,17 @@ type cups_pdf_tmp_t;
  files_tmp_file(cups_pdf_tmp_t)
  
  type cupsd_tmp_t;
@@ -17042,7 +17188,7 @@ index 9f34c2e..ab0eee9 100644
  
  type ptal_t;
  type ptal_exec_t;
-@@ -97,21 +94,49 @@ ifdef(`enable_mls',`
+@@ -97,21 +92,49 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
  ')
  
@@ -17096,7 +17242,7 @@ index 9f34c2e..ab0eee9 100644
  allow cupsd_t self:appletalk_socket create_socket_perms;
  
  allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-@@ -120,11 +145,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  
  manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -17110,8 +17256,15 @@ index 9f34c2e..ab0eee9 100644
  
  allow cupsd_t cupsd_exec_t:dir search_dir_perms;
  allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -139,22 +166,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -133,28 +158,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms;
+ files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+ 
+ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
++manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
  
 +manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
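Review bot: Collapsing the append/create/read/setattr rules into `manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)` also grants write, unlink, rename and link on the log files, so a compromised cupsd can now truncate or delete its own access/error/page logs, whereas the replaced set kept them effectively append-only. If the motivation is cupsd's own log rotation (it renames logs in place when a size limit is configured — confirm against the denial that prompted this), record that above the line, e.g. `# cupsd rotates its own logs in place, needs rename/unlink on cupsd_log_t`. Otherwise keep the narrower set and add only what the denial asked for, such as `rename_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)`.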
@@ -17138,7 +17291,7 @@ index 9f34c2e..ab0eee9 100644
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
  allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -162,11 +190,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -162,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
  can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
  
  kernel_read_system_state(cupsd_t)
@@ -17150,7 +17303,7 @@ index 9f34c2e..ab0eee9 100644
  corenet_all_recvfrom_netlabel(cupsd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_t)
  corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -189,12 +215,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -189,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_bind_all_rpc_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
  
@@ -17175,7 +17328,7 @@ index 9f34c2e..ab0eee9 100644
  dev_rw_input_dev(cupsd_t)
  dev_rw_generic_usb_dev(cupsd_t)
  dev_rw_usbfs(cupsd_t)
-@@ -206,7 +240,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -206,7 +235,6 @@ domain_use_interactive_fds(cupsd_t)
  files_getattr_boot_dirs(cupsd_t)
  files_list_spool(cupsd_t)
  files_read_etc_runtime_files(cupsd_t)
@@ -17183,7 +17336,7 @@ index 9f34c2e..ab0eee9 100644
  files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
-@@ -215,16 +248,17 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +243,17 @@ files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
  files_read_var_files(cupsd_t)
  files_read_var_symlinks(cupsd_t)
@@ -17203,7 +17356,7 @@ index 9f34c2e..ab0eee9 100644
  
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
-@@ -235,6 +269,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
@@ -17212,7 +17365,7 @@ index 9f34c2e..ab0eee9 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -247,21 +283,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -17238,7 +17391,7 @@ index 9f34c2e..ab0eee9 100644
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
  optional_policy(`
-@@ -275,6 +310,8 @@ optional_policy(`
+@@ -275,6 +305,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -17247,7 +17400,7 @@ index 9f34c2e..ab0eee9 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -285,8 +322,10 @@ optional_policy(`
+@@ -285,8 +317,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -17258,7 +17411,7 @@ index 9f34c2e..ab0eee9 100644
  	')
  ')
  
-@@ -299,8 +338,8 @@ optional_policy(`
+@@ -299,8 +333,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17268,7 +17421,7 @@ index 9f34c2e..ab0eee9 100644
  ')
  
  optional_policy(`
-@@ -309,7 +348,6 @@ optional_policy(`
+@@ -309,7 +343,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -17276,7 +17429,7 @@ index 9f34c2e..ab0eee9 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -337,7 +375,11 @@ optional_policy(`
+@@ -337,7 +370,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17289,7 +17442,7 @@ index 9f34c2e..ab0eee9 100644
  ')
  
  ########################################
-@@ -345,12 +387,11 @@ optional_policy(`
+@@ -345,12 +382,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -17305,7 +17458,7 @@ index 9f34c2e..ab0eee9 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -375,18 +416,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -17326,7 +17479,7 @@ index 9f34c2e..ab0eee9 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +434,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -17347,7 +17500,7 @@ index 9f34c2e..ab0eee9 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +451,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -17359,7 +17512,7 @@ index 9f34c2e..ab0eee9 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +478,12 @@ optional_policy(`
+@@ -452,9 +473,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17373,7 +17526,7 @@ index 9f34c2e..ab0eee9 100644
  ')
  
  optional_policy(`
-@@ -490,10 +519,6 @@ optional_policy(`
+@@ -490,10 +514,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -17384,7 +17537,7 @@ index 9f34c2e..ab0eee9 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +536,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +531,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -17417,7 +17570,7 @@ index 9f34c2e..ab0eee9 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -546,7 +562,6 @@ optional_policy(`
+@@ -546,7 +557,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -17425,7 +17578,7 @@ index 9f34c2e..ab0eee9 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +577,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +572,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -17577,7 +17730,7 @@ index 9f34c2e..ab0eee9 100644
  
  ########################################
  #
-@@ -731,7 +621,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +616,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -17585,7 +17738,7 @@ index 9f34c2e..ab0eee9 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +630,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +625,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -17599,7 +17752,7 @@ index 9f34c2e..ab0eee9 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -755,8 +642,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +637,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -17608,7 +17761,7 @@ index 9f34c2e..ab0eee9 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -769,3 +654,4 @@ optional_policy(`
+@@ -769,3 +649,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -17658,10 +17811,10 @@ index 9fa7ffb..fd3262c 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cvs_initrc_exec_t system_r;
 diff --git a/cvs.te b/cvs.te
-index 53fc3af..25b3285 100644
+index 53fc3af..989aabf 100644
 --- a/cvs.te
 +++ b/cvs.te
-@@ -11,7 +11,7 @@ policy_module(cvs, 1.9.1)
+@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
  ##	password files.
  ##	</p>
  ## </desc>
@@ -17670,7 +17823,12 @@ index 53fc3af..25b3285 100644
  
  type cvs_t;
  type cvs_exec_t;
-@@ -58,6 +58,14 @@ kernel_read_network_state(cvs_t)
+ inetd_tcp_service_domain(cvs_t, cvs_exec_t)
++init_domain(cvs_t, cvs_exec_t)
+ application_executable_file(cvs_exec_t)
+ 
+ type cvs_data_t; # customizable
+@@ -58,6 +59,14 @@ kernel_read_network_state(cvs_t)
  corecmd_exec_bin(cvs_t)
  corecmd_exec_shell(cvs_t)
  
@@ -17685,7 +17843,7 @@ index 53fc3af..25b3285 100644
  dev_read_urand(cvs_t)
  
  files_read_etc_runtime_files(cvs_t)
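Review bot: `init_domain(cvs_t, cvs_exec_t)` directly follows `inetd_tcp_service_domain(cvs_t, cvs_exec_t)`, and this same patch makes inetd_core_service_domain() call init_domain() itself; if inetd_tcp_service_domain() routes through that interface (its body is not visible here) the explicit call is redundant. If it is kept on purpose — for instance because cvs is also launched directly by a systemd unit — a one-line comment such as `# cvs may be started directly by init, not only via inetd` would stop the next cleanup from removing it. Unlike the cups.te change in this patch, this call is not wrapped in an optional_policy block, so it applies even when the inetd module is absent.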
-@@ -70,18 +78,18 @@ auth_use_nsswitch(cvs_t)
+@@ -70,18 +79,18 @@ auth_use_nsswitch(cvs_t)
  
  init_read_utmp(cvs_t)
  
@@ -17707,7 +17865,7 @@ index 53fc3af..25b3285 100644
  	allow cvs_t self:capability dac_override;
  	auth_tunable_read_shadow(cvs_t)
  ')
-@@ -103,4 +111,5 @@ optional_policy(`
+@@ -103,4 +112,5 @@ optional_policy(`
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -19055,6 +19213,19 @@ index 2c2e7e1..493ab48 100644
 +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
 +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
 +allow session_bus_type dbusd_unconfined:dbus send_msg;
+diff --git a/dcc.fc b/dcc.fc
+index 62d3c4e..cef59a7 100644
+--- a/dcc.fc
++++ b/dcc.fc
+@@ -10,6 +10,8 @@
+ /usr/libexec/dcc/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
+ /usr/libexec/dcc/dccm	--	gen_context(system_u:object_r:dccm_exec_t,s0)
+ 
++/usr/libexec/dcc/start-dccifd   --  gen_context(system_u:object_r:dccifd_exec_t,s0)
++
+ /usr/sbin/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+ /usr/sbin/dccd	--	gen_context(system_u:object_r:dccd_exec_t,s0)
+ /usr/sbin/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
 diff --git a/dcc.if b/dcc.if
 index a5c21e0..4639421 100644
 --- a/dcc.if
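Review bot: `/usr/libexec/dcc/start-dccifd` is presumably a wrapper script, so labelling it `dccifd_exec_t` makes it the entrypoint into dccifd_t; the daemon domain then has to execute the script interpreter and re-exec `/usr/libexec/dcc/dccifd` (also `dccifd_exec_t`) without a further transition, and neither `corecmd_exec_shell(dccifd_t)` nor `can_exec(dccifd_t, dccifd_exec_t)` is visible in the dcc.te hunks of this patch — confirm they exist or the wrapper will be denied partway through. The matching `domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)` added to dcc.te also makes this script a new path from the client domain into the daemon domain, which deserves a why-comment there; if dcc_client_t can run under a non-system role, that transition additionally needs dccifd_t authorized for the role. The new entry is aligned with spaces while the neighbouring lines use tabs.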
@@ -19068,7 +19239,7 @@ index a5c21e0..4639421 100644
  	stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
  ')
 diff --git a/dcc.te b/dcc.te
-index 15d908f..147dd14 100644
+index 15d908f..cecb0da 100644
 --- a/dcc.te
 +++ b/dcc.te
 @@ -45,7 +45,7 @@ type dcc_var_t;
@@ -19102,7 +19273,16 @@ index 15d908f..147dd14 100644
  
  ########################################
  #
-@@ -123,6 +126,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid };
+ 
+ allow dcc_client_t dcc_client_map_t:file rw_file_perms;
+ 
++domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)
++
+ manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+ manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+ files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
+@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
  
  kernel_read_system_state(dcc_client_t)
  
@@ -19115,7 +19295,7 @@ index 15d908f..147dd14 100644
  files_read_etc_runtime_files(dcc_client_t)
  
  fs_getattr_all_fs(dcc_client_t)
-@@ -131,12 +140,10 @@ auth_use_nsswitch(dcc_client_t)
+@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t)
  
  logging_send_syslog_msg(dcc_client_t)
  
@@ -19130,7 +19310,7 @@ index 15d908f..147dd14 100644
  ')
  
  optional_policy(`
-@@ -160,15 +167,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
  
  kernel_read_system_state(dcc_dbclean_t)
  
@@ -19152,7 +19332,7 @@ index 15d908f..147dd14 100644
  
  ########################################
  #
-@@ -202,7 +212,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
+@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
  kernel_read_system_state(dccd_t)
  kernel_read_kernel_sysctls(dccd_t)
  
@@ -19160,7 +19340,7 @@ index 15d908f..147dd14 100644
  corenet_all_recvfrom_netlabel(dccd_t)
  corenet_udp_sendrecv_generic_if(dccd_t)
  corenet_udp_sendrecv_generic_node(dccd_t)
-@@ -227,8 +236,6 @@ auth_use_nsswitch(dccd_t)
+@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t)
  
  logging_send_syslog_msg(dccd_t)
  
@@ -19169,7 +19349,7 @@ index 15d908f..147dd14 100644
  userdom_dontaudit_use_unpriv_user_fds(dccd_t)
  userdom_dontaudit_search_user_home_dirs(dccd_t)
  
-@@ -269,6 +276,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
+@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
  kernel_read_system_state(dccifd_t)
  kernel_read_kernel_sysctls(dccifd_t)
  
@@ -19181,7 +19361,7 @@ index 15d908f..147dd14 100644
  dev_read_sysfs(dccifd_t)
  
  domain_use_interactive_fds(dccifd_t)
-@@ -282,8 +294,6 @@ auth_use_nsswitch(dccifd_t)
+@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t)
  
  logging_send_syslog_msg(dccifd_t)
  
@@ -19190,7 +19370,7 @@ index 15d908f..147dd14 100644
  userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
  userdom_dontaudit_search_user_home_dirs(dccifd_t)
  
-@@ -324,6 +334,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
+@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
  kernel_read_system_state(dccm_t)
  kernel_read_kernel_sysctls(dccm_t)
  
@@ -19202,7 +19382,7 @@ index 15d908f..147dd14 100644
  dev_read_sysfs(dccm_t)
  
  domain_use_interactive_fds(dccm_t)
-@@ -337,8 +352,6 @@ auth_use_nsswitch(dccm_t)
+@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t)
  
  logging_send_syslog_msg(dccm_t)
  
@@ -22992,7 +23172,7 @@ index 6041113..ef3b449 100644
  	role_transition $2 exim_initrc_exec_t system_r;
  	allow $2 system_r;
 diff --git a/exim.te b/exim.te
-index 19325ce..5957aad 100644
+index 19325ce..b5c157f 100644
 --- a/exim.te
 +++ b/exim.te
 @@ -49,7 +49,7 @@ type exim_log_t;
@@ -23049,7 +23229,18 @@ index 19325ce..5957aad 100644
  ')
  
  optional_policy(`
-@@ -218,6 +216,7 @@ optional_policy(`
+@@ -192,8 +190,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mailman_read_data_files(exim_t)
++	mailman_manage_data_files(exim_t)
+ 	mailman_domtrans(exim_t)
++	mailman_read_log(exim_t)
+ ')
+ 
+ optional_policy(`
+@@ -218,6 +217,7 @@ optional_policy(`
  
  optional_policy(`
  	procmail_domtrans(exim_t)
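Review bot: Replacing `mailman_read_data_files(exim_t)` with `mailman_manage_data_files(exim_t)` moves the MTA from read-only to create/write/delete on mailman's data, so a compromised exim could alter list configuration or membership rather than just deliver into it (hedged — what mailman_data_t covers is not visible here). If the denial that motivated this is for a specific subdirectory or lock file, a narrower mailman interface or a tunable would be preferable; if full manage is genuinely required, add a comment above the line naming the operation, e.g. `# exim delivers into mailman's queue and needs to create/unlink entries there`. The enclosing optional_policy block is fully visible in the hunk.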
@@ -23461,7 +23652,7 @@ index 79b9273..76b7ed5 100644
  logging_send_syslog_msg(fcoemon_t)
  
 diff --git a/fetchmail.fc b/fetchmail.fc
-index 2486e2a..ea07c4f 100644
+index 2486e2a..fef9bff 100644
 --- a/fetchmail.fc
 +++ b/fetchmail.fc
 @@ -1,4 +1,5 @@
@@ -23470,6 +23661,12 @@ index 2486e2a..ea07c4f 100644
  
  /etc/fetchmailrc	--	gen_context(system_u:object_r:fetchmail_etc_t,s0)
  
+@@ -12,4 +13,4 @@ HOME_DIR/\.fetchmailrc	--	gen_context(system_u:object_r:fetchmail_home_t,s0)
+ 
+ /var/mail/\.fetchmail-UIDL-cache	--	gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+ 
+-/var/run/fetchmail/.*	--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
++/var/run/fetchmail.*	    gen_context(system_u:object_r:fetchmail_var_run_t,s0)
 diff --git a/fetchmail.if b/fetchmail.if
 index c3f7916..cab3954 100644
 --- a/fetchmail.if
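Review bot: The new pattern `/var/run/fetchmail.*` has an unescaped `.`, so it matches any path starting with `/var/run/fetchmail`, including unrelated entries such as `/var/run/fetchmail-something` created by another service, and dropping the `--` extends the label to directories and sockets, which may be intended. If the goal is to cover both the directory and a pid file created directly under /var/run (the companion fetchmail.te change now adds `file` to files_pid_filetrans), the conventional form is `/var/run/fetchmail(/.*)?	gen_context(system_u:object_r:fetchmail_var_run_t,s0)` plus `/var/run/fetchmail\.pid	--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)`, with the pid file name to be confirmed against what fetchmail actually writes.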
@@ -23495,7 +23692,7 @@ index c3f7916..cab3954 100644
  	admin_pattern($1, fetchmail_etc_t)
  
 diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..df501ec 100644
+index f0388cb..8e7f99e 100644
 --- a/fetchmail.te
 +++ b/fetchmail.te
 @@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
@@ -23515,18 +23712,20 @@ index f0388cb..df501ec 100644
  manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
  append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
  create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-@@ -54,6 +52,11 @@ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
- manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
- files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
+@@ -52,7 +50,12 @@ mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
  
+ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+ manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
++files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir})
++
 +list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
 +read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
 +userdom_search_user_home_dirs(fetchmail_t)
 +userdom_search_admin_dir(fetchmail_t)
-+
+ 
  kernel_read_kernel_sysctls(fetchmail_t)
  kernel_list_proc(fetchmail_t)
- kernel_getattr_proc_files(fetchmail_t)
 @@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
  corecmd_exec_bin(fetchmail_t)
  corecmd_exec_shell(fetchmail_t)
@@ -24146,7 +24345,7 @@ index c12c067..a415012 100644
  
  optional_policy(`
 diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..fcb022d 100644
+index c81b6e8..34e1f1c 100644
 --- a/fprintd.te
 +++ b/fprintd.te
 @@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
@@ -24157,8 +24356,11 @@ index c81b6e8..fcb022d 100644
  
  manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
  manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -30,14 +31,10 @@ dev_list_usbfs(fprintd_t)
+@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t)
+ 
+ dev_list_usbfs(fprintd_t)
  dev_read_sysfs(fprintd_t)
++dev_read_urand(fprintd_t)
  dev_rw_generic_usb_dev(fprintd_t)
  
 -files_read_usr_files(fprintd_t)
@@ -24172,7 +24374,7 @@ index c81b6e8..fcb022d 100644
  userdom_use_user_ptys(fprintd_t)
  userdom_read_all_users_state(fprintd_t)
  
-@@ -54,8 +51,13 @@ optional_policy(`
+@@ -54,8 +52,13 @@ optional_policy(`
  	')
  ')
  
@@ -24901,7 +25103,7 @@ index 9eacb2c..229782f 100644
  	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
  	domain_system_change_exemption($1)
 diff --git a/glance.te b/glance.te
-index e0a4f46..79bc951 100644
+index e0a4f46..95cf77c 100644
 --- a/glance.te
 +++ b/glance.te
 @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
@@ -24935,7 +25137,7 @@ index e0a4f46..79bc951 100644
  allow glance_domain self:fifo_file rw_fifo_file_perms;
  allow glance_domain self:unix_stream_socket create_stream_socket_perms;
  allow glance_domain self:tcp_socket { accept listen };
-@@ -56,27 +58,22 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
  manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  
@@ -24954,6 +25156,7 @@ index e0a4f46..79bc951 100644
  corecmd_exec_shell(glance_domain)
  
  dev_read_urand(glance_domain)
++dev_read_sysfs(glance_domain)
  
 -files_read_etc_files(glance_domain)
 -files_read_usr_files(glance_domain)
@@ -24966,7 +25169,7 @@ index e0a4f46..79bc951 100644
  sysnet_dns_name_resolve(glance_domain)
  
  ########################################
-@@ -88,8 +85,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
  manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
  files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
  
@@ -24981,7 +25184,7 @@ index e0a4f46..79bc951 100644
  
  logging_send_syslog_msg(glance_registry_t)
  
-@@ -108,13 +111,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +112,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
  files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
  can_exec(glance_api_t, glance_tmp_t)
  
@@ -25188,10 +25391,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..7244e2c
+index 0000000..a19c35c
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,170 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +## <desc>
@@ -25273,7 +25476,8 @@ index 0000000..7244e2c
 +
 +manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
 +manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
++manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
 +
 +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
@@ -25320,6 +25524,8 @@ index 0000000..7244e2c
 +dev_read_sysfs(glusterd_t)
 +dev_read_urand(glusterd_t)
 +
++domain_read_all_domains_state(glusterd_t)
++
 +domain_use_interactive_fds(glusterd_t)
 +
 +fs_mount_all_fs(glusterd_t)
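Review bot: `domain_read_all_domains_state(glusterd_t)` lets glusterd read /proc/<pid> state (cmdline, environ, maps, …) of every confined domain on the host, which is broad for a storage daemon and is added without a comment. If it only needs to locate its own brick or helper processes, a `ps_process_pattern(glusterd_t, …)` on those specific domains would be tighter — hedged, since which processes it inspects is not visible here. Either way, record the reason above the line, e.g. `# glusterd scans /proc to find brick and helper processes`.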
@@ -25639,7 +25845,7 @@ index e39de43..5818f74 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..e334392 100644
+index d03fd43..71aa685 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,123 +1,155 @@
@@ -26721,7 +26927,7 @@ index d03fd43..e334392 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -704,12 +795,830 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +795,851 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -26818,6 +27024,27 @@ index d03fd43..e334392 100644
 +
 +#######################################
 +## <summary>
++##  Delete gkeyringd temporary
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gnome_delete_gkeyringd_tmp_content',`
++    gen_require(`
++        type gkeyringd_tmp_t;
++    ')
++
++    files_search_tmp($1)
++    delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++    delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++    delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++')
++
++#######################################
++## <summary>
 +##  Manage gkeyringd temporary directories.
 +## </summary>
 +## <param name="domain">
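Review bot: The summary of the new `gnome_delete_gkeyringd_tmp_content` interface is cut off — `##  Delete gkeyringd temporary` — and should read `##  Delete gkeyringd temporary files, directories and sockets.` to match what the three delete_*_pattern calls actually grant. The interface body is indented with four spaces while the rest of gnome.if uses tabs; the whitespace fix in the following hunk goes the other way, so the file ends up mixed.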
@@ -26832,7 +27059,7 @@ index d03fd43..e334392 100644
 +    ')
 +
 +    files_search_tmp($1)
-+	manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++    manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
 +')
 +
 +########################################
@@ -29413,6 +29640,177 @@ index e207823..4e0f8ba 100644
  userdom_dontaudit_use_unpriv_user_fds(howl_t)
  userdom_dontaudit_search_user_home_dirs(howl_t)
  
+diff --git a/hypervkvp.fc b/hypervkvp.fc
+new file mode 100644
+index 0000000..3f82945
+--- /dev/null
++++ b/hypervkvp.fc
+@@ -0,0 +1,6 @@
++/etc/rc\.d/init\.d/hypervkvpd	--	gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
++
++/usr/sbin/hv_kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
++/usr/sbin/hypervkvpd		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
++
++/var/lib/hyperv(/.*)?		gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
+diff --git a/hypervkvp.if b/hypervkvp.if
+new file mode 100644
+index 0000000..17c3627
+--- /dev/null
++++ b/hypervkvp.if
+@@ -0,0 +1,111 @@
++
++## <summary>policy for hypervkvp</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the hypervkvp domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`hypervkvp_domtrans',`
++	gen_require(`
++		type hypervkvp_t, hypervkvp_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
++')
++
++########################################
++## <summary>
++##	Search hypervkvp lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`hypervkvp_search_lib',`
++	gen_require(`
++		type hypervkvp_var_lib_t;
++	')
++
++	allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read hypervkvp lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`hypervkvp_read_lib_files',`
++	gen_require(`
++		type hypervkvp_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
++	read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	hypervkvp lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`hypervkvp_manage_lib_files',`
++	gen_require(`
++		type hypervkvp_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an hypervkvp environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`hypervkvp_admin',`
++	gen_require(`
++		type hypervkvp_t;
++		type hypervkvp_unit_file_t;
++	')
++
++	allow $1 hypervkvp_t:process signal_perms;
++	ps_process_pattern($1, hypervkvp_t)
++
++	tunable_policy(`deny_ptrace',`',`
++		allow $1 hypervkvp_t:process ptrace;
++	')
++
++	hypervkvp_manage_lib_files($1)
++
++	hypervkvp_systemctl($1)
++	admin_pattern($1, hypervkvp_unit_file_t)
++	allow $1 hypervkvp_unit_file_t:service all_service_perms;
++')
+diff --git a/hypervkvp.te b/hypervkvp.te
+new file mode 100644
+index 0000000..63591db
+--- /dev/null
++++ b/hypervkvp.te
+@@ -0,0 +1,36 @@
++policy_module(hypervkvp, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type hypervkvp_t;
++type hypervkvp_exec_t;
++init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
++
++type hypervkvp_initrc_exec_t;
++init_script_file(hypervkvp_initrc_exec_t)
++
++type hypervkvp_var_lib_t;
++files_type(hypervkvp_var_lib_t)
++
++########################################
++#
++# hypervkvp local policy
++#
++#
++allow hypervkvp_t self:capability net_admin;
++allow hypervkvp_t self:netlink_socket create_socket_perms;
++allow hypervkvp_t self:fifo_file rw_fifo_file_perms;
++allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
++files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
++
++logging_send_syslog_msg(hypervkvp_t)
++
++miscfiles_read_localization(hypervkvp_t)
++
++sysnet_dns_name_resolve(hypervkvp_t)
 diff --git a/i18n_input.te b/i18n_input.te
 index 3bed8fa..a738d7f 100644
 --- a/i18n_input.te
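Review bot: `hypervkvp_admin()` in the new hypervkvp.if requires `type hypervkvp_unit_file_t` and calls `hypervkvp_systemctl($1)`, but hypervkvp.te declares no such type and the .if defines no such interface, so any module that invokes hypervkvp_admin will fail to build; hypervkvp.fc labels no unit file either. Either drop the three unit-file/systemctl lines from the admin interface, or add the missing pieces as sketched below, modelled on the iodined_systemctl pattern elsewhere in this patch and assuming the base policy's systemd_unit_file() is available as for other contrib modules. Separately, the hypervkvp_domtrans summary still carries template text — `Execute TEMPLATE in the hypervkvp domin.` — and should read `Execute hypervkvp in the hypervkvp domain.`. The `net_admin` capability granted to hypervkvp_t is broad for a key-value daemon; a comment naming the operation that needs it would help the next reviewer.
```selinux
# hypervkvp.te — declare the type hypervkvp_admin() requires
type hypervkvp_unit_file_t;
systemd_unit_file(hypervkvp_unit_file_t)

# hypervkvp.if — interface hypervkvp_admin() calls but never defines
interface(`hypervkvp_systemctl',`
	gen_require(`
		type hypervkvp_t;
		type hypervkvp_unit_file_t;
	')

	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 hypervkvp_unit_file_t:file read_file_perms;
	allow $1 hypervkvp_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, hypervkvp_t)
')

# hypervkvp.fc — label the unit so the type is reachable
/usr/lib/systemd/system/hypervkvpd.*	--	gen_context(system_u:object_r:hypervkvp_unit_file_t,s0)
```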
@@ -29554,14 +29952,16 @@ index 05387d1..08a489c 100644
  userdom_dontaudit_search_user_home_dirs(imazesrv_t)
  
 diff --git a/inetd.if b/inetd.if
-index fbb54e7..b347964 100644
+index fbb54e7..05c3777 100644
 --- a/inetd.if
 +++ b/inetd.if
-@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',`
+@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',`
  
  	domtrans_pattern(inetd_t, $2, $1)
  	allow inetd_t $1:process { siginh sigkill };
 +
++    init_domain($1, $2)
++
 +	optional_policy(`
 +		abrt_stream_connect($1)
 +	')
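Review bot: The new `init_domain($1, $2)` line in inetd_core_service_domain is indented with four spaces while the surrounding interface body uses tabs. Because this runs for every inetd service domain, it silently grants init_t a domain transition into all of them; the interface's summary (outside this hunk) should say so, and a comment above the line such as `# init may launch the service directly (socket activation), not only via inetd` would record the intent. cups.te in this same patch drops its explicit `role system_r types cupsd_lpd_t;` in favour of init_domain(), so confirm init_domain() carries the system_r role authorization, otherwise those domains lose it. The interface body starts outside the hunk.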
@@ -29772,7 +30172,7 @@ index ca07a87..6ea129c 100644
 +
  /usr/sbin/iodined	--	gen_context(system_u:object_r:iodined_exec_t,s0)
 diff --git a/iodine.if b/iodine.if
-index a0bfbd0..6f5dbdf 100644
+index a0bfbd0..47f7c75 100644
 --- a/iodine.if
 +++ b/iodine.if
 @@ -2,6 +2,30 @@
@@ -29794,7 +30194,7 @@ index a0bfbd0..6f5dbdf 100644
 +    ')
 +
 +        systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
++        systemd_read_fifo_file_passwd_run($1)
 +        allow $1 iodined_unit_file_t:file read_file_perms;
 +        allow $1 iodined_unit_file_t:service manage_service_perms;
 +
@@ -31427,7 +31827,7 @@ index a49ae4e..913a0e3 100644
 -/usr/sbin/kexec	--	gen_context(system_u:object_r:kdump_exec_t,s0)
 +/var/crash(/.*)?		gen_context(system_u:object_r:kdump_crash_t,s0)
 diff --git a/kdump.if b/kdump.if
-index 3a00b3a..b835e95 100644
+index 3a00b3a..7cc27b6 100644
 --- a/kdump.if
 +++ b/kdump.if
 @@ -1,4 +1,4 @@
@@ -31498,7 +31898,7 @@ index 3a00b3a..b835e95 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -56,10 +100,66 @@ interface(`kdump_read_config',`
+@@ -56,10 +100,67 @@ interface(`kdump_read_config',`
  	allow $1 kdump_etc_t:file read_file_perms;
  ')
  
@@ -31519,6 +31919,7 @@ index 3a00b3a..b835e95 100644
 +
 +	files_search_var($1)
 +	read_files_pattern($1, kdump_crash_t, kdump_crash_t)
++    list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
 +')
 +
 +
@@ -31567,7 +31968,7 @@ index 3a00b3a..b835e95 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -76,10 +176,31 @@ interface(`kdump_manage_config',`
+@@ -76,10 +177,31 @@ interface(`kdump_manage_config',`
  	allow $1 kdump_etc_t:file manage_file_perms;
  ')
  
@@ -31601,7 +32002,7 @@ index 3a00b3a..b835e95 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -88,19 +209,24 @@ interface(`kdump_manage_config',`
+@@ -88,19 +210,24 @@ interface(`kdump_manage_config',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -31631,7 +32032,7 @@ index 3a00b3a..b835e95 100644
  
  	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -110,6 +236,10 @@ interface(`kdump_admin',`
+@@ -110,6 +237,10 @@ interface(`kdump_admin',`
  	files_search_etc($1)
  	admin_pattern($1, kdump_etc_t)
  
@@ -33625,11 +34026,124 @@ index c1539b5..fd0a17f 100644
 +    fs_read_cifs_files(ksmtuned_t)
 +	samba_read_share_files(ksmtuned_t)
 +')
+diff --git a/ktalk.fc b/ktalk.fc
+index 38ecb07..451067e 100644
+--- a/ktalk.fc
++++ b/ktalk.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/ntalk.*  --  gen_context(system_u:object_r:ktalkd_unit_file_t,s0)
++
+ /usr/bin/ktalkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
+ 
+ /usr/sbin/in\.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
+diff --git a/ktalk.if b/ktalk.if
+index 19777b8..63d46d3 100644
+--- a/ktalk.if
++++ b/ktalk.if
+@@ -1 +1,81 @@
+-## <summary>KDE Talk daemon.</summary>
++
++## <summary>talk-server - daemon programs for the Internet talk </summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the ktalkd domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ktalk_domtrans',`
++	gen_require(`
++		type ktalkd_t, ktalkd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, ktalkd_exec_t, ktalkd_t)
++')
++########################################
++## <summary>
++##	Execute ktalkd server in the ktalkd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`ktalk_systemctl',`
++	gen_require(`
++		type ktalkd_t;
++		type ktalkd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 ktalkd_unit_file_t:file read_file_perms;
++	allow $1 ktalkd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, ktalkd_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an ktalkd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`ktalk_admin',`
++	gen_require(`
++		type ktalkd_t;
++	    type ktalkd_unit_file_t;
++	')
++
++	allow $1 ktalkd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, ktalkd_t)
++
++	ktalk_systemctl($1)
++	admin_pattern($1, ktalkd_unit_file_t)
++	allow $1 ktalkd_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
 diff --git a/ktalk.te b/ktalk.te
-index 2cf3815..2c4c979 100644
+index 2cf3815..cb979b0 100644
 --- a/ktalk.te
 +++ b/ktalk.te
-@@ -35,16 +35,23 @@ kernel_read_kernel_sysctls(ktalkd_t)
+@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1)
+ 
+ type ktalkd_t;
+ type ktalkd_exec_t;
++init_domain(ktalkd_t, ktalkd_exec_t)
+ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
+ 
+ type ktalkd_log_t;
+ logging_log_file(ktalkd_log_t)
+ 
++type ktalkd_unit_file_t;
++systemd_unit_file(ktalkd_unit_file_t)
++
+ type ktalkd_tmp_t;
+ files_tmp_file(ktalkd_tmp_t)
+ 
+@@ -35,16 +39,23 @@ kernel_read_kernel_sysctls(ktalkd_t)
  kernel_read_system_state(ktalkd_t)
  kernel_read_network_state(ktalkd_t)
  
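Review bot: `ktalk_admin` grants `allow $1 ktalkd_t:process { ptrace signal_perms };` unconditionally, whereas the mock_admin hunk further down gates the same ptrace permission behind a deny_ptrace tunable_policy block; the new admin interface should follow that pattern so the deny_ptrace boolean also covers ktalkd, and `lsmd_admin` in the new lsm.if hunk has the same unconditional grant. The summaries of `ktalk_domtrans` and `lsmd_domtrans` still read "Execute TEMPLATE in the ktalkd domin." and should become `##	Execute ktalkd in the ktalkd domain.` (respectively lsmd), and `ktalk_systemctl`/`lsmd_systemctl` are described as executing the server in its domain although they grant systemctl access to the unit file. In ktalk.te, `init_domain(ktalkd_t, ktalkd_exec_t)` is added next to `inetd_udp_service_domain`; if that interface reaches the `inetd_core_service_domain` changed earlier in this patch, which now calls init_domain itself, the explicit call is redundant. The gen_require blocks of both admin interfaces mix tab and space indentation.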
@@ -35194,11 +35708,20 @@ index 7bab8e5..b88bbf3 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..a8dde53 100644
+index 4256a4c..30e3cd2 100644
 --- a/logwatch.te
 +++ b/logwatch.te
-@@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6)
+@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
+ # Declarations
+ #
  
++## <desc>
++## <p>
++## Allow epylog to send mail
++## </p>
++## </desc>
++gen_tunable(logwatch_can_sendmail, false)
++
  type logwatch_t;
  type logwatch_exec_t;
 -init_system_domain(logwatch_t, logwatch_exec_t)
@@ -35207,7 +35730,7 @@ index 4256a4c..a8dde53 100644
  
  type logwatch_cache_t;
  files_type(logwatch_cache_t)
-@@ -37,7 +38,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
+@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
  manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
  manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
  
@@ -35217,7 +35740,7 @@ index 4256a4c..a8dde53 100644
  files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
  
  manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
-@@ -67,10 +69,11 @@ files_list_var(logwatch_t)
+@@ -67,10 +76,11 @@ files_list_var(logwatch_t)
  files_search_all(logwatch_t)
  files_read_var_symlinks(logwatch_t)
  files_read_etc_runtime_files(logwatch_t)
@@ -35230,7 +35753,7 @@ index 4256a4c..a8dde53 100644
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
-@@ -92,13 +95,12 @@ libs_read_lib_files(logwatch_t)
+@@ -92,13 +102,12 @@ libs_read_lib_files(logwatch_t)
  logging_read_all_logs(logwatch_t)
  logging_send_syslog_msg(logwatch_t) 
  
@@ -35245,7 +35768,7 @@ index 4256a4c..a8dde53 100644
  
  mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
  mta_getattr_spool(logwatch_t)
-@@ -137,6 +139,11 @@ optional_policy(`
+@@ -137,6 +146,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35257,7 +35780,21 @@ index 4256a4c..a8dde53 100644
  	rpc_search_nfs_state_data(logwatch_t)
  ')
  
-@@ -164,6 +171,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -145,6 +159,13 @@ optional_policy(`
+ 	samba_read_share_files(logwatch_t)
+ ')
+ 
++tunable_policy(`logwatch_can_sendmail',`
++    corenet_tcp_connect_smtp_port(logwatch_t)
++    corenet_sendrecv_smtp_client_packets(logwatch_t)
++    corenet_tcp_connect_pop_port(logwatch_t)
++    corenet_sendrecv_pop_client_packets(logwatch_t)
++')
++
+ ########################################
+ #
+ # Mail local policy
+@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t)
  
  logging_read_all_logs(logwatch_mail_t)
  
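Review bot: The `<desc>` of the new `logwatch_can_sendmail` tunable reads "Allow epylog to send mail", naming a different program; it should read `## Allow logwatch to send mail` and, because the tunable_policy block also opens the POP client port via `corenet_tcp_connect_pop_port`, mention mail retrieval too, since this description is what administrators see when listing booleans. The four lines inside the tunable_policy block are space-indented where the file uses tabs.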
@@ -35611,6 +36148,165 @@ index b9270f7..15f3748 100644
 +optional_policy(`
 +	mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
  ')
+diff --git a/lsm.fc b/lsm.fc
+new file mode 100644
+index 0000000..81cd4e0
+--- /dev/null
++++ b/lsm.fc
+@@ -0,0 +1,5 @@
++/usr/bin/lsmd		--	gen_context(system_u:object_r:lsmd_exec_t,s0)
++
++/usr/lib/systemd/system/libstoragemgmt.*		--	gen_context(system_u:object_r:lsmd_unit_file_t,s0)
++
++/var/run/lsm(/.*)?	    gen_context(system_u:object_r:lsmd_var_run_t,s0)
+diff --git a/lsm.if b/lsm.if
+new file mode 100644
+index 0000000..e8d4ce2
+--- /dev/null
++++ b/lsm.if
+@@ -0,0 +1,104 @@
++
++## <summary>libStorageMgmt  plug-in  daemon </summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the lsmd domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`lsmd_domtrans',`
++	gen_require(`
++		type lsmd_t, lsmd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, lsmd_exec_t, lsmd_t)
++')
++########################################
++## <summary>
++##	Read lsmd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`lsmd_read_pid_files',`
++	gen_require(`
++		type lsmd_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute lsmd server in the lsmd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`lsmd_systemctl',`
++	gen_require(`
++		type lsmd_t;
++		type lsmd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 lsmd_unit_file_t:file read_file_perms;
++	allow $1 lsmd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, lsmd_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an lsmd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`lsmd_admin',`
++	gen_require(`
++		type lsmd_t;
++		type lsmd_var_run_t;
++	type lsmd_unit_file_t;
++	')
++
++	allow $1 lsmd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, lsmd_t)
++
++	files_search_pids($1)
++	admin_pattern($1, lsmd_var_run_t)
++
++	lsmd_systemctl($1)
++	admin_pattern($1, lsmd_unit_file_t)
++	allow $1 lsmd_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/lsm.te b/lsm.te
+new file mode 100644
+index 0000000..fc42149
+--- /dev/null
++++ b/lsm.te
+@@ -0,0 +1,32 @@
++policy_module(lsm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type lsmd_t;
++type lsmd_exec_t;
++init_daemon_domain(lsmd_t, lsmd_exec_t)
++
++type lsmd_var_run_t;
++files_pid_file(lsmd_var_run_t)
++
++type lsmd_unit_file_t;
++systemd_unit_file(lsmd_unit_file_t)
++
++########################################
++#
++# lsmd local policy
++#
++allow lsmd_t self:capability { setgid  };
++allow lsmd_t self:process { fork };
++allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
++
++logging_send_syslog_msg(lsmd_t)
 diff --git a/mailman.fc b/mailman.fc
 index 7fa381b..bbe6b01 100644
 --- a/mailman.fc
@@ -35940,7 +36636,7 @@ index 108c0f1..a248501 100644
  	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
  ')
 diff --git a/mailman.te b/mailman.te
-index 8eaf51b..3229e0f 100644
+index 8eaf51b..a057913 100644
 --- a/mailman.te
 +++ b/mailman.te
 @@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4)
@@ -35985,7 +36681,7 @@ index 8eaf51b..3229e0f 100644
  ########################################
  #
  # CGI local policy
-@@ -115,8 +112,9 @@ optional_policy(`
+@@ -115,20 +112,23 @@ optional_policy(`
  # Mail local policy
  #
  
@@ -35997,7 +36693,12 @@ index 8eaf51b..3229e0f 100644
  
  manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
  manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-@@ -127,8 +125,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t)
+ files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
+ 
++can_exec(mailman_mail_t, mailman_mail_exec_t)
++
+ corenet_sendrecv_innd_client_packets(mailman_mail_t)
+ corenet_tcp_connect_innd_port(mailman_mail_t)
  corenet_tcp_sendrecv_innd_port(mailman_mail_t)
  
  corenet_sendrecv_spamd_client_packets(mailman_mail_t)
@@ -36007,7 +36708,7 @@ index 8eaf51b..3229e0f 100644
  
  dev_read_urand(mailman_mail_t)
  
-@@ -142,6 +140,10 @@ optional_policy(`
+@@ -142,6 +142,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36018,7 +36719,7 @@ index 8eaf51b..3229e0f 100644
  	cron_read_pipes(mailman_mail_t)
  ')
  
-@@ -182,3 +184,9 @@ optional_policy(`
+@@ -182,3 +186,9 @@ optional_policy(`
  optional_policy(`
  	su_exec(mailman_queue_t)
  ')
@@ -37467,10 +38168,10 @@ index 0000000..8d0e473
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/mock.if b/mock.if
 new file mode 100644
-index 0000000..895f325
+index 0000000..6568bfe
 --- /dev/null
 +++ b/mock.if
-@@ -0,0 +1,305 @@
+@@ -0,0 +1,310 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
@@ -37717,9 +38418,14 @@ index 0000000..895f325
 +
 +	ps_process_pattern($2, mock_t)
 +	allow $2 mock_t:process signal_perms;
++
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $2 mock_t:process ptrace;
 +	')
++
++    optional_policy(`
++        mock_read_lib_files($2)
++    ')
 +')
 +
 +#######################################
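Review bot: The added `optional_policy` block wraps `mock_read_lib_files($2)`, an interface of this same module; optional_policy exists for interfaces of modules that may be absent from the build, so if mock_read_lib_files is defined in mock.if (not visible in this hunk) a direct call `	mock_read_lib_files($2)` is sufficient. The three lines are also space-indented in a tab-indented file. The enclosing interface starts outside the hunk.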
@@ -39137,7 +39843,7 @@ index 6194b80..3209b1c 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..2288b0e 100644
+index 6a306ee..2108bc7 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -39581,7 +40287,7 @@ index 6a306ee..2288b0e 100644
  ')
  
  optional_policy(`
-@@ -300,221 +324,183 @@ optional_policy(`
+@@ -300,221 +324,184 @@ optional_policy(`
  
  ########################################
  #
@@ -39849,6 +40555,7 @@ index 6a306ee..2288b0e 100644
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
 +term_getattr_ptmx(mozilla_plugin_t)
++term_dontaudit_use_ptmx(mozilla_plugin_t)
  
 +userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
 +userdom_rw_user_tmpfs_files(mozilla_plugin_t)
@@ -39904,7 +40611,7 @@ index 6a306ee..2288b0e 100644
  ')
  
  optional_policy(`
-@@ -523,36 +509,44 @@ optional_policy(`
+@@ -523,36 +510,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39919,13 +40626,6 @@ index 6a306ee..2288b0e 100644
 +	dbus_session_bus_client(mozilla_plugin_t)
 +	dbus_connect_session_bus(mozilla_plugin_t)
 +	dbus_read_lib_files(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+	gnome_manage_config(mozilla_plugin_t)
-+	gnome_read_usr_config(mozilla_plugin_t)
-+	gnome_filetrans_home_content(mozilla_plugin_t)
-+	gnome_exec_gstreamer_home_files(mozilla_plugin_t)
  ')
  
  optional_policy(`
@@ -39933,6 +40633,13 @@ index 6a306ee..2288b0e 100644
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
++	gnome_manage_config(mozilla_plugin_t)
++	gnome_read_usr_config(mozilla_plugin_t)
++	gnome_filetrans_home_content(mozilla_plugin_t)
++	gnome_exec_gstreamer_home_files(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
  ')
  
@@ -39962,7 +40669,7 @@ index 6a306ee..2288b0e 100644
  ')
  
  optional_policy(`
-@@ -560,7 +554,7 @@ optional_policy(`
+@@ -560,7 +555,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39971,7 +40678,7 @@ index 6a306ee..2288b0e 100644
  ')
  
  optional_policy(`
-@@ -568,108 +562,126 @@ optional_policy(`
+@@ -568,108 +563,128 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40000,12 +40707,12 @@ index 6a306ee..2288b0e 100644
 -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
 -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
 -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
- 
+-
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
--
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
+ 
 -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
 -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
 -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
@@ -40077,6 +40784,8 @@ index 6a306ee..2288b0e 100644
  fs_getattr_all_fs(mozilla_plugin_config_t)
 -fs_search_auto_mountpoints(mozilla_plugin_config_t)
 -fs_list_inotifyfs(mozilla_plugin_config_t)
++
++term_dontaudit_use_ptmx(mozilla_plugin_config_t)
  
  auth_use_nsswitch(mozilla_plugin_config_t)
  
@@ -42528,10 +43237,17 @@ index b744fe3..4c1b6a8 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index 97370e4..92138ca 100644
+index 97370e4..3549b8f 100644
 --- a/munin.te
 +++ b/munin.te
-@@ -40,12 +40,15 @@ munin_plugin_template(services)
+@@ -37,15 +37,22 @@ munin_plugin_template(disk)
+ munin_plugin_template(mail)
+ munin_plugin_template(selinux)
+ munin_plugin_template(services)
++
++type services_munin_plugin_tmpfs_t;
++files_tmpfs_file(services_munin_plugin_tmpfs_t)
++
  munin_plugin_template(system)
  munin_plugin_template(unconfined)
  
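Review bot: `services_munin_plugin_tmpfs_t` is declared with `files_tmpfs_file`, and the later munin.te hunk adds manage_files/manage_dirs rules on it for services_munin_plugin_t, but no `fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { dir file })` appears anywhere in this patch; without a file transition, objects the plugin creates on tmpfs keep the default tmpfs label and the new type is never applied. If the transition lives elsewhere, a one-line comment next to the type declaration pointing to it would save the next reader the search.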
@@ -42548,7 +43264,7 @@ index 97370e4..92138ca 100644
  allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
  
  allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -58,23 +61,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
  
  manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
  
@@ -42573,7 +43289,7 @@ index 97370e4..92138ca 100644
  
  optional_policy(`
  	nscd_use(munin_plugin_domain)
-@@ -114,7 +111,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -42582,7 +43298,7 @@ index 97370e4..92138ca 100644
  
  manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
  manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -130,7 +127,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
  corecmd_exec_bin(munin_t)
  corecmd_exec_shell(munin_t)
  
@@ -42590,7 +43306,7 @@ index 97370e4..92138ca 100644
  corenet_all_recvfrom_netlabel(munin_t)
  corenet_tcp_sendrecv_generic_if(munin_t)
  corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -153,7 +149,6 @@ domain_use_interactive_fds(munin_t)
+@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t)
  domain_read_all_domains_state(munin_t)
  
  files_read_etc_runtime_files(munin_t)
@@ -42598,7 +43314,7 @@ index 97370e4..92138ca 100644
  files_list_spool(munin_t)
  
  fs_getattr_all_fs(munin_t)
-@@ -165,7 +160,6 @@ logging_send_syslog_msg(munin_t)
+@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t)
  logging_read_all_logs(munin_t)
  
  miscfiles_read_fonts(munin_t)
@@ -42606,7 +43322,7 @@ index 97370e4..92138ca 100644
  miscfiles_setattr_fonts_cache_dirs(munin_t)
  
  sysnet_exec_ifconfig(munin_t)
-@@ -173,13 +167,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
  userdom_dontaudit_use_unpriv_user_fds(munin_t)
  userdom_dontaudit_search_user_home_dirs(munin_t)
  
@@ -42620,7 +43336,7 @@ index 97370e4..92138ca 100644
  
  optional_policy(`
  	cron_system_entry(munin_t, munin_exec_t)
-@@ -213,7 +200,6 @@ optional_policy(`
+@@ -213,7 +204,6 @@ optional_policy(`
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -42628,7 +43344,7 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -242,21 +228,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -42656,7 +43372,7 @@ index 97370e4..92138ca 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -268,6 +256,10 @@ optional_policy(`
+@@ -268,6 +260,10 @@ optional_policy(`
  	fstools_exec(disk_munin_plugin_t)
  ')
  
@@ -42667,7 +43383,7 @@ index 97370e4..92138ca 100644
  ####################################
  #
  # Mail local policy
-@@ -275,27 +267,36 @@ optional_policy(`
+@@ -275,27 +271,36 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -42708,7 +43424,17 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -331,7 +332,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow services_munin_plugin_t self:udp_socket create_socket_perms;
+ allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+ 
++manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
++manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
++
+ corenet_sendrecv_all_client_packets(services_munin_plugin_t)
+ corenet_tcp_connect_all_ports(services_munin_plugin_t)
+ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t)
  sysnet_read_config(services_munin_plugin_t)
  
  optional_policy(`
@@ -42717,7 +43443,7 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -353,7 +354,11 @@ optional_policy(`
+@@ -353,7 +361,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42730,7 +43456,7 @@ index 97370e4..92138ca 100644
  ')
  
  optional_policy(`
-@@ -385,6 +390,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -42738,7 +43464,7 @@ index 97370e4..92138ca 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +419,31 @@ optional_policy(`
+@@ -413,3 +426,31 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -42771,7 +43497,7 @@ index 97370e4..92138ca 100644
 +	apache_search_sys_content(munin_t)
 +')
 diff --git a/mysql.fc b/mysql.fc
-index c48dc17..f93fa69 100644
+index c48dc17..6355fb4 100644
 --- a/mysql.fc
 +++ b/mysql.fc
 @@ -1,11 +1,24 @@
@@ -42807,7 +43533,7 @@ index c48dc17..f93fa69 100644
  /usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
  /usr/bin/mysql_upgrade	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  
-@@ -13,13 +26,15 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
+@@ -13,13 +26,16 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
  
  /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -42823,6 +43549,7 @@ index c48dc17..f93fa69 100644
 +/var/lib/mysql/mysql\.sock -s	gen_context(system_u:object_r:mysqld_var_run_t,s0)
  
 -/var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
++/var/log/mariadb(/.*)?   gen_context(system_u:object_r:mysqld_log_t,s0)
 +/var/log/mysql.*		gen_context(system_u:object_r:mysqld_log_t,s0)
  
 -/var/run/mysqld.*	gen_context(system_u:object_r:mysqld_var_run_t,s0)
@@ -43362,7 +44089,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 9f6179e..0f6abcb 100644
+index 9f6179e..3c7bbd8 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -1,4 +1,4 @@
@@ -43535,7 +44262,7 @@ index 9f6179e..0f6abcb 100644
  	seutil_sigchld_newrole(mysqld_t)
  ')
  
-@@ -153,29 +160,22 @@ optional_policy(`
+@@ -153,29 +160,24 @@ optional_policy(`
  
  #######################################
  #
@@ -43561,6 +44288,8 @@ index 9f6179e..0f6abcb 100644
  
 -allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
++list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
++manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 +manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  
  manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
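Review bot: `manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` lets the wrapper create, rename and delete symlinks inside the log directory, which is broader than a helper that merely opens or rotates logs needs; if mysqld_safe only follows existing links, `read_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` is the least-privilege choice, and if symlink creation is genuinely required the denial that motivated it deserves a comment above the rule. The `list_dirs_pattern` addition on its own is fine.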
@@ -43571,7 +44300,7 @@ index 9f6179e..0f6abcb 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,17 +187,21 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -187,17 +189,21 @@ dev_list_sysfs(mysqld_safe_t)
  
  domain_read_all_domains_state(mysqld_safe_t)
  
@@ -43599,7 +44328,7 @@ index 9f6179e..0f6abcb 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -205,7 +209,7 @@ optional_policy(`
+@@ -205,7 +211,7 @@ optional_policy(`
  
  ########################################
  #
@@ -43608,7 +44337,7 @@ index 9f6179e..0f6abcb 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +218,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +220,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -43626,7 +44355,7 @@ index 9f6179e..0f6abcb 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -226,31 +231,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +233,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -45205,7 +45934,7 @@ index 0e8508c..0b68b86 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..2de59df 100644
+index 0b48a30..2b6c69a 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -45245,7 +45974,7 @@ index 0b48a30..2de59df 100644
 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 +# networkmanager will ptrace itself if gdb is installed
 +# and it receives a unexpected signal (rh bug #204161)
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
 +dontaudit NetworkManager_t self:capability sys_tty_config;
 +ifdef(`hide_broken_symptoms',`
 +	# caused by some bogus kernel code
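Review bot: `fowner` is added to the NetworkManager_t capability set without any note on which operation needs it, and the comment above the line only explains the ptrace self-access; capability grants are the lines auditors read first, so a why-comment such as `# fowner: TODO record the file-ownership operation (denial or bug id) that requires this` should accompany it. Putting the new capability on its own `allow NetworkManager_t self:capability fowner;` line with that comment would also keep the already long capability list readable.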
@@ -46227,10 +46956,10 @@ index 0000000..02dc6dc
 +/var/run/nova(/.*)?     gen_context(system_u:object_r:nova_var_run_t,s0)
 diff --git a/nova.if b/nova.if
 new file mode 100644
-index 0000000..cf8f660
+index 0000000..28936b4
 --- /dev/null
 +++ b/nova.if
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,57 @@
 +## <summary>openstack-nova</summary>
 +
 +######################################
@@ -46285,13 +47014,15 @@ index 0000000..cf8f660
 +
 +	kernel_read_system_state(nova_$1_t)
 +
++    logging_send_syslog_msg(nova_$1_t)
++
 +')
 diff --git a/nova.te b/nova.te
 new file mode 100644
-index 0000000..fc9f771
+index 0000000..d5b54e5
 --- /dev/null
 +++ b/nova.te
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,320 @@
 +policy_module(nova, 1.0.0)
 +
 +########################################
@@ -46305,6 +47036,7 @@ index 0000000..fc9f771
 +#
 +
 +attribute nova_domain;
++attribute nova_sudo_domain;
 +
 +nova_domain_template(ajax)
 +nova_domain_template(api)
@@ -46318,6 +47050,12 @@ index 0000000..fc9f771
 +nova_domain_template(vncproxy)
 +nova_domain_template(volume)
 +
++typeattribute nova_api_t nova_sudo_domain;
++typeattribute nova_cert_t nova_sudo_domain;
++typeattribute nova_console_t nova_sudo_domain;
++typeattribute nova_network_t nova_sudo_domain;
++typeattribute nova_volume_t nova_sudo_domain;
++
 +type nova_log_t;
 +logging_log_file(nova_log_t)
 +
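Review bot: The new `nova_sudo_domain` attribute is applied to `nova_cert_t` and `nova_console_t` as well as the api, network and volume domains, but only those last three had the sudo_exec/setuid/setgid/sys_resource blocks that the later hunks remove, so cert and console silently gain sudo execution plus `{ setuid sys_resource setgid audit_write }`, and api and network gain `audit_write`, none of which the commit message mentions. If that widening is intended, the final sudo-domain block should say so in a comment; otherwise the typeattribute lines for cert and console should be dropped. Replacing the old nova_volume block's raw `require` of sudo_exec_t with the `sudo_exec()` interface is an improvement.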
@@ -46349,6 +47087,8 @@ index 0000000..fc9f771
 +corenet_tcp_connect_amqp_port(nova_domain)
 +corenet_tcp_connect_mysqld_port(nova_domain)
 +
++kernel_read_network_state(nova_domain)
++
 +corecmd_exec_bin(nova_domain)
 +corecmd_exec_shell(nova_domain)
 +corenet_tcp_connect_mysqld_port(nova_domain)
@@ -46362,6 +47102,7 @@ index 0000000..fc9f771
 +
 +optional_policy(`
 +	sysnet_read_config(nova_domain)
++	sysnet_exec_ifconfig(nova_domain)
 +')
 +
 +######################################
@@ -46369,9 +47110,9 @@ index 0000000..fc9f771
 +# nova ajax local policy
 +#
 +
-+optional_policy(`
-+	unconfined_domain(nova_ajax_t)
-+')
++#optional_policy(`
++#	unconfined_domain(nova_ajax_t)
++#')
 +
 +#######################################
 +#
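Review bot: Commenting out `optional_policy(` / `unconfined_domain(nova_ajax_t)` leaves dead code in the file, and the same commented-out blocks appear in the nova_api, nova_direct, nova_network, nova_scheduler, nova_vncproxy and nova_volume hunks that follow. Since the intent is to stop making these domains unconfined, the lines should be deleted outright, with git history preserving the old rule; if they are meant as a reminder, one comment at the top of the local-policy section is enough.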
@@ -46400,15 +47141,6 @@ index 0000000..fc9f771
 +
 +miscfiles_read_certs(nova_api_t)
 +
-+ifdef(`hide_broken_symptoms',`
-+	optional_policy(`
-+		sudo_exec(nova_api_t)
-+		allow nova_api_t self:capability { setuid sys_resource setgid };
-+		allow nova_api_t self:process { setsched setrlimit };
-+		logging_send_audit_msgs(nova_api_t)
-+	')
-+')
-+
 +optional_policy(`
 +	iptables_domtrans(nova_api_t)
 +')
@@ -46417,9 +47149,9 @@ index 0000000..fc9f771
 +	ssh_exec_keygen(nova_api_t)
 +')
 +
-+optional_policy(`
-+	unconfined_domain(nova_api_t)
-+')
++#optional_policy(`
++#	unconfined_domain(nova_api_t)
++#')
 +
 +######################################
 +#
@@ -46478,9 +47210,9 @@ index 0000000..fc9f771
 +# nova direct local policy
 +#
 +
-+optional_policy(`
-+	unconfined_domain(nova_direct_t)
-+')
++#optional_policy(`
++#	unconfined_domain(nova_direct_t)
++#')
 +
 +#######################################
 +#
@@ -46520,15 +47252,6 @@ index 0000000..fc9f771
 +
 +logging_send_syslog_msg(nova_network_t)
 +
-+ifdef(`hide_broken_symptoms',`
-+    optional_policy(`
-+        sudo_exec(nova_network_t)
-+        allow nova_network_t self:capability { setuid sys_resource setgid };
-+        allow nova_network_t self:process { setsched setrlimit };
-+        logging_send_audit_msgs(nova_network_t)
-+    ')
-+')
-+
 +optional_policy(`
 +	brctl_domtrans(nova_network_t)
 +')
@@ -46539,16 +47262,16 @@ index 0000000..fc9f771
 +')
 +
 +optional_policy(`
-+    iptables_domtrans(nova_network_t)
++	iptables_domtrans(nova_network_t)
 +')
 +
 +optional_policy(`
 +	sysnet_domtrans_ifconfig(nova_network_t)
 +')
 +
-+optional_policy(`
-+	unconfined_domain(nova_network_t)
-+')
++#optional_policy(`
++#	unconfined_domain(nova_network_t)
++#')
 +
 +#######################################
 +#
@@ -46572,18 +47295,18 @@ index 0000000..fc9f771
 +allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
 +allow nova_scheduler_t self:udp_socket create_socket_perms;
 +
-+optional_policy(`
-+	unconfined_domain(nova_scheduler_t)
-+')
++#optional_policy(`
++#	unconfined_domain(nova_scheduler_t)
++#')
 +
 +#######################################
 +#
 +# nova vncproxy local policy
 +#
 +
-+optional_policy(`
-+	unconfined_domain(nova_vncproxy_t)
-+')
++#optional_policy(`
++#	unconfined_domain(nova_vncproxy_t)
++#')
 +
 +#######################################
 +#
@@ -46602,22 +47325,22 @@ index 0000000..fc9f771
 +	lvm_domtrans(nova_volume_t)
 +')
 +
-+ifdef(`hide_broken_symptoms',`
-+	require {
-+		type sudo_exec_t;
-+	}
-+
-+	allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans };
-+
-+	allow nova_volume_t self:capability { setuid sys_resource setgid audit_write };
-+	allow nova_volume_t self:process { setsched setrlimit };
-+
-+	logging_send_audit_msgs(nova_volume_t)
++#optional_policy(`
++#    unconfined_domain(nova_volume_t)
++#')
 +
-+')
++#######################################
++#
++# nova sudo domain local policy
++#
 +
-+optional_policy(`
-+    unconfined_domain(nova_volume_t)
++ifdef(`hide_broken_symptoms',`
++	optional_policy(`
++		sudo_exec(nova_sudo_domain)
++        allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write };
++		allow nova_sudo_domain self:process { setsched setrlimit };
++		logging_send_audit_msgs(nova_sudo_domain)
++	')
 +')
 +
 diff --git a/nscd.fc b/nscd.fc
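Review bot: The new `nova_sudo_domain` block grants `audit_write` to every domain carrying the attribute, whereas the per-domain blocks it replaces gave that capability only to nova_volume_t (nova_api_t and nova_network_t had `{ setuid sys_resource setgid }`), so this is a widening rather than a pure refactor; if that is intended, say so in a comment, otherwise keep `audit_write` on nova_volume_t alone. `sudo_exec()` runs sudo without a domain transition, so the setuid/setgid capabilities land on the nova domains themselves; a comment like `# sudo runs in-domain under hide_broken_symptoms, so the caller itself needs setuid/setgid` would tell readers this is deliberate. The attribute declaration and the `typeattribute` assignments that populate it are not in this hunk, and the `allow nova_sudo_domain self:capability` line is indented with spaces where the surrounding lines use tabs.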
@@ -49863,10 +50586,17 @@ index 296a1d3..edc3e32 100644
 +userdom_stream_connect(oddjob_mkhomedir_t)
 +
 diff --git a/openct.te b/openct.te
-index 8467596..66f068f 100644
+index 8467596..428ae48 100644
 --- a/openct.te
 +++ b/openct.te
-@@ -28,12 +28,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+@@ -22,18 +22,19 @@ files_pid_file(openct_var_run_t)
+ 
+ dontaudit openct_t self:capability sys_tty_config;
+ allow openct_t self:process signal_perms;
++allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
  manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
  files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
  
@@ -49881,7 +50611,7 @@ index 8467596..66f068f 100644
  dev_read_sysfs(openct_t)
  dev_rw_usbfs(openct_t)
  dev_rw_smartcard(openct_t)
-@@ -41,15 +41,12 @@ dev_rw_generic_usb_dev(openct_t)
+@@ -41,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
  
  domain_use_interactive_fds(openct_t)
  
@@ -50090,10 +50820,10 @@ index 0000000..598789a
 +
 diff --git a/openhpid.te b/openhpid.te
 new file mode 100644
-index 0000000..be2a88d
+index 0000000..51acfae
 --- /dev/null
 +++ b/openhpid.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,47 @@
 +policy_module(openhpid, 1.0.0)
 +
 +########################################
@@ -50120,7 +50850,7 @@ index 0000000..be2a88d
 +#
 +
 +allow openhpid_t self:capability { kill };
-+allow openhpid_t self:process { fork signal };
++allow openhpid_t self:process signal_perms;
 +
 +allow openhpid_t self:fifo_file rw_fifo_file_perms;
 +allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
@@ -50138,11 +50868,8 @@ index 0000000..be2a88d
 +corenet_tcp_bind_generic_node(openhpid_t)
 +corenet_tcp_bind_openhpid_port(openhpid_t)
 +
-+domain_use_interactive_fds(openhpid_t)
-+
 +dev_read_urand(openhpid_t)
 +
-+
 +logging_send_syslog_msg(openhpid_t)
 diff --git a/openshift-origin.fc b/openshift-origin.fc
 new file mode 100644
@@ -50917,7 +51644,7 @@ index 0000000..fdc4a03
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..c1eed44
+index 0000000..9724884
 --- /dev/null
 +++ b/openshift.te
 @@ -0,0 +1,549 @@
@@ -51019,7 +51746,7 @@ index 0000000..c1eed44
 +unconfined_domain_noaudit(openshift_initrc_t)
 +mcs_process_set_categories(openshift_initrc_t)
 +
-+virt_lxc_domain(openshift_initrc_t)
++virt_sandbox_domain(openshift_initrc_t)
 +
 +systemd_dbus_chat_logind(openshift_initrc_t)
 +
@@ -51534,7 +52261,7 @@ index 6837e9a..21e6dae 100644
  	domain_system_change_exemption($1)
  	role_transition $2 openvpn_initrc_exec_t system_r;
 diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..8a6fbc2 100644
+index 3270ff9..60a7af6 100644
 --- a/openvpn.te
 +++ b/openvpn.te
 @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@@ -51551,7 +52278,22 @@ index 3270ff9..8a6fbc2 100644
  ##	<p>
  ##	Determine whether openvpn can
  ##	read generic user home content files.
-@@ -26,12 +33,18 @@ files_config_file(openvpn_etc_t)
+@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3)
+ ## </desc>
+ gen_tunable(openvpn_enable_homedirs, false)
+ 
++## <desc>
++##  <p>
++##  Determine whether openvpn can
++##  connect to the TCP network.
++##  </p>
++## </desc>
++gen_tunable(openvpn_can_network_connect, false)
++
+ attribute_role openvpn_roles;
+ 
+ type openvpn_t;
+@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t)
  type openvpn_etc_rw_t;
  files_config_file(openvpn_etc_rw_t)
  
@@ -51570,7 +52312,7 @@ index 3270ff9..8a6fbc2 100644
  type openvpn_var_log_t;
  logging_log_file(openvpn_var_log_t)
  
-@@ -43,7 +56,7 @@ files_pid_file(openvpn_var_run_t)
+@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
  # Local policy
  #
  
@@ -51579,7 +52321,7 @@ index 3270ff9..8a6fbc2 100644
  allow openvpn_t self:process { signal getsched setsched };
  allow openvpn_t self:fifo_file rw_fifo_file_perms;
  allow openvpn_t self:unix_dgram_socket sendto;
-@@ -62,6 +75,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -62,6 +83,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
  allow openvpn_t openvpn_status_t:file manage_file_perms;
  logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
  
@@ -51592,7 +52334,7 @@ index 3270ff9..8a6fbc2 100644
  manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
  append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
  create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-@@ -83,7 +102,6 @@ kernel_request_load_module(openvpn_t)
+@@ -83,7 +110,6 @@ kernel_request_load_module(openvpn_t)
  corecmd_exec_bin(openvpn_t)
  corecmd_exec_shell(openvpn_t)
  
@@ -51600,8 +52342,11 @@ index 3270ff9..8a6fbc2 100644
  corenet_all_recvfrom_netlabel(openvpn_t)
  corenet_tcp_sendrecv_generic_if(openvpn_t)
  corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -105,11 +123,12 @@ corenet_tcp_bind_http_port(openvpn_t)
+@@ -103,13 +129,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
+ corenet_sendrecv_http_server_packets(openvpn_t)
+ corenet_tcp_bind_http_port(openvpn_t)
  corenet_sendrecv_http_client_packets(openvpn_t)
++corenet_tcp_connect_squid_port(openvpn_t)
  corenet_tcp_connect_http_port(openvpn_t)
  corenet_tcp_sendrecv_http_port(openvpn_t)
 -
@@ -51614,7 +52359,7 @@ index 3270ff9..8a6fbc2 100644
  corenet_rw_tun_tap_dev(openvpn_t)
  
  dev_read_rand(openvpn_t)
-@@ -121,18 +140,24 @@ fs_search_auto_mountpoints(openvpn_t)
+@@ -121,18 +149,24 @@ fs_search_auto_mountpoints(openvpn_t)
  
  auth_use_pam(openvpn_t)
  
@@ -51642,7 +52387,18 @@ index 3270ff9..8a6fbc2 100644
  ')
  
  tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -155,3 +180,27 @@ optional_policy(`
+@@ -143,6 +177,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+ 	fs_read_cifs_files(openvpn_t)
+ ')
+ 
++tunable_policy(`openvpn_can_network_connect',`
++    corenet_tcp_connect_all_ports(openvpn_t)
++')
++
+ optional_policy(`
+ 	daemontools_service_domain(openvpn_t, openvpn_exec_t)
+ ')
+@@ -155,3 +193,27 @@ optional_policy(`
  		networkmanager_dbus_chat(openvpn_t)
  	')
  ')
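Review bot: The description of the new `openvpn_can_network_connect` boolean understates what it grants: the rule behind it is `corenet_tcp_connect_all_ports(openvpn_t)`, so the tunable text should read `Determine whether openvpn can connect to all TCP ports.` so an administrator toggling it knows it is a blanket grant (defaulting to off is the right choice). Separately, `corenet_tcp_connect_squid_port(openvpn_t)` is added unconditionally; if it exists only to serve the HTTP-proxy configuration, consider putting it behind the same boolean rather than granting it to every openvpn instance. The `tunable_policy` body uses four spaces while the rest of the file uses tabs.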
@@ -51971,7 +52727,7 @@ index 9b15730..eedd136 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..f025b03 100644
+index 508fedf..a499612 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -1,4 +1,4 @@
@@ -51994,7 +52750,13 @@ index 508fedf..f025b03 100644
  
  type openvswitch_var_lib_t;
  files_type(openvswitch_var_lib_t)
-@@ -24,20 +21,27 @@ logging_log_file(openvswitch_log_t)
+@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t)
+ type openvswitch_log_t;
+ logging_log_file(openvswitch_log_t)
+ 
++type openvswitch_tmp_t;
++files_tmp_file(openvswitch_tmp_t)
++
  type openvswitch_var_run_t;
  files_pid_file(openvswitch_var_run_t)
  
@@ -52018,19 +52780,19 @@ index 508fedf..f025b03 100644
 +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow openvswitch_t self:netlink_socket create_socket_perms;
 +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
-+
-+can_exec(openvswitch_t, openvswitch_exec_t)
  
 -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
++can_exec(openvswitch_t, openvswitch_exec_t)
++
 +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
  
  manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
  manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,9 +49,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
  files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
  
  manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -52041,7 +52803,14 @@ index 508fedf..f025b03 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -57,33 +59,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
++manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
++
+ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
  
@@ -53116,7 +53885,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..ca01f2f 100644
+index 7bcf327..c850b64 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -1,17 +1,16 @@
@@ -53140,7 +53909,7 @@ index 7bcf327..ca01f2f 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,237 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,238 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
@@ -53173,8 +53942,8 @@ index 7bcf327..ca01f2f 100644
 +allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
 +allow pegasus_openlmi_domain self:udp_socket create_socket_perms;
 +
-+list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
-+rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
 +
 +corecmd_exec_bin(pegasus_openlmi_domain)
 +corecmd_exec_shell(pegasus_openlmi_domain)
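Review bot: Replacing `rw_files_pattern`/`list_dirs_pattern` with `manage_files_pattern`/`manage_dirs_pattern` on `pegasus_data_t` lets every domain carrying the `pegasus_openlmi_domain` attribute create, unlink and rename files under the pegasus data directory, not just read and write existing ones, which is a wider grant than the commit message suggests. If only one provider needs to create or remove those files, give that single `pegasus_openlmi_*_t` type the manage rules and keep the attribute at rw. A short comment naming the provider that needs it would make the grant auditable.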
@@ -53309,6 +54078,7 @@ index 7bcf327..ca01f2f 100644
 +# pegasus openlmi storage local policy
 +#
 +
++allow pegasus_openlmi_storage_t self:capability sys_admin;
 +
 +manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
 +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
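Review bot: `allow pegasus_openlmi_storage_t self:capability sys_admin;` is added without any comment saying which operation of the storage provider needs CAP_SYS_ADMIN, and since that capability covers mount, quotactl and a long list of ioctls it is the one most worth justifying; add a line such as `# sys_admin: required by the storage provider -- record the AVC that motivated it`. If the denial came from a probe that works without the access, a `dontaudit` is preferable to an allow. The enclosing local-policy section continues outside this hunk.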
@@ -53383,7 +54153,7 @@ index 7bcf327..ca01f2f 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +270,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +271,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -53414,7 +54184,7 @@ index 7bcf327..ca01f2f 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +296,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +297,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -53447,7 +54217,7 @@ index 7bcf327..ca01f2f 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,6 +324,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +325,7 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -53455,7 +54225,7 @@ index 7bcf327..ca01f2f 100644
  
  domain_use_interactive_fds(pegasus_t)
  domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +339,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +340,25 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -53487,7 +54257,7 @@ index 7bcf327..ca01f2f 100644
  ')
  
  optional_policy(`
-@@ -151,16 +369,24 @@ optional_policy(`
+@@ -151,16 +370,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53516,7 +54286,7 @@ index 7bcf327..ca01f2f 100644
  ')
  
  optional_policy(`
-@@ -168,7 +394,7 @@ optional_policy(`
+@@ -168,7 +395,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54387,17 +55157,19 @@ index 977b972..0000000
 -miscfiles_read_localization(pkcs_slotd_t)
 diff --git a/pkcsslotd.fc b/pkcsslotd.fc
 new file mode 100644
-index 0000000..38fa01d
+index 0000000..29d7c1c
 --- /dev/null
 +++ b/pkcsslotd.fc
-@@ -0,0 +1,7 @@
-+/usr/lib/systemd/system/pkcsslotd.service		--	gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
+@@ -0,0 +1,9 @@
++/usr/lib/systemd/system/pkcsslotd.*		--	gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
 +
 +/usr/sbin/pkcsslotd		--	gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
 +
 +/var/lib/opencryptoki(/.*)?		gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
 +
 +/var/lock/opencryptoki(/.*)?	gen_context(system_u:object_r:pkcsslotd_lock_t,s0)
++
++/var/run/pkcsslotd.*    --  gen_context(system_u:object_r:pkcsslotd_var_run_t,s0)
 diff --git a/pkcsslotd.if b/pkcsslotd.if
 new file mode 100644
 index 0000000..848ddc9
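Review bot: The new `/var/run/pkcsslotd.*` entry is restricted to regular files (`--`), but pkcsslotd.te in this same commit starts creating sock_files under `pkcsslotd_var_run_t`, so a relabel will skip any socket that matches this path. Unless the socket lives under a different name, drop the `--` so the pattern covers both file classes. The spacing around `--` on that line also differs from the tab-aligned entries above it.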
@@ -54561,10 +55333,10 @@ index 0000000..848ddc9
 +')
 diff --git a/pkcsslotd.te b/pkcsslotd.te
 new file mode 100644
-index 0000000..f788d35
+index 0000000..2ce92e0
 --- /dev/null
 +++ b/pkcsslotd.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,67 @@
 +policy_module(pkcsslotd, 1.0.0)
 +
 +########################################
@@ -54599,7 +55371,7 @@ index 0000000..f788d35
 +# pkcsslotd local policy
 +#
 +
-+allow pkcsslotd_t self:capability { chown kill };
++allow pkcsslotd_t self:capability { fsetid chown kill };
 +
 +allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
 +allow pkcsslotd_t self:sem create_sem_perms;
@@ -54624,7 +55396,8 @@ index 0000000..f788d35
 +
 +manage_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t, pkcsslotd_var_run_t)
 +manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
-+files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { file  dir })
++manage_sock_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
++files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { sock_file file  dir })
 +
 +domain_use_interactive_fds(pkcsslotd_t)
 +
@@ -56642,7 +57415,7 @@ index ae27bb7..d00f6ba 100644
 +	allow $1 polipo_unit_file_t:service all_service_perms;
  ')
 diff --git a/polipo.te b/polipo.te
-index 316d53a..79b5c4f 100644
+index 316d53a..388d659 100644
 --- a/polipo.te
 +++ b/polipo.te
 @@ -1,4 +1,4 @@
@@ -56756,10 +57529,14 @@ index 316d53a..79b5c4f 100644
 -userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
 -
 -auth_use_nsswitch(polipo_session_t)
+-
+-userdom_use_user_terminals(polipo_session_t)
 +allow polipo_daemon self:fifo_file rw_fifo_file_perms;
 +allow polipo_daemon self:tcp_socket { listen accept };
  
--userdom_use_user_terminals(polipo_session_t)
+-tunable_policy(`polipo_session_send_syslog_msg',`
+-	logging_send_syslog_msg(polipo_session_t)
+-')
 +corenet_tcp_bind_generic_node(polipo_daemon)
 +corenet_tcp_sendrecv_generic_if(polipo_daemon)
 +corenet_tcp_sendrecv_generic_node(polipo_daemon)
@@ -56767,10 +57544,7 @@ index 316d53a..79b5c4f 100644
 +corenet_tcp_bind_http_cache_port(polipo_daemon)
 +corenet_sendrecv_http_cache_server_packets(polipo_daemon)
 +corenet_tcp_connect_http_port(polipo_daemon)
- 
--tunable_policy(`polipo_session_send_syslog_msg',`
--	logging_send_syslog_msg(polipo_session_t)
--')
++corenet_tcp_connect_tor_port(polipo_daemon)
  
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_read_nfs_files(polipo_session_t)
@@ -56882,6 +57656,18 @@ index 316d53a..79b5c4f 100644
  
 -miscfiles_read_localization(polipo_daemon)
 +userdom_home_manager(polipo_session_t)
+diff --git a/portage.if b/portage.if
+index 67e8c12..18b89d7 100644
+--- a/portage.if
++++ b/portage.if
+@@ -67,6 +67,7 @@ interface(`portage_compile_domain',`
+ 		class dbus send_msg;
+ 		type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
+ 		type portage_tmpfs_t;
++		type portage_sandbox_t;
+ 	')
+ 
+ 	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
 diff --git a/portage.te b/portage.te
 index a95fc4a..b9b5418 100644
 --- a/portage.te
@@ -60114,7 +60900,7 @@ index 20d4697..e6605c1 100644
 +	files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
 +')
 diff --git a/prelink.te b/prelink.te
-index c0f047a..6f22887 100644
+index c0f047a..e04bdd6 100644
 --- a/prelink.te
 +++ b/prelink.te
 @@ -1,4 +1,4 @@
@@ -60287,7 +61073,7 @@ index c0f047a..6f22887 100644
  
  	kernel_read_system_state(prelink_cron_system_t)
  
-@@ -184,8 +168,11 @@ optional_policy(`
+@@ -184,23 +168,36 @@ optional_policy(`
  	dev_list_sysfs(prelink_cron_system_t)
  	dev_read_sysfs(prelink_cron_system_t)
  
@@ -60300,7 +61086,11 @@ index c0f047a..6f22887 100644
  
  	auth_use_nsswitch(prelink_cron_system_t)
  
-@@ -196,11 +183,20 @@ optional_policy(`
+ 	init_telinit(prelink_cron_system_t)
+ 	init_exec(prelink_cron_system_t)
++	init_reload_services(prelink_cron_system_t)
+ 
+ 	libs_exec_ld_so(prelink_cron_system_t)
  
  	logging_search_logs(prelink_cron_system_t)
  
@@ -61006,7 +61796,7 @@ index 0000000..96a0d9f
 +/var/run/prosody(/.*)?		gen_context(system_u:object_r:prosody_var_run_t,s0)
 diff --git a/prosody.if b/prosody.if
 new file mode 100644
-index 0000000..8867237
+index 0000000..f1e1209
 --- /dev/null
 +++ b/prosody.if
 @@ -0,0 +1,239 @@
@@ -61144,7 +61934,7 @@ index 0000000..8867237
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
++        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 prosody_unit_file_t:file read_file_perms;
 +	allow $1 prosody_unit_file_t:service manage_service_perms;
 +
@@ -61331,7 +62121,7 @@ index 0000000..4f6badd
 +
 +miscfiles_read_localization(prosody_t)
 diff --git a/psad.if b/psad.if
-index d4dcf78..59ab964 100644
+index d4dcf78..3cce82e 100644
 --- a/psad.if
 +++ b/psad.if
 @@ -93,9 +93,8 @@ interface(`psad_manage_config',`
@@ -61401,7 +62191,7 @@ index d4dcf78..59ab964 100644
  ##	Read and write psad fifo files.
  ## </summary>
  ## <param name="domain">
-@@ -198,6 +236,26 @@ interface(`psad_rw_fifo_file',`
+@@ -198,6 +236,45 @@ interface(`psad_rw_fifo_file',`
  
  #######################################
  ## <summary>
@@ -61425,10 +62215,29 @@ index d4dcf78..59ab964 100644
 +
 +#######################################
 +## <summary>
++##  Allow search to psad lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`psad_search_lib_files',`
++    gen_require(`
++        type psad_t, psad_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
++')
++
++#######################################
++## <summary>
  ##	Read and write psad temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -235,30 +293,34 @@ interface(`psad_rw_tmp_files',`
+@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',`
  interface(`psad_admin',`
  	gen_require(`
  		type psad_t, psad_var_run_t, psad_var_log_t;
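Review bot: `psad_search_lib_files` requires `type psad_t` in its gen_require but never uses it; only `psad_var_lib_t` appears in the body, so the require should be just `type psad_var_lib_t;` since an unused require still makes callers fail to link when psad_t is absent. The summary also reads oddly; `Search psad lib directories.` matches what `search_dirs_pattern` actually grants. The new interface is indented with spaces while the rest of the file uses tabs.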
@@ -66060,7 +66869,7 @@ index 2c3d338..cf3e5ad 100644
  
  ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..7054723 100644
+index 3698b51..8c4ba04 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -66118,7 +66927,7 @@ index 3698b51..7054723 100644
  
  corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
  corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-@@ -68,20 +80,42 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -68,20 +80,44 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
  corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
  
@@ -66139,6 +66948,8 @@ index 3698b51..7054723 100644
 +fs_getattr_all_dirs(rabbitmq_beam_t)
 +fs_getattr_cgroup(rabbitmq_beam_t)
 +
++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
++
 +dev_read_sysfs(rabbitmq_beam_t)
 +dev_read_urand(rabbitmq_beam_t)
  
@@ -66165,7 +66976,7 @@ index 3698b51..7054723 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +133,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +135,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
@@ -66554,7 +67365,7 @@ index 951db7f..7736755 100644
 +	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..1e9ad6b 100644
+index 2c1730b..0bf7d02 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t;
@@ -66635,7 +67446,7 @@ index 2c1730b..1e9ad6b 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +91,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +91,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
@@ -66653,10 +67464,11 @@ index 2c1730b..1e9ad6b 100644
  
 -miscfiles_read_localization(mdadm_t)
 +systemd_exec_systemctl(mdadm_t)
++systemd_start_systemd_services(mdadm_t)
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -97,9 +122,17 @@ optional_policy(`
+@@ -97,9 +123,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67658,6 +68470,368 @@ index 9a8f052..3baa71a 100644
 +
 +	unconfined_domain_noaudit(realmd_consolehelper_t)
  ')
+diff --git a/redis.fc b/redis.fc
+new file mode 100644
+index 0000000..638d6b4
+--- /dev/null
++++ b/redis.fc
+@@ -0,0 +1,11 @@
++/etc/rc\.d/init\.d/redis	--	gen_context(system_u:object_r:redis_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/redis.*		--	gen_context(system_u:object_r:redis_unit_file_t,s0)
++
++/usr/sbin/redis-server		--	gen_context(system_u:object_r:redis_exec_t,s0)
++
++/var/lib/redis(/.*)?		gen_context(system_u:object_r:redis_var_lib_t,s0)
++
++/var/log/redis(/.*)?		gen_context(system_u:object_r:redis_log_t,s0)
++
++/var/run/redis(/.*)?		gen_context(system_u:object_r:redis_var_run_t,s0)
+diff --git a/redis.if b/redis.if
+new file mode 100644
+index 0000000..72a2d7b
+--- /dev/null
++++ b/redis.if
+@@ -0,0 +1,271 @@
++
++## <summary>redis-server SELinux policy</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the redis domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`redis_domtrans',`
++	gen_require(`
++		type redis_t, redis_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, redis_exec_t, redis_t)
++')
++
++########################################
++## <summary>
++##	Execute redis server in the redis domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`redis_initrc_domtrans',`
++	gen_require(`
++		type redis_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, redis_initrc_exec_t)
++')
++########################################
++## <summary>
++##	Read redis's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`redis_read_log',`
++	gen_require(`
++		type redis_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, redis_log_t, redis_log_t)
++')
++
++########################################
++## <summary>
++##	Append to redis log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`redis_append_log',`
++	gen_require(`
++		type redis_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, redis_log_t, redis_log_t)
++')
++
++########################################
++## <summary>
++##	Manage redis log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`redis_manage_log',`
++	gen_require(`
++		type redis_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, redis_log_t, redis_log_t)
++	manage_files_pattern($1, redis_log_t, redis_log_t)
++	manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
++')
++
++########################################
++## <summary>
++##	Search redis lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`redis_search_lib',`
++	gen_require(`
++		type redis_var_lib_t;
++	')
++
++	allow $1 redis_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read redis lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`redis_read_lib_files',`
++	gen_require(`
++		type redis_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage redis lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`redis_manage_lib_files',`
++	gen_require(`
++		type redis_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage redis lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`redis_manage_lib_dirs',`
++	gen_require(`
++		type redis_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read redis PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`redis_read_pid_files',`
++	gen_require(`
++		type redis_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, redis_var_run_t, redis_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute redis server in the redis domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`redis_systemctl',`
++	gen_require(`
++		type redis_t;
++		type redis_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_password_run($1)
++	allow $1 redis_unit_file_t:file read_file_perms;
++	allow $1 redis_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, redis_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an redis environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`redis_admin',`
++	gen_require(`
++		type redis_t;
++		type redis_initrc_exec_t;
++		type redis_log_t;
++		type redis_var_lib_t;
++		type redis_var_run_t;
++	type redis_unit_file_t;
++	')
++
++	allow $1 redis_t:process { ptrace signal_perms };
++	ps_process_pattern($1, redis_t)
++
++	redis_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 redis_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	logging_search_logs($1)
++	admin_pattern($1, redis_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, redis_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, redis_var_run_t)
++
++	redis_systemctl($1)
++	admin_pattern($1, redis_unit_file_t)
++	allow $1 redis_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/redis.te b/redis.te
+new file mode 100644
+index 0000000..e5e9cf7
+--- /dev/null
++++ b/redis.te
+@@ -0,0 +1,62 @@
++policy_module(redis, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type redis_t;
++type redis_exec_t;
++init_daemon_domain(redis_t, redis_exec_t)
++
++type redis_initrc_exec_t;
++init_script_file(redis_initrc_exec_t)
++
++type redis_log_t;
++logging_log_file(redis_log_t)
++
++type redis_var_lib_t;
++files_type(redis_var_lib_t)
++
++type redis_var_run_t;
++files_pid_file(redis_var_run_t)
++
++type redis_unit_file_t;
++systemd_unit_file(redis_unit_file_t)
++
++########################################
++#
++# redis local policy
++#
++
++allow redis_t self:process { setrlimit signal_perms };
++allow redis_t self:fifo_file rw_fifo_file_perms;
++allow redis_t self:unix_stream_socket create_stream_socket_perms;
++allow redis_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
++manage_files_pattern(redis_t, redis_log_t, redis_log_t)
++manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
++
++manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
++manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
++manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
++
++manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++
++kernel_read_system_state(redis_t)
++
++corenet_tcp_bind_generic_node(redis_t)
++corenet_tcp_bind_redis_port(redis_t)
++
++dev_read_sysfs(redis_t)
++dev_read_urand(redis_t)
++
++logging_send_syslog_msg(redis_t)
++
++miscfiles_read_localization(redis_t)
++
++sysnet_dns_name_resolve(redis_t)
++
 diff --git a/remotelogin.fc b/remotelogin.fc
 index 327baf0..d8691bd 100644
 --- a/remotelogin.fc
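Review bot: `redis_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `redis_admin` in the same file calls `systemd_read_fifo_file_passwd_run($1)`, and this same commit corrects `password_run` to `passwd_run` in prosody.if; the redis_systemctl line should likewise be `systemd_read_fifo_file_passwd_run($1)`, otherwise the interface references an undefined name. In redis.te the daemon gets `create_stream_socket_perms` and a bind on the redis port but no connect rule; if replication is expected, `corenet_tcp_connect_redis_port(redis_t)` is needed, and if not, a comment stating the daemon is deliberately listen-only helps the next reader. The `redis_domtrans` summary still carries the template text `Execute TEMPLATE in the redis domin`.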
@@ -68441,7 +69615,7 @@ index 47de2d6..98a4280 100644
 +/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 +/var/log/pcsd(/.*)?     gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..4699b1b 100644
+index 56bc01f..b8d154e 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -1,19 +1,19 @@
@@ -68470,7 +69644,7 @@ index 56bc01f..4699b1b 100644
  	')
  
  	##############################
-@@ -43,11 +43,6 @@ template(`rhcs_domain_template',`
+@@ -43,33 +43,27 @@ template(`rhcs_domain_template',`
  	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
  	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
  
@@ -68482,9 +69656,11 @@ index 56bc01f..4699b1b 100644
  	logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
  
  	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
-@@ -56,20 +51,19 @@ template(`rhcs_domain_template',`
+ 	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ 	manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
  	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- 	files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
+-	files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
++	files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
  
 -	optional_policy(`
 -		dbus_system_bus_client($1_t)
@@ -70372,7 +71548,7 @@ index 6dbc905..d803796 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..f8ae4cc 100644
+index 1cedd70..6508b1e 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -70385,7 +71561,7 @@ index 1cedd70..f8ae4cc 100644
  allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
  allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -52,21 +53,35 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -52,21 +53,37 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  kernel_read_network_state(rhsmcertd_t)
  kernel_read_system_state(rhsmcertd_t)
  
@@ -70408,6 +71584,8 @@ index 1cedd70..f8ae4cc 100644
  
 -miscfiles_read_localization(rhsmcertd_t)
 -miscfiles_read_generic_certs(rhsmcertd_t)
++init_read_state(rhsmcertd_t)
++
 +logging_send_syslog_msg(rhsmcertd_t)
 +
 +miscfiles_read_certs(rhsmcertd_t)
@@ -72102,7 +73280,7 @@ index 3b5e9ee..ff1163f 100644
 +	admin_pattern($1, rpcbind_var_run_t)
  ')
 diff --git a/rpcbind.te b/rpcbind.te
-index c49828c..a323332 100644
+index c49828c..56cb0c2 100644
 --- a/rpcbind.te
 +++ b/rpcbind.te
 @@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t)
@@ -72121,7 +73299,7 @@ index c49828c..a323332 100644
  files_read_etc_runtime_files(rpcbind_t)
  
 -logging_send_syslog_msg(rpcbind_t)
-+auth_read_passwd(rpcbind_t)
++auth_use_nsswitch(rpcbind_t)
  
 -miscfiles_read_localization(rpcbind_t)
 +logging_send_syslog_msg(rpcbind_t)
@@ -72250,7 +73428,7 @@ index ebe91fc..6392cad 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index 0628d50..84f2fd7 100644
+index 0628d50..39e36fb 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -72385,10 +73563,28 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -181,6 +186,42 @@ interface(`rpm_rw_pipes',`
+@@ -181,6 +186,60 @@ interface(`rpm_rw_pipes',`
  
  ########################################
  ## <summary>
++##	Read and write an unnamed RPM script pipe.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpm_rw_script_inherited_pipes',`
++	gen_require(`
++		type rpm_script_t;
++	')
++
++	allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++## <summary>
 +##	dontaudit read and write an leaked file descriptors
 +## </summary>
 +## <param name="domain">
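Review bot: The summary of the new `rpm_rw_script_inherited_pipes` interface says it reads and writes an "unnamed" pipe, but the only rule it wraps grants `rw_inherited_fifo_file_perms`, which denotes use of fifo descriptors already inherited from `rpm_script_t` rather than the ability to open them; the interface name says "inherited" and the summary should match, e.g. `##	Read and write inherited RPM script pipes.`. Callers choose interfaces by these summaries when deciding how much access to hand out, so the wording should track the permission set.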
@@ -72428,7 +73624,7 @@ index 0628d50..84f2fd7 100644
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -224,7 +265,7 @@ interface(`rpm_dontaudit_dbus_chat',`
+@@ -224,7 +283,7 @@ interface(`rpm_dontaudit_dbus_chat',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -72437,7 +73633,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -244,7 +285,7 @@ interface(`rpm_script_dbus_chat',`
+@@ -244,7 +303,7 @@ interface(`rpm_script_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -72446,7 +73642,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -263,7 +304,8 @@ interface(`rpm_search_log',`
+@@ -263,7 +322,8 @@ interface(`rpm_search_log',`
  
  #####################################
  ## <summary>
@@ -72456,17 +73652,19 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -276,14 +318,30 @@ interface(`rpm_append_log',`
+@@ -276,14 +336,30 @@ interface(`rpm_append_log',`
  		type rpm_log_t;
  	')
  
 -	logging_search_logs($1)
 -	append_files_pattern($1, rpm_log_t, rpm_log_t)
 +	allow $1 rpm_log_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	rpm log files.
 +##	Create, read, write, and delete the RPM log.
 +## </summary>
 +## <param name="domain">
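Review bot: The summary set here, `##	Create, read, write, and delete the RPM log.`, now heads the interface whose body (in the next hunk) is only `read_files_pattern($1, rpm_log_t, rpm_log_t)`, and the following `rpm_manage_log` interface carries the identical summary; the interface header itself falls between the two hunks. Suggest `##	Read the RPM log.` for this one so the two consecutive interfaces are not documented identically. In the same interface the `read_files_pattern` line is indented with four spaces where the rest of the file uses a tab.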
@@ -72481,17 +73679,15 @@ index 0628d50..84f2fd7 100644
 +	')
 +
 +    read_files_pattern($1, rpm_log_t, rpm_log_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	rpm log files.
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete the RPM log.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -302,7 +360,7 @@ interface(`rpm_manage_log',`
+@@ -302,7 +378,7 @@ interface(`rpm_manage_log',`
  
  ########################################
  ## <summary>
@@ -72500,7 +73696,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -320,8 +378,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',`
  
  ########################################
  ## <summary>
@@ -72511,7 +73707,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -335,12 +393,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -72528,7 +73724,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -353,14 +414,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',`
  		type rpm_tmp_t;
  	')
  
@@ -72546,7 +73742,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -374,12 +434,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -72562,7 +73758,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -399,7 +461,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -72571,7 +73767,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -420,8 +482,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +500,7 @@ interface(`rpm_read_cache',`
  
  ########################################
  ## <summary>
@@ -72581,7 +73777,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -442,7 +503,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',`
  
  ########################################
  ## <summary>
@@ -72590,7 +73786,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -459,11 +520,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +538,12 @@ interface(`rpm_read_db',`
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -72604,7 +73800,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -482,8 +544,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +562,7 @@ interface(`rpm_delete_db',`
  
  ########################################
  ## <summary>
@@ -72614,7 +73810,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -503,8 +564,28 @@ interface(`rpm_manage_db',`
+@@ -503,8 +582,28 @@ interface(`rpm_manage_db',`
  
  ########################################
  ## <summary>
@@ -72644,7 +73840,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -517,7 +598,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',`
  		type rpm_var_lib_t;
  	')
  
@@ -72653,7 +73849,7 @@ index 0628d50..84f2fd7 100644
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
-@@ -543,8 +624,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',`
  
  #####################################
  ## <summary>
@@ -72663,7 +73859,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -563,8 +643,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',`
  
  ######################################
  ## <summary>
@@ -72673,7 +73869,7 @@ index 0628d50..84f2fd7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -573,94 +652,72 @@ interface(`rpm_manage_pid_files',`
+@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',`
  ## </param>
  #
  interface(`rpm_pid_filetrans',`
@@ -72767,16 +73963,16 @@ index 0628d50..84f2fd7 100644
  
 -	allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
 -	ps_process_pattern($1, { rpm_t rpm_script_t })
--
++	typeattribute $1 rpm_transition_domain;
++	allow $1 rpm_script_t:process transition;
+ 
 -	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
 -	domain_system_change_exemption($1)
 -	role_transition $2 rpm_initrc_exec_t system_r;
 -	allow $2 system_r;
 -
 -	admin_pattern($1, rpm_file_t)
-+	typeattribute $1 rpm_transition_domain;
-+	allow $1 rpm_script_t:process transition;
- 
+-
 -	files_list_var($1)
 -	admin_pattern($1, rpm_cache_t)
 -
@@ -73737,7 +74933,7 @@ index f1140ef..ebc2190 100644
 +	files_etc_filetrans($1, rsync_etc_t, $2, $3)
  ')
 diff --git a/rsync.te b/rsync.te
-index e3e7c96..0820cb2 100644
+index e3e7c96..ec50426 100644
 --- a/rsync.te
 +++ b/rsync.te
 @@ -1,4 +1,4 @@
@@ -73746,7 +74942,7 @@ index e3e7c96..0820cb2 100644
  
  ########################################
  #
-@@ -6,67 +6,46 @@ policy_module(rsync, 1.12.2)
+@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2)
  #
  
  ## <desc>
@@ -73822,7 +75018,6 @@ index e3e7c96..0820cb2 100644
 -init_daemon_domain(rsync_t, rsync_exec_t)
 -application_domain(rsync_t, rsync_exec_t)
 -role rsync_roles types rsync_t;
-+init_domain(rsync_t, rsync_exec_t)
 +application_executable_file(rsync_exec_t)
 +role system_r types rsync_t;
  
@@ -73834,7 +75029,7 @@ index e3e7c96..0820cb2 100644
  files_type(rsync_data_t)
  
  type rsync_log_t;
-@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t)
+@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t)
  allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
  allow rsync_t self:process signal_perms;
  allow rsync_t self:fifo_file rw_fifo_file_perms;
@@ -73865,7 +75060,7 @@ index e3e7c96..0820cb2 100644
  logging_log_filetrans(rsync_t, rsync_log_t, file)
  
  manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +97,80 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t)
  kernel_read_system_state(rsync_t)
  kernel_read_network_state(rsync_t)
  
@@ -79155,7 +80350,7 @@ index 3a9a70b..039b0c8 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..46356db 100644
+index 49b12ae..e5948ba 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -1,4 +1,4 @@
@@ -79252,7 +80447,15 @@ index 49b12ae..46356db 100644
  files_list_all(setroubleshootd_t)
  files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
-@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t)
+@@ -101,33 +106,32 @@ selinux_read_policy(setroubleshootd_t)
+ term_dontaudit_use_all_ptys(setroubleshootd_t)
+ term_dontaudit_use_all_ttys(setroubleshootd_t)
+ 
++mls_dbus_recv_all_levels(setroubleshootd_t)
++
+ auth_use_nsswitch(setroubleshootd_t)
+ 
+ init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
  libs_exec_ld_so(setroubleshootd_t)
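Review bot: `mls_dbus_recv_all_levels(setroubleshootd_t)` is added without a comment; it is an MLS constraint exemption on receiving D-Bus messages rather than an ordinary allow, and this file otherwise carries no annotation explaining it. A one-line justification, e.g. `# receive D-Bus messages from clients at any MLS level (TODO confirm which callers)`, would record why the exemption is needed and discourage copying it to other daemons by analogy.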
@@ -79285,7 +80488,7 @@ index 49b12ae..46356db 100644
  ')
  
  optional_policy(`
-@@ -135,10 +137,18 @@ optional_policy(`
+@@ -135,10 +139,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79304,7 +80507,7 @@ index 49b12ae..46356db 100644
  	rpm_exec(setroubleshootd_t)
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
-@@ -148,15 +158,17 @@ optional_policy(`
+@@ -148,15 +160,17 @@ optional_policy(`
  
  ########################################
  #
@@ -79323,7 +80526,7 @@ index 49b12ae..46356db 100644
  setroubleshoot_stream_connect(setroubleshoot_fixit_t)
  
  kernel_read_system_state(setroubleshoot_fixit_t)
-@@ -165,9 +177,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -165,9 +179,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  corecmd_getattr_all_executables(setroubleshoot_fixit_t)
  
@@ -79340,7 +80543,7 @@ index 49b12ae..46356db 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +193,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +195,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
@@ -81193,10 +82396,64 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index 703efa3..de313d7 100644
+index 703efa3..f9d6ed6 100644
 --- a/sosreport.te
 +++ b/sosreport.te
-@@ -70,7 +70,6 @@ files_list_all(sosreport_t)
+@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
+ type sosreport_tmpfs_t;
+ files_tmpfs_file(sosreport_tmpfs_t)
+ 
++type sosreport_var_run_t;
++files_pid_file(sosreport_var_run_t)
++
+ optional_policy(`
+ 	pulseaudio_tmpfs_content(sosreport_tmpfs_t)
+ ')
+@@ -29,10 +32,13 @@ optional_policy(`
+ #
+ 
+ allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
++dontaudit sosreport_t self:capability { sys_ptrace };
+ allow sosreport_t self:process { setsched signull };
+ allow sosreport_t self:fifo_file rw_fifo_file_perms;
+ allow sosreport_t self:tcp_socket { accept listen };
+ allow sosreport_t self:unix_stream_socket { accept listen };
++allow sosreport_t self:rawip_socket create_socket_perms;
++allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+ manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+ files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
+ files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
+ 
++manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file })
++
+ manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
+ fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
+ 
+@@ -58,6 +70,9 @@ dev_read_rand(sosreport_t)
+ dev_read_urand(sosreport_t)
+ dev_read_raw_memory(sosreport_t)
+ dev_read_sysfs(sosreport_t)
++dev_rw_generic_usb_dev(sosreport_t)
++dev_getattr_all_chr_files(sosreport_t)
++dev_getattr_all_blk_files(sosreport_t)
+ 
+ domain_getattr_all_domains(sosreport_t)
+ domain_read_all_domains_state(sosreport_t)
+@@ -65,12 +80,13 @@ domain_getattr_all_sockets(sosreport_t)
+ domain_getattr_all_pipes(sosreport_t)
+ 
+ files_getattr_all_sockets(sosreport_t)
++files_getattr_all_files(sosreport_t)
++files_getattr_all_pipes(sosreport_t)
+ files_exec_etc_files(sosreport_t)
+ files_list_all(sosreport_t)
  files_read_config_files(sosreport_t)
  files_read_generic_tmp_files(sosreport_t)
  files_read_non_auth_files(sosreport_t)
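Review bot: `dev_rw_generic_usb_dev(sosreport_t)` grants read and write on generic USB device nodes to a domain whose other new rules in this hunk are all getattr, read or dontaudit. If the collector only reads device descriptors, the read-only variant `dev_read_generic_usb_dev` (if present in this policy tree) fits the rest of the block; if write access is genuinely required, give the line a why-comment in the style the neighbouring hunk uses for `files_read_non_security_files`, e.g. `# USB write access needed by <sosreport plugin — fill in>`. The `dontaudit sosreport_t self:capability { sys_ptrace };` and the raw-IP socket rule (paired with the existing `net_raw` capability) look fine.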
@@ -81204,10 +82461,20 @@ index 703efa3..de313d7 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -84,6 +83,10 @@ fs_list_inotifyfs(sosreport_t)
+@@ -79,27 +95,41 @@ files_manage_etc_runtime_files(sosreport_t)
+ files_etc_filetrans_etc_runtime(sosreport_t, file)
+ 
+ fs_getattr_all_fs(sosreport_t)
++fs_getattr_all_dirs(sosreport_t)
+ fs_list_inotifyfs(sosreport_t)
+ 
  storage_dontaudit_read_fixed_disk(sosreport_t)
  storage_dontaudit_read_removable_device(sosreport_t)
  
++term_getattr_pty_fs(sosreport_t)
++term_getattr_all_ptys(sosreport_t)
++term_use_generic_ptys(sosreport_t)
++
 +# some config files do not have configfile attribute
 +# sosreport needs to read various files on system
 +files_read_non_security_files(sosreport_t)
@@ -81215,7 +82482,10 @@ index 703efa3..de313d7 100644
  auth_use_nsswitch(sosreport_t)
  
  init_domtrans_script(sosreport_t)
-@@ -93,9 +96,8 @@ libs_domtrans_ldconfig(sosreport_t)
++init_getattr_initctl(sosreport_t)
+ 
+ libs_domtrans_ldconfig(sosreport_t)
+ 
  logging_read_all_logs(sosreport_t)
  logging_send_syslog_msg(sosreport_t)
  
@@ -81226,7 +82496,16 @@ index 703efa3..de313d7 100644
  
  optional_policy(`
  	abrt_manage_pid_files(sosreport_t)
-@@ -111,6 +113,11 @@ optional_policy(`
+ 	abrt_manage_cache(sosreport_t)
++	abrt_stream_connect(sosreport_t)
++')
++
++optional_policy(`
++	brctl_domtrans(sosreport_t)
+ ')
+ 
+ optional_policy(`
+@@ -111,6 +141,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83191,7 +84470,7 @@ index a240455..54c5c1f 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 8b537aa..e9632c3 100644
+index 8b537aa..3bce4df 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -1,4 +1,4 @@
@@ -83280,7 +84559,7 @@ index 8b537aa..e9632c3 100644
  auth_domtrans_chk_passwd(sssd_t)
  auth_domtrans_upd_passwd(sssd_t)
  auth_manage_cache(sssd_t)
-@@ -112,18 +105,31 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -83290,6 +84569,7 @@ index 8b537aa..e9632c3 100644
  sysnet_use_ldap(sssd_t)
  
 +userdom_manage_tmp_role(system_r, sssd_t)
++userdom_manage_all_users_keys(sssd_t)
 +
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
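Review bot: `userdom_manage_all_users_keys(sssd_t)` is added with no comment; by its name it hands sssd full management of every user's kernel keyring, which is a broad grant compared with the read- or per-user variants, if this tree has them. If sssd only needs to read or link keys, prefer the narrower interface; otherwise add a why-comment, e.g. `# TODO confirm: required for keyring-based credential caches`, so the scope of the grant is recorded next to the rule.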
@@ -83843,10 +85123,10 @@ index c6aaac7..a5600a8 100644
  sysnet_dns_name_resolve(svnserve_t)
 diff --git a/swift.fc b/swift.fc
 new file mode 100644
-index 0000000..e5433ad
+index 0000000..744f0ce
 --- /dev/null
 +++ b/swift.fc
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,29 @@
 +/usr/bin/swift-account-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-reaper		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-replicator	--	gen_context(system_u:object_r:swift_exec_t,s0)
@@ -83866,7 +85146,8 @@ index 0000000..e5433ad
 +
 +/usr/lib/systemd/system/openstack-swift.*      --  gen_context(system_u:object_r:swift_unit_file_t,s0)
 +
-+/var/run/swift(/.*)?		gen_context(system_u:object_r:swift_var_run_t,s0)
++/var/cache/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_cache_t,s0)
++/var/run/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_run_t,s0)
 +
 +# This seems to be a de-facto standard when using swift.
 +/srv/node(/.*)?		gen_context(system_u:object_r:swift_data_t,s0)
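Review bot: The two new file-context lines for `/var/cache/swift(/.*)?` and `/var/run/swift(/.*)?` carry the `--` type field, which matches regular files only, so the `/var/cache/swift` and `/var/run/swift` directories themselves (and any subdirectories or sockets under them) would not be labelled `swift_var_cache_t` / `swift_var_run_t` by restorecon; the line this hunk replaces had no type field, as a `(/.*)?` pattern normally does. Drop the `--` on both: `/var/cache/swift(/.*)?	gen_context(system_u:object_r:swift_var_cache_t,s0)` and `/var/run/swift(/.*)?	gen_context(system_u:object_r:swift_var_run_t,s0)`, matching `/srv/node(/.*)?` below.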
@@ -84006,10 +85287,10 @@ index 0000000..015c2c9
 +')
 diff --git a/swift.te b/swift.te
 new file mode 100644
-index 0000000..39f1ca1
+index 0000000..c7b2bf6
 --- /dev/null
 +++ b/swift.te
-@@ -0,0 +1,53 @@
+@@ -0,0 +1,69 @@
 +policy_module(swift, 1.0.0)
 +
 +########################################
@@ -84021,6 +85302,9 @@ index 0000000..39f1ca1
 +type swift_exec_t;
 +init_daemon_domain(swift_t, swift_exec_t)
 +
++type swift_var_cache_t;
++files_type(swift_var_cache_t)
++
 +type swift_var_run_t;
 +files_pid_file(swift_var_run_t)
 +
@@ -84035,10 +85319,18 @@ index 0000000..39f1ca1
 +# swift local policy
 +#
 +
++allow swift_t self:process signal;
++
 +allow swift_t self:fifo_file rw_fifo_file_perms;
++allow swift_t self:tcp_socket create_stream_socket_perms;
 +allow swift_t self:unix_stream_socket create_stream_socket_perms;
 +allow swift_t self:unix_dgram_socket create_socket_perms;
 +
++manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
++manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
++manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
++files_var_filetrans(swift_t,swift_var_cache_t, { dir file })
++
 +manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t)
 +manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
 +manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
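Review bot: `files_var_filetrans(swift_t,swift_var_cache_t, { dir file })` is an unnamed transition, so every directory or file swift_t creates directly in a var_t-labelled directory, not only `/var/cache/swift`, becomes swift_var_cache_t. Given the matching file context is `/var/cache/swift(/.*)?`, a name-restricted transition such as `files_var_filetrans(swift_t, swift_var_cache_t, dir, "swift")` (the named form this patch already uses, e.g. `files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")`) would scope it, assuming creating that directory is the only case. The call also lacks the space after the first comma that every other pattern call in this file has.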
@@ -84051,6 +85343,7 @@ index 0000000..39f1ca1
 +
 +kernel_dgram_send(swift_t)
 +kernel_read_system_state(swift_t)
++kernel_read_network_state(swift_t)
 +
 +corecmd_exec_shell(swift_t)
 +
@@ -84058,11 +85351,15 @@ index 0000000..39f1ca1
 +
 +domain_use_interactive_fds(swift_t)
 +
++files_dontaudit_search_home(swift_t)
++
 +auth_use_nsswitch(swift_t)
 +
 +libs_exec_ldconfig(swift_t)
 +
 +logging_send_syslog_msg(swift_t)
++
++userdom_dontaudit_search_user_home_dirs(swift_t)
 diff --git a/swift_alias.fc b/swift_alias.fc
 new file mode 100644
 index 0000000..b7db254
@@ -84141,7 +85438,7 @@ index c9824cb..1973f71 100644
  
  userdom_dontaudit_use_unpriv_user_fds(sxid_t)
 diff --git a/sysstat.te b/sysstat.te
-index c8b80b2..f041061 100644
+index c8b80b2..c81d332 100644
 --- a/sysstat.te
 +++ b/sysstat.te
 @@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
@@ -84163,8 +85460,12 @@ index c8b80b2..f041061 100644
  corecmd_exec_bin(sysstat_t)
  
  dev_read_sysfs(sysstat_t)
-@@ -49,8 +48,10 @@ files_read_etc_runtime_files(sysstat_t)
- fs_getattr_xattr_fs(sysstat_t)
+@@ -46,11 +45,13 @@ dev_read_urand(sysstat_t)
+ files_search_var(sysstat_t)
+ files_read_etc_runtime_files(sysstat_t)
+ 
+-fs_getattr_xattr_fs(sysstat_t)
++fs_getattr_all_fs(sysstat_t)
  fs_list_inotifyfs(sysstat_t)
  
 +storage_getattr_fixed_disk_dev(sysstat_t)
@@ -84481,7 +85782,7 @@ index c7de0cf..9813503 100644
 +/usr/libexec/telepathy-stream-engine	--	gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
 +/usr/libexec/telepathy-sunshine		--	gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
 diff --git a/telepathy.if b/telepathy.if
-index 42946bc..3d30062 100644
+index 42946bc..741f2f4 100644
 --- a/telepathy.if
 +++ b/telepathy.if
 @@ -2,45 +2,39 @@
@@ -84561,7 +85862,7 @@ index 42946bc..3d30062 100644
  		type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
  		type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
  		type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
-@@ -63,91 +62,79 @@ template(`telepathy_role_template',`
+@@ -63,91 +62,84 @@ template(`telepathy_role_template',`
  		type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
  		type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
  		type telepathy_msn_exec_t;
@@ -84667,11 +85968,15 @@ index 42946bc..3d30062 100644
  ## <param name="domain">
 -##	<summary>
 +## 	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`telepathy_gabble_dbus_chat',`
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
 +interface(`telepathy_gabble_stream_connect_to', `
 +	gen_require(`
 +		type telepathy_gabble_t;
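Review bot: The XML header for `telepathy_gabble_stream_connect_to` now contains two `<param name="domain">` blocks in a row, the second indented with spaces where the file uses tabs, which reads as a copy-paste leftover since the interface takes a single `$1`. Keep the first block and delete the five lines from the second `## <param name="domain">` through its `## </param>`.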
@@ -84687,15 +85992,16 @@ index 42946bc..3d30062 100644
 +## </summary>
 +## <param name="domain">
 +## 	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`telepathy_gabble_dbus_chat',`
 +interface(`telepathy_gabble_dbus_chat', `
  	gen_require(`
  		type telepathy_gabble_t;
  		class dbus send_msg;
-@@ -159,10 +146,10 @@ interface(`telepathy_gabble_dbus_chat',`
+@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -84708,7 +86014,7 @@ index 42946bc..3d30062 100644
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
-@@ -173,15 +160,12 @@ interface(`telepathy_mission_control_read_state',`
+@@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',`
  	')
  
  	kernel_search_proc($1)
@@ -84726,7 +86032,7 @@ index 42946bc..3d30062 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -189,19 +173,18 @@ interface(`telepathy_mission_control_read_state',`
+@@ -189,19 +178,18 @@ interface(`telepathy_mission_control_read_state',`
  ##	</summary>
  ## </param>
  #
@@ -84749,7 +86055,7 @@ index 42946bc..3d30062 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -209,11 +192,138 @@ interface(`telepathy_msn_stream_connect',`
+@@ -209,11 +197,138 @@ interface(`telepathy_msn_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -84891,7 +86197,7 @@ index 42946bc..3d30062 100644
 +	can_exec($1, telepathy_executable)
  ')
 diff --git a/telepathy.te b/telepathy.te
-index e9c0964..91c1898 100644
+index e9c0964..ff77783 100644
 --- a/telepathy.te
 +++ b/telepathy.te
 @@ -1,29 +1,28 @@
@@ -85392,7 +86698,7 @@ index e9c0964..91c1898 100644
  optional_policy(`
  	xserver_read_xdm_pid(telepathy_sunshine_t)
  	xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +382,40 @@ optional_policy(`
+@@ -452,31 +382,43 @@ optional_policy(`
  
  #######################################
  #
@@ -85420,10 +86726,12 @@ index e9c0964..91c1898 100644
  
  fs_getattr_all_fs(telepathy_domain)
  fs_search_auto_mountpoints(telepathy_domain)
--
--miscfiles_read_localization(telepathy_domain)
 +fs_rw_inherited_tmpfs_files(telepathy_domain)
  
+-miscfiles_read_localization(telepathy_domain)
++userdom_search_user_tmp_dirs(telepathy_domain)
++userdom_search_user_home_dirs(telepathy_domain)
+ 
  optional_policy(`
  	automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
  ')
@@ -85431,7 +86739,7 @@ index e9c0964..91c1898 100644
  optional_policy(`
 +	gnome_read_generic_cache_files(telepathy_domain)
 +	gnome_write_generic_cache_files(telepathy_domain)
-+    gnome_filetrans_config_home_content(telepathy_domain)
++	gnome_filetrans_config_home_content(telepathy_domain)
 +')
 +
 +optional_policy(`
@@ -85961,7 +87269,7 @@ index 5406b6e..dc5b46e 100644
  	admin_pattern($1, tgtd_tmpfs_t)
  ')
 diff --git a/tgtd.te b/tgtd.te
-index c93c973..b04d201 100644
+index c93c973..4ec1eb0 100644
 --- a/tgtd.te
 +++ b/tgtd.te
 @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
@@ -85973,7 +87281,7 @@ index c93c973..b04d201 100644
  allow tgtd_t self:capability2 block_suspend;
  allow tgtd_t self:process { setrlimit signal };
  allow tgtd_t self:fifo_file rw_fifo_file_perms;
-@@ -58,7 +58,6 @@ kernel_read_system_state(tgtd_t)
+@@ -58,27 +58,27 @@ kernel_read_system_state(tgtd_t)
  kernel_read_fs_sysctls(tgtd_t)
  
  corenet_all_recvfrom_netlabel(tgtd_t)
@@ -85981,7 +87289,11 @@ index c93c973..b04d201 100644
  corenet_tcp_sendrecv_generic_if(tgtd_t)
  corenet_tcp_sendrecv_generic_node(tgtd_t)
  corenet_tcp_bind_generic_node(tgtd_t)
-@@ -69,16 +68,16 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+ 
+ corenet_sendrecv_iscsi_server_packets(tgtd_t)
+ corenet_tcp_bind_iscsi_port(tgtd_t)
++corenet_tcp_connect_isns_port(tgtd_t)
+ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
  
  dev_read_sysfs(tgtd_t)
  
@@ -86371,10 +87683,10 @@ index 0000000..8b2dfff
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..bf58d50
+index 0000000..ec3eb8f
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,146 @@
+@@ -0,0 +1,147 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -86449,6 +87761,7 @@ index 0000000..bf58d50
 +dev_rw_xserver_misc(thumb_t)
 +
 +domain_use_interactive_fds(thumb_t)
++domain_dontaudit_read_all_domains_state(thumb_t)
 +
 +files_read_non_security_files(thumb_t)
 +
@@ -87915,7 +89228,7 @@ index 1ec5e99..88e287d 100644
 +	allow $1 usbmuxd_unit_file_t:service all_service_perms;
 +')
 diff --git a/usbmuxd.te b/usbmuxd.te
-index 8840be6..285680c 100644
+index 8840be6..d2c7596 100644
 --- a/usbmuxd.te
 +++ b/usbmuxd.te
 @@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles;
@@ -87935,7 +89248,15 @@ index 8840be6..285680c 100644
  ########################################
  #
  # Local policy
-@@ -38,6 +42,10 @@ dev_rw_generic_usb_dev(usbmuxd_t)
+@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t)
+ allow usbmuxd_t self:capability { kill setgid setuid };
+ allow usbmuxd_t self:process { signal signull };
+ allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
++allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+ manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t)
  
  auth_use_nsswitch(usbmuxd_t)
  
@@ -89035,10 +90356,10 @@ index 0be8535..b96e329 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index c30da4c..898ce74 100644
+index c30da4c..b81eaa0 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,52 +1,87 @@
+@@ -1,52 +1,86 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@@ -89091,7 +90412,6 @@ index c30da4c..898ce74 100644
  /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/sbin/virtlockd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virsh		--	gen_context(system_u:object_r:virsh_exec_t,s0)
-+/usr/bin/virt-sandbox-service.*	--	gen_context(system_u:object_r:virsh_exec_t,s0)
 +/usr/sbin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/sbin/xl		--	gen_context(system_u:object_r:virsh_exec_t,s0)
 +/usr/sbin/xm		--	gen_context(system_u:object_r:virsh_exec_t,s0)
@@ -89107,14 +90427,14 @@ index c30da4c..898ce74 100644
 -/var/log/log(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
 -/var/log/libvirt(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
 -/var/log/vdsm(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
+-
+-/var/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
 +/var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/libvirt/boot(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/libvirt/images(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
 +/var/lib/libvirt/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
  
--/var/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
--
 -/var/run/libguestfs(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
 +/var/lock/xl		--	gen_context(system_u:object_r:virt_log_t,s0)
 +/var/log/log(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
@@ -89166,7 +90486,7 @@ index c30da4c..898ce74 100644
 +/var/run/qga\.state             --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..bdba959 100644
+index 9dec06c..4e31afe 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -90308,17 +91628,17 @@ index 9dec06c..bdba959 100644
 -## <infoflow type="write" weight="10"/>
  #
 -interface(`virt_pid_filetrans',`
-+interface(`virt_stream_connect_lxc',`
++interface(`virt_stream_connect_sandbox',`
  	gen_require(`
 -		type virt_var_run_t;
-+		attribute svirt_lxc_domain;
-+		type svirt_lxc_file_t;
++		attribute svirt_sandbox_domain;
++		type svirt_sandbox_file_t;
  	')
  
  	files_search_pids($1)
 -	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
-+	stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)
-+	ps_process_pattern(svirt_lxc_domain, $1)
++	stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
++	ps_process_pattern(svirt_sandbox_domain, $1)
  ')
  
 +
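Review bot: The rename of the attribute `svirt_lxc_domain` to `svirt_sandbox_domain` and of the interfaces `virt_stream_connect_lxc`, `virt_lxc_domain_template`, `virt_lxc_domain` and `virt_transition_svirt_lxc` ships with no compatibility shim, unlike the type, which later gets `type svirt_sandbox_file_t alias svirt_lxc_file_t;`. Attributes cannot be aliased, so any module outside virt that still declares `attribute svirt_lxc_domain;` in a gen_require fails at build or load time, and callers of the old interface names fail at policy build; the same applies to the later virt.if hunks and to the virt.te declarations hunk. Keeping the old interface names as thin deprecated wrappers that call the new ones would let dependent modules migrate instead of break, and the commit message should list the rename explicitly.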
@@ -90642,16 +91962,16 @@ index 9dec06c..bdba959 100644
 -	manage_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
--
++	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
++	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
+ 
 -	tunable_policy(`virt_use_nfs',`
 -		fs_manage_nfs_dirs($1)
 -		fs_manage_nfs_files($1)
 -		fs_read_nfs_symlinks($1)
 -	')
-+	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
-+	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
-+	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
- 
+-
 -	tunable_policy(`virt_use_samba',`
 -		fs_manage_cifs_files($1)
 -		fs_manage_cifs_files($1)
@@ -90700,7 +92020,7 @@ index 9dec06c..bdba959 100644
 -## <rolecap/>
  #
 -interface(`virt_admin',`
-+template(`virt_lxc_domain_template',`
++template(`virt_sandbox_domain_template',`
  	gen_require(`
 -		attribute virt_domain, virt_image_type, virt_tmpfs_type;
 -		attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
@@ -90710,14 +92030,14 @@ index 9dec06c..bdba959 100644
 -		type virt_var_run_t, virt_tmp_t, virt_log_t;
 -		type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
 -		type virt_etc_t, svirt_cache_t;
-+		attribute svirt_lxc_domain;
++		attribute svirt_sandbox_domain;
  	')
  
 -	allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
 -	allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
 -	ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
 -	ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
-+	type $1_t, svirt_lxc_domain;
++	type $1_t, svirt_sandbox_domain;
 +	domain_type($1_t)
 +	domain_user_exemption_target($1_t)
 +	mls_rangetrans_target($1_t)
@@ -90743,14 +92063,14 @@ index 9dec06c..bdba959 100644
 +##	</summary>
 +## </param>
 +#
-+template(`virt_lxc_domain',`
++template(`virt_sandbox_domain',`
 +	gen_require(`
-+		attribute svirt_lxc_domain;
++		attribute svirt_sandbox_domain;
 +	')
  
 -	files_search_tmp($1)
 -	admin_pattern($1, { virt_tmp_type virt_tmp_t })
-+	typeattribute  $1 svirt_lxc_domain;
++	typeattribute  $1 svirt_sandbox_domain;
 +')
  
 -	files_search_etc($1)
@@ -90819,16 +92139,16 @@ index 9dec06c..bdba959 100644
 +## </param>
 +## <rolecap/>
 +#
-+interface(`virt_transition_svirt_lxc',`
++interface(`virt_transition_svirt_sandbox',`
 +	gen_require(`
-+		attribute svirt_lxc_domain;
++		attribute svirt_sandbox_domain;
 +	')
 +
-+	allow $1 svirt_lxc_domain:process transition;
-+	role $2 types svirt_lxc_domain;
-+	allow $1 svirt_lxc_domain:unix_dgram_socket sendto;
++	allow $1 svirt_sandbox_domain:process transition;
++	role $2 types svirt_sandbox_domain;
++	allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
 +
-+	allow svirt_lxc_domain $1:process sigchld;
++	allow svirt_sandbox_domain $1:process sigchld;
 +')
  
 -	files_search_locks($1)
@@ -90853,7 +92173,7 @@ index 9dec06c..bdba959 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..cd628f9 100644
+index 1f22fba..d48d354 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,104 @@
@@ -91115,7 +92435,7 @@ index 1f22fba..cd628f9 100644
 -# Common virt domain local policy
 +# Declarations
  #
-+attribute svirt_lxc_domain;
++attribute svirt_sandbox_domain;
  
 -allow virt_domain self:process { signal getsched signull };
 -allow virt_domain self:fifo_file rw_fifo_file_perms;
@@ -91268,8 +92588,8 @@ index 1f22fba..cd628f9 100644
 -	dev_rw_sysfs(virt_domain)
 -')
 +# virt lxc container files
-+type svirt_lxc_file_t;
-+files_mountpoint(svirt_lxc_file_t)
++type svirt_sandbox_file_t alias svirt_lxc_file_t;
++files_mountpoint(svirt_sandbox_file_t)
  
 -tunable_policy(`virt_use_usb',`
 -	dev_rw_usbfs(virt_domain)
@@ -91334,11 +92654,11 @@ index 1f22fba..cd628f9 100644
 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
--
--filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
 +allow svirt_tcg_t self:process { execmem execstack };
 +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
  
+-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+-
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
 -
 -corenet_udp_sendrecv_generic_if(svirt_t)
@@ -91388,7 +92708,7 @@ index 1f22fba..cd628f9 100644
  allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 -allow virtd_t self:unix_stream_socket { accept connectto listen };
 -allow virtd_t self:tcp_socket { accept listen };
-+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms };
++allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto };
 +allow virtd_t self:tcp_socket create_stream_socket_perms;
  allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
  allow virtd_t self:rawip_socket create_socket_perms;
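Review bot: `relabelfrom relabelto` on virtd_t's own `unix_stream_socket`, and `relabel_file_perms` on `virt_image_type:unix_stream_socket` in the next virt.te hunk, are added without a comment saying which libvirtd operation needs them; relabel rights on sockets are uncommon, and a later reader cannot tell an observed denial from a speculative grant. Add a one-line why-comment above each, e.g. `# why: <libvirtd operation that relabels this socket>, AVC: <paste denial>`, or cite the denial in the commit message. If `relabel_file_perms` expands to more than `{ relabelfrom relabelto }` for this class, the explicit pair is the tighter choice.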
@@ -91436,7 +92756,7 @@ index 1f22fba..cd628f9 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +308,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +308,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -91460,6 +92780,7 @@ index 1f22fba..cd628f9 100644
  allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 -
++allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;
  allow virtd_t virt_ptynode:chr_file rw_term_perms;
  
  manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
@@ -91482,28 +92803,28 @@ index 1f22fba..cd628f9 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +342,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +343,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
 -can_exec(virtd_t, virt_tmp_t)
 -
 -kernel_read_crypto_sysctls(virtd_t)
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +354,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +355,7 @@ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  kernel_setsched(virtd_t)
@@ -91511,7 +92832,7 @@ index 1f22fba..cd628f9 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,24 +362,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +363,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -91539,7 +92860,7 @@ index 1f22fba..cd628f9 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -548,22 +382,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +383,23 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -91568,7 +92889,7 @@ index 1f22fba..cd628f9 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +429,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +430,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -91588,7 +92909,7 @@ index 1f22fba..cd628f9 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +451,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +452,26 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -91625,7 +92946,7 @@ index 1f22fba..cd628f9 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +479,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +480,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -91634,7 +92955,7 @@ index 1f22fba..cd628f9 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -658,95 +504,326 @@ optional_policy(`
+@@ -658,20 +505,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -91648,95 +92969,82 @@ index 1f22fba..cd628f9 100644
  	optional_policy(`
  		networkmanager_dbus_chat(virtd_t)
  	')
-+')
-+
-+optional_policy(`
-+	dmidecode_domtrans(virtd_t)
-+')
-+
-+optional_policy(`
-+	dnsmasq_domtrans(virtd_t)
-+	dnsmasq_signal(virtd_t)
-+	dnsmasq_kill(virtd_t)
-+	dnsmasq_signull(virtd_t)
-+	dnsmasq_create_pid_dirs(virtd_t)
+-
+-	optional_policy(`
+-		policykit_dbus_chat(virtd_t)
+-	')
+ ')
+ 
+ optional_policy(`
+@@ -684,14 +523,20 @@ optional_policy(`
+ 	dnsmasq_kill(virtd_t)
+ 	dnsmasq_signull(virtd_t)
+ 	dnsmasq_create_pid_dirs(virtd_t)
+-	dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
+-	dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
 +	dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
-+	dnsmasq_manage_pid_files(virtd_t)
-+')
-+
-+optional_policy(`
+ 	dnsmasq_manage_pid_files(virtd_t)
+ ')
+ 
+ optional_policy(`
 +	firewalld_dbus_chat(virtd_t)
 +')
 +
 +optional_policy(`
-+	iptables_domtrans(virtd_t)
-+	iptables_initrc_domtrans(virtd_t)
+ 	iptables_domtrans(virtd_t)
+ 	iptables_initrc_domtrans(virtd_t)
 +	iptables_systemctl(virtd_t)
 +
 +	# Manages /etc/sysconfig/system-config-firewall
-+	iptables_manage_config(virtd_t)
-+')
-+
-+optional_policy(`
-+	kerberos_keytab_template(virtd, virtd_t)
-+')
-+
-+optional_policy(`
-+	lvm_domtrans(virtd_t)
-+')
-+
-+optional_policy(`
+ 	iptables_manage_config(virtd_t)
+ ')
+ 
+@@ -704,11 +549,13 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	# Run mount in the mount_t domain.
-+	mount_domtrans(virtd_t)
-+	mount_signal(virtd_t)
-+')
-+
-+optional_policy(`
+ 	mount_domtrans(virtd_t)
+ 	mount_signal(virtd_t)
+ ')
+ 
+ optional_policy(`
 +	policykit_dbus_chat(virtd_t)
-+	policykit_domtrans_auth(virtd_t)
-+	policykit_domtrans_resolve(virtd_t)
-+	policykit_read_lib(virtd_t)
-+')
-+
-+optional_policy(`
-+	qemu_exec(virtd_t)
-+')
-+
-+optional_policy(`
+ 	policykit_domtrans_auth(virtd_t)
+ 	policykit_domtrans_resolve(virtd_t)
+ 	policykit_read_lib(virtd_t)
+@@ -719,10 +566,18 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	sanlock_stream_connect(virtd_t)
 +')
 +
 +optional_policy(`
-+	sasl_connect(virtd_t)
-+')
-+
-+optional_policy(`
+ 	sasl_connect(virtd_t)
+ ')
+ 
+ optional_policy(`
 +	setrans_manage_pid_files(virtd_t)
 +')
 +
 +optional_policy(`
-+	kernel_read_xen_state(virtd_t)
-+	kernel_write_xen_state(virtd_t)
-+
-+	xen_exec(virtd_t)
-+	xen_stream_connect(virtd_t)
-+	xen_stream_connect_xenstore(virtd_t)
-+	xen_read_image_files(virtd_t)
-+')
-+
-+optional_policy(`
-+	udev_domtrans(virtd_t)
-+	udev_read_db(virtd_t)
-+')
-+
+ 	kernel_read_xen_state(virtd_t)
+ 	kernel_write_xen_state(virtd_t)
+ 
+@@ -737,44 +592,262 @@ optional_policy(`
+ 	udev_read_db(virtd_t)
+ ')
+ 
 +optional_policy(`
 +	unconfined_domain(virtd_t)
 +')
 +
-+########################################
-+#
+ ########################################
+ #
+-# Virsh local policy
 +# virtual domains common policy
-+#
+ #
 +allow virt_domain self:capability2 compromise_kernel;
 +allow virt_domain self:process { setrlimit signal_perms getsched setsched };
 +allow virt_domain self:fifo_file rw_fifo_file_perms;
@@ -91745,12 +93053,21 @@ index 1f22fba..cd628f9 100644
 +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
 +allow virt_domain self:tcp_socket create_stream_socket_perms;
 +allow virt_domain self:udp_socket create_socket_perms;
-+
++allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+-allow virsh_t self:process { getcap getsched setsched setcap signal };
+-allow virsh_t self:fifo_file rw_fifo_file_perms;
+-allow virsh_t self:unix_stream_socket { accept connectto listen };
+-allow virsh_t self:tcp_socket { accept listen };
 +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
 +read_files_pattern(virt_domain, virt_content_t, virt_content_t)
 +dontaudit virt_domain virt_content_t:file write_file_perms;
 +dontaudit virt_domain virt_content_t:dir write;
-+
+ 
+-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +userdom_search_user_home_content(virt_domain)
 +userdom_read_user_home_content_symlinks(virt_domain)
 +userdom_read_all_users_state(virt_domain)
@@ -91764,7 +93081,13 @@ index 1f22fba..cd628f9 100644
 +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-+
+ 
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
 +
 +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -91795,13 +93118,19 @@ index 1f22fba..cd628f9 100644
 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
 +
 +dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
-+
+ 
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 +dontaudit virt_domain virt_tmpfs_type:file { read write };
-+
+ 
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 +append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-+
+ 
+-allow virsh_t svirt_lxc_domain:process transition;
 +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-+
+ 
+-can_exec(virsh_t, virsh_exec_t)
 +corecmd_exec_bin(virt_domain)
 +corecmd_exec_shell(virt_domain)
 +
@@ -91848,10 +93177,7 @@ index 1f22fba..cd628f9 100644
 +storage_raw_read_removable_device(virt_domain)
 +
 +sysnet_read_config(virt_domain)
- 
--	optional_policy(`
--		policykit_dbus_chat(virtd_t)
--	')
++
 +term_use_all_inherited_terms(virt_domain)
 +term_getattr_pty_fs(virt_domain)
 +term_use_generic_ptys(virt_domain)
@@ -91859,78 +93185,53 @@ index 1f22fba..cd628f9 100644
 +
 +tunable_policy(`virt_use_execmem',`
 +	allow virt_domain self:process { execmem execstack };
- ')
- 
- optional_policy(`
--	dmidecode_domtrans(virtd_t)
++')
++
++optional_policy(`
 +	alsa_read_rw_config(virt_domain)
- ')
- 
- optional_policy(`
--	dnsmasq_domtrans(virtd_t)
--	dnsmasq_signal(virtd_t)
--	dnsmasq_kill(virtd_t)
--	dnsmasq_signull(virtd_t)
--	dnsmasq_create_pid_dirs(virtd_t)
--	dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
--	dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
--	dnsmasq_manage_pid_files(virtd_t)
++')
++
++optional_policy(`
 +	ptchown_domtrans(virt_domain)
- ')
- 
- optional_policy(`
--	iptables_domtrans(virtd_t)
--	iptables_initrc_domtrans(virtd_t)
--	iptables_manage_config(virtd_t)
++')
++
++optional_policy(`
 +	pulseaudio_dontaudit_exec(virt_domain)
- ')
- 
- optional_policy(`
--	kerberos_keytab_template(virtd, virtd_t)
++')
++
++optional_policy(`
 +	virt_read_config(virt_domain)
 +	virt_read_lib_files(virt_domain)
 +	virt_read_content(virt_domain)
 +	virt_stream_connect(virt_domain)
 +	virt_read_pid_symlinks(virt_domain)
 +	virt_domtrans_bridgehelper(virt_domain)
- ')
++')
  
- optional_policy(`
--	lvm_domtrans(virtd_t)
++optional_policy(`
 +	xserver_rw_shm(virt_domain)
- ')
- 
--optional_policy(`
--	mount_domtrans(virtd_t)
--	mount_signal(virtd_t)
++')
++
 +tunable_policy(`virt_use_comm',`
 +	term_use_unallocated_ttys(virt_domain)
 +	dev_rw_printer(virt_domain)
- ')
- 
--optional_policy(`
--	policykit_domtrans_auth(virtd_t)
--	policykit_domtrans_resolve(virtd_t)
--	policykit_read_lib(virtd_t)
++')
++
 +tunable_policy(`virt_use_fusefs',`
 +	fs_manage_fusefs_dirs(virt_domain)
 +	fs_manage_fusefs_files(virt_domain)
 +	fs_read_fusefs_symlinks(virt_domain)
 +	fs_getattr_fusefs(virt_domain)
- ')
- 
--optional_policy(`
--	qemu_exec(virtd_t)
++')
++
 +tunable_policy(`virt_use_nfs',`
 +	fs_manage_nfs_dirs(virt_domain)
 +	fs_manage_nfs_files(virt_domain)
 +	fs_manage_nfs_named_sockets(virt_domain)
 +	fs_read_nfs_symlinks(virt_domain)
 +	fs_getattr_nfs(virt_domain)
- ')
- 
--optional_policy(`
--	sasl_connect(virtd_t)
++')
++
 +tunable_policy(`virt_use_samba',`
 +	fs_manage_cifs_dirs(virt_domain)
 +	fs_manage_cifs_files(virt_domain)
@@ -91942,102 +93243,81 @@ index 1f22fba..cd628f9 100644
 +tunable_policy(`virt_use_usb',`
 +	dev_rw_usbfs(virt_domain)
 +	dev_read_sysfs(virt_domain)
++	fs_getattr_dos_fs(virt_domain)
 +	fs_manage_dos_dirs(virt_domain)
 +	fs_manage_dos_files(virt_domain)
- ')
- 
- optional_policy(`
--	kernel_read_xen_state(virtd_t)
--	kernel_write_xen_state(virtd_t)
++')
++
++optional_policy(`
 +    tunable_policy(`virt_use_sanlock',`
 +        sanlock_stream_connect(virt_domain)
 +    ')
 +')
- 
--	xen_exec(virtd_t)
--	xen_stream_connect(virtd_t)
--	xen_stream_connect_xenstore(virtd_t)
--	xen_read_image_files(virtd_t)
++
 +tunable_policy(`virt_use_rawip',`
 +	allow virt_domain self:rawip_socket create_socket_perms;
- ')
- 
- optional_policy(`
--	udev_domtrans(virtd_t)
--	udev_read_db(virtd_t)
++')
++
++optional_policy(`
 +	tunable_policy(`virt_use_xserver',`
 +		xserver_stream_connect(virt_domain)
 +	')
- ')
- 
- ########################################
- #
--# Virsh local policy
++')
++
++########################################
++#
 +# xm local policy
- #
++#
 +type virsh_t;
 +type virsh_exec_t;
 +init_system_domain(virsh_t, virsh_exec_t)
 +typealias virsh_t alias xm_t;
 +typealias virsh_exec_t alias xm_exec_t;
- 
--allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
--allow virsh_t self:process { getcap getsched setsched setcap signal };
++
 +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
 +allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
- allow virsh_t self:fifo_file rw_fifo_file_perms;
--allow virsh_t self:unix_stream_socket { accept connectto listen };
--allow virsh_t self:tcp_socket { accept listen };
++allow virsh_t self:fifo_file rw_fifo_file_perms;
 +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virsh_t self:tcp_socket create_stream_socket_perms;
 +
-+ps_process_pattern(virsh_t, svirt_lxc_domain)
++ps_process_pattern(virsh_t, svirt_sandbox_domain)
 +
 +can_exec(virsh_t, virsh_exec_t)
-+virt_domtrans(virsh_t)
-+virt_manage_images(virsh_t)
-+virt_manage_config(virsh_t)
-+virt_stream_connect(virsh_t)
-+
+ virt_domtrans(virsh_t)
+ virt_manage_images(virsh_t)
+ virt_manage_config(virsh_t)
+ virt_stream_connect(virsh_t)
+ 
+-kernel_read_crypto_sysctls(virsh_t)
 +manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t)
 +manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
 +manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
 +files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file })
- 
- manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
- manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +835,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+virt_transition_svirt_lxc(virsh_t, system_r)
- 
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
++
++manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
++manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++
++manage_dirs_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_chr_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++virt_transition_svirt_sandbox(virsh_t, system_r)
++
 +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +virt_filetrans_named_content(virsh_t)
 +filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
- 
--allow virsh_t svirt_lxc_domain:process transition;
++
 +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
- 
--can_exec(virsh_t, virsh_exec_t)
--
--virt_domtrans(virsh_t)
--virt_manage_images(virsh_t)
--virt_manage_config(virsh_t)
--virt_stream_connect(virsh_t)
--
--kernel_read_crypto_sysctls(virsh_t)
++
 +kernel_write_proc_files(virsh_t)
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +855,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +858,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -92064,7 +93344,7 @@ index 1f22fba..cd628f9 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +875,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +878,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -92096,7 +93376,7 @@ index 1f22fba..cd628f9 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +908,20 @@ optional_policy(`
+@@ -847,14 +911,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92118,7 +93398,7 @@ index 1f22fba..cd628f9 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,34 +946,45 @@ optional_policy(`
+@@ -879,49 +949,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -92148,7 +93428,7 @@ index 1f22fba..cd628f9 100644
 +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow virtd_lxc_t self:packet_socket create_socket_perms;
-+ps_process_pattern(virtd_lxc_t, svirt_lxc_domain)
++ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain)
 +allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;
  
 -allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
@@ -92165,19 +93445,30 @@ index 1f22fba..cd628f9 100644
 -manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
+-
+-manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
+-allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
 +manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
 +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
- 
- manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +994,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
- allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
- allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
-+files_associate_rootfs(svirt_lxc_file_t)
++
++manage_dirs_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_chr_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++allow virtd_lxc_t svirt_sandbox_file_t:dir_file_class_set { relabelto relabelfrom };
++allow virtd_lxc_t svirt_sandbox_file_t:filesystem { relabelto relabelfrom };
++files_associate_rootfs(svirt_sandbox_file_t)
 +
 +seutil_read_file_contexts(virtd_lxc_t)
  
@@ -92191,7 +93482,7 @@ index 1f22fba..cd628f9 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +1016,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1019,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -92202,15 +93493,16 @@ index 1f22fba..cd628f9 100644
  files_relabel_rootfs(virtd_lxc_t)
  files_mounton_non_security(virtd_lxc_t)
  files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1025,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+ files_unmount_all_file_type_fs(virtd_lxc_t)
  files_list_isid_type_dirs(virtd_lxc_t)
- files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
+-files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
++files_root_filetrans(virtd_lxc_t, svirt_sandbox_file_t, dir_file_class_set)
  
 +fs_read_fusefs_files(virtd_lxc_t)
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1037,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1040,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -92218,48 +93510,53 @@ index 1f22fba..cd628f9 100644
 +
  selinux_mount_fs(virtd_lxc_t)
  selinux_unmount_fs(virtd_lxc_t)
--selinux_get_enforce_mode(virtd_lxc_t)
--selinux_get_fs_mount(virtd_lxc_t)
--selinux_validate_context(virtd_lxc_t)
--selinux_compute_access_vector(virtd_lxc_t)
--selinux_compute_create_context(virtd_lxc_t)
--selinux_compute_relabel_context(virtd_lxc_t)
--selinux_compute_user_contexts(virtd_lxc_t)
 +seutil_read_config(virtd_lxc_t)
++
++term_use_generic_ptys(virtd_lxc_t)
++term_use_ptmx(virtd_lxc_t)
++term_relabel_pty_fs(virtd_lxc_t)
++
++auth_use_nsswitch(virtd_lxc_t)
++
++logging_send_syslog_msg(virtd_lxc_t)
++
++seutil_domtrans_setfiles(virtd_lxc_t)
++seutil_read_default_contexts(virtd_lxc_t)
++
+ selinux_get_enforce_mode(virtd_lxc_t)
+ selinux_get_fs_mount(virtd_lxc_t)
+ selinux_validate_context(virtd_lxc_t)
+@@ -965,194 +1065,247 @@ selinux_compute_create_context(virtd_lxc_t)
+ selinux_compute_relabel_context(virtd_lxc_t)
+ selinux_compute_user_contexts(virtd_lxc_t)
  
- term_use_generic_ptys(virtd_lxc_t)
- term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1051,39 @@ auth_use_nsswitch(virtd_lxc_t)
+-term_use_generic_ptys(virtd_lxc_t)
+-term_use_ptmx(virtd_lxc_t)
+-term_relabel_pty_fs(virtd_lxc_t)
++sysnet_exec_ifconfig(virtd_lxc_t)
  
- logging_send_syslog_msg(virtd_lxc_t)
+-auth_use_nsswitch(virtd_lxc_t)
++userdom_read_admin_home_files(virtd_lxc_t)
  
--miscfiles_read_localization(virtd_lxc_t)
--
- seutil_domtrans_setfiles(virtd_lxc_t)
--seutil_read_config(virtd_lxc_t)
- seutil_read_default_contexts(virtd_lxc_t)
+-logging_send_syslog_msg(virtd_lxc_t)
++optional_policy(`
++	dbus_system_bus_client(virtd_lxc_t)
++	init_dbus_chat(virtd_lxc_t)
++')
  
--sysnet_domtrans_ifconfig(virtd_lxc_t)
-+selinux_get_enforce_mode(virtd_lxc_t)
-+selinux_get_fs_mount(virtd_lxc_t)
-+selinux_validate_context(virtd_lxc_t)
-+selinux_compute_access_vector(virtd_lxc_t)
-+selinux_compute_create_context(virtd_lxc_t)
-+selinux_compute_relabel_context(virtd_lxc_t)
-+selinux_compute_user_contexts(virtd_lxc_t)
-+
-+sysnet_exec_ifconfig(virtd_lxc_t)
-+
-+userdom_read_admin_home_files(virtd_lxc_t)
-+
+-miscfiles_read_localization(virtd_lxc_t)
 +optional_policy(`
 +	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
-+
+ 
+-seutil_domtrans_setfiles(virtd_lxc_t)
+-seutil_read_config(virtd_lxc_t)
+-seutil_read_default_contexts(virtd_lxc_t)
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_lxc_t)
 +')
-+
+ 
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
 +optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
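Review bot: `init_dbus_chat(virtd_lxc_t)` and `userdom_read_admin_home_files(virtd_lxc_t)` are new grants to the container driver with no comment and no mention in the commit message; by their names the first lets the domain exchange D-Bus messages with init and the second lets it read files under the admin home, neither of which is obviously required by an LXC controller. A why-comment above each, such as `# virtd_lxc_t talks to init over D-Bus to <reason>` and `# reads container trees kept under the admin home (<reason>)`, or a pointer to the denial, would keep the grants reviewable. If the admin-home read exists only because container rootfs trees are sometimes placed there, a tunable would be the narrower choice.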
@@ -92267,134 +93564,202 @@ index 1f22fba..cd628f9 100644
  ########################################
  #
 -# Common virt lxc domain local policy
-+# virt_lxc_domain local policy
- #
--
++# svirt_sandbox_domain local policy
+ #
++allow svirt_sandbox_domain self:key manage_key_perms;
++allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
++allow svirt_sandbox_domain self:fifo_file manage_file_perms;
++allow svirt_sandbox_domain self:sem create_sem_perms;
++allow svirt_sandbox_domain self:shm create_shm_perms;
++allow svirt_sandbox_domain self:msgq create_msgq_perms;
++allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
++allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
++
++
++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
++
++allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
++allow svirt_sandbox_domain virtd_lxc_t:fd use;
++allow svirt_sandbox_domain virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_sandbox_domain virt_lxc_var_run_t:file read_file_perms;
++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
++
++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
++
++kernel_getattr_proc(svirt_sandbox_domain)
++kernel_list_all_proc(svirt_sandbox_domain)
++kernel_read_all_sysctls(svirt_sandbox_domain)
++kernel_rw_net_sysctls(svirt_sandbox_domain)
++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
++
++corecmd_exec_all_executables(svirt_sandbox_domain)
++
++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
++files_dontaudit_getattr_all_files(svirt_sandbox_domain)
++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
++files_entrypoint_all_files(svirt_sandbox_domain)
++files_list_var(svirt_sandbox_domain)
++files_list_var_lib(svirt_sandbox_domain)
++files_search_all(svirt_sandbox_domain)
++files_read_config_files(svirt_sandbox_domain)
++files_read_usr_symlinks(svirt_sandbox_domain)
++files_search_locks(svirt_sandbox_domain)
++
++fs_getattr_all_fs(svirt_sandbox_domain)
++fs_list_inotifyfs(svirt_sandbox_domain)
++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
++fs_read_fusefs_files(svirt_sandbox_domain)
++
++auth_dontaudit_read_passwd(svirt_sandbox_domain)
++auth_dontaudit_read_login_records(svirt_sandbox_domain)
++auth_dontaudit_write_login_records(svirt_sandbox_domain)
++auth_search_pam_console_data(svirt_sandbox_domain)
++
++clock_read_adjtime(svirt_sandbox_domain)
++
++init_read_utmp(svirt_sandbox_domain)
++init_dontaudit_write_utmp(svirt_sandbox_domain)
++
++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
++
++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
++miscfiles_read_fonts(svirt_sandbox_domain)
++miscfiles_read_hwdata(svirt_sandbox_domain)
++
++systemd_read_unit_files(svirt_sandbox_domain)
++
++userdom_use_inherited_user_terminals(svirt_sandbox_domain)
++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
++
++optional_policy(`
++	apache_exec_modules(svirt_sandbox_domain)
++	apache_read_sys_content(svirt_sandbox_domain)
++')
+ 
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-+allow svirt_lxc_domain self:key manage_key_perms;
-+allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid setrlimit };
- allow svirt_lxc_domain self:fifo_file manage_file_perms;
- allow svirt_lxc_domain self:sem create_sem_perms;
- allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1091,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
- allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
- allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
- 
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
 -allow svirt_lxc_domain virtd_lxc_t:fd use;
 -allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
 -allow svirt_lxc_domain virtd_lxc_t:process sigchld;
 -
 -allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
- 
+-
 -allow svirt_lxc_domain virsh_t:fd use;
 -allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
 -allow svirt_lxc_domain virsh_t:process sigchld;
-+allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
-+allow virtd_t svirt_lxc_domain:process { signal_perms getattr };
-+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched setrlimit transition signal_perms };
- 
+-
 -allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
 -allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
-+allow svirt_lxc_domain virtd_lxc_t:process sigchld;
-+allow svirt_lxc_domain virtd_lxc_t:fd use;
-+allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
-+allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
- 
- manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1109,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
-+can_exec(svirt_lxc_domain, svirt_lxc_file_t)
- allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
- allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
- 
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
 -can_exec(svirt_lxc_domain, svirt_lxc_file_t)
 -
- kernel_getattr_proc(svirt_lxc_domain)
- kernel_list_all_proc(svirt_lxc_domain)
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
 -kernel_read_kernel_sysctls(svirt_lxc_domain)
-+kernel_read_all_sysctls(svirt_lxc_domain)
- kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
 -kernel_read_system_state(svirt_lxc_domain)
- kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
- 
- corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1128,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
- files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
- files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
- files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
 -# files_entrypoint_all_files(svirt_lxc_domain)
-+files_entrypoint_all_files(svirt_lxc_domain)
- files_list_var(svirt_lxc_domain)
- files_list_var_lib(svirt_lxc_domain)
- files_search_all(svirt_lxc_domain)
- files_read_config_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
 -files_read_usr_files(svirt_lxc_domain)
- files_read_usr_symlinks(svirt_lxc_domain)
-+files_search_locks(svirt_lxc_domain)
- 
- fs_getattr_all_fs(svirt_lxc_domain)
- fs_list_inotifyfs(svirt_lxc_domain)
-+fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
-+fs_read_fusefs_files(svirt_lxc_net_t)
- 
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
 -# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
 -# fs_rw_inherited_cifs_files(svirt_lxc_domain)
 -# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
 -
-+auth_dontaudit_read_passwd(svirt_lxc_domain)
- auth_dontaudit_read_login_records(svirt_lxc_domain)
- auth_dontaudit_write_login_records(svirt_lxc_domain)
- auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1153,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
- 
- libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
- 
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
 -miscfiles_read_localization(svirt_lxc_domain)
- miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
- miscfiles_read_fonts(svirt_lxc_domain)
-+miscfiles_read_hwdata(svirt_lxc_domain)
-+
-+systemd_read_unit_files(svirt_lxc_domain)
-+
-+userdom_use_inherited_user_terminals(svirt_lxc_domain)
-+userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain)
-+userdom_dontaudit_read_inherited_admin_home_files(svirt_lxc_domain)
-+
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
-+	apache_exec_modules(svirt_lxc_domain)
-+	apache_read_sys_content(svirt_lxc_domain)
++	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+')
- 
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+optional_policy(`
-+	ssh_use_ptys(svirt_lxc_net_t)
++	ssh_use_ptys(svirt_sandbox_domain)
 +')
  
  optional_policy(`
- 	udev_read_pid_files(svirt_lxc_domain)
+-	udev_read_pid_files(svirt_lxc_domain)
++	udev_read_pid_files(svirt_sandbox_domain)
  ')
  
  optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
-+	userhelper_dontaudit_write_config(svirt_lxc_domain)
++	userhelper_dontaudit_write_config(svirt_sandbox_domain)
  ')
  
--########################################
--#
+ ########################################
+ #
 -# Lxc net local policy
--#
-+virt_lxc_domain_template(svirt_lxc_net)
++# svirt_lxc_net_t local policy
+ #
++virt_sandbox_domain_template(svirt_lxc_net)
  
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
 +allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
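Review bot: Several rules that were previously scoped to svirt_lxc_net_t are now granted on the whole svirt_sandbox_domain attribute: `allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;` and the matching `:filesystem getattr`, `fs_read_fusefs_files(svirt_sandbox_domain)` and `ssh_use_ptys(svirt_sandbox_domain)`, plus `getcap getpgid` added to the self:process vector. Because virt_sandbox_domain_template() attaches that attribute to every instantiated sandbox type (svirt_lxc_net_t here, svirt_qemu_net_t in the next hunk), each new template user inherits all of this together with files_entrypoint_all_files and corecmd_exec_all_executables. If the widening is intended, a comment above the attribute block such as `# Rules on svirt_sandbox_domain apply to every type created by virt_sandbox_domain_template(); keep type-specific access (cgroup, networking, capabilities) on the concrete type.` would make the boundary explicit for the next maintainer. The enclosing virt.te sections continue outside this hunk.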
@@ -92450,13 +93815,13 @@ index 1f22fba..cd628f9 100644
 -
  files_read_kernel_modules(svirt_lxc_net_t)
  
-+fs_noxattr_type(svirt_lxc_file_t)
++fs_noxattr_type(svirt_sandbox_file_t)
  fs_mount_cgroup(svirt_lxc_net_t)
  fs_manage_cgroup_dirs(svirt_lxc_net_t)
 -fs_rw_cgroup_files(svirt_lxc_net_t)
 +fs_manage_cgroup_files(svirt_lxc_net_t)
 +
-+term_pty(svirt_lxc_file_t)
++term_pty(svirt_sandbox_file_t)
  
  auth_use_nsswitch(svirt_lxc_net_t)
  
@@ -92469,14 +93834,62 @@ index 1f22fba..cd628f9 100644
 -optional_policy(`
 -	rpm_read_db(svirt_lxc_net_t)
 -')
--
+ 
 -#######################################
--#
++########################################
+ #
 -# Prot exec local policy
--#
--
++# svirt_lxc_net_t local policy
+ #
++virt_sandbox_domain_template(svirt_qemu_net)
++
++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
++dontaudit svirt_qemu_net_t self:capability2 block_suspend;
++allow svirt_qemu_net_t self:process { execstack execmem };
++allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
++allow svirt_qemu_net_t self:udp_socket create_socket_perms;
++allow svirt_qemu_net_t self:tcp_socket create_stream_socket_perms;
++allow svirt_qemu_net_t self:netlink_route_socket create_netlink_socket_perms;
++allow svirt_qemu_net_t self:packet_socket create_socket_perms;
++allow svirt_qemu_net_t self:socket create_socket_perms;
++allow svirt_qemu_net_t self:rawip_socket create_socket_perms;
++allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
 -allow svirt_prot_exec_t self:process { execmem execstack };
--
++kernel_read_network_state(svirt_qemu_net_t)
++kernel_read_irq_sysctls(svirt_qemu_net_t)
++
++dev_read_sysfs(svirt_qemu_net_t)
++dev_getattr_mtrr_dev(svirt_qemu_net_t)
++dev_read_rand(svirt_qemu_net_t)
++dev_read_urand(svirt_qemu_net_t)
++
++corenet_tcp_bind_generic_node(svirt_qemu_net_t)
++corenet_udp_bind_generic_node(svirt_qemu_net_t)
++corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t)
++corenet_udp_sendrecv_all_ports(svirt_qemu_net_t)
++corenet_udp_bind_all_ports(svirt_qemu_net_t)
++corenet_tcp_bind_all_ports(svirt_qemu_net_t)
++corenet_tcp_connect_all_ports(svirt_qemu_net_t)
++
++files_read_kernel_modules(svirt_qemu_net_t)
++
++fs_noxattr_type(svirt_sandbox_file_t)
++fs_mount_cgroup(svirt_qemu_net_t)
++fs_manage_cgroup_dirs(svirt_qemu_net_t)
++fs_manage_cgroup_files(svirt_qemu_net_t)
++
++term_pty(svirt_sandbox_file_t)
++
++auth_use_nsswitch(svirt_qemu_net_t)
++
++rpm_read_db(svirt_qemu_net_t)
++
++logging_send_audit_msgs(svirt_qemu_net_t)
++
++userdom_use_user_ptys(svirt_qemu_net_t)
+ 
  ########################################
  #
 -# Qmf local policy
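Review bot: The header comment above `virt_sandbox_domain_template(svirt_qemu_net)` reads `# svirt_lxc_net_t local policy`, copied from the block above; it should be `# svirt_qemu_net_t local policy`. `rpm_read_db(svirt_qemu_net_t)` is called unconditionally, whereas the svirt_lxc_net_t call this hunk removes was wrapped in optional_policy(`…'); if rpm is an optional module in this build, the bare call breaks the virt module build, so wrapping it the same way is safer. The capability line (sys_admin, sys_ptrace, net_admin, sys_chroot, setuid/setgid, …) together with `execstack execmem` is a verbatim copy of the svirt_lxc_net_t rules; a one-line why-comment stating which of these qemu-in-a-sandbox actually exercises would help later tightening.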
@@ -92491,7 +93904,7 @@ index 1f22fba..cd628f9 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1252,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1318,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -92506,7 +93919,7 @@ index 1f22fba..cd628f9 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1270,8 @@ optional_policy(`
+@@ -1183,9 +1336,8 @@ optional_policy(`
  
  ########################################
  #
@@ -92517,7 +93930,7 @@ index 1f22fba..cd628f9 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1284,121 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1350,120 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -92640,7 +94053,6 @@ index 1f22fba..cd628f9 100644
 +	userdom_transition(virtd_t)
 +	userdom_transition(virtd_lxc_t)
 +')
-+
 diff --git a/vlock.te b/vlock.te
 index 9ead775..b5285e7 100644
 --- a/vlock.te
@@ -93063,10 +94475,20 @@ index 9329eae..824e86f 100644
 -	seutil_use_newrole_fds(vpnc_t)
 -')
 diff --git a/watchdog.te b/watchdog.te
-index 29f79e8..c58abd5 100644
+index 29f79e8..9e403ee 100644
 --- a/watchdog.te
 +++ b/watchdog.te
-@@ -63,7 +63,6 @@ domain_signull_all_domains(watchdog_t)
+@@ -30,7 +30,8 @@ allow watchdog_t self:fifo_file rw_fifo_file_perms;
+ allow watchdog_t self:tcp_socket { accept listen };
+ 
+ allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+-logging_log_filetrans(watchdog_t, watchdog_log_t, file)
++manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
++logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})
+ 
+ manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
+ files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
+@@ -63,7 +64,6 @@ domain_signull_all_domains(watchdog_t)
  domain_signal_all_domains(watchdog_t)
  domain_kill_all_domains(watchdog_t)
  
@@ -93074,7 +94496,7 @@ index 29f79e8..c58abd5 100644
  files_manage_etc_runtime_files(watchdog_t)
  files_etc_filetrans_etc_runtime(watchdog_t, file)
  
-@@ -75,8 +74,6 @@ auth_append_login_records(watchdog_t)
+@@ -75,8 +75,6 @@ auth_append_login_records(watchdog_t)
  
  logging_send_syslog_msg(watchdog_t)
  
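Review bot: The two added lines omit the spaces after commas that every neighbouring rule in watchdog.te uses (`manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)`); write them as `manage_dirs_pattern(watchdog_t, watchdog_log_t, watchdog_log_t)` and `logging_log_filetrans(watchdog_t, watchdog_log_t, { dir file })`. Note that the file rule on watchdog_log_t remains append/create/setattr only while directories now get full manage (including rmdir); if that asymmetry is deliberate, a short comment above the pair saying so would stop the next reader from "fixing" it.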
@@ -93590,7 +95012,7 @@ index 304ae09..c1d10a1 100644
 -/usr/bin/twm	--	gen_context(system_u:object_r:wm_exec_t,s0)
 +/usr/bin/twm		--	gen_context(system_u:object_r:wm_exec_t,s0)
 diff --git a/wm.if b/wm.if
-index 25b702d..177cf16 100644
+index 25b702d..36b2f81 100644
 --- a/wm.if
 +++ b/wm.if
 @@ -1,4 +1,4 @@
@@ -93599,7 +95021,7 @@ index 25b702d..177cf16 100644
  
  #######################################
  ## <summary>
-@@ -29,58 +29,44 @@
+@@ -29,54 +29,46 @@
  #
  template(`wm_role_template',`
  	gen_require(`
@@ -93650,6 +95072,8 @@ index 25b702d..177cf16 100644
 +
 +	kernel_read_system_state($1_wm_t)
 +
++	auth_use_nsswitch($1_wm_t)
++
  	mls_file_read_all_levels($1_wm_t)
  	mls_file_write_all_levels($1_wm_t)
  	mls_xwin_read_all_levels($1_wm_t)
@@ -93667,14 +95091,10 @@ index 25b702d..177cf16 100644
 -		')
 -	')
 -
--	optional_policy(`
--		pulseaudio_run($1_wm_t, $2)
--	')
--
  	optional_policy(`
- 		xserver_role($2, $1_wm_t)
- 		xserver_manage_core_devices($1_wm_t)
-@@ -89,7 +75,7 @@ template(`wm_role_template',`
+ 		pulseaudio_run($1_wm_t, $2)
+ 	')
+@@ -89,7 +81,7 @@ template(`wm_role_template',`
  
  ########################################
  ## <summary>
@@ -93683,7 +95103,7 @@ index 25b702d..177cf16 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -102,33 +88,5 @@ interface(`wm_exec',`
+@@ -102,33 +94,5 @@ interface(`wm_exec',`
  		type wm_exec_t;
  	')
  
@@ -93718,10 +95138,10 @@ index 25b702d..177cf16 100644
 -	allow $1_wm_t $2:dbus send_msg;
 -')
 diff --git a/wm.te b/wm.te
-index 7c7f7fa..dfeac3e 100644
+index 7c7f7fa..20ce90b 100644
 --- a/wm.te
 +++ b/wm.te
-@@ -1,36 +1,40 @@
+@@ -1,36 +1,88 @@
 -policy_module(wm, 1.2.5)
 +policy_module(wm, 1.2.0)
 +
@@ -93743,28 +95163,75 @@ index 7c7f7fa..dfeac3e 100644
 +corecmd_executable_file(wm_exec_t)
  
  allow wm_domain self:fifo_file rw_fifo_file_perms;
- allow wm_domain self:process getsched;
+-allow wm_domain self:process getsched;
++allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
++allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
++
  allow wm_domain self:shm create_shm_perms;
  allow wm_domain self:unix_dgram_socket create_socket_perms;
  
 -kernel_read_system_state(wm_domain)
 -
  dev_read_urand(wm_domain)
- 
--files_read_usr_files(wm_domain)
++dev_read_sound(wm_domain)
++dev_write_sound(wm_domain)
++dev_rw_wireless(wm_domain)
++dev_read_sysfs(wm_domain)
 +
-+fs_getattr_tmpfs(wm_domain)
++fs_getattr_all_fs(wm_domain)
 +
++corecmd_dontaudit_access_all_executables(wm_domain)
++corecmd_getattr_all_executables(wm_domain)
+ 
+-files_read_usr_files(wm_domain)
 +application_signull(wm_domain)
++
++init_read_state(wm_domain)
  
  miscfiles_read_fonts(wm_domain)
 -miscfiles_read_localization(wm_domain)
  
 -userdom_manage_user_tmp_sockets(wm_domain)
 -userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
++systemd_dbus_chat_logind(wm_domain)
++systemd_read_logind_sessions_files(wm_domain)
++systemd_write_inhibit_pipes(wm_domain)
++systemd_login_read_pid_files(wm_domain)
++
++userdom_read_user_home_content_files(wm_domain)
++
++udev_read_pid_files(wm_domain)
++
++optional_policy(`
++	gnome_stream_connect_gkeyringd(wm_domain)
++')
++
 +optional_policy(`
 +	dbus_system_bus_client(wm_domain)
 +	dbus_session_bus_client(wm_domain)
++	optional_policy(`
++		accountsd_dbus_chat(wm_domain)
++	')
++	
++	optional_policy(`
++		bluetooth_dbus_chat(wm_domain)
++	')		
++
++	optional_policy(`
++		devicekit_dbus_chat_power(wm_domain)
++	')
++
++	optional_policy(`
++		networkmanager_dbus_chat(wm_domain)
++	')
++
++	optional_policy(`
++		policykit_dbus_chat(wm_domain)
++	')
++
++	optional_policy(`
++		systemd_dbus_chat_logind(wm_domain)
++	')
 +')
 +
 +optional_policy(`
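Review bot: `systemd_dbus_chat_logind(wm_domain)` is granted twice — unconditionally near the top of the added block and again inside the nested optional_policy under dbus_system_bus_client; drop one, most plausibly the unconditional copy, since logind chat only makes sense alongside the dbus client rules. Two added lines carry trailing whitespace (the blank line after `accountsd_dbus_chat` and the `')` after `bluetooth_dbus_chat`). `execmem` on self:process and `dev_rw_wireless(wm_domain)` now apply to every window manager carrying the wm_domain attribute; a why-comment naming the WM and the denial that required them would make later tightening possible.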
@@ -93772,13 +95239,15 @@ index 7c7f7fa..dfeac3e 100644
 +')
 +
 +optional_policy(`
-+	xserver_manage_core_devices(wm_domain)
++	userhelper_exec_console(wm_domain)
 +')
-+
  
 -userdom_manage_user_home_content_dirs(wm_domain)
 -userdom_manage_user_home_content_files(wm_domain)
 -userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
++optional_policy(`
++	xserver_manage_core_devices(wm_domain)
++')
 diff --git a/xen.fc b/xen.fc
 index 42d83b0..7977c2c 100644
 --- a/xen.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1d7d795..609d27e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 70%{?dist}
+Release: 76%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -69,6 +69,33 @@ SELinux Base package
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
 %ghost %{_sysconfdir}/sysconfig/selinux
 %{_usr}/lib/tmpfiles.d/selinux-policy.conf
+%{_rpmconfigdir}/macros.d/selinux-policy.macros
+
+%package sandbox
+Summary: SELinux policy sandbox
+Group: System Environment/Base
+Requires(pre): selinux-policy-base = %{version}-%{release}
+
+%description sandbox
+SELinux sandbox policy used for the policycoreutils-sandbox package
+
+%files sandbox
+%defattr(-,root,root,-)
+%verify(not md5 size mtime) /usr/share/selinux/packages/sandbox.pp
+
+%post sandbox
+rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
+semodule -n -i /usr/share/selinux/packages/sandbox.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+fi;
+exit 0
+
+%preun sandbox
+semodule -n -d sandbox 2>/dev/null
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+fi;exit 0
 
 %package devel
 Summary: SELinux policy devel
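Review bot: `%preun sandbox` disables the module on every invocation, but during an upgrade rpm runs the new package's %post before the old package's %preun, so upgrading selinux-policy-sandbox would end with the freshly installed module disabled; guard the body with `if [ $1 -eq 0 ]; then … fi` so it only runs on final removal. In `%post sandbox` the result of `semodule -n -i /usr/share/selinux/packages/sandbox.pp` is discarded and the scriptlet unconditionally exits 0, so a failed install is silent — at minimum report it, e.g. `semodule -n -i /usr/share/selinux/packages/sandbox.pp || echo "selinux-policy-sandbox: semodule failed" >&2`. Also note the `rm -f` spans every store under `/etc/selinux/*` while `semodule -n -i` installs into the default store only; presumably intentional, but a comment would confirm it.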
@@ -157,7 +184,8 @@ bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp  > %{buildroot}/%{_syscon
 rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp  \
 for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
 rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp*  \
-touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.pp.disabled \
+mkdir -p %{buildroot}%{_usr}/share/selinux/packages \
+mv %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.pp %{buildroot}/usr/share/selinux/packages \
 /usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
 /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
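Review bot: The `mv` destination hard-codes `/usr/share/selinux/packages` while the `mkdir -p` on the line before uses `%{_usr}/share/selinux/packages`; use `%{_usr}` in both. This macro is parametrized by the policy type `%1`, so if it is expanded for more than one type each expansion moves its own sandbox.pp onto the same destination path and the packaged file is whichever type was built last — if only one build's module is meant to be shipped, a comment saying so would prevent a surprise when the per-type module contents diverge.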
@@ -187,7 +215,6 @@ rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/users_extra \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/*.pp \
-%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.pp.disabled \
 %ghost %{_sysconfdir}/selinux/%1/modules/active/*.local \
 %ghost %{_sysconfdir}/selinux/%1/modules/active/*.bin \
 %ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
@@ -236,7 +263,7 @@ fi; \
 if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
     continue; \
 fi; \
-if /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null;then \
+if /sbin/restorecon -R /home/*/.config 2> /dev/null;then \
     continue; \
 fi;
 
@@ -263,8 +290,6 @@ if [ -e /etc/selinux/%2/.rebuild ]; then \
    rm /etc/selinux/%2/.rebuild; \
    (cd /etc/selinux/%2/modules/active/modules; rm -f l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
    /usr/sbin/semodule -B -n -s %2; \
-else \
-    touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \
 fi; \
 [ "${SELINUXTYPE}" == "%2" ] && selinuxenabled && load_policy; \
 if [ %1 -eq 1 ]; then \
@@ -360,7 +385,9 @@ mkdir %{buildroot}%{_usr}/share/selinux/devel/html
 htmldir=`compgen -d %{buildroot}%{_usr}/share/man/man8/`
 mv ${htmldir}/* %{buildroot}%{_usr}/share/selinux/devel/html
 rm -rf ${htmldir}
-mkdir %{buildroot}%{_usr}/share/selinux/packages/
+
+mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
+echo '%%_selinux_policy_version %{version}-%{release}' > %{buildroot}%{_rpmconfigdir}/macros.d/selinux-policy.macros
 
 rm -rf selinux_config
 %clean
@@ -438,7 +465,11 @@ exit 0
 selinuxenabled && semodule -nB
 exit 0
 
-%triggerpostun targeted -- selinux-policy-targeted < 3.12.1-7.fc19
+%triggerpostun -- selinux-policy-targeted < 3.12.1-74
+rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
+exit 0
+
+%triggerpostun targeted -- selinux-policy-targeted < 3.12.1-75
 restorecon -R -p /home
 exit 0
 
@@ -538,6 +569,117 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Sep 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-76
+- Cleanup related to init_domain()+inetd_domain fixes
+- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
+- svirt domains neeed to create kobject_uevint_sockets
+- Lots of new access required for sosreport
+- Allow tgtd_t to connect to isns ports
+- Allow init_t to transition to all inetd domains:
+- openct needs to be able to create netlink_object_uevent_sockets
+- Dontaudit leaks into ldconfig_t
+- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
+- Move kernel_stream_connect into all Xwindow using users
+- Dontaudit inherited lock files in ifconfig o dhcpc_t
+
+* Tue Sep 3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-75
+- Also sock_file trans rule is needed in lsm
+- Fix labeling for fetchmail pid files/dirs
+- Add additional fixes for abrt-upload-watch
+- Fix polipo.te
+- Fix transition rules in asterisk policy
+- Add fowner capability to networkmanager policy
+- Allow polipo to connect to tor ports
+- Cleanup lsmd.if
+- Cleanup openhpid policy
+- Fix kdump_read_crash() interface
+- Make more domains as init domain
+- Fix cupsd.te
+- Fix requires in rpm_rw_script_inherited_pipes
+- Fix interfaces in lsm.if
+- Allow munin service plugins to manage own tmpfs files/dirs
+- Allow virtd_t also relabel unix stream sockets for virt_image_type
+- Make ktalk as init domain
+- Fix to define ktalkd_unit_file_t correctly
+- Fix ktalk.fc
+- Add systemd support for talk-server
+- Allow glusterd to create sock_file in /run
+- Allow xdm_t to delete gkeyringd_tmp_t files on logout
+- Add fixes for hypervkvp policy
+- Add logwatch_can_sendmail boolean
+- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
+- Allow xdm_t to delete gkeyringd_tmp_t files on logout
+
+* Thu Aug 29 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74
+- Add selinux-policy-sandbox pkg
+
+* Tue Aug 27 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-73
+0 
+- Allow rhsmcertd to read init state
+- Allow fsetid for pkcsslotd
+- Fix labeling for /usr/lib/systemd/system/pkcsslotd.service
+- Allow fetchmail to create own pid with correct labeling
+- Fix rhcs_domain_template()
+- Allow roles which can run mock to read mock lib files to view results
+- Allow rpcbind to use nsswitch
+- Fix lsm.if summary
+- Fix collectd_t can read /etc/passwd file
+- Label systemd unit files under dracut correctly
+- Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh
+- Add support for .Xauthority-n
+- Label umount.crypt as lvm_exec_t
+- Allow syslogd to search psad lib files
+- Allow ssh_t to use /dev/ptmx
+- Make sure /run/pluto dir is created with correct labeling
+- Allow syslog to run shell and bin_t commands
+- Allow ip to relabel tun_sockets
+- Allow mount to create directories in files under /run
+- Allow processes to use inherited fifo files
+
+* Fri Aug 23 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-72
+- Add policy for lsmd
+- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
+- Update condor_master rules to allow read system state info and allow logging
+- Add labeling for /etc/condor and allow condor domain to write it (bug)
+- Allow condor domains to manage own logs
+- Allow glusterd to read domains state
+- Fix initial hypervkvp policy
+- Add policy for hypervkvpd
+- Fix redis.if summary
+
+* Wed Aug 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-71
+- Allow boinc to connect to  @/tmp/.X11-unix/X0
+- Allow beam.smp to connect to tcp/5984
+- Allow named to manage own log files
+- Add label for /usr/libexec/dcc/start-dccifd  and domtrans to dccifd_t
+- Add virt_transition_userdomain boolean decl
+- Allow httpd_t to sendto unix_dgram sockets on its children
+- Allow nova domains to execute ifconfig
+- bluetooth wants to create fifo_files in /tmp
+- exim needs to be able to manage mailman data
+- Allow sysstat to getattr on all file systems
+- Looks like bluetoothd has moved
+- Allow collectd to send ping packets
+- Allow svirt_lxc domains to getpgid
+- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff
+- Allow frpintd_t to read /dev/urandom
+- Allow asterisk_t to create sock_file in /var/run
+- Allow usbmuxd to use netlink_kobject
+- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket
+- More cleanup of svirt_lxc policy
+- virtd_lxc_t now talks to dbus
+- Dontaudit leaked ptmx_t
+- Allow processes to use inherited fifo files
+- Allow openvpn_t to connect to squid ports
+- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert()
+- Allow ssh_t to use /dev/ptmx
+- Make sure /run/pluto dir is created with correct labeling
+- Allow syslog to run shell and bin_t commands
+- Allow ip to relabel tun_sockets
+- Allow mount to create directories in files under /run
+- Allow processes to use inherited fifo files
+- Allow user roles to connect to the journal socket
+
 * Thu Aug 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-70
 - selinux_set_enforce_mode needs to be used with type
 - Add append to the dontaudit for unix_stream_socket of xdm_t leak
@@ -546,7 +688,7 @@ SELinux Reference policy mls base module.
 - Label 10933 as a pop port, for dovecot
 - New policy to allow selinux_server.py to run as semanage_t as a dbus service
 - Add fixes to make netlabelctl working on MLS
-- AVC's required for running sepolicy gui as staff_t
+- AVCs required for running sepolicy gui as staff_t
 - Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC
 - New dbus server to be used with new gui
 - After modifying some files in /etc/mail, I saw this needed on the next boot

