[selinux-policy/f20] - Fix labeling for /usr/libexec/kde4/kcmdatetimehelper - Allow tuned to search all file system direc

Miroslav Grepl mgrepl at fedoraproject.org
Mon Sep 30 16:07:00 UTC 2013


commit 034b0e7ac5172e1cfd7a8ea176c3d5de9a15e7dc
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Sep 30 18:06:46 2013 +0200

    - Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
    - Allow tuned to search all file system directories
    - Allow alsa_t to sys_nice, to get top performance for sound management
    - Add support for MySQL/PostgreSQL for amavis
    - Allow openvpn_t to manage openvpn_var_log_t files.
    - Allow dirsrv_t to create tmpfs_t directories
    - Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label
    - Dontaudit leaked unix_stream_sockets into gnome keyring
    - Allow telepathy domains to inhibit pipes on telepathy domains
    - Allow cloud-init to domtrans to rpm
    - Allow abrt daemon to manage abrt-watch tmp files
    - Allow abrt-upload-watcher to search /var/spool directory
    - Allow nsswitch domains to manage own process key
    - Fix labeling for mgetty.* logs
    - Allow systemd to dbus chat with upower
    - Allow ipsec to send signull to itself
    - Allow setgid cap for ipsec_t
    - Match upstream labeling

 policy-rawhide-base.patch    | 1083 ++++++++++++++++++++++--------------------
 policy-rawhide-contrib.patch |  289 +++++++-----
 selinux-policy.spec          |   22 +-
 3 files changed, 752 insertions(+), 642 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index cde283c..ad31282 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -9412,7 +9412,7 @@ index c2c6e05..be423a7 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..3e91f7d 100644
+index 64ff4d7..27c051d 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10075,7 +10075,32 @@ index 64ff4d7..3e91f7d 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2627,6 +3026,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2163,6 +2562,24 @@ interface(`files_relabelfrom_boot_files',`
+ 	relabelfrom_files_pattern($1, boot_t, boot_t)
+ ')
+ 
++########################################
++## <summary>
++##	Relabel to files in the /boot directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabelto_boot_files',`
++	gen_require(`
++		type boot_t;
++	')
++
++	relabelto_files_pattern($1, boot_t, boot_t)
++')
++
+ ######################################
+ ## <summary>
+ ##	Read symbolic links in the /boot directory.
+@@ -2627,6 +3044,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
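Review bot: The new `files_relabelto_boot_files` interface grants only `relabelto` on `boot_t` files, so a caller that needs to change the label of an existing /boot file must also be given `files_relabelfrom_boot_files` (visible just above it in the hunk); the summary should say so to avoid half-grants. Suggested summary text: `## Relabel files to boot_t (relabelto only; pair with files_relabelfrom_boot_files to change an existing label).` Since `boot_t` labels the contents of /boot, where the kernel and initramfs normally live, this interface effectively lets a domain make a file it already controls look like boot content, so it should be granted per-domain rather than through a broad attribute; a one-line warning in the summary would help policy authors.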
@@ -10100,7 +10125,7 @@ index 64ff4d7..3e91f7d 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2698,6 +3115,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3133,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10108,7 +10133,7 @@ index 64ff4d7..3e91f7d 100644
  ')
  
  ########################################
-@@ -2706,7 +3124,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3142,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10117,7 +10142,7 @@ index 64ff4d7..3e91f7d 100644
  ##	</summary>
  ## </param>
  #
-@@ -2762,6 +3180,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3198,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -10143,7 +10168,7 @@ index 64ff4d7..3e91f7d 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2780,6 +3217,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3235,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -10168,7 +10193,7 @@ index 64ff4d7..3e91f7d 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2945,24 +3400,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3418,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -10193,7 +10218,7 @@ index 64ff4d7..3e91f7d 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3003,9 +3440,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3458,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10204,7 +10229,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3013,18 +3448,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3466,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -10226,7 +10251,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3042,6 +3476,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3494,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10253,7 +10278,7 @@ index 64ff4d7..3e91f7d 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3059,6 +3513,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3531,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10261,7 +10286,7 @@ index 64ff4d7..3e91f7d 100644
  ')
  
  ########################################
-@@ -3080,6 +3535,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3553,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10269,7 +10294,7 @@ index 64ff4d7..3e91f7d 100644
  ')
  
  ########################################
-@@ -3132,6 +3588,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3606,25 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -10295,7 +10320,7 @@ index 64ff4d7..3e91f7d 100644
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3208,6 +3683,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3701,25 @@ interface(`files_delete_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -10321,7 +10346,7 @@ index 64ff4d7..3e91f7d 100644
  ##	Create, read, write, and delete directories
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3455,6 +3949,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3967,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
@@ -10347,7 +10372,7 @@ index 64ff4d7..3e91f7d 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3796,20 +4309,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4327,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -10391,7 +10416,7 @@ index 64ff4d7..3e91f7d 100644
  ')
  
  ########################################
-@@ -4199,52 +4730,219 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,14 +4748,141 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -10405,45 +10430,32 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
 -## <param name="file_type">
 -##	<summary>
--##	Type of the file to associate.
--##	</summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
--interface(`files_associate_tmp',`
--	gen_require(`
--		type tmp_t;
--	')
++## </param>
++#
 +interface(`files_read_system_conf_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
- 
--	allow $1 tmp_t:filesystem associate;
++
 +    allow $1 etc_t:dir list_dir_perms;
 +    read_files_pattern($1, etc_t, system_conf_t)
 +    read_lnk_files_pattern($1, etc_t, system_conf_t)
- ')
- 
--########################################
++')
++
 +######################################
- ## <summary>
--##	Get the	attributes of the tmp directory (/tmp).
++## <summary>
 +##  Manage manageable system configuration files in /etc.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
++## </summary>
++## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
--interface(`files_getattr_tmp_dirs',`
++## </param>
++#
 +interface(`files_manage_system_conf_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
@@ -10549,20 +10561,13 @@ index 64ff4d7..3e91f7d 100644
 +## </summary>
 +## <param name="file_type">
 +##	<summary>
-+##	Type of the file to associate.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_associate_tmp',`
-+	gen_require(`
-+		type tmp_t;
-+	')
-+
-+	allow $1 tmp_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
+ ##	Type of the file to associate.
+ ##	</summary>
+ ## </param>
+@@ -4221,6 +4897,26 @@ interface(`files_associate_tmp',`
+ 
+ ########################################
+ ## <summary>
 +##	Allow the specified type to associate
 +##	to a filesystem with the type of the
 +##	/ file system
@@ -10583,16 +10588,10 @@ index 64ff4d7..3e91f7d 100644
 +
 +########################################
 +## <summary>
-+##	Get the	attributes of the tmp directory (/tmp).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_getattr_tmp_dirs',`
- 	gen_require(`
+ ##	Get the	attributes of the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+@@ -4234,17 +4930,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -10631,7 +10630,7 @@ index 64ff4d7..3e91f7d 100644
  ##	</summary>
  ## </param>
  #
-@@ -4271,6 +4969,7 @@ interface(`files_search_tmp',`
+@@ -4271,6 +4987,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -10639,7 +10638,7 @@ index 64ff4d7..3e91f7d 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4307,6 +5006,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +5024,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -10647,7 +10646,7 @@ index 64ff4d7..3e91f7d 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4316,7 +5016,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +5034,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10656,7 +10655,7 @@ index 64ff4d7..3e91f7d 100644
  ##	</summary>
  ## </param>
  #
-@@ -4328,6 +5028,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +5046,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -10682,7 +10681,7 @@ index 64ff4d7..3e91f7d 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4343,6 +5062,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +5080,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -10690,7 +10689,7 @@ index 64ff4d7..3e91f7d 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4384,6 +5104,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,6 +5122,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -10723,7 +10722,7 @@ index 64ff4d7..3e91f7d 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4438,6 +5184,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4438,6 +5202,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -10766,7 +10765,7 @@ index 64ff4d7..3e91f7d 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4456,6 +5238,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4456,6 +5256,60 @@ interface(`files_setattr_all_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -10827,7 +10826,7 @@ index 64ff4d7..3e91f7d 100644
  ##	List all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4501,7 +5337,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4501,7 +5355,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10836,7 +10835,7 @@ index 64ff4d7..3e91f7d 100644
  ##	</summary>
  ## </param>
  #
-@@ -4561,7 +5397,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4561,7 +5415,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10845,7 +10844,7 @@ index 64ff4d7..3e91f7d 100644
  ##	</summary>
  ## </param>
  #
-@@ -4593,6 +5429,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4593,6 +5447,44 @@ interface(`files_read_all_tmp_files',`
  
  ########################################
  ## <summary>
@@ -10890,7 +10889,7 @@ index 64ff4d7..3e91f7d 100644
  ##	Create an object in the tmp directories, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -4646,6 +5520,16 @@ interface(`files_purge_tmp',`
+@@ -4646,6 +5538,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -10907,55 +10906,67 @@ index 64ff4d7..3e91f7d 100644
  ')
  
  ########################################
-@@ -5223,26 +6107,26 @@ interface(`files_list_var',`
+@@ -5223,6 +6125,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete directories
--##	in the /var directory.
 +##	Do not audit listing of the var directory (/var).
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_var_dirs',`
++##	</summary>
++## </param>
++#
 +interface(`files_dontaudit_list_var',`
- 	gen_require(`
- 		type var_t;
- 	')
- 
--	allow $1 var_t:dir manage_dir_perms;
++	gen_require(`
++		type var_t;
++	')
++
 +	dontaudit $1 var_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete directories
+ ##	in the /var directory.
+ ## </summary>
+@@ -5578,13 +6498,10 @@ interface(`files_read_var_lib_symlinks',`
+ 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
+-# cjp: the next two interfaces really need to be fixed
+-# in some way.  They really neeed their own types.
+-
  ########################################
  ## <summary>
--##	Read files in the /var directory.
-+##	Create, read, write, and delete directories
-+##	in the /var directory.
+-##	Create, read, write, and delete the
+-##	pseudorandom number generator seed.
++##	manage generic symbolic links
++##	in the /var/lib directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5250,7 +6134,25 @@ interface(`files_manage_var_dirs',`
+@@ -5592,7 +6509,29 @@ interface(`files_read_var_lib_symlinks',`
  ##	</summary>
  ## </param>
  #
--interface(`files_read_var_files',`
-+interface(`files_manage_var_dirs',`
+-interface(`files_manage_urandom_seed',`
++interface(`files_manage_var_lib_symlinks',`
 +	gen_require(`
-+		type var_t;
++		type var_lib_t;
 +	')
 +
-+	allow $1 var_t:dir manage_dir_perms;
++	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
 +')
 +
++# cjp: the next two interfaces really need to be fixed
++# in some way.  They really neeed their own types.
++
 +########################################
 +## <summary>
-+##	Read files in the /var directory.
++##	Create, read, write, and delete the
++##	pseudorandom number generator seed.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
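Review bot: `manage_lnk_files_pattern($1,var_lib_t,var_lib_t)` in the relocated `files_manage_var_lib_symlinks` drops the spaces after commas that every neighbouring call uses (e.g. `read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)` earlier in the hunk); it should read `manage_lnk_files_pattern($1, var_lib_t, var_lib_t)`. The summary also starts lowercase (`##	manage generic symbolic links`) unlike the other interfaces; `##	Manage generic symbolic links`. Because this grants create/rename/unlink of symlinks directly in generic `var_lib_t` directories, a shared location, it is a symlink-attack primitive for any domain that receives it, and a sentence saying so in the summary would steer authors toward a private type instead. The body of `files_manage_urandom_seed` continues outside the hunk.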
@@ -10963,37 +10974,11 @@ index 64ff4d7..3e91f7d 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_read_var_files',`
++interface(`files_manage_urandom_seed',`
  	gen_require(`
- 		type var_t;
+ 		type var_t, var_lib_t;
  	')
-@@ -5578,6 +6480,25 @@ interface(`files_read_var_lib_symlinks',`
- 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
- 
-+########################################
-+## <summary>
-+##	manage generic symbolic links
-+##	in the /var/lib directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_manage_var_lib_symlinks',`
-+	gen_require(`
-+		type var_lib_t;
-+	')
-+
-+	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
- # cjp: the next two interfaces really need to be fixed
- # in some way.  They really neeed their own types.
- 
-@@ -5623,7 +6544,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6562,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -11002,7 +10987,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6552,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6570,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -11018,7 +11003,7 @@ index 64ff4d7..3e91f7d 100644
  ')
  
  ########################################
-@@ -5654,6 +6576,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6594,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11026,7 +11011,7 @@ index 64ff4d7..3e91f7d 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5680,7 +6603,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6621,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -11054,7 +11039,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,13 +6630,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6648,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11071,7 +11056,7 @@ index 64ff4d7..3e91f7d 100644
  ')
  
  ########################################
-@@ -5713,7 +6654,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6672,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -11080,7 +11065,7 @@ index 64ff4d7..3e91f7d 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5746,7 +6687,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6705,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -11088,7 +11073,7 @@ index 64ff4d7..3e91f7d 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5761,7 +6701,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5761,7 +6719,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -11097,7 +11082,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5769,13 +6709,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,13 +6727,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11132,7 +11117,7 @@ index 64ff4d7..3e91f7d 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5791,13 +6751,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6769,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -11150,7 +11135,7 @@ index 64ff4d7..3e91f7d 100644
  ')
  
  ########################################
-@@ -5816,9 +6775,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6793,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11161,7 +11146,7 @@ index 64ff4d7..3e91f7d 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5860,8 +6817,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6835,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11171,7 +11156,7 @@ index 64ff4d7..3e91f7d 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6839,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6857,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11181,7 +11166,7 @@ index 64ff4d7..3e91f7d 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6876,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +6894,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -11191,7 +11176,7 @@ index 64ff4d7..3e91f7d 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5961,7 +6915,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +6933,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -11200,7 +11185,7 @@ index 64ff4d7..3e91f7d 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5981,10 +6935,48 @@ interface(`files_search_pids',`
+@@ -5981,10 +6953,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11249,7 +11234,7 @@ index 64ff4d7..3e91f7d 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6007,6 +6999,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +7017,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -11275,7 +11260,7 @@ index 64ff4d7..3e91f7d 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6021,7 +7032,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7050,7 @@ interface(`files_list_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11284,7 +11269,7 @@ index 64ff4d7..3e91f7d 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  ')
  
-@@ -6040,7 +7051,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7069,7 @@ interface(`files_read_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11293,7 +11278,7 @@ index 64ff4d7..3e91f7d 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6060,7 +7071,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7089,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
@@ -11302,7 +11287,7 @@ index 64ff4d7..3e91f7d 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6122,7 +7133,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7151,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -11310,7 +11295,7 @@ index 64ff4d7..3e91f7d 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6151,6 +7161,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6151,6 +7179,24 @@ interface(`files_pid_filetrans_lock_dir',`
  
  ########################################
  ## <summary>
@@ -11335,7 +11320,7 @@ index 64ff4d7..3e91f7d 100644
  ##	Read and write generic process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6164,7 +7192,7 @@ interface(`files_rw_generic_pids',`
+@@ -6164,7 +7210,7 @@ interface(`files_rw_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11344,7 +11329,7 @@ index 64ff4d7..3e91f7d 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	rw_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6231,55 +7259,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +7277,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -11407,7 +11392,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6287,42 +7303,35 @@ interface(`files_delete_all_pids',`
+@@ -6287,42 +7321,35 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -11457,7 +11442,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6330,18 +7339,18 @@ interface(`files_manage_all_pids',`
+@@ -6330,18 +7357,18 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -11481,7 +11466,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6349,37 +7358,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6349,37 +7376,40 @@ interface(`files_mounton_all_poly_members',`
  ##	</summary>
  ## </param>
  #
@@ -11533,7 +11518,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6387,18 +7399,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6387,18 +7417,17 @@ interface(`files_dontaudit_search_spool',`
  ##	</summary>
  ## </param>
  #
@@ -11556,7 +11541,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6406,18 +7417,18 @@ interface(`files_list_spool',`
+@@ -6406,18 +7435,18 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -11580,7 +11565,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6425,19 +7436,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6425,19 +7454,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11605,7 +11590,7 @@ index 64ff4d7..3e91f7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6445,45 +7455,312 @@ interface(`files_read_generic_spool',`
+@@ -6445,55 +7473,43 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -11656,27 +11641,31 @@ index 64ff4d7..3e91f7d 100644
 -		type var_t, var_spool_t;
 +		attribute pidfile;
 +		type var_t, var_run_t;
-+	')
-+
+ 	')
+ 
 +	files_search_pids($1)
-+	allow $1 var_t:dir search_dir_perms;
+ 	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 +	allow $1 var_run_t:dir rmdir;
 +	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
 +	delete_files_pattern($1, pidfile, pidfile)
 +	delete_fifo_files_pattern($1, pidfile, pidfile)
 +	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow access to manage all polyinstantiated
+-##	directories on the system.
 +##	Delete all process ID directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6501,7 +7517,286 @@ interface(`files_spool_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_polyinstantiate_all',`
 +interface(`files_delete_all_pid_dirs',`
 +	gen_require(`
 +		attribute pidfile;
@@ -11939,10 +11928,28 @@ index 64ff4d7..3e91f7d 100644
 +interface(`files_spool_filetrans',`
 +	gen_require(`
 +		type var_t, var_spool_t;
- 	')
- 
- 	allow $1 var_t:dir search_dir_perms;
-@@ -6562,3 +7839,491 @@ interface(`files_unconfined',`
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_spool_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++##	Allow access to manage all polyinstantiated
++##	directories on the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_polyinstantiate_all',`
+ 	gen_require(`
+ 		attribute polydir, polymember, polyparent;
+ 		type poly_t;
+@@ -6562,3 +7857,491 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -19743,7 +19750,7 @@ index 346d011..3e23acb 100644
 +	')
 +')
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 76d9f66..2f4eb80 100644
+index 76d9f66..7d17a7e 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
 @@ -1,16 +1,38 @@
@@ -19771,7 +19778,6 @@ index 76d9f66..2f4eb80 100644
  /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
  /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
  /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
-+/usr/bin/sshd-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
  
  /usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 +/usr/lib/systemd/system/sshd.*	--	gen_context(system_u:object_r:sshd_unit_file_t,s0)
@@ -19780,6 +19786,7 @@ index 76d9f66..2f4eb80 100644
  /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
  
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
++/usr/sbin/sshd-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 +/usr/sbin/gsisshd		--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
@@ -20487,7 +20494,7 @@ index fe0c682..225aaa7 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..337d97e 100644
+index 5fc0391..f4d7e57 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -20902,7 +20909,7 @@ index 5fc0391..337d97e 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -294,19 +422,26 @@ optional_policy(`
+@@ -294,19 +422,29 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -20923,6 +20930,9 @@ index 5fc0391..337d97e 100644
 +kernel_read_system_state(ssh_keygen_t)
  kernel_read_kernel_sysctls(ssh_keygen_t)
  
++corecmd_exec_shell(ssh_keygen_t)
++corecmd_exec_bin(ssh_keygen_t)
++
  fs_search_auto_mountpoints(ssh_keygen_t)
  
  dev_read_sysfs(ssh_keygen_t)
@@ -20930,7 +20940,7 @@ index 5fc0391..337d97e 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +458,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +461,12 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -20943,7 +20953,7 @@ index 5fc0391..337d97e 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +472,138 @@ optional_policy(`
+@@ -331,3 +475,138 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -21083,7 +21093,7 @@ index 5fc0391..337d97e 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..8f50bb9 100644
+index d1f64a0..9a5dab5 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -21163,13 +21173,16 @@ index d1f64a0..8f50bb9 100644
  # /usr
  #
  
-+/usr/sbin/mdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/(s)?bin/gdm(3)?	--      gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/(s)?bin/lightdm*	--	gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/(s)?bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/gdm(3)?	--      gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
 -/usr/(s)?bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/(s)?bin/[mxgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/sbin/mdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/gdm3?	--      gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/lightdm*	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/[mxgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
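Review bot: In `+/usr/s?bin/lightdm*` the `*` quantifier binds only to the final `m`, so the entry matches `lightd`, `lightdm`, `lightdmm`, ... but not helper names such as `lightdm-session`; if helpers are meant it should be `/usr/s?bin/lightdm.*`, and if only the daemon binary is meant the trailing `*` should be dropped. The `(s)?` to `s?` and `gdm(3)?` to `gdm3?` rewrites on the surrounding lines are equivalent and fine.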
@@ -25321,7 +25334,7 @@ index 3efd5b6..362b3af 100644
 +')
 +
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..f263075 100644
+index 104037e..742b073 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -25554,7 +25567,7 @@ index 104037e..f263075 100644
  # Allow utemper to write to /tmp/.xses-*
  userdom_write_user_tmp_files(utempter_t)
  
-@@ -397,19 +419,27 @@ ifdef(`distro_ubuntu',`
+@@ -397,19 +419,29 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -25581,12 +25594,14 @@ index 104037e..f263075 100644
  # nsswitch_domain local policy
  #
  
++allow nsswitch_domain self:key manage_key_perms;
++
 +auth_read_passwd(nsswitch_domain)
 +
  files_list_var_lib(nsswitch_domain)
  
  # read /etc/nsswitch.conf
-@@ -417,15 +447,21 @@ files_read_etc_files(nsswitch_domain)
+@@ -417,15 +449,21 @@ files_read_etc_files(nsswitch_domain)
  
  sysnet_dns_name_resolve(nsswitch_domain)
  
@@ -25610,7 +25625,7 @@ index 104037e..f263075 100644
  		ldap_stream_connect(nsswitch_domain)
  	')
  ')
-@@ -438,6 +474,7 @@ optional_policy(`
+@@ -438,6 +476,7 @@ optional_policy(`
  	likewise_stream_connect_lsassd(nsswitch_domain)
  ')
  
@@ -25618,7 +25633,7 @@ index 104037e..f263075 100644
  optional_policy(`
  	kerberos_use(nsswitch_domain)
  ')
-@@ -456,6 +493,8 @@ optional_policy(`
+@@ -456,6 +495,8 @@ optional_policy(`
  
  optional_policy(`
  	sssd_stream_connect(nsswitch_domain)
@@ -25627,7 +25642,7 @@ index 104037e..f263075 100644
  ')
  
  optional_policy(`
-@@ -463,3 +502,133 @@ optional_policy(`
+@@ -463,3 +504,133 @@ optional_policy(`
  	samba_read_var_files(nsswitch_domain)
  	samba_dontaudit_write_var_files(nsswitch_domain)
  ')
@@ -26069,19 +26084,23 @@ index 6c4b6ee..f512b72 100644
  	xen_rw_image_files(fsadm_t)
  ')
 diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
-index e1a1848..c0d34e7 100644
+index e1a1848..4927638 100644
 --- a/policy/modules/system/getty.fc
 +++ b/policy/modules/system/getty.fc
-@@ -3,6 +3,10 @@
+@@ -3,8 +3,12 @@
  
  /sbin/.*getty		--	gen_context(system_u:object_r:getty_exec_t,s0)
  
+-/var/log/mgetty\.log.*	--	gen_context(system_u:object_r:getty_log_t,s0)
+-/var/log/vgetty\.log\..* --	gen_context(system_u:object_r:getty_log_t,s0)
 +/usr/lib/systemd/system/[^/]*getty.*	--	gen_context(system_u:object_r:getty_unit_file_t,s0)
 +
 +/usr/sbin/.*getty	--	gen_context(system_u:object_r:getty_exec_t,s0)
 +
- /var/log/mgetty\.log.*	--	gen_context(system_u:object_r:getty_log_t,s0)
- /var/log/vgetty\.log\..* --	gen_context(system_u:object_r:getty_log_t,s0)
++/var/log/mgetty.*\.log.*	--	gen_context(system_u:object_r:getty_log_t,s0)
++/var/log/vgetty.*\.log.* --	gen_context(system_u:object_r:getty_log_t,s0)
+ 
+ /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
  
 diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
 index e4376aa..2c98c56 100644
@@ -27700,7 +27719,7 @@ index 24e7804..76da5dd 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..60b2656 100644
+index dd3be8d..97d6597 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -27880,7 +27899,7 @@ index dd3be8d..60b2656 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +222,50 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +222,51 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -27928,13 +27947,14 @@ index dd3be8d..60b2656 100644
 +
 +userdom_use_user_ttys(init_t)
 +userdom_manage_tmp_dirs(init_t)
++userdom_manage_tmp_sockets(init_t)
  
 -miscfiles_read_localization(init_t)
 +allow init_t self:process setsched;
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +274,192 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +275,198 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -27960,6 +27980,8 @@ index dd3be8d..60b2656 100644
 +
 +storage_raw_rw_fixed_disk(init_t)
 +
++sysnet_read_dhcpc_state(init_t)
++
 +optional_policy(`
 +	kdump_read_crash(init_t)
 +')
@@ -27970,15 +27992,14 @@ index dd3be8d..60b2656 100644
 +
 +optional_policy(`
 +	iscsi_read_lib_files(init_t)
- ')
- 
- optional_policy(`
--	auth_rw_login_records(init_t)
++')
++
++optional_policy(`
 +	modutils_domtrans_insmod(init_t)
 +	modutils_list_module_config(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_config(init_t)
@@ -28104,19 +28125,25 @@ index dd3be8d..60b2656 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
-+')
 +
-+optional_policy(`
++	optional_policy(`
++		devicekit_dbus_chat_power(init_t)
++	')
+ ')
+ 
+ optional_policy(`
+-	nscd_use(init_t)
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
@@ -28126,16 +28153,15 @@ index dd3be8d..60b2656 100644
 +
 +optional_policy(`
 +		networkmanager_stream_connect(init_t)
- ')
- 
- optional_policy(`
--	nscd_use(init_t)
++')
++
++optional_policy(`
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
  ')
  
  optional_policy(`
-@@ -216,7 +467,29 @@ optional_policy(`
+@@ -216,7 +474,29 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28165,7 +28191,7 @@ index dd3be8d..60b2656 100644
  ')
  
  ########################################
-@@ -225,8 +498,9 @@ optional_policy(`
+@@ -225,8 +505,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28177,7 +28203,7 @@ index dd3be8d..60b2656 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +531,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +538,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28194,7 +28220,7 @@ index dd3be8d..60b2656 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +556,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +563,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -28237,7 +28263,7 @@ index dd3be8d..60b2656 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +593,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +600,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -28249,7 +28275,7 @@ index dd3be8d..60b2656 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +605,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +612,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -28260,7 +28286,7 @@ index dd3be8d..60b2656 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +616,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +623,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -28270,7 +28296,7 @@ index dd3be8d..60b2656 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +625,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +632,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -28278,7 +28304,7 @@ index dd3be8d..60b2656 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +632,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +639,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28286,7 +28312,7 @@ index dd3be8d..60b2656 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +640,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +647,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -28304,7 +28330,7 @@ index dd3be8d..60b2656 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +658,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +665,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -28318,7 +28344,7 @@ index dd3be8d..60b2656 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +673,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +680,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -28332,7 +28358,7 @@ index dd3be8d..60b2656 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +686,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +693,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -28340,7 +28366,7 @@ index dd3be8d..60b2656 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +698,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +705,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -28348,7 +28374,7 @@ index dd3be8d..60b2656 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +717,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +724,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -28372,7 +28398,7 @@ index dd3be8d..60b2656 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +750,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +757,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -28380,7 +28406,7 @@ index dd3be8d..60b2656 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +784,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +791,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -28391,7 +28417,7 @@ index dd3be8d..60b2656 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +808,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +815,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -28400,7 +28426,7 @@ index dd3be8d..60b2656 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +823,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +830,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -28408,7 +28434,7 @@ index dd3be8d..60b2656 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +844,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +851,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -28416,7 +28442,7 @@ index dd3be8d..60b2656 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +854,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +861,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -28461,7 +28487,7 @@ index dd3be8d..60b2656 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +899,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +906,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -28493,7 +28519,7 @@ index dd3be8d..60b2656 100644
  	')
  ')
  
-@@ -576,6 +934,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +941,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -28533,7 +28559,7 @@ index dd3be8d..60b2656 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +979,8 @@ optional_policy(`
+@@ -588,6 +986,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -28542,7 +28568,7 @@ index dd3be8d..60b2656 100644
  ')
  
  optional_policy(`
-@@ -609,6 +1002,7 @@ optional_policy(`
+@@ -609,6 +1009,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -28550,7 +28576,7 @@ index dd3be8d..60b2656 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1019,17 @@ optional_policy(`
+@@ -625,6 +1026,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28568,7 +28594,7 @@ index dd3be8d..60b2656 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1046,13 @@ optional_policy(`
+@@ -641,9 +1053,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -28582,7 +28608,7 @@ index dd3be8d..60b2656 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1065,11 @@ optional_policy(`
+@@ -656,15 +1072,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28600,7 +28626,7 @@ index dd3be8d..60b2656 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1090,15 @@ optional_policy(`
+@@ -685,6 +1097,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28616,7 +28642,7 @@ index dd3be8d..60b2656 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1139,7 @@ optional_policy(`
+@@ -725,6 +1146,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -28624,7 +28650,7 @@ index dd3be8d..60b2656 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1157,13 @@ optional_policy(`
+@@ -742,7 +1164,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28639,7 +28665,7 @@ index dd3be8d..60b2656 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1186,10 @@ optional_policy(`
+@@ -765,6 +1193,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28650,7 +28676,7 @@ index dd3be8d..60b2656 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1199,20 @@ optional_policy(`
+@@ -774,10 +1206,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28671,7 +28697,7 @@ index dd3be8d..60b2656 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1221,10 @@ optional_policy(`
+@@ -786,6 +1228,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28682,7 +28708,7 @@ index dd3be8d..60b2656 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1246,6 @@ optional_policy(`
+@@ -807,8 +1253,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -28691,7 +28717,7 @@ index dd3be8d..60b2656 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1254,10 @@ optional_policy(`
+@@ -817,6 +1261,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28702,7 +28728,7 @@ index dd3be8d..60b2656 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1267,12 @@ optional_policy(`
+@@ -826,10 +1274,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -28715,7 +28741,7 @@ index dd3be8d..60b2656 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1299,28 @@ optional_policy(`
+@@ -856,12 +1306,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28745,7 +28771,7 @@ index dd3be8d..60b2656 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1330,18 @@ optional_policy(`
+@@ -871,6 +1337,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -28764,7 +28790,7 @@ index dd3be8d..60b2656 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1357,10 @@ optional_policy(`
+@@ -886,6 +1364,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28775,7 +28801,7 @@ index dd3be8d..60b2656 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1371,196 @@ optional_policy(`
+@@ -896,3 +1378,196 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -28973,20 +28999,21 @@ index dd3be8d..60b2656 100644
 +    allow direct_run_init direct_init_entry:file { getattr open read execute };
 +')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..ef9370d 100644
+index 662e79b..3cbc35d 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,19 @@
+@@ -1,14 +1,21 @@
  /etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/strongswan	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
  
 -/etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
--/etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 +/usr/lib/systemd/system/strongswan.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
 +
-+/etc/(strongswan)?/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
-+/etc/(strongswan)?/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/strongswan/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/strongswan/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
  /etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
  
  /etc/racoon(/.*)?			gen_context(system_u:object_r:ipsec_conf_file_t,s0)
@@ -28999,7 +29026,7 @@ index 662e79b..ef9370d 100644
  
  /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
  
-@@ -26,12 +31,15 @@
+@@ -26,12 +33,15 @@
  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -29015,17 +29042,17 @@ index 662e79b..ef9370d 100644
  
  /var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
  
-@@ -39,3 +47,5 @@
+@@ -39,3 +49,5 @@
  
  /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
  /var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..f133407 100644
+index 0d4c8d3..e6ffda3 100644
 --- a/policy/modules/system/ipsec.if
 +++ b/policy/modules/system/ipsec.if
-@@ -55,6 +55,63 @@ interface(`ipsec_domtrans_mgmt',`
+@@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',`
  	domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
  ')
  
@@ -29063,6 +29090,7 @@ index 0d4c8d3..f133407 100644
 +    ')
 +
 +    manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t)
++    files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")
 +')
 +
 +########################################
@@ -29089,7 +29117,7 @@ index 0d4c8d3..f133407 100644
  ########################################
  ## <summary>
  ##	Connect to racoon using a unix domain stream socket.
-@@ -120,7 +177,6 @@ interface(`ipsec_exec_mgmt',`
+@@ -120,7 +178,6 @@ interface(`ipsec_exec_mgmt',`
  ##	</summary>
  ## </param>
  #
@@ -29097,7 +29125,7 @@ index 0d4c8d3..f133407 100644
  interface(`ipsec_signal_mgmt',`
  	gen_require(`
  		type ipsec_mgmt_t;
-@@ -139,7 +195,6 @@ interface(`ipsec_signal_mgmt',`
+@@ -139,7 +196,6 @@ interface(`ipsec_signal_mgmt',`
  ##	</summary>
  ## </param>
  #
@@ -29105,7 +29133,7 @@ index 0d4c8d3..f133407 100644
  interface(`ipsec_signull_mgmt',`
  	gen_require(`
  		type ipsec_mgmt_t;
-@@ -158,7 +213,6 @@ interface(`ipsec_signull_mgmt',`
+@@ -158,7 +214,6 @@ interface(`ipsec_signull_mgmt',`
  ##	</summary>
  ## </param>
  #
@@ -29113,7 +29141,7 @@ index 0d4c8d3..f133407 100644
  interface(`ipsec_kill_mgmt',`
  	gen_require(`
  		type ipsec_mgmt_t;
-@@ -167,6 +221,60 @@ interface(`ipsec_kill_mgmt',`
+@@ -167,6 +222,60 @@ interface(`ipsec_kill_mgmt',`
  	allow $1 ipsec_mgmt_t:process sigkill;
  ')
  
@@ -29174,7 +29202,7 @@ index 0d4c8d3..f133407 100644
  ######################################
  ## <summary>
  ##	Send and receive messages from
-@@ -225,6 +333,7 @@ interface(`ipsec_match_default_spd',`
+@@ -225,6 +334,7 @@ interface(`ipsec_match_default_spd',`
  
  	allow $1 ipsec_spd_t:association polmatch;
  	allow $1 self:association sendto;
@@ -29182,7 +29210,7 @@ index 0d4c8d3..f133407 100644
  ')
  
  ########################################
-@@ -369,3 +478,26 @@ interface(`ipsec_run_setkey',`
+@@ -369,3 +479,26 @@ interface(`ipsec_run_setkey',`
  	ipsec_domtrans_setkey($1)
  	role $2 types setkey_t;
  ')
@@ -29210,7 +29238,7 @@ index 0d4c8d3..f133407 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..5975418 100644
+index 9e54bf9..523b613 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -29229,9 +29257,10 @@ index 9e54bf9..5975418 100644
  
 -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
 -dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
-+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid };
+-allow ipsec_t self:process { getcap setcap getsched signal setsched };
++allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid };
 +dontaudit ipsec_t self:capability sys_tty_config;
- allow ipsec_t self:process { getcap setcap getsched signal setsched };
++allow ipsec_t self:process { getcap setcap getsched signal signull setsched };
  allow ipsec_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_t self:udp_socket create_socket_perms;
 +allow ipsec_t self:packet_socket create_socket_perms;
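Review bot: `+allow ipsec_t self:capability { ... net_raw setuid setgid };` adds setgid to a domain that already holds dac_override, dac_read_search and setuid, with no comment on which operation needs it; together these let the IKE daemon assume any uid/gid and bypass file DAC, so the reason should be recorded next to the rule, e.g. `# setuid/setgid: needed when the daemon changes identity for its helpers -- TODO confirm the exact call site`. Only setgid is new in this revision (net_raw and setuid are already on the replaced line), so the comment should name the operation that motivated it. The added `signull` on self:process is harmless and needs no note.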
@@ -29244,8 +29273,12 @@ index 9e54bf9..5975418 100644
  
  allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
  
-@@ -113,7 +120,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
- allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
+@@ -110,10 +117,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+ allow ipsec_mgmt_t ipsec_t:fd use;
+ allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+-allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
++allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld signull };
  
  kernel_read_kernel_sysctls(ipsec_t)
 -kernel_read_net_sysctls(ipsec_t)
@@ -29464,7 +29497,7 @@ index 9e54bf9..5975418 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +477,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +477,8 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -29473,9 +29506,9 @@ index 9e54bf9..5975418 100644
  seutil_read_config(setkey_t)
  
 -userdom_use_user_terminals(setkey_t)
+-
 +userdom_use_inherited_user_terminals(setkey_t)
 +userdom_read_user_tmp_files(setkey_t)
- 
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
 index 1b93eb7..b2532aa 100644
 --- a/policy/modules/system/iptables.fc
@@ -35067,7 +35100,7 @@ index 346a7cc..42a48b6 100644
 +/var/run/netns(/.*)?		gen_context(system_u:object_r:ifconfig_var_run_t,s0)
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..ec17624 100644
+index 6944526..1f23aab 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -35101,7 +35134,15 @@ index 6944526..ec17624 100644
  ')
  
  ########################################
-@@ -271,6 +290,43 @@ interface(`sysnet_delete_dhcpc_state',`
+@@ -250,6 +269,7 @@ interface(`sysnet_read_dhcpc_state',`
+ 		type dhcpc_state_t;
+ 	')
+ 
++	list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
+ 	read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+ ')
+ 
+@@ -271,6 +291,43 @@ interface(`sysnet_delete_dhcpc_state',`
  	delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
  ')
  
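Review bot: `sysnet_read_dhcpc_state` now also grants `list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)`, but the interface's `<summary>` and `<desc>` sit above the hunk and still describe only reading the state files; the doc comment should say the directory listing is included, e.g. `##	Read the DHCP client state files, including listing the state directory.` Every existing caller silently gains directory listing, which is probably intended for init_t here but is worth a line in the commit message since this is a shared interface.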
@@ -35145,7 +35186,7 @@ index 6944526..ec17624 100644
  #######################################
  ## <summary>
  ##	Set the attributes of network config files.
-@@ -292,6 +348,44 @@ interface(`sysnet_setattr_config',`
+@@ -292,6 +349,44 @@ interface(`sysnet_setattr_config',`
  
  #######################################
  ## <summary>
@@ -35190,7 +35231,7 @@ index 6944526..ec17624 100644
  ##	Read network config files.
  ## </summary>
  ## <desc>
-@@ -331,6 +425,7 @@ interface(`sysnet_read_config',`
+@@ -331,6 +426,7 @@ interface(`sysnet_read_config',`
  
  	ifdef(`distro_redhat',`
  		allow $1 net_conf_t:dir list_dir_perms;
@@ -35198,7 +35239,7 @@ index 6944526..ec17624 100644
  		read_files_pattern($1, net_conf_t, net_conf_t)
  	')
  ')
-@@ -433,6 +528,7 @@ interface(`sysnet_manage_config',`
+@@ -433,6 +529,7 @@ interface(`sysnet_manage_config',`
  	allow $1 net_conf_t:file manage_file_perms;
  
  	ifdef(`distro_redhat',`
@@ -35206,7 +35247,7 @@ index 6944526..ec17624 100644
  		manage_files_pattern($1, net_conf_t, net_conf_t)
  	')
  ')
-@@ -471,6 +567,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -471,6 +568,7 @@ interface(`sysnet_delete_dhcpc_pid',`
  		type dhcpc_var_run_t;
  	')
  
@@ -35214,7 +35255,7 @@ index 6944526..ec17624 100644
  	allow $1 dhcpc_var_run_t:file unlink;
  ')
  
-@@ -580,6 +677,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -580,6 +678,25 @@ interface(`sysnet_signull_ifconfig',`
  
  ########################################
  ## <summary>
@@ -35240,7 +35281,7 @@ index 6944526..ec17624 100644
  ##	Read the DHCP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -596,6 +712,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -596,6 +713,7 @@ interface(`sysnet_read_dhcp_config',`
  	files_search_etc($1)
  	allow $1 dhcp_etc_t:dir list_dir_perms;
  	read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -35248,7 +35289,7 @@ index 6944526..ec17624 100644
  ')
  
  ########################################
-@@ -681,8 +798,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -681,8 +799,6 @@ interface(`sysnet_dns_name_resolve',`
  	allow $1 self:udp_socket create_socket_perms;
  	allow $1 self:netlink_route_socket r_netlink_socket_perms;
  
@@ -35257,7 +35298,7 @@ index 6944526..ec17624 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -692,6 +807,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -692,6 +808,8 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_connect_dns_port($1)
  	corenet_sendrecv_dns_client_packets($1)
  
@@ -35266,7 +35307,7 @@ index 6944526..ec17624 100644
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -720,8 +837,6 @@ interface(`sysnet_use_ldap',`
+@@ -720,8 +838,6 @@ interface(`sysnet_use_ldap',`
  
  	allow $1 self:tcp_socket create_socket_perms;
  
@@ -35275,7 +35316,7 @@ index 6944526..ec17624 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
  	corenet_tcp_sendrecv_ldap_port($1)
-@@ -733,6 +848,9 @@ interface(`sysnet_use_ldap',`
+@@ -733,6 +849,9 @@ interface(`sysnet_use_ldap',`
  	dev_read_urand($1)
  
  	sysnet_read_config($1)
@@ -35285,7 +35326,7 @@ index 6944526..ec17624 100644
  ')
  
  ########################################
-@@ -754,7 +872,6 @@ interface(`sysnet_use_portmap',`
+@@ -754,7 +873,6 @@ interface(`sysnet_use_portmap',`
  	allow $1 self:udp_socket create_socket_perms;
  
  	corenet_all_recvfrom_unlabeled($1)
@@ -35293,7 +35334,7 @@ index 6944526..ec17624 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +883,74 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +884,74 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -39135,7 +39176,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..472e80a 100644
+index 3c5dba7..e5bae1c 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39449,7 +39490,7 @@ index 3c5dba7..472e80a 100644
  	')
  ')
  
-@@ -273,6 +315,44 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +315,63 @@ interface(`userdom_manage_home_role',`
  ## <summary>
  ##	Manage user temporary files
  ## </summary>
@@ -39470,6 +39511,25 @@ index 3c5dba7..472e80a 100644
 +
 +#######################################
 +## <summary>
++##	Manage user temporary sockets
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolebase/>
++#
++interface(`userdom_manage_tmp_sockets',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++#######################################
++## <summary>
 +##	Manage user temporary directories
 +## </summary>
 +## <param name="domain">
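Review bot: The new `userdom_manage_tmp_sockets` interface grants manage permissions on user_tmp_t sock_files but does not give the caller search on the enclosing tmp directory, whereas `userdom_read_user_tmp_files` further down in this same patch pairs its pattern with `files_search_tmp($1)`. A domain that does not already hold search on tmp_t will still be denied when it walks /tmp to reach the socket, so the interface would only work for callers that happen to have that permission from elsewhere. Adding `files_search_tmp($1)` after the `manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)` line would match the convention used by the sibling tmp interfaces; the adjacent `userdom_manage_tmp_dirs` body is outside the hunk, so I could not confirm which form it uses.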
@@ -39494,7 +39554,7 @@ index 3c5dba7..472e80a 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,17 +367,64 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +386,64 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
@@ -39564,7 +39624,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  #######################################
-@@ -317,11 +444,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +463,31 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -39596,7 +39656,7 @@ index 3c5dba7..472e80a 100644
  ##	Role access for the user tmpfs type
  ##	that the user has full access.
  ## </summary>
-@@ -348,59 +495,60 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -348,59 +514,60 @@ interface(`userdom_exec_user_tmp_files',`
  #
  interface(`userdom_manage_tmpfs_role',`
  	gen_require(`
@@ -39644,10 +39704,12 @@ index 3c5dba7..472e80a 100644
 -	gen_require(`
 -		type $1_t;
 -	')
--
++interface(`userdom_basic_networking',`
+ 
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
 -	allow $1_t self:udp_socket create_socket_perms;
-+interface(`userdom_basic_networking',`
++	allow $1 self:tcp_socket create_stream_socket_perms;
++	allow $1 self:udp_socket create_socket_perms;
  
 -	corenet_all_recvfrom_unlabeled($1_t)
 -	corenet_all_recvfrom_netlabel($1_t)
@@ -39659,9 +39721,7 @@ index 3c5dba7..472e80a 100644
 -	corenet_udp_sendrecv_all_ports($1_t)
 -	corenet_tcp_connect_all_ports($1_t)
 -	corenet_sendrecv_all_client_packets($1_t)
-+	allow $1 self:tcp_socket create_stream_socket_perms;
-+	allow $1 self:udp_socket create_socket_perms;
- 
+-
 -	corenet_all_recvfrom_labeled($1_t, $1_t)
 +	corenet_tcp_sendrecv_generic_if($1)
 +	corenet_udp_sendrecv_generic_if($1)
@@ -39687,7 +39747,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  #######################################
-@@ -431,6 +579,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +598,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -39695,7 +39755,7 @@ index 3c5dba7..472e80a 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -463,8 +612,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +631,8 @@ template(`userdom_change_password_template',`
  	')
  
  	optional_policy(`
@@ -39706,7 +39766,7 @@ index 3c5dba7..472e80a 100644
  	')
  ')
  
-@@ -491,7 +640,8 @@ template(`userdom_common_user_template',`
+@@ -491,7 +659,8 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -39716,7 +39776,7 @@ index 3c5dba7..472e80a 100644
  
  	##############################
  	#
-@@ -501,41 +651,51 @@ template(`userdom_common_user_template',`
+@@ -501,41 +670,51 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -39737,27 +39797,27 @@ index 3c5dba7..472e80a 100644
 +	kernel_get_sysvipc_info($1_usertype)
  	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
+-
+-	corecmd_exec_bin($1_t)
 +	kernel_read_device_sysctls($1_usertype)
 +	kernel_request_load_module($1_usertype)
  
--	corecmd_exec_bin($1_t)
+-	corenet_udp_bind_generic_node($1_t)
+-	corenet_udp_bind_generic_port($1_t)
 +	corenet_udp_bind_generic_node($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
  
--	corenet_udp_bind_generic_node($1_t)
--	corenet_udp_bind_generic_port($1_t)
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
 +	dev_read_rand($1_usertype)
 +	dev_write_sound($1_usertype)
 +	dev_read_sound($1_usertype)
 +	dev_read_sound_mixer($1_usertype)
 +	dev_write_sound_mixer($1_usertype)
  
--	dev_read_rand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
--
 -	files_exec_etc_files($1_t)
 -	files_search_locks($1_t)
 +	files_exec_etc_files($1_usertype)
@@ -39791,7 +39851,7 @@ index 3c5dba7..472e80a 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,93 +706,120 @@ template(`userdom_common_user_template',`
+@@ -546,93 +725,120 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -39926,31 +39986,31 @@ index 3c5dba7..472e80a 100644
 -		inetd_use_fds($1_t)
 -		inetd_rw_tcp_sockets($1_t)
 +		git_role($1_r, $1_t)
++	')
++
++	optional_policy(`
++		inetd_use_fds($1_usertype)
++		inetd_rw_tcp_sockets($1_usertype)
  	')
  
  	optional_policy(`
 -		inn_read_config($1_t)
 -		inn_read_news_lib($1_t)
 -		inn_read_news_spool($1_t)
-+		inetd_use_fds($1_usertype)
-+		inetd_rw_tcp_sockets($1_usertype)
++		inn_read_config($1_usertype)
++		inn_read_news_lib($1_usertype)
++		inn_read_news_spool($1_usertype)
  	')
  
  	optional_policy(`
 -		kerberos_manage_krb5_home_files($1_t)
 -		kerberos_relabel_krb5_home_files($1_t)
 -		kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
-+		inn_read_config($1_usertype)
-+		inn_read_news_lib($1_usertype)
-+		inn_read_news_spool($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		lircd_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
-@@ -642,23 +829,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +848,21 @@ template(`userdom_common_user_template',`
  	optional_policy(`
  		mpd_manage_user_data_content($1_t)
  		mpd_relabel_user_data_content($1_t)
@@ -39979,7 +40039,7 @@ index 3c5dba7..472e80a 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -671,7 +856,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +875,7 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -39988,7 +40048,7 @@ index 3c5dba7..472e80a 100644
  	')
  
  	optional_policy(`
-@@ -680,9 +865,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +884,9 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -40001,33 +40061,37 @@ index 3c5dba7..472e80a 100644
  		')
  	')
  
-@@ -693,32 +878,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +897,35 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
 -		resmgr_stream_connect($1_t)
 +		resmgr_stream_connect($1_usertype)
++	')
++
++	optional_policy(`
++		rpc_dontaudit_getattr_exports($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		rpc_dontaudit_getattr_exports($1_usertype)
++		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		rpcbind_stream_connect($1_usertype)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t, $1_r)
-+		sandbox_transition($1_usertype, $1_r)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
@@ -40036,10 +40100,6 @@ index 3c5dba7..472e80a 100644
 -		virt_home_filetrans_virt_content($1_t, dir, "isos")
 -		virt_home_filetrans_svirt_home($1_t, dir, "qemu")
 -		virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")	
-+		seunshare_role_template($1, $1_r, $1_t)
-+	')
-+
-+	optional_policy(`
 +		slrnpull_search_spool($1_usertype)
 +	')
 +
@@ -40048,7 +40108,7 @@ index 3c5dba7..472e80a 100644
  	')
  ')
  
-@@ -743,17 +931,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +950,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -40065,12 +40125,12 @@ index 3c5dba7..472e80a 100644
 -	userdom_manage_tmpfs_role($1_r, $1_t)
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
-+	ifelse(`$1',`unconfined',`',`
-+		gen_tunable($1_exec_content, true)
  
 -	userdom_exec_user_tmp_files($1_t)
 -	userdom_exec_user_home_content_files($1_t)
++	ifelse(`$1',`unconfined',`',`
++		gen_tunable($1_exec_content, true)
++
 +		tunable_policy(`$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
@@ -40086,7 +40146,7 @@ index 3c5dba7..472e80a 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,82 +965,100 @@ template(`userdom_login_user_template', `
+@@ -761,82 +984,100 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -40179,14 +40239,14 @@ index 3c5dba7..472e80a 100644
 +	seutil_read_file_contexts($1_usertype)
 +	seutil_read_default_contexts($1_usertype)
 +	seutil_exec_setfiles($1_usertype)
-+
+ 
+-	seutil_read_config($1_t)
 +	optional_policy(`
 +		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
 +		cups_stream_connect_ptal($1_usertype)
 +	')
- 
--	seutil_read_config($1_t)
++
 +	optional_policy(`
 +		kerberos_use($1_usertype)
 +		init_write_key($1_usertype)
@@ -40223,7 +40283,7 @@ index 3c5dba7..472e80a 100644
  	')
  ')
  
-@@ -868,6 +1090,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1109,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -40236,7 +40296,7 @@ index 3c5dba7..472e80a 100644
  	##############################
  	#
  	# Local policy
-@@ -907,42 +1135,99 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1154,99 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
@@ -40349,7 +40409,7 @@ index 3c5dba7..472e80a 100644
  		')
  
  		optional_policy(`
-@@ -951,12 +1236,29 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,18 +1255,35 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
@@ -40369,7 +40429,12 @@ index 3c5dba7..472e80a 100644
  	optional_policy(`
  		setroubleshoot_dontaudit_stream_connect($1_t)
  	')
-+
+-')
+ 
+-#######################################
+-## <summary>
+-##	The template for creating a unprivileged user roughly
+-##	equivalent to a regular linux user.
 +	optional_policy(`
 +		udev_read_db($1_usertype)
 +	')
@@ -40377,10 +40442,16 @@ index 3c5dba7..472e80a 100644
 +	optional_policy(`
 +		xserver_xdm_ioctl_log($1_t)
 +	')
- ')
- 
- #######################################
-@@ -990,27 +1292,33 @@ template(`userdom_unpriv_user_template', `
++')
++
++#######################################
++## <summary>
++##	The template for creating a unprivileged user roughly
++##	equivalent to a regular linux user.
+ ## </summary>
+ ## <desc>
+ ##	<p>
+@@ -990,27 +1311,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -40418,7 +40489,7 @@ index 3c5dba7..472e80a 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,38 +1329,77 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1348,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -40444,29 +40515,20 @@ index 3c5dba7..472e80a 100644
 +
 +	tunable_policy(`selinuxuser_tcp_server',`
 +		corenet_tcp_bind_all_unreserved_ports($1_usertype)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		cdrecord_role($1_r, $1_t)
- 	')
- 
--	# Run pppd in pppd_t by default for user
- 	optional_policy(`
--		ppp_run_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		cron_role($1_r, $1_t)
- 	')
- 
- 	optional_policy(`
--		setroubleshoot_stream_connect($1_t)
++	')
++
++	optional_policy(`
 +		games_rw_data($1_usertype)
- 	')
--')
- 
--#######################################
--## <summary>
--##	The template for creating an administrative user.
++	')
++
 +	optional_policy(`
 +		gpg_role($1_r, $1_usertype)
 +	')
@@ -40488,32 +40550,28 @@ index 3c5dba7..472e80a 100644
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
-+	')
-+
-+	# Run pppd in pppd_t by default for user
-+	optional_policy(`
-+		ppp_run_cond($1_t, $1_r)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	# Run pppd in pppd_t by default for user
+@@ -1046,7 +1410,9 @@ template(`userdom_unpriv_user_template', `
+ 	')
+ 
+ 	optional_policy(`
+-		setroubleshoot_stream_connect($1_t)
 +		vdagent_getattr_log($1_t)
 +		vdagent_getattr_exec_files($1_t)
 +		vdagent_stream_connect($1_t)
-+	')
-+')
-+
-+#######################################
-+## <summary>
-+##	The template for creating an administrative user.
- ## </summary>
- ## <desc>
- ##	<p>
-@@ -1082,7 +1429,7 @@ template(`userdom_unpriv_user_template', `
+ 	')
+ ')
+ 
+@@ -1082,7 +1448,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -40522,7 +40580,7 @@ index 3c5dba7..472e80a 100644
  	')
  
  	##############################
-@@ -1109,6 +1456,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1475,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -40530,7 +40588,7 @@ index 3c5dba7..472e80a 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1117,6 +1465,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1484,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -40540,7 +40598,7 @@ index 3c5dba7..472e80a 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1482,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1501,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -40548,7 +40606,7 @@ index 3c5dba7..472e80a 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1500,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1519,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -40563,7 +40621,7 @@ index 3c5dba7..472e80a 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1518,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1537,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -40606,7 +40664,7 @@ index 3c5dba7..472e80a 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1559,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1578,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -40615,7 +40673,7 @@ index 3c5dba7..472e80a 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1568,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1587,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -40634,7 +40692,7 @@ index 3c5dba7..472e80a 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1253,6 +1624,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1643,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -40643,7 +40701,7 @@ index 3c5dba7..472e80a 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1638,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1657,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -40655,7 +40713,7 @@ index 3c5dba7..472e80a 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1652,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1671,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -40698,7 +40756,7 @@ index 3c5dba7..472e80a 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1737,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1756,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -40717,7 +40775,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -1408,6 +1788,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1807,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -40769,7 +40827,7 @@ index 3c5dba7..472e80a 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1937,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1956,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -40801,7 +40859,7 @@ index 3c5dba7..472e80a 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +2003,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +2022,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -40816,7 +40874,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -1573,9 +2026,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2045,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -40828,7 +40886,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -1632,6 +2087,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2106,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -40871,7 +40929,7 @@ index 3c5dba7..472e80a 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2202,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2221,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -40880,7 +40938,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -1744,10 +2237,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2256,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -40895,7 +40953,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -1772,7 +2267,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2286,25 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -40922,7 +40980,7 @@ index 3c5dba7..472e80a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1782,53 +2295,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,53 +2314,70 @@ interface(`userdom_manage_user_home_content_dirs',`
  #
  interface(`userdom_delete_all_user_home_content_dirs',`
  	gen_require(`
@@ -41005,7 +41063,7 @@ index 3c5dba7..472e80a 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1848,6 +2378,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2397,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -41031,7 +41089,7 @@ index 3c5dba7..472e80a 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2427,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2446,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -41069,7 +41127,7 @@ index 3c5dba7..472e80a 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2467,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2486,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -41087,7 +41145,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -1941,7 +2515,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2534,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -41096,7 +41154,7 @@ index 3c5dba7..472e80a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1949,19 +2523,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1949,19 +2542,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -41120,7 +41178,7 @@ index 3c5dba7..472e80a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,35 +2541,35 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,35 +2560,35 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -41164,7 +41222,7 @@ index 3c5dba7..472e80a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2005,46 +2577,35 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+@@ -2005,45 +2596,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -41196,47 +41254,38 @@ index 3c5dba7..472e80a 100644
 +interface(`userdom_delete_all_user_home_content',`
  	gen_require(`
 -		type user_home_dir_t, user_home_t;
--	')
--
--	files_search_home($1)
--	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
--
--	tunable_policy(`use_nfs_home_dirs',`
--		fs_exec_nfs_files($1)
 +		attribute user_home_type;
  	')
  
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
--	')
+-	files_search_home($1)
+-	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 +	allow $1 user_home_type:dir_file_class_set delete_file_perms;
- ')
++')
  
- ########################################
- ## <summary>
--##	Do not audit attempts to execute user home files.
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_exec_nfs_files($1)
++########################################
++## <summary>
 +##	Do not audit attempts to write user home files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2052,18 +2613,76 @@ interface(`userdom_exec_user_home_content_files',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_dontaudit_exec_user_home_content_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
 +interface(`userdom_dontaudit_relabel_user_home_content_files',`
- 	gen_require(`
- 		type user_home_t;
++	gen_require(`
++		type user_home_t;
  	')
  
--	dontaudit $1 user_home_t:file exec_file_perms;
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	dontaudit $1 user_home_t:file relabel_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete files
--##	in a user home subdirectory.
++')
++
++########################################
++## <summary>
 +##	Read user home subdirectory symbolic links.
 +## </summary>
 +## <param name="domain">
@@ -41248,13 +41297,13 @@ index 3c5dba7..472e80a 100644
 +interface(`userdom_read_user_home_content_symlinks',`
 +	gen_require(`
 +		type user_home_dir_t, user_home_t;
-+	')
+ 	')
 +
 +	allow $1 { user_home_dir_t user_home_t }:lnk_file  read_lnk_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Execute user home files.
 +## </summary>
 +## <param name="domain">
@@ -41277,30 +41326,10 @@ index 3c5dba7..472e80a 100644
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to execute user home files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dontaudit_exec_user_home_content_files',`
-+	gen_require(`
-+		type user_home_t;
-+	')
-+
-+	dontaudit $1 user_home_t:file exec_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete files
-+##	in a user home subdirectory.
+ ##	Do not audit attempts to execute user home files.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -2123,7 +2742,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2761,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -41309,7 +41338,7 @@ index 3c5dba7..472e80a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2750,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2769,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -41333,7 +41362,7 @@ index 3c5dba7..472e80a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2768,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2787,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -41349,7 +41378,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -2393,11 +3010,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +3029,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -41364,7 +41393,7 @@ index 3c5dba7..472e80a 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +3034,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3053,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -41373,7 +41402,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -2664,6 +3281,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3300,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -41399,7 +41428,7 @@ index 3c5dba7..472e80a 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3316,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3335,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -41415,7 +41444,7 @@ index 3c5dba7..472e80a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3344,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3363,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -41424,7 +41453,7 @@ index 3c5dba7..472e80a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,14 +3352,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3371,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -41459,7 +41488,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -2817,6 +3470,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3489,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -41484,7 +41513,7 @@ index 3c5dba7..472e80a 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3506,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3525,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -41527,7 +41556,7 @@ index 3c5dba7..472e80a 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3542,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3561,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -41565,7 +41594,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -2885,8 +3587,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3606,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -41595,7 +41624,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -2958,69 +3679,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3698,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -41696,7 +41725,7 @@ index 3c5dba7..472e80a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3748,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3767,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -41711,7 +41740,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -3097,7 +3817,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3836,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -41720,7 +41749,7 @@ index 3c5dba7..472e80a 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3833,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3852,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -41754,7 +41783,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -3217,7 +3921,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3940,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -41781,7 +41810,7 @@ index 3c5dba7..472e80a 100644
  ')
  
  ########################################
-@@ -3272,12 +3994,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,12 +4013,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -41797,7 +41826,7 @@ index 3c5dba7..472e80a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3285,36 +4008,37 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3285,36 +4027,37 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -41845,21 +41874,23 @@ index 3c5dba7..472e80a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3322,7 +4046,63 @@ interface(`userdom_read_all_users_state',`
+@@ -3322,17 +4065,73 @@ interface(`userdom_read_all_users_state',`
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_getattr_all_users',`
 +interface(`userdom_rw_inherited_user_pipes',`
-+	gen_require(`
-+		attribute userdomain;
-+	')
-+
+ 	gen_require(`
+ 		attribute userdomain;
+ 	')
+ 
+-	allow $1 userdomain:process getattr;
 +	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Inherit the file descriptors from all user domains
 +##	Do not audit attempts to use user ttys.
 +## </summary>
 +## <param name="domain">
@@ -41907,10 +41938,20 @@ index 3c5dba7..472e80a 100644
 +## </param>
 +#
 +interface(`userdom_getattr_all_users',`
- 	gen_require(`
- 		attribute userdomain;
- 	')
-@@ -3385,6 +4165,42 @@ interface(`userdom_signal_all_users',`
++	gen_require(`
++		attribute userdomain;
++	')
++
++	allow $1 userdomain:process getattr;
++')
++
++########################################
++## <summary>
++##	Inherit the file descriptors from all user domains
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3385,6 +4184,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -41953,7 +41994,7 @@ index 3c5dba7..472e80a 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4221,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4240,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -41978,7 +42019,7 @@ index 3c5dba7..472e80a 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3438,4 +4272,1493 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4291,1493 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index f69bb0c..f0d0997 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -520,7 +520,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..f71a133 100644
+index cc43d25..097a770 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -705,7 +705,7 @@ index cc43d25..f71a133 100644
  manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
  logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  
-@@ -112,23 +138,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +138,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -727,14 +727,17 @@ index cc43d25..f71a133 100644
  files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
  
 -can_exec(abrt_t, abrt_tmp_t)
--
++manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+ 
  kernel_read_ring_buffer(abrt_t)
 -kernel_read_system_state(abrt_t)
 +kernel_read_network_state(abrt_t)
  kernel_request_load_module(abrt_t)
  kernel_rw_kernel_sysctl(abrt_t)
  
-@@ -137,16 +165,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +169,14 @@ corecmd_exec_shell(abrt_t)
  corecmd_read_all_executables(abrt_t)
  
  corenet_all_recvfrom_netlabel(abrt_t)
@@ -753,7 +756,7 @@ index cc43d25..f71a133 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +189,37 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +193,37 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -794,7 +797,7 @@ index cc43d25..f71a133 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +227,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +231,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -811,7 +814,7 @@ index cc43d25..f71a133 100644
  ')
  
  optional_policy(`
-@@ -209,6 +239,16 @@ optional_policy(`
+@@ -209,6 +243,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -828,7 +831,7 @@ index cc43d25..f71a133 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -220,6 +260,7 @@ optional_policy(`
+@@ -220,6 +264,7 @@ optional_policy(`
  	corecmd_exec_all_executables(abrt_t)
  ')
  
@@ -836,7 +839,7 @@ index cc43d25..f71a133 100644
  optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +271,7 @@ optional_policy(`
+@@ -230,6 +275,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -844,7 +847,7 @@ index cc43d25..f71a133 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -240,9 +282,17 @@ optional_policy(`
+@@ -240,9 +286,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -863,7 +866,7 @@ index cc43d25..f71a133 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +303,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +307,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -878,7 +881,7 @@ index cc43d25..f71a133 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +322,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -886,7 +889,7 @@ index cc43d25..f71a133 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +331,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -907,7 +910,7 @@ index cc43d25..f71a133 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +352,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +356,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -934,7 +937,7 @@ index cc43d25..f71a133 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +388,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -948,7 +951,7 @@ index cc43d25..f71a133 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +406,11 @@ optional_policy(`
+@@ -330,10 +410,11 @@ optional_policy(`
  
  #######################################
  #
@@ -962,7 +965,7 @@ index cc43d25..f71a133 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +429,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +433,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1024,7 +1027,7 @@ index cc43d25..f71a133 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +487,47 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +491,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1046,17 +1049,20 @@ index cc43d25..f71a133 100644
 -files_read_etc_files(abrt_domain)
 +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
 +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
++manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
 +files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
 +
 +read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
++
++manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
  
 -logging_send_syslog_msg(abrt_domain)
-+manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)
-+
 +corecmd_exec_bin(abrt_upload_watch_t)
 +
 +dev_read_urand(abrt_upload_watch_t)
 +
++files_search_spool(abrt_upload_watch_t)
++
 +auth_read_passwd(abrt_upload_watch_t)
 +
 +tunable_policy(`abrt_upload_watch_anon_write',`
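Review bot: The replacement of `manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)` with `manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)` is a correctness fix, not part of the /var/spool change: the old rule named a file type as its subject, so it granted nothing to the daemon. That deserves its own line in the commit description so the next person comparing this against upstream understands why the subject changed. The new rule covers directories only; if the watcher also creates files under abrt_var_cache_t that will surface as a further denial, so it is worth checking the AVC that motivated this against the dir-only grant.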
@@ -1953,7 +1959,7 @@ index 708b743..c2edd9a 100644
 +	ps_process_pattern($1, alsa_t)
 +')
 diff --git a/alsa.te b/alsa.te
-index cda6d20..fbe259e 100644
+index cda6d20..443ce3c 100644
 --- a/alsa.te
 +++ b/alsa.te
 @@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t)
@@ -1974,8 +1980,9 @@ index cda6d20..fbe259e 100644
  # Local policy
  #
  
- allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
+-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
 -dontaudit alsa_t self:capability sys_admin;
++allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
 +dontaudit alsa_t self:capability { sys_tty_config sys_admin };
 +allow alsa_t self:process { getsched setsched signal_perms };
  allow alsa_t self:sem create_sem_perms;
@@ -2011,10 +2018,17 @@ index cda6d20..fbe259e 100644
  userdom_manage_unpriv_user_shared_mem(alsa_t)
  userdom_search_user_home_dirs(alsa_t)
 diff --git a/amanda.fc b/amanda.fc
-index 7f4dfbc..4d750fa 100644
+index 7f4dfbc..e5c9f45 100644
 --- a/amanda.fc
 +++ b/amanda.fc
-@@ -13,6 +13,8 @@
+@@ -1,5 +1,6 @@
+ /etc/amanda(/.*)?	gen_context(system_u:object_r:amanda_config_t,s0)
+ /etc/amanda/.*/tapelist(/.*)?	gen_context(system_u:object_r:amanda_data_t,s0)
++/etc/amanda/DailySet1(/.*)?	gen_context(system_u:object_r:amanda_data_t,s0)
+ /etc/amandates	gen_context(system_u:object_r:amanda_amandates_t,s0)
+ /etc/dumpdates	gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+ # empty m4 string so the index macro is not invoked
+@@ -13,6 +14,8 @@
  /usr/lib/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
  /usr/lib/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
  
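Review bot: `/etc/amanda/DailySet1(/.*)?` labels a whole configuration-set directory under /etc as amanda_data_t while the line above it narrows the data label to the `tapelist` subtree only. If amanda_data_t is the type the amanda domains may write (as the tapelist rule suggests), every file in that set, not just tapelist, becomes writable by the daemon, which loses the read-only separation that amanda_config_t gives the rest of /etc/amanda. The literal `DailySet1` also only matches the default set name, so differently named sets get the narrower tapelist treatment and behave differently. A comment stating why the full DailySet1 tree needs the data label, or narrowing the entry to the files that are actually written, would make the intent clear.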
@@ -2692,10 +2706,10 @@ index 0000000..df5b3be
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..fd48ed9
+index 0000000..784557c
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,269 @@
+@@ -0,0 +1,274 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -2847,6 +2861,10 @@ index 0000000..fd48ed9
 +corenet_tcp_connect_http_cache_port(antivirus_domain)
 +corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
 +
++#support for MySQL/PostgreSQL
++corenet_tcp_connect_mysqld_port(antivirus_domain)
++corenet_tcp_connect_postgresql_port(antivirus_domain)
++
 +corenet_sendrecv_snmp_client_packets(antivirus_domain)
 +corenet_tcp_connect_snmp_port(antivirus_domain)
 +
@@ -2936,6 +2954,7 @@ index 0000000..fd48ed9
 +
 +optional_policy(`
 +	mysql_stream_connect(antivirus_domain)
++	corenet_tcp_connect_mysqld_port(antivirus_domain)
 +')
 +
 +optional_policy(`
@@ -11851,10 +11870,10 @@ index 0000000..8ac848b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..0f133be
+index 0000000..4e41e84
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,297 @@
+@@ -0,0 +1,298 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -12017,6 +12036,7 @@ index 0000000..0f133be
 +')
 +
 +optional_policy(`
++    rpm_domtrans(cloud_init_t)
 +    unconfined_domain(cloud_init_t)
 +')
 +
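Review bot: `rpm_domtrans(cloud_init_t)` is placed in the same `optional_policy` block as `unconfined_domain(cloud_init_t)`, so it is gated on the unconfined module as well as on the rpm module that defines the interface, and the unconfined rule is in turn gated on rpm. On a system where either module is missing the whole block is presumably dropped together, which is probably not intended; the usual layout is a separate `optional_policy(` block holding only `rpm_domtrans(cloud_init_t)`. The four-space indent matches the neighbouring line but not the tab indent used elsewhere in this patch, which is style only.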
@@ -20938,10 +20958,10 @@ index 0000000..b214253
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 0000000..05c070d
+index 0000000..73d1b46
 --- /dev/null
 +++ b/dirsrv.te
-@@ -0,0 +1,194 @@
+@@ -0,0 +1,196 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@@ -21000,8 +21020,10 @@ index 0000000..05c070d
 +allow dirsrv_t self:sem create_sem_perms;
 +allow dirsrv_t self:tcp_socket create_stream_socket_perms;
 +
++manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
 +manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
-+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
++manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
 +
 +manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
 +manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
@@ -25929,10 +25951,10 @@ index e39de43..5818f74 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..237de86 100644
+index d03fd43..e814f72 100644
 --- a/gnome.if
 +++ b/gnome.if
-@@ -1,123 +1,155 @@
+@@ -1,123 +1,157 @@
 -## <summary>GNU network object model environment.</summary>
 +## <summary>GNU network object model environment (GNOME)</summary>
  
@@ -26049,39 +26071,40 @@ index d03fd43..237de86 100644
 +	ubac_constrained($1_gkeyringd_t)
  	domain_user_exemption_target($1_gkeyringd_t)
  
--	role $2 types $1_gkeyringd_t;
 +	userdom_home_manager($1_gkeyringd_t)
++
+ 	role $2 types $1_gkeyringd_t;
  
 -	########################################
 -	#
 -	# Gconf policy
 -	#
-+	role $2 types $1_gkeyringd_t;
++	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
  
 -	domtrans_pattern($3, gconfd_exec_t, gconfd_t)
-+	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
++	allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
++	allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
  
 -	allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 -	allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
 -	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
 -	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
-+	allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
-+	allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
- 
--	allow $3 gconfd_t:process { ptrace signal_perms };
--	ps_process_pattern($3, gconfd_t)
 +	allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
 +	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
  
--	########################################
--	#
--	# Gkeyringd policy
--	#
+-	allow $3 gconfd_t:process { ptrace signal_perms };
+-	ps_process_pattern($3, gconfd_t)
 +	corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
 +	corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
 +	allow $1_gkeyringd_t $3:process sigkill;
 +	allow $3 $1_gkeyringd_t:fd use;
 +	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
++	dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
+ 
+-	########################################
+-	#
+-	# Gkeyringd policy
+-	#
  
 -	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
 +	kernel_read_system_state($1_gkeyringd_t)
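Review bot: `dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };` silences read and write on a socket the user domain leaked into the keyring daemon, which hides the leak rather than fixing it; a keyring process quietly reading or writing an inherited user socket is the kind of event an auditor would want to see. If the aim is only to stop noise from fd inspection, `getattr` alone is the usual scope, and the missing close-on-exec belongs to the program that leaks the descriptor. A comment naming the leaking caller would make the rule reviewable later. The enclosing template (gnome_role_template, per the later hunk header) starts and ends outside this hunk.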
@@ -26102,12 +26125,12 @@ index d03fd43..237de86 100644
  
  	ps_process_pattern($3, $1_gkeyringd_t)
 -	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+-
+-	corecmd_bin_domtrans($1_gkeyringd_t, $3)
+-	corecmd_shell_domtrans($1_gkeyringd_t, $3)
 +	allow $3 $1_gkeyringd_t:process signal_perms;
 +	dontaudit $3 gkeyringd_exec_t:file entrypoint;
  
--	corecmd_bin_domtrans($1_gkeyringd_t, $3)
--	corecmd_shell_domtrans($1_gkeyringd_t, $3)
--
 -	gnome_stream_connect_gkeyringd($1, $3)
 +	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
  
@@ -26165,7 +26188,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -125,18 +157,18 @@ template(`gnome_role_template',`
+@@ -125,18 +159,18 @@ template(`gnome_role_template',`
  ##	</summary>
  ## </param>
  #
@@ -26189,7 +26212,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',`
+@@ -144,119 +178,114 @@ interface(`gnome_exec_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -26346,7 +26369,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -264,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -26373,7 +26396,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -280,57 +315,89 @@ interface(`gnome_setattr_config_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -26481,7 +26504,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -338,15 +405,18 @@ interface(`gnome_read_generic_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -26505,7 +26528,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -354,22 +422,18 @@ interface(`gnome_manage_config',`
+@@ -354,22 +424,18 @@ interface(`gnome_manage_config',`
  ##	</summary>
  ## </param>
  #
@@ -26533,7 +26556,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -377,53 +443,37 @@ interface(`gnome_manage_generic_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -26595,7 +26618,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',`
+@@ -431,17 +481,18 @@ interface(`gnome_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -26618,7 +26641,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -449,23 +498,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -449,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -26646,7 +26669,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -473,82 +517,73 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -473,82 +519,73 @@ interface(`gnome_read_generic_gconf_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -26753,7 +26776,7 @@ index d03fd43..237de86 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -557,52 +592,76 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -557,52 +594,76 @@ interface(`gnome_home_filetrans_gconf_home',`
  ##	</summary>
  ## </param>
  #
@@ -26851,7 +26874,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -610,93 +669,126 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -610,93 +671,126 @@ interface(`gnome_gconf_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -27012,7 +27035,7 @@ index d03fd43..237de86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -704,12 +796,851 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +798,851 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -28189,19 +28212,21 @@ index 20f726b..c6ff2a1 100644
 +
 +userdom_use_inherited_user_terminals(gnomedomain)
 diff --git a/gnomeclock.fc b/gnomeclock.fc
-index b687443..5d92f4e 100644
+index b687443..e4c1b83 100644
 --- a/gnomeclock.fc
 +++ b/gnomeclock.fc
-@@ -1,5 +1,7 @@
+@@ -1,5 +1,9 @@
 +/usr/lib/systemd/systemd-timedated		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 +
  /usr/libexec/gnome-clock-applet-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
  
 -/usr/libexec/gsd-datetime-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 +/usr/libexec/gsd-datetime-mechanism		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
++
++/usr/libexec/kde3/kcmdatetimehelper		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
++/usr/libexec/kde4/kcmdatetimehelper     --  gen_context(system_u:object_r:gnomeclock_exec_t,s0)
  
 -/usr/libexec/kde(3|4)/kcmdatetimehelper	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-+/usr/libexec/kde(3|4)/kcmdatetimehelper		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 diff --git a/gnomeclock.if b/gnomeclock.if
 index 3f55702..25c7ab8 100644
 --- a/gnomeclock.if
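Review bot: The new `/usr/libexec/kde4/kcmdatetimehelper` entry separates path, `--` and context with runs of spaces while every other line in this file, including the kde3 line directly above it, uses tabs; style only, but mixed whitespace in fc files tends to be re-tabbed by the next editor and then shows up as a spurious diff. Splitting `kde(3|4)` into two literal entries matches the same two paths the regex did, so presumably this is the upstream-alignment item; a word on that in the description would save the next reviewer from looking for a labeling bug that was not there.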
@@ -52500,7 +52525,7 @@ index 6837e9a..21e6dae 100644
  	domain_system_change_exemption($1)
  	role_transition $2 openvpn_initrc_exec_t system_r;
 diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..60a7af6 100644
+index 3270ff9..5b046fe 100644
 --- a/openvpn.te
 +++ b/openvpn.te
 @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@@ -52560,7 +52585,7 @@ index 3270ff9..60a7af6 100644
  allow openvpn_t self:process { signal getsched setsched };
  allow openvpn_t self:fifo_file rw_fifo_file_perms;
  allow openvpn_t self:unix_dgram_socket sendto;
-@@ -62,6 +83,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -62,10 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
  allow openvpn_t openvpn_status_t:file manage_file_perms;
  logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
  
@@ -52571,9 +52596,14 @@ index 3270ff9..60a7af6 100644
 +files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
 +
  manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
- append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
- create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-@@ -83,7 +110,6 @@ kernel_request_load_module(openvpn_t)
+-append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+-create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+-setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
++manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+ logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
+ 
+ manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+@@ -83,7 +108,6 @@ kernel_request_load_module(openvpn_t)
  corecmd_exec_bin(openvpn_t)
  corecmd_exec_shell(openvpn_t)
  
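Review bot: `manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)` replaces the append/create/setattr trio, so the daemon can now also read, overwrite, rename and unlink its own log files. Append-only was a deliberate log-integrity property: a compromised openvpn process could previously not truncate or remove what it had logged. If the motivating denial was a single permission (for example `write` because the log is opened without O_APPEND, or `unlink` on restart), adding just that next to the existing rules, e.g. `allow openvpn_t openvpn_var_log_t:file { write unlink };`, keeps the narrower grant; otherwise a comment recording why full management is needed would help.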
@@ -52581,7 +52611,7 @@ index 3270ff9..60a7af6 100644
  corenet_all_recvfrom_netlabel(openvpn_t)
  corenet_tcp_sendrecv_generic_if(openvpn_t)
  corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -103,13 +129,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
+@@ -103,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
  corenet_sendrecv_http_server_packets(openvpn_t)
  corenet_tcp_bind_http_port(openvpn_t)
  corenet_sendrecv_http_client_packets(openvpn_t)
@@ -52598,7 +52628,7 @@ index 3270ff9..60a7af6 100644
  corenet_rw_tun_tap_dev(openvpn_t)
  
  dev_read_rand(openvpn_t)
-@@ -121,18 +149,24 @@ fs_search_auto_mountpoints(openvpn_t)
+@@ -121,18 +147,24 @@ fs_search_auto_mountpoints(openvpn_t)
  
  auth_use_pam(openvpn_t)
  
@@ -52626,7 +52656,7 @@ index 3270ff9..60a7af6 100644
  ')
  
  tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -143,6 +177,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+@@ -143,6 +175,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(openvpn_t)
  ')
  
@@ -52637,7 +52667,7 @@ index 3270ff9..60a7af6 100644
  optional_policy(`
  	daemontools_service_domain(openvpn_t, openvpn_exec_t)
  ')
-@@ -155,3 +193,27 @@ optional_policy(`
+@@ -155,3 +191,27 @@ optional_policy(`
  		networkmanager_dbus_chat(openvpn_t)
  	')
  ')
@@ -73188,7 +73218,7 @@ index 3bd6446..8bde316 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/rpc.te b/rpc.te
-index e5212e6..97bb4a0 100644
+index e5212e6..022f7fc 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -1,4 +1,4 @@
@@ -73206,7 +73236,7 @@ index e5212e6..97bb4a0 100644
 -##	generic user temporary content.
 -##	</p>
 +## <p>
-+## Allow gssd to read temp directory.  For access to kerberos tgt.
++## Allow gssd to list tmp directories and read the kerberos credential cache.
 +## </p>
  ## </desc>
 -gen_tunable(allow_gssd_read_tmp, false)
@@ -86630,7 +86660,7 @@ index 42946bc..741f2f4 100644
 +	can_exec($1, telepathy_executable)
  ')
 diff --git a/telepathy.te b/telepathy.te
-index e9c0964..8d5bbdd 100644
+index e9c0964..5a41683 100644
 --- a/telepathy.te
 +++ b/telepathy.te
 @@ -1,29 +1,28 @@
@@ -87134,7 +87164,7 @@ index e9c0964..8d5bbdd 100644
  optional_policy(`
  	xserver_read_xdm_pid(telepathy_sunshine_t)
  	xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +385,48 @@ optional_policy(`
+@@ -452,31 +385,49 @@ optional_policy(`
  
  #######################################
  #
@@ -87180,6 +87210,7 @@ index e9c0964..8d5bbdd 100644
 +
 +optional_policy(`
 +	systemd_dbus_chat_logind(telepathy_domain)
++	systemd_write_inhibit_pipes(telepathy_domain)
 +')
 +
 +optional_policy(`
@@ -89177,7 +89208,7 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 7116181..971952e 100644
+index 7116181..b957a0f 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -89231,7 +89262,7 @@ index 7116181..971952e 100644
  
  corecmd_exec_bin(tuned_t)
  corecmd_exec_shell(tuned_t)
-@@ -64,31 +73,52 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +73,53 @@ corecmd_exec_shell(tuned_t)
  dev_getattr_all_blk_files(tuned_t)
  dev_getattr_all_chr_files(tuned_t)
  dev_read_urand(tuned_t)
@@ -89246,6 +89277,7 @@ index 7116181..971952e 100644
  
 -fs_getattr_xattr_fs(tuned_t)
 +fs_getattr_all_fs(tuned_t)
++fs_search_all(tuned_t)
 +
 +auth_use_nsswitch(tuned_t)
  
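Review bot: `fs_search_all(tuned_t)` grants directory search on every filesystem type at once, which is considerably broader than the `fs_getattr_all_fs(tuned_t)` it sits beside (superblock getattr versus traversal of any mount). If the denial behind it came from one or two specific filesystems, which is typical for a tuning daemon that pokes at sysfs and cgroup trees, the per-filesystem search interface is the narrower choice; if arbitrary mounts really are needed, a comment saying so would stop the next reviewer from tightening it. This is hedged, since the motivating AVC is not in the hunk.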
@@ -92611,7 +92643,7 @@ index 9dec06c..73549fd 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..924d71c 100644
+index 1f22fba..a35bf47 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,147 +1,166 @@
@@ -92854,7 +92886,7 @@ index 1f22fba..924d71c 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -150,295 +169,139 @@ ifdef(`enable_mls',`
+@@ -150,295 +169,140 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -93217,6 +93249,7 @@ index 1f22fba..924d71c 100644
 -manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
 +allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill };
 +allow virt_domain virtd_t:fd use;
 +dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 +allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
@@ -93233,7 +93266,7 @@ index 1f22fba..924d71c 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +311,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +312,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -93280,7 +93313,7 @@ index 1f22fba..924d71c 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +346,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +347,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -93302,7 +93335,7 @@ index 1f22fba..924d71c 100644
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +359,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +360,7 @@ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  kernel_setsched(virtd_t)
@@ -93310,7 +93343,7 @@ index 1f22fba..924d71c 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,24 +367,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +368,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -93338,7 +93371,7 @@ index 1f22fba..924d71c 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -548,22 +387,24 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +388,27 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -93354,6 +93387,9 @@ index 1f22fba..924d71c 100644
  files_read_usr_src_files(virtd_t)
 +files_relabelto_system_conf_files(virtd_t)
 +files_relabelfrom_system_conf_files(virtd_t)
++files_relabelfrom_boot_files(virtd_t)
++files_relabelto_boot_files(virtd_t)
++files_manage_boot_files(virtd_t)
  
  # Manages /etc/sysconfig/system-config-firewall
 -# files_relabelto_system_conf_files(virtd_t)
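Review bot: `files_manage_boot_files(virtd_t)` together with `files_relabelfrom_boot_files` and `files_relabelto_boot_files` lets libvirtd create, overwrite, delete and relabel files in /boot, i.e. kernels and bootloader configuration, and the hunk carries no comment saying which libvirt operation needs write access there. For a daemon that can be exposed over the network that is a large widening and deserves a one-line justification next to the rules and a mention in the description; if the need is only to read kernel images for direct-kernel boot, `files_read_boot_files(virtd_t)` would suffice. The relabel pair additionally allows moving files between boot_t and other labels, so check that it is actually required rather than added alongside manage for symmetry.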
@@ -93368,7 +93404,7 @@ index 1f22fba..924d71c 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +435,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +439,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -93388,7 +93424,7 @@ index 1f22fba..924d71c 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +457,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +461,26 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -93425,7 +93461,7 @@ index 1f22fba..924d71c 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +485,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +489,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -93434,7 +93470,7 @@ index 1f22fba..924d71c 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -658,20 +510,12 @@ optional_policy(`
+@@ -658,20 +514,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -93455,7 +93491,7 @@ index 1f22fba..924d71c 100644
  ')
  
  optional_policy(`
-@@ -684,14 +528,20 @@ optional_policy(`
+@@ -684,14 +532,20 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -93478,7 +93514,7 @@ index 1f22fba..924d71c 100644
  	iptables_manage_config(virtd_t)
  ')
  
-@@ -704,11 +554,13 @@ optional_policy(`
+@@ -704,11 +558,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93492,7 +93528,7 @@ index 1f22fba..924d71c 100644
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
  	policykit_read_lib(virtd_t)
-@@ -719,10 +571,18 @@ optional_policy(`
+@@ -719,10 +575,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93511,7 +93547,7 @@ index 1f22fba..924d71c 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -737,44 +597,262 @@ optional_policy(`
+@@ -737,44 +601,262 @@ optional_policy(`
  	udev_read_db(virtd_t)
  ')
  
@@ -93673,7 +93709,7 @@ index 1f22fba..924d71c 100644
 +optional_policy(`
 +	ptchown_domtrans(virt_domain)
 +')
-+
+ 
 +optional_policy(`
 +	pulseaudio_dontaudit_exec(virt_domain)
 +')
@@ -93742,7 +93778,7 @@ index 1f22fba..924d71c 100644
 +		xserver_stream_connect(virt_domain)
 +	')
 +')
- 
++
 +########################################
 +#
 +# xm local policy
@@ -93796,7 +93832,7 @@ index 1f22fba..924d71c 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +863,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +867,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -93823,7 +93859,7 @@ index 1f22fba..924d71c 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +883,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +887,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -93855,7 +93891,7 @@ index 1f22fba..924d71c 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +916,20 @@ optional_policy(`
+@@ -847,14 +920,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93877,7 +93913,7 @@ index 1f22fba..924d71c 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,49 +954,65 @@ optional_policy(`
+@@ -879,49 +958,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -93961,7 +93997,7 @@ index 1f22fba..924d71c 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1024,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1028,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -93981,7 +94017,7 @@ index 1f22fba..924d71c 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1045,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1049,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -94005,7 +94041,7 @@ index 1f22fba..924d71c 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1070,251 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1074,264 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -94034,12 +94070,12 @@ index 1f22fba..924d71c 100644
 +optional_policy(`
 +	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
-+
+ 
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_lxc_t)
 +')
- 
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
 +optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
@@ -94065,8 +94101,6 @@ index 1f22fba..924d71c 100644
 +
 +allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
 +allow svirt_sandbox_domain virtd_lxc_t:fd use;
-+allow svirt_sandbox_domain virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_sandbox_domain virt_lxc_var_run_t:file read_file_perms;
 +allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
 +
 +manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
@@ -94135,6 +94169,10 @@ index 1f22fba..924d71c 100644
 +	apache_exec_modules(svirt_sandbox_domain)
 +	apache_read_sys_content(svirt_sandbox_domain)
 +')
++
++optional_policy(`
++	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
  
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -94219,21 +94257,17 @@ index 1f22fba..924d71c 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++	ssh_use_ptys(svirt_sandbox_domain)
 +')
  
  optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
-+	ssh_use_ptys(svirt_sandbox_domain)
++	udev_read_pid_files(svirt_sandbox_domain)
  ')
  
  optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
-+	udev_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
  ')
  
@@ -94263,6 +94297,9 @@ index 1f22fba..924d71c 100644
 +allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
  allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
  
++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
++
  kernel_read_network_state(svirt_lxc_net_t)
  kernel_read_irq_sysctls(svirt_lxc_net_t)
  
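Review bot: The two read rules on virt_lxc_var_run_t are now granted to svirt_lxc_net_t only, whereas the lines removed earlier in this patch (hunk @@ -94065) carried them on the svirt_sandbox_domain attribute, so every other sandbox type loses that access. That narrowing looks like a deliberate least-privilege step, but it is silent in the commit description and changelog, so a one-line comment such as `# only the network-enabled lxc sandbox reads libvirt-lxc runtime state` above the rules would record the intent for anyone debugging a denial on another sandbox type. The enclosing svirt_lxc_net_t block starts outside this hunk.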
@@ -94339,6 +94376,18 @@ index 1f22fba..924d71c 100644
 +allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +
++term_use_generic_ptys(svirt_qemu_net_t)
++term_use_ptmx(svirt_qemu_net_t)
++
++dev_rw_kvm(svirt_qemu_net_t)
++
++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
++
++list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++
++append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
++
 +kernel_read_network_state(svirt_qemu_net_t)
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
 +
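Review bot: `dev_rw_kvm(svirt_qemu_net_t)` together with `manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)` hands a sandbox domain direct /dev/kvm access and socket management in qemu's runtime directory, and nothing in the hunk or the commit record says which workload needs it. The rules sit between unrelated pty and log grants, so a short comment naming the component that runs as svirt_qemu_net_t, e.g. `# svirt_qemu_net_t: sandboxed qemu with networking; needs /dev/kvm, its runtime sockets and append-only logging`, would help reviewers judge the scope. The svirt_qemu_net_t block starts before this hunk.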
@@ -94346,7 +94395,8 @@ index 1f22fba..924d71c 100644
 +dev_getattr_mtrr_dev(svirt_qemu_net_t)
 +dev_read_rand(svirt_qemu_net_t)
 +dev_read_urand(svirt_qemu_net_t)
-+
+ 
+-allow svirt_prot_exec_t self:process { execmem execstack };
 +corenet_tcp_bind_generic_node(svirt_qemu_net_t)
 +corenet_udp_bind_generic_node(svirt_qemu_net_t)
 +corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t)
@@ -94354,8 +94404,7 @@ index 1f22fba..924d71c 100644
 +corenet_udp_bind_all_ports(svirt_qemu_net_t)
 +corenet_tcp_bind_all_ports(svirt_qemu_net_t)
 +corenet_tcp_connect_all_ports(svirt_qemu_net_t)
- 
--allow svirt_prot_exec_t self:process { execmem execstack };
++
 +files_read_kernel_modules(svirt_qemu_net_t)
 +
 +fs_noxattr_type(svirt_sandbox_file_t)
@@ -94387,7 +94436,7 @@ index 1f22fba..924d71c 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1327,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1344,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -94402,7 +94451,7 @@ index 1f22fba..924d71c 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1345,8 @@ optional_policy(`
+@@ -1183,9 +1362,8 @@ optional_policy(`
  
  ########################################
  #
@@ -94413,7 +94462,7 @@ index 1f22fba..924d71c 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1359,124 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1376,124 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3a9a3de..28ae944 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 83%{?dist}
+Release: 84%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -571,6 +571,26 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Sep 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-84
+- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
+- Allow tuned to search all file system directories
+- Allow alsa_t to sys_nice, to get top performance for sound management
+- Add support for MySQL/PostgreSQL for amavis
+- Allow openvpn_t to manage openvpn_var_log_t files.
+- Allow dirsrv_t to create tmpfs_t directories
+- Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label
+- Dontaudit leaked unix_stream_sockets into gnome keyring
+- Allow telepathy domains to inhibit pipes on telepathy domains
+- Allow cloud-init to domtrans to rpm
+- Allow abrt daemon to manage abrt-watch tmp files
+- Allow abrt-upload-watcher to search /var/spool directory
+- Allow nsswitch domains to manage own process key
+- Fix labeling for mgetty.* logs
+- Allow systemd to dbus chat with upower
+- Allow ipsec to send signull to itself
+- Allow setgid cap for ipsec_t
+- Match upstream labeling
+
 * Wed Sep 25 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-83
 - Do not build sanbox pkg on MLS 
 

