[selinux-policy] - Allow mailserver_domains to manage and transition to mailman data - Dontaudit attempts by mozilla
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Oct 17 06:30:38 UTC 2013
commit 37ab07630699df588a01ea3178df32ef4638380f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Oct 17 08:30:35 2013 +0200
- Allow mailserver_domains to manage and transition to mailman data
- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv
- Allow mailserver_domains to manage and transition to mailman data
- Allow svirt_domains to read sysctl_net_t
- Allow thumb_t to use tmpfs inherited from the user
- Allow mozilla_plugin to bind to the vnc port if running with spice
- Add new attribute to discover confined_admins and assign confined admin to
- Fix zabbix to handle attributes in interfaces
- Fix zabbix to read system states for all zabbix domains
- Fix piranha_domain_template()
- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files.
- Allow lldpad sys_resource cap due to #986870
- Allow dovecot-auth to read nologin
- Allow openlmi-networking to read /proc/net/dev
- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t
- Add zabbix_domain attribute for zabbix domains to treat them together
- Add labels for zabbix-proxy-* (#1018221)
- Update openlmi-storage policy to reflect #1015067
- Back port piranha tmpfs fixes from RHEL6
- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop
- Add postfix_rw_spool_maildrop_files interface
- Call new userdom_admin_user_template() also for sysadm_secadm.pp
- Fix typo in userdom_admin_user_template()
- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
- Add new attribute to discover confined_admins
- Fix labeling for /etc/strongswan/ipsec.d
- systemd_logind seems to pass fd to anyone who dbus communicates with it
- Dontaudit leaked write descriptor to dmesg
policy-rawhide-base.patch | 476 ++++++++++++++++++++++-------
policy-rawhide-contrib.patch | 679 ++++++++++++++++++++++++++----------------
selinux-policy.spec | 32 ++-
3 files changed, 820 insertions(+), 367 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 583b8b8..c09ae40 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1490,7 +1490,7 @@ index d6cc2d9..0685b19 100644
+
+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..ff164b3 100644
+index 72bc6d8..17357e5 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -9,6 +9,10 @@ type dmesg_t;
@@ -1504,7 +1504,7 @@ index 72bc6d8..ff164b3 100644
########################################
#
# Local policy
-@@ -19,6 +23,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
+@@ -19,14 +23,17 @@ dontaudit dmesg_t self:capability sys_tty_config;
allow dmesg_t self:process signal_perms;
@@ -1512,20 +1512,22 @@ index 72bc6d8..ff164b3 100644
kernel_read_kernel_sysctls(dmesg_t)
kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t)
-@@ -27,6 +32,7 @@ kernel_list_proc(dmesg_t)
+ kernel_change_ring_buffer_level(dmesg_t)
+ kernel_list_proc(dmesg_t)
kernel_read_proc_symlinks(dmesg_t)
++kernel_dontaudit_write_kernel_sysctl(dmesg_t)
dev_read_sysfs(dmesg_t)
+dev_read_kmsg(dmesg_t)
fs_search_auto_mountpoints(dmesg_t)
-@@ -44,10 +50,13 @@ init_use_script_ptys(dmesg_t)
+@@ -44,10 +51,12 @@ init_use_script_ptys(dmesg_t)
logging_send_syslog_msg(dmesg_t)
logging_write_generic_logs(dmesg_t)
-miscfiles_read_localization(dmesg_t)
-
+-
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
-userdom_use_user_terminals(dmesg_t)
+userdom_use_inherited_user_terminals(dmesg_t)
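Review bot: The added `++kernel_dontaudit_write_kernel_sysctl(dmesg_t)` carries no comment, so a reader of dmesg.te cannot tell that it silences a descriptor leaked by a caller (the changelog's "Dontaudit leaked write descriptor to dmesg") rather than a write that dmesg itself attempts. Suggest preceding it with `# dontaudit: callers leak a write fd for a kernel sysctl into dmesg_t; not an operation dmesg performs itself` (naming the leaking caller if it is known). A dontaudit hides that denial from the audit log for every future write attempt as well, so the line is worth tracing back to its origin in the file itself. The dmesg_t local policy block continues outside this hunk.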
@@ -17039,9 +17041,18 @@ index 0000000..48caabc
+allow domain unlabeled_t:packet { send recv };
+
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
-index 834a065..1105353 100644
+index 834a065..c769f81 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
+@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0)
+
+ role auditadm_r;
+ role system_r;
+-userdom_unpriv_user_template(auditadm)
++userdom_confined_admin_template(auditadm)
+
+ ########################################
+ #
@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t)
domain_kill_all_domains(auditadm_t)
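Review bot: `++userdom_confined_admin_template(auditadm)` replaces `userdom_unpriv_user_template(auditadm)`, but no hunk in view defines `userdom_confined_admin_template`; if it is added elsewhere in this patch that is fine, otherwise the auditadm, logadm and secadm modules will not build. The same substitution is made for logadm (which previously derived from `userdom_base_user_template`) and for secadm in the two following hunks, so all three roles now inherit one shared access set; it is worth confirming that set is no wider than what `userdom_base_user_template` gave logadm before. A one-line comment above the call, naming the `confined_admindomain` attribute the template is expected to assign, would let a reader connect the three role files to the new attribute. The auditadm_t local policy block continues outside the hunk.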
@@ -17065,10 +17076,18 @@ index 834a065..1105353 100644
consoletype_exec(auditadm_t)
')
diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
-index 3a45a3e..6b08160 100644
+index 3a45a3e..7499f24 100644
--- a/policy/modules/roles/logadm.te
+++ b/policy/modules/roles/logadm.te
-@@ -14,6 +14,5 @@ userdom_base_user_template(logadm)
+@@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0)
+
+ role logadm_r;
+
+-userdom_base_user_template(logadm)
++userdom_confined_admin_template(logadm)
+
+ ########################################
+ #
# logadmin local policy
#
@@ -17077,13 +17096,17 @@ index 3a45a3e..6b08160 100644
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index da11120..34f3a61 100644
+index da11120..d67bcca 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
-@@ -9,6 +9,8 @@ role secadm_r;
+@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0)
+
+ role secadm_r;
- userdom_unpriv_user_template(secadm)
- userdom_security_admin_template(secadm_t, secadm_r)
+-userdom_unpriv_user_template(secadm)
+-userdom_security_admin_template(secadm_t, secadm_r)
++userdom_confined_admin_template(secadm)
++userdom_security_admin(secadm_t, secadm_r)
+userdom_inherit_append_admin_home_files(secadm_t)
+userdom_read_admin_home_files(secadm_t)
@@ -18080,7 +18103,7 @@ index 0000000..bd83148
+## <summary>No Interfaces</summary>
diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te
new file mode 100644
-index 0000000..63bc797
+index 0000000..3175fd7
--- /dev/null
+++ b/policy/modules/roles/sysadm_secadm.te
@@ -0,0 +1,25 @@
@@ -18096,7 +18119,7 @@ index 0000000..63bc797
+ role sysadm_r;
+')
+
-+userdom_security_admin_template(sysadm_t, sysadm_r)
++userdom_admin_user_template(sysadm_t, sysadm_r)
+
+#######################################
+#
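Review bot: `++userdom_admin_user_template(sysadm_t, sysadm_r)` passes an existing type where that template expects a prefix: its body, visible in the userdomain.if hunks further down, refers to `$1_t` (`role system_r types $1_t;`, `typeattribute $1_t admindomain;`), so this call expands to `sysadm_t_t`, a new domain unrelated to `sysadm_t`, and the second argument is ignored. The secadm.te hunk above uses the renamed `userdom_security_admin(secadm_t, secadm_r)`, whose body acts on `$1` directly, and that appears to be what sysadm_secadm needs as well: `userdom_security_admin(sysadm_t, sysadm_r)`. If `userdom_admin_user_template` has been changed elsewhere in the patch to accept a type rather than a prefix, disregard, but the hunks shown still build names from `$1_t`.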
@@ -24669,7 +24692,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..eb629f0 100644
+index 3efd5b6..f0151a8 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -24858,7 +24881,32 @@ index 3efd5b6..eb629f0 100644
## Execute a login_program in the target domain,
## with a range transition.
## </summary>
-@@ -402,6 +438,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -322,6 +358,24 @@ interface(`auth_rw_cache',`
+
+ ########################################
+ ## <summary>
++## Create authentication cache
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`auth_create_cache',`
++ gen_require(`
++ type auth_cache_t;
++ ')
++
++ create_files_pattern($1, auth_cache_t, auth_cache_t)
++')
++
++########################################
++## <summary>
+ ## Manage authentication cache
+ ## </summary>
+ ## <param name="domain">
+@@ -402,6 +456,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(`
samba_stream_connect_winbind($1)
')
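Review bot: The new `auth_create_cache` interface is granted to every login user domain in the userdomain.if hunk below (`++ auth_create_cache($1_t)` next to `auth_rw_cache($1_t)`), which lets any unprivileged user domain create files under auth_cache_t, yet its summary `Create authentication cache` does not say which component consumes those files or why user domains need create rather than only read/write. Suggest the summary name the consumer and the reason, in the form `## Create files in the authentication cache (auth_cache_t) on behalf of <consumer>`, with the real consumer filled in. `create_files_pattern` grants add_name/write on the auth_cache_t directory but not search on its parent, so callers presumably rely on `auth_rw_cache` or `files_search_var` for that; worth confirming.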
@@ -24867,7 +24915,7 @@ index 3efd5b6..eb629f0 100644
')
########################################
-@@ -428,6 +466,24 @@ interface(`auth_domtrans_chkpwd',`
+@@ -428,6 +484,24 @@ interface(`auth_domtrans_chkpwd',`
########################################
## <summary>
@@ -24892,7 +24940,7 @@ index 3efd5b6..eb629f0 100644
## Execute chkpwd programs in the chkpwd domain.
## </summary>
## <param name="domain">
-@@ -448,6 +504,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +522,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -24918,7 +24966,7 @@ index 3efd5b6..eb629f0 100644
')
########################################
-@@ -467,7 +542,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +560,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -24926,7 +24974,7 @@ index 3efd5b6..eb629f0 100644
')
########################################
-@@ -664,6 +738,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +756,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -24937,7 +24985,7 @@ index 3efd5b6..eb629f0 100644
')
#######################################
-@@ -763,7 +841,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +859,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -24989,7 +25037,7 @@ index 3efd5b6..eb629f0 100644
')
#######################################
-@@ -824,9 +945,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +963,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
@@ -25020,7 +25068,7 @@ index 3efd5b6..eb629f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -834,12 +975,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +993,27 @@ interface(`auth_rw_lastlog',`
## </summary>
## </param>
#
@@ -25051,7 +25099,7 @@ index 3efd5b6..eb629f0 100644
')
########################################
-@@ -854,15 +1010,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1028,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@@ -25070,7 +25118,7 @@ index 3efd5b6..eb629f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -875,13 +1031,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1049,33 @@ interface(`auth_signal_pam',`
## </summary>
## </param>
#
@@ -25108,7 +25156,7 @@ index 3efd5b6..eb629f0 100644
')
########################################
-@@ -959,9 +1135,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1153,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -25142,7 +25190,7 @@ index 3efd5b6..eb629f0 100644
')
########################################
-@@ -1040,6 +1237,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1255,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -25153,7 +25201,7 @@ index 3efd5b6..eb629f0 100644
')
########################################
-@@ -1176,6 +1377,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1395,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -25161,7 +25209,7 @@ index 3efd5b6..eb629f0 100644
')
#######################################
-@@ -1576,6 +1778,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1796,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -25187,7 +25235,7 @@ index 3efd5b6..eb629f0 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1726,24 +1947,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1965,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -25213,7 +25261,7 @@ index 3efd5b6..eb629f0 100644
')
########################################
-@@ -1767,11 +1971,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1989,13 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
@@ -25230,7 +25278,7 @@ index 3efd5b6..eb629f0 100644
')
########################################
-@@ -1805,3 +2011,241 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2029,241 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -26009,7 +26057,7 @@ index 3694bfe..7fcd27a 100644
')
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index a97a096..f65892c 100644
+index a97a096..bf726c3 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -1,4 +1,3 @@
@@ -26025,7 +26073,14 @@ index a97a096..f65892c 100644
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -41,7 +39,46 @@
+@@ -35,13 +33,53 @@
+ /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+ /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -29149,10 +29204,10 @@ index dd3be8d..4d15ea1 100644
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..97f750e 100644
+index 662e79b..ae5a411 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,21 @@
+@@ -1,14 +1,22 @@
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
@@ -29169,14 +29224,14 @@ index 662e79b..97f750e 100644
/etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
--/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
-+/etc/(strongswan)?/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,16 +33,22 @@
+@@ -26,16 +34,22 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -36021,10 +36076,10 @@ index 0000000..e9f1096
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..685e79a
+index 0000000..f0fe449
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1393 @@
+@@ -0,0 +1,1394 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@@ -36433,6 +36488,7 @@ index 0000000..685e79a
+ allow systemd_logind_t $1:dbus send_msg;
+ ps_process_pattern(systemd_logind_t, $1)
+ allow systemd_logind_t $1:process signal;
++ allow $1 systemd_logind_t:fd use;
+')
+
+#######################################
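Review bot: `++ allow $1 systemd_logind_t:fd use;` lets every domain that calls this interface use descriptors logind hands over, with no comment on why; the changelog explains it ("systemd_logind seems to pass fd to anyone who dbus communicates with it"), but that reasoning is lost in the .if file. Suggest `# logind hands inherited fds to its dbus peers; allow using them so those peers keep working` above the line, adjusted if the intent is only to silence noise, in which case `dontaudit` would be the narrower choice. The interface's header and name are outside this hunk.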
@@ -39453,7 +39509,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..f15c4f0 100644
+index 3c5dba7..9b2cdf7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40423,7 +40479,7 @@ index 3c5dba7..f15c4f0 100644
userdom_change_password_template($1)
-@@ -761,82 +984,100 @@ template(`userdom_login_user_template', `
+@@ -761,82 +984,101 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -40482,6 +40538,7 @@ index 3c5dba7..f15c4f0 100644
+ fs_rw_anon_inodefs_files($1_usertype)
+ auth_role($1_r, $1_t)
++ auth_create_cache($1_t)
+ auth_rw_cache($1_t)
+ auth_search_pam_console_data($1_t)
+ auth_dontaudit_read_login_records($1_t)
@@ -40560,7 +40617,7 @@ index 3c5dba7..f15c4f0 100644
')
')
-@@ -868,6 +1109,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1110,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -40573,7 +40630,7 @@ index 3c5dba7..f15c4f0 100644
##############################
#
# Local policy
-@@ -907,42 +1154,99 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1155,99 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -40686,7 +40743,7 @@ index 3c5dba7..f15c4f0 100644
')
optional_policy(`
-@@ -951,15 +1255,36 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,15 +1256,36 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
@@ -40726,7 +40783,7 @@ index 3c5dba7..f15c4f0 100644
## <summary>
## The template for creating a unprivileged user roughly
## equivalent to a regular linux user.
-@@ -990,27 +1315,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1316,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -40764,7 +40821,7 @@ index 3c5dba7..f15c4f0 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1021,23 +1352,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1353,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -40835,7 +40892,7 @@ index 3c5dba7..f15c4f0 100644
')
# Run pppd in pppd_t by default for user
-@@ -1046,7 +1414,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1415,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -40846,16 +40903,26 @@ index 3c5dba7..f15c4f0 100644
')
')
-@@ -1082,7 +1452,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1453,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
- class passwd { passwd chfn chsh rootok };
++ attribute confined_admindomain;
++
+ class passwd { passwd chfn chsh rootok crontab };
')
##############################
-@@ -1109,6 +1479,7 @@ template(`userdom_admin_user_template',`
+@@ -1098,6 +1471,7 @@ template(`userdom_admin_user_template',`
+ role system_r types $1_t;
+
+ typeattribute $1_t admindomain;
++ typeattribute $1_t confined_admindomain;
+
+ ifdef(`direct_sysadm_daemon',`
+ domain_system_change_exemption($1_t)
+@@ -1109,6 +1483,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
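Review bot: `++ typeattribute $1_t confined_admindomain;` inside `userdom_admin_user_template` tags the full administrator domain — the same template grants `allow $1_t self:capability ~{ sys_module audit_control audit_write }` at the hunk's last line — with an attribute whose name, and the changelog's "discover confined_admins", suggest it is meant for the confined auditadm/logadm/secadm roles. If the attribute is used to scope rules to confined admins, every such rule now also covers sysadm_t; either drop the typeattribute here or document that the attribute means "all admin domains" with a comment next to the `attribute confined_admindomain;` declaration (not in view). The template body continues outside the hunk.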
@@ -40863,7 +40930,7 @@ index 3c5dba7..f15c4f0 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1117,6 +1488,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1492,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -40873,7 +40940,7 @@ index 3c5dba7..f15c4f0 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1131,6 +1505,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -40881,7 +40948,7 @@ index 3c5dba7..f15c4f0 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1523,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -40896,7 +40963,7 @@ index 3c5dba7..f15c4f0 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,29 +1541,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -40939,7 +41006,7 @@ index 3c5dba7..f15c4f0 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1582,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -40948,7 +41015,7 @@ index 3c5dba7..f15c4f0 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1591,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -40967,7 +41034,16 @@ index 3c5dba7..f15c4f0 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1253,6 +1647,8 @@ template(`userdom_security_admin_template',`
+@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',`
+ ## </summary>
+ ## </param>
+ #
+-template(`userdom_security_admin_template',`
++template(`userdom_security_admin',`
+ allow $1 self:capability { dac_read_search dac_override };
+
+ corecmd_exec_shell($1)
+@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -40976,7 +41052,7 @@ index 3c5dba7..f15c4f0 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
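Review bot: `++template(`userdom_security_admin',` renames `userdom_security_admin_template` with no compatibility macro, so any caller not updated in this patch (the contrib patch changed by this commit is not in view) fails at build time with an undefined macro. A deprecated wrapper under the old name keeps those callers building while warning, as below. Since the body acts on `$1` as an existing type (`allow $1 self:capability { dac_read_search dac_override };`, `corecmd_exec_shell($1)`) rather than generating `$1_t` types, declaring it with `interface(` instead of `template(` would match refpolicy convention; the inner hunk header `+@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',` below still shows the old name, which is harmless generated context.
```m4
template(`userdom_security_admin_template',`
	refpolicywarn(`$0($*) has been renamed to userdom_security_admin(), please update the caller.')
	userdom_security_admin($1, $2)
')
```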
-@@ -1265,8 +1661,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1665,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -40988,7 +41064,7 @@ index 3c5dba7..f15c4f0 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,29 +1675,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1679,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -41031,7 +41107,7 @@ index 3c5dba7..f15c4f0 100644
')
optional_policy(`
-@@ -1360,14 +1760,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1764,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -41050,7 +41126,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -1408,6 +1811,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -41102,7 +41178,7 @@ index 3c5dba7..f15c4f0 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1512,11 +1960,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -41134,7 +41210,7 @@ index 3c5dba7..f15c4f0 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1558,6 +2026,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -41149,7 +41225,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -1573,9 +2049,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -41161,7 +41237,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -1632,6 +2110,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -41204,7 +41280,7 @@ index 3c5dba7..f15c4f0 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1711,6 +2225,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -41213,7 +41289,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -1744,10 +2260,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -41228,7 +41304,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -1772,7 +2290,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@@ -41255,7 +41331,7 @@ index 3c5dba7..f15c4f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1782,53 +2318,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',`
#
interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
@@ -41338,7 +41414,7 @@ index 3c5dba7..f15c4f0 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1848,6 +2401,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -41364,7 +41440,7 @@ index 3c5dba7..f15c4f0 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1878,14 +2450,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -41402,7 +41478,7 @@ index 3c5dba7..f15c4f0 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1896,11 +2490,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -41420,7 +41496,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -1941,7 +2538,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@@ -41429,7 +41505,7 @@ index 3c5dba7..f15c4f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1949,19 +2546,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1949,19 +2550,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
## </summary>
## </param>
#
@@ -41453,7 +41529,7 @@ index 3c5dba7..f15c4f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1969,35 +2564,35 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,35 +2568,35 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@@ -41497,7 +41573,7 @@ index 3c5dba7..f15c4f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2005,45 +2600,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+@@ -2005,45 +2604,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
## </summary>
## </param>
#
@@ -41604,7 +41680,7 @@ index 3c5dba7..f15c4f0 100644
## Do not audit attempts to execute user home files.
## </summary>
## <param name="domain">
-@@ -2123,7 +2765,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@@ -41613,7 +41689,7 @@ index 3c5dba7..f15c4f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2131,19 +2773,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -41637,7 +41713,7 @@ index 3c5dba7..f15c4f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2151,12 +2791,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -41653,7 +41729,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -2393,11 +3033,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -41668,7 +41744,7 @@ index 3c5dba7..f15c4f0 100644
files_search_tmp($1)
')
-@@ -2417,7 +3057,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -41677,7 +41753,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -2664,6 +3304,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -41703,7 +41779,7 @@ index 3c5dba7..f15c4f0 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2680,13 +3339,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -41719,7 +41795,7 @@ index 3c5dba7..f15c4f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2707,7 +3367,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -41728,7 +41804,7 @@ index 3c5dba7..f15c4f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2715,14 +3375,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -41763,7 +41839,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -2817,6 +3493,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3497,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -41788,7 +41864,7 @@ index 3c5dba7..f15c4f0 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2835,22 +3529,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3533,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -41831,7 +41907,7 @@ index 3c5dba7..f15c4f0 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2859,14 +3565,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3569,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -41869,7 +41945,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -2885,8 +3610,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -41899,7 +41975,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -2958,69 +3702,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -42000,7 +42076,7 @@ index 3c5dba7..f15c4f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3028,12 +3771,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -42015,7 +42091,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -3097,7 +3840,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -42024,7 +42100,7 @@ index 3c5dba7..f15c4f0 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3856,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -42058,7 +42134,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -3217,7 +3944,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -42085,7 +42161,7 @@ index 3c5dba7..f15c4f0 100644
')
########################################
-@@ -3272,12 +4017,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -42101,7 +42177,7 @@ index 3c5dba7..f15c4f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3285,36 +4031,37 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3285,36 +4035,37 @@ interface(`userdom_write_user_tmp_files',`
## </summary>
## </param>
#
@@ -42149,7 +42225,7 @@ index 3c5dba7..f15c4f0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3322,25 +4069,81 @@ interface(`userdom_read_all_users_state',`
+@@ -3322,21 +4073,77 @@ interface(`userdom_read_all_users_state',`
## </summary>
## </param>
#
@@ -42172,10 +42248,9 @@ index 3c5dba7..f15c4f0 100644
## <summary>
-## Domain allowed access.
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`userdom_use_all_users_fds',`
++## </summary>
++## </param>
++#
+interface(`userdom_dontaudit_use_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
@@ -42229,14 +42304,10 @@ index 3c5dba7..f15c4f0 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_use_all_users_fds',`
- gen_require(`
- attribute userdomain;
- ')
-@@ -3385,6 +4188,42 @@ interface(`userdom_signal_all_users',`
+ ## </summary>
+ ## </param>
+ #
+@@ -3385,6 +4192,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -42279,7 +42350,7 @@ index 3c5dba7..f15c4f0 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4244,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4248,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -42304,7 +42375,7 @@ index 3c5dba7..f15c4f0 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3438,4 +4295,1493 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4299,1533 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -43797,12 +43868,52 @@ index 3c5dba7..f15c4f0 100644
+ ')
+
+ dontaudit $1 user_home_type:dir_file_class_set audit_access;
++')
++
++#######################################
++## <summary>
++## The template containing the most basic rules common to confined admin.
++## </summary>
++## <desc>
++## <p>
++## The template containing the most basic rules common to all users.
++## </p>
++## <p>
++## This template creates a user domain, types, and
++## rules for the user's tty and pty.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <rolebase/>
++#
++template(`userdom_confined_admin_template',`
++
++ gen_require(`
++ attribute confined_admindomain;
++ attribute userdomain;
++ type user_devpts_t, user_tty_device_t;
++ class context contains;
++ ')
++
++ type $1_t, userdomain, confined_admindomain;
++ role $1_r;
++ role $1_r types $1_t;
++ domain_type($1_t)
++ domain_user_exemption_target($1_t)
++ ubac_constrained($1_t)
++
++ auth_use_nsswitch($1_t)
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..fe99b11 100644
+index e2b538b..e0c6eeb 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
-@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
+@@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5)
## <desc>
## <p>
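Review bot: The `<desc>` of `userdom_confined_admin_template` still carries the wording of the base user template — "common to all users" and "rules for the user's tty and pty" — but the template body visible here only declares `$1_t`/`$1_r`, attaches the `userdomain` and `confined_admindomain` attributes and calls `domain_type`, `domain_user_exemption_target`, `ubac_constrained` and `auth_use_nsswitch`; no tty/pty rule is in the template. I would rewrite the two paragraphs to say that the template creates a confined admin domain and that its common rules (terminals, self permissions, exec rights) come from the `confined_admindomain` attribute block in userdomain.te, so a reader does not look for them here. The `gen_require` also lists `user_devpts_t`, `user_tty_device_t` and `class context contains`, none of which the template body references; unless they are needed for a reason outside this hunk they can be dropped so the require reflects what the template uses.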
@@ -43859,10 +43970,11 @@ index e2b538b..fe99b11 100644
attribute admindomain;
+attribute login_userdomain;
++attribute confined_admindomain;
# all user domains
attribute userdomain;
-@@ -58,6 +52,24 @@ attribute unpriv_userdomain;
+@@ -58,6 +53,24 @@ attribute unpriv_userdomain;
attribute user_home_content_type;
@@ -43887,7 +43999,7 @@ index e2b538b..fe99b11 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +82,227 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,359 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -44117,6 +44229,138 @@ index e2b538b..fe99b11 100644
+ xserver_filetrans_home_content(userdom_filetrans_type)
+ xserver_filetrans_admin_home_content(userdom_filetrans_type)
+')
++
++############################################################
++# Local Policy Confined Admin
++#
++gen_require(`
++ class context contains;
++')
++
++corecmd_shell_entry_type(confined_admindomain)
++corecmd_bin_entry_type(confined_admindomain)
++
++term_user_pty(confined_admindomain, user_devpts_t)
++term_user_tty(confined_admindomain, user_tty_device_t)
++term_dontaudit_getattr_generic_ptys(confined_admindomain)
++
++allow confined_admindomain self:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
++tunable_policy(`deny_ptrace',`',`
++ allow confined_admindomain self:process ptrace;
++')
++allow confined_admindomain self:fd use;
++allow confined_admindomain self:key manage_key_perms;
++
++allow confined_admindomain self:fifo_file rw_fifo_file_perms;
++allow confined_admindomain self:unix_dgram_socket { create_socket_perms sendto };
++allow confined_admindomain self:unix_stream_socket { create_stream_socket_perms connectto };
++allow confined_admindomain self:shm create_shm_perms;
++allow confined_admindomain self:sem create_sem_perms;
++allow confined_admindomain self:msgq create_msgq_perms;
++allow confined_admindomain self:msg { send receive };
++allow confined_admindomain self:context contains;
++dontaudit confined_admindomain self:socket create;
++
++allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
++term_create_pty(confined_admindomain, user_devpts_t)
++# avoid annoying messages on terminal hangup on role change
++dontaudit confined_admindomain user_devpts_t:chr_file ioctl;
++
++allow confined_admindomain user_tty_device_t:chr_file { setattr rw_chr_file_perms };
++# avoid annoying messages on terminal hangup on role change
++dontaudit confined_admindomain user_tty_device_t:chr_file ioctl;
++
++application_exec_all(confined_admindomain)
++
++kernel_read_kernel_sysctls(confined_admindomain)
++kernel_read_all_sysctls(confined_admindomain)
++kernel_dontaudit_list_unlabeled(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_files(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_symlinks(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_pipes(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_sockets(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_blk_files(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_chr_files(confined_admindomain)
++kernel_dontaudit_list_proc(confined_admindomain)
++
++dev_dontaudit_getattr_all_blk_files(confined_admindomain)
++dev_dontaudit_getattr_all_chr_files(confined_admindomain)
++dev_getattr_mtrr_dev(confined_admindomain)
++
++# When the user domain runs ps, there will be a number of access
++# denials when ps tries to search /proc. Do not audit these denials.
++domain_dontaudit_read_all_domains_state(confined_admindomain)
++domain_dontaudit_getattr_all_domains(confined_admindomain)
++domain_dontaudit_getsession_all_domains(confined_admindomain)
++dev_dontaudit_all_access_check(confined_admindomain)
++
++files_read_etc_files(confined_admindomain)
++files_list_mnt(confined_admindomain)
++files_list_var(confined_admindomain)
++files_read_mnt_files(confined_admindomain)
++files_dontaudit_all_access_check(confined_admindomain)
++files_read_etc_runtime_files(confined_admindomain)
++files_read_usr_files(confined_admindomain)
++files_read_usr_src_files(confined_admindomain)
++# Read directories and files with the readable_t type.
++# This type is a general type for "world"-readable files.
++files_list_world_readable(confined_admindomain)
++files_read_world_readable_files(confined_admindomain)
++files_read_world_readable_symlinks(confined_admindomain)
++files_read_world_readable_pipes(confined_admindomain)
++files_read_world_readable_sockets(confined_admindomain)
++# old broswer_domain():
++files_dontaudit_getattr_all_dirs(confined_admindomain)
++files_dontaudit_list_non_security(confined_admindomain)
++files_dontaudit_getattr_all_files(confined_admindomain)
++files_dontaudit_getattr_non_security_symlinks(confined_admindomain)
++files_dontaudit_getattr_non_security_pipes(confined_admindomain)
++files_dontaudit_getattr_non_security_sockets(confined_admindomain)
++files_dontaudit_setattr_etc_runtime_files(confined_admindomain)
++
++files_exec_usr_files(confined_admindomain)
++
++fs_list_cgroup_dirs(confined_admindomain)
++fs_dontaudit_rw_cgroup_files(confined_admindomain)
++
++storage_rw_fuse(confined_admindomain)
++
++init_stream_connect(confined_admindomain)
++# The library functions always try to open read-write first,
++# then fall back to read-only if it fails.
++init_dontaudit_rw_utmp(confined_admindomain)
++
++libs_exec_ld_so(confined_admindomain)
++
++miscfiles_read_generic_certs(confined_admindomain)
++
++miscfiles_read_all_certs(confined_admindomain)
++miscfiles_read_public_files(confined_admindomain)
++
++systemd_dbus_chat_logind(confined_admindomain)
++systemd_read_logind_sessions_files(confined_admindomain)
++systemd_write_inhibit_pipes(confined_admindomain)
++systemd_write_inherited_logind_sessions_pipes(confined_admindomain)
++systemd_login_read_pid_files(confined_admindomain)
++tunable_policy(`deny_execmem',`', `
++ # Allow loading DSOs that require executable stack.
++ allow confined_admindomain self:process execmem;
++')
++
++tunable_policy(`selinuxuser_execstack',`
++ # Allow making the stack executable via mprotect.
++ allow confined_admindomain self:process execstack;
++')
++
++optional_policy(`
++ fs_list_cgroup_dirs(confined_admindomain)
++')
++
++optional_policy(`
++ ssh_rw_stream_sockets(confined_admindomain)
++ ssh_delete_tmp(confined_admindomain)
++ ssh_signal(confined_admindomain)
++')
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index e79d545..101086d 100644
--- a/policy/support/misc_patterns.spt
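Review bot: `fs_list_cgroup_dirs(confined_admindomain)` is granted twice in this block, once unconditionally and again inside the `optional_policy` near the end, and `kernel_read_kernel_sysctls` and `miscfiles_read_generic_certs` are subsumed by the `kernel_read_all_sysctls` and `miscfiles_read_all_certs` calls next to them; the second cgroup call and the two narrower calls can go. The comment above the `execmem` rule says "executable stack", but the stack case is the separate `selinuxuser_execstack` rule below it; I would change it to `# Allow anonymous executable memory (execmem) unless deny_execmem is set.` and fix `broswer_domain` to `browser_domain` in the comment further up. Least-privilege caveat: `kernel_read_all_sysctls` together with `application_exec_all` and `files_exec_usr_files` is a wide baseline for a domain meant to be confined, so where one of these came from a specific denial a why-comment naming the tool would make later trimming possible.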
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 3ce3069..3ce5e12 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3007,10 +3007,10 @@ index 0000000..784557c
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 550a69e..842225c 100644
+index 550a69e..66ba451 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,161 +1,199 @@
+@@ -1,161 +1,200 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3076,6 +3076,7 @@ index 550a69e..842225c 100644
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
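Review bot: The new `/srv/gallery2/smarty(/.*)?` entry labels the directory `httpd_sys_rw_content_t`, and if, as the name suggests, it holds Smarty's compiled templates, httpd_t is being allowed to write files it presumably later includes as PHP — a code-write grant rather than a data-write grant, which deserves a comment such as `# Smarty compile cache: httpd writes and later includes these files`. Since the preceding `/srv/gallery2(/.*)?` line labels the whole tree `httpd_sys_content_t`, confirm that the longer stem takes precedence at relabel time so the subtree does not stay read-only.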
@@ -4706,7 +4707,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..217ba9e 100644
+index 1a82e29..19bd545 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5685,7 +5686,7 @@ index 1a82e29..217ba9e 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +772,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +772,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5730,6 +5731,7 @@ index 1a82e29..217ba9e 100644
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
mta_signal_system_mail(httpd_t)
++ postfix_rw_spool_maildrop_files(httpd_t)
')
-optional_policy(`
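Review bot: `postfix_rw_spool_maildrop_files(httpd_t)` gives httpd_t read and write on existing maildrop spool files, which is wider than submitting mail normally needs; if the denial that prompted it concerns a file httpd itself queued, an append- or create-scoped interface would be the narrower grant, and the `httpd_can_sendmail` boolean description should mention that it now includes write access to the postfix maildrop spool. The enclosing block starts outside the hunk; since postfix is a separate module, the call has to sit under an `optional_policy` wrapper like the other module interfaces, which I cannot confirm from these lines.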
@@ -5775,7 +5777,7 @@ index 1a82e29..217ba9e 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +818,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +819,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5856,7 +5858,7 @@ index 1a82e29..217ba9e 100644
')
optional_policy(`
-@@ -743,14 +870,6 @@ optional_policy(`
+@@ -743,14 +871,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5871,7 +5873,7 @@ index 1a82e29..217ba9e 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +884,23 @@ optional_policy(`
+@@ -765,6 +885,23 @@ optional_policy(`
')
optional_policy(`
@@ -5895,7 +5897,7 @@ index 1a82e29..217ba9e 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +917,46 @@ optional_policy(`
+@@ -781,34 +918,46 @@ optional_policy(`
')
optional_policy(`
@@ -5953,7 +5955,7 @@ index 1a82e29..217ba9e 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +964,18 @@ optional_policy(`
+@@ -816,8 +965,18 @@ optional_policy(`
')
optional_policy(`
@@ -5972,7 +5974,7 @@ index 1a82e29..217ba9e 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +984,7 @@ optional_policy(`
+@@ -826,6 +985,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5980,7 +5982,7 @@ index 1a82e29..217ba9e 100644
')
optional_policy(`
-@@ -836,20 +995,39 @@ optional_policy(`
+@@ -836,20 +996,39 @@ optional_policy(`
')
optional_policy(`
@@ -6026,7 +6028,7 @@ index 1a82e29..217ba9e 100644
')
optional_policy(`
-@@ -857,19 +1035,35 @@ optional_policy(`
+@@ -857,19 +1036,35 @@ optional_policy(`
')
optional_policy(`
@@ -6062,7 +6064,7 @@ index 1a82e29..217ba9e 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1071,170 @@ optional_policy(`
+@@ -877,65 +1072,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6255,7 +6257,7 @@ index 1a82e29..217ba9e 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1244,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6410,7 +6412,7 @@ index 1a82e29..217ba9e 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1327,104 @@ optional_policy(`
+@@ -1077,172 +1328,104 @@ optional_policy(`
')
')
@@ -6646,7 +6648,7 @@ index 1a82e29..217ba9e 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1432,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1433,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6743,7 +6745,7 @@ index 1a82e29..217ba9e 100644
########################################
#
-@@ -1315,8 +1507,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1508,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6760,7 +6762,7 @@ index 1a82e29..217ba9e 100644
')
########################################
-@@ -1324,49 +1523,38 @@ optional_policy(`
+@@ -1324,49 +1524,38 @@ optional_policy(`
# User content local policy
#
@@ -6825,7 +6827,7 @@ index 1a82e29..217ba9e 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1564,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1565,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -16917,7 +16919,7 @@ index b25b01d..e99c5c6 100644
')
+
diff --git a/ctdb.te b/ctdb.te
-index 6ce66e7..f8e9ecc 100644
+index 6ce66e7..03bc338 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -16930,7 +16932,7 @@ index 6ce66e7..f8e9ecc 100644
type ctdbd_var_run_t;
files_pid_file(ctdbd_var_run_t)
-@@ -33,6 +36,7 @@ files_pid_file(ctdbd_var_run_t)
+@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t)
#
allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
@@ -16938,7 +16940,14 @@ index 6ce66e7..f8e9ecc 100644
allow ctdbd_t self:process { setpgid signal_perms setsched };
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
allow ctdbd_t self:unix_stream_socket { accept connectto listen };
-@@ -59,6 +63,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow ctdbd_t self:packet_socket create_socket_perms;
+ allow ctdbd_t self:tcp_socket create_stream_socket_perms;
++allow ctdbd_t self:udp_socket create_socket_perms;
+
+ append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+ create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
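Review bot: `allow ctdbd_t self:udp_socket create_socket_perms;` covers creating and binding the socket but not traffic on a network interface or node; unless those are granted elsewhere, the next AVC will be on `netif`/`node` and the hunk needs `corenet_udp_sendrecv_generic_if`, `corenet_udp_sendrecv_generic_node` and a `corenet_udp_bind_*` rule if ctdbd binds a port. A why-comment such as `# ctdbd opens a UDP socket for <feature>` would record which feature needed it, since the hunk does not say.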
+@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
@@ -16950,7 +16959,7 @@ index 6ce66e7..f8e9ecc 100644
manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
-@@ -72,9 +81,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
+@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
corenet_tcp_sendrecv_generic_if(ctdbd_t)
corenet_tcp_sendrecv_generic_node(ctdbd_t)
corenet_tcp_bind_generic_node(ctdbd_t)
@@ -16962,7 +16971,7 @@ index 6ce66e7..f8e9ecc 100644
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
-@@ -85,12 +96,12 @@ dev_read_urand(ctdbd_t)
+@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
@@ -16977,7 +16986,7 @@ index 6ce66e7..f8e9ecc 100644
miscfiles_read_public_files(ctdbd_t)
optional_policy(`
-@@ -109,6 +120,7 @@ optional_policy(`
+@@ -109,6 +121,7 @@ optional_policy(`
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
@@ -18265,10 +18274,18 @@ index 98a2d6a..fff0987 100644
fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
-index a67870a..76435d4 100644
+index a67870a..f7c0e61 100644
--- a/dbadm.te
+++ b/dbadm.te
-@@ -30,7 +30,7 @@ userdom_base_user_template(dbadm)
+@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
+
+ role dbadm_r;
+
+-userdom_base_user_template(dbadm)
++userdom_confined_admin_template(dbadm)
+
+ ########################################
+ #
# Local policy
#
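Review bot: Switching `dbadm` from `userdom_base_user_template` to `userdom_confined_admin_template` means everything dbadm relied on from the old template must now be reproduced by the `confined_admindomain` attribute block elsewhere in this patch; that cannot be verified from these lines, and anything the old template granted through an attribute it assigned would silently disappear, since the new template assigns only `userdomain` and `confined_admindomain`. A one-line comment above the call, `# base rules come from the confined_admindomain attribute block in userdomain.te`, would make the dependency visible. The dbadm local policy continues outside the hunk.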
@@ -22154,7 +22171,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..934045c 100644
+index a7bfaf0..d4a79a1 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -22408,7 +22425,7 @@ index a7bfaf0..934045c 100644
sendmail_domtrans(dovecot_t)
')
-@@ -221,46 +214,63 @@ optional_policy(`
+@@ -221,46 +214,65 @@ optional_policy(`
########################################
#
@@ -22465,6 +22482,8 @@ index a7bfaf0..934045c 100644
sysnet_use_ldap(dovecot_auth_t)
++systemd_login_read_pid_files(dovecot_auth_t)
++
+userdom_getattr_user_home_dirs(dovecot_auth_t)
+
optional_policy(`
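Review bot: `systemd_login_read_pid_files(dovecot_auth_t)` grants read on everything logind keeps under its run directory with no comment saying which file dovecot-auth needs; presumably this is the `/run/nologin` check, in which case a why-comment would keep the rule from being widened or dropped later: `# dovecot-auth reads /run/nologin, which carries logind's pid-file label`. If the denial really was on that single file, confirm there is no narrower interface before taking the whole directory.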
@@ -22481,7 +22500,7 @@ index a7bfaf0..934045c 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -271,15 +281,30 @@ optional_policy(`
+@@ -271,15 +283,30 @@ optional_policy(`
')
optional_policy(`
@@ -22513,7 +22532,7 @@ index a7bfaf0..934045c 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +314,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +316,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -22574,7 +22593,7 @@ index a7bfaf0..934045c 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +359,6 @@ optional_policy(`
+@@ -326,5 +361,6 @@ optional_policy(`
')
optional_policy(`
@@ -23359,7 +23378,7 @@ index 6041113..ef3b449 100644
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/exim.te b/exim.te
-index 19325ce..b5c157f 100644
+index 19325ce..3e86b12 100644
--- a/exim.te
+++ b/exim.te
@@ -49,7 +49,7 @@ type exim_log_t;
@@ -23416,18 +23435,19 @@ index 19325ce..b5c157f 100644
')
optional_policy(`
-@@ -192,8 +190,9 @@ optional_policy(`
+@@ -192,11 +190,6 @@ optional_policy(`
')
optional_policy(`
- mailman_read_data_files(exim_t)
-+ mailman_manage_data_files(exim_t)
- mailman_domtrans(exim_t)
-+ mailman_read_log(exim_t)
+- mailman_domtrans(exim_t)
+-')
+-
+-optional_policy(`
+ nagios_search_spool(exim_t)
')
- optional_policy(`
-@@ -218,6 +217,7 @@ optional_policy(`
+@@ -218,6 +211,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
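Review bot: Removing the `mailman_*` block from exim.te only keeps exim working if `exim_t` carries the `mailserver_domain` attribute that the replacement rules in mta.te are keyed on; that assignment is not in this hunk, so it should be checked rather than assumed. Note also that the replacement turns exim's former `mailman_read_data_files` into `mailman_manage_data_files`, a wider grant than exim had before, which the removal here silently accepts.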
@@ -35143,7 +35163,7 @@ index ee0c7cc..c54e3d2 100644
+ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
-index d7d9b09..562c288 100644
+index d7d9b09..b93f460 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -35156,6 +35176,15 @@ index d7d9b09..562c288 100644
type slapd_lock_t;
files_lock_file(slapd_lock_t)
+@@ -44,7 +47,7 @@ files_pid_file(slapd_var_run_t)
+ # Local policy
+ #
+
+-allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
++allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search sys_resource };
+ dontaudit slapd_t self:capability sys_tty_config;
+ allow slapd_t self:process setsched;
+ allow slapd_t self:fifo_file rw_fifo_file_perms;
@@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
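Review bot: `sys_resource` lets slapd override hard resource limits and several other kernel limits, which is more than the usual cause of this denial (raising its own descriptor limit at startup) needs; if the AVC came from `setrlimit` within the hard limit, `allow slapd_t self:process setrlimit;` is the narrower rule and the capability is only required when the hard limit itself is raised. Either way a why-comment with the bug reference that prompted it belongs next to the new capability, e.g. `# sys_resource: slapd raises its descriptor limit at startup`.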
@@ -40492,7 +40521,7 @@ index 6194b80..1e67988 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..2356e2b 100644
+index 6a306ee..11a0f02 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -40766,12 +40795,12 @@ index 6a306ee..2356e2b 100644
-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -40901,34 +40930,34 @@ index 6a306ee..2356e2b 100644
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+ java_domtrans(mozilla_t)
++ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
-+ lpd_domtrans_lpr(mozilla_t)
++ mplayer_domtrans(mozilla_t)
++ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+ mplayer_domtrans(mozilla_t)
-+ mplayer_read_user_home_files(mozilla_t)
++ nscd_socket_use(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
-+ nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
@@ -41019,12 +41048,12 @@ index 6a306ee..2356e2b 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
@@ -41195,12 +41224,12 @@ index 6a306ee..2356e2b 100644
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
-
+-
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
@@ -41224,30 +41253,30 @@ index 6a306ee..2356e2b 100644
-ifndef(`enable_mls',`
- fs_list_dos(mozilla_plugin_t)
- fs_read_dos_files(mozilla_plugin_t)
+-
+- fs_search_removable(mozilla_plugin_t)
+- fs_read_removable_files(mozilla_plugin_t)
+- fs_read_removable_symlinks(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+userdom_read_home_certs(mozilla_plugin_t)
+userdom_read_home_audio_files(mozilla_plugin_t)
+userdom_exec_user_tmp_files(mozilla_plugin_t)
-- fs_search_removable(mozilla_plugin_t)
-- fs_read_removable_files(mozilla_plugin_t)
-- fs_read_removable_symlinks(mozilla_plugin_t)
-+userdom_home_manager(mozilla_plugin_t)
-
- fs_read_iso9660_files(mozilla_plugin_t)
-+tunable_policy(`mozilla_plugin_can_network_connect',`
-+ corenet_tcp_connect_all_ports(mozilla_plugin_t)
- ')
-
+-')
+-
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_t self:process execmem;
-')
--
++userdom_home_manager(mozilla_plugin_t)
+
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_t self:process { execmem execstack };
--')
--
++tunable_policy(`mozilla_plugin_can_network_connect',`
++ corenet_tcp_connect_all_ports(mozilla_plugin_t)
+ ')
+
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_t)
- fs_manage_nfs_files(mozilla_plugin_t)
@@ -41332,7 +41361,7 @@ index 6a306ee..2356e2b 100644
')
optional_policy(`
-@@ -568,108 +568,128 @@ optional_policy(`
+@@ -568,108 +568,130 @@ optional_policy(`
')
optional_policy(`
@@ -41370,14 +41399,13 @@ index 6a306ee..2356e2b 100644
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
-+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-
+-
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
-+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
++allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
@@ -41387,36 +41415,40 @@ index 6a306ee..2356e2b 100644
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
+
+-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+dev_read_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
--filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
--can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+-
+-kernel_read_system_state(mozilla_plugin_config_t)
+-kernel_request_load_module(mozilla_plugin_config_t)
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-
--ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
++
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+mozilla_filetrans_home_content(mozilla_plugin_t)
-
--kernel_read_system_state(mozilla_plugin_config_t)
--kernel_request_load_module(mozilla_plugin_config_t)
++
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file })
+mozilla_filetrans_home_content(mozilla_plugin_config_t)
++dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;
corecmd_exec_bin(mozilla_plugin_config_t)
corecmd_exec_shell(mozilla_plugin_config_t)
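Review bot: The new `dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;` is placed in the middle of the `mozilla_plugin_config_t` rules, between the tmp-file patterns and `corecmd_exec_bin(mozilla_plugin_config_t)`, while its subject is `mozilla_plugin_t`; it belongs in the mozilla_plugin_t section so the per-domain grouping stays readable, and the same applies to `mozilla_filetrans_home_content(mozilla_plugin_t)` a few lines above. If the denials come from `mv` preserving contexts when a file is moved across filesystems, the matching `relabelto` on the destination type (and the `dir` class for moved directories) will show up next, so check the AVCs before closing this. The mozilla_plugin_config_t section starts outside the hunk.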
@@ -41510,6 +41542,7 @@ index 6a306ee..2356e2b 100644
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
++ corenet_tcp_bind_vnc_port(mozilla_plugin_t)
')
-optional_policy(`
@@ -43037,7 +43070,7 @@ index ed81cac..566684a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..363dd67 100644
+index afd2fad..79fe381 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@@ -43243,11 +43276,11 @@ index afd2fad..363dd67 100644
+
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
-
--userdom_use_user_terminals(system_mail_t)
+
-+logging_append_all_logs(system_mail_t)
+
++logging_append_all_logs(system_mail_t)
+
+-userdom_use_user_terminals(system_mail_t)
+logging_send_syslog_msg(system_mail_t)
optional_policy(`
@@ -43453,7 +43486,7 @@ index afd2fad..363dd67 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
-@@ -387,24 +276,165 @@ optional_policy(`
+@@ -387,24 +276,173 @@ optional_policy(`
########################################
#
@@ -43626,6 +43659,14 @@ index afd2fad..363dd67 100644
+ antivirus_stream_connect(user_mail_domain)
+ antivirus_stream_connect(mta_user_agent)
+')
++
++optional_policy(`
++ mailman_manage_data_files(mailserver_domain)
++ mailman_domtrans(mailserver_domain)
++ mailman_append_log(mailserver_domain)
++ mailman_read_log(mailserver_domain)
++')
++
diff --git a/munin.fc b/munin.fc
index eb4b72a..4968324 100644
--- a/munin.fc
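Review bot: The new optional_policy block grants every domain carrying the mailserver_domain attribute management of mailman data plus a domain transition into mailman, which is broader than the mailserver_delivery grant visible at the top of this file section, and it carries no comment saying which daemon needed it. The later postfix.te hunk in this commit drops `mailman_manage_data_files(postfix_master_t)` together with its `# for postalias` comment, so that rationale presumably now lives here. Keeping it in writing would help the next audit, e.g. `# mailman data access for mail servers (previously granted per domain, e.g. postfix_master_t for postalias)`.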
@@ -54649,7 +54690,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..073dbf3 100644
+index 7bcf327..ba2f9bb 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -54673,7 +54714,7 @@ index 7bcf327..073dbf3 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,256 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,260 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -54814,6 +54855,8 @@ index 7bcf327..073dbf3 100644
+
+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;;
+
++kernel_read_network_state(pegasus_openlmi_system_t)
++
+dev_rw_sysfs(pegasus_openlmi_system_t)
+dev_read_urand(pegasus_openlmi_system_t)
+
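Review bot: The context line `allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;;` a few lines above the new rule carries a doubled semicolon. Whether checkpolicy tolerates an empty statement I cannot confirm from here, but since this hunk already edits the block, dropping the stray `;` is cheap. The new `kernel_read_network_state` call matches the changelog's /proc/net/dev entry; a trailing `# openlmi-networking reads /proc/net/dev` would tie the rule to its consumer.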
@@ -54861,6 +54904,7 @@ index 7bcf327..073dbf3 100644
+files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
+
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
++kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
+
+dev_read_rand(pegasus_openlmi_storage_t)
+dev_read_urand(pegasus_openlmi_storage_t)
@@ -54872,7 +54916,8 @@ index 7bcf327..073dbf3 100644
+
+seutil_read_file_contexts(pegasus_openlmi_storage_t)
+
-+storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_storage_t)
++storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
++storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
+
+fs_getattr_all_fs(pegasus_openlmi_storage_t)
+
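Review bot: Replacing `storage_rw_inherited_fixed_disk_dev` with `storage_raw_read_fixed_disk`/`storage_raw_write_fixed_disk` moves pegasus_openlmi_storage_t from using disk descriptors it was handed to opening fixed-disk block devices itself, i.e. read/write of every fixed disk, which bypasses file-level labeling on those disks. That is a large widening for a CIM provider and deserves a comment citing the driver, e.g. `# storage provider opens block devices directly (rhbz #1015067)`, the bug the changelog attributes this to. If the provider only needs particular devices, a dedicated device type would be tighter, though that is outside this hunk.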
@@ -54935,7 +54980,7 @@ index 7bcf327..073dbf3 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +289,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +293,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -54966,7 +55011,7 @@ index 7bcf327..073dbf3 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +315,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +319,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -54999,7 +55044,7 @@ index 7bcf327..073dbf3 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,6 +343,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +347,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -55007,7 +55052,7 @@ index 7bcf327..073dbf3 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +358,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +362,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -55039,7 +55084,7 @@ index 7bcf327..073dbf3 100644
')
optional_policy(`
-@@ -151,16 +388,24 @@ optional_policy(`
+@@ -151,16 +392,24 @@ optional_policy(`
')
optional_policy(`
@@ -55068,7 +55113,7 @@ index 7bcf327..073dbf3 100644
')
optional_policy(`
-@@ -168,7 +413,7 @@ optional_policy(`
+@@ -168,7 +417,7 @@ optional_policy(`
')
optional_policy(`
@@ -55322,10 +55367,10 @@ index 0000000..20ea9f5
+
diff --git a/piranha.if b/piranha.if
new file mode 100644
-index 0000000..8d681d1
+index 0000000..cf54103
--- /dev/null
+++ b/piranha.if
-@@ -0,0 +1,179 @@
+@@ -0,0 +1,187 @@
+## <summary>policy for piranha</summary>
+
+#######################################
@@ -55353,6 +55398,10 @@ index 0000000..8d681d1
+ type piranha_$1_exec_t;
+ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
+
++ # tmpfs files
++ type piranha_$1_tmpfs_t, piranha_tmpfs;
++ files_tmpfs_file(piranha_$1_tmpfs_t)
++
+ # pid files
+ type piranha_$1_var_run_t;
+ files_pid_file(piranha_$1_var_run_t)
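Review bot: `type piranha_$1_tmpfs_t, piranha_tmpfs;` attaches the new type to an attribute the template never requires; it compiles only because piranha.te declares `attribute piranha_tmpfs` before invoking the template from the same module. Refpolicy templates normally state such dependencies explicitly, so a gen_require block at the top of the template with `attribute piranha_tmpfs;` would make the contract visible and keep the template usable from elsewhere. The template's head starts outside the hunk.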
@@ -55362,6 +55411,10 @@ index 0000000..8d681d1
+ # piranha_$1_t local policy
+ #
+
++ manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
++ manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
++ fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })
++
+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
@@ -55507,10 +55560,10 @@ index 0000000..8d681d1
+')
diff --git a/piranha.te b/piranha.te
new file mode 100644
-index 0000000..34e591f
+index 0000000..a989aea
--- /dev/null
+++ b/piranha.te
-@@ -0,0 +1,293 @@
+@@ -0,0 +1,292 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -55526,6 +55579,7 @@ index 0000000..34e591f
+gen_tunable(piranha_lvs_can_network_connect, false)
+
+attribute piranha_domain;
++attribute piranha_tmpfs;
+
+piranha_domain_template(fos)
+
@@ -55538,9 +55592,6 @@ index 0000000..34e591f
+
+piranha_domain_template(web)
+
-+type piranha_web_tmpfs_t;
-+files_tmpfs_file(piranha_web_tmpfs_t)
-+
+type piranha_web_conf_t;
+files_config_file(piranha_web_conf_t)
+
@@ -55602,10 +55653,6 @@ index 0000000..34e591f
+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
+
-+manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
-+manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
-+fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
-+
+piranha_pulse_initrc_domtrans(piranha_web_t)
+
+kernel_read_kernel_sysctls(piranha_web_t)
@@ -55655,6 +55702,9 @@ index 0000000..34e591f
+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
+allow piranha_lvs_t self:rawip_socket create_socket_perms;
+
++manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
++manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
++
+kernel_read_kernel_sysctls(piranha_lvs_t)
+
+# needed by nanny
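Review bot: The two new rules omit the space after the second comma (`piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t`), unlike every other pattern call in this file; the same slip appears in the next hunk as `piranha_tmpfs,piranha_tmpfs` and `piranha_tmpfs ,piranha_tmpfs`. Suggested form: `manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)`. Functionally the rule gives lvs create/delete rights over pulse's tmpfs files; if lvs only reads state that pulse publishes there, a read or rw pattern would be the tighter grant.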
@@ -55788,6 +55838,9 @@ index 0000000..34e591f
+
+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
+
++manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)
++manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)
++
+kernel_read_network_state(piranha_domain)
+
+corenet_tcp_sendrecv_generic_if(piranha_domain)
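Review bot: `manage_files_pattern(piranha_pulse_t, piranha_tmpfs, piranha_tmpfs)` is a pulse-specific rule placed among the piranha_domain common rules (`read_files_pattern(piranha_domain, ...)` and `kernel_read_network_state(piranha_domain)` surround it), so a reader scanning the pulse section will not find it. Moving it to the pulse local-policy block, or at least prefixing it with `# pulse manages the tmpfs files of every piranha domain`, would preserve the file's per-domain layout. It also grants pulse create/delete over all `piranha_tmpfs` types rather than only its own piranha_pulse_tmpfs_t, which is presumably intended for the pulse/lvs sharing but worth recording.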
@@ -55799,7 +55852,6 @@ index 0000000..34e591f
+corenet_tcp_bind_generic_node(piranha_domain)
+corenet_udp_bind_generic_node(piranha_domain)
+
-+
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
+
@@ -58689,7 +58741,7 @@ index c0e8785..c0e0959 100644
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/postfix.if b/postfix.if
-index 2e23946..e9ac366 100644
+index 2e23946..0b76d72 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
@@ -59029,8 +59081,10 @@ index 2e23946..e9ac366 100644
')
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## Execute the master postfix program
+-## in the caller domain.
+## Execute the master postfix in the postfix master domain.
+## </summary>
+## <param name="domain">
@@ -59047,10 +59101,8 @@ index 2e23946..e9ac366 100644
+ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+')
+
- ########################################
- ## <summary>
--## Execute the master postfix program
--## in the caller domain.
++########################################
++## <summary>
+## Execute the master postfix program in the
+## caller domain.
## </summary>
@@ -59148,15 +59200,18 @@ index 2e23946..e9ac366 100644
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the iptables domain.
+## </summary>
+## </param>
+## <rolecap/>
-+#
+ #
+-interface(`posftix_exec_postqueue',`
+- refpolicywarn(`$0($*) has been deprecated.')
+- postfix_exec_postqueue($1)
+
+interface(`postfix_run_postqueue',`
+ gen_require(`
@@ -59166,8 +59221,8 @@ index 2e23946..e9ac366 100644
+ postfix_domtrans_postqueue($1)
+ role $2 types postfix_postqueue_t;
+ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
-+')
-+
+ ')
+
+########################################
+## <summary>
+## Execute postfix_postgqueue in the postfix_postgqueue domain.
@@ -59194,18 +59249,15 @@ index 2e23946..e9ac366 100644
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
- #
--interface(`posftix_exec_postqueue',`
-- refpolicywarn(`$0($*) has been deprecated.')
-- postfix_exec_postqueue($1)
++#
+interface(`postfix_run_postgqueue',`
+ gen_require(`
+ type postfix_postgqueue_t;
@@ -59213,8 +59265,8 @@ index 2e23946..e9ac366 100644
+
+ postfix_domtrans_postgqueue($1)
+ role $2 types postfix_postgqueue_t;
- ')
-
++')
++
+
#######################################
## <summary>
@@ -59346,7 +59398,7 @@ index 2e23946..e9ac366 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -665,11 +718,31 @@ interface(`postfix_read_spool_files',`
+@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -59361,6 +59413,25 @@ index 2e23946..e9ac366 100644
+
+#######################################
+## <summary>
++## Read, write, and delete postfix maildrop spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postfix_rw_spool_maildrop_files',`
++ gen_require(`
++ type postfix_spool_maildrop_t;
++ ')
++
++ files_search_spool($1)
++ rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++')
++
++#######################################
++## <summary>
+## Create, read, write, and delete postfix maildrop spool files.
+## </summary>
+## <param name="domain">
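Review bot: The summary of the new `postfix_rw_spool_maildrop_files` interface promises "Read, write, and delete", but its body uses `rw_files_pattern`, which grants read/write only; unlink is not included. Either the summary should become `## Read and write postfix maildrop spool files.` or, if deletion is really needed for the httpd_can_sendmail use the changelog mentions, the body needs a delete pattern too; the read/write-only form is the tighter choice for a web server dropping mail, and the interface that follows already covers callers needing full manage semantics.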
@@ -59380,7 +59451,7 @@ index 2e23946..e9ac366 100644
')
########################################
-@@ -693,8 +766,8 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',`
########################################
## <summary>
@@ -59391,7 +59462,7 @@ index 2e23946..e9ac366 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -710,37 +783,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,37 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',`
#
interface(`postfix_admin',`
gen_require(`
@@ -59550,7 +59621,7 @@ index 2e23946..e9ac366 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..2177e93 100644
+index 191a66f..f19bca4 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -59732,8 +59803,9 @@ index 191a66f..2177e93 100644
-########################################
-#
-# Common postfix user domain local policy
--#
--
++# Postfix master process local policy
+ #
+
-allow postfix_user_domains self:capability dac_override;
-
-domain_use_interactive_fds(postfix_user_domains)
@@ -59741,9 +59813,8 @@ index 191a66f..2177e93 100644
-########################################
-#
-# Master local policy
-+# Postfix master process local policy
- #
-
+-#
+-
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -59767,10 +59838,10 @@ index 191a66f..2177e93 100644
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
++
++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
-+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-+
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
+manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -59811,29 +59882,29 @@ index 191a66f..2177e93 100644
-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
--
+
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
-delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
--
--can_exec(postfix_master_t, postfix_exec_t)
-+manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++kernel_read_all_sysctls(postfix_master_t)
+-can_exec(postfix_master_t, postfix_exec_t)
+-
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-+kernel_read_all_sysctls(postfix_master_t)
-
+-
-corenet_all_recvfrom_unlabeled(postfix_master_t)
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,50 +165,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,64 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -59893,32 +59964,30 @@ index 191a66f..2177e93 100644
mta_read_sendmail_bin(postfix_master_t)
mta_getattr_spool(postfix_master_t)
+-optional_policy(`
+- cyrus_stream_connect(postfix_master_t)
+-')
+-
+-optional_policy(`
+- kerberos_keytab_template(postfix, postfix_t)
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
+ mta_etc_filetrans_aliases(postfix_master_t)
-+')
-+
- optional_policy(`
- cyrus_stream_connect(postfix_master_t)
- ')
-@@ -316,14 +212,11 @@ optional_policy(`
')
optional_policy(`
-+# for postalias
- mailman_manage_data_files(postfix_master_t)
+- mailman_manage_data_files(postfix_master_t)
++ cyrus_stream_connect(postfix_master_t)
')
optional_policy(`
- mysql_stream_connect(postfix_master_t)
--')
--
--optional_policy(`
- postgrey_search_spool(postfix_master_t)
++ kerberos_keytab_template(postfix, postfix_t)
')
-@@ -333,12 +226,14 @@ optional_policy(`
+ optional_policy(`
+@@ -333,12 +221,14 @@ optional_policy(`
########################################
#
@@ -59935,7 +60004,7 @@ index 191a66f..2177e93 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,37 +250,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -59982,7 +60051,7 @@ index 191a66f..2177e93 100644
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
-@@ -393,36 +285,50 @@ optional_policy(`
+@@ -393,36 +280,50 @@ optional_policy(`
########################################
#
@@ -60042,7 +60111,7 @@ index 191a66f..2177e93 100644
')
optional_policy(`
-@@ -434,6 +340,7 @@ optional_policy(`
+@@ -434,6 +335,7 @@ optional_policy(`
')
optional_policy(`
@@ -60050,7 +60119,7 @@ index 191a66f..2177e93 100644
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
-@@ -444,6 +351,10 @@ optional_policy(`
+@@ -444,6 +346,10 @@ optional_policy(`
')
optional_policy(`
@@ -60061,7 +60130,7 @@ index 191a66f..2177e93 100644
procmail_domtrans(postfix_local_t)
')
-@@ -458,15 +369,17 @@ optional_policy(`
+@@ -458,15 +364,17 @@ optional_policy(`
########################################
#
@@ -60085,7 +60154,7 @@ index 191a66f..2177e93 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +389,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +384,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -60105,7 +60174,7 @@ index 191a66f..2177e93 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +406,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +401,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -60113,7 +60182,7 @@ index 191a66f..2177e93 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -500,21 +413,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +408,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -60139,7 +60208,7 @@ index 191a66f..2177e93 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +438,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +433,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -60159,7 +60228,7 @@ index 191a66f..2177e93 100644
#
allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +489,26 @@ optional_policy(`
+@@ -576,19 +484,26 @@ optional_policy(`
########################################
#
@@ -60191,7 +60260,7 @@ index 191a66f..2177e93 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +523,7 @@ optional_policy(`
+@@ -603,10 +518,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -60203,7 +60272,7 @@ index 191a66f..2177e93 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -621,17 +538,24 @@ optional_policy(`
+@@ -621,17 +533,24 @@ optional_policy(`
#######################################
#
@@ -60231,7 +60300,7 @@ index 191a66f..2177e93 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +571,77 @@ optional_policy(`
+@@ -647,67 +566,77 @@ optional_policy(`
########################################
#
@@ -60327,7 +60396,7 @@ index 191a66f..2177e93 100644
')
optional_policy(`
-@@ -720,29 +654,30 @@ optional_policy(`
+@@ -720,29 +649,30 @@ optional_policy(`
########################################
#
@@ -60366,7 +60435,7 @@ index 191a66f..2177e93 100644
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
dovecot_stream_connect(postfix_smtpd_t)
-@@ -754,6 +689,7 @@ optional_policy(`
+@@ -754,6 +684,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -60374,7 +60443,7 @@ index 191a66f..2177e93 100644
')
optional_policy(`
-@@ -764,31 +700,99 @@ optional_policy(`
+@@ -764,31 +695,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -77187,7 +77256,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..b2225a3 100644
+index 57c034b..9e91107 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -77817,7 +77886,7 @@ index 57c034b..b2225a3 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +555,40 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +555,41 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -77879,10 +77948,11 @@ index 57c034b..b2225a3 100644
- files_manage_non_auth_files(nmbd_t)
+optional_policy(`
+ ctdbd_stream_connect(nmbd_t)
++ ctdbd_manage_var_files(nmbd_t)
')
optional_policy(`
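Review bot: `ctdbd_manage_var_files(nmbd_t)` grants nmbd create, delete and rename on ctdbd's var files, which is broader than the "access" the changelog entry describes. If a narrower read or read/write interface exists in ctdbd.if it would be the safer grant; otherwise a comment such as `# nmbd updates the ctdb databases under ctdbd's var dir` would record why manage-level access is needed.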
-@@ -600,19 +601,26 @@ optional_policy(`
+@@ -600,19 +602,26 @@ optional_policy(`
########################################
#
@@ -77914,7 +77984,7 @@ index 57c034b..b2225a3 100644
samba_search_var(smbcontrol_t)
samba_read_winbind_pid(smbcontrol_t)
-@@ -620,16 +628,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +629,12 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -77932,7 +78002,7 @@ index 57c034b..b2225a3 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +641,23 @@ optional_policy(`
+@@ -637,22 +642,23 @@ optional_policy(`
########################################
#
@@ -77964,7 +78034,7 @@ index 57c034b..b2225a3 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -661,26 +666,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +667,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -78000,7 +78070,7 @@ index 57c034b..b2225a3 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -692,58 +693,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +694,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -78092,7 +78162,7 @@ index 57c034b..b2225a3 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +772,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +773,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -78116,7 +78186,7 @@ index 57c034b..b2225a3 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -770,36 +786,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +787,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -78159,7 +78229,7 @@ index 57c034b..b2225a3 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -811,10 +816,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +817,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -78173,7 +78243,7 @@ index 57c034b..b2225a3 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -834,16 +840,19 @@ optional_policy(`
+@@ -834,16 +841,19 @@ optional_policy(`
#
allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
@@ -78197,7 +78267,7 @@ index 57c034b..b2225a3 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +862,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +863,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -78208,7 +78278,7 @@ index 57c034b..b2225a3 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +873,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +874,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -78238,7 +78308,7 @@ index 57c034b..b2225a3 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -891,13 +896,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +897,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -78259,7 +78329,7 @@ index 57c034b..b2225a3 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +914,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +915,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -78270,7 +78340,7 @@ index 57c034b..b2225a3 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -917,26 +922,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,26 +923,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -78312,7 +78382,7 @@ index 57c034b..b2225a3 100644
')
optional_policy(`
-@@ -952,31 +970,29 @@ optional_policy(`
+@@ -952,31 +971,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -78350,7 +78420,7 @@ index 57c034b..b2225a3 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -990,25 +1006,38 @@ optional_policy(`
+@@ -990,25 +1007,38 @@ optional_policy(`
########################################
#
@@ -82821,10 +82891,10 @@ index 0000000..52450c7
+')
diff --git a/smsd.te b/smsd.te
new file mode 100644
-index 0000000..92c3638
+index 0000000..1fad7b8
--- /dev/null
+++ b/smsd.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,73 @@
+policy_module(smsd, 1.0.0)
+
+########################################
@@ -82882,6 +82952,7 @@ index 0000000..92c3638
+manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+files_spool_filetrans(smsd_t, smsd_spool_t, { dir })
++can_exec(smsd_t, smsd_spool_t)
+
+manage_dirs_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
+manage_files_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
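Review bot: `can_exec(smsd_t, smsd_spool_t)` lands right after the rules that let smsd_t create and write smsd_spool_t files, so the daemon can now both write and execute the same content, giving up the label-based write/execute separation that normally keeps a daemon from running data it received. The changelog says these scripts are generated on the fly, so record that intent so a later audit does not read it as an accident: `# smsd writes scripts into its spool on the fly and executes them`. A dedicated script type with a domain transition would be tighter but is a larger change than this hunk.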
@@ -88707,10 +88778,10 @@ index 0000000..8b2dfff
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..ec3eb8f
+index 0000000..1a7c61d
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,147 @@
+@@ -0,0 +1,148 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -88759,6 +88830,7 @@ index 0000000..ec3eb8f
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
+userdom_dontaudit_access_check_user_content(thumb_t)
++userdom_rw_inherited_user_tmpfs_files(thumb_t)
+
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
@@ -93208,7 +93280,7 @@ index 9dec06c..73549fd 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..64b3da9 100644
+index 1f22fba..a77dab1 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,167 @@
@@ -94113,7 +94185,7 @@ index 1f22fba..64b3da9 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -737,44 +602,262 @@ optional_policy(`
+@@ -737,44 +602,264 @@ optional_policy(`
udev_read_db(virtd_t)
')
@@ -94149,6 +94221,14 @@ index 1f22fba..64b3da9 100644
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++kernel_read_net_sysctls(virt_domain)
+
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
@@ -94159,19 +94239,14 @@ index 1f22fba..64b3da9 100644
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -94203,13 +94278,12 @@ index 1f22fba..64b3da9 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-+dontaudit virt_domain virt_tmpfs_type:file { read write };
-
-allow virsh_t svirt_lxc_domain:process transition;
-+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++dontaudit virt_domain virt_tmpfs_type:file { read write };
-can_exec(virsh_t, virsh_exec_t)
++append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
@@ -94304,7 +94378,7 @@ index 1f22fba..64b3da9 100644
+ fs_read_fusefs_symlinks(virt_domain)
+ fs_getattr_fusefs(virt_domain)
+')
-
++
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
@@ -94312,7 +94386,7 @@ index 1f22fba..64b3da9 100644
+ fs_read_nfs_symlinks(virt_domain)
+ fs_getattr_nfs(virt_domain)
+')
-+
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
@@ -94398,7 +94472,7 @@ index 1f22fba..64b3da9 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +868,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +870,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -94425,7 +94499,7 @@ index 1f22fba..64b3da9 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,23 +888,23 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,23 +890,23 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -94458,7 +94532,7 @@ index 1f22fba..64b3da9 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -847,14 +923,20 @@ optional_policy(`
+@@ -847,14 +925,20 @@ optional_policy(`
')
optional_policy(`
@@ -94480,7 +94554,7 @@ index 1f22fba..64b3da9 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +961,65 @@ optional_policy(`
+@@ -879,49 +963,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -94564,7 +94638,7 @@ index 1f22fba..64b3da9 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1031,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1033,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -94584,7 +94658,7 @@ index 1f22fba..64b3da9 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1052,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1054,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -94608,7 +94682,7 @@ index 1f22fba..64b3da9 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1077,238 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1079,238 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -94983,7 +95057,7 @@ index 1f22fba..64b3da9 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1321,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1323,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -94998,7 +95072,7 @@ index 1f22fba..64b3da9 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1339,8 @@ optional_policy(`
+@@ -1183,9 +1341,8 @@ optional_policy(`
########################################
#
@@ -95009,7 +95083,7 @@ index 1f22fba..64b3da9 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1353,194 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1355,194 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -97854,6 +97928,27 @@ index d837e88..910aeec 100644
userdom_use_unpriv_users_fds(yam_t)
userdom_search_user_home_dirs(yam_t)
+diff --git a/zabbix.fc b/zabbix.fc
+index ce10cb1..3181728 100644
+--- a/zabbix.fc
++++ b/zabbix.fc
+@@ -4,11 +4,15 @@
+ /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+
+-/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
++/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/sbin/zabbix_proxy -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/sbin/zabbix_proxy_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+
+ /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+
diff --git a/zabbix.if b/zabbix.if
index dd63de0..38ce620 100644
--- a/zabbix.if
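Review bot: The four added `/usr/sbin/zabbix_proxy*` entries label the proxy binaries as `zabbix_exec_t`, so zabbix_proxy will run in the server domain `zabbix_t` and inherit every server rule (including the `zabbix_can_network` tunable and the ftp client port rules seen later in zabbix.te) with no proxy-specific rule set. If that is deliberate, a comment in zabbix.fc would save the next reader from looking for a missing domain, e.g. `# zabbix_proxy* deliberately share the server domain (zabbix_t via zabbix_exec_t)`; if a narrower domain was intended, a dedicated exec type and domain are needed. Moving the `/usr/sbin/zabbix_server` line below `zabbix_agentd` is only a reorder and changes nothing.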
@@ -98017,10 +98112,10 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..dea93eb 100644
+index 46e4cd3..79317e6 100644
--- a/zabbix.te
+++ b/zabbix.te
-@@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3)
+@@ -6,21 +6,23 @@ policy_module(zabbix, 1.5.3)
#
## <desc>
@@ -98029,9 +98124,64 @@ index 46e4cd3..dea93eb 100644
## Determine whether zabbix can
## connect to all TCP ports
## </p>
-@@ -52,11 +52,10 @@ allow zabbix_t self:sem create_sem_perms;
- allow zabbix_t self:shm create_shm_perms;
- allow zabbix_t self:tcp_socket create_stream_socket_perms;
+ ## </desc>
+ gen_tunable(zabbix_can_network, false)
+
+-type zabbix_t;
++attribute zabbix_domain;
++
++type zabbix_t, zabbix_domain;
+ type zabbix_exec_t;
+ init_daemon_domain(zabbix_t, zabbix_exec_t)
+
+ type zabbix_initrc_exec_t;
+ init_script_file(zabbix_initrc_exec_t)
+
+-type zabbix_agent_t;
++type zabbix_agent_t, zabbix_domain;
+ type zabbix_agent_exec_t;
+ init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
+
+@@ -41,22 +43,40 @@ files_pid_file(zabbix_var_run_t)
+
+ ########################################
+ #
++# zabbix domain local policy
++#
++
++allow zabbix_domain self:capability { setuid setgid };
++allow zabbix_domain self:process { setpgid setsched getsched signal_perms };
++allow zabbix_domain self:fifo_file rw_fifo_file_perms;
++allow zabbix_domain self:sem create_sem_perms;
++allow zabbix_domain self:shm create_shm_perms;
++allow zabbix_domain self:tcp_socket { accept listen };
++allow zabbix_domain self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_all_sysctls(zabbix_domain)
++
++corenet_tcp_sendrecv_generic_if(zabbix_domain)
++corenet_tcp_sendrecv_generic_node(zabbix_domain)
++corenet_tcp_bind_generic_node(zabbix_domain)
++
++corecmd_exec_shell(zabbix_domain)
++corecmd_exec_bin(zabbix_domain)
++
++dev_read_sysfs(zabbix_domain)
++dev_read_urand(zabbix_domain)
++
++########################################
++#
+ # Local policy
+ #
+
+-allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
+-allow zabbix_t self:process { setsched signal_perms };
+-allow zabbix_t self:fifo_file rw_fifo_file_perms;
+-allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
+-allow zabbix_t self:sem create_sem_perms;
+-allow zabbix_t self:shm create_shm_perms;
+-allow zabbix_t self:tcp_socket create_stream_socket_perms;
++allow zabbix_t self:capability { dac_read_search dac_override };
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
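Review bot: The rules collected under the new `zabbix_domain` attribute are broader in places than the per-domain rules they replace, so the server and the agent each gain permissions beyond a pure consolidation. `kernel_read_all_sysctls(zabbix_domain)` supersedes `kernel_read_kernel_sysctls(zabbix_t)` (dropped in the following hunk), and `self:process { ... signal_perms }` supersedes the agent's `signal` (dropped in the `Agent local policy` hunk), so the server now reads every sysctl class and the agent gets the full self-signal set. Conversely `zabbix_t` loses `self:tcp_socket create_stream_socket_perms` and keeps only `{ accept listen }` from the attribute; create/connect presumably still arrive via `auth_use_nsswitch(zabbix_t)`, which is worth confirming with sesearch before this ships. Please also document the attribute where it is declared, e.g. `# zabbix_domain: rules common to every zabbix daemon (server and agent); daemon-specific rules stay in the sections below`.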
@@ -98045,10 +98195,29 @@ index 46e4cd3..dea93eb 100644
manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-@@ -95,12 +94,8 @@ corecmd_exec_shell(zabbix_t)
+@@ -70,13 +90,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+ files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+
+ kernel_read_system_state(zabbix_t)
+-kernel_read_kernel_sysctls(zabbix_t)
- dev_read_urand(zabbix_t)
+ corenet_all_recvfrom_unlabeled(zabbix_t)
+ corenet_all_recvfrom_netlabel(zabbix_t)
+-corenet_tcp_sendrecv_generic_if(zabbix_t)
+-corenet_tcp_sendrecv_generic_node(zabbix_t)
+-corenet_tcp_bind_generic_node(zabbix_t)
+ corenet_sendrecv_ftp_client_packets(zabbix_t)
+ corenet_tcp_connect_ftp_port(zabbix_t)
+@@ -90,17 +106,8 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t)
+ corenet_tcp_bind_zabbix_port(zabbix_t)
+ corenet_tcp_sendrecv_zabbix_port(zabbix_t)
+
+-corecmd_exec_bin(zabbix_t)
+-corecmd_exec_shell(zabbix_t)
+-
+-dev_read_urand(zabbix_t)
+-
-files_read_usr_files(zabbix_t)
-
auth_use_nsswitch(zabbix_t)
@@ -98058,7 +98227,7 @@ index 46e4cd3..dea93eb 100644
zabbix_agent_tcp_connect(zabbix_t)
tunable_policy(`zabbix_can_network',`
-@@ -110,12 +105,11 @@ tunable_policy(`zabbix_can_network',`
+@@ -110,12 +117,11 @@ tunable_policy(`zabbix_can_network',`
')
optional_policy(`
@@ -98073,7 +98242,7 @@ index 46e4cd3..dea93eb 100644
')
optional_policy(`
-@@ -125,6 +119,7 @@ optional_policy(`
+@@ -125,6 +131,7 @@ optional_policy(`
optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t)
@@ -98081,18 +98250,18 @@ index 46e4cd3..dea93eb 100644
')
########################################
-@@ -133,17 +128,14 @@ optional_policy(`
+@@ -132,18 +139,7 @@ optional_policy(`
+ # Agent local policy
#
- allow zabbix_agent_t self:capability { setuid setgid };
+-allow zabbix_agent_t self:capability { setuid setgid };
-allow zabbix_agent_t self:process { setsched getsched signal };
-+allow zabbix_agent_t self:process { setpgid setsched getsched signal };
- allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
- allow zabbix_agent_t self:sem create_sem_perms;
- allow zabbix_agent_t self:shm create_shm_perms;
- allow zabbix_agent_t self:tcp_socket { accept listen };
- allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
-
+-allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
+-allow zabbix_agent_t self:sem create_sem_perms;
+-allow zabbix_agent_t self:shm create_shm_perms;
+-allow zabbix_agent_t self:tcp_socket { accept listen };
+-allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+-
-append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
-create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
@@ -98101,16 +98270,26 @@ index 46e4cd3..dea93eb 100644
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -154,6 +146,8 @@ files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
- kernel_read_all_sysctls(zabbix_agent_t)
- kernel_read_system_state(zabbix_agent_t)
+@@ -151,16 +147,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+ manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+ files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
-+corecmd_exec_shell(zabbix_agent_t)
-+corecmd_exec_bin(zabbix_agent_t)
- corecmd_read_all_executables(zabbix_agent_t)
+-kernel_read_all_sysctls(zabbix_agent_t)
+ kernel_read_system_state(zabbix_agent_t)
+-corecmd_read_all_executables(zabbix_agent_t)
+-
corenet_all_recvfrom_unlabeled(zabbix_agent_t)
-@@ -182,7 +176,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+ corenet_all_recvfrom_netlabel(zabbix_agent_t)
+-corenet_tcp_sendrecv_generic_if(zabbix_agent_t)
+-corenet_tcp_sendrecv_generic_node(zabbix_agent_t)
+-corenet_tcp_bind_generic_node(zabbix_agent_t)
++
++corecmd_read_all_executables(zabbix_agent_t)
+
+ corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
+ corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
+@@ -182,7 +174,6 @@ domain_search_all_domains_state(zabbix_agent_t)
files_getattr_all_dirs(zabbix_agent_t)
files_getattr_all_files(zabbix_agent_t)
files_read_all_symlinks(zabbix_agent_t)
@@ -98118,7 +98297,7 @@ index 46e4cd3..dea93eb 100644
fs_getattr_all_fs(zabbix_agent_t)
-@@ -190,8 +183,11 @@ init_read_utmp(zabbix_agent_t)
+@@ -190,8 +181,11 @@ init_read_utmp(zabbix_agent_t)
logging_search_logs(zabbix_agent_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b037589..e751845 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 89%{?dist}
+Release: 90%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -572,6 +572,36 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Oct 17 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-90
+- Allow mailserver_domains to manage and transition to mailman data
+- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands
+- Allow mailserver_domains to manage and transition to mailman data
+- Allow svirt_domains to read sysctl_net_t
+- Allow thumb_t to use tmpfs inherited from the user
+- Allow mozilla_plugin to bind to the vnc port if running with spice
+- Add new attribute to discover confined_admins and assign confined admin to it
+- Fix zabbix to handle attributes in interfaces
+- Fix zabbix to read system states for all zabbix domains
+- Fix piranha_domain_template()
+- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files.
+- Allow lldpad sys_rouserce cap due to #986870
+- Allow dovecot-auth to read nologin
+- Allow openlmi-networking to read /proc/net/dev
+- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t
+- Add zabbix_domain attribute for zabbix domains to treat them together
+- Add labels for zabbix-poxy-* (#1018221)
+- Update openlmi-storage policy to reflect #1015067
+- Back port piranha tmpfs fixes from RHEL6
+- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop
+- Add postfix_rw_spool_maildrop_files interface
+- Call new userdom_admin_user_templat() also for sysadm_secadm.pp
+- Fix typo in userdom_admin_user_template()
+- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
+- Add new attribute to discover confined_admins
+- Fix labeling for /etc/strongswan/ipsec.d
+- systemd_logind seems to pass fd to anyone who dbus communicates with it
+- Dontaudit leaked write descriptor to dmesg
+
* Mon Oct 14 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-89
- Fix gnome_read_generic_data_home_files()
- allow openshift_cgroup_t to read/write inherited openshift file types