[selinux-policy/f20] - Allow sysadm_t to read login information - Allow systemd_tmpfiles to setattr on var_log_t director
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Oct 29 12:15:08 UTC 2013
commit 06d9a8b80d21e46cfc2b023eb70043117767a781
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Oct 28 10:06:40 2013 +0100
- Allow sysadm_t to read login information
- Allow systemd_tmpfiles to setattr on var_log_t directories
- Update Makefile to include systemd_contexts
- Add systemd_contexts
- Add fs_exec_hugetlbfs_files() interface
- Add daemons_enable_cluster_mode boolean
- Fix rsync_filetrans_named_content()
- Add rhcs_read_cluster_pid_files() interface
- Update rhcs.if with additional interfaces from RHEL6
- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
- Allow glusterd_t to mounton glusterd_tmp_t
- Allow glusterd to unmount all filesystems
- Allow xenstored to read virt config
- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct lab
- Allow mozilla_plugin_t to mmap hugepages as an executable
Conflicts:
selinux-policy.spec
policy-rawhide-base.patch | 356 ++++++++++++++++++++++++++----------------
policy-rawhide-contrib.patch | 341 +++++++++++++++++++++++-----------------
selinux-policy.spec | 21 +++-
3 files changed, 440 insertions(+), 278 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 6ef476e..9f673ed 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1,5 +1,5 @@
diff --git a/Makefile b/Makefile
-index 85d4cfb..b51cf37 100644
+index 85d4cfb..7bfdfc6 100644
--- a/Makefile
+++ b/Makefile
@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
@@ -15,7 +15,7 @@ index 85d4cfb..b51cf37 100644
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts systemd_contexts) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
@@ -58,6 +58,13 @@ index 313d837..ef3c532 100644
@echo "Success."
########################################
+diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts
+new file mode 100644
+index 0000000..ff32acc
+--- /dev/null
++++ b/config/appconfig-mcs/systemd_contexts
+@@ -0,0 +1 @@
++runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
index d387b42..150f281 100644
--- a/config/appconfig-mcs/virtual_domain_context
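Review bot: The new systemd_contexts file labels runtime units with `systemd_runtime_unit_file_t`, and no declaration of that type appears anywhere in this diff; it presumably lives in the systemd module of the contrib patch, which this page does not show. A contexts file is not compiled into the policy, so a missing type would not break the build — it would only surface at runtime when the consumer (presumably systemd, via the systemd contexts path) tries to use a context naming an unknown type — so it is worth confirming the declaration lands in the same update. The same applies to the identical mls and standard copies added in the next hunk.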
@@ -65,6 +72,20 @@ index d387b42..150f281 100644
@@ -1 +1,2 @@
system_u:system_r:svirt_t:s0
+system_u:system_r:svirt_tcg_t:s0
+diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts
+new file mode 100644
+index 0000000..ff32acc
+--- /dev/null
++++ b/config/appconfig-mls/systemd_contexts
+@@ -0,0 +1 @@
++runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
+diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts
+new file mode 100644
+index 0000000..ff32acc
+--- /dev/null
++++ b/config/appconfig-standard/systemd_contexts
+@@ -0,0 +1 @@
++runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
index c049e10..150f281 100644
--- a/config/appconfig-standard/virtual_domain_context
@@ -3170,10 +3191,10 @@ index 1dc7a85..c6f4da0 100644
+ corecmd_shell_domtrans($1_seunshare_t, $1_t)
')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..19aaaed 100644
+index 7590165..fb30c11 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,57 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0)
# Declarations
#
@@ -3232,6 +3253,10 @@ index 7590165..19aaaed 100644
- fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
+ fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
+ fs_dontaudit_list_inotifyfs(seunshare_domain)
++
++ optional_policy(`
++ gnome_dontaudit_rw_inherited_config(seunshare_domain)
++ ')
optional_policy(`
- mozilla_dontaudit_manage_user_home_files(seunshare_t)
@@ -8766,7 +8791,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..40f0157 100644
+index cf04cb5..369ddc2 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8903,7 +8928,7 @@ index cf04cb5..40f0157 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,302 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,306 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9068,6 +9093,10 @@ index cf04cb5..40f0157 100644
+')
+
+optional_policy(`
++ rsync_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
+ sysnet_filetrans_named_content(named_filetrans_domain)
+')
+
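Review bot: `rsync_filetrans_named_content` is granted here to the whole `named_filetrans_domain` attribute, and the later sysadm.te hunk (the one adding `rsync_filetrans_named_content(sysadm_t)` next to `rsync_exec`) grants it to `sysadm_t` a second time. Whether sysadm_t carries the named_filetrans_domain attribute is not visible on this page; if it does, the sysadm.te line is redundant and can be dropped, and if it does not, a one-line comment there saying why sysadm_t needs the transition separately would help the next reader. The interface body itself, which the commit message says was fixed, is in the contrib patch and not shown here.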
@@ -9078,7 +9107,7 @@ index cf04cb5..40f0157 100644
+ systemd_login_undefined(unconfined_domain_type)
+ systemd_filetrans_named_content(named_filetrans_domain)
+ systemd_filetrans_named_hostname(named_filetrans_domain)
-+ systemd_filetrans_home_content(named_filetrans_domain)
++ systemd_filetrans_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
@@ -12714,7 +12743,7 @@ index cda5588..924f856 100644
+/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
+/var/run/[^/]*/gvfs/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..f71d93e 100644
+index 8416beb..c6cd3eb 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -13322,7 +13351,33 @@ index 8416beb..f71d93e 100644
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -2148,11 +2607,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2098,6 +2557,25 @@ interface(`fs_rw_hugetlbfs_files',`
+
+ ########################################
+ ## <summary>
++## Execute hugetlbfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_exec_hugetlbfs_files',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ allow $1 hugetlbfs_t:dir list_dir_perms;
++ exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++## <summary>
+ ## Allow the type to associate to hugetlbfs filesystems.
+ ## </summary>
+ ## <param name="type">
+@@ -2148,11 +2626,12 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
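Review bot: The summary of the new `fs_exec_hugetlbfs_files` interface says only `Execute hugetlbfs files.`, which hides what the grant means in practice: hugetlbfs files back memory mappings, so the `exec_files_pattern` at the end of the new block lets the caller map huge pages as executable, which is close to an execmem-style writable-and-executable allowance. The commit message says this exists so `mozilla_plugin_t` can mmap hugepages as executable; suggest saying so in the summary, e.g. `## Execute files on hugetlbfs filesystems (mmap huge pages as executable). This is effectively W+X access to hugetlbfs-backed memory; consider gating callers behind a boolean.`, so future callers see the trade-off before reusing it.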
@@ -13336,7 +13391,7 @@ index 8416beb..f71d93e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2485,6 +2945,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +2964,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -13344,7 +13399,7 @@ index 8416beb..f71d93e 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2523,6 +2984,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +3003,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -13352,7 +13407,7 @@ index 8416beb..f71d93e 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2549,6 +3011,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,6 +3030,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -13378,7 +13433,7 @@ index 8416beb..f71d93e 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2569,7 +3050,7 @@ interface(`fs_append_nfs_files',`
+@@ -2569,7 +3069,7 @@ interface(`fs_append_nfs_files',`
########################################
## <summary>
@@ -13387,7 +13442,7 @@ index 8416beb..f71d93e 100644
## on a NFS filesystem.
## </summary>
## <param name="domain">
-@@ -2589,6 +3070,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2589,6 +3089,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@@ -13430,7 +13485,7 @@ index 8416beb..f71d93e 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
-@@ -2603,7 +3120,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3139,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -13439,7 +13494,7 @@ index 8416beb..f71d93e 100644
')
########################################
-@@ -2627,7 +3144,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3163,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
@@ -13448,7 +13503,7 @@ index 8416beb..f71d93e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2719,6 +3236,26 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3255,26 @@ interface(`fs_search_rpc',`
########################################
## <summary>
@@ -13475,7 +13530,7 @@ index 8416beb..f71d93e 100644
## Search removable storage directories.
## </summary>
## <param name="domain">
-@@ -2741,7 +3278,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3297,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -13484,7 +13539,7 @@ index 8416beb..f71d93e 100644
## </summary>
## </param>
#
-@@ -2777,7 +3314,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3333,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -13493,7 +13548,7 @@ index 8416beb..f71d93e 100644
## </summary>
## </param>
#
-@@ -2970,6 +3507,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3526,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -13501,7 +13556,7 @@ index 8416beb..f71d93e 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3010,6 +3548,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3567,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -13509,7 +13564,7 @@ index 8416beb..f71d93e 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3050,6 +3589,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3608,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -13517,7 +13572,7 @@ index 8416beb..f71d93e 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3137,6 +3677,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +3696,24 @@ interface(`fs_nfs_domtrans',`
########################################
## <summary>
@@ -13542,7 +13597,7 @@ index 8416beb..f71d93e 100644
## Mount a NFS server pseudo filesystem.
## </summary>
## <param name="domain">
-@@ -3255,17 +3813,53 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,17 +3832,53 @@ interface(`fs_list_nfsd_fs',`
## </summary>
## </param>
#
@@ -13599,7 +13654,7 @@ index 8416beb..f71d93e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3273,12 +3867,12 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3273,12 +3886,12 @@ interface(`fs_getattr_nfsd_files',`
## </summary>
## </param>
#
@@ -13614,7 +13669,7 @@ index 8416beb..f71d93e 100644
')
########################################
-@@ -3392,7 +3986,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4005,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@@ -13623,7 +13678,7 @@ index 8416beb..f71d93e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3429,7 +4023,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4042,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@@ -13632,7 +13687,7 @@ index 8416beb..f71d93e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3447,7 +4041,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4060,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@@ -13641,7 +13696,7 @@ index 8416beb..f71d93e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3815,6 +4409,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4428,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
@@ -13666,7 +13721,7 @@ index 8416beb..f71d93e 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
-@@ -3908,7 +4520,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +4539,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
## <summary>
@@ -13675,7 +13730,7 @@ index 8416beb..f71d93e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3916,17 +4528,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +4547,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
## </summary>
## </param>
#
@@ -13696,7 +13751,7 @@ index 8416beb..f71d93e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3934,17 +4546,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +4565,17 @@ interface(`fs_mounton_tmpfs',`
## </summary>
## </param>
#
@@ -13717,7 +13772,7 @@ index 8416beb..f71d93e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3952,17 +4564,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +4583,36 @@ interface(`fs_setattr_tmpfs_dirs',`
## </summary>
## </param>
#
@@ -13757,7 +13812,7 @@ index 8416beb..f71d93e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3970,31 +4601,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +4620,48 @@ interface(`fs_search_tmpfs',`
## </summary>
## </param>
#
@@ -13813,7 +13868,7 @@ index 8416beb..f71d93e 100644
')
########################################
-@@ -4105,7 +4753,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +4772,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -13822,7 +13877,7 @@ index 8416beb..f71d93e 100644
')
########################################
-@@ -4165,6 +4813,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +4832,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@@ -13847,7 +13902,7 @@ index 8416beb..f71d93e 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
-@@ -4202,7 +4868,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +4887,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@@ -13856,7 +13911,7 @@ index 8416beb..f71d93e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4221,6 +4887,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +4906,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -13917,7 +13972,7 @@ index 8416beb..f71d93e 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4278,6 +4998,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +5017,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@@ -13962,7 +14017,7 @@ index 8416beb..f71d93e 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
-@@ -4297,6 +5055,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5074,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -13988,7 +14043,7 @@ index 8416beb..f71d93e 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4503,6 +5280,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5299,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -13997,7 +14052,7 @@ index 8416beb..f71d93e 100644
')
########################################
-@@ -4549,7 +5328,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5347,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -14006,7 +14061,7 @@ index 8416beb..f71d93e 100644
## Example attributes:
## </p>
## <ul>
-@@ -4596,6 +5375,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5394,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
## <summary>
@@ -14033,7 +14088,7 @@ index 8416beb..f71d93e 100644
## Get the quotas of all filesystems.
## </summary>
## <param name="domain">
-@@ -4671,6 +5470,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +5489,25 @@ interface(`fs_getattr_all_dirs',`
########################################
## <summary>
@@ -14059,7 +14114,7 @@ index 8416beb..f71d93e 100644
## Search all directories with a filesystem type.
## </summary>
## <param name="domain">
-@@ -4912,3 +5730,43 @@ interface(`fs_unconfined',`
+@@ -4912,3 +5749,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -17537,7 +17592,7 @@ index ff92430..36740ea 100644
## <summary>
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..15466e9 100644
+index 88d0028..eea8991 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
@@ -17852,7 +17907,7 @@ index 88d0028..15466e9 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +362,36 @@ optional_policy(`
+@@ -270,35 +362,41 @@ optional_policy(`
')
optional_policy(`
@@ -17896,7 +17951,12 @@ index 88d0028..15466e9 100644
')
optional_policy(`
-@@ -319,12 +416,19 @@ optional_policy(`
+ rsync_exec(sysadm_t)
++ rsync_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -319,12 +417,20 @@ optional_policy(`
')
optional_policy(`
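Review bot: The added `rsync_filetrans_named_content(sysadm_t)` duplicates the grant the domain.te hunk earlier in this patch makes to the `named_filetrans_domain` attribute; if sysadm_t already carries that attribute (not visible here), this line is a no-op and can be dropped. If it is kept deliberately, a comment such as `# sysadm_t is not a named_filetrans_domain` next to it would document the reason.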
@@ -17909,6 +17969,7 @@ index 88d0028..15466e9 100644
seutil_run_setfiles(sysadm_t, sysadm_r)
seutil_run_runinit(sysadm_t, sysadm_r)
+ seutil_dbus_chat_semanage(sysadm_t)
++ seutil_read_login_config(sysadm_t)
')
optional_policy(`
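Review bot: The rule added here is `seutil_read_login_config(sysadm_t)`, i.e. read access to the SELinux login-mapping configuration (presumably seusers and the logins directory), while the commit subject says "Allow sysadm_t to read login information", which reads like wtmp/lastlog access (`auth_*_login_records`). A short comment on the line would remove the ambiguity, e.g. `# SELinux login mappings (seusers), not wtmp`. If login records were actually intended, this is the wrong interface.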
@@ -17917,7 +17978,7 @@ index 88d0028..15466e9 100644
')
optional_policy(`
-@@ -349,7 +453,18 @@ optional_policy(`
+@@ -349,7 +455,18 @@ optional_policy(`
')
optional_policy(`
@@ -17937,7 +17998,7 @@ index 88d0028..15466e9 100644
')
optional_policy(`
-@@ -360,19 +475,15 @@ optional_policy(`
+@@ -360,19 +477,15 @@ optional_policy(`
')
optional_policy(`
@@ -17959,7 +18020,7 @@ index 88d0028..15466e9 100644
')
optional_policy(`
-@@ -384,10 +495,6 @@ optional_policy(`
+@@ -384,10 +497,6 @@ optional_policy(`
')
optional_policy(`
@@ -17970,7 +18031,7 @@ index 88d0028..15466e9 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +502,9 @@ optional_policy(`
+@@ -395,6 +504,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -17980,7 +18041,7 @@ index 88d0028..15466e9 100644
')
optional_policy(`
-@@ -402,31 +512,34 @@ optional_policy(`
+@@ -402,31 +514,34 @@ optional_policy(`
')
optional_policy(`
@@ -18021,7 +18082,7 @@ index 88d0028..15466e9 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +552,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +554,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -18032,7 +18093,7 @@ index 88d0028..15466e9 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +572,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +574,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -27947,10 +28008,10 @@ index 24e7804..76da5dd 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..d9b6a37 100644
+index dd3be8d..e9ab9ba 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -11,10 +11,24 @@ gen_require(`
+@@ -11,10 +11,31 @@ gen_require(`
## <desc>
## <p>
@@ -27974,10 +28035,17 @@ index dd3be8d..d9b6a37 100644
+## </p>
+## </desc>
+gen_tunable(daemons_dump_core, false)
++
++## <desc>
++## <p>
++## Enable cluster mode for daemons.
++## </p>
++## </desc>
++gen_tunable(daemons_enable_cluster_mode, false)
# used for direct running of init scripts
# by admin domains
-@@ -25,9 +39,17 @@ attribute direct_init_entry;
+@@ -25,9 +46,17 @@ attribute direct_init_entry;
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
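Review bot: The `<desc>` of the new `daemons_enable_cluster_mode` tunable says only `Enable cluster mode for daemons.`, which tells an administrator listing booleans nothing about what becomes permitted when it is on. Nothing in this hunk consumes the boolean (no `tunable_policy` block here; the consumers presumably sit in the contrib patch next to the rhcs changes listed in the commit message), so this description is the only user-facing documentation of the extra access. Suggest stating what it grants in concrete terms, for example `Allow daemons to be started and managed by cluster (rhcs) resource agents, which widens the domains they may interact with.`, adjusted to match the actual tunable_policy blocks.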
@@ -27995,7 +28063,7 @@ index dd3be8d..d9b6a37 100644
# Mark file type as a daemon run directory
attribute daemonrundir;
-@@ -35,12 +57,14 @@ attribute daemonrundir;
+@@ -35,12 +64,14 @@ attribute daemonrundir;
#
# init_t is the domain of the init process.
#
@@ -28011,7 +28079,7 @@ index dd3be8d..d9b6a37 100644
#
# init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -49,6 +73,15 @@ type init_var_run_t;
+@@ -49,6 +80,15 @@ type init_var_run_t;
files_pid_file(init_var_run_t)
#
@@ -28027,7 +28095,7 @@ index dd3be8d..d9b6a37 100644
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
-@@ -57,7 +90,7 @@ type initctl_t;
+@@ -57,7 +97,7 @@ type initctl_t;
files_type(initctl_t)
mls_trusted_object(initctl_t)
@@ -28036,7 +28104,7 @@ index dd3be8d..d9b6a37 100644
type initrc_exec_t, init_script_file_type;
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
-@@ -98,7 +131,9 @@ ifdef(`enable_mls',`
+@@ -98,7 +138,9 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
@@ -28047,7 +28115,7 @@ index dd3be8d..d9b6a37 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -110,12 +145,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -110,12 +152,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
can_exec(init_t, init_exec_t)
@@ -28087,7 +28155,7 @@ index dd3be8d..d9b6a37 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +181,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +188,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -28107,7 +28175,7 @@ index dd3be8d..d9b6a37 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +200,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +207,20 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -28128,7 +28196,7 @@ index dd3be8d..d9b6a37 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +223,51 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +230,51 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -28183,7 +28251,7 @@ index dd3be8d..d9b6a37 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +276,204 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +283,204 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -28213,13 +28281,14 @@ index dd3be8d..d9b6a37 100644
+
+optional_policy(`
+ chronyd_read_keys(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ kdump_read_crash(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ gnome_filetrans_home_content(init_t)
+ gnome_manage_data(init_t)
+')
@@ -28360,14 +28429,13 @@ index dd3be8d..d9b6a37 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ consolekit_manage_log(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -28375,10 +28443,9 @@ index dd3be8d..d9b6a37 100644
+ optional_policy(`
+ devicekit_dbus_chat_power(init_t)
+ ')
- ')
-
- optional_policy(`
-- nscd_use(init_t)
++')
++
++optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
@@ -28388,15 +28455,16 @@ index dd3be8d..d9b6a37 100644
+
+optional_policy(`
+ networkmanager_stream_connect(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_use(init_t)
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
optional_policy(`
-@@ -216,7 +481,30 @@ optional_policy(`
+@@ -216,7 +488,30 @@ optional_policy(`
')
optional_policy(`
@@ -28427,7 +28495,7 @@ index dd3be8d..d9b6a37 100644
')
########################################
-@@ -225,8 +513,9 @@ optional_policy(`
+@@ -225,8 +520,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28439,7 +28507,7 @@ index dd3be8d..d9b6a37 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +546,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +553,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28456,7 +28524,7 @@ index dd3be8d..d9b6a37 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +571,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +578,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28499,7 +28567,7 @@ index dd3be8d..d9b6a37 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +608,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +615,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -28511,7 +28579,7 @@ index dd3be8d..d9b6a37 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +620,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +627,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -28522,7 +28590,7 @@ index dd3be8d..d9b6a37 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +631,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +638,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -28532,7 +28600,7 @@ index dd3be8d..d9b6a37 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +640,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +647,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -28540,7 +28608,7 @@ index dd3be8d..d9b6a37 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +647,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +654,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28548,7 +28616,7 @@ index dd3be8d..d9b6a37 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +655,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +662,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -28566,7 +28634,7 @@ index dd3be8d..d9b6a37 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +673,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +680,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -28580,7 +28648,7 @@ index dd3be8d..d9b6a37 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +688,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +695,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -28594,7 +28662,7 @@ index dd3be8d..d9b6a37 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +701,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +708,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -28602,7 +28670,7 @@ index dd3be8d..d9b6a37 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +713,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +720,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -28610,7 +28678,7 @@ index dd3be8d..d9b6a37 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +732,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +739,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -28634,7 +28702,7 @@ index dd3be8d..d9b6a37 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +765,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +772,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -28642,7 +28710,7 @@ index dd3be8d..d9b6a37 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +799,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +806,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -28653,7 +28721,7 @@ index dd3be8d..d9b6a37 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +823,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +830,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -28662,7 +28730,7 @@ index dd3be8d..d9b6a37 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +838,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +845,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -28670,7 +28738,7 @@ index dd3be8d..d9b6a37 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +859,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +866,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -28678,7 +28746,7 @@ index dd3be8d..d9b6a37 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +869,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +876,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -28723,7 +28791,7 @@ index dd3be8d..d9b6a37 100644
')
optional_policy(`
-@@ -558,14 +914,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +921,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -28755,7 +28823,7 @@ index dd3be8d..d9b6a37 100644
')
')
-@@ -576,6 +949,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +956,39 @@ ifdef(`distro_suse',`
')
')
@@ -28795,7 +28863,7 @@ index dd3be8d..d9b6a37 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +994,8 @@ optional_policy(`
+@@ -588,6 +1001,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -28804,7 +28872,7 @@ index dd3be8d..d9b6a37 100644
')
optional_policy(`
-@@ -609,6 +1017,7 @@ optional_policy(`
+@@ -609,6 +1024,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -28812,7 +28880,7 @@ index dd3be8d..d9b6a37 100644
')
optional_policy(`
-@@ -625,6 +1034,17 @@ optional_policy(`
+@@ -625,6 +1041,17 @@ optional_policy(`
')
optional_policy(`
@@ -28830,7 +28898,7 @@ index dd3be8d..d9b6a37 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1061,13 @@ optional_policy(`
+@@ -641,9 +1068,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -28844,7 +28912,7 @@ index dd3be8d..d9b6a37 100644
')
optional_policy(`
-@@ -656,15 +1080,11 @@ optional_policy(`
+@@ -656,15 +1087,11 @@ optional_policy(`
')
optional_policy(`
@@ -28862,7 +28930,7 @@ index dd3be8d..d9b6a37 100644
')
optional_policy(`
-@@ -685,6 +1105,15 @@ optional_policy(`
+@@ -685,6 +1112,15 @@ optional_policy(`
')
optional_policy(`
@@ -28878,7 +28946,7 @@ index dd3be8d..d9b6a37 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1154,7 @@ optional_policy(`
+@@ -725,6 +1161,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -28886,7 +28954,7 @@ index dd3be8d..d9b6a37 100644
')
optional_policy(`
-@@ -742,7 +1172,13 @@ optional_policy(`
+@@ -742,7 +1179,13 @@ optional_policy(`
')
optional_policy(`
@@ -28901,7 +28969,7 @@ index dd3be8d..d9b6a37 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1201,10 @@ optional_policy(`
+@@ -765,6 +1208,10 @@ optional_policy(`
')
optional_policy(`
@@ -28912,7 +28980,7 @@ index dd3be8d..d9b6a37 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1214,20 @@ optional_policy(`
+@@ -774,10 +1221,20 @@ optional_policy(`
')
optional_policy(`
@@ -28933,7 +29001,7 @@ index dd3be8d..d9b6a37 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1236,10 @@ optional_policy(`
+@@ -786,6 +1243,10 @@ optional_policy(`
')
optional_policy(`
@@ -28944,7 +29012,7 @@ index dd3be8d..d9b6a37 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1261,6 @@ optional_policy(`
+@@ -807,8 +1268,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -28953,7 +29021,7 @@ index dd3be8d..d9b6a37 100644
')
optional_policy(`
-@@ -817,6 +1269,10 @@ optional_policy(`
+@@ -817,6 +1276,10 @@ optional_policy(`
')
optional_policy(`
@@ -28964,7 +29032,7 @@ index dd3be8d..d9b6a37 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1282,12 @@ optional_policy(`
+@@ -826,10 +1289,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -28977,7 +29045,7 @@ index dd3be8d..d9b6a37 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1314,28 @@ optional_policy(`
+@@ -856,12 +1321,28 @@ optional_policy(`
')
optional_policy(`
@@ -29007,7 +29075,7 @@ index dd3be8d..d9b6a37 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1345,18 @@ optional_policy(`
+@@ -871,6 +1352,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29026,7 +29094,7 @@ index dd3be8d..d9b6a37 100644
')
optional_policy(`
-@@ -886,6 +1372,10 @@ optional_policy(`
+@@ -886,6 +1379,10 @@ optional_policy(`
')
optional_policy(`
@@ -29037,7 +29105,7 @@ index dd3be8d..d9b6a37 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1386,196 @@ optional_policy(`
+@@ -896,3 +1393,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29234,6 +29302,28 @@ index dd3be8d..d9b6a37 100644
+ allow daemon direct_run_init:process sigchld;
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
++
++optional_policy(`
++ tunable_policy(`daemons_enable_cluster_mode',`
++ rhcs_manage_cluster_pid_files(daemon)
++ rhcs_manage_cluster_lib_files(daemon)
++ rhcs_rw_inherited_cluster_tmp_files(daemon)
++ rhcs_stream_connect_cluster_to(daemon,daemon)
++',`
++ rhcs_read_cluster_lib_files(daemon)
++ rhcs_read_cluster_pid_files(daemon)
++ ')
++
++ ')
++
++optional_policy(`
++ tunable_policy(`daemons_enable_cluster_mode',`
++ #resource agents placed config files in /etc/cluster
++ ccs_manage_config(daemon)
++',`
++ ccs_read_config(daemon)
++ ')
++ ')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 662e79b..a199ffd 100644
--- a/policy/modules/system/ipsec.fc
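Review bot: The new cluster-mode branch hands every domain carrying the `daemon` attribute manage access to cluster pid and lib files plus `rhcs_stream_connect_cluster_to(daemon,daemon)`, which, if that interface reads as it does in the rhcs.if hunk further down (`stream_connect_pattern($1, cluster_pid, cluster_pid, $2)`), lets any daemon connect to any other daemon's unix stream socket living under a cluster_pid type, not only to cluster domains. The `else` branch also grants every daemon read on cluster lib and pid files whenever the rhcs module is loaded, regardless of the boolean. Since the rules are attribute-wide, a comment recording the rationale and the scope would help the next reviewer, e.g. `# cluster mode: resource agents run arbitrary daemons against cluster pid/lib content; grants apply to every daemon domain`. The indentation of the `',\`` else separators is also inconsistent with the surrounding blocks; the enclosing init.te section starts outside this hunk.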
@@ -34454,7 +34544,7 @@ index 3822072..270bde3 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..59ed766 100644
+index ec01d0b..ececda2 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -34982,7 +35072,7 @@ index ec01d0b..59ed766 100644
')
########################################
-@@ -522,108 +598,191 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +598,192 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -35075,6 +35165,7 @@ index ec01d0b..59ed766 100644
+ optional_policy(`
+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
++ setroubleshoot_fixit_dontaudit_leaks(load_policy_t)
+ ')
+')
+ifdef(`distro_ubuntu',`
@@ -37561,10 +37652,10 @@ index 0000000..35b4178
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..5842807
+index 0000000..f758960
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,649 @@
+@@ -0,0 +1,650 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -37895,6 +37986,7 @@ index 0000000..5842807
+
+logging_create_devlog_dev(systemd_tmpfiles_t)
+logging_send_syslog_msg(systemd_tmpfiles_t)
++logging_setattr_all_log_dirs(systemd_tmpfiles_t)
+
+miscfiles_filetrans_named_content(systemd_tmpfiles_t)
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
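Review bot: `logging_setattr_all_log_dirs(systemd_tmpfiles_t)` appears broader than the changelog entry "setattr on var_log_t directories": by its name the interface presumably covers every log directory type (audit and daemon log dirs included), so tmpfiles could change ownership and mode on all of them. If only /var/log itself needs it, a narrower interface scoped to var_log_t, where one exists, would reduce the reach; otherwise a comment naming the tmpfiles.d entry that requires it, e.g. `# tmpfiles.d adjusts mode/owner of log dirs at boot`, would document the intent.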
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index bc676e1..f11fea6 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -25988,10 +25988,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..dd418db
+index 0000000..d6a2e10
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,185 @@
+@@ -0,0 +1,187 @@
+policy_module(glusterfs, 1.0.1)
+
+## <desc>
@@ -26065,6 +26065,7 @@ index 0000000..dd418db
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
++allow glusterd_t glusterd_tmp_t:dir mounton;
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
@@ -26130,6 +26131,7 @@ index 0000000..dd418db
+domain_use_interactive_fds(glusterd_t)
+
+fs_mount_all_fs(glusterd_t)
++fs_unmount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+
+files_mounton_mnt(glusterd_t)
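Review bot: `fs_unmount_all_fs(glusterd_t)` allows the daemon to unmount filesystems of every type, which combined with the existing `fs_mount_all_fs` on the line above makes glusterd_t a general mount manager. If the need is limited to glusterfs/fuse volumes, a narrower interface would keep a compromised glusterd from unmounting unrelated filesystems; if all types are genuinely needed, a short comment such as `# glusterd mounts/unmounts bricks and volumes of arbitrary fs types` would record that decision. The enclosing glusterd_t section begins outside this hunk.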
@@ -40908,7 +40910,7 @@ index 6194b80..d54c5ba 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..11a0f02 100644
+index 6a306ee..b236449 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -41352,7 +41354,7 @@ index 6a306ee..11a0f02 100644
')
optional_policy(`
-@@ -300,259 +324,235 @@ optional_policy(`
+@@ -300,259 +324,236 @@ optional_policy(`
########################################
#
@@ -41587,6 +41589,7 @@ index 6a306ee..11a0f02 100644
+fs_list_dos(mozilla_plugin_t)
+fs_read_noxattr_fs_files(mozilla_plugin_t)
+fs_read_hugetlbfs_files(mozilla_plugin_t)
++fs_exec_hugetlbfs_files(mozilla_plugin_t)
application_exec(mozilla_plugin_t)
+application_dontaudit_signull(mozilla_plugin_t)
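Review bot: `fs_exec_hugetlbfs_files(mozilla_plugin_t)` together with `fs_read_hugetlbfs_files` on the preceding line lets a domain that processes untrusted web content map hugetlbfs-backed memory as executable, which is effectively a writable-then-executable mapping and weakens the plugin sandbox. Consider gating it behind a tunable if one fits, and in any case add a comment naming the plugin or JIT that needs it, e.g. `# JIT in plugin maps hugepages executable (3.12.1-95)`. The mozilla_plugin_t section starts outside this hunk.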
@@ -41739,7 +41742,7 @@ index 6a306ee..11a0f02 100644
')
optional_policy(`
-@@ -560,7 +560,7 @@ optional_policy(`
+@@ -560,7 +561,7 @@ optional_policy(`
')
optional_policy(`
@@ -41748,7 +41751,7 @@ index 6a306ee..11a0f02 100644
')
optional_policy(`
-@@ -568,108 +568,130 @@ optional_policy(`
+@@ -568,108 +569,130 @@ optional_policy(`
')
optional_policy(`
@@ -71063,7 +71066,7 @@ index 47de2d6..98a4280 100644
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..b8d154e 100644
+index 56bc01f..2e4d698 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -71108,7 +71111,7 @@ index 56bc01f..b8d154e 100644
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
-+ files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
++ files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })
- optional_policy(`
- dbus_system_bus_client($1_t)
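Review bot: Dropping `dir` from `files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })` changes the label every template user gets on directories it creates under /run, and nothing in the hunk says why. A one-line comment above the call, e.g. `# run dirs stay var_run_t on purpose (shared with cluster_t), do not add dir here`, would stop the next maintainer from re-adding it. The interface body continues outside this hunk.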
@@ -71287,139 +71290,138 @@ index 56bc01f..b8d154e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -342,10 +331,9 @@ interface(`rhcs_stream_connect_groupd',`
+@@ -342,10 +331,51 @@ interface(`rhcs_stream_connect_groupd',`
stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
')
--########################################
+#####################################
- ## <summary>
--## Read and write all cluster domains
--## shared memory.
++## <summary>
+## Allow read and write access to groupd semaphores.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -353,21 +341,20 @@ interface(`rhcs_stream_connect_groupd',`
- ## </summary>
- ## </param>
- #
--interface(`rhcs_rw_cluster_shm',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`rhcs_rw_groupd_semaphores',`
- gen_require(`
-- attribute cluster_domain, cluster_tmpfs;
++ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
- ')
-
-- allow $1 cluster_domain:shm { rw_shm_perms destroy };
++ ')
++
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
-
- fs_search_tmpfs($1)
-- manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
++
++ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
- ')
-
--####################################
++')
++
+########################################
- ## <summary>
--## Read and write all cluster
--## domains semaphores.
++## <summary>
+## Read and write to group shared memory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -375,17 +362,20 @@ interface(`rhcs_rw_cluster_shm',`
- ## </summary>
- ## </param>
- #
--interface(`rhcs_rw_cluster_semaphores',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`rhcs_rw_groupd_shm',`
- gen_require(`
-- attribute cluster_domain;
++ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
- ')
-
-- allow $1 cluster_domain:sem { rw_sem_perms destroy };
++ ')
++
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
++')
++
+ ########################################
+ ## <summary>
+-## Read and write all cluster domains
+-## shared memory.
++## Read and write to group shared memory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -366,8 +396,7 @@ interface(`rhcs_rw_cluster_shm',`
+
+ ####################################
+ ## <summary>
+-## Read and write all cluster
+-## domains semaphores.
++## Read and write access to cluster domains semaphores.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -383,9 +412,10 @@ interface(`rhcs_rw_cluster_semaphores',`
+ allow $1 cluster_domain:sem { rw_sem_perms destroy };
')
-#####################################
-+########################################
++####################################
## <summary>
-## Read and write groupd semaphores.
-+## Read and write to group shared memory.
++## Connect to cluster domains over a unix domain
++## stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -393,20 +383,20 @@ interface(`rhcs_rw_cluster_semaphores',`
+@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',`
## </summary>
## </param>
#
-interface(`rhcs_rw_groupd_semaphores',`
-+interface(`rhcs_rw_cluster_shm',`
++interface(`rhcs_stream_connect_cluster',`
gen_require(`
- type groupd_t, groupd_tmpfs_t;
-+ attribute cluster_domain, cluster_tmpfs;
++ attribute cluster_domain, cluster_pid;
')
- allow $1 groupd_t:sem { rw_sem_perms destroy };
-+ allow $1 cluster_domain:shm { rw_shm_perms destroy };
-
- fs_search_tmpfs($1)
+-
+- fs_search_tmpfs($1)
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-+ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
++ files_search_pids($1)
++ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
')
-########################################
-+####################################
++#####################################
## <summary>
-## Read and write groupd shared memory.
-+## Read and write access to cluster domains semaphores.
++## Connect to cluster domains over a unix domain
++## stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -414,15 +404,32 @@ interface(`rhcs_rw_groupd_semaphores',`
+ ## Domain allowed access.
## </summary>
## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
#
-interface(`rhcs_rw_groupd_shm',`
-+interface(`rhcs_rw_cluster_semaphores',`
++interface(`rhcs_stream_connect_cluster_to',`
gen_require(`
- type groupd_t, groupd_tmpfs_t;
+ attribute cluster_domain;
++ attribute cluster_pid;
')
- allow $1 groupd_t:shm { rw_shm_perms destroy };
-+ allow $1 cluster_domain:sem { rw_sem_perms destroy };
-+')
-
+-
- fs_search_tmpfs($1)
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-+####################################
-+## <summary>
-+## Connect to cluster domains over a unix domain
-+## stream socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`rhcs_stream_connect_cluster',`
-+ gen_require(`
-+ attribute cluster_domain, cluster_pid;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
++ files_search_pids($1)
++ stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
')
######################################
-@@ -446,52 +453,322 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',`
########################################
## <summary>
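Review bot: The new `rhcs_stream_connect_cluster_to` interface documents two parameters both as `<param name="domain">` with the text "Domain allowed access.", so the second block, which describes `$2`, the connect target, is indistinguishable from the first; it should be something like `<param name="target_domain">` with a summary such as `Domain of the socket owner to connect to.`. Its `gen_require` also lists `attribute cluster_domain;` which the body never references (only `cluster_pid` and `$2` are used), so the require can be dropped or the target should be constrained to it. The summary text is a verbatim copy of `rhcs_stream_connect_cluster`'s and should say that this variant connects to a caller-chosen domain. Indentation of the moved `####` separators is also mixed between 36 and 37 characters.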
@@ -71470,11 +71472,7 @@ index 56bc01f..b8d154e 100644
+ files_search_var_lib($1)
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-
-- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
-- domain_system_change_exemption($1)
-- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
-- allow $2 system_r;
++
+#####################################
+## <summary>
+## Allow domain to manage cluster lib files
@@ -71490,14 +71488,16 @@ index 56bc01f..b8d154e 100644
+ type cluster_var_lib_t;
+ ')
-- files_search_pids($1)
-- admin_pattern($1, cluster_pid)
+- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+- domain_system_change_exemption($1)
+- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+- allow $2 system_r;
+ files_search_var_lib($1)
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-- files_search_locks($1)
-- admin_pattern($1, fenced_lock_t)
+- files_search_pids($1)
+- admin_pattern($1, cluster_pid)
+####################################
+## <summary>
+## Allow domain to relabel cluster lib files
@@ -71518,8 +71518,8 @@ index 56bc01f..b8d154e 100644
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-- files_search_tmp($1)
-- admin_pattern($1, fenced_tmp_t)
+- files_search_locks($1)
+- admin_pattern($1, fenced_lock_t)
+######################################
+## <summary>
+## Execute a domain transition to run cluster administrative domain.
@@ -71535,14 +71535,14 @@ index 56bc01f..b8d154e 100644
+ type cluster_t, cluster_exec_t;
+ ')
-- files_search_var_lib($1)
-- admin_pattern($1, qdiskd_var_lib_t)
+- files_search_tmp($1)
+- admin_pattern($1, fenced_tmp_t)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cluster_exec_t, cluster_t)
+')
-- fs_search_tmpfs($1)
-- admin_pattern($1, cluster_tmpfs)
+- files_search_var_lib($1)
+- admin_pattern($1, qdiskd_var_lib_t)
+#######################################
+## <summary>
+## Execute cluster init scripts in
@@ -71558,7 +71558,9 @@ index 56bc01f..b8d154e 100644
+ gen_require(`
+ type cluster_initrc_exec_t;
+ ')
-+
+
+- fs_search_tmpfs($1)
+- admin_pattern($1, cluster_tmpfs)
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+')
+
@@ -71621,6 +71623,24 @@ index 56bc01f..b8d154e 100644
+
+#####################################
+## <summary>
++## Allow the specified domain to read/write inherited cluster's tmpf files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_rw_inherited_cluster_tmp_files',`
++ gen_require(`
++ type cluster_tmp_t;
++ ')
++
++ allow $1 cluster_tmp_t:file rw_inherited_file_perms;
++')
++
++#####################################
++## <summary>
+## Allow manage cluster tmp files.
+## </summary>
+## <param name="domain">
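Review bot: The summary of `rhcs_rw_inherited_cluster_tmp_files` reads "read/write inherited cluster's tmpf files"; "tmpf" is a typo and the phrasing is awkward. Suggested wording: `## Allow the specified domain to read and write inherited cluster tmp files.`.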
@@ -71677,6 +71697,26 @@ index 56bc01f..b8d154e 100644
+
+#####################################
+## <summary>
++## Allow read cluster pid files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_read_cluster_pid_files',`
++ gen_require(`
++ type cluster_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
++')
++
++
++#####################################
++## <summary>
+## Allow manage cluster pid files.
+## </summary>
+## <param name="domain">
@@ -71771,7 +71811,7 @@ index 56bc01f..b8d154e 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..b978814 100644
+index 2c2de9a..26fba30 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -71802,7 +71842,7 @@ index 2c2de9a..b978814 100644
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
-@@ -44,34 +65,281 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t;
init_script_file(foghorn_initrc_exec_t)
rhcs_domain_template(gfs_controld)
@@ -71965,8 +72005,10 @@ index 2c2de9a..b978814 100644
+ corenet_tcp_connect_all_ports(cluster_t)
+')
+
++# we need to have dirs created with var_run_t in /run/cluster
++files_create_var_run_dirs(cluster_t)
++
+tunable_policy(`cluster_manage_all_files',`
-+ files_create_var_run_dirs(cluster_t)
+ files_getattr_all_symlinks(cluster_t)
+ files_list_all(cluster_t)
+ files_manage_mnt_dirs(cluster_t)
@@ -72088,7 +72130,7 @@ index 2c2de9a..b978814 100644
')
#####################################
-@@ -79,7 +347,7 @@ optional_policy(`
+@@ -79,7 +349,7 @@ optional_policy(`
# dlm_controld local policy
#
@@ -72097,7 +72139,7 @@ index 2c2de9a..b978814 100644
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-@@ -98,16 +366,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -72130,7 +72172,7 @@ index 2c2de9a..b978814 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +400,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -72141,7 +72183,7 @@ index 2c2de9a..b978814 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
-@@ -148,9 +429,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@@ -72152,7 +72194,7 @@ index 2c2de9a..b978814 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +439,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@@ -72161,7 +72203,7 @@ index 2c2de9a..b978814 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +461,8 @@ optional_policy(`
+@@ -182,7 +463,8 @@ optional_policy(`
')
optional_policy(`
@@ -72171,7 +72213,7 @@ index 2c2de9a..b978814 100644
')
optional_policy(`
-@@ -190,12 +470,12 @@ optional_policy(`
+@@ -190,12 +472,12 @@ optional_policy(`
')
optional_policy(`
@@ -72187,7 +72229,7 @@ index 2c2de9a..b978814 100644
')
optional_policy(`
-@@ -203,6 +483,13 @@ optional_policy(`
+@@ -203,6 +485,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -72201,7 +72243,7 @@ index 2c2de9a..b978814 100644
#######################################
#
# foghorn local policy
-@@ -221,16 +508,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@@ -72222,7 +72264,7 @@ index 2c2de9a..b978814 100644
snmp_stream_connect(foghorn_t)
')
-@@ -257,6 +546,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -72231,7 +72273,7 @@ index 2c2de9a..b978814 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +566,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -72273,7 +72315,7 @@ index 2c2de9a..b978814 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +641,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -76106,10 +76148,10 @@ index d1fd97f..7ee8502 100644
-
-miscfiles_read_localization(rssh_chroot_helper_t)
diff --git a/rsync.fc b/rsync.fc
-index d25301b..d92f567 100644
+index d25301b..f3eeec7 100644
--- a/rsync.fc
+++ b/rsync.fc
-@@ -1,7 +1,7 @@
+@@ -1,7 +1,8 @@
/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
-/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
@@ -76119,8 +76161,9 @@ index d25301b..d92f567 100644
+/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0)
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
++/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
-index f1140ef..02de8a5 100644
+index f1140ef..8afe362 100644
--- a/rsync.if
+++ b/rsync.if
@@ -1,16 +1,32 @@
@@ -76345,34 +76388,36 @@ index f1140ef..02de8a5 100644
## with rsync etc type.
## </summary>
## <param name="domain">
-@@ -236,46 +224,3 @@ interface(`rsync_etc_filetrans_config',`
+@@ -239,43 +227,21 @@ interface(`rsync_etc_filetrans_config',`
- files_etc_filetrans($1, rsync_etc_t, $2, $3)
- ')
--
--########################################
--## <summary>
+ ########################################
+ ## <summary>
-## All of the rules required to
-## administrate an rsync environment.
--## </summary>
--## <param name="domain">
--## <summary>
++## Transition to rsync named content
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
--## </summary>
--## </param>
++## Domain allowed access.
+ ## </summary>
+ ## </param>
-## <rolecap/>
--#
+ #
-interface(`rsync_admin',`
-- gen_require(`
++interface(`rsync_filetrans_named_content',`
+ gen_require(`
- type rsync_t, rsync_etc_t, rsync_data_t;
- type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
-- ')
--
++ type rsync_etc_t;
++ type rsync_var_run_t;
+ ')
+
- allow $1 rsync_t:process { ptrace signal_perms };
- ps_process_pattern($1, rsync_t)
-
@@ -76391,7 +76436,10 @@ index f1140ef..02de8a5 100644
- admin_pattern($1, rsync_var_run_t)
-
- rsync_run($1, $2)
--')
++ files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond")
++ files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock")
++ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
+ ')
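Review bot: `files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond")` names a file that does not match the rsync.fc entry `/etc/rsyncd\.conf` earlier in this patch, so the named transition never fires for the real config file and a caller creating /etc/rsyncd.conf gets the generic etc_t label instead of rsync_etc_t. The fix is the one-character change `files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.conf")`. The same interface also transitions "swift_server.lock" and "rsyncd.lock" in /run; the fc entries for those look consistent with the labels used here.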
diff --git a/rsync.te b/rsync.te
index e3e7c96..ec50426 100644
--- a/rsync.te
@@ -97216,10 +97264,10 @@ index 7c7f7fa..20ce90b 100644
+ xserver_manage_core_devices(wm_domain)
+')
diff --git a/xen.fc b/xen.fc
-index 42d83b0..5f18f6e 100644
+index 42d83b0..651d1cb 100644
--- a/xen.fc
+++ b/xen.fc
-@@ -1,38 +1,41 @@
+@@ -1,38 +1,42 @@
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
-/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
@@ -97246,6 +97294,7 @@ index 42d83b0..5f18f6e 100644
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
-/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
-/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
++/usr/sbin/oxenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+')
-/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
@@ -97545,7 +97594,7 @@ index f93558c..16e29c1 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
-index ed40676..0706207 100644
+index ed40676..3fe3e35 100644
--- a/xen.te
+++ b/xen.te
@@ -1,42 +1,34 @@
@@ -98064,7 +98113,7 @@ index ed40676..0706207 100644
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
-@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t)
+@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)
@@ -98087,11 +98136,10 @@ index ed40676..0706207 100644
-
xen_append_log(xenstored_t)
- ########################################
- #
+-########################################
+-#
-# xm local policy
-+# SSH component local policy
- #
+-#
-
-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
@@ -98187,9 +98235,14 @@ index ed40676..0706207 100644
-
optional_policy(`
- cron_system_entry(xm_t, xm_exec_t)
--')
--
--optional_policy(`
++ virt_read_config(xenstored_t)
+ ')
+
++########################################
++#
++# SSH component local policy
++#
+ optional_policy(`
- dbus_system_bus_client(xm_t)
-
- optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9116b9b..4cfb2f6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 94%{?dist}
+Release: 95%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -230,7 +230,7 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/se
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
-%config %{_sysconfdir}/selinux/%1/contexts/sytemd_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
@@ -573,6 +573,23 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Oct 28 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-95
+- Allow sysadm_t to read login information
+- Allow systemd_tmpfiles to setattr on var_log_t directories
+- Udpdate Makefile to include systemd_contexts
+- Add systemd_contexts
+- Add fs_exec_hugetlbfs_files() interface
+- Add daemons_enable_cluster_mode boolean
+- Fix rsync_filetrans_named_content()
+- Add rhcs_read_cluster_pid_files() interface
+- Update rhcs.if with additional interfaces from RHEL6
+- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
+- Allow glusterd_t to mounton glusterd_tmp_t
+- Allow glusterd to unmout al filesystems
+- Allow xenstored to read virt config
+- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label
+- Allow mozilla_plugin_t to mmap hugepages as an executable
+
* Thu Oct 24 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-94
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp