[selinux-policy] - Add filename transition also for servicelog.db-journal - Add files_dontaudit_access_check_root() -

Miroslav Grepl mgrepl at fedoraproject.org
Tue Nov 26 10:43:10 UTC 2013


commit c9b9ed2c4db3489f4d4be0e5acabc837df9f106b
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Nov 26 11:42:42 2013 +0100

    - Add filename transition also for servicelog.db-journal
    - Add files_dontaudit_access_check_root()
    - Add lvm_dontaudit_access_check_lock() interface
    - Allow mount to manage mount_var_run_t files/dirs
    - Allow updapwd_t to ignore mls levels for writing shadow_t at a lower level
    - Make sure boot.log is created with the correct label
    - call logging_relabel_all_log_dirs() in systemd.te
    - Allow systemd_tmpfiles to relabel log directories
    - Allow staff_t to run frequency command
    - Allow staff_t to read xserver_log file
    - This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f.
    - Label hsperfdata_root as tmp_t
    - Add plymouthd_create_log()
    - Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
    - Allow sssd to request the kernel loads modules
    - Allow gpg_agent to use ssh-add
    - Allow gpg_agent to use ssh-add
    - Dontaudit access check on /root for mysqld_safe_t
    - Add glusterd_brick_t files type
    - Allow ctdb to getattr on all filesystems
    - Allow abrt to stream connect to syslog
    - Allow dnsmasq to list dnsmasq.d directory
    - Watchdog opens the raw socket
    - Allow watchdog to read network state info
    - Dontaudit access check on lvm lock dir
    - Allow sosreport to send signull to setroubleshootd
    - Add setroubleshoot_signull() interface
    - Fix ldap_read_certs() interface
    - Allow sosreport all signal perms
    - Allow sosreport to run systemctl
    - Allow sosreport to dbus chat with rpm
    - Allow zabbix_agentd to read all domain state
    - Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom
    - Allow smoltclient to execute ldconfig
    - Allow sosreport to request the kernel to load a module
    - Clean up rtas.if
    - Clean up docker.if
    - drop /var/lib/glpi/files labeling in cron.fc
    - Added new policy for rasdaemon

 policy-rawhide-base.patch    |  704 +++++++++--------
 policy-rawhide-contrib.patch | 1853 ++++++++++++++++++++++++++++++++++--------
 selinux-policy.spec          |   61 ++-
 3 files changed, 1945 insertions(+), 673 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2e8bd41..3c1c755 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8707,7 +8707,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..369ddc2 100644
+index cf04cb5..83fca99 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8844,7 +8844,7 @@ index cf04cb5..369ddc2 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,306 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -8985,6 +8985,10 @@ index cf04cb5..369ddc2 100644
 +')
 +
 +optional_policy(`
++	plymouthd_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
 +	postgresql_filetrans_named_content(named_filetrans_domain)
 +')
 +
@@ -9152,7 +9156,7 @@ index cf04cb5..369ddc2 100644
 +	')
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..7f5b8f8 100644
+index b876c48..bd5b58c 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9286,7 +9290,7 @@ index b876c48..7f5b8f8 100644
  #
  # /selinux
  #
-@@ -178,13 +191,14 @@ ifdef(`distro_debian',`
+@@ -178,25 +191,28 @@ ifdef(`distro_debian',`
  #
  # /srv
  #
@@ -9303,7 +9307,10 @@ index b876c48..7f5b8f8 100644
  /tmp/.*				<<none>>
  /tmp/\.journal			<<none>>
  
-@@ -194,9 +208,10 @@ ifdef(`distro_debian',`
+ /tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /tmp/lost\+found/.*		<<none>>
++/var/tmp/hsperfdata_root    gen_context(system_u:object_r:tmp_t,s0)
+ 
  #
  # /usr
  #
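Review bot: The new `/var/tmp/hsperfdata_root` entry in files.fc carries no file-type flag, so a regular file or symlink dropped at that path would be relabeled tmp_t just like the directory; hsperfdata_root is by JVM convention a directory, so restrict the match with `/var/tmp/hsperfdata_root	-d	gen_context(system_u:object_r:tmp_t,s0)`. The neighbouring `/var/tmp/.*  <<none>>` rule still covers whatever is created underneath it, which is presumably the intent (restorecon leaves /var/tmp contents alone) — confirm. The added line is also aligned with spaces where every other entry in this block uses tabs.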
@@ -9315,7 +9322,7 @@ index b876c48..7f5b8f8 100644
  
  /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -204,15 +219,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +220,9 @@ ifdef(`distro_debian',`
  
  /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
  
@@ -9332,7 +9339,7 @@ index b876c48..7f5b8f8 100644
  
  /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -220,8 +229,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +230,6 @@ ifdef(`distro_debian',`
  /usr/tmp/.*			<<none>>
  
  ifndef(`distro_redhat',`
@@ -9341,7 +9348,7 @@ index b876c48..7f5b8f8 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -229,7 +236,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +237,7 @@ ifndef(`distro_redhat',`
  #
  # /var
  #
@@ -9350,7 +9357,7 @@ index b876c48..7f5b8f8 100644
  /var/.*				gen_context(system_u:object_r:var_t,s0)
  /var/\.journal			<<none>>
  
-@@ -237,11 +244,24 @@ ifndef(`distro_redhat',`
+@@ -237,11 +245,24 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -9376,7 +9383,7 @@ index b876c48..7f5b8f8 100644
  
  /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/log/lost\+found/.*		<<none>>
-@@ -256,12 +276,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
  /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*\.*pid		<<none>>
@@ -9391,14 +9398,14 @@ index b876c48..7f5b8f8 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -271,3 +293,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +294,5 @@ ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  /var/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..ed3cc8d 100644
+index f962f76..eda85f9 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10072,7 +10079,34 @@ index f962f76..ed3cc8d 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1892,25 +2298,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1765,6 +2171,26 @@ interface(`files_dontaudit_rw_root_dir',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to check the 
++##	access on root directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_access_check_root',`
++	gen_require(`
++		type root_t;
++	')
++
++	dontaudit $1 root_t:dir_file_class_set audit_access;
++')
++
++
++########################################
++## <summary>
+ ##	Create an object in the root directory, with a private
+ ##	type using a type transition.
+ ## </summary>
+@@ -1892,25 +2318,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
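Review bot: `files_dontaudit_access_check_root` is documented as silencing access checks on the root directory, but its rule uses `dir_file_class_set`, so it also covers files, symlinks, sockets and device nodes that carry root_t; either narrow it to `dontaudit $1 root_t:dir audit_access;` or reword the summary to `Do not audit attempts to check access on objects labeled root_t.` so callers know how wide the suppression is. The first summary line `##	Do not audit attempts to check the ` ends in a trailing space. Two consecutive blank lines separate the new interface from the following `########` header, where the rest of files.if keeps exactly one.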
@@ -10104,7 +10138,7 @@ index f962f76..ed3cc8d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1923,7 +2329,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2349,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -10113,7 +10147,7 @@ index f962f76..ed3cc8d 100644
  ')
  
  ########################################
-@@ -1946,6 +2352,24 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2372,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -10138,7 +10172,7 @@ index f962f76..ed3cc8d 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2181,6 +2605,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2625,24 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -10163,7 +10197,7 @@ index f962f76..ed3cc8d 100644
  ######################################
  ## <summary>
  ##	Read symbolic links in the /boot directory.
-@@ -2645,6 +3087,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3107,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -10188,7 +10222,7 @@ index f962f76..ed3cc8d 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2716,6 +3176,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3196,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10196,7 +10230,7 @@ index f962f76..ed3cc8d 100644
  ')
  
  ########################################
-@@ -2724,7 +3185,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3205,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10205,7 +10239,7 @@ index f962f76..ed3cc8d 100644
  ##	</summary>
  ## </param>
  #
-@@ -2780,6 +3241,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3261,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -10231,7 +10265,7 @@ index f962f76..ed3cc8d 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2798,6 +3278,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3298,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -10256,7 +10290,7 @@ index f962f76..ed3cc8d 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2963,24 +3461,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3481,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -10281,7 +10315,7 @@ index f962f76..ed3cc8d 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3021,9 +3501,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3521,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10292,7 +10326,7 @@ index f962f76..ed3cc8d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3031,18 +3509,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3529,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -10314,7 +10348,7 @@ index f962f76..ed3cc8d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3060,6 +3537,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3557,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10341,7 +10375,7 @@ index f962f76..ed3cc8d 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3077,6 +3574,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3594,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10349,7 +10383,7 @@ index f962f76..ed3cc8d 100644
  ')
  
  ########################################
-@@ -3098,6 +3596,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3616,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10357,108 +10391,88 @@ index f962f76..ed3cc8d 100644
  ')
  
  ########################################
-@@ -3150,6 +3649,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3150,45 +3669,64 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
+-##	Do not audit attempts to search directories on new filesystems
 +##	Setattr of directories on new filesystems
-+##	that have not yet been labeled.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_setattr_isid_type_dirs',`
-+	gen_require(`
-+		type file_t;
-+	')
-+
-+	allow $1 file_t:dir setattr;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3223,11 +3741,10 @@ interface(`files_delete_isid_type_dirs',`
- 
- 	delete_dirs_pattern($1, file_t, file_t)
- ')
--
- ########################################
- ## <summary>
--##	Create, read, write, and delete directories
--##	on new filesystems that have not yet been labeled.
-+##	Execute files on new filesystems
-+##	that have not yet been labeled.
- ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3235,18 +3752,18 @@ interface(`files_delete_isid_type_dirs',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_isid_type_dirs',`
-+interface(`files_exec_isid_files',`
+-interface(`files_dontaudit_search_isid_type_dirs',`
++interface(`files_setattr_isid_type_dirs',`
  	gen_require(`
  		type file_t;
  	')
  
--	allow $1 file_t:dir manage_dir_perms;
-+	can_exec($1, file_t)
+-	dontaudit $1 file_t:dir search_dir_perms;
++	allow $1 file_t:dir setattr;
  ')
  
  ########################################
  ## <summary>
--##	Mount a filesystem on a directory on new filesystems
--##	that has not yet been labeled.
-+##	Moundon directories on new filesystems
-+##	that have not yet been labeled.
+-##	List the contents of directories on new filesystems
++##	Do not audit attempts to search directories on new filesystems
+ ##	that have not yet been labeled.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3254,17 +3771,17 @@ interface(`files_manage_isid_type_dirs',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_mounton_isid_type_dirs',`
-+interface(`files_mounton_isid',`
+-interface(`files_list_isid_type_dirs',`
++interface(`files_dontaudit_search_isid_type_dirs',`
  	gen_require(`
  		type file_t;
  	')
  
--	allow $1 file_t:dir { search_dir_perms mounton };
-+	allow $1 file_t:dir mounton;
+-	allow $1 file_t:dir list_dir_perms;
++	dontaudit $1 file_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Read files on new filesystems
-+##	Relabelfrom all file opbjects on new filesystems
+-##	Read and write directories on new filesystems
++##	List the contents of directories on new filesystems
++##	that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_isid_type_dirs',`
++	gen_require(`
++		type file_t;
++	')
++
++	allow $1 file_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
++##	Read and write directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
  ## <param name="domain">
-@@ -3273,12 +3790,69 @@ interface(`files_mounton_isid_type_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_read_isid_type_files',`
-+interface(`files_relabelfrom_isid_type',`
- 	gen_require(`
- 		type file_t;
- 	')
+@@ -3223,6 +3761,62 @@ interface(`files_delete_isid_type_dirs',`
  
--	allow $1 file_t:file read_file_perms;
-+	dontaudit $1 file_t:dir_file_class_set relabelfrom;
-+')
-+
+ 	delete_dirs_pattern($1, file_t, file_t)
+ ')
 +########################################
 +## <summary>
-+##	Create, read, write, and delete directories
-+##	on new filesystems that have not yet been labeled.
++##	Execute files on new filesystems
++##	that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
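Review bot: In the new `+@@ -3223,6 +3761,62 @@` sub-hunk the block of added interfaces begins directly after the `')` that closes `files_delete_isid_type_dirs`, with no blank line before the `########` header, so this spot loses the one-blank-line separation every other interface in files.if keeps; add an empty `+` line before the header. The reordered `files_setattr_isid_type_dirs`, `files_dontaudit_search_isid_type_dirs` and `files_list_isid_type_dirs` bodies are otherwise identical to the previous revision of the patch. The added definitions continue in the following hunks.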
@@ -10466,18 +10480,18 @@ index f962f76..ed3cc8d 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_manage_isid_type_dirs',`
++interface(`files_exec_isid_files',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	allow $1 file_t:dir manage_dir_perms;
++	can_exec($1, file_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Mount a filesystem on a directory on new filesystems
-+##	that has not yet been labeled.
++##	Moundon directories on new filesystems
++##	that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
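Review bot: The summary of `files_mounton_isid` still reads `Moundon directories on new filesystems`; it should be `Mounton directories on new filesystems` (or `Mount on directories on new filesystems`). Since the new patch now leaves upstream's `files_mounton_isid_type_dirs` in place and adds this second interface beside it, a summary that states how it differs — it grants only `mounton`, not `search_dir_perms` — would save the next reader from comparing the two bodies. These lines are moved unchanged from the previous revision of the patch, so the typo predates this commit.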
@@ -10485,17 +10499,17 @@ index f962f76..ed3cc8d 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_mounton_isid_type_dirs',`
++interface(`files_mounton_isid',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	allow $1 file_t:dir { search_dir_perms mounton };
++	allow $1 file_t:dir mounton;
 +')
 +
 +########################################
 +## <summary>
-+##	Read files on new filesystems
++##	Relabelfrom all file opbjects on new filesystems
 +##	that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
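Review bot: The summary of `files_relabelfrom_isid_type` reads `Relabelfrom all file opbjects on new filesystems`, which misspells "objects" and describes an allow rule, while the body in the next hunk is a dontaudit; it should read `Do not audit attempts to relabel from all file objects on new filesystems`. The parameter summary `Domain allowed access.` below it should correspondingly become `Domain to not audit.` as in the other silencing interfaces of files.if. These lines are moved unchanged from the previous revision of the patch.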
@@ -10504,16 +10518,17 @@ index f962f76..ed3cc8d 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_read_isid_type_files',`
++interface(`files_relabelfrom_isid_type',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	allow $1 file_t:file read_file_perms;
- ')
++	dontaudit $1 file_t:dir_file_class_set relabelfrom;
++')
  
  ########################################
-@@ -3473,6 +4047,25 @@ interface(`files_rw_isid_type_blk_files',`
+ ## <summary>
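Review bot: `files_relabelfrom_isid_type` emits `dontaudit $1 file_t:dir_file_class_set relabelfrom;`, but nothing in its name says so; every other silencing interface in files.if is named `files_dontaudit_*`, so a policy author picking this one to actually permit relabeling from file_t gets a silent denial with no AVC to explain it. Rename it `files_dontaudit_relabelfrom_isid_type` (and its callers in the contrib patch) or, if granting the permission is the intent, change the rule to `allow`. The interface's header and summary lines sit in the preceding hunk.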
+@@ -3473,6 +4067,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
@@ -10539,7 +10554,7 @@ index f962f76..ed3cc8d 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3814,20 +4407,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4427,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -10583,7 +10598,7 @@ index f962f76..ed3cc8d 100644
  ')
  
  ########################################
-@@ -4217,6 +4828,171 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +4848,173 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -10750,12 +10765,14 @@ index f962f76..ed3cc8d 100644
 +    ')
 +
 +    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
++    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
++')
 +')
 +
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
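Review bot: The added `servicelog.db-journal` filetrans line is followed by an added `')`, while the original `')` that closed the interface is kept as context, so the block now ends with two closing quotes; unless the header above this hunk opens a second quoted block that the previous revision left unclosed, the extra `')` is unbalanced and will leak stray text into the generated policy. Drop the added `')` so the interface ends with the single existing one. Both added lines use four-space indentation where files.if uses tabs. The interface's opening lines are outside this hunk.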
-@@ -4239,6 +5015,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5037,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -10782,7 +10799,7 @@ index f962f76..ed3cc8d 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4252,17 +5048,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5070,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -10821,7 +10838,7 @@ index f962f76..ed3cc8d 100644
  ##	</summary>
  ## </param>
  #
-@@ -4289,6 +5105,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5127,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -10829,7 +10846,7 @@ index f962f76..ed3cc8d 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4325,6 +5142,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5164,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -10837,7 +10854,7 @@ index f962f76..ed3cc8d 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4334,7 +5152,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5174,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10846,7 +10863,7 @@ index f962f76..ed3cc8d 100644
  ##	</summary>
  ## </param>
  #
-@@ -4346,6 +5164,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5186,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -10872,7 +10889,7 @@ index f962f76..ed3cc8d 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4361,6 +5198,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5220,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -10880,7 +10897,7 @@ index f962f76..ed3cc8d 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4402,6 +5240,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5262,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -10913,7 +10930,7 @@ index f962f76..ed3cc8d 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4456,7 +5320,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,7 +5342,7 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -10922,7 +10939,7 @@ index f962f76..ed3cc8d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4464,17 +5328,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4464,17 +5350,17 @@ interface(`files_rw_generic_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -10944,7 +10961,7 @@ index f962f76..ed3cc8d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4482,59 +5346,53 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4482,33 +5368,123 @@ interface(`files_setattr_all_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -10980,58 +10997,12 @@ index f962f76..ed3cc8d 100644
  	')
  
 -	allow $1 var_t:dir search_dir_perms;
--	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +	allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to get the attributes
--##	of all tmp files.
-+##	Allow caller to read inherited tmp files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
-+interface(`files_read_inherited_tmp_files',`
- 	gen_require(`
- 		attribute tmpfile;
- 	')
- 
--	dontaudit $1 tmpfile:file getattr;
-+	allow $1 tmpfile:file { append read_inherited_file_perms };
- ')
- 
- ########################################
- ## <summary>
--##	Allow attempts to get the attributes
--##	of all tmp files.
-+##	Allow caller to append inherited tmp files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4542,12 +5400,108 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_getattr_all_tmp_files',`
-+interface(`files_append_inherited_tmp_files',`
- 	gen_require(`
- 		attribute tmpfile;
- 	')
- 
--	allow $1 tmpfile:file getattr;
-+	allow $1 tmpfile:file append_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to read and write inherited tmp files.
++##	Allow caller to read inherited tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -11039,17 +11010,17 @@ index f962f76..ed3cc8d 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_read_inherited_tmp_files',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
-+	allow $1 tmpfile:file rw_inherited_file_perms;
++	allow $1 tmpfile:file { append read_inherited_file_perms };
 +')
 +
 +########################################
 +## <summary>
-+##	List all tmp directories.
++##	Allow caller to append inherited tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -11057,76 +11028,82 @@ index f962f76..ed3cc8d 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_list_all_tmp',`
++interface(`files_append_inherited_tmp_files',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
-+	allow $1 tmpfile:dir list_dir_perms;
++	allow $1 tmpfile:file append_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel to and from all temporary
-+##	directory types.
++##	Allow caller to read and write inherited tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_relabel_all_tmp_dirs',`
++interface(`files_rw_inherited_tmp_file',`
 +	gen_require(`
 +		attribute tmpfile;
-+		type var_t;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	relabel_dirs_pattern($1, tmpfile, tmpfile)
++	allow $1 tmpfile:file rw_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to get the attributes
-+##	of all tmp files.
++##	List all tmp directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_list_all_tmp',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
-+	dontaudit $1 tmpfile:file getattr;
++	allow $1 tmpfile:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow attempts to get the attributes
-+##	of all tmp files.
++##	Relabel to and from all temporary
++##	directory types.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_getattr_all_tmp_files',`
++interface(`files_relabel_all_tmp_dirs',`
 +	gen_require(`
 +		attribute tmpfile;
++		type var_t;
 +	')
 +
-+	allow $1 tmpfile:file getattr;
++	allow $1 var_t:dir search_dir_perms;
+ 	relabel_dirs_pattern($1, tmpfile, tmpfile)
  ')
  
- ########################################
-@@ -4579,7 +5533,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4519,7 +5495,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+@@ -4579,7 +5555,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
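Review bot: The new `+@@ -4519,7 +5495,7 @@` sub-hunk changes only the parameter summary of an upstream interface from `Domain not to audit.` to `Domain to not audit.`, a wording edit with no policy effect that widens the Fedora-specific diff against refpolicy; if the goal is consistency with the `Domain to not audit.` phrasing used elsewhere in files.if, it seems better sent upstream than carried here. The rest of the hunk reorders the inherited-tmp and all-tmp interfaces that the previous revision of the patch already defined, with their bodies unchanged.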
@@ -11135,7 +11112,7 @@ index f962f76..ed3cc8d 100644
  ##	</summary>
  ## </param>
  #
-@@ -4611,6 +5565,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5587,44 @@ interface(`files_read_all_tmp_files',`
  
  ########################################
  ## <summary>
@@ -11180,7 +11157,7 @@ index f962f76..ed3cc8d 100644
  ##	Create an object in the tmp directories, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -4664,6 +5656,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5678,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11197,7 +11174,7 @@ index f962f76..ed3cc8d 100644
  ')
  
  ########################################
-@@ -5241,6 +6243,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6265,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -11222,7 +11199,7 @@ index f962f76..ed3cc8d 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5596,6 +6616,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6638,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -11248,7 +11225,7 @@ index f962f76..ed3cc8d 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5641,7 +6680,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6702,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -11257,7 +11234,7 @@ index f962f76..ed3cc8d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5649,12 +6688,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6710,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -11273,7 +11250,7 @@ index f962f76..ed3cc8d 100644
  ')
  
  ########################################
-@@ -5672,6 +6712,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6734,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11281,7 +11258,7 @@ index f962f76..ed3cc8d 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5698,7 +6739,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6761,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -11309,7 +11286,7 @@ index f962f76..ed3cc8d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5706,13 +6766,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6788,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11326,7 +11303,7 @@ index f962f76..ed3cc8d 100644
  ')
  
  ########################################
-@@ -5731,7 +6790,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6812,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -11335,7 +11312,7 @@ index f962f76..ed3cc8d 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5764,7 +6823,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6845,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -11343,7 +11320,7 @@ index f962f76..ed3cc8d 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5779,7 +6837,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6859,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -11352,7 +11329,7 @@ index f962f76..ed3cc8d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5787,13 +6845,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6867,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11387,7 +11364,7 @@ index f962f76..ed3cc8d 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5809,13 +6887,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +6909,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -11405,7 +11382,7 @@ index f962f76..ed3cc8d 100644
  ')
  
  ########################################
-@@ -5834,9 +6911,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +6933,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11416,7 +11393,7 @@ index f962f76..ed3cc8d 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5878,8 +6953,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +6975,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11426,7 +11403,7 @@ index f962f76..ed3cc8d 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +6975,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +6997,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11436,7 +11413,7 @@ index f962f76..ed3cc8d 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7012,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7034,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -11446,7 +11423,7 @@ index f962f76..ed3cc8d 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5979,7 +7051,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7073,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -11455,7 +11432,7 @@ index f962f76..ed3cc8d 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5999,10 +7071,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7093,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11504,7 +11481,7 @@ index f962f76..ed3cc8d 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6025,6 +7135,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7157,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -11530,7 +11507,7 @@ index f962f76..ed3cc8d 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6039,7 +7168,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7190,7 @@ interface(`files_list_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11539,7 +11516,7 @@ index f962f76..ed3cc8d 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  ')
  
-@@ -6058,7 +7187,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7209,7 @@ interface(`files_read_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11548,7 +11525,7 @@ index f962f76..ed3cc8d 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6078,7 +7207,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7229,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
@@ -11557,7 +11534,7 @@ index f962f76..ed3cc8d 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6140,7 +7269,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7291,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -11565,7 +11542,7 @@ index f962f76..ed3cc8d 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6169,7 +7297,7 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,7 +7319,7 @@ interface(`files_pid_filetrans_lock_dir',`
  
  ########################################
  ## <summary>
@@ -11574,21 +11551,27 @@ index f962f76..ed3cc8d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6177,12 +7305,30 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6177,20 +7327,38 @@ interface(`files_pid_filetrans_lock_dir',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_rw_generic_pids',`
 +interface(`files_rw_inherited_generic_pid_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		type var_run_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	rw_files_pattern($1, var_run_t, var_run_t)
 +	allow $1 var_run_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes of
+-##	daemon runtime data files.
 +##	Read and write generic process ID files.
 +## </summary>
 +## <param name="domain">
@@ -11598,16 +11581,23 @@ index f962f76..ed3cc8d 100644
 +## </param>
 +#
 +interface(`files_rw_generic_pids',`
- 	gen_require(`
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
 +	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- 	rw_files_pattern($1, var_run_t, var_run_t)
- ')
-@@ -6249,6 +7395,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
++	list_dirs_pattern($1, var_t, var_run_t)
++	rw_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes of
++##	daemon runtime data files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6249,6 +7417,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -11724,7 +11714,7 @@ index f962f76..ed3cc8d 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6261,12 +7517,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6261,12 +7539,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
  interface(`files_read_all_pids',`
  	gen_require(`
  		attribute pidfile;
@@ -11813,7 +11803,7 @@ index f962f76..ed3cc8d 100644
  ')
  
  ########################################
-@@ -6286,8 +7616,8 @@ interface(`files_delete_all_pids',`
+@@ -6286,8 +7638,8 @@ interface(`files_delete_all_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11823,7 +11813,7 @@ index f962f76..ed3cc8d 100644
  	allow $1 var_run_t:dir rmdir;
  	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
  	delete_files_pattern($1, pidfile, pidfile)
-@@ -6311,36 +7641,80 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6311,36 +7663,80 @@ interface(`files_delete_all_pid_dirs',`
  		type var_t, var_run_t;
  	')
  
@@ -11915,7 +11905,7 @@ index f962f76..ed3cc8d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6348,12 +7722,33 @@ interface(`files_manage_all_pids',`
+@@ -6348,12 +7744,33 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -11952,7 +11942,7 @@ index f962f76..ed3cc8d 100644
  ')
  
  ########################################
-@@ -6580,3 +7975,491 @@ interface(`files_unconfined',`
+@@ -6580,3 +7997,492 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -12313,6 +12303,7 @@ index f962f76..ed3cc8d 100644
 +	files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
 +	files_etc_filetrans_etc_runtime($1, file, "hwconf")
 +	files_etc_filetrans_etc_runtime($1, file, "iptables.save")
++	files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root")
 +	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
 +	files_var_filetrans($1, tmp_t, dir, "tmp")
 +')
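Review bot: The new `files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root")` forces the JVM's perf-data directory to generic `tmp_t` for every domain that calls this interface, and nothing in the hunk records why it must not take the caller's own tmp type, which is what isolates one domain's /tmp content from another's. A one-line comment above the rule, `# /tmp/hsperfdata_root is shared by JVMs running in several domains; keep it generic tmp_t`, would make that trade-off reviewable, assuming that is the reason. Only the root user's directory is named here; if per-user `hsperfdata_<user>` directories are meant to be treated the same, they fall through to the caller's default transition. The enclosing interface starts outside the hunk.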
@@ -17163,7 +17154,7 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..faffbc3 100644
+index 0fef1fc..cf718d2 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,71 @@ policy_module(staff, 2.4.0)
@@ -17238,7 +17229,7 @@ index 0fef1fc..faffbc3 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +82,106 @@ optional_policy(`
+@@ -23,11 +82,110 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17283,6 +17274,10 @@ index 0fef1fc..faffbc3 100644
 +')
 +
 +optional_policy(`
++	freqset_run(staff_t, staff_r)
++')
++
++optional_policy(`
 +	irc_role(staff_r, staff_t)
 +')
 +
@@ -17346,7 +17341,7 @@ index 0fef1fc..faffbc3 100644
  ')
  
  optional_policy(`
-@@ -35,15 +189,31 @@ optional_policy(`
+@@ -35,15 +193,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17380,7 +17375,7 @@ index 0fef1fc..faffbc3 100644
  ')
  
  optional_policy(`
-@@ -52,10 +222,55 @@ optional_policy(`
+@@ -52,11 +226,57 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17434,9 +17429,11 @@ index 0fef1fc..faffbc3 100644
 +
 +optional_policy(`
  	xserver_role(staff_r, staff_t)
++	xserver_read_log(staff_t)
  ')
  
-@@ -65,10 +280,6 @@ ifndef(`distro_redhat',`
+ ifndef(`distro_redhat',`
+@@ -65,10 +285,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17447,7 +17444,7 @@ index 0fef1fc..faffbc3 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -78,10 +289,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +294,6 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		dbus_role_template(staff, staff_r, staff_t)
@@ -17458,7 +17455,7 @@ index 0fef1fc..faffbc3 100644
  	')
  
  	optional_policy(`
-@@ -101,10 +308,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +313,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17469,7 +17466,7 @@ index 0fef1fc..faffbc3 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +328,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +333,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17480,7 +17477,7 @@ index 0fef1fc..faffbc3 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +340,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +345,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17491,7 +17488,7 @@ index 0fef1fc..faffbc3 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +371,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +376,22 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -25563,7 +25560,7 @@ index 3efd5b6..08c3e93 100644
 +	allow $1 login_pgm:process sigchld;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..c3d52f9 100644
+index 09b791d..88c3a2d 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -25760,15 +25757,18 @@ index 09b791d..c3d52f9 100644
  miscfiles_read_generic_certs(pam_console_t)
  
  seutil_read_file_contexts(pam_console_t)
-@@ -341,6 +362,7 @@ kernel_read_system_state(updpwd_t)
+@@ -341,6 +362,10 @@ kernel_read_system_state(updpwd_t)
  dev_read_urand(updpwd_t)
  
  files_manage_etc_files(updpwd_t)
 +auth_manage_passwd(updpwd_t)
++
++mls_file_read_all_levels(updpwd_t)
++mls_file_write_all_levels(updpwd_t)
  
  term_dontaudit_use_console(updpwd_t)
  term_dontaudit_use_unallocated_ttys(updpwd_t)
-@@ -350,9 +372,7 @@ auth_use_nsswitch(updpwd_t)
+@@ -350,9 +375,7 @@ auth_use_nsswitch(updpwd_t)
  
  logging_send_syslog_msg(updpwd_t)
  
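Review bot: `mls_file_write_all_levels(updpwd_t)` together with `mls_file_read_all_levels(updpwd_t)` exempts the password-update helper from MLS for every file at every level, which is broader than the stated need of writing `shadow_t` at a lower level; on an MLS system it is a full write-down exemption for a domain that also carries `files_manage_etc_files(updpwd_t)`. If updpwd_t's process range covers the level shadow_t sits at, `mls_file_write_within_range(updpwd_t)` would keep the exemption tied to that range and is worth trying first. Whichever form stays, put the reason in the policy, e.g. `# unix_update rewrites /etc/shadow (shadow_t at s0) from a higher-level session: MLS write-down required`. The updpwd_t rule block continues outside the hunk.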
@@ -25779,7 +25779,7 @@ index 09b791d..c3d52f9 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -380,13 +400,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -380,13 +403,15 @@ term_dontaudit_use_all_ttys(utempter_t)
  term_dontaudit_use_all_ptys(utempter_t)
  term_dontaudit_use_ptmx(utempter_t)
  
@@ -25796,7 +25796,7 @@ index 09b791d..c3d52f9 100644
  # Allow utemper to write to /tmp/.xses-*
  userdom_write_user_tmp_files(utempter_t)
  
-@@ -397,19 +419,29 @@ ifdef(`distro_ubuntu',`
+@@ -397,19 +422,29 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -25830,7 +25830,7 @@ index 09b791d..c3d52f9 100644
  files_list_var_lib(nsswitch_domain)
  
  # read /etc/nsswitch.conf
-@@ -417,15 +449,21 @@ files_read_etc_files(nsswitch_domain)
+@@ -417,15 +452,21 @@ files_read_etc_files(nsswitch_domain)
  
  sysnet_dns_name_resolve(nsswitch_domain)
  
@@ -25854,7 +25854,7 @@ index 09b791d..c3d52f9 100644
  		ldap_stream_connect(nsswitch_domain)
  	')
  ')
-@@ -438,6 +476,7 @@ optional_policy(`
+@@ -438,6 +479,7 @@ optional_policy(`
  	likewise_stream_connect_lsassd(nsswitch_domain)
  ')
  
@@ -25862,7 +25862,7 @@ index 09b791d..c3d52f9 100644
  optional_policy(`
  	kerberos_use(nsswitch_domain)
  ')
-@@ -456,6 +495,8 @@ optional_policy(`
+@@ -456,6 +498,8 @@ optional_policy(`
  
  optional_policy(`
  	sssd_stream_connect(nsswitch_domain)
@@ -25871,7 +25871,7 @@ index 09b791d..c3d52f9 100644
  ')
  
  optional_policy(`
-@@ -463,3 +504,133 @@ optional_policy(`
+@@ -463,3 +507,133 @@ optional_policy(`
  	samba_read_var_files(nsswitch_domain)
  	samba_dontaudit_write_var_files(nsswitch_domain)
  ')
@@ -27969,7 +27969,7 @@ index 79a45f6..edf52ea 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..885091e 100644
+index 17eda24..641bae3 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -28213,7 +28213,7 @@ index 17eda24..885091e 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +284,208 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +284,209 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -28427,10 +28427,11 @@ index 17eda24..885091e 100644
 -	nscd_use(init_t)
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
++	plymouthd_filetrans_named_content(init_t)
  ')
  
  optional_policy(`
-@@ -216,7 +493,30 @@ optional_policy(`
+@@ -216,7 +494,30 @@ optional_policy(`
  ')
  
  optional_policy(`
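Review bot: `plymouthd_filetrans_named_content(init_t)` is called from the plymouthd optional block, but the interface definition is not in this part of the patch; if plymouthd.if does not gain it in the same update the m4 expansion leaves the name unexpanded and the policy build fails rather than skipping it. Because the caller is PID 1, the named transitions that interface installs decide which label boot-time log files carry before any restorecon runs, so a comment on the call, `# boot-time log created by systemd gets plymouthd's log type, not var_log_t`, would help a reader who only sees init.te (the commit summary suggests boot.log is the file in question). The init_t plymouthd block continues outside the hunk.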
@@ -28461,7 +28462,7 @@ index 17eda24..885091e 100644
  ')
  
  ########################################
-@@ -225,9 +525,9 @@ optional_policy(`
+@@ -225,9 +526,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28473,7 +28474,7 @@ index 17eda24..885091e 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +559,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28490,7 +28491,7 @@ index 17eda24..885091e 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +584,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -28533,7 +28534,7 @@ index 17eda24..885091e 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +621,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -28545,7 +28546,7 @@ index 17eda24..885091e 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +632,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +633,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -28556,7 +28557,7 @@ index 17eda24..885091e 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +643,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +644,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -28566,7 +28567,7 @@ index 17eda24..885091e 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +652,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +653,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -28574,7 +28575,7 @@ index 17eda24..885091e 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +660,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28582,7 +28583,7 @@ index 17eda24..885091e 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +667,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +668,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -28600,7 +28601,7 @@ index 17eda24..885091e 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +685,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +686,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -28614,7 +28615,7 @@ index 17eda24..885091e 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +700,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +701,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -28628,7 +28629,7 @@ index 17eda24..885091e 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,6 +713,7 @@ mls_process_read_up(initrc_t)
+@@ -387,6 +714,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -28636,7 +28637,7 @@ index 17eda24..885091e 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -398,6 +725,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +726,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -28644,7 +28645,7 @@ index 17eda24..885091e 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +744,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +745,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -28668,7 +28669,7 @@ index 17eda24..885091e 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +777,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +778,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -28676,7 +28677,7 @@ index 17eda24..885091e 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +811,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +812,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -28687,7 +28688,7 @@ index 17eda24..885091e 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +835,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +836,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -28696,7 +28697,7 @@ index 17eda24..885091e 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +850,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +851,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -28704,7 +28705,7 @@ index 17eda24..885091e 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +871,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +872,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -28712,7 +28713,7 @@ index 17eda24..885091e 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +881,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +882,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -28757,7 +28758,7 @@ index 17eda24..885091e 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +926,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +927,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -28789,7 +28790,7 @@ index 17eda24..885091e 100644
  	')
  ')
  
-@@ -577,6 +961,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +962,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -28829,7 +28830,7 @@ index 17eda24..885091e 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1006,8 @@ optional_policy(`
+@@ -589,6 +1007,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -28838,7 +28839,7 @@ index 17eda24..885091e 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1029,7 @@ optional_policy(`
+@@ -610,6 +1030,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -28846,7 +28847,7 @@ index 17eda24..885091e 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1046,17 @@ optional_policy(`
+@@ -626,6 +1047,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28864,7 +28865,7 @@ index 17eda24..885091e 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1073,13 @@ optional_policy(`
+@@ -642,9 +1074,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -28878,7 +28879,7 @@ index 17eda24..885091e 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1092,11 @@ optional_policy(`
+@@ -657,15 +1093,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28896,7 +28897,7 @@ index 17eda24..885091e 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1117,15 @@ optional_policy(`
+@@ -686,6 +1118,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28912,7 +28913,7 @@ index 17eda24..885091e 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1166,7 @@ optional_policy(`
+@@ -726,6 +1167,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -28920,7 +28921,7 @@ index 17eda24..885091e 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1184,13 @@ optional_policy(`
+@@ -743,7 +1185,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28935,7 +28936,7 @@ index 17eda24..885091e 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1213,10 @@ optional_policy(`
+@@ -766,6 +1214,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28946,7 +28947,7 @@ index 17eda24..885091e 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1226,20 @@ optional_policy(`
+@@ -775,10 +1227,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28967,7 +28968,7 @@ index 17eda24..885091e 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1248,10 @@ optional_policy(`
+@@ -787,6 +1249,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28978,7 +28979,7 @@ index 17eda24..885091e 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1273,6 @@ optional_policy(`
+@@ -808,8 +1274,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -28987,7 +28988,7 @@ index 17eda24..885091e 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1281,10 @@ optional_policy(`
+@@ -818,6 +1282,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28998,7 +28999,7 @@ index 17eda24..885091e 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1294,12 @@ optional_policy(`
+@@ -827,10 +1295,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -29011,7 +29012,7 @@ index 17eda24..885091e 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,12 +1326,33 @@ optional_policy(`
+@@ -857,12 +1327,33 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29046,7 +29047,7 @@ index 17eda24..885091e 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -872,6 +1362,18 @@ optional_policy(`
+@@ -872,6 +1363,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29065,7 +29066,7 @@ index 17eda24..885091e 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1389,10 @@ optional_policy(`
+@@ -887,6 +1390,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29076,7 +29077,7 @@ index 17eda24..885091e 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1403,218 @@ optional_policy(`
+@@ -897,3 +1404,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -31010,7 +31011,7 @@ index b50c5fe..2faaaf2 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..9b82ed0 100644
+index 4e94884..bb6086e 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -31132,11 +31133,7 @@ index 4e94884..9b82ed0 100644
 +	gen_require(`
 +		type devlog_t;
 +	')
- 
--	# If syslog is down, the glibc syslog() function
--	# will write to the console.
--	term_write_console($1)
--	term_dontaudit_read_console($1)
++
 +	allow $1 devlog_t:sock_file manage_sock_file_perms;
 +	dev_filetrans($1, devlog_t, sock_file)
 +	init_pid_filetrans($1, devlog_t, sock_file, "syslog")
@@ -31156,7 +31153,11 @@ index 4e94884..9b82ed0 100644
 +	gen_require(`
 +		type devlog_t;
 +	')
-+
+ 
+-	# If syslog is down, the glibc syslog() function
+-	# will write to the console.
+-	term_write_console($1)
+-	term_dontaudit_read_console($1)
 +	allow $1 devlog_t:sock_file relabel_sock_file_perms;
 +')
 +
@@ -31198,7 +31199,33 @@ index 4e94884..9b82ed0 100644
  ')
  
  ########################################
-@@ -776,7 +901,25 @@ interface(`logging_append_all_logs',`
+@@ -722,6 +847,25 @@ interface(`logging_setattr_all_log_dirs',`
+ 	allow $1 logfile:dir setattr;
+ ')
+ 
++#######################################
++## <summary>
++##	Relabel on all log dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`logging_relabel_all_log_dirs',`
++	gen_require(`
++		attribute logfile;
++	')
++
++	relabel_dirs_pattern($1, logfile, logfile)
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to get the attributes
+@@ -776,7 +920,25 @@ interface(`logging_append_all_logs',`
  	')
  
  	files_search_var($1)
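Review bot: `relabel_dirs_pattern($1, logfile, logfile)` in the new `logging_relabel_all_log_dirs` grants relabelfrom and relabelto across every type carrying the `logfile` attribute, so a caller can retype any log directory into any other log type — including, if `auditd_log_t` carries `logfile` as it does in refpolicy, moving the audit log directory to a less protected type. The summary `Relabel on all log dirs.` undersells that; I would write `##	Relabel all log directories: relabelfrom/relabelto on every type with the logfile attribute.` and drop `<rolecap/>` unless a role is actually meant to receive this. If the consumers only need to restore default contexts, a narrower pair (relabelfrom on logfile, relabelto on the specific default types) limits what a bad file_contexts entry can do.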
@@ -31225,7 +31252,7 @@ index 4e94884..9b82ed0 100644
  ')
  
  ########################################
-@@ -859,7 +1002,7 @@ interface(`logging_manage_all_logs',`
+@@ -859,7 +1021,7 @@ interface(`logging_manage_all_logs',`
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
@@ -31234,7 +31261,7 @@ index 4e94884..9b82ed0 100644
  ')
  
  ########################################
-@@ -885,6 +1028,44 @@ interface(`logging_read_generic_logs',`
+@@ -885,6 +1047,44 @@ interface(`logging_read_generic_logs',`
  
  ########################################
  ## <summary>
@@ -31279,7 +31306,7 @@ index 4e94884..9b82ed0 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -905,6 +1086,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1105,24 @@ interface(`logging_write_generic_logs',`
  
  ########################################
  ## <summary>
@@ -31304,7 +31331,7 @@ index 4e94884..9b82ed0 100644
  ##	Dontaudit Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -984,11 +1183,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1202,16 @@ interface(`logging_admin_audit',`
  		type auditd_t, auditd_etc_t, auditd_log_t;
  		type auditd_var_run_t;
  		type auditd_initrc_exec_t;
@@ -31322,7 +31349,7 @@ index 4e94884..9b82ed0 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -1004,6 +1208,33 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1227,33 @@ interface(`logging_admin_audit',`
  	domain_system_change_exemption($1)
  	role_transition $2 auditd_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -31356,7 +31383,7 @@ index 4e94884..9b82ed0 100644
  ')
  
  ########################################
-@@ -1032,10 +1263,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1282,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
@@ -31374,7 +31401,7 @@ index 4e94884..9b82ed0 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1293,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1312,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -31383,7 +31410,7 @@ index 4e94884..9b82ed0 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1085,3 +1323,35 @@ interface(`logging_admin',`
+@@ -1085,3 +1342,35 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
@@ -31938,10 +31965,10 @@ index 6b91740..b250b3e 100644
 +/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
  /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..51e9872 100644
+index 58bc27f..f0de612 100644
 --- a/policy/modules/system/lvm.if
 +++ b/policy/modules/system/lvm.if
-@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',`
+@@ -123,3 +123,113 @@ interface(`lvm_domtrans_clvmd',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
  ')
@@ -32036,6 +32063,25 @@ index 58bc27f..51e9872 100644
 +
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
++
++########################################
++## <summary>
++##	Do not audit attempts to access check cert dirs/files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`lvm_dontaudit_access_check_lock',`
++	gen_require(`
++		type lvm_lock_t;
++	')
++
++    dontaudit $1 lvm_lock_t:dir audit_access;
++')
++
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
 index 79048c4..55d6ce4 100644
 --- a/policy/modules/system/lvm.te
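Review bot: The summary of `lvm_dontaudit_access_check_lock` says "access check cert dirs/files", copied from another interface, while the rule is on `lvm_lock_t:dir`, and the `dontaudit` line is indented with four spaces where the rest of lvm.if uses a tab. Change the summary to `##	Do not audit access(2) checks on the lvm lock directory.` and the rule to `	dontaudit $1 lvm_lock_t:dir audit_access;` with a tab. `audit_access` is the right permission here since it only silences the audit of access()/faccessat() probes and never grants the access itself, which is worth a short note in the doc block so nobody later widens it to a real dir permission.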
@@ -33371,7 +33417,7 @@ index 4584457..fb1c881 100644
 +')
 +
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 459a0ef..9a50d63 100644
+index 459a0ef..00b82b3 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -5,13 +5,6 @@ policy_module(mount, 1.16.1)
@@ -33441,12 +33487,17 @@ index 459a0ef..9a50d63 100644
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -56,9 +76,18 @@ create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
- create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
- rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+@@ -52,13 +72,20 @@ can_exec(mount_t, mount_exec_t)
+ 
+ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+ 
+-create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+-create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+-rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
++manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
  files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
 +dev_filetrans(mount_t, mount_var_run_t, dir)
-+
  
  kernel_read_system_state(mount_t)
 +kernel_read_network_state(mount_t)
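Review bot: The two new `manage_*_pattern` lines omit the space after each comma (`manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)`), unlike every other call in this file; write them as `manage_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)` and `manage_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)`. Replacing the create/rw patterns with manage also adds unlink, rename and setattr on mount_var_run_t, and the `dev_filetrans(mount_t, mount_var_run_t, dir)` already present means that type now also lives under /dev; that matches the stated intent, but a comment naming what under /var/run/mount and /dev mount_t actually removes would make the widening reviewable. The mount_t rule block continues outside the hunk.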
@@ -33460,7 +33511,7 @@ index 459a0ef..9a50d63 100644
  kernel_setsched(mount_t)
  kernel_dontaudit_getattr_core_if(mount_t)
  kernel_dontaudit_write_debugfs_dirs(mount_t)
-@@ -69,31 +98,47 @@ kernel_request_load_module(mount_t)
+@@ -69,31 +96,47 @@ kernel_request_load_module(mount_t)
  # required for mount.smbfs
  corecmd_exec_bin(mount_t)
  
@@ -33511,7 +33562,7 @@ index 459a0ef..9a50d63 100644
  files_read_isid_type_files(mount_t)
  # For reading cert files
  files_read_usr_files(mount_t)
-@@ -101,28 +146,39 @@ files_list_all_mountpoints(mount_t)
+@@ -101,28 +144,39 @@ files_list_all_mountpoints(mount_t)
  files_dontaudit_write_all_mountpoints(mount_t)
  files_dontaudit_setattr_all_mountpoints(mount_t)
  
@@ -33557,7 +33608,7 @@ index 459a0ef..9a50d63 100644
  term_dontaudit_manage_pty_dirs(mount_t)
  
  auth_use_nsswitch(mount_t)
-@@ -130,16 +186,21 @@ auth_use_nsswitch(mount_t)
+@@ -130,16 +184,21 @@ auth_use_nsswitch(mount_t)
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -33581,7 +33632,7 @@ index 459a0ef..9a50d63 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -155,26 +216,27 @@ ifdef(`distro_ubuntu',`
+@@ -155,26 +214,27 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -33621,7 +33672,7 @@ index 459a0ef..9a50d63 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -188,6 +250,9 @@ optional_policy(`
+@@ -188,6 +248,9 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -33631,7 +33682,7 @@ index 459a0ef..9a50d63 100644
  ')
  
  optional_policy(`
-@@ -195,6 +260,40 @@ optional_policy(`
+@@ -195,6 +258,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33672,7 +33723,7 @@ index 459a0ef..9a50d63 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -203,28 +302,136 @@ optional_policy(`
+@@ -203,28 +300,136 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37642,10 +37693,10 @@ index 0000000..35b4178
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..f758960
+index 0000000..a88f6e2
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,650 @@
+@@ -0,0 +1,651 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -37977,6 +38028,7 @@ index 0000000..f758960
 +logging_create_devlog_dev(systemd_tmpfiles_t)
 +logging_send_syslog_msg(systemd_tmpfiles_t)
 +logging_setattr_all_log_dirs(systemd_tmpfiles_t)
++logging_relabel_all_log_dirs(systemd_tmpfiles_t)
 +
 +miscfiles_filetrans_named_content(systemd_tmpfiles_t)
 +miscfiles_manage_man_pages(systemd_tmpfiles_t)
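Review bot: `logging_relabel_all_log_dirs(systemd_tmpfiles_t)` is added without a why-comment, and by its name it grants relabel on every log directory type, which is considerably broader than the setattr-only rule on the line above it. A short comment such as `# tmpfiles.d entries may relabel directories under /var/log — TODO confirm which entry triggers this` would record the trigger so the rule can be re-evaluated later.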
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index bd5b77e..5e7217b 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -509,7 +509,7 @@ index 058d908..9d57403 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..15c0d4e 100644
+index eb50f07..9ef43d3 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -701,7 +701,7 @@ index eb50f07..15c0d4e 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -176,29 +187,37 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +187,38 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -728,6 +728,7 @@ index eb50f07..15c0d4e 100644
  
 +logging_read_generic_logs(abrt_t)
 +logging_send_syslog_msg(abrt_t)
++logging_stream_connect_syslog(abrt_t)
 +
  auth_use_nsswitch(abrt_t)
  
@@ -742,7 +743,7 @@ index eb50f07..15c0d4e 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +225,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +226,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -759,7 +760,7 @@ index eb50f07..15c0d4e 100644
  ')
  
  optional_policy(`
-@@ -222,6 +237,20 @@ optional_policy(`
+@@ -222,6 +238,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -780,7 +781,7 @@ index eb50f07..15c0d4e 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -233,6 +262,7 @@ optional_policy(`
+@@ -233,6 +263,7 @@ optional_policy(`
  	corecmd_exec_all_executables(abrt_t)
  ')
  
@@ -788,7 +789,7 @@ index eb50f07..15c0d4e 100644
  optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -243,6 +273,7 @@ optional_policy(`
+@@ -243,6 +274,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -796,7 +797,7 @@ index eb50f07..15c0d4e 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -253,9 +284,17 @@ optional_policy(`
+@@ -253,9 +285,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -815,7 +816,7 @@ index eb50f07..15c0d4e 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +305,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +306,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -830,7 +831,7 @@ index eb50f07..15c0d4e 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +324,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +325,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -838,7 +839,7 @@ index eb50f07..15c0d4e 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +333,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +334,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -859,7 +860,7 @@ index eb50f07..15c0d4e 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +354,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +355,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -886,7 +887,7 @@ index eb50f07..15c0d4e 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +390,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +391,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -900,7 +901,7 @@ index eb50f07..15c0d4e 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +408,11 @@ optional_policy(`
+@@ -343,10 +409,11 @@ optional_policy(`
  
  #######################################
  #
@@ -914,7 +915,7 @@ index eb50f07..15c0d4e 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +431,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +432,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -966,7 +967,7 @@ index eb50f07..15c0d4e 100644
  
  #######################################
  #
-@@ -404,7 +480,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +481,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -975,7 +976,7 @@ index eb50f07..15c0d4e 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -413,16 +489,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +490,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1019,7 +1020,7 @@ index eb50f07..15c0d4e 100644
  ')
  
  #######################################
-@@ -430,10 +532,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +533,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -2956,10 +2957,10 @@ index 0000000..8ba9c95
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..ddfe9a9 100644
+index 7caefc3..95f0e5c 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,189 @@
+@@ -1,162 +1,193 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -2986,6 +2987,7 @@ index 7caefc3..ddfe9a9 100644
 +/etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/cherokee(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/glpi(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/horde(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
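Review bot: `/etc/glpi(/.*)?` is labelled `httpd_sys_rw_content_t`, so the web server domain can write to the whole of its own configuration tree. The neighbouring drupal and owncloud entries use the same label, so this is consistent with the file, but if GLPI only needs write access to part of that tree a narrower pattern would keep the rest of the configuration read-only to httpd; a comment naming which files GLPI writes under /etc/glpi would let a later reviewer make that call.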
@@ -3112,6 +3114,7 @@ index 7caefc3..ddfe9a9 100644
 +/usr/share/drupal.*			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/doc/ghc/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +
++/usr/share/glpi(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -3158,6 +3161,7 @@ index 7caefc3..ddfe9a9 100644
 +/var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/var/lib/cherokee(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/glpi(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/php(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/drupal.*			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -3198,6 +3202,7 @@ index 7caefc3..ddfe9a9 100644
 +
 +/var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/glpi(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
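Review bot: `/var/log/glpi(/.*)?` is inserted between the apache-ssl and cacti entries, breaking the alphabetical order the rest of this block keeps. Moving it after the `/var/log/cherokee` line keeps the list sorted and makes the entry easier to find.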
@@ -7123,7 +7128,7 @@ index 1a7a97e..1d29dce 100644
  	domain_system_change_exemption($1)
  	role_transition $2 apmd_initrc_exec_t system_r;
 diff --git a/apm.te b/apm.te
-index 7fd431b..7ac00c5 100644
+index 7fd431b..e05b2d4 100644
 --- a/apm.te
 +++ b/apm.te
 @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
@@ -7154,7 +7159,15 @@ index 7fd431b..7ac00c5 100644
  allow apmd_t self:process { signal_perms getsession };
  allow apmd_t self:fifo_file rw_fifo_file_perms;
  allow apmd_t self:netlink_socket create_socket_perms;
-@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
+@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
+ kernel_rw_all_sysctls(apmd_t)
+ kernel_read_system_state(apmd_t)
+ kernel_write_proc_files(apmd_t)
++kernel_request_load_module(apmd_t)
+ 
+ dev_read_input(apmd_t)
+ dev_read_mouse(apmd_t)
+@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
  fs_dontaudit_getattr_all_symlinks(apmd_t)
  fs_dontaudit_getattr_all_pipes(apmd_t)
  fs_dontaudit_getattr_all_sockets(apmd_t)
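Review bot: `kernel_request_load_module(apmd_t)` is added with no comment saying what apmd does that triggers a module request. A brief why-comment, for example `# apmd triggers kernel module autoloading — TODO note which action`, would document the reason; as written, a later cleanup has no way to tell whether the rule is still needed.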
@@ -7164,7 +7177,7 @@ index 7fd431b..7ac00c5 100644
  
  corecmd_exec_all_executables(apmd_t)
  
-@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
+@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
  auth_use_nsswitch(apmd_t)
  
  init_domtrans_script(apmd_t)
@@ -7173,7 +7186,7 @@ index 7fd431b..7ac00c5 100644
  
  libs_exec_ld_so(apmd_t)
  libs_exec_lib_files(apmd_t)
-@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t)
+@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
  logging_send_audit_msgs(apmd_t)
  logging_send_syslog_msg(apmd_t)
  
@@ -7193,7 +7206,7 @@ index 7fd431b..7ac00c5 100644
  
  optional_policy(`
  	automount_domtrans(apmd_t)
-@@ -206,11 +209,15 @@ optional_policy(`
+@@ -206,11 +210,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -9547,6 +9560,198 @@ index 18623e3..d9f3061 100644
  optional_policy(`
  	mta_send_mail(httpd_bugzilla_script_t)
  ')
+diff --git a/bumblebee.fc b/bumblebee.fc
+new file mode 100644
+index 0000000..17eea86
+--- /dev/null
++++ b/bumblebee.fc
+@@ -0,0 +1,7 @@
++/etc/systemd/system/bumblebeed.service		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++
++/usr/lib/systemd/system/bumblebeed.service		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++
++/usr/sbin/bumblebeed		--	gen_context(system_u:object_r:bumblebee_exec_t,s0)
++
++/var/run/bumblebee.*			gen_context(system_u:object_r:bumblebee_var_run_t,s0)
+diff --git a/bumblebee.if b/bumblebee.if
+new file mode 100644
+index 0000000..f61b9c3
+--- /dev/null
++++ b/bumblebee.if
+@@ -0,0 +1,122 @@
++
++## <summary>policy for bumblebee</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the bumblebee domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`bumblebee_domtrans',`
++	gen_require(`
++		type bumblebee_t, bumblebee_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
++')
++########################################
++## <summary>
++##	Read bumblebee PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bumblebee_read_pid_files',`
++	gen_require(`
++		type bumblebee_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute bumblebee server in the bumblebee domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`bumblebee_systemctl',`
++	gen_require(`
++		type bumblebee_t;
++		type bumblebee_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 bumblebee_unit_file_t:file read_file_perms;
++	allow $1 bumblebee_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, bumblebee_t)
++')
++
++########################################
++## <summary>
++##	Connect to bumblebee over a unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bumblebee_stream_connect',`
++	gen_require(`
++		type bumblebee_t, bumblebee_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an bumblebee environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`bumblebee_admin',`
++	gen_require(`
++		type bumblebee_t;
++		type bumblebee_var_run_t;
++		type bumblebee_unit_file_t;
++	')
++
++	allow $1 bumblebee_t:process { ptrace signal_perms };
++	ps_process_pattern($1, bumblebee_t)
++
++	files_search_pids($1)
++	admin_pattern($1, bumblebee_var_run_t)
++
++	bumblebee_systemctl($1)
++	admin_pattern($1, bumblebee_unit_file_t)
++	allow $1 bumblebee_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/bumblebee.te b/bumblebee.te
+new file mode 100644
+index 0000000..f39fc96
+--- /dev/null
++++ b/bumblebee.te
+@@ -0,0 +1,45 @@
++policy_module(bumblebee, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type bumblebee_t;
++type bumblebee_exec_t;
++init_daemon_domain(bumblebee_t, bumblebee_exec_t)
++
++permissive bumblebee_t;
++
++type bumblebee_var_run_t;
++files_pid_file(bumblebee_var_run_t)
++
++type bumblebee_unit_file_t;
++systemd_unit_file(bumblebee_unit_file_t)
++
++########################################
++#
++# bumblebee local policy
++#
++allow bumblebee_t self:capability { setgid };
++allow bumblebee_t self:process { fork signal_perms };
++allow bumblebee_t self:fifo_file rw_fifo_file_perms;
++allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
++
++kernel_read_system_state(bumblebee_t)
++
++dev_read_sysfs(bumblebee_t)
++
++domain_use_interactive_fds(bumblebee_t)
++
++files_read_etc_files(bumblebee_t)
++
++logging_send_syslog_msg(bumblebee_t)
++
++miscfiles_read_localization(bumblebee_t)
 diff --git a/cachefilesd.fc b/cachefilesd.fc
 index 648c790..aa03fc8 100644
 --- a/cachefilesd.fc
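Review bot: `permissive bumblebee_t;` ships the new domain in permissive mode with no comment, so denials are only logged and none of the rules below it are actually enforced; a comment such as `# TODO: drop once the bumblebee policy is complete` marks it as transitional rather than permanent. The summary of `bumblebee_domtrans` still reads `Execute TEMPLATE in the bumblebee domin.` (copied from the interface template; the same leftover appears in the `freqset_domtrans` summary in freqset.if) and should say `Execute bumblebee in the bumblebee domain.`, and `an bumblebee environment` in the admin summary should be `a bumblebee environment`. In `bumblebee_systemctl` the `systemd_read_fifo_file_passwd_run($1)` line is indented with spaces instead of a tab, and the same call is wrapped in `optional_policy` inside `bumblebee_admin` but not here. A blank line is also missing between the closing `')` of `bumblebee_domtrans` and the separator that follows it.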
@@ -10678,10 +10883,10 @@ index 0000000..5977d96
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..406f3a0
+index 0000000..12585f0
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,242 @@
+@@ -0,0 +1,246 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -10858,6 +11063,10 @@ index 0000000..406f3a0
 +')
 +
 +optional_policy(`
++	bumblebee_stream_connect(chrome_sandbox_t)
++')
++
++optional_policy(`
 +	cups_stream_connect(chrome_sandbox_t)
 +')
 +
@@ -13248,7 +13457,7 @@ index 881d92f..eb35613 100644
 +	')
  ')
 diff --git a/condor.te b/condor.te
-index ce9f040..ae5517a 100644
+index ce9f040..32ebb0c 100644
 --- a/condor.te
 +++ b/condor.te
 @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@@ -13291,7 +13500,11 @@ index ce9f040..ae5517a 100644
  
  rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
  
-@@ -89,13 +100,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
+@@ -86,16 +97,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
+ 
+ allow condor_domain condor_master_t:process signull;
+ allow condor_domain condor_master_t:tcp_socket getattr;
++allow condor_domain condor_master_t:udp_socket { read write };
  
  kernel_read_kernel_sysctls(condor_domain)
  kernel_read_network_state(condor_domain)
@@ -13305,7 +13518,7 @@ index ce9f040..ae5517a 100644
  corenet_tcp_sendrecv_generic_if(condor_domain)
  corenet_tcp_sendrecv_generic_node(condor_domain)
  
-@@ -109,9 +117,9 @@ dev_read_rand(condor_domain)
+@@ -109,9 +118,9 @@ dev_read_rand(condor_domain)
  dev_read_sysfs(condor_domain)
  dev_read_urand(condor_domain)
  
@@ -13317,7 +13530,7 @@ index ce9f040..ae5517a 100644
  
  sysnet_dns_name_resolve(condor_domain)
  
-@@ -130,7 +138,7 @@ optional_policy(`
+@@ -130,7 +139,7 @@ optional_policy(`
  # Master local policy
  #
  
@@ -13326,7 +13539,7 @@ index ce9f040..ae5517a 100644
  
  allow condor_master_t condor_domain:process { sigkill signal };
  
-@@ -138,6 +146,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -138,6 +147,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
  
@@ -13337,7 +13550,7 @@ index ce9f040..ae5517a 100644
  corenet_udp_sendrecv_generic_if(condor_master_t)
  corenet_udp_sendrecv_generic_node(condor_master_t)
  corenet_tcp_bind_generic_node(condor_master_t)
-@@ -157,6 +169,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -157,6 +170,8 @@ domain_read_all_domains_state(condor_master_t)
  
  auth_use_nsswitch(condor_master_t)
  
@@ -13346,7 +13559,7 @@ index ce9f040..ae5517a 100644
  optional_policy(`
  	mta_send_mail(condor_master_t)
  	mta_read_config(condor_master_t)
-@@ -174,6 +188,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -174,6 +189,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
  
  kernel_read_network_state(condor_collector_t)
  
@@ -13355,7 +13568,7 @@ index ce9f040..ae5517a 100644
  #####################################
  #
  # Negotiator local policy
-@@ -183,6 +199,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -183,6 +200,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
  allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
  allow condor_negotiator_t condor_master_t:udp_socket getattr;
  
@@ -13364,7 +13577,7 @@ index ce9f040..ae5517a 100644
  ######################################
  #
  # Procd local policy
-@@ -206,6 +224,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -206,6 +225,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
  
  allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
  
@@ -13373,7 +13586,7 @@ index ce9f040..ae5517a 100644
  domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
  domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
  
-@@ -214,6 +234,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -214,6 +235,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
  
@@ -13382,7 +13595,7 @@ index ce9f040..ae5517a 100644
  #####################################
  #
  # Startd local policy
-@@ -238,11 +260,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -238,11 +261,10 @@ domain_read_all_domains_state(condor_startd_t)
  mcs_process_set_categories(condor_startd_t)
  
  init_domtrans_script(condor_startd_t)
@@ -13395,7 +13608,7 @@ index ce9f040..ae5517a 100644
  optional_policy(`
  	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
  	ssh_domtrans(condor_startd_t)
-@@ -254,3 +275,7 @@ optional_policy(`
+@@ -254,3 +276,7 @@ optional_policy(`
  		kerberos_use(condor_startd_ssh_t)
  	')
  ')
@@ -14427,10 +14640,10 @@ index 6cedb87..530e250 100644
 +	xserver_dbus_chat_xdm(cpufreqselector_t)
 +')
 diff --git a/cron.fc b/cron.fc
-index ad0bae9..72c2cda 100644
+index ad0bae9..615a947 100644
 --- a/cron.fc
 +++ b/cron.fc
-@@ -1,66 +1,79 @@
+@@ -1,66 +1,77 @@
 -/etc/rc\.d/init\.d/(anacron|atd)	--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/atd		--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
  
@@ -14466,7 +14679,8 @@ index ad0bae9..72c2cda 100644
  
 -/var/log/cron.*	gen_context(system_u:object_r:cron_log_t,s0)
 -/var/log/rpmpkgs.*	--	gen_context(system_u:object_r:cron_log_t,s0)
-+/var/lib/glpi/files(/.*)?   gen_context(system_u:object_r:cron_var_lib_t,s0)
++/var/log/cron.*             gen_context(system_u:object_r:cron_log_t,s0)
++/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
  
 -/var/run/anacron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
 -/var/run/atd\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -14475,12 +14689,6 @@ index ad0bae9..72c2cda 100644
 -/var/run/fcron\.fifo	-s	gen_context(system_u:object_r:crond_var_run_t,s0)
 -/var/run/fcron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
 -/var/run/.*cron.*	--	gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/log/cron.*             gen_context(system_u:object_r:cron_log_t,s0)
-+/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
- 
--/var/spool/anacron(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
--/var/spool/at(/.*)?	gen_context(system_u:object_r:user_cron_spool_t,s0)
--/var/spool/at/atspool(/.*)?	gen_context(system_u:object_r:user_cron_spool_log_t,s0)
 +/var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 +/var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 +/var/run/crond?\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -14489,17 +14697,20 @@ index ad0bae9..72c2cda 100644
 +/var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 +/var/run/.*cron.*		--	gen_context(system_u:object_r:crond_var_run_t,s0)
  
--/var/spool/cron	-d	gen_context(system_u:object_r:cron_spool_t,s0)
--#/var/spool/cron/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
--/var/spool/cron/[^/]*	--	<<none>>
+-/var/spool/anacron(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/at(/.*)?	gen_context(system_u:object_r:user_cron_spool_t,s0)
+-/var/spool/at/atspool(/.*)?	gen_context(system_u:object_r:user_cron_spool_log_t,s0)
 +/var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
 +/var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
  
--/var/spool/cron/crontabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+-#/var/spool/cron/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+-/var/spool/cron/[^/]*	--	<<none>>
 +/var/spool/cron			-d	gen_context(system_u:object_r:user_cron_spool_t,s0)
 +#/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 +/var/spool/cron/[^/]*		--	<<none>>
-+
+ 
+-/var/spool/cron/crontabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
 +/var/spool/cron/crontabs 	-d	gen_context(system_u:object_r:cron_spool_t,s0)
  /var/spool/cron/crontabs/.*	--	<<none>>
  #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
@@ -16821,7 +17032,7 @@ index b25b01d..e99c5c6 100644
  ')
 +
 diff --git a/ctdb.te b/ctdb.te
-index 001b502..fa6a022 100644
+index 001b502..f3809a2 100644
 --- a/ctdb.te
 +++ b/ctdb.te
 @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -16873,13 +17084,15 @@ index 001b502..fa6a022 100644
  corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
  
  corecmd_exec_bin(ctdbd_t)
-@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t)
+@@ -85,12 +97,14 @@ dev_read_urand(ctdbd_t)
  
  domain_dontaudit_read_all_domains_state(ctdbd_t)
  
 -files_read_etc_files(ctdbd_t)
  files_search_all_mountpoints(ctdbd_t)
  
++fs_getattr_all_fs(ctdbd_t)
++
 +auth_read_passwd(ctdbd_t)
 +
  logging_send_syslog_msg(ctdbd_t)
@@ -16888,7 +17101,7 @@ index 001b502..fa6a022 100644
  miscfiles_read_public_files(ctdbd_t)
  
  optional_policy(`
-@@ -109,6 +121,7 @@ optional_policy(`
+@@ -109,6 +123,7 @@ optional_policy(`
  	samba_initrc_domtrans(ctdbd_t)
  	samba_domtrans_net(ctdbd_t)
  	samba_rw_var_files(ctdbd_t)
@@ -21608,7 +21821,7 @@ index 19aa0b8..e34a540 100644
 +	allow $1 dnsmasq_unit_file_t:service all_service_perms;
  ')
 diff --git a/dnsmasq.te b/dnsmasq.te
-index 37a3b7b..83a8692 100644
+index 37a3b7b..921056a 100644
 --- a/dnsmasq.te
 +++ b/dnsmasq.te
 @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -21621,7 +21834,15 @@ index 37a3b7b..83a8692 100644
  ########################################
  #
  # Local policy
-@@ -52,11 +55,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+@@ -38,6 +41,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
+ allow dnsmasq_t self:rawip_socket create_socket_perms;
+ 
+ read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
++list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+ 
+ manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
+ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -52,11 +56,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
  files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
  
  kernel_read_kernel_sysctls(dnsmasq_t)
@@ -21637,7 +21858,7 @@ index 37a3b7b..83a8692 100644
  corenet_all_recvfrom_netlabel(dnsmasq_t)
  corenet_tcp_sendrecv_generic_if(dnsmasq_t)
  corenet_udp_sendrecv_generic_if(dnsmasq_t)
-@@ -86,9 +92,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
+@@ -86,9 +93,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
  
  auth_use_nsswitch(dnsmasq_t)
  
@@ -21649,7 +21870,7 @@ index 37a3b7b..83a8692 100644
  
  userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -98,12 +104,21 @@ optional_policy(`
+@@ -98,12 +105,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21672,7 +21893,7 @@ index 37a3b7b..83a8692 100644
  ')
  
  optional_policy(`
-@@ -124,6 +139,14 @@ optional_policy(`
+@@ -124,6 +140,14 @@ optional_policy(`
  
  optional_policy(`
  	virt_manage_lib_files(dnsmasq_t)
@@ -21864,16 +22085,16 @@ index 0000000..484dd44
 \ No newline at end of file
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..097c75c
+index 0000000..d856375
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,202 @@
+@@ -0,0 +1,196 @@
 +
-+## <summary>policy for docker</summary>
++## <summary>The open-source application container engine.</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the docker domin.
++##	Execute docker in the docker domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
@@ -22020,19 +22241,12 @@ index 0000000..097c75c
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`docker_admin',`
 +	gen_require(`
 +		type docker_t;
-+		type docker_var_lib_t;
-+		type docker_var_run_t;
-+	type docker_unit_file_t;
++		type docker_var_lib_t, docker_var_run_t;
++	    type docker_unit_file_t;
 +	')
 +
 +	allow $1 docker_t:process { ptrace signal_perms };
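Review bot: In the `docker_admin` gen_require, `type docker_unit_file_t;` is indented with a tab plus four spaces while the line above uses two tabs; it should be `		type docker_unit_file_t;`, or folded into the previous line as `type docker_var_lib_t, docker_var_run_t, docker_unit_file_t;`. Dropping the `role` parameter and `<rolecap/>` from the documentation matches a body that, as far as it is visible here, uses only `$1`; the interface body continues past the end of this hunk.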
@@ -22047,6 +22261,7 @@ index 0000000..097c75c
 +	docker_systemctl($1)
 +	admin_pattern($1, docker_unit_file_t)
 +	allow $1 docker_unit_file_t:service all_service_perms;
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
@@ -22480,7 +22695,7 @@ index d5badb7..b093baa 100644
 +	admin_pattern($1, dovecot_passwd_t)
  ')
 diff --git a/dovecot.te b/dovecot.te
-index 0aabc7e..2290915 100644
+index 0aabc7e..ec5bd5d 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
@@ -22806,7 +23021,7 @@ index 0aabc7e..2290915 100644
  	mysql_stream_connect(dovecot_auth_t)
  	mysql_read_config(dovecot_auth_t)
  	mysql_tcp_connect(dovecot_auth_t)
-@@ -277,15 +290,30 @@ optional_policy(`
+@@ -277,53 +290,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22837,8 +23052,13 @@ index 0aabc7e..2290915 100644
 +
  allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
  
- append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -295,35 +323,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+-append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
++manage_dirs_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
++manage_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
++logging_log_filetrans(dovecot_deliver_t, dovecot_var_log_t, { file dir })
+ 
+ manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
  files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
  
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
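Review bot: `manage_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)` replaces an append-only `append_files_pattern` rule, so the delivery agent can now truncate, unlink and rename its log files as well as write to them, which weakens the tamper-evidence of the log. If the goal is only that the delivery agent creates the log file itself, keeping the `append_files_pattern` line and adding `create_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)` next to the new `logging_log_filetrans` line covers that without the delete permissions; if full manage is genuinely needed, a comment saying why would help. The dovecot_deliver_t block continues outside this hunk.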
@@ -22899,7 +23119,7 @@ index 0aabc7e..2290915 100644
  	mta_read_queue(dovecot_deliver_t)
  ')
  
-@@ -332,5 +368,6 @@ optional_policy(`
+@@ -332,5 +370,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24904,6 +25124,135 @@ index 92a6479..989f63a 100644
 +optional_policy(`
 +	xserver_read_state_xdm(fprintd_t)
  ')
+diff --git a/freqset.fc b/freqset.fc
+new file mode 100644
+index 0000000..3cd9c38
+--- /dev/null
++++ b/freqset.fc
+@@ -0,0 +1 @@
++/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset		--	gen_context(system_u:object_r:freqset_exec_t,s0)
+diff --git a/freqset.if b/freqset.if
+new file mode 100644
+index 0000000..190ccc0
+--- /dev/null
++++ b/freqset.if
+@@ -0,0 +1,76 @@
++
++## <summary>policy for freqset</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the freqset domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`freqset_domtrans',`
++	gen_require(`
++		type freqset_t, freqset_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, freqset_exec_t, freqset_t)
++')
++
++########################################
++## <summary>
++##	Execute freqset in the freqset domain, and
++##	allow the specified role the freqset domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the freqset domain.
++##	</summary>
++## </param>
++#
++interface(`freqset_run',`
++	gen_require(`
++		type freqset_t;
++		attribute_role freqset_roles;
++	')
++
++	freqset_domtrans($1)
++	roleattribute $2 freqset_roles;
++')
++
++########################################
++## <summary>
++##	Role access for freqset
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role
++##	</summary>
++## </param>
++#
++interface(`freqset_role',`
++	gen_require(`
++		type freqset_t;
++		attribute_role freqset_roles;
++	')
++
++	roleattribute $1 freqset_roles;
++
++	freqset_domtrans($2)
++
++	ps_process_pattern($2, freqset_t)
++	allow $2 freqset_t:process { signull signal sigkill };
++')
+diff --git a/freqset.te b/freqset.te
+new file mode 100644
+index 0000000..0d09fbd
+--- /dev/null
++++ b/freqset.te
+@@ -0,0 +1,34 @@
++policy_module(freqset, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute_role freqset_roles;
++roleattribute system_r freqset_roles;
++
++type freqset_t;
++type freqset_exec_t;
++application_domain(freqset_t, freqset_exec_t)
++
++role freqset_roles types freqset_t;
++
++########################################
++#
++# freqset local policy
++#
++allow freqset_t self:capability { setuid };
++
++allow freqset_t self:fifo_file manage_fifo_file_perms;
++allow freqset_t self:unix_stream_socket create_stream_socket_perms;
++
++dev_rw_sysfs(freqset_t)
++
++domain_use_interactive_fds(freqset_t)
++
++files_read_etc_files(freqset_t)
++
++miscfiles_read_localization(freqset_t)
++
++userdom_use_inherited_user_terminals(freqset_t)
 diff --git a/ftp.fc b/ftp.fc
 index ddb75c1..44f74e6 100644
 --- a/ftp.fc
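Review bot: The summary of `freqset_domtrans` in freqset.if still carries template placeholder text, `##	Execute TEMPLATE in the freqset domin.`; it should read `##	Execute freqset in the freqset domain.`. The same placeholder survives in `mip6d_domtrans` in the mip6d.if hunk later in this patch (`Execute TEMPLATE in the mip6d domin.`). In freqset.te, `allow freqset_t self:capability { setuid };` is the one privileged capability the module grants and sits directly under the `# freqset local policy` banner with no blank line or explanation; a short why-comment on that rule would save the next reader from guessing.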
@@ -25917,10 +26266,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..a3bdd8d
+index 0000000..8d5bc9d
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,189 @@
+@@ -0,0 +1,199 @@
 +policy_module(glusterfs, 1.1.2)
 +
 +## <desc>
@@ -25973,6 +26322,9 @@ index 0000000..a3bdd8d
 +type glusterd_var_lib_t;
 +files_type(glusterd_var_lib_t)
 +
++type gluster_brick_t;
++files_type(gluster_brick_t)
++
 +########################################
 +#
 +# Local policy
@@ -26013,6 +26365,13 @@ index 0000000..a3bdd8d
 +files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
 +relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 +
++manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++
 +can_exec(glusterd_t, glusterd_exec_t)
 +
 +kernel_read_system_state(glusterd_t)
@@ -26321,10 +26680,10 @@ index 4e95c7e..0000000
 -
 -miscfiles_read_localization(glusterd_t)
 diff --git a/gnome.fc b/gnome.fc
-index e39de43..5818f74 100644
+index e39de43..4c8113b 100644
 --- a/gnome.fc
 +++ b/gnome.fc
-@@ -1,15 +1,58 @@
+@@ -1,15 +1,59 @@
 -HOME_DIR/\.gconf(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gconfd(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gnome(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
@@ -26382,21 +26741,22 @@ index e39de43..5818f74 100644
 +/usr/share/config(/.*)? 	gen_context(system_u:object_r:config_usr_t,s0)
 +
  /usr/bin/gnome-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
- 
--/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
--/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
++/usr/bin/mate-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
++
 +# Don't use because toolchain is broken
 +#/usr/libexec/gconfd-2 --	gen_context(system_u:object_r:gconfd_exec_t,s0)
 +
 +/usr/libexec/gconf-defaults-mechanism	    	--      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
-+
+ 
+-/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
+-/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index ab09d61..d2cd4bf 100644
+index ab09d61..4b2e5f6 100644
 --- a/gnome.if
 +++ b/gnome.if
-@@ -1,52 +1,78 @@
+@@ -1,52 +1,77 @@
 -## <summary>GNU network object model environment.</summary>
 +## <summary>GNU network object model environment (GNOME)</summary>
  
@@ -26491,20 +26851,16 @@ index ab09d61..d2cd4bf 100644
  		attribute gnomedomain, gkeyringd_domain;
  		attribute_role gconfd_roles;
 -		type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
-+        type gnome_home_t;
-+		type gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t;
++		type gkeyringd_exec_t, gkeyring_gnome_home_t, gkeyring_tmp_t;
  		type gconfd_t, gconfd_exec_t, gconf_tmp_t;
  		type gconf_home_t;
 +        class dbus send_msg;
  	')
  
  	########################################
-@@ -76,12 +102,12 @@ template(`gnome_role_template',`
- 
- 	allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- 	allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
--	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
--	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
+@@ -79,9 +104,11 @@ template(`gnome_role_template',`
+ 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
+ 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
  
 -	allow $3 gconfd_t:process { ptrace signal_perms };
 +	allow $3 gconfd_t:process { signal_perms };
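Review bot: The gen_require now asks for `gkeyring_gnome_home_t` and `gkeyring_tmp_t`, and the next hunk's allow rules and `gnome_home_dir_filetrans` calls use those names, yet the gnome.te hunk further down declares `type gkeyringd_gnome_home_t, gnome_home_type;` (with the `d`). Unless a typealias bridges the two spellings somewhere outside this patch, the template will not resolve and every module that calls gnome_role_template fails to link; the declaration and the interface need to agree on one name. Dropping `type gnome_home_t;` from the gen_require also looks premature: `gnome_home_t` is still referenced in the next hunk's `allow $3 { gnome_home_t gkeyring_gnome_home_t gkeyring_tmp_t }:dir` rule and the `gnome_home_dir_filetrans($3, gnome_home_t, ...)` calls, so it should stay unless a line outside this hunk already requires it. The enclosing template starts and ends outside the hunk.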
@@ -26515,24 +26871,28 @@ index ab09d61..d2cd4bf 100644
  	########################################
  	#
  	# Gkeyringd policy
-@@ -89,37 +115,85 @@ template(`gnome_role_template',`
+@@ -89,37 +116,91 @@ template(`gnome_role_template',`
  
  	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
  
 -	allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
 -	allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
-+	allow $3 { gnome_home_t gkeyringd_gnome_home_t gkeyringd_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
-+	allow $3 { gnome_home_t gkeyringd_gnome_home_t }:file { relabel_file_perms manage_file_perms };
++	allow $3 { gnome_home_t gkeyring_gnome_home_t gkeyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
++	allow $3 { gnome_home_t gkeyring_gnome_home_t }:file { relabel_file_perms manage_file_perms };
  
 -	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
 -	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
 -	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
--	
--	gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
 +	userdom_home_manager($1_gkeyringd_t)
+ 	
+-	gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
++    gnome_home_dir_filetrans($3, gnome_home_t, ".gnome")
++    gnome_home_dir_filetrans($3, gnome_home_t, ".gnome2")
++    gnome_home_dir_filetrans($3, gnome_home_t, ".gnome2_private")
++	gnome_home_dir_filetrans($3, gkeyring_gnome_home_t, "keyrings")
  
 -	allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
-+	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
++	allow $3 gkeyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
  
  	ps_process_pattern($3, $1_gkeyringd_t)
 -	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
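Review bot: The three new `gnome_home_dir_filetrans($3, gnome_home_t, ...)` lines are indented with four spaces while the `gkeyring_gnome_home_t` line directly beneath them and the rest of the template use tabs; mixed indentation inside one block is the kind of thing that hides a misplaced rule during review. Re-indent them with a tab, e.g. `	gnome_home_dir_filetrans($3, gnome_home_t, ".gnome")`. The enclosing template continues outside this hunk.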
@@ -26566,6 +26926,7 @@ index ab09d61..d2cd4bf 100644
  	optional_policy(`
 -		dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
 +        dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
++		dbus_session_bus_client($1_gkeyringd_t)
 +		gnome_manage_generic_home_dirs($1_gkeyringd_t)
 +		gnome_read_generic_data_home_files($1_gkeyringd_t)
 +		gnome_read_generic_data_home_dirs($1_gkeyringd_t)
@@ -26614,7 +26975,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -127,18 +201,18 @@ template(`gnome_role_template',`
+@@ -127,18 +208,18 @@ template(`gnome_role_template',`
  ##	</summary>
  ## </param>
  #
@@ -26638,7 +26999,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -146,119 +220,114 @@ interface(`gnome_exec_gconf',`
+@@ -146,119 +227,114 @@ interface(`gnome_exec_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -26795,7 +27156,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -266,15 +335,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -266,15 +342,21 @@ interface(`gnome_create_generic_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -26822,7 +27183,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -282,57 +357,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -282,57 +364,89 @@ interface(`gnome_setattr_config_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -26930,7 +27291,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -340,15 +447,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -340,15 +454,18 @@ interface(`gnome_read_generic_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -26954,7 +27315,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -356,22 +466,18 @@ interface(`gnome_manage_config',`
+@@ -356,22 +473,18 @@ interface(`gnome_manage_config',`
  ##	</summary>
  ## </param>
  #
@@ -26982,7 +27343,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -379,53 +485,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -379,53 +492,37 @@ interface(`gnome_manage_generic_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -27044,7 +27405,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -433,17 +523,18 @@ interface(`gnome_home_filetrans',`
+@@ -433,17 +530,18 @@ interface(`gnome_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -27067,7 +27428,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -451,23 +542,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -451,23 +549,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -27095,7 +27456,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -475,82 +561,73 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -475,82 +568,73 @@ interface(`gnome_read_generic_gconf_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -27202,7 +27563,7 @@ index ab09d61..d2cd4bf 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -559,52 +636,77 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -559,52 +643,77 @@ interface(`gnome_home_filetrans_gconf_home',`
  ##	</summary>
  ## </param>
  #
@@ -27301,7 +27662,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -612,93 +714,86 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -612,93 +721,86 @@ interface(`gnome_gconf_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -27426,7 +27787,7 @@ index ab09d61..d2cd4bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -706,12 +801,912 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +808,912 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -28345,7 +28706,7 @@ index ab09d61..d2cd4bf 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 63893eb..3b275e6 100644
+index 63893eb..d6f68a8 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
@@ -28405,7 +28766,7 @@ index 63893eb..3b275e6 100644
  
 -type gnome_keyring_home_t;
 -userdom_user_home_content(gnome_keyring_home_t)
-+type gkeyringd_gnome_home_t;
++type gkeyringd_gnome_home_t, gnome_home_type;
 +userdom_user_home_content(gkeyringd_gnome_home_t)
  
 -type gnome_keyring_tmp_t;
@@ -29181,7 +29542,7 @@ index 180f1b7..3c8757e 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 0e97e82..edabe2e 100644
+index 0e97e82..0a158ad 100644
 --- a/gpg.te
 +++ b/gpg.te
 @@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
@@ -29431,7 +29792,7 @@ index 0e97e82..edabe2e 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -207,29 +234,35 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -207,29 +234,36 @@ tunable_policy(`use_samba_home_dirs',`
  
  ########################################
  #
@@ -29439,11 +29800,12 @@ index 0e97e82..edabe2e 100644
 +# GPG agent local policy
  #
 +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
- 
++
 +# rlimit: gpg-agent wants to prevent coredumps
- allow gpg_agent_t self:process setrlimit;
++allow gpg_agent_t self:process { setrlimit signal_perms };
+ 
+-allow gpg_agent_t self:process setrlimit;
 -allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+
 +allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
  allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
  
@@ -29467,17 +29829,19 @@ index 0e97e82..edabe2e 100644
  
 -kernel_dontaudit_search_sysctl(gpg_agent_t)
 +kernel_read_system_state(gpg_agent_t)
++kernel_read_core_if(gpg_agent_t)
  
 +corecmd_read_bin_symlinks(gpg_agent_t)
-+corecmd_search_bin(gpg_agent_t)
++corecmd_exec_bin(gpg_agent_t)
  corecmd_exec_shell(gpg_agent_t)
  
  dev_read_rand(gpg_agent_t)
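Review bot: `corecmd_exec_bin(gpg_agent_t)` replaces `corecmd_search_bin(gpg_agent_t)` and lets gpg-agent execute every bin_t binary, which is considerably broader than the ssh-add use the commit message gives as the reason. If no narrower interface covers that binary the rule may be the only option, but the intent should be recorded so a later audit does not widen it further, e.g. `# gpg-agent needs to run ssh-add` above the rule. `kernel_read_core_if(gpg_agent_t)` is added in the same hunk without a reason either; a comment naming what triggered it would help.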
-@@ -239,37 +272,40 @@ domain_use_interactive_fds(gpg_agent_t)
+@@ -239,37 +273,41 @@ domain_use_interactive_fds(gpg_agent_t)
  
  fs_dontaudit_list_inotifyfs(gpg_agent_t)
  
 -miscfiles_read_localization(gpg_agent_t)
++miscfiles_read_certs(gpg_agent_t)
  
 -userdom_use_user_terminals(gpg_agent_t)
 +# Write to the user domain tty.
@@ -29526,7 +29890,7 @@ index 0e97e82..edabe2e 100644
  ##############################
  #
  # Pinentry local policy
-@@ -277,8 +313,17 @@ optional_policy(`
+@@ -277,8 +315,17 @@ optional_policy(`
  
  allow gpg_pinentry_t self:process { getcap getsched setsched signal };
  allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
@@ -29545,7 +29909,7 @@ index 0e97e82..edabe2e 100644
  
  manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
  userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +332,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +334,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
  manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
  fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
  
@@ -35241,7 +35605,7 @@ index b7e5679..c93db33 100644
 +/var/run/slapd\.args    --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd\.pid     --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/ldap.if b/ldap.if
-index 3602712..517bfbf 100644
+index 3602712..585c416 100644
 --- a/ldap.if
 +++ b/ldap.if
 @@ -1,8 +1,68 @@
@@ -35349,7 +35713,7 @@ index 3602712..517bfbf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -41,22 +119,27 @@ interface(`ldap_read_config',`
+@@ -41,22 +119,28 @@ interface(`ldap_read_config',`
  
  ########################################
  ## <summary>
@@ -35371,6 +35735,7 @@ index 3602712..517bfbf 100644
 +	')
 +
 +	files_search_etc($1)
++    allow $1 slapd_cert_t:dir list_dir_perms;
 +    read_files_pattern($1, slapd_cert_t, slapd_cert_t)
  ')
  
@@ -35382,7 +35747,7 @@ index 3602712..517bfbf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -64,18 +147,13 @@ interface(`ldap_use',`
+@@ -64,18 +148,13 @@ interface(`ldap_use',`
  ##	</summary>
  ## </param>
  #
@@ -35404,7 +35769,7 @@ index 3602712..517bfbf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',`
+@@ -83,21 +162,19 @@ interface(`ldap_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -35432,7 +35797,7 @@ index 3602712..517bfbf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',`
+@@ -106,7 +183,7 @@ interface(`ldap_tcp_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -35441,7 +35806,7 @@ index 3602712..517bfbf 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -117,11 +193,16 @@ interface(`ldap_admin',`
+@@ -117,11 +194,16 @@ interface(`ldap_admin',`
  		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
  		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
  		type slapd_db_t, slapd_keytab_t;
@@ -35459,7 +35824,7 @@ index 3602712..517bfbf 100644
  	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 slapd_initrc_exec_t system_r;
-@@ -130,13 +211,9 @@ interface(`ldap_admin',`
+@@ -130,13 +212,9 @@ interface(`ldap_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
  
@@ -35474,7 +35839,7 @@ index 3602712..517bfbf 100644
  	admin_pattern($1, slapd_replog_t)
  
  	files_list_tmp($1)
-@@ -144,4 +221,8 @@ interface(`ldap_admin',`
+@@ -144,4 +222,8 @@ interface(`ldap_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, slapd_var_run_t)
@@ -37999,7 +38364,7 @@ index f89651e..ea89ab1 100644
  ## <summary>
  ##	All of the rules required to
 diff --git a/mcelog.te b/mcelog.te
-index 59b3b3d..064c4fd 100644
+index 59b3b3d..494c4f3 100644
 --- a/mcelog.te
 +++ b/mcelog.te
 @@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
@@ -38016,7 +38381,7 @@ index 59b3b3d..064c4fd 100644
  type mcelog_t;
  type mcelog_exec_t;
  init_daemon_domain(mcelog_t, mcelog_exec_t)
-@@ -84,17 +77,20 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
+@@ -84,17 +77,21 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
  
  kernel_read_system_state(mcelog_t)
  
@@ -38026,9 +38391,10 @@ index 59b3b3d..064c4fd 100644
  dev_read_raw_memory(mcelog_t)
  dev_read_kmsg(mcelog_t)
  dev_rw_sysfs(mcelog_t)
- 
--files_read_etc_files(mcelog_t)
 -
+-files_read_etc_files(mcelog_t)
++dev_rw_cpu_microcode(mcelog_t)
+ 
  mls_file_read_all_levels(mcelog_t)
  
 +auth_use_nsswitch(mcelog_t)
@@ -38040,7 +38406,7 @@ index 59b3b3d..064c4fd 100644
  
  tunable_policy(`mcelog_client',`
  	allow mcelog_t self:unix_stream_socket connectto;
-@@ -114,9 +110,6 @@ tunable_policy(`mcelog_server',`
+@@ -114,9 +111,6 @@ tunable_policy(`mcelog_server',`
  	allow mcelog_t self:unix_stream_socket { listen accept };
  ')
  
@@ -38821,6 +39187,139 @@ index b330161..5450937 100644
  	ps_process_pattern($1, minissdpd_t)
  
  	init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
+diff --git a/mip6d.fc b/mip6d.fc
+new file mode 100644
+index 0000000..767bbad
+--- /dev/null
++++ b/mip6d.fc
+@@ -0,0 +1,3 @@
++/usr/lib/systemd/system/mip6d.*     --  gen_context(system_u:object_r:mip6d_unit_file_t,s0)
++
++/usr/sbin/mip6d		--	gen_context(system_u:object_r:mip6d_exec_t,s0)
+diff --git a/mip6d.if b/mip6d.if
+new file mode 100644
+index 0000000..9e2bf1b
+--- /dev/null
++++ b/mip6d.if
+@@ -0,0 +1,80 @@
++
++## <summary>Mobile IPv6 and NEMO Basic Support implementation</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the mip6d domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mip6d_domtrans',`
++	gen_require(`
++		type mip6d_t, mip6d_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, mip6d_exec_t, mip6d_t)
++')
++########################################
++## <summary>
++##	Execute mip6d server in the mip6d domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`mip6d_systemctl',`
++	gen_require(`
++		type mip6d_t;
++		type mip6d_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 mip6d_unit_file_t:file read_file_perms;
++	allow $1 mip6d_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, mip6d_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an mip6d environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`mip6d_admin',`
++	gen_require(`
++		type mip6d_t;
++	type mip6d_unit_file_t;
++	')
++
++	allow $1 mip6d_t:process { ptrace signal_perms };
++	ps_process_pattern($1, mip6d_t)
++
++	mip6d_systemctl($1)
++	admin_pattern($1, mip6d_unit_file_t)
++	allow $1 mip6d_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/mip6d.te b/mip6d.te
+new file mode 100644
+index 0000000..86d2351
+--- /dev/null
++++ b/mip6d.te
+@@ -0,0 +1,32 @@
++policy_module(mip6d, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mip6d_t;
++type mip6d_exec_t;
++init_daemon_domain(mip6d_t, mip6d_exec_t)
++
++type mip6d_unit_file_t;
++systemd_unit_file(mip6d_unit_file_t)
++
++########################################
++#
++# mip6d local policy
++#
++#allow mip6d_t self:capability { net_admin net_raw };
++allow mip6d_t self:process { fork signal };
++allow mip6d_t self:netlink_route_socket create_netlink_socket_perms;
++allow mip6d_t self:netlink_xfrm_socket create_netlink_socket_perms;
++allow mip6d_t self:rawip_socket create_socket_perms;
++allow mip6d_t self:udp_socket create_socket_perms;
++allow mip6d_t self:fifo_file rw_fifo_file_perms;
++allow mip6d_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_rw_net_sysctls(mip6d_t)
++kernel_read_network_state(mip6d_t)
++
++logging_send_syslog_msg(mip6d_t)
++
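Review bot: mip6d.te allows `self:rawip_socket create_socket_perms` and netlink route/xfrm sockets while the capability rule that normally accompanies them is left as a comment, `#allow mip6d_t self:capability { net_admin net_raw };`. Opening a raw IP socket needs CAP_NET_RAW, so this domain will most likely hit a capability denial at first use; either grant the capabilities the daemon is observed to need or delete the commented-out line rather than shipping dead policy. In mip6d.if, `mip6d_systemctl` is documented as `Execute mip6d server in the mip6d domain.` but it grants systemctl control of the unit, not a domain transition; `##	Execute systemctl to manage the mip6d service.` describes what it does. The indentation of `systemd_read_fifo_file_passwd_run($1)` and of the second `type mip6d_unit_file_t;` line in `mip6d_admin` should be tabs like their neighbours.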
 diff --git a/mock.fc b/mock.fc
 new file mode 100644
 index 0000000..8d0e473
@@ -40840,7 +41339,7 @@ index 6194b80..ada96f0 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..7655da0 100644
+index 11ac8e4..0e84537 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@@ -41108,12 +41607,12 @@ index 11ac8e4..7655da0 100644
 -
 -userdom_manage_user_tmp_dirs(mozilla_t)
 -userdom_manage_user_tmp_files(mozilla_t)
--
++userdom_use_inherited_user_ptys(mozilla_t)
+ 
 -userdom_manage_user_home_content_dirs(mozilla_t)
 -userdom_manage_user_home_content_files(mozilla_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-+userdom_use_inherited_user_ptys(mozilla_t)
- 
+-
 -userdom_write_user_tmp_sockets(mozilla_t)
 -
 -mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -41243,34 +41742,34 @@ index 11ac8e4..7655da0 100644
 -	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 +	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
-+')
-+
-+optional_policy(`
-+	java_domtrans(mozilla_t)
  ')
  
  optional_policy(`
 -	java_exec(mozilla_t)
 -	java_manage_generic_home_content(mozilla_t)
 -	java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+	lpd_domtrans_lpr(mozilla_t)
++	java_domtrans(mozilla_t)
  ')
  
  optional_policy(`
 -	lpd_run_lpr(mozilla_t, mozilla_roles)
-+	mplayer_domtrans(mozilla_t)
-+	mplayer_read_user_home_files(mozilla_t)
++	lpd_domtrans_lpr(mozilla_t)
  ')
  
  optional_policy(`
 -	mplayer_exec(mozilla_t)
 -	mplayer_manage_generic_home_content(mozilla_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+	nscd_socket_use(mozilla_t)
++	mplayer_domtrans(mozilla_t)
++	mplayer_read_user_home_files(mozilla_t)
  ')
  
  optional_policy(`
 -	pulseaudio_run(mozilla_t, mozilla_roles)
++	nscd_socket_use(mozilla_t)
++')
++
++optional_policy(`
 +	#pulseaudio_role(mozilla_roles, mozilla_t)
 +	pulseaudio_exec(mozilla_t)
 +	pulseaudio_stream_connect(mozilla_t)
@@ -41278,7 +41777,7 @@ index 11ac8e4..7655da0 100644
  ')
  
  optional_policy(`
-@@ -300,259 +324,236 @@ optional_policy(`
+@@ -300,259 +324,240 @@ optional_policy(`
  
  ########################################
  #
@@ -41361,12 +41860,12 @@ index 11ac8e4..7655da0 100644
  allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
--
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
 +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
  
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-
 -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
 +can_exec(mozilla_plugin_t, mozilla_exec_t)
  
@@ -41538,12 +42037,12 @@ index 11ac8e4..7655da0 100644
  
 -userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 -userdom_manage_user_tmp_files(mozilla_plugin_t)
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+ 
 -userdom_manage_user_home_content_dirs(mozilla_plugin_t)
 -userdom_manage_user_home_content_files(mozilla_plugin_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
- 
+-
 -userdom_write_user_tmp_sockets(mozilla_plugin_t)
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
@@ -41567,28 +42066,31 @@ index 11ac8e4..7655da0 100644
 -ifndef(`enable_mls',`
 -	fs_list_dos(mozilla_plugin_t)
 -	fs_read_dos_files(mozilla_plugin_t)
--
--	fs_search_removable(mozilla_plugin_t)
--	fs_read_removable_files(mozilla_plugin_t)
--	fs_read_removable_symlinks(mozilla_plugin_t)
 +userdom_read_user_home_content_files(mozilla_plugin_t)
 +userdom_read_user_home_content_symlinks(mozilla_plugin_t)
 +userdom_read_home_certs(mozilla_plugin_t)
 +userdom_read_home_audio_files(mozilla_plugin_t)
 +userdom_exec_user_tmp_files(mozilla_plugin_t)
  
+-	fs_search_removable(mozilla_plugin_t)
+-	fs_read_removable_files(mozilla_plugin_t)
+-	fs_read_removable_symlinks(mozilla_plugin_t)
++userdom_home_manager(mozilla_plugin_t)
+ 
 -	fs_read_iso9660_files(mozilla_plugin_t)
--')
--
++tunable_policy(`mozilla_plugin_can_network_connect',`
++	corenet_tcp_connect_all_ports(mozilla_plugin_t)
+ ')
+ 
 -tunable_policy(`allow_execmem',`
 -	allow mozilla_plugin_t self:process execmem;
 -')
-+userdom_home_manager(mozilla_plugin_t)
- 
+-
 -tunable_policy(`mozilla_execstack',`
 -	allow mozilla_plugin_t self:process { execmem execstack };
-+tunable_policy(`mozilla_plugin_can_network_connect',`
-+	corenet_tcp_connect_all_ports(mozilla_plugin_t)
++optional_policy(`
++	alsa_read_rw_config(mozilla_plugin_t)
++	alsa_read_home_files(mozilla_plugin_t)
  ')
  
 -tunable_policy(`use_nfs_home_dirs',`
@@ -41596,8 +42098,7 @@ index 11ac8e4..7655da0 100644
 -	fs_manage_nfs_files(mozilla_plugin_t)
 -	fs_manage_nfs_symlinks(mozilla_plugin_t)
 +optional_policy(`
-+	alsa_read_rw_config(mozilla_plugin_t)
-+	alsa_read_home_files(mozilla_plugin_t)
++	apache_list_modules(mozilla_plugin_t)
  ')
  
 -tunable_policy(`use_samba_home_dirs',`
@@ -41605,7 +42106,7 @@ index 11ac8e4..7655da0 100644
 -	fs_manage_cifs_files(mozilla_plugin_t)
 -	fs_manage_cifs_symlinks(mozilla_plugin_t)
 +optional_policy(`
-+	apache_list_modules(mozilla_plugin_t)
++	bumblebee_stream_connect(mozilla_plugin_t)
  ')
  
  optional_policy(`
@@ -41666,7 +42167,7 @@ index 11ac8e4..7655da0 100644
  ')
  
  optional_policy(`
-@@ -560,7 +561,7 @@ optional_policy(`
+@@ -560,7 +565,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41675,7 +42176,7 @@ index 11ac8e4..7655da0 100644
  ')
  
  optional_policy(`
-@@ -568,108 +569,130 @@ optional_policy(`
+@@ -568,108 +573,130 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43380,7 +43881,7 @@ index ed81cac..e3840c1 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index ff1d68c..e61560a 100644
+index ff1d68c..4bf6d3b 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -43453,18 +43954,19 @@ index ff1d68c..e61560a 100644
  	courier_manage_spool_dirs(user_mail_domain)
  	courier_manage_spool_files(user_mail_domain)
  	courier_rw_spool_pipes(user_mail_domain)
-@@ -150,6 +147,10 @@ optional_policy(`
+@@ -150,6 +147,11 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	openshift_rw_inherited_content(mta_user_agent)
++	openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent)
 +')
 +
 +optional_policy(`
  	procmail_exec(user_mail_domain)
  ')
  
-@@ -171,52 +172,69 @@ optional_policy(`
+@@ -171,52 +173,69 @@ optional_policy(`
  # System local policy
  #
  
@@ -43552,7 +44054,7 @@ index ff1d68c..e61560a 100644
  ')
  
  optional_policy(`
-@@ -225,17 +243,21 @@ optional_policy(`
+@@ -225,17 +244,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43576,7 +44078,7 @@ index ff1d68c..e61560a 100644
  	courier_stream_connect_authdaemon(system_mail_t)
  ')
  
-@@ -246,6 +268,7 @@ optional_policy(`
+@@ -246,6 +269,7 @@ optional_policy(`
  optional_policy(`
  	fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
  	fail2ban_append_log(system_mail_t)
@@ -43584,7 +44086,7 @@ index ff1d68c..e61560a 100644
  	fail2ban_rw_inherited_tmp_files(system_mail_t)
  ')
  
-@@ -258,10 +281,15 @@ optional_policy(`
+@@ -258,10 +282,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43600,7 +44102,7 @@ index ff1d68c..e61560a 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -272,6 +300,15 @@ optional_policy(`
+@@ -272,6 +301,15 @@ optional_policy(`
  	manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
  	manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@@ -43616,7 +44118,7 @@ index ff1d68c..e61560a 100644
  ')
  
  optional_policy(`
-@@ -287,42 +324,36 @@ optional_policy(`
+@@ -287,42 +325,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43669,7 +44171,7 @@ index ff1d68c..e61560a 100644
  
  allow mailserver_delivery mail_spool_t:dir list_dir_perms;
  create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -331,40 +362,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -331,40 +363,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -43718,7 +44220,7 @@ index ff1d68c..e61560a 100644
  	files_search_var_lib(mailserver_delivery)
  
  	mailman_domtrans(mailserver_delivery)
-@@ -372,6 +389,13 @@ optional_policy(`
+@@ -372,6 +390,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43732,7 +44234,7 @@ index ff1d68c..e61560a 100644
  	postfix_rw_inherited_master_pipes(mailserver_delivery)
  ')
  
-@@ -381,24 +405,49 @@ optional_policy(`
+@@ -381,24 +406,49 @@ optional_policy(`
  
  ########################################
  #
@@ -44917,7 +45419,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe..3d9035c 100644
+index 7584bbe..2d683f1 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
@@ -45114,7 +45616,7 @@ index 7584bbe..3d9035c 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +186,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +186,28 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
  corecmd_exec_bin(mysqld_safe_t)
  corecmd_exec_shell(mysqld_safe_t)
  
@@ -45127,6 +45629,7 @@ index 7584bbe..3d9035c 100644
 -files_read_usr_files(mysqld_safe_t)
 -files_search_pids(mysqld_safe_t)
 -files_dontaudit_getattr_all_dirs(mysqld_safe_t)
++files_dontaudit_access_check_root(mysqld_safe_t)
  files_dontaudit_search_all_mountpoints(mysqld_safe_t)
 +files_dontaudit_getattr_all_dirs(mysqld_safe_t)
 +files_dontaudit_write_root_dirs(mysqld_safe_t)
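Review bot: `files_dontaudit_access_check_root(mysqld_safe_t)` calls an interface whose definition is not part of this patch (files.if lives in the base policy), so this module only builds against a base that already ships it; a one-line why-comment such as `# silence access(2) probes on / by mysqld_safe` would tell the next maintainer which denial it hides. The new line is also placed between the removed lines rather than with the other dontaudit additions (`files_dontaudit_getattr_all_dirs`, `files_dontaudit_write_root_dirs`) two lines below; grouping it there keeps the block readable. The mysqld_safe_t section continues outside the hunk.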
@@ -45148,7 +45651,7 @@ index 7584bbe..3d9035c 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -209,7 +214,7 @@ optional_policy(`
+@@ -209,7 +215,7 @@ optional_policy(`
  
  ########################################
  #
@@ -45157,7 +45660,7 @@ index 7584bbe..3d9035c 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +223,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +224,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -45175,7 +45678,7 @@ index 7584bbe..3d9035c 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -230,31 +236,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +237,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -51714,10 +52217,10 @@ index 0000000..a437f80
 +files_read_config_files(openshift_domain)
 diff --git a/openshift.fc b/openshift.fc
 new file mode 100644
-index 0000000..f2d6119
+index 0000000..0dc672f
 --- /dev/null
 +++ b/openshift.fc
-@@ -0,0 +1,26 @@
+@@ -0,0 +1,27 @@
 +/etc/rc\.d/init\.d/libra        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mcollective        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +
@@ -51734,6 +52237,7 @@ index 0000000..f2d6119
 +/var/lib/openshift/.*/\.sandbox(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
 +
 +/var/log/mcollective\.log        --    gen_context(system_u:object_r:openshift_log_t,s0)
++/var/log/openshift(/.*)?	 gen_context(system_u:object_r:openshift_log_t,s0)
 +
 +/usr/s?bin/(oo|rhc)-cgroup-read        --    gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
 +
@@ -51746,10 +52250,10 @@ index 0000000..f2d6119
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..e03de01
+index 0000000..cf03270
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,700 @@
+@@ -0,0 +1,702 @@
 +
 +## <summary> policy for openshift </summary>
 +
@@ -52371,9 +52875,11 @@ index 0000000..e03de01
 +interface(`openshift_dontaudit_rw_inherited_fifo_files',`
 +	gen_require(`
 +		type openshift_initrc_t;
++		type openshift_t;
 +	')
 +
 +	dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++	dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
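Review bot: The interface now silences inherited-fifo rw for both openshift_initrc_t and openshift_t, but its `<summary>` block sits above the hunk and, if it still names only openshift_initrc_t, should be updated to say that pipes inherited from openshift_t are covered as well. As a point of style the two requires can be collapsed to `type openshift_initrc_t, openshift_t;`, the form the other interfaces in this patch use (e.g. `type opensm_t, opensm_exec_t;`).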
@@ -52452,10 +52958,10 @@ index 0000000..e03de01
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..cd25e8e
+index 0000000..0a6f091
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,555 @@
+@@ -0,0 +1,556 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -52946,6 +53452,7 @@ index 0000000..cd25e8e
 +allow openshift_cron_t self:unix_dgram_socket create_socket_perms;
 +allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms;
 +
++append_files_pattern(openshift_cron_t, openshift_log_t, openshift_log_t)
 +manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
 +manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
 +manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
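Review bot: `append_files_pattern(openshift_cron_t, openshift_log_t, openshift_log_t)` gives search on the openshift_log_t directory and append on the files, but reaching `/var/log/openshift` also requires search on the generic /var/log directory; unless openshift_cron_t already gets that earlier in the file (the cron block starts outside this hunk), add `logging_search_logs(openshift_cron_t)` beside it. A short why-comment naming the cron job that writes there would make the grant reviewable later.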
@@ -53011,6 +53518,295 @@ index 0000000..cd25e8e
 +	ssh_dontaudit_read_server_keys(openshift_cron_t)
 +')
 +
+diff --git a/opensm.fc b/opensm.fc
+new file mode 100644
+index 0000000..51650fa
+--- /dev/null
++++ b/opensm.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/opensm.*    	--	gen_context(system_u:object_r:opensm_unit_file_t,s0)
++
++/usr/libexec/opensm-launch	--	gen_context(system_u:object_r:opensm_exec_t,s0)
++
++/var/cache/opensm(/.*)?		gen_context(system_u:object_r:opensm_cache_t,s0)
++
++/var/log/opensm\.log.*  	--	gen_context(system_u:object_r:opensm_log_t,s0)
+diff --git a/opensm.if b/opensm.if
+new file mode 100644
+index 0000000..a62f050
+--- /dev/null
++++ b/opensm.if
+@@ -0,0 +1,220 @@
++
++## <summary>Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the opensm domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`opensm_domtrans',`
++	gen_require(`
++		type opensm_t, opensm_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, opensm_exec_t, opensm_t)
++')
++
++########################################
++## <summary>
++##	Search opensm cache directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_search_cache',`
++	gen_require(`
++		type opensm_cache_t;
++	')
++
++	allow $1 opensm_cache_t:dir search_dir_perms;
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Read opensm cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_read_cache_files',`
++	gen_require(`
++		type opensm_cache_t;
++	')
++
++	files_search_var($1)
++	read_files_pattern($1, opensm_cache_t, opensm_cache_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	opensm cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_manage_cache_files',`
++	gen_require(`
++		type opensm_cache_t;
++	')
++
++	files_search_var($1)
++	manage_files_pattern($1, opensm_cache_t, opensm_cache_t)
++')
++
++########################################
++## <summary>
++##	Manage opensm cache dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_manage_cache_dirs',`
++	gen_require(`
++		type opensm_cache_t;
++	')
++
++	files_search_var($1)
++	manage_dirs_pattern($1, opensm_cache_t, opensm_cache_t)
++')
++
++########################################
++## <summary>
++##	Read opensm's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`opensm_read_log',`
++	gen_require(`
++		type opensm_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, opensm_log_t, opensm_log_t)
++')
++
++########################################
++## <summary>
++##	Append to opensm log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_append_log',`
++	gen_require(`
++		type opensm_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, opensm_log_t, opensm_log_t)
++')
++
++########################################
++## <summary>
++##	Manage opensm log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_manage_log',`
++	gen_require(`
++		type opensm_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, opensm_log_t, opensm_log_t)
++	manage_files_pattern($1, opensm_log_t, opensm_log_t)
++	manage_lnk_files_pattern($1, opensm_log_t, opensm_log_t)
++')
++########################################
++## <summary>
++##	Execute opensm server in the opensm domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`opensm_systemctl',`
++	gen_require(`
++		type opensm_t;
++		type opensm_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 opensm_unit_file_t:file read_file_perms;
++	allow $1 opensm_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, opensm_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an opensm environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`opensm_admin',`
++	gen_require(`
++		type opensm_t;
++		type opensm_cache_t;
++		type opensm_log_t;
++	type opensm_unit_file_t;
++	')
++
++	allow $1 opensm_t:process { ptrace signal_perms };
++	ps_process_pattern($1, opensm_t)
++
++	files_search_var($1)
++	admin_pattern($1, opensm_cache_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, opensm_log_t)
++
++	opensm_systemctl($1)
++	admin_pattern($1, opensm_unit_file_t)
++	allow $1 opensm_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/opensm.te b/opensm.te
+new file mode 100644
+index 0000000..a055461
+--- /dev/null
++++ b/opensm.te
+@@ -0,0 +1,44 @@
++policy_module(opensm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type opensm_t;
++type opensm_exec_t;
++init_daemon_domain(opensm_t, opensm_exec_t)
++
++type opensm_cache_t;
++files_type(opensm_cache_t)
++
++type opensm_log_t;
++logging_log_file(opensm_log_t)
++
++type opensm_unit_file_t;
++systemd_unit_file(opensm_unit_file_t)
++
++########################################
++#
++# opensm local policy
++#
++allow opensm_t self:process { signal fork };
++allow opensm_t self:fifo_file rw_fifo_file_perms;
++allow opensm_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
++manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
++files_var_filetrans(opensm_t, opensm_cache_t, { dir file })
++
++manage_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
++logging_log_filetrans(opensm_t, opensm_log_t, file )
++
++kernel_read_system_state(opensm_t)
++
++auth_read_passwd(opensm_t)
++
++corecmd_exec_bin(opensm_t)
++
++dev_read_sysfs(opensm_t)
++
++logging_send_syslog_msg(opensm_t)
 diff --git a/openvpn.fc b/openvpn.fc
 index 300213f..4cdfe09 100644
 --- a/openvpn.fc
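Review bot: `opensm_admin` grants `allow $1 opensm_t:process { ptrace signal_perms };` unconditionally, whereas `postfix_admin` in this same patch gates ptrace behind `tunable_policy(`deny_ptrace',`',` … `)`; the new admin interfaces should follow that form so the deny_ptrace boolean actually covers opensm, and `rasdaemon_admin` in the rasdaemon hunk below has the same issue. The `opensm_domtrans` summary still reads `Execute TEMPLATE in the opensm domin.`, leftover template text plus a typo, which should become `Execute opensm in the opensm domain.` (mirrored in rasdaemon.if). Indentation is mixed: `systemd_read_fifo_file_passwd_run($1)` in `opensm_systemctl` is space-indented and `type opensm_unit_file_t;` in `opensm_admin` is under-indented, and `opensm_admin` reaches that same helper twice, once through `opensm_systemctl` and once in its own optional_policy.
```m4
interface(`opensm_admin',`
	/* … unchanged: gen_require … */

	allow $1 opensm_t:process signal_perms;
	tunable_policy(`deny_ptrace',`',`
		allow $1 opensm_t:process ptrace;
	')
	ps_process_pattern($1, opensm_t)
	/* … unchanged: cache, log, unit-file administration … */
```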
@@ -54665,7 +55461,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454..1e7f218 100644
+index 608f454..dfb2fb4 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -55023,7 +55819,7 @@ index 608f454..1e7f218 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,6 +356,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +356,11 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -55031,7 +55827,11 @@ index 608f454..1e7f218 100644
  
  domain_use_interactive_fds(pegasus_t)
  domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +371,25 @@ init_stream_connect_script(pegasus_t)
++domain_named_filetrans(pegasus_t)
+ 
+ files_list_var_lib(pegasus_t)
+ files_read_var_lib_files(pegasus_t)
+@@ -128,18 +372,29 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -55047,6 +55847,10 @@ index 608f454..1e7f218 100644
  optional_policy(`
 -	dbus_system_bus_client(pegasus_t)
 -	dbus_connect_system_bus(pegasus_t)
++	dmidecode_domtrans(pegasus_t)
++')
++
++optional_policy(`
 +    dbus_system_bus_client(pegasus_t)
 +    dbus_connect_system_bus(pegasus_t)
  
@@ -55063,7 +55867,7 @@ index 608f454..1e7f218 100644
  ')
  
  optional_policy(`
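Review bot: `dmidecode_domtrans(pegasus_t)` here and `domain_named_filetrans(pegasus_t)` in the preceding hunk both land without a why-comment; dmidecode reads raw SMBIOS data, and if `domain_named_filetrans` is as broad as its name suggests (named file transitions across all domains) this is a sizeable widening for a CIM broker. A comment naming the provider that needs each grant, e.g. `# <provider> runs dmidecode for hardware inventory` with the real provider filled in, would let a later audit decide whether either can be narrowed. The pegasus_t block continues outside the hunk.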
-@@ -151,16 +401,24 @@ optional_policy(`
+@@ -151,16 +406,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55092,7 +55896,7 @@ index 608f454..1e7f218 100644
  ')
  
  optional_policy(`
-@@ -168,7 +426,7 @@ optional_policy(`
+@@ -168,7 +431,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56529,10 +57333,10 @@ index 0000000..17f5d18
 +')
 +
 diff --git a/plymouthd.fc b/plymouthd.fc
-index 735500f..ef1dd7a 100644
+index 735500f..2ba6832 100644
 --- a/plymouthd.fc
 +++ b/plymouthd.fc
-@@ -1,15 +1,15 @@
+@@ -1,15 +1,14 @@
 -/bin/plymouth	--	gen_context(system_u:object_r:plymouth_exec_t,s0)
 +/bin/plymouth			--	gen_context(system_u:object_r:plymouth_exec_t,s0)
  
@@ -56553,11 +57357,11 @@ index 735500f..ef1dd7a 100644
 +/usr/sbin/plymouthd		--	gen_context(system_u:object_r:plymouthd_exec_t,s0)
  
 -/var/run/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-+/var/spool/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_spool_t,s0)
- 
+-
 -/var/spool/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_spool_t,s0)
++/var/spool/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_spool_t,s0)
 diff --git a/plymouthd.if b/plymouthd.if
-index 30e751f..3985ff9 100644
+index 30e751f..78fb7c6 100644
 --- a/plymouthd.if
 +++ b/plymouthd.if
 @@ -1,4 +1,4 @@
@@ -56745,7 +57549,7 @@ index 30e751f..3985ff9 100644
  	gen_require(`
  		type plymouthd_var_run_t;
  	')
-@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',`
+@@ -233,36 +228,113 @@ interface(`plymouthd_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -56753,13 +57557,12 @@ index 30e751f..3985ff9 100644
 -##	administrate an plymouthd environment.
 +##	Allow the specified domain to read
 +##	to plymouthd log files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="role">
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
 +interface(`plymouthd_read_log',`
 +	gen_require(`
@@ -56770,17 +57573,38 @@ index 30e751f..3985ff9 100644
 +	read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
 +')
 +
-+########################################
++#####################################
 +## <summary>
-+##	Allow the specified domain to manage
-+##	to plymouthd log files.
++##  Allow the specified domain to create plymouthd's log files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
++##  <summary>
++##  Domain allowed access.
++##  </summary>
 +## </param>
 +#
++interface(`plymouthd_create_log',`
++    gen_require(`
++        type plymouthd_log_t;
++    ')
++
++    logging_search_logs($1)
++    create_files_pattern($1, plymouthd_log_t, plymouthd_log_t)
++')
++
++
++########################################
++## <summary>
++##	Allow the specified domain to manage
++##	to plymouthd log files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
++#
 +interface(`plymouthd_manage_log',`
 +	gen_require(`
 +		type plymouthd_var_log_t;
@@ -56802,12 +57626,12 @@ index 30e751f..3985ff9 100644
 +##      </summary>
 +## </param>
 +#
-+interface(`plymouthd_create_log',`
++interface(`plymouthd_filetrans_named_content',`
++
 +    gen_require(`
 +        type plymouthd_var_log_t;
 +    ')
 +    
-+    logging_rw_generic_log_dirs($1)
 +    logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
 +')
 +
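Review bot: Renaming the interface to `plymouthd_filetrans_named_content` and dropping `logging_rw_generic_log_dirs($1)` means the `boot.log` name transition only takes effect for callers that already hold create permission on the /var/log directory; any caller moved to the new name must obtain that elsewhere or boot.log is not created at all. The interface's `<summary>` sits above the hunk and should state that it only fixes the label of a newly created `boot.log` and grants no creation rights. The empty line between the interface header and `gen_require` can go.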
@@ -58371,7 +59195,7 @@ index c0e8785..c0e0959 100644
 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
  /var/spool/postfix/flush(/.*)?	gen_context(system_u:object_r:postfix_spool_flush_t,s0)
 diff --git a/postfix.if b/postfix.if
-index ded95ec..0b76d72 100644
+index ded95ec..3cf7146 100644
 --- a/postfix.if
 +++ b/postfix.if
 @@ -1,4 +1,4 @@
@@ -58702,8 +59526,11 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -382,14 +367,32 @@ interface(`postfix_domtrans_master',`
+@@ -380,16 +365,35 @@ interface(`postfix_run_map',`
+ interface(`postfix_domtrans_master',`
+ 	gen_require(`
  		type postfix_master_t, postfix_master_exec_t;
++		attribute postfix_domain;
  	')
  
 -	corecmd_search_bin($1)
@@ -58738,7 +59565,7 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -402,21 +405,18 @@ interface(`postfix_exec_master',`
+@@ -402,21 +406,18 @@ interface(`postfix_exec_master',`
  		type postfix_master_exec_t;
  	')
  
@@ -58761,7 +59588,7 @@ index ded95ec..0b76d72 100644
  #
  interface(`postfix_stream_connect_master',`
  	gen_require(`
-@@ -428,8 +428,7 @@ interface(`postfix_stream_connect_master',`
+@@ -428,8 +429,7 @@ interface(`postfix_stream_connect_master',`
  
  ########################################
  ## <summary>
@@ -58771,7 +59598,7 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -437,15 +436,18 @@ interface(`postfix_stream_connect_master',`
+@@ -437,15 +437,18 @@ interface(`postfix_stream_connect_master',`
  ##	</summary>
  ## </param>
  #
@@ -58794,7 +59621,7 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -458,14 +460,13 @@ interface(`postfix_domtrans_postdrop',`
+@@ -458,14 +461,13 @@ interface(`postfix_domtrans_postdrop',`
  		type postfix_postdrop_t, postfix_postdrop_exec_t;
  	')
  
@@ -58810,7 +59637,7 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',`
+@@ -478,30 +480,85 @@ interface(`postfix_domtrans_postqueue',`
  		type postfix_postqueue_t, postfix_postqueue_exec_t;
  	')
  
@@ -58830,18 +59657,15 @@ index ded95ec..0b76d72 100644
  ##	<summary>
 -##	Domain allowed access.
 +##	Domain allowed to transition.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +## <param name="role">
 +##  <summary>
 +##  The role to be allowed the iptables domain.
 +##  </summary>
 +## </param>
 +## <rolecap/>
- #
--interface(`posftix_exec_postqueue',`
--	refpolicywarn(`$0($*) has been deprecated.')
--	postfix_exec_postqueue($1)
++#
 +
 +interface(`postfix_run_postqueue',`
 +	gen_require(`
@@ -58851,8 +59675,8 @@ index ded95ec..0b76d72 100644
 +	postfix_domtrans_postqueue($1)
 +	role $2 types postfix_postqueue_t;
 +	allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
- ')
- 
++')
++
 +########################################
 +## <summary>
 +##	Execute postfix_postgqueue in the postfix_postgqueue domain.
@@ -58884,10 +59708,13 @@ index ded95ec..0b76d72 100644
 +## <param name="role">
 +##	<summary>
 +##	Role allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`posftix_exec_postqueue',`
+-	refpolicywarn(`$0($*) has been deprecated.')
+-	postfix_exec_postqueue($1)
 +interface(`postfix_run_postgqueue',`
 +	gen_require(`
 +		type postfix_postgqueue_t;
@@ -58895,8 +59722,8 @@ index ded95ec..0b76d72 100644
 +
 +	postfix_domtrans_postgqueue($1)
 +	role $2 types postfix_postgqueue_t;
-+')
-+
+ ')
+ 
 +
  #######################################
  ## <summary>
@@ -58906,7 +59733,7 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',`
+@@ -514,13 +571,12 @@ interface(`postfix_exec_postqueue',`
  		type postfix_postqueue_exec_t;
  	')
  
@@ -58921,7 +59748,7 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',`
+@@ -533,13 +589,13 @@ interface(`postfix_create_private_sockets',`
  		type postfix_private_t;
  	')
  
@@ -58937,7 +59764,7 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',`
+@@ -552,13 +608,14 @@ interface(`postfix_manage_private_sockets',`
  		type postfix_private_t;
  	')
  
@@ -58954,7 +59781,7 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',`
+@@ -571,14 +628,12 @@ interface(`postfix_domtrans_smtp',`
  		type postfix_smtp_t, postfix_smtp_exec_t;
  	')
  
@@ -58970,7 +59797,7 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',`
+@@ -586,7 +641,7 @@ interface(`postfix_domtrans_smtp',`
  ##	</summary>
  ## </param>
  #
@@ -58979,7 +59806,7 @@ index ded95ec..0b76d72 100644
  	gen_require(`
  		attribute postfix_spool_type;
  	')
-@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',`
+@@ -607,11 +662,11 @@ interface(`postfix_getattr_all_spool_files',`
  #
  interface(`postfix_search_spool',`
  	gen_require(`
@@ -58993,7 +59820,7 @@ index ded95ec..0b76d72 100644
  ')
  
  ########################################
-@@ -626,11 +680,11 @@ interface(`postfix_search_spool',`
+@@ -626,11 +681,11 @@ interface(`postfix_search_spool',`
  #
  interface(`postfix_list_spool',`
  	gen_require(`
@@ -59007,7 +59834,7 @@ index ded95ec..0b76d72 100644
  ')
  
  ########################################
-@@ -645,17 +699,16 @@ interface(`postfix_list_spool',`
+@@ -645,17 +700,16 @@ interface(`postfix_list_spool',`
  #
  interface(`postfix_read_spool_files',`
  	gen_require(`
@@ -59028,7 +59855,7 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',`
+@@ -665,11 +719,50 @@ interface(`postfix_read_spool_files',`
  #
  interface(`postfix_manage_spool_files',`
  	gen_require(`
@@ -59081,7 +59908,7 @@ index ded95ec..0b76d72 100644
  ')
  
  ########################################
-@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -693,8 +786,8 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  ########################################
  ## <summary>
@@ -59092,7 +59919,7 @@ index ded95ec..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -710,38 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,38 +803,137 @@ interface(`postfix_domtrans_user_mail_handler',`
  #
  interface(`postfix_admin',`
  	gen_require(`
@@ -59107,17 +59934,16 @@ index ded95ec..0b76d72 100644
 +		type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
 +		type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
 +		type postfix_smtpd_t, postfix_var_run_t;
- 	')
- 
--	allow $1 postfix_domain:process { ptrace signal_perms };
--	ps_process_pattern($1, postfix_domain)
++	')
++
 +	allow $1 postfix_bounce_t:process signal_perms;
 +	ps_process_pattern($1, postfix_bounce_t)
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 postfix_bounce_t:process ptrace;
-+	')
+ 	')
  
--	init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+-	allow $1 postfix_domain:process { ptrace signal_perms };
+-	ps_process_pattern($1, postfix_domain)
 +	allow $1 postfix_cleanup_t:process signal_perms;
 +	ps_process_pattern($1, postfix_cleanup_t)
 +	tunable_policy(`deny_ptrace',`',`
@@ -59128,7 +59954,8 @@ index ded95ec..0b76d72 100644
 +		allow $1 postfix_qmgr_t:process ptrace;
 +		allow $1 postfix_smtpd_t:process ptrace;
 +	')
-+
+ 
+-	init_labeled_script_domtrans($1, postfix_initrc_exec_t)
 +	allow $1 postfix_local_t:process signal_perms;
 +	ps_process_pattern($1, postfix_local_t)
 +
@@ -59252,7 +60079,7 @@ index ded95ec..0b76d72 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83e..a18b985 100644
+index 5cfb83e..efec4cc 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -60067,7 +60894,7 @@ index 5cfb83e..a18b985 100644
  ')
  
  optional_policy(`
-@@ -774,31 +706,99 @@ optional_policy(`
+@@ -774,31 +706,100 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -60150,6 +60977,7 @@ index 5cfb83e..a18b985 100644
 +term_dontaudit_use_console(postfix_domain)
 +
 +corecmd_exec_shell(postfix_domain)
++corecmd_getattr_all_executables(postfix_domain)
 +
 +files_read_etc_runtime_files(postfix_domain)
 +files_read_usr_symlinks(postfix_domain)
@@ -68119,6 +68947,224 @@ index c99753f..5e27523 100644
 +optional_policy(`
 +	xserver_dontaudit_search_log(mdadm_t)
 +')
+diff --git a/rasdaemon.fc b/rasdaemon.fc
+new file mode 100644
+index 0000000..8e31dd0
+--- /dev/null
++++ b/rasdaemon.fc
+@@ -0,0 +1,9 @@
++/usr/lib/systemd/system/ras-mc-ctl.*		--	gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
++
++/usr/lib/systemd/system/rasdaemon.*		--	gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
++
++/usr/sbin/rasdaemon		--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
++
++/usr/sbin/ras-mc-ctl		--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
++
++/var/lib/rasdaemon(/.*)?		gen_context(system_u:object_r:rasdaemon_var_lib_t,s0)
+diff --git a/rasdaemon.if b/rasdaemon.if
+new file mode 100644
+index 0000000..a073efd
+--- /dev/null
++++ b/rasdaemon.if
+@@ -0,0 +1,156 @@
++
++## <summary>The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the rasdaemon domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rasdaemon_domtrans',`
++	gen_require(`
++		type rasdaemon_t, rasdaemon_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, rasdaemon_exec_t, rasdaemon_t)
++')
++
++########################################
++## <summary>
++##	Search rasdaemon lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_search_lib',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	allow $1 rasdaemon_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read rasdaemon lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_read_lib_files',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage rasdaemon lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_manage_lib_files',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage rasdaemon lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_manage_lib_dirs',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Execute rasdaemon server in the rasdaemon domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_systemctl',`
++	gen_require(`
++		type rasdaemon_t;
++		type rasdaemon_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 rasdaemon_unit_file_t:file read_file_perms;
++	allow $1 rasdaemon_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, rasdaemon_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an rasdaemon environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`rasdaemon_admin',`
++	gen_require(`
++		type rasdaemon_t;
++		type rasdaemon_var_lib_t;
++	type rasdaemon_unit_file_t;
++	')
++
++	allow $1 rasdaemon_t:process { ptrace signal_perms };
++	ps_process_pattern($1, rasdaemon_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, rasdaemon_var_lib_t)
++
++	rasdaemon_systemctl($1)
++	admin_pattern($1, rasdaemon_unit_file_t)
++	allow $1 rasdaemon_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/rasdaemon.te b/rasdaemon.te
+new file mode 100644
+index 0000000..8651ca4
+--- /dev/null
++++ b/rasdaemon.te
+@@ -0,0 +1,35 @@
++policy_module(rasdaemon, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rasdaemon_t;
++type rasdaemon_exec_t;
++init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
++
++type rasdaemon_var_lib_t;
++files_type(rasdaemon_var_lib_t)
++
++type rasdaemon_unit_file_t;
++systemd_unit_file(rasdaemon_unit_file_t)
++
++########################################
++#
++# rasdaemon local policy
++#
++allow rasdaemon_t self:fifo_file rw_fifo_file_perms;
++allow rasdaemon_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++manage_files_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++files_var_lib_filetrans(rasdaemon_t, rasdaemon_var_lib_t, { dir file  })
++
++kernel_read_system_state(rasdaemon_t)
++kernel_manage_debugfs(rasdaemon_t)
++
++dev_read_sysfs(rasdaemon_t)
++
++logging_send_syslog_msg(rasdaemon_t)
++
 diff --git a/razor.fc b/razor.fc
 index 6723f4d..6e26673 100644
 --- a/razor.fc
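Review bot: `kernel_manage_debugfs(rasdaemon_t)` in rasdaemon.te grants create/write/unlink over all of debugfs, far more than the tracing events the module summary describes; if the daemon only reads and arms trace events under /sys/kernel/debug/tracing, prefer the narrowest debugfs interface that suffices, or at least add `# writes /sys/kernel/debug/tracing/ to enable RAS trace events` so the grant is reviewable. rasdaemon.fc also labels `ras-mc-ctl` with `rasdaemon_exec_t`, so that tool runs as the daemon domain when reached via `rasdaemon_domtrans`; confirm that is intended rather than giving it its own exec type. rasdaemon.te ends with a stray empty line.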
@@ -70913,7 +71959,7 @@ index c8bdea2..2e4d698 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..d4169cb 100644
+index 6cf79c4..65c88c9 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -71232,7 +72278,7 @@ index 6cf79c4..d4169cb 100644
  ')
  
  #####################################
-@@ -79,7 +349,7 @@ optional_policy(`
+@@ -79,9 +349,11 @@ optional_policy(`
  # dlm_controld local policy
  #
  
@@ -71240,8 +72286,12 @@ index 6cf79c4..d4169cb 100644
 +allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource };
  allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
++files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir)
++
  stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+ stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+ 
+@@ -98,16 +370,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
  
  init_rw_script_tmp_files(dlm_controld_t)
  
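Review bot: The new `files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir)` is an unnamed directory transition, so any directory dlm_controld_t creates directly under /var/run is labelled dlm_controld_var_run_t, not only its own runtime directory. This same patch series adds a filename transition for servicelog.db-journal, so the named form is the convention being followed elsewhere; if the dlm_controld runtime directory has a fixed name in its .fc entry, pin it with a fourth argument, e.g. `files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir, "dlm_controld")`, substituting the real directory name. The other dlm_controld_t rules for dlm_controld_var_run_t are outside the hunk, so whether a matching manage_dirs_pattern exists cannot be confirmed from here.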
@@ -71274,7 +72324,7 @@ index 6cf79c4..d4169cb 100644
  manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
  files_lock_filetrans(fenced_t, fenced_lock_t, file)
  
-@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +404,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -71285,7 +72335,7 @@ index 6cf79c4..d4169cb 100644
  
  corecmd_exec_bin(fenced_t)
  corecmd_exec_shell(fenced_t)
-@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +433,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
  dev_read_urand(fenced_t)
@@ -71296,7 +72346,7 @@ index 6cf79c4..d4169cb 100644
  
  storage_raw_read_fixed_disk(fenced_t)
  storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +443,7 @@ term_getattr_pty_fs(fenced_t)
  term_use_generic_ptys(fenced_t)
  term_use_ptmx(fenced_t)
  
@@ -71305,7 +72355,7 @@ index 6cf79c4..d4169cb 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +463,8 @@ optional_policy(`
+@@ -182,7 +465,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71315,7 +72365,7 @@ index 6cf79c4..d4169cb 100644
  ')
  
  optional_policy(`
-@@ -190,12 +472,12 @@ optional_policy(`
+@@ -190,12 +474,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71331,7 +72381,7 @@ index 6cf79c4..d4169cb 100644
  ')
  
  optional_policy(`
-@@ -203,6 +485,13 @@ optional_policy(`
+@@ -203,6 +487,13 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -71345,7 +72395,7 @@ index 6cf79c4..d4169cb 100644
  #######################################
  #
  # foghorn local policy
-@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +512,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
  corenet_tcp_connect_agentx_port(foghorn_t)
  corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
@@ -71366,7 +72416,7 @@ index 6cf79c4..d4169cb 100644
  	snmp_stream_connect(foghorn_t)
  ')
  
-@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +550,8 @@ storage_getattr_removable_dev(gfs_controld_t)
  
  init_rw_script_tmp_files(gfs_controld_t)
  
@@ -71375,7 +72425,7 @@ index 6cf79c4..d4169cb 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +570,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -71417,7 +72467,7 @@ index 6cf79c4..d4169cb 100644
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +645,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -75728,16 +76778,16 @@ index 0000000..25d96cb
 +
 diff --git a/rtas.if b/rtas.if
 new file mode 100644
-index 0000000..9381936
+index 0000000..0ec3302
 --- /dev/null
 +++ b/rtas.if
-@@ -0,0 +1,166 @@
+@@ -0,0 +1,162 @@
 +
-+## <summary>rtas_errd - Platform diagnostics report firmware events</summary>
++## <summary>Platform diagnostics report firmware events.</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the rtas_errd domin.
++##	Execute rtas_errd in the rtas_errd domin.
 +## </summary>
 +## <param name="domain">
 +## <summary>
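Review bot: The rewritten summary line `##	Execute rtas_errd in the rtas_errd domin.` still carries the typo "domin" from the line it replaces, and since this commit is explicitly a clean-up of rtas.if it should go in the same pass. Change it to `##	Execute rtas_errd in the rtas_errd domain.`. The corrected module summary on the earlier added line reads fine.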
@@ -75753,6 +76803,7 @@ index 0000000..9381936
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t)
 +')
++
 +########################################
 +## <summary>
 +##	Read rtas_errd's log files.
@@ -75812,6 +76863,7 @@ index 0000000..9381936
 +	manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
 +	manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
 +')
++
 +########################################
 +## <summary>
 +##	Read rtas_errd PID files.
@@ -75848,7 +76900,7 @@ index 0000000..9381936
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_passwd_run($1)
++    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 rtas_errd_unit_file_t:file read_file_perms;
 +	allow $1 rtas_errd_unit_file_t:service manage_service_perms;
 +
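Review bot: The cleanup of the `systemd_read_fifo_file_passwd_run($1)` line trades eight spaces for four, but its neighbours (`systemd_exec_systemctl($1)` above and the two `allow $1 rtas_errd_unit_file_t` lines below) are tab-indented, so the line still does not match the file. Use a single tab like the rest of the body: `	systemd_read_fifo_file_passwd_run($1)`. The interface this sits in starts and ends outside the hunk.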
@@ -75866,19 +76918,12 @@ index 0000000..9381936
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`rtas_errd_admin',`
 +	gen_require(`
 +		type rtas_errd_t;
-+		type rtas_errd_log_t;
-+		type rtas_errd_var_run_t;
-+	type rtas_errd_unit_file_t;
++		type rtas_errd_log_t, rtas_errd_var_run_t;
++    	type rtas_errd_unit_file_t;
 +	')
 +
 +	allow $1 rtas_errd_t:process { ptrace signal_perms };
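Review bot: The consolidated gen_require is still inconsistently indented: `type rtas_errd_log_t, rtas_errd_var_run_t;` uses two tabs while the following `    	type rtas_errd_unit_file_t;` uses four spaces plus a tab, which defeats the stated purpose of the clean-up. Either fold the third type into the same declaration, `type rtas_errd_log_t, rtas_errd_var_run_t, rtas_errd_unit_file_t;`, or give it the same two-tab indent. Dropping the role parameter and `<rolecap/>` from the documentation is consistent with the visible body using only `$1`, but the rasdaemon_admin interface added earlier in this same patch keeps `<rolecap/>` with a lone domain parameter, so the two new admin interfaces now document themselves differently. The interface body continues past the end of the hunk.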
@@ -75893,6 +76938,7 @@ index 0000000..9381936
 +	rtas_errd_systemctl($1)
 +	admin_pattern($1, rtas_errd_unit_file_t)
 +	allow $1 rtas_errd_unit_file_t:service all_service_perms;
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
@@ -76965,7 +78011,7 @@ index 50d07fb..bada62f 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..d768a98 100644
+index 2b7c441..3e81196 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -77382,7 +78428,7 @@ index 2b7c441..d768a98 100644
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
  fs_get_xattr_fs_quotas(smbd_t)
-@@ -366,44 +361,54 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +361,55 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
@@ -77431,6 +78477,7 @@ index 2b7c441..d768a98 100644
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
  	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
++	fs_rw_inherited_tmpfs_files(smbd_t)
  ')
  
 -tunable_policy(`allow_smbd_anon_write',`
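Review bot: `fs_rw_inherited_tmpfs_files(smbd_t)` is an allow rule appended to a run of dontaudit rules (`files_dontaudit_getattr_default_dirs`, `fs_dontaudit_getattr_tmpfs_dirs`), and the block enclosing them opens before this hunk, so the grant inherits whatever condition — tunable or build-time ifdef — that block carries. If the intent is an unconditional fix for a tmpfs descriptor leaked into smbd, it belongs outside this block with the other smbd_t fs_ rules; if it is meant to be conditional, a one-line comment above it, such as `# rw on a tmpfs fd inherited from the parent process`, with the actual source of the leak if known, would explain why an allow sits among dontaudits.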
@@ -77448,7 +78495,7 @@ index 2b7c441..d768a98 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -419,20 +424,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +425,10 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -77471,7 +78518,7 @@ index 2b7c441..d768a98 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -441,6 +436,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +437,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -77479,7 +78526,7 @@ index 2b7c441..d768a98 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -448,17 +444,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,17 +445,6 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -77497,7 +78544,7 @@ index 2b7c441..d768a98 100644
  optional_policy(`
  	ccs_read_config(smbd_t)
  ')
-@@ -466,6 +451,7 @@ optional_policy(`
+@@ -466,6 +452,7 @@ optional_policy(`
  optional_policy(`
  	ctdbd_stream_connect(smbd_t)
  	ctdbd_manage_lib_files(smbd_t)
@@ -77505,7 +78552,7 @@ index 2b7c441..d768a98 100644
  ')
  
  optional_policy(`
-@@ -479,6 +465,11 @@ optional_policy(`
+@@ -479,6 +466,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77517,7 +78564,7 @@ index 2b7c441..d768a98 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -499,9 +490,33 @@ optional_policy(`
+@@ -499,9 +491,33 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -77552,7 +78599,7 @@ index 2b7c441..d768a98 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +527,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +528,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -77567,7 +78614,7 @@ index 2b7c441..d768a98 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +543,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +544,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -77591,7 +78638,7 @@ index 2b7c441..d768a98 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -548,52 +560,41 @@ kernel_read_network_state(nmbd_t)
+@@ -548,52 +561,41 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -77657,7 +78704,7 @@ index 2b7c441..d768a98 100644
  ')
  
  optional_policy(`
-@@ -606,16 +607,22 @@ optional_policy(`
+@@ -606,16 +608,22 @@ optional_policy(`
  
  ########################################
  #
@@ -77684,7 +78731,7 @@ index 2b7c441..d768a98 100644
  
  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
  
-@@ -627,16 +634,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +635,11 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -77702,7 +78749,7 @@ index 2b7c441..d768a98 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +646,23 @@ optional_policy(`
+@@ -644,22 +647,23 @@ optional_policy(`
  
  ########################################
  #
@@ -77734,7 +78781,7 @@ index 2b7c441..d768a98 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +671,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +672,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -77770,7 +78817,7 @@ index 2b7c441..d768a98 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +698,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +699,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -77862,7 +78909,7 @@ index 2b7c441..d768a98 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +777,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +778,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -77886,7 +78933,7 @@ index 2b7c441..d768a98 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +791,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +792,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -77929,7 +78976,7 @@ index 2b7c441..d768a98 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +821,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +822,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -77943,7 +78990,7 @@ index 2b7c441..d768a98 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -841,16 +845,19 @@ optional_policy(`
+@@ -841,16 +846,19 @@ optional_policy(`
  #
  
  allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
@@ -77967,7 +79014,7 @@ index 2b7c441..d768a98 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +867,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +868,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -77978,7 +79025,7 @@ index 2b7c441..d768a98 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +878,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +879,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -78008,7 +79055,7 @@ index 2b7c441..d768a98 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -898,13 +901,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +902,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -78029,7 +79076,7 @@ index 2b7c441..d768a98 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,10 +919,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,10 +920,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -78040,7 +79087,7 @@ index 2b7c441..d768a98 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -924,26 +927,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +928,39 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -78082,7 +79129,7 @@ index 2b7c441..d768a98 100644
  ')
  
  optional_policy(`
-@@ -959,31 +975,29 @@ optional_policy(`
+@@ -959,31 +976,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -78120,7 +79167,7 @@ index 2b7c441..d768a98 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1011,38 @@ optional_policy(`
+@@ -997,25 +1012,38 @@ optional_policy(`
  
  ########################################
  #
@@ -79847,7 +80894,7 @@ index 98c9e0a..df51942 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..d252327 100644
+index 299756b..947d6b9 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -79949,7 +80996,7 @@ index 299756b..d252327 100644
  ')
  
  optional_policy(`
-@@ -117,6 +130,29 @@ optional_policy(`
+@@ -117,6 +130,32 @@ optional_policy(`
  # Reposd local policy
  #
  
@@ -79978,6 +81025,9 @@ index 299756b..d252327 100644
 +
 +corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
 +
++dev_read_rand(sblim_sfcbd_t)
++dev_read_urand(sblim_sfcbd_t)
++
 +domain_read_all_domains_state(sblim_sfcbd_t)
 +domain_use_interactive_fds(sblim_sfcbd_t)
 diff --git a/screen.fc b/screen.fc
@@ -81032,7 +82082,7 @@ index 0b3a971..397a522 100644
 -/var/lib/setroubleshoot(/.*)?	gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
 +/var/lib/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
 diff --git a/setroubleshoot.if b/setroubleshoot.if
-index 3a9a70b..039b0c8 100644
+index 3a9a70b..903109c 100644
 --- a/setroubleshoot.if
 +++ b/setroubleshoot.if
 @@ -1,9 +1,8 @@
@@ -81059,7 +82109,32 @@ index 3a9a70b..039b0c8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -107,8 +105,27 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+@@ -42,6 +40,24 @@ interface(`setroubleshoot_dontaudit_stream_connect',`
+ 	dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
+ ')
+ 
++#######################################
++## <summary>
++##	Send null signals to setroubleshoot.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`setroubleshoot_signull',`
++	gen_require(`
++		type setroubleshootd_t;
++	')
++
++	allow $1 setroubleshootd_t:process signull;
++')
++
+ ########################################
+ ## <summary>
+ ##	Send and receive messages from
+@@ -107,8 +123,27 @@ interface(`setroubleshoot_dbus_chat_fixit',`
  
  ########################################
  ## <summary>
@@ -81089,7 +82164,7 @@ index 3a9a70b..039b0c8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -119,12 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+@@ -119,12 +154,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
  #
  interface(`setroubleshoot_admin',`
  	gen_require(`
@@ -82283,7 +83358,7 @@ index ec031a0..ebf575f 100644
  
  	netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
 diff --git a/smoltclient.te b/smoltclient.te
-index b3f2c6f..68f17c1 100644
+index b3f2c6f..dccac2a 100644
 --- a/smoltclient.te
 +++ b/smoltclient.te
 @@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t)
@@ -82301,6 +83376,17 @@ index b3f2c6f..68f17c1 100644
  
  optional_policy(`
  	abrt_stream_connect(smoltclient_t)
+@@ -77,6 +75,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    libs_exec_ldconfig(smoltclient_t)
++')
++
++optional_policy(`
+ 	rpm_exec(smoltclient_t)
+ 	rpm_read_db(smoltclient_t)
+ ')
 diff --git a/smsd.fc b/smsd.fc
 new file mode 100644
 index 0000000..4c3fcec
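Review bot: `libs_exec_ldconfig(smoltclient_t)` runs ldconfig inside smoltclient_t rather than transitioning to ldconfig_t, which is what sosreport does in this same patch with `libs_domtrans_ldconfig(sosreport_t)`; in-domain execution means any write ldconfig attempts to ld.so.cache would need smoltclient_t permissions, whereas the domtrans form keeps those writes in ldconfig_t. If smoltclient only needs the read-only `ldconfig -p` listing, the exec form is the tighter choice, and a comment on the line, `# ldconfig -p only, no transition needed`, would stop a later reviewer from "fixing" it into a domain transition. Separately, the new block is indented with four spaces while the adjacent `rpm_exec(smoltclient_t)` line uses a tab.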
@@ -83150,7 +84236,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index f2f507d..3669dac 100644
+index f2f507d..b97161a 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -83172,7 +84258,12 @@ index f2f507d..3669dac 100644
  optional_policy(`
  	pulseaudio_tmpfs_content(sosreport_tmpfs_t)
  ')
-@@ -37,6 +37,8 @@ allow sosreport_t self:process { setsched signull };
+@@ -33,10 +33,12 @@ optional_policy(`
+ 
+ allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
+ dontaudit sosreport_t self:capability sys_ptrace;
+-allow sosreport_t self:process { setsched signull };
++allow sosreport_t self:process signal_perms;
  allow sosreport_t self:fifo_file rw_fifo_file_perms;
  allow sosreport_t self:tcp_socket { accept listen };
  allow sosreport_t self:unix_stream_socket { accept listen };
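Review bot: Replacing `allow sosreport_t self:process { setsched signull };` with `allow sosreport_t self:process signal_perms;` silently drops setsched — signal_perms covers only the signal permissions — so sosreport_t loses the ability to change its own scheduling that the previous rule granted. The changelog entry says only "Allow sosreport all signal perms", so this looks unintended; the line should read `allow sosreport_t self:process { setsched signal_perms };`.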
@@ -83194,7 +84285,26 @@ index f2f507d..3669dac 100644
  manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
  fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
  
-@@ -69,6 +77,8 @@ dev_read_urand(sosreport_t)
+@@ -58,6 +66,18 @@ kernel_read_all_sysctls(sosreport_t)
+ kernel_read_software_raid_state(sosreport_t)
+ kernel_search_debugfs(sosreport_t)
+ kernel_read_messages(sosreport_t)
++kernel_request_load_module(sosreport_t)
++
++corenet_all_recvfrom_netlabel(sosreport_t)
++corenet_tcp_sendrecv_generic_if(sosreport_t)
++corenet_tcp_sendrecv_generic_node(sosreport_t)
++corenet_tcp_sendrecv_generic_port(sosreport_t)
++corenet_tcp_bind_generic_node(sosreport_t)
++corenet_tcp_bind_all_rpc_ports(sosreport_t)
++corenet_udp_bind_all_rpc_ports(sosreport_t)
++corenet_tcp_connect_http_port(sosreport_t)
++corenet_tcp_connect_all_ports(sosreport_t)
++corenet_sendrecv_http_client_packets(sosreport_t)
+ 
+ corecmd_exec_all_executables(sosreport_t)
+ 
+@@ -69,6 +89,8 @@ dev_read_urand(sosreport_t)
  dev_read_raw_memory(sosreport_t)
  dev_read_sysfs(sosreport_t)
  dev_rw_generic_usb_dev(sosreport_t)
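Review bot: `corenet_tcp_connect_all_ports(sosreport_t)` lets a diagnostic collector open TCP connections to every labelled port, which is broad for a tool that mostly reads local state, and it makes the `corenet_tcp_connect_http_port(sosreport_t)` line just above it redundant. The two `corenet_*_bind_all_rpc_ports` lines are likewise unexplained; if they exist because a plugin runs rpcinfo/showmount, say so with a comment such as `# rpcinfo/showmount plugins bind reserved RPC ports`, and if only HTTP connects are actually needed, keep the http_port rule and drop connect_all_ports. None of these network grants appear in the changelog, which mentions only the module-load request for sosreport.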
@@ -83203,7 +84313,7 @@ index f2f507d..3669dac 100644
  
  domain_getattr_all_domains(sosreport_t)
  domain_read_all_domains_state(sosreport_t)
-@@ -83,7 +93,6 @@ files_list_all(sosreport_t)
+@@ -83,7 +105,6 @@ files_list_all(sosreport_t)
  files_read_config_files(sosreport_t)
  files_read_generic_tmp_files(sosreport_t)
  files_read_non_auth_files(sosreport_t)
@@ -83211,7 +84321,7 @@ index f2f507d..3669dac 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -92,25 +101,32 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -92,25 +113,34 @@ files_manage_etc_runtime_files(sosreport_t)
  files_etc_filetrans_etc_runtime(sosreport_t, file)
  
  fs_getattr_all_fs(sosreport_t)
@@ -83234,6 +84344,8 @@ index f2f507d..3669dac 100644
  
  init_domtrans_script(sosreport_t)
 +init_getattr_initctl(sosreport_t)
++init_status(sosreport_t)
++init_stream_connect(sosreport_t)
  
  libs_domtrans_ldconfig(sosreport_t)
  
@@ -83247,7 +84359,7 @@ index f2f507d..3669dac 100644
  
  optional_policy(`
  	abrt_manage_pid_files(sosreport_t)
-@@ -119,6 +135,10 @@ optional_policy(`
+@@ -119,6 +149,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83258,10 +84370,14 @@ index f2f507d..3669dac 100644
  	cups_stream_connect(sosreport_t)
  ')
  
-@@ -127,6 +147,11 @@ optional_policy(`
+@@ -127,6 +161,15 @@ optional_policy(`
  ')
  
  optional_policy(`
++    lvm_dontaudit_access_check_lock(sosreport_t)
++')
++
++optional_policy(`
 +	# needed by modinfo
 +	modutils_read_module_deps(sosreport_t)
 +')
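Review bot: The new `lvm_dontaudit_access_check_lock(sosreport_t)` line is indented with four spaces, while the optional_policy bodies around it in this file use a tab (`	modutils_read_module_deps(sosreport_t)` two lines below); switch it to a tab to match. The same space indentation appears in the rpm_dbus_chat and setroubleshoot_signull blocks this commit adds further down in sosreport.te.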
@@ -83270,6 +84386,27 @@ index f2f507d..3669dac 100644
  	fstools_domtrans(sosreport_t)
  ')
  
+@@ -136,6 +179,10 @@ optional_policy(`
+ 	optional_policy(`
+ 		hal_dbus_chat(sosreport_t)
+ 	')
++
++    optional_policy(`
++        rpm_dbus_chat(sosreport_t)
++    ')
+ ')
+ 
+ optional_policy(`
+@@ -157,5 +204,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    setroubleshoot_signull(sosreport_t)
++')
++
++optional_policy(`
+ 	xserver_stream_connect(sosreport_t)
+ ')
 diff --git a/soundserver.if b/soundserver.if
 index a5abc5a..b9eff74 100644
 --- a/soundserver.if
@@ -85242,7 +86379,7 @@ index a240455..16a04bf 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..49327eb 100644
+index 2d8db1f..290807b 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -85279,9 +86416,11 @@ index 2d8db1f..49327eb 100644
  logging_log_filetrans(sssd_t, sssd_var_log_t, file)
  
  manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+@@ -62,17 +63,11 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+ 
  kernel_read_network_state(sssd_t)
  kernel_read_system_state(sssd_t)
++kernel_request_load_module(sssd_t)
  
 -corenet_all_recvfrom_unlabeled(sssd_t)
 -corenet_all_recvfrom_netlabel(sssd_t)
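Review bot: `kernel_request_load_module(sssd_t)` lets a daemon that talks to the network trigger kernel module autoloading, which widens the reachable kernel surface beyond the modules an administrator chose to load, so it deserves a justification in the policy rather than only in the changelog. Add a comment naming the trigger — presumably a socket family or crypto algorithm sssd requests — in the form `# module_request: <module> autoloaded by <call>` with the concrete module from the AVC, so a later maintainer can judge whether preloading that module or a modprobe alias would be the narrower fix.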
@@ -85297,7 +86436,7 @@ index 2d8db1f..49327eb 100644
  
  corecmd_exec_bin(sssd_t)
  
-@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,9 +78,7 @@ domain_read_all_domains_state(sssd_t)
  domain_obj_id_change_exemption(sssd_t)
  
  files_list_tmp(sssd_t)
@@ -85307,7 +86446,7 @@ index 2d8db1f..49327eb 100644
  files_list_var_lib(sssd_t)
  
  fs_list_inotifyfs(sssd_t)
-@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t)
+@@ -94,14 +87,15 @@ selinux_validate_context(sssd_t)
  
  seutil_read_file_contexts(sssd_t)
  # sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
@@ -85325,7 +86464,7 @@ index 2d8db1f..49327eb 100644
  auth_domtrans_chk_passwd(sssd_t)
  auth_domtrans_upd_passwd(sssd_t)
  auth_manage_cache(sssd_t)
-@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +106,32 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -90721,7 +91860,7 @@ index af9acc0..cdaf82e 100644
  	admin_pattern($1, uucpd_log_t)
  
 diff --git a/uucp.te b/uucp.te
-index 849f607..d7c8ed8 100644
+index 849f607..e01ec6d 100644
 --- a/uucp.te
 +++ b/uucp.te
 @@ -31,7 +31,7 @@ type uucpd_ro_t;
@@ -90733,7 +91872,7 @@ index 849f607..d7c8ed8 100644
  
  type uucpd_log_t;
  logging_log_file(uucpd_log_t)
-@@ -84,15 +84,19 @@ kernel_read_kernel_sysctls(uucpd_t)
+@@ -84,15 +84,20 @@ kernel_read_kernel_sysctls(uucpd_t)
  kernel_read_system_state(uucpd_t)
  kernel_read_network_state(uucpd_t)
  
@@ -90749,12 +91888,13 @@ index 849f607..d7c8ed8 100644
  corenet_tcp_connect_ssh_port(uucpd_t)
  corenet_tcp_sendrecv_ssh_port(uucpd_t)
  
++corenet_tcp_bind_uucpd_port(uucpd_t)
 +corenet_tcp_connect_uucpd_port(uucpd_t)
 +
  corecmd_exec_bin(uucpd_t)
  corecmd_exec_shell(uucpd_t)
  
-@@ -110,7 +114,7 @@ auth_use_nsswitch(uucpd_t)
+@@ -110,7 +115,7 @@ auth_use_nsswitch(uucpd_t)
  
  logging_send_syslog_msg(uucpd_t)
  
@@ -90763,7 +91903,7 @@ index 849f607..d7c8ed8 100644
  
  optional_policy(`
  	cron_system_entry(uucpd_t, uucpd_exec_t)
-@@ -125,10 +129,6 @@ optional_policy(`
+@@ -125,10 +130,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90774,7 +91914,7 @@ index 849f607..d7c8ed8 100644
  	ssh_exec(uucpd_t)
  ')
  
-@@ -160,10 +160,15 @@ auth_use_nsswitch(uux_t)
+@@ -160,10 +161,15 @@ auth_use_nsswitch(uux_t)
  logging_search_logs(uux_t)
  logging_send_syslog_msg(uux_t)
  
@@ -95416,10 +96556,10 @@ index eecd0e0..8df2e8c 100644
  
  /var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
 diff --git a/watchdog.te b/watchdog.te
-index 3548317..d8655b2 100644
+index 3548317..c93e88b 100644
 --- a/watchdog.te
 +++ b/watchdog.te
-@@ -12,12 +12,18 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
+@@ -12,29 +12,41 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
  type watchdog_initrc_exec_t;
  init_script_file(watchdog_initrc_exec_t)
  
@@ -95438,9 +96578,15 @@ index 3548317..d8655b2 100644
  ########################################
  #
  # Local policy
-@@ -29,8 +35,12 @@ allow watchdog_t self:process { setsched signal_perms };
+ #
+ 
+-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
++allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw };
+ dontaudit watchdog_t self:capability sys_tty_config;
+ allow watchdog_t self:process { setsched signal_perms };
  allow watchdog_t self:fifo_file rw_fifo_file_perms;
  allow watchdog_t self:tcp_socket { accept listen };
++allow watchdog_t self:rawip_socket create_socket_perms;
  
 -allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 -logging_log_filetrans(watchdog_t, watchdog_log_t, file)
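Review bot: `net_raw` and `allow watchdog_t self:rawip_socket create_socket_perms;` are granted unconditionally, yet watchdog's raw-socket use is presumably only its optional ICMP ping check, so every deployment now carries raw-socket privilege whether or not it pings anything. At minimum a why-comment on the rawip_socket line, `# ICMP ping test configured in watchdog.conf`, records the reason; if this file already uses tunables for optional features, gating both grants behind a boolean would be tighter.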
@@ -95453,7 +96599,12 @@ index 3548317..d8655b2 100644
  
  manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
  files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
-@@ -63,7 +73,6 @@ domain_signull_all_domains(watchdog_t)
+ 
++kernel_read_network_state(watchdog_t)
+ kernel_read_system_state(watchdog_t)
+ kernel_read_kernel_sysctls(watchdog_t)
+ kernel_unmount_proc(watchdog_t)
+@@ -63,7 +75,6 @@ domain_signull_all_domains(watchdog_t)
  domain_signal_all_domains(watchdog_t)
  domain_kill_all_domains(watchdog_t)
  
@@ -95461,7 +96612,11 @@ index 3548317..d8655b2 100644
  files_manage_etc_runtime_files(watchdog_t)
  files_etc_filetrans_etc_runtime(watchdog_t, file)
  
-@@ -75,8 +84,6 @@ auth_append_login_records(watchdog_t)
+@@ -72,11 +83,10 @@ fs_getattr_all_fs(watchdog_t)
+ fs_search_auto_mountpoints(watchdog_t)
+ 
+ auth_append_login_records(watchdog_t)
++auth_read_passwd(watchdog_t)
  
  logging_send_syslog_msg(watchdog_t)
  
@@ -95470,7 +96625,7 @@ index 3548317..d8655b2 100644
  sysnet_dns_name_resolve(watchdog_t)
  
  userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
-@@ -97,3 +104,28 @@ optional_policy(`
+@@ -97,3 +107,28 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(watchdog_t)
  ')
@@ -97883,7 +99038,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..16f1ab6 100644
+index 7f496c6..1498539 100644
 --- a/zabbix.te
 +++ b/zabbix.te
 @@ -6,21 +6,23 @@ policy_module(zabbix, 1.6.0)
@@ -98060,7 +99215,13 @@ index 7f496c6..16f1ab6 100644
  
  corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
  corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -182,7 +174,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+@@ -177,12 +169,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+ dev_getattr_all_blk_files(zabbix_agent_t)
+ dev_getattr_all_chr_files(zabbix_agent_t)
+ 
+-domain_search_all_domains_state(zabbix_agent_t)
++domain_read_all_domains_state(zabbix_agent_t)
+ 
  files_getattr_all_dirs(zabbix_agent_t)
  files_getattr_all_files(zabbix_agent_t)
  files_read_all_symlinks(zabbix_agent_t)
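Review bot: Upgrading `domain_search_all_domains_state` to `domain_read_all_domains_state(zabbix_agent_t)` lets the agent read the /proc entries of every process on the host, and since the agent binds a network port (`corenet_tcp_bind_zabbix_agent_port` in the context above) this is a real widening of what a compromised or misconfigured agent can disclose. Record which item keys need it — presumably the proc.* checks that read /proc/<pid>/status and cmdline — with a comment on the line, `# proc.num/proc.mem item keys read /proc/<pid>/status`, so the grant can be revisited instead of growing silently.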
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0aed8ab..6ff82f3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -575,6 +575,65 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Nov 26 2013 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-6
+- Add filename transition also for servicelog.db-journal
+- Add files_dontaudit_access_check_root()
+- Add lvm_dontaudit_access_check_lock() interface
+- Allow mount to manage mount_var_run_t files/dirs
+- Allow updapwd_t to ignore mls levels for writign shadow_t at a lower level
+- Make sure boot.log is created with the correct label
+- call logging_relabel_all_log_dirs() in systemd.te
+- Allow systemd_tmpfiles to relabel log directories
+- Allow staff_t to run frequency command
+- Allow staff_t to read xserver_log file
+- This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f.
+- Label hsperfdata_root as tmp_t
+- Add plymouthd_create_log()
+- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
+- Allow sssd to request the kernel loads modules
+- Allow gpg_agent to use ssh-add
+- Allow gpg_agent to use ssh-add
+- Dontaudit access check on /root for myslqd_safe_t
+- Add glusterd_brick_t files type
+- Allow ctdb to getattr on al filesystems
+- Allow abrt to stream connect to syslog
+- Allow dnsmasq to list dnsmasq.d directory
+- Watchdog opens the raw socket
+- Allow watchdog to read network state info
+- Dontaudit access check on lvm lock dir
+- Allow sosreport to send signull to setroubleshootd
+- Add setroubleshoot_signull() interface
+- Fix ldap_read_certs() interface
+- Allow sosreport all signal perms
+- Allow sosreport to run systemctl
+- Allow sosreport to dbus chat with rpm
+- Allow zabbix_agentd to read all domain state
+- Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom
+- Allow smoltclient to execute ldconfig
+- Allow sosreport to request the kernel to load a module
+- Clean up rtas.if
+- Clean up docker.if
+- drop /var/lib/glpi/files labeling in cron.fc
+- Added new policy for rasdaemon
+- Add apache labeling for glpi
+- Allow pegasus to transition to dmidecode
+- Make sure boot.log is created with the correct label
+- Fix typo in openshift.te
+- remove dup bumblebee_systemctl()
+- Allow watchdog to read /etc/passwd
+- Allow condor domains to read/write condor_master udp_socket
+- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift
+- Add back file_pid_filetrans for /var/run/dlm_controld
+- Allow smbd_t to use inherited tmpfs content
+- Allow mcelog to use the /dev/cpu device
+- sosreport runs rpcinfo
+- sosreport runs subscription-manager
+- Allow setpgid for sosreport
+- Allow browser plugins to connect to bumblebee
+- New policy for bumblebee and freqset
+- Add new policy for mip6d daemon
+- Add new policy for opensm daemon
+
 * Mon Nov 18 2013 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-5
 - Add back /dev/shm labeling
 