[selinux-policy/f20] - Dontaudit openshift domains trying to use rawip_sockets, th - Allow git_system_t to read git_user_

Miroslav Grepl mgrepl at fedoraproject.org
Tue Nov 26 17:31:15 UTC 2013


commit 7a2febf9feca822c1293d5a2de8179845273f491
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Nov 26 18:30:54 2013 +0100

    - Dontaudit openshift domains trying to use rawip_sockets, th
    - Allow git_system_t to read git_user_content if the git_syst
    - Add lsmd_plugin_t for lsm plugins
    - Allow dovecot-deliver to search mountpoints
    - Add labeling for /etc/mdadm.conf
    - Allow openlmi admin providers to dbus chat with init_t
    - Allow sblim domain to read /dev/urandom and /dev/random
    - Allow apmd to request the kernel load modules
    - Add glusterd_brick_t type
    - label mate-keyring-daemon with gkeyringd_exec_t
    - Add plymouthd_create_log()
    - Dontaudit leaks from openshift domains into mail domains, n
    - Allow sssd to request the kernel loads modules
    - Allow gpg_agent to use ssh-add
    - Allow gpg_agent to use ssh-add
    - Dontaudit access check on /root for mysqld_safe_t
    - Allow ctdb to getattr on all filesystems
    - Allow abrt to stream connect to syslog
    - Allow dnsmasq to list dnsmasq.d directory
    - Watchdog opens the raw socket
    - Allow watchdog to read network state info
    - Dontaudit access check on lvm lock dir
    - Allow sosreport to send signull to setroubleshootd
    - Add setroubleshoot_signull() interface
    - Fix ldap_read_certs() interface
    - Allow sosreport all signal perms
    - Allow sosreport to run systemctl
    - Allow sosreport to dbus chat with rpm
    - Add glusterd_brick_t files type
    - Allow zabbix_agentd to read all domain state
    - Clean up rtas.if
    - Allow smoltclient to execute ldconfig
    - Allow sosreport to request the kernel to load a module
    - Fix userdom_confined_admin_template()
    - Add back exec_content boolean for secadm, logadm, auditadm
    - Fix files_filetrans_system_db_named_files() interface
    - Allow sulogin to getattr on /proc/kcore
    - Add filename transition also for servicelog.db-journal
    - Add files_dontaudit_access_check_root()
    - Add lvm_dontaudit_access_check_lock() interface

 policy-f20-base.patch    |  341 ++++++++++---------
 policy-f20-contrib.patch |  831 ++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec      |   44 +++-
 3 files changed, 846 insertions(+), 370 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index d597f1d..3e34ed5 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -9586,7 +9586,7 @@ index c2c6e05..52d2b7c 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..b5f1e4f 100644
+index 64ff4d7..6b66f85 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10285,7 +10285,34 @@ index 64ff4d7..b5f1e4f 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1874,25 +2298,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1747,6 +2171,26 @@ interface(`files_dontaudit_rw_root_dir',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to check the 
++##	access on root directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_access_check_root',`
++	gen_require(`
++		type root_t;
++	')
++
++	dontaudit $1 root_t:dir_file_class_set audit_access;
++')
++
++
++########################################
++## <summary>
+ ##	Create an object in the root directory, with a private
+ ##	type using a type transition.
+ ## </summary>
+@@ -1874,25 +2318,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
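Review bot: two consecutive blank `+` lines (the pair just before the `########` separator) and trailing whitespace after `check the ` in the summary of the new `files_dontaudit_access_check_root()` block; files.if uses a single blank line between interfaces, so drop one of them and the trailing space. The rule itself, `dontaudit $1 root_t:dir_file_class_set audit_access;`, is the right shape for silencing access(2) probes on / without granting anything.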
@@ -10317,7 +10344,7 @@ index 64ff4d7..b5f1e4f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1905,7 +2329,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2349,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -10326,7 +10353,7 @@ index 64ff4d7..b5f1e4f 100644
  ')
  
  ########################################
-@@ -1928,6 +2352,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2372,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -10351,7 +10378,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2163,6 +2605,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2163,6 +2625,24 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -10376,7 +10403,7 @@ index 64ff4d7..b5f1e4f 100644
  ######################################
  ## <summary>
  ##	Read symbolic links in the /boot directory.
-@@ -2627,6 +3087,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +3107,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -10401,7 +10428,7 @@ index 64ff4d7..b5f1e4f 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2698,6 +3176,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3196,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10409,7 +10436,7 @@ index 64ff4d7..b5f1e4f 100644
  ')
  
  ########################################
-@@ -2706,7 +3185,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3205,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10418,7 +10445,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	</summary>
  ## </param>
  #
-@@ -2762,6 +3241,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3261,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -10444,7 +10471,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2780,6 +3278,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3298,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -10469,7 +10496,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2945,24 +3461,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3481,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -10494,7 +10521,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3003,9 +3501,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3521,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10505,7 +10532,7 @@ index 64ff4d7..b5f1e4f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3013,18 +3509,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3529,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -10527,7 +10554,7 @@ index 64ff4d7..b5f1e4f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3042,6 +3537,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3557,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10554,7 +10581,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3059,6 +3574,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3594,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10562,7 +10589,7 @@ index 64ff4d7..b5f1e4f 100644
  ')
  
  ########################################
-@@ -3080,6 +3596,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3616,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10570,58 +10597,11 @@ index 64ff4d7..b5f1e4f 100644
  ')
  
  ########################################
-@@ -3132,45 +3649,64 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3669,25 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
--##	Do not audit attempts to search directories on new filesystems
 +##	Setattr of directories on new filesystems
- ##	that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_dontaudit_search_isid_type_dirs',`
-+interface(`files_setattr_isid_type_dirs',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
--	dontaudit $1 file_t:dir search_dir_perms;
-+	allow $1 file_t:dir setattr;
- ')
- 
- ########################################
- ## <summary>
--##	List the contents of directories on new filesystems
-+##	Do not audit attempts to search directories on new filesystems
- ##	that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`files_list_isid_type_dirs',`
-+interface(`files_dontaudit_search_isid_type_dirs',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
--	allow $1 file_t:dir list_dir_perms;
-+	dontaudit $1 file_t:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read and write directories on new filesystems
-+##	List the contents of directories on new filesystems
 +##	that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
@@ -10630,21 +10610,20 @@ index 64ff4d7..b5f1e4f 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_list_isid_type_dirs',`
++interface(`files_setattr_isid_type_dirs',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	allow $1 file_t:dir list_dir_perms;
++	allow $1 file_t:dir setattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write directories on new filesystems
+ ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
- ## <param name="domain">
-@@ -3205,6 +3741,62 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3205,6 +3761,62 @@ interface(`files_delete_isid_type_dirs',`
  
  	delete_dirs_pattern($1, file_t, file_t)
  ')
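Review bot: this hunk, together with the one before it, replaces the earlier approach of rewriting the summaries and bodies of the existing files_dontaudit_search_isid_type_dirs and files_list_isid_type_dirs blocks in place (which read as if those interfaces had been renamed) with a single inserted files_setattr_isid_type_dirs block ahead of them; the inner header shrinking from `-@@ -3132,45 +3649,64 @@` to `+@@ -3132,6 +3669,25 @@` confirms the existing interfaces are now untouched. Keep this shape for later additions: `allow $1 file_t:dir setattr;` on not-yet-labeled directories is a deliberate write permission and is far easier to audit as its own interface.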
@@ -10707,7 +10686,7 @@ index 64ff4d7..b5f1e4f 100644
  
  ########################################
  ## <summary>
-@@ -3455,6 +4047,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +4067,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
@@ -10733,7 +10712,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3796,20 +4407,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4427,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -10777,7 +10756,7 @@ index 64ff4d7..b5f1e4f 100644
  ')
  
  ########################################
-@@ -4199,6 +4828,171 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,6 +4848,172 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -10944,12 +10923,13 @@ index 64ff4d7..b5f1e4f 100644
 +    ')
 +
 +    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
++    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
 +')
 +
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -4221,6 +5015,26 @@ interface(`files_associate_tmp',`
+@@ -4221,6 +5036,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
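Review bot: the added `filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")` is indented with four spaces, as is the existing servicelog.db line, while files.if uses tabs; fix both while here. Covering the `-journal` name is needed because SQLite creates that rollback journal beside the database, and without the transition it would be created as plain var_lib_t.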
@@ -10976,7 +10956,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4234,17 +5048,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4234,17 +5069,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -11015,7 +10995,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	</summary>
  ## </param>
  #
-@@ -4271,6 +5105,7 @@ interface(`files_search_tmp',`
+@@ -4271,6 +5126,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -11023,7 +11003,7 @@ index 64ff4d7..b5f1e4f 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4307,6 +5142,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +5163,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -11031,7 +11011,7 @@ index 64ff4d7..b5f1e4f 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4316,7 +5152,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +5173,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11040,7 +11020,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	</summary>
  ## </param>
  #
-@@ -4328,6 +5164,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +5185,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -11066,7 +11046,7 @@ index 64ff4d7..b5f1e4f 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4343,6 +5198,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +5219,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -11074,7 +11054,7 @@ index 64ff4d7..b5f1e4f 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4384,6 +5240,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,6 +5261,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -11107,7 +11087,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4438,7 +5320,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4438,7 +5341,7 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -11116,7 +11096,7 @@ index 64ff4d7..b5f1e4f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4446,17 +5328,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4446,17 +5349,17 @@ interface(`files_rw_generic_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -11138,7 +11118,7 @@ index 64ff4d7..b5f1e4f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4464,34 +5346,124 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4464,44 +5367,134 @@ interface(`files_setattr_all_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11176,14 +11156,17 @@ index 64ff4d7..b5f1e4f 100644
 -	allow $1 var_t:dir search_dir_perms;
 -	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +	allow $1 tmpfile:dir { search_dir_perms setattr };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp files.
 +##	Allow caller to read inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@@ -11270,19 +11253,20 @@ index 64ff4d7..b5f1e4f 100644
 +
 +	allow $1 var_t:dir search_dir_perms;
 +	relabel_dirs_pattern($1, tmpfile, tmpfile)
- ')
- 
- ########################################
-@@ -4501,7 +5473,7 @@ interface(`files_relabel_all_tmp_dirs',`
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes
++##	of all tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
-@@ -4561,7 +5533,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4561,7 +5554,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11291,7 +11275,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	</summary>
  ## </param>
  #
-@@ -4593,6 +5565,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4593,6 +5586,44 @@ interface(`files_read_all_tmp_files',`
  
  ########################################
  ## <summary>
@@ -11336,7 +11320,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	Create an object in the tmp directories, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -4646,6 +5656,16 @@ interface(`files_purge_tmp',`
+@@ -4646,6 +5677,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11353,7 +11337,7 @@ index 64ff4d7..b5f1e4f 100644
  ')
  
  ########################################
-@@ -5223,6 +6243,24 @@ interface(`files_list_var',`
+@@ -5223,6 +6264,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -11378,7 +11362,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5578,6 +6616,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5578,6 +6637,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -11404,7 +11388,7 @@ index 64ff4d7..b5f1e4f 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5623,7 +6680,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6701,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -11413,7 +11397,7 @@ index 64ff4d7..b5f1e4f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6688,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6709,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -11429,7 +11413,7 @@ index 64ff4d7..b5f1e4f 100644
  ')
  
  ########################################
-@@ -5654,6 +6712,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6733,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11437,7 +11421,7 @@ index 64ff4d7..b5f1e4f 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5680,7 +6739,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6760,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -11465,7 +11449,7 @@ index 64ff4d7..b5f1e4f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,13 +6766,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6787,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11482,7 +11466,7 @@ index 64ff4d7..b5f1e4f 100644
  ')
  
  ########################################
-@@ -5713,7 +6790,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6811,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -11491,7 +11475,7 @@ index 64ff4d7..b5f1e4f 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5746,7 +6823,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6844,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -11499,7 +11483,7 @@ index 64ff4d7..b5f1e4f 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5761,7 +6837,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5761,7 +6858,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -11508,7 +11492,7 @@ index 64ff4d7..b5f1e4f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5769,13 +6845,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,13 +6866,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11543,7 +11527,7 @@ index 64ff4d7..b5f1e4f 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5791,13 +6887,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6908,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -11561,7 +11545,7 @@ index 64ff4d7..b5f1e4f 100644
  ')
  
  ########################################
-@@ -5816,9 +6911,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6932,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11572,7 +11556,7 @@ index 64ff4d7..b5f1e4f 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5860,8 +6953,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6974,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11582,7 +11566,7 @@ index 64ff4d7..b5f1e4f 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6975,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6996,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11592,7 +11576,7 @@ index 64ff4d7..b5f1e4f 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +7012,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +7033,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -11602,7 +11586,7 @@ index 64ff4d7..b5f1e4f 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5961,7 +7051,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +7072,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -11611,7 +11595,7 @@ index 64ff4d7..b5f1e4f 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5981,10 +7071,48 @@ interface(`files_search_pids',`
+@@ -5981,10 +7092,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11660,7 +11644,7 @@ index 64ff4d7..b5f1e4f 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6007,6 +7135,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +7156,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -11686,7 +11670,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6021,7 +7168,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7189,7 @@ interface(`files_list_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11695,7 +11679,7 @@ index 64ff4d7..b5f1e4f 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  ')
  
-@@ -6040,7 +7187,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7208,7 @@ interface(`files_read_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11704,7 +11688,7 @@ index 64ff4d7..b5f1e4f 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6060,7 +7207,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7228,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
@@ -11713,7 +11697,7 @@ index 64ff4d7..b5f1e4f 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6122,7 +7269,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7290,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -11721,7 +11705,7 @@ index 64ff4d7..b5f1e4f 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6151,7 +7297,7 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6151,7 +7318,7 @@ interface(`files_pid_filetrans_lock_dir',`
  
  ########################################
  ## <summary>
@@ -11730,7 +11714,7 @@ index 64ff4d7..b5f1e4f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6159,20 +7305,38 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6159,14 +7326,32 @@ interface(`files_pid_filetrans_lock_dir',`
  ##	</summary>
  ## </param>
  #
@@ -11745,12 +11729,10 @@ index 64ff4d7..b5f1e4f 100644
 -	list_dirs_pattern($1, var_t, var_run_t)
 -	rw_files_pattern($1, var_run_t, var_run_t)
 +	allow $1 var_run_t:file rw_inherited_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to get the attributes of
--##	daemon runtime data files.
++')
++
++########################################
++## <summary>
 +##	Read and write generic process ID files.
 +## </summary>
 +## <param name="domain">
@@ -11767,16 +11749,10 @@ index 64ff4d7..b5f1e4f 100644
 +	files_search_pids($1)
 +	list_dirs_pattern($1, var_t, var_run_t)
 +	rw_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to get the attributes of
-+##	daemon runtime data files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6231,6 +7395,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ ')
+ 
+ ########################################
+@@ -6231,6 +7416,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -11893,7 +11869,7 @@ index 64ff4d7..b5f1e4f 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6243,12 +7517,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6243,12 +7538,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
  interface(`files_read_all_pids',`
  	gen_require(`
  		attribute pidfile;
@@ -11982,7 +11958,7 @@ index 64ff4d7..b5f1e4f 100644
  ')
  
  ########################################
-@@ -6268,8 +7616,8 @@ interface(`files_delete_all_pids',`
+@@ -6268,8 +7637,8 @@ interface(`files_delete_all_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11992,7 +11968,7 @@ index 64ff4d7..b5f1e4f 100644
  	allow $1 var_run_t:dir rmdir;
  	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
  	delete_files_pattern($1, pidfile, pidfile)
-@@ -6293,36 +7641,80 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6293,36 +7662,80 @@ interface(`files_delete_all_pid_dirs',`
  		type var_t, var_run_t;
  	')
  
@@ -12084,7 +12060,7 @@ index 64ff4d7..b5f1e4f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6330,12 +7722,33 @@ interface(`files_manage_all_pids',`
+@@ -6330,12 +7743,33 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -12121,7 +12097,7 @@ index 64ff4d7..b5f1e4f 100644
  ')
  
  ########################################
-@@ -6562,3 +7975,492 @@ interface(`files_unconfined',`
+@@ -6562,3 +7996,492 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -25736,7 +25712,7 @@ index 3efd5b6..08c3e93 100644
 +	allow $1 login_pgm:process sigchld;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..348e8cf 100644
+index 104037e..79f9c96 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -25933,15 +25909,18 @@ index 104037e..348e8cf 100644
  miscfiles_read_generic_certs(pam_console_t)
  
  seutil_read_file_contexts(pam_console_t)
-@@ -341,6 +362,7 @@ kernel_read_system_state(updpwd_t)
+@@ -341,6 +362,10 @@ kernel_read_system_state(updpwd_t)
  dev_read_urand(updpwd_t)
  
  files_manage_etc_files(updpwd_t)
 +auth_manage_passwd(updpwd_t)
++
++mls_file_read_all_levels(updpwd_t)
++mls_file_write_all_levels(updpwd_t)
  
  term_dontaudit_use_console(updpwd_t)
  term_dontaudit_use_unallocated_ttys(updpwd_t)
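Review bot: `mls_file_read_all_levels(updpwd_t)` and `mls_file_write_all_levels(updpwd_t)` give updpwd_t an MLS override on files at every sensitivity level, a much larger privilege than the `auth_manage_passwd(updpwd_t)` line next to them, and neither the commit message bullet list nor a comment in the hunk says why it is needed. Add a one-line comment (or a bug reference) above the two calls stating which level mismatch on the password files triggered it, so the exemption can be revisited later.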
-@@ -350,9 +372,7 @@ auth_use_nsswitch(updpwd_t)
+@@ -350,9 +375,7 @@ auth_use_nsswitch(updpwd_t)
  
  logging_send_syslog_msg(updpwd_t)
  
@@ -25952,7 +25931,7 @@ index 104037e..348e8cf 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -380,13 +400,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -380,13 +403,15 @@ term_dontaudit_use_all_ttys(utempter_t)
  term_dontaudit_use_all_ptys(utempter_t)
  term_dontaudit_use_ptmx(utempter_t)
  
@@ -25969,7 +25948,7 @@ index 104037e..348e8cf 100644
  # Allow utemper to write to /tmp/.xses-*
  userdom_write_user_tmp_files(utempter_t)
  
-@@ -397,19 +419,29 @@ ifdef(`distro_ubuntu',`
+@@ -397,19 +422,29 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -26003,7 +25982,7 @@ index 104037e..348e8cf 100644
  files_list_var_lib(nsswitch_domain)
  
  # read /etc/nsswitch.conf
-@@ -417,15 +449,21 @@ files_read_etc_files(nsswitch_domain)
+@@ -417,15 +452,21 @@ files_read_etc_files(nsswitch_domain)
  
  sysnet_dns_name_resolve(nsswitch_domain)
  
@@ -26027,7 +26006,7 @@ index 104037e..348e8cf 100644
  		ldap_stream_connect(nsswitch_domain)
  	')
  ')
-@@ -438,6 +476,7 @@ optional_policy(`
+@@ -438,6 +479,7 @@ optional_policy(`
  	likewise_stream_connect_lsassd(nsswitch_domain)
  ')
  
@@ -26035,7 +26014,7 @@ index 104037e..348e8cf 100644
  optional_policy(`
  	kerberos_use(nsswitch_domain)
  ')
-@@ -456,6 +495,8 @@ optional_policy(`
+@@ -456,6 +498,8 @@ optional_policy(`
  
  optional_policy(`
  	sssd_stream_connect(nsswitch_domain)
@@ -26044,7 +26023,7 @@ index 104037e..348e8cf 100644
  ')
  
  optional_policy(`
-@@ -463,3 +504,133 @@ optional_policy(`
+@@ -463,3 +507,133 @@ optional_policy(`
  	samba_read_var_files(nsswitch_domain)
  	samba_dontaudit_write_var_files(nsswitch_domain)
  ')
@@ -30891,7 +30870,7 @@ index 0e3c2a9..ea9bd57 100644
 +	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
 +')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..ed59137 100644
+index c04ac46..5edc27b 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -31015,10 +30994,11 @@ index c04ac46..ed59137 100644
  	unconfined_shell_domtrans(local_login_t)
  ')
  
-@@ -215,37 +211,56 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,37 +211,57 @@ allow sulogin_t self:sem create_sem_perms;
  allow sulogin_t self:msgq create_msgq_perms;
  allow sulogin_t self:msg { send receive };
  
++kernel_getattr_core_if(sulogin_t)
 +kernel_read_crypto_sysctls(sulogin_t)
  kernel_read_system_state(sulogin_t)
  
@@ -31074,7 +31054,7 @@ index c04ac46..ed59137 100644
  	init_getpgid(sulogin_t)
  ', `
  	allow sulogin_t self:process setexec;
-@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', `
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
@@ -32137,10 +32117,10 @@ index 879bb1e..b250b3e 100644
 +/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
  /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..51e9872 100644
+index 58bc27f..f0de612 100644
 --- a/policy/modules/system/lvm.if
 +++ b/policy/modules/system/lvm.if
-@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',`
+@@ -123,3 +123,113 @@ interface(`lvm_domtrans_clvmd',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
  ')
@@ -32235,6 +32215,25 @@ index 58bc27f..51e9872 100644
 +
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
++
++########################################
++## <summary>
++##	Do not audit attempts to access check cert dirs/files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`lvm_dontaudit_access_check_lock',`
++	gen_require(`
++		type lvm_lock_t;
++	')
++
++    dontaudit $1 lvm_lock_t:dir audit_access;
++')
++
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
 index e8c59a5..b22837c 100644
 --- a/policy/modules/system/lvm.te
@@ -39868,7 +39867,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..2890de8 100644
+index 3c5dba7..662bac5 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -42740,7 +42739,7 @@ index 3c5dba7..2890de8 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3438,4 +4318,1630 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4318,1646 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -44273,6 +44272,22 @@ index 3c5dba7..2890de8 100644
 +	ubac_constrained($1_t)
 +
 +	auth_use_nsswitch($1_t)
++
++	ifelse(`$1',`unconfined',`',`
++		gen_tunable($1_exec_content, true)
++
++		tunable_policy(`$1_exec_content',`
++			userdom_exec_user_tmp_files($1_t)
++			userdom_exec_user_home_content_files($1_t)
++		')
++		tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
++                        fs_exec_nfs_files($1_t)
++		')
++
++		tunable_policy(`$1_exec_content && use_samba_home_dirs',`
++			fs_exec_cifs_files($1_t)
++		')
++	')
 +')
 +
 +########################################
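Review bot: `gen_tunable($1_exec_content, true)` has no `## <desc>` block above it, so the booleans it generates for the confined admin roles (`secadm_exec_content` and friends per the changelog) will carry no description in the generated policy documentation; refpolicy tunables are normally preceded by one, and since this boolean controls whether an admin domain may execute files in user tmp and home content (plus NFS/CIFS home content when those booleans are on), the description is the place to say that. Minor: `fs_exec_nfs_files($1_t)` is indented with spaces rather than the tabs used on the surrounding lines.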
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 7ad8120..17d0954 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -520,7 +520,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..1ec0046 100644
+index cc43d25..135f947 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -756,7 +756,7 @@ index cc43d25..1ec0046 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +193,37 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +193,38 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -783,6 +783,7 @@ index cc43d25..1ec0046 100644
  
 +logging_read_generic_logs(abrt_t)
 +logging_send_syslog_msg(abrt_t)
++logging_stream_connect_syslog(abrt_t)
 +
  auth_use_nsswitch(abrt_t)
  
@@ -797,7 +798,7 @@ index cc43d25..1ec0046 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +231,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +232,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -814,7 +815,7 @@ index cc43d25..1ec0046 100644
  ')
  
  optional_policy(`
-@@ -209,6 +243,20 @@ optional_policy(`
+@@ -209,6 +244,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -835,7 +836,7 @@ index cc43d25..1ec0046 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -220,6 +268,7 @@ optional_policy(`
+@@ -220,6 +269,7 @@ optional_policy(`
  	corecmd_exec_all_executables(abrt_t)
  ')
  
@@ -843,7 +844,7 @@ index cc43d25..1ec0046 100644
  optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +279,7 @@ optional_policy(`
+@@ -230,6 +280,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -851,7 +852,7 @@ index cc43d25..1ec0046 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -240,9 +290,17 @@ optional_policy(`
+@@ -240,9 +291,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -870,7 +871,7 @@ index cc43d25..1ec0046 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +311,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +312,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -885,7 +886,7 @@ index cc43d25..1ec0046 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +330,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +331,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -893,7 +894,7 @@ index cc43d25..1ec0046 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +339,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +340,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -914,7 +915,7 @@ index cc43d25..1ec0046 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +360,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +361,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -941,7 +942,7 @@ index cc43d25..1ec0046 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +396,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +397,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -955,7 +956,7 @@ index cc43d25..1ec0046 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +414,11 @@ optional_policy(`
+@@ -330,10 +415,11 @@ optional_policy(`
  
  #######################################
  #
@@ -969,7 +970,7 @@ index cc43d25..1ec0046 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +437,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +438,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1031,7 +1032,7 @@ index cc43d25..1ec0046 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +495,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +496,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -3011,10 +3012,10 @@ index 0000000..8ba9c95
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 550a69e..66ba451 100644
+index 550a69e..117a400 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,161 +1,200 @@
+@@ -1,161 +1,204 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3041,6 +3042,7 @@ index 550a69e..66ba451 100644
 +/etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/cherokee(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/glpi(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/horde(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
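Review bot: labelling `/etc/glpi(/.*)?` as `httpd_sys_rw_content_t` lets the web server domain rewrite GLPI's configuration, including whatever credentials live there; this is consistent with the neighbouring `/etc/drupal.*` and `/etc/owncloud(/.*)?` entries, but if only the files written by GLPI's web installer need to be writable, a narrower pattern would limit what a compromised httpd can alter. Otherwise a short comment explaining why the whole directory must be writable would help the next person who audits these entries.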
@@ -3167,6 +3169,7 @@ index 550a69e..66ba451 100644
 +/usr/share/drupal.*			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/doc/ghc/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +
++/usr/share/glpi(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -3213,6 +3216,7 @@ index 550a69e..66ba451 100644
 +/var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/var/lib/cherokee(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/glpi(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/php(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/drupal.*			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -3250,6 +3254,7 @@ index 550a69e..66ba451 100644
 +
 +/var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/glpi(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
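Review bot: `/var/log/glpi(/.*)?` is inserted between `/var/log/apache-ssl` and `/var/log/cacti`, breaking the alphabetical order the surrounding `/var/log` entries keep (apache, apache-ssl, cacti, cgiwrap, cherokee); move it after the `cherokee` entry. The `httpd_log_t` label itself is the right choice and matches the other web application log directories in this block.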
@@ -7195,7 +7200,7 @@ index 1a7a97e..1d29dce 100644
  	domain_system_change_exemption($1)
  	role_transition $2 apmd_initrc_exec_t system_r;
 diff --git a/apm.te b/apm.te
-index 3590e2f..e1494bd 100644
+index 3590e2f..1d8a844 100644
 --- a/apm.te
 +++ b/apm.te
 @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
@@ -7226,7 +7231,15 @@ index 3590e2f..e1494bd 100644
  allow apmd_t self:process { signal_perms getsession };
  allow apmd_t self:fifo_file rw_fifo_file_perms;
  allow apmd_t self:netlink_socket create_socket_perms;
-@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
+@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
+ kernel_rw_all_sysctls(apmd_t)
+ kernel_read_system_state(apmd_t)
+ kernel_write_proc_files(apmd_t)
++kernel_request_load_module(apmd_t)
+ 
+ dev_read_input(apmd_t)
+ dev_read_mouse(apmd_t)
+@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
  fs_dontaudit_getattr_all_symlinks(apmd_t)
  fs_dontaudit_getattr_all_pipes(apmd_t)
  fs_dontaudit_getattr_all_sockets(apmd_t)
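Review bot: `kernel_request_load_module(apmd_t)` grants apmd the `system:module_request` permission, i.e. the ability to ask the kernel to load modules; because that is a meaningful privilege for a daemon to hold if it is ever compromised, a one-line comment naming the module or denial that motivated it would help future audits decide whether the rule is still needed. The inner hunk offsets (`+117` to `+118` and `+131` to `+132`) are consistent with the single added line.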
@@ -7236,7 +7249,7 @@ index 3590e2f..e1494bd 100644
  
  corecmd_exec_all_executables(apmd_t)
  
-@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
+@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
  auth_use_nsswitch(apmd_t)
  
  init_domtrans_script(apmd_t)
@@ -7245,7 +7258,7 @@ index 3590e2f..e1494bd 100644
  
  libs_exec_ld_so(apmd_t)
  libs_exec_lib_files(apmd_t)
-@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t)
+@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
  logging_send_audit_msgs(apmd_t)
  logging_send_syslog_msg(apmd_t)
  
@@ -7265,7 +7278,7 @@ index 3590e2f..e1494bd 100644
  
  optional_policy(`
  	automount_domtrans(apmd_t)
-@@ -206,11 +209,15 @@ optional_policy(`
+@@ -206,11 +210,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14820,7 +14833,7 @@ index a3bbc21..7fd7d8f 100644
 +	xserver_dbus_chat_xdm(cpufreqselector_t)
 +')
 diff --git a/cron.fc b/cron.fc
-index 6e76215..224142a 100644
+index 6e76215..4819e90 100644
 --- a/cron.fc
 +++ b/cron.fc
 @@ -3,6 +3,9 @@
@@ -14833,17 +14846,18 @@ index 6e76215..224142a 100644
  /usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
  /usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
  
-@@ -12,9 +15,6 @@
+@@ -12,9 +15,7 @@
  /usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
  /usr/sbin/fcronsighup		--	gen_context(system_u:object_r:crontab_exec_t,s0)
  
 -/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 -
 -/var/log/cron.*				gen_context(system_u:object_r:cron_log_t,s0)
++/var/log/cron.*             gen_context(system_u:object_r:cron_log_t,s0)
  /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
  
  /var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
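Review bot: this restores the `/var/log/cron.*` entry as `cron_log_t` that the Fedora patch previously deleted, but the re-added line uses spaces for alignment where the upstream line being removed just above it (`-/var/log/cron.*`) uses tabs; if the entry is meant to stay, the cleaner fix is to stop removing the upstream line rather than re-adding it as a `+` line with different whitespace. The `/var/lib/glpi/files(/.*)?` removal stays, which lines up with the new `/var/lib/glpi(/.*)?` `httpd_var_lib_t` entry in apache.fc in this same commit.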
-@@ -27,13 +27,23 @@
+@@ -27,13 +28,23 @@
  
  /var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
@@ -14870,7 +14884,7 @@ index 6e76215..224142a 100644
  /var/spool/cron/crontabs/.*	--	<<none>>
  #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
  
-@@ -43,19 +53,23 @@
+@@ -43,19 +54,23 @@
  /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  
@@ -17130,7 +17144,7 @@ index b25b01d..e99c5c6 100644
  ')
 +
 diff --git a/ctdb.te b/ctdb.te
-index 6ce66e7..03bc338 100644
+index 6ce66e7..dc080a7 100644
 --- a/ctdb.te
 +++ b/ctdb.te
 @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -17182,13 +17196,15 @@ index 6ce66e7..03bc338 100644
  corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
  
  corecmd_exec_bin(ctdbd_t)
-@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t)
+@@ -85,12 +97,14 @@ dev_read_urand(ctdbd_t)
  
  domain_dontaudit_read_all_domains_state(ctdbd_t)
  
 -files_read_etc_files(ctdbd_t)
  files_search_all_mountpoints(ctdbd_t)
  
++fs_getattr_all_fs(ctdbd_t)
++
 +auth_read_passwd(ctdbd_t)
 +
  logging_send_syslog_msg(ctdbd_t)
@@ -17197,7 +17213,7 @@ index 6ce66e7..03bc338 100644
  miscfiles_read_public_files(ctdbd_t)
  
  optional_policy(`
-@@ -109,6 +121,7 @@ optional_policy(`
+@@ -109,6 +123,7 @@ optional_policy(`
  	samba_initrc_domtrans(ctdbd_t)
  	samba_domtrans_net(ctdbd_t)
  	samba_rw_var_files(ctdbd_t)
@@ -21886,7 +21902,7 @@ index 19aa0b8..e34a540 100644
 +	allow $1 dnsmasq_unit_file_t:service all_service_perms;
  ')
 diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..a3e6c7c 100644
+index ba14bcf..34a4c71 100644
 --- a/dnsmasq.te
 +++ b/dnsmasq.te
 @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -21899,7 +21915,15 @@ index ba14bcf..a3e6c7c 100644
  ########################################
  #
  # Local policy
-@@ -52,11 +55,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+@@ -38,6 +41,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
+ allow dnsmasq_t self:rawip_socket create_socket_perms;
+ 
+ read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
++list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+ 
+ manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
+ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -52,11 +56,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
  files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
  
  kernel_read_kernel_sysctls(dnsmasq_t)
@@ -21915,7 +21939,7 @@ index ba14bcf..a3e6c7c 100644
  corenet_all_recvfrom_netlabel(dnsmasq_t)
  corenet_tcp_sendrecv_generic_if(dnsmasq_t)
  corenet_udp_sendrecv_generic_if(dnsmasq_t)
-@@ -86,9 +92,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
+@@ -86,9 +93,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
  
  auth_use_nsswitch(dnsmasq_t)
  
@@ -21927,7 +21951,7 @@ index ba14bcf..a3e6c7c 100644
  
  userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -98,12 +104,21 @@ optional_policy(`
+@@ -98,12 +105,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21950,7 +21974,7 @@ index ba14bcf..a3e6c7c 100644
  ')
  
  optional_policy(`
-@@ -124,6 +139,14 @@ optional_policy(`
+@@ -124,6 +140,14 @@ optional_policy(`
  
  optional_policy(`
  	virt_manage_lib_files(dnsmasq_t)
@@ -22142,16 +22166,16 @@ index 0000000..484dd44
 \ No newline at end of file
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..097c75c
+index 0000000..d856375
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,202 @@
+@@ -0,0 +1,196 @@
 +
-+## <summary>policy for docker</summary>
++## <summary>The open-source application container engine.</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the docker domin.
++##	Execute docker in the docker domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
@@ -22298,19 +22322,12 @@ index 0000000..097c75c
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`docker_admin',`
 +	gen_require(`
 +		type docker_t;
-+		type docker_var_lib_t;
-+		type docker_var_run_t;
-+	type docker_unit_file_t;
++		type docker_var_lib_t, docker_var_run_t;
++	    type docker_unit_file_t;
 +	')
 +
 +	allow $1 docker_t:process { ptrace signal_perms };
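Review bot: in `docker_admin`'s `gen_require`, `type docker_unit_file_t;` is now indented with a tab plus four spaces while the line above (`type docker_var_lib_t, docker_var_run_t;`) uses two tabs; either fold it into that line or align it with tabs. Dropping the `role` parameter and `<rolecap/>` from the interface documentation is correct only if the body never uses `$2`; the visible body (`allow $1 docker_t:process ...`, `docker_systemctl($1)`, `admin_pattern($1, ...)`) references only `$1`, so the documentation and the signature now agree.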
@@ -22325,6 +22342,7 @@ index 0000000..097c75c
 +	docker_systemctl($1)
 +	admin_pattern($1, docker_unit_file_t)
 +	allow $1 docker_unit_file_t:service all_service_perms;
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
@@ -22765,7 +22783,7 @@ index dbcac59..66d42bb 100644
 +	admin_pattern($1, dovecot_passwd_t)
  ')
 diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..d4a79a1 100644
+index a7bfaf0..38bfca8 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -1,4 +1,4 @@
@@ -23126,7 +23144,7 @@ index a7bfaf0..d4a79a1 100644
  allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
  
  append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +316,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +316,44 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
  files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
  
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -23153,6 +23171,7 @@ index a7bfaf0..d4a79a1 100644
 -logging_search_logs(dovecot_deliver_t)
 +files_search_tmp(dovecot_deliver_t)
 +files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
++files_search_all_mountpoints(dovecot_deliver_t)
  
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(dovecot_deliver_t)
@@ -23187,7 +23206,7 @@ index a7bfaf0..d4a79a1 100644
  	mta_read_queue(dovecot_deliver_t)
  ')
  
-@@ -326,5 +361,6 @@ optional_policy(`
+@@ -326,5 +362,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25899,7 +25918,7 @@ index 1e29af1..6c64f55 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index 93b0301..ad8eb38 100644
+index 93b0301..f719b0a 100644
 --- a/git.te
 +++ b/git.te
 @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -25962,7 +25981,17 @@ index 93b0301..ad8eb38 100644
  files_search_var_lib(git_system_t)
  
  auth_use_nsswitch(git_system_t)
-@@ -255,12 +252,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -165,6 +162,9 @@ logging_send_syslog_msg(git_system_t)
+ 
+ tunable_policy(`git_system_enable_homedirs',`
+ 	userdom_search_user_home_dirs(git_system_t)
++	list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)
++	read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
++
+ ')
+ 
+ tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+@@ -255,12 +255,9 @@ tunable_policy(`git_cgi_use_nfs',`
  
  allow git_daemon self:fifo_file rw_fifo_file_perms;
  
@@ -26346,10 +26375,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..0f9d485
+index 0000000..3a71ad6
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,189 @@
+@@ -0,0 +1,199 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +## <desc>
@@ -26402,6 +26431,9 @@ index 0000000..0f9d485
 +type glusterd_var_lib_t;
 +files_type(glusterd_var_lib_t)
 +
++type glusterd_brick_t;
++files_type(glusterd_brick_t)
++
 +########################################
 +#
 +# Local policy
@@ -26442,6 +26474,13 @@ index 0000000..0f9d485
 +files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
 +relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 +
++manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++
 +can_exec(glusterd_t, glusterd_exec_t)
 +
 +kernel_read_system_state(glusterd_t)
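Review bot: `glusterd_brick_t` is declared and `glusterd_t` is given full manage and relabel rights on it, but nothing in the visible part of this commit adds a file-context entry or an interface for the new type, so brick directories will only receive the label when an administrator sets it by hand; a comment on the type declaration stating that expectation (or an interface that other modules and admins can call) would make it explicit. Note that `relabel_*_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)` with identical from/to types permits relabelling only between `glusterd_brick_t` and itself, which is the tight form; confirm that is the intent rather than relabelling from the default label of freshly created brick paths.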
@@ -26747,10 +26786,10 @@ index fd02acc..0000000
 -
 -miscfiles_read_localization(glusterd_t)
 diff --git a/gnome.fc b/gnome.fc
-index e39de43..5818f74 100644
+index e39de43..4c8113b 100644
 --- a/gnome.fc
 +++ b/gnome.fc
-@@ -1,15 +1,58 @@
+@@ -1,15 +1,59 @@
 -HOME_DIR/\.gconf(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gconfd(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gnome(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
@@ -26808,14 +26847,15 @@ index e39de43..5818f74 100644
 +/usr/share/config(/.*)? 	gen_context(system_u:object_r:config_usr_t,s0)
 +
  /usr/bin/gnome-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
- 
--/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
--/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
++/usr/bin/mate-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
++
 +# Don't use because toolchain is broken
 +#/usr/libexec/gconfd-2 --	gen_context(system_u:object_r:gconfd_exec_t,s0)
 +
 +/usr/libexec/gconf-defaults-mechanism	    	--      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
-+
+ 
+-/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
+-/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
@@ -29625,7 +29665,7 @@ index 180f1b7..951b790 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 44cf341..8aa9dd9 100644
+index 44cf341..52ce110 100644
 --- a/gpg.te
 +++ b/gpg.te
 @@ -1,47 +1,47 @@
@@ -29926,7 +29966,7 @@ index 44cf341..8aa9dd9 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -207,29 +225,35 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -207,29 +225,36 @@ tunable_policy(`use_samba_home_dirs',`
  
  ########################################
  #
@@ -29934,11 +29974,12 @@ index 44cf341..8aa9dd9 100644
 +# GPG agent local policy
  #
 +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
- 
++
 +# rlimit: gpg-agent wants to prevent coredumps
- allow gpg_agent_t self:process setrlimit;
++allow gpg_agent_t self:process { setrlimit signal_perms };
+ 
+-allow gpg_agent_t self:process setrlimit;
 -allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+
 +allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
  allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
  
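Review bot: the comment `# rlimit: gpg-agent wants to prevent coredumps` now sits above `allow gpg_agent_t self:process { setrlimit signal_perms };`, which also grants signal permissions, so the comment no longer describes the whole rule; either keep `signal_perms` on its own line or extend the comment to say why the agent needs to signal itself (presumably the ssh-add handling named in the changelog). The pre-existing `} ;` spacing on the `unix_stream_socket` line could be tidied while this block is being touched.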
@@ -29962,17 +30003,19 @@ index 44cf341..8aa9dd9 100644
  
 -kernel_dontaudit_search_sysctl(gpg_agent_t)
 +kernel_read_system_state(gpg_agent_t)
++kernel_read_core_if(gpg_agent_t)
  
 +corecmd_read_bin_symlinks(gpg_agent_t)
-+corecmd_search_bin(gpg_agent_t)
++corecmd_exec_bin(gpg_agent_t)
  corecmd_exec_shell(gpg_agent_t)
  
  dev_read_rand(gpg_agent_t)
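Review bot: replacing `corecmd_search_bin(gpg_agent_t)` with `corecmd_exec_bin(gpg_agent_t)` lets the agent execute anything labelled `bin_t`, not only ssh-add; since gpg-agent holds private key material, widening its executable set deserves a comment stating that ssh-add has no dedicated executable type (if that is the case) so the broad rule is unavoidable. `kernel_read_core_if(gpg_agent_t)` (reading the `/proc` core interface files) would likewise benefit from a note on which file the agent reads, so both rules can be narrowed later if a dedicated type or interface appears.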
-@@ -239,37 +263,40 @@ domain_use_interactive_fds(gpg_agent_t)
+@@ -239,37 +264,41 @@ domain_use_interactive_fds(gpg_agent_t)
  
  fs_dontaudit_list_inotifyfs(gpg_agent_t)
  
 -miscfiles_read_localization(gpg_agent_t)
++miscfiles_read_certs(gpg_agent_t)
  
 -userdom_use_user_terminals(gpg_agent_t)
 +# Write to the user domain tty.
@@ -30021,7 +30064,7 @@ index 44cf341..8aa9dd9 100644
  ##############################
  #
  # Pinentry local policy
-@@ -277,8 +304,17 @@ optional_policy(`
+@@ -277,8 +306,17 @@ optional_policy(`
  
  allow gpg_pinentry_t self:process { getcap getsched setsched signal };
  allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
@@ -30040,7 +30083,7 @@ index 44cf341..8aa9dd9 100644
  
  manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
  userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +323,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +325,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
  manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
  fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
  
@@ -35815,7 +35858,7 @@ index bc25c95..6692d91 100644
 +/var/run/slapd\.args    --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd\.pid     --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/ldap.if b/ldap.if
-index ee0c7cc..c54e3d2 100644
+index ee0c7cc..9cdc21e 100644
 --- a/ldap.if
 +++ b/ldap.if
 @@ -1,8 +1,68 @@
@@ -35923,7 +35966,7 @@ index ee0c7cc..c54e3d2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -41,22 +119,27 @@ interface(`ldap_read_config',`
+@@ -41,22 +119,28 @@ interface(`ldap_read_config',`
  
  ########################################
  ## <summary>
@@ -35945,6 +35988,7 @@ index ee0c7cc..c54e3d2 100644
 +	')
 +
 +	files_search_etc($1)
++    allow $1 slapd_cert_t:dir list_dir_perms;
 +    read_files_pattern($1, slapd_cert_t, slapd_cert_t)
  ')
  
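Review bot: the new `allow $1 slapd_cert_t:dir list_dir_perms;` line (like the `read_files_pattern` line below it) is indented with four spaces while the rest of `ldap_read_certs` uses tabs; fix the indentation. Functionally the addition is what the "Fix ldap_read_certs() interface" changelog entry describes, because `read_files_pattern` alone only grants `search` on the directory type, which is not enough for a caller that enumerates the certificate directory.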
@@ -35956,7 +36000,7 @@ index ee0c7cc..c54e3d2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -64,18 +147,13 @@ interface(`ldap_use',`
+@@ -64,18 +148,13 @@ interface(`ldap_use',`
  ##	</summary>
  ## </param>
  #
@@ -35978,7 +36022,7 @@ index ee0c7cc..c54e3d2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',`
+@@ -83,21 +162,19 @@ interface(`ldap_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -36006,7 +36050,7 @@ index ee0c7cc..c54e3d2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',`
+@@ -106,7 +183,7 @@ interface(`ldap_tcp_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -36015,7 +36059,7 @@ index ee0c7cc..c54e3d2 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -115,28 +191,28 @@ interface(`ldap_admin',`
+@@ -115,28 +192,28 @@ interface(`ldap_admin',`
  	gen_require(`
  		type slapd_t, slapd_tmp_t, slapd_replog_t;
  		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
@@ -36053,7 +36097,7 @@ index ee0c7cc..c54e3d2 100644
  	admin_pattern($1, slapd_replog_t)
  
  	files_list_tmp($1)
-@@ -144,4 +220,8 @@ interface(`ldap_admin',`
+@@ -144,4 +221,8 @@ interface(`ldap_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, slapd_var_run_t)
@@ -37398,12 +37442,14 @@ index b9270f7..15f3748 100644
  ')
 diff --git a/lsm.fc b/lsm.fc
 new file mode 100644
-index 0000000..81cd4e0
+index 0000000..d60293d
 --- /dev/null
 +++ b/lsm.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
 +/usr/bin/lsmd		--	gen_context(system_u:object_r:lsmd_exec_t,s0)
 +
++/usr/bin/.*_lsmplugin    --  gen_context(system_u:object_r:lsmd_plugin_exec_t,s0)
++
 +/usr/lib/systemd/system/libstoragemgmt.*		--	gen_context(system_u:object_r:lsmd_unit_file_t,s0)
 +
 +/var/run/lsm(/.*)?	    gen_context(system_u:object_r:lsmd_var_run_t,s0)
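Review bot: the new `/usr/bin/.*_lsmplugin` entry uses runs of spaces for alignment while the neighbouring entries use tabs. The pattern deliberately matches every executable in `/usr/bin` whose name ends in `_lsmplugin`, which is what the plugin naming convention implies, but a one-line comment saying so would stop someone later "fixing" it to a specific plugin name or widening it further.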
@@ -37514,10 +37560,10 @@ index 0000000..da30c5d
 +')
 diff --git a/lsm.te b/lsm.te
 new file mode 100644
-index 0000000..6611d9f
+index 0000000..9e92442
 --- /dev/null
 +++ b/lsm.te
-@@ -0,0 +1,34 @@
+@@ -0,0 +1,63 @@
 +policy_module(lsm, 1.0.0)
 +
 +########################################
@@ -37535,6 +37581,14 @@ index 0000000..6611d9f
 +type lsmd_unit_file_t;
 +systemd_unit_file(lsmd_unit_file_t)
 +
++type lsmd_plugin_t;
++type lsmd_plugin_exec_t;
++application_domain(lsmd_plugin_t, lsmd_plugin_exec_t)
++role system_r types lsmd_plugin_t;
++
++type lsmd_plugin_tmp_t;
++files_tmp_file(lsmd_plugin_tmp_t)
++
 +########################################
 +#
 +# lsmd local policy
@@ -37552,6 +37606,27 @@ index 0000000..6611d9f
 +corecmd_exec_bin(lsmd_t)
 +
 +logging_send_syslog_msg(lsmd_t)
++
++########################################
++#
++# Local lsmd plugin policy
++#
++
++domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
++
++allow lsmd_t lsmd_plugin_exec_t:file read_file_perms;
++
++manage_files_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
++manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
++files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
++
++kernel_read_system_state(lsmd_plugin_t)
++
++dev_read_urand(lsmd_plugin_t)
++
++corecmd_exec_bin(lsmd_plugin_t)
++
++sysnet_read_config(lsmd_plugin_t)
 diff --git a/mailman.fc b/mailman.fc
 index 7fa381b..bbe6b01 100644
 --- a/mailman.fc
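Review bot: `allow lsmd_t lsmd_plugin_exec_t:file read_file_perms;` is almost entirely redundant with the `domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)` two lines above it, which already grants `lsmd_t` getattr/open/read/execute on the entry type; drop it unless the extra lock/ioctl permissions are really exercised. The new plugin domain gets tmp file management, `corecmd_exec_bin`, urandom, `kernel_read_system_state` and `sysnet_read_config` but no logging rules, so if plugins log via syslog that will surface as denials; a short comment above the `# Local lsmd plugin policy` section describing what a plugin is expected to do would help, and that header would read more consistently as `# lsmd plugin local policy`, matching the `# lsmd local policy` header above it.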
@@ -44139,7 +44214,7 @@ index ed81cac..566684a 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index afd2fad..09ebbbe 100644
+index afd2fad..1943352 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -1,4 +1,4 @@
@@ -44556,7 +44631,7 @@ index afd2fad..09ebbbe 100644
  	files_search_var_lib(mailserver_delivery)
  
  	mailman_domtrans(mailserver_delivery)
-@@ -387,24 +277,173 @@ optional_policy(`
+@@ -387,24 +277,174 @@ optional_policy(`
  
  ########################################
  #
@@ -44705,6 +44780,7 @@ index afd2fad..09ebbbe 100644
 +
 +optional_policy(`
 +	openshift_rw_inherited_content(mta_user_agent)
++    openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent)
 +')
 +
 +optional_policy(`
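Review bot: `openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent)` is indented with four spaces while the `openshift_rw_inherited_content(mta_user_agent)` line above it uses a tab. Be aware that this call silences fifo denials for every domain in the `mta_user_agent` attribute, and that the openshift.if change in this same commit widens the interface to cover `openshift_t` as well as `openshift_initrc_t`, so the suppression now applies to gear fifos too.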
@@ -45882,7 +45958,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 9f6179e..4383f87 100644
+index 9f6179e..6337dad 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -1,4 +1,4 @@
@@ -46093,7 +46169,7 @@ index 9f6179e..4383f87 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -183,21 +185,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -183,21 +185,28 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
  corecmd_exec_bin(mysqld_safe_t)
  corecmd_exec_shell(mysqld_safe_t)
  
@@ -46106,6 +46182,7 @@ index 9f6179e..4383f87 100644
 -files_read_usr_files(mysqld_safe_t)
 -files_search_pids(mysqld_safe_t)
 -files_dontaudit_getattr_all_dirs(mysqld_safe_t)
++files_dontaudit_access_check_root(mysqld_safe_t)
  files_dontaudit_search_all_mountpoints(mysqld_safe_t)
 +files_dontaudit_getattr_all_dirs(mysqld_safe_t)
 +files_dontaudit_write_root_dirs(mysqld_safe_t)
@@ -46127,7 +46204,7 @@ index 9f6179e..4383f87 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -205,7 +213,7 @@ optional_policy(`
+@@ -205,7 +214,7 @@ optional_policy(`
  
  ########################################
  #
@@ -46136,7 +46213,7 @@ index 9f6179e..4383f87 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +222,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +223,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -46154,7 +46231,7 @@ index 9f6179e..4383f87 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -226,31 +235,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +236,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -52799,10 +52876,10 @@ index 0000000..0dc672f
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..e03de01
+index 0000000..9451b83
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,700 @@
+@@ -0,0 +1,702 @@
 +
 +## <summary> policy for openshift </summary>
 +
@@ -53424,9 +53501,11 @@ index 0000000..e03de01
 +interface(`openshift_dontaudit_rw_inherited_fifo_files',`
 +	gen_require(`
 +		type openshift_initrc_t;
++        type openshift_t;
 +	')
 +
 +	dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++    dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
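Review bot: the two added lines (`type openshift_t;` and the second `dontaudit`) use four-space indentation where the surrounding interface body uses tabs. Refpolicy also normally lists several required types on one line, so `type openshift_initrc_t, openshift_t;` would read better than two separate `type` statements; the interface summary above should mention that it now covers openshift_t as well as openshift_initrc_t.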
@@ -53505,10 +53584,10 @@ index 0000000..e03de01
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..0a6f091
+index 0000000..3c4beaf
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,556 @@
+@@ -0,0 +1,558 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -53651,6 +53730,8 @@ index 0000000..0a6f091
 +allow openshift_domain self:shm create_shm_perms;
 +allow openshift_domain self:sem create_sem_perms;
 +dontaudit openshift_domain self:dir write;
++dontaudit openshift_domain self:rawip_socket create_socket_perms;
++
 +dontaudit openshift_t self:unix_stream_socket recvfrom;
 +dontaudit openshift_domain self:netlink_tcpdiag_socket create;
 +dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
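Review bot: `dontaudit openshift_domain self:rawip_socket create_socket_perms;` silences the denial for every openshift domain without saying what triggers it. A one-line comment naming the application that attempts the raw socket would help the next maintainer decide whether the suppression is still needed, and the rule sits between `dontaudit openshift_domain self:dir write;` and the `dontaudit openshift_t` lines, so keeping the openshift_domain dontaudits together (without the extra blank line) would keep the block readable.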
@@ -55927,10 +56008,10 @@ index 96db654..ff3aadd 100644
 +	virt_rw_svirt_dev(pcscd_t)
 +')
 diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..31122bd 100644
+index dfd46e4..87bda41 100644
 --- a/pegasus.fc
 +++ b/pegasus.fc
-@@ -1,15 +1,26 @@
+@@ -1,15 +1,25 @@
 -/etc/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_conf_t,s0)
 +
 +/etc/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_conf_t,s0)
@@ -55954,13 +56035,12 @@ index dfd46e4..31122bd 100644
 +/var/lib/openlmi-storage(/.*)?       gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
  
 -/usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
-+#openlmi agents
 +/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt      --  gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt      --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
 +
 +
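Review bot: relabeling `cmpiLMI_Realmd-cimprovagt` from `pegasus_openlmi_services_exec_t` to `pegasus_openlmi_admin_exec_t` moves the Realmd provider into the admin provider domain, which this same patch extends with `init_dbus_chat` and `sssd_search_lib`; if the intent is only to give Realmd those two permissions, that should be stated, since the admin domain is the broadest of the provider domains. The hunk also drops the `#openlmi agents` comment, the only grouping comment in the block; keep it.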
@@ -56066,7 +56146,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..22a5b66 100644
+index 7bcf327..801965a 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -1,17 +1,16 @@
@@ -56090,7 +56170,7 @@ index 7bcf327..22a5b66 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,269 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,277 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
@@ -56271,6 +56351,14 @@ index 7bcf327..22a5b66 100644
 +
 +optional_policy(`
 +    dbus_system_bus_client(pegasus_openlmi_admin_t)
++    
++    optional_policy(`
++        init_dbus_chat(pegasus_openlmi_admin_t)
++    ')
++')
++
++optional_policy(`
++    sssd_search_lib(pegasus_openlmi_admin_t)
 +')
 +
 +######################################
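Review bot: the added `+    ` line carries trailing whitespace; it should be an empty line. The nested `optional_policy(` around `init_dbus_chat(pegasus_openlmi_admin_t)` is unnecessary when init is built as a base module, as it is in refpolicy and this policy, where other `init_*` calls (for example `init_stream_connect_script(pegasus_t)` in the context lines below) are made unconditionally; the call belongs directly inside the dbus optional_policy.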
@@ -56365,7 +56453,7 @@ index 7bcf327..22a5b66 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +302,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +310,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -56396,7 +56484,7 @@ index 7bcf327..22a5b66 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +328,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +336,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -56429,7 +56517,7 @@ index 7bcf327..22a5b66 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,6 +356,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +364,11 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -56437,7 +56525,11 @@ index 7bcf327..22a5b66 100644
  
  domain_use_interactive_fds(pegasus_t)
  domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +371,25 @@ init_stream_connect_script(pegasus_t)
++domain_named_filetrans(pegasus_t)
+ 
+ files_list_var_lib(pegasus_t)
+ files_read_var_lib_files(pegasus_t)
+@@ -128,18 +380,29 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -56453,6 +56545,10 @@ index 7bcf327..22a5b66 100644
  optional_policy(`
 -	dbus_system_bus_client(pegasus_t)
 -	dbus_connect_system_bus(pegasus_t)
++	dmidecode_domtrans(pegasus_t)
++')
++
++optional_policy(`
 +    dbus_system_bus_client(pegasus_t)
 +    dbus_connect_system_bus(pegasus_t)
  
@@ -56469,7 +56565,7 @@ index 7bcf327..22a5b66 100644
  ')
  
  optional_policy(`
-@@ -151,16 +401,24 @@ optional_policy(`
+@@ -151,16 +414,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56498,7 +56594,7 @@ index 7bcf327..22a5b66 100644
  ')
  
  optional_policy(`
-@@ -168,7 +426,7 @@ optional_policy(`
+@@ -168,7 +439,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58271,10 +58367,10 @@ index 0000000..17f5d18
 +')
 +
 diff --git a/plymouthd.fc b/plymouthd.fc
-index 735500f..ef1dd7a 100644
+index 735500f..2ba6832 100644
 --- a/plymouthd.fc
 +++ b/plymouthd.fc
-@@ -1,15 +1,15 @@
+@@ -1,15 +1,14 @@
 -/bin/plymouth	--	gen_context(system_u:object_r:plymouth_exec_t,s0)
 +/bin/plymouth			--	gen_context(system_u:object_r:plymouth_exec_t,s0)
  
@@ -58295,11 +58391,11 @@ index 735500f..ef1dd7a 100644
 +/usr/sbin/plymouthd		--	gen_context(system_u:object_r:plymouthd_exec_t,s0)
  
 -/var/run/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-+/var/spool/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_spool_t,s0)
- 
+-
 -/var/spool/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_spool_t,s0)
++/var/spool/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_spool_t,s0)
 diff --git a/plymouthd.if b/plymouthd.if
-index 30e751f..3985ff9 100644
+index 30e751f..78fb7c6 100644
 --- a/plymouthd.if
 +++ b/plymouthd.if
 @@ -1,4 +1,4 @@
@@ -58487,7 +58583,7 @@ index 30e751f..3985ff9 100644
  	gen_require(`
  		type plymouthd_var_run_t;
  	')
-@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',`
+@@ -233,36 +228,113 @@ interface(`plymouthd_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -58495,13 +58591,12 @@ index 30e751f..3985ff9 100644
 -##	administrate an plymouthd environment.
 +##	Allow the specified domain to read
 +##	to plymouthd log files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="role">
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
 +interface(`plymouthd_read_log',`
 +	gen_require(`
@@ -58512,17 +58607,38 @@ index 30e751f..3985ff9 100644
 +	read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
 +')
 +
-+########################################
++#####################################
 +## <summary>
-+##	Allow the specified domain to manage
-+##	to plymouthd log files.
++##  Allow the specified domain to create plymouthd's log files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
++##  <summary>
++##  Domain allowed access.
++##  </summary>
 +## </param>
 +#
++interface(`plymouthd_create_log',`
++    gen_require(`
++        type plymouthd_log_t;
++    ')
++
++    logging_search_logs($1)
++    create_files_pattern($1, plymouthd_log_t, plymouthd_log_t)
++')
++
++
++########################################
++## <summary>
++##	Allow the specified domain to manage
++##	to plymouthd log files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
++#
 +interface(`plymouthd_manage_log',`
 +	gen_require(`
 +		type plymouthd_var_log_t;
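Review bot: `plymouthd_create_log` requires `type plymouthd_log_t;` and uses `create_files_pattern($1, plymouthd_log_t, plymouthd_log_t)`, but every other interface in this file (`plymouthd_read_log`, `plymouthd_manage_log`) uses `plymouthd_var_log_t`; unless a separate `plymouthd_log_t` type is declared in plymouthd.te, the `gen_require` will fail at build time. The banner above the new interface is also shorter than the `########################################` used elsewhere and the body is indented with spaces instead of tabs.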
@@ -58544,12 +58660,12 @@ index 30e751f..3985ff9 100644
 +##      </summary>
 +## </param>
 +#
-+interface(`plymouthd_create_log',`
++interface(`plymouthd_filetrans_named_content',`
++
 +    gen_require(`
 +        type plymouthd_var_log_t;
 +    ')
 +    
-+    logging_rw_generic_log_dirs($1)
 +    logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
 +')
 +
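Review bot: renaming the interface to `plymouthd_filetrans_named_content` also removes `logging_rw_generic_log_dirs($1)`, so callers now only get the named file transition for "boot.log" and must obtain write access to the log directory on their own, or the transition never fires; please make sure the callers of the old `plymouthd_create_log` were updated accordingly. There is also a stray empty `+` line directly after `interface(\`plymouthd_filetrans_named_content',\``, and the `gen_require` block still uses space indentation.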
@@ -60126,7 +60242,7 @@ index c0e8785..c0e0959 100644
 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
  /var/spool/postfix/flush(/.*)?	gen_context(system_u:object_r:postfix_spool_flush_t,s0)
 diff --git a/postfix.if b/postfix.if
-index 2e23946..0b76d72 100644
+index 2e23946..d8a163f 100644
 --- a/postfix.if
 +++ b/postfix.if
 @@ -1,4 +1,4 @@
@@ -60457,7 +60573,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -382,14 +367,32 @@ interface(`postfix_domtrans_master',`
+@@ -382,14 +367,31 @@ interface(`postfix_domtrans_master',`
  		type postfix_master_t, postfix_master_exec_t;
  	')
  
@@ -60465,7 +60581,6 @@ index 2e23946..0b76d72 100644
  	domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
  ')
  
-+
  ########################################
  ## <summary>
 -##	Execute the master postfix program
@@ -60493,7 +60608,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -402,21 +405,18 @@ interface(`postfix_exec_master',`
+@@ -402,21 +404,18 @@ interface(`postfix_exec_master',`
  		type postfix_master_exec_t;
  	')
  
@@ -60516,7 +60631,7 @@ index 2e23946..0b76d72 100644
  #
  interface(`postfix_stream_connect_master',`
  	gen_require(`
-@@ -428,8 +428,7 @@ interface(`postfix_stream_connect_master',`
+@@ -428,8 +427,7 @@ interface(`postfix_stream_connect_master',`
  
  ########################################
  ## <summary>
@@ -60526,7 +60641,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -437,15 +436,18 @@ interface(`postfix_stream_connect_master',`
+@@ -437,15 +435,18 @@ interface(`postfix_stream_connect_master',`
  ##	</summary>
  ## </param>
  #
@@ -60549,7 +60664,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -458,14 +460,13 @@ interface(`postfix_domtrans_postdrop',`
+@@ -458,14 +459,13 @@ interface(`postfix_domtrans_postdrop',`
  		type postfix_postdrop_t, postfix_postdrop_exec_t;
  	')
  
@@ -60565,7 +60680,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',`
+@@ -478,30 +478,85 @@ interface(`postfix_domtrans_postqueue',`
  		type postfix_postqueue_t, postfix_postqueue_exec_t;
  	')
  
@@ -60585,18 +60700,15 @@ index 2e23946..0b76d72 100644
  ##	<summary>
 -##	Domain allowed access.
 +##	Domain allowed to transition.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +## <param name="role">
 +##  <summary>
 +##  The role to be allowed the iptables domain.
 +##  </summary>
 +## </param>
 +## <rolecap/>
- #
--interface(`posftix_exec_postqueue',`
--	refpolicywarn(`$0($*) has been deprecated.')
--	postfix_exec_postqueue($1)
++#
 +
 +interface(`postfix_run_postqueue',`
 +	gen_require(`
@@ -60606,8 +60718,8 @@ index 2e23946..0b76d72 100644
 +	postfix_domtrans_postqueue($1)
 +	role $2 types postfix_postqueue_t;
 +	allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
- ')
- 
++')
++
 +########################################
 +## <summary>
 +##	Execute postfix_postgqueue in the postfix_postgqueue domain.
@@ -60639,10 +60751,13 @@ index 2e23946..0b76d72 100644
 +## <param name="role">
 +##	<summary>
 +##	Role allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`posftix_exec_postqueue',`
+-	refpolicywarn(`$0($*) has been deprecated.')
+-	postfix_exec_postqueue($1)
 +interface(`postfix_run_postgqueue',`
 +	gen_require(`
 +		type postfix_postgqueue_t;
@@ -60650,8 +60765,8 @@ index 2e23946..0b76d72 100644
 +
 +	postfix_domtrans_postgqueue($1)
 +	role $2 types postfix_postgqueue_t;
-+')
-+
+ ')
+ 
 +
  #######################################
  ## <summary>
@@ -60661,7 +60776,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',`
+@@ -514,13 +569,12 @@ interface(`postfix_exec_postqueue',`
  		type postfix_postqueue_exec_t;
  	')
  
@@ -60676,7 +60791,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',`
+@@ -533,13 +587,13 @@ interface(`postfix_create_private_sockets',`
  		type postfix_private_t;
  	')
  
@@ -60692,7 +60807,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',`
+@@ -552,13 +606,14 @@ interface(`postfix_manage_private_sockets',`
  		type postfix_private_t;
  	')
  
@@ -60709,7 +60824,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',`
+@@ -571,14 +626,12 @@ interface(`postfix_domtrans_smtp',`
  		type postfix_smtp_t, postfix_smtp_exec_t;
  	')
  
@@ -60725,7 +60840,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',`
+@@ -586,7 +639,7 @@ interface(`postfix_domtrans_smtp',`
  ##	</summary>
  ## </param>
  #
@@ -60734,7 +60849,7 @@ index 2e23946..0b76d72 100644
  	gen_require(`
  		attribute postfix_spool_type;
  	')
-@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',`
+@@ -607,11 +660,11 @@ interface(`postfix_getattr_all_spool_files',`
  #
  interface(`postfix_search_spool',`
  	gen_require(`
@@ -60748,7 +60863,7 @@ index 2e23946..0b76d72 100644
  ')
  
  ########################################
-@@ -626,11 +680,11 @@ interface(`postfix_search_spool',`
+@@ -626,11 +679,11 @@ interface(`postfix_search_spool',`
  #
  interface(`postfix_list_spool',`
  	gen_require(`
@@ -60762,7 +60877,7 @@ index 2e23946..0b76d72 100644
  ')
  
  ########################################
-@@ -645,17 +699,16 @@ interface(`postfix_list_spool',`
+@@ -645,17 +698,16 @@ interface(`postfix_list_spool',`
  #
  interface(`postfix_read_spool_files',`
  	gen_require(`
@@ -60783,7 +60898,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',`
+@@ -665,11 +717,50 @@ interface(`postfix_read_spool_files',`
  #
  interface(`postfix_manage_spool_files',`
  	gen_require(`
@@ -60836,7 +60951,7 @@ index 2e23946..0b76d72 100644
  ')
  
  ########################################
-@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -693,8 +784,8 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  ########################################
  ## <summary>
@@ -60847,7 +60962,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -710,37 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,37 +801,137 @@ interface(`postfix_domtrans_user_mail_handler',`
  #
  interface(`postfix_admin',`
  	gen_require(`
@@ -69566,20 +69681,22 @@ index b31f2d7..046f5b8 100644
  userdom_dontaudit_search_user_home_dirs(radvd_t)
  
 diff --git a/raid.fc b/raid.fc
-index 5806046..5578653 100644
+index 5806046..d83ec27 100644
 --- a/raid.fc
 +++ b/raid.fc
-@@ -3,6 +3,9 @@
+@@ -3,6 +3,11 @@
  
  /etc/rc\.d/init\.d/mdmonitor	--	gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
  
++/etc/mdadm\.conf    --  gen_context(system_u:object_r:mdadm_conf_t,s0)
++
 +/usr/lib/systemd/system/mdmon at .* --  gen_context(system_u:object_r:mdadm_unit_file_t,s0)
 +/usr/lib/systemd/system/mdmonitor.* --  gen_context(system_u:object_r:mdadm_unit_file_t,s0)
 +
  /sbin/iprdump	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /sbin/iprinit	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /sbin/iprupdate	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
-@@ -16,6 +19,7 @@
+@@ -16,6 +21,7 @@
  /usr/sbin/iprupdate	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /usr/sbin/mdadm	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /usr/sbin/mdmpd	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
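Review bot: the new `/etc/mdadm\.conf    --  gen_context(system_u:object_r:mdadm_conf_t,s0)` entry references `mdadm_conf_t`, which must be declared (and given `files_config_file` or an equivalent) in raid.te for the file context to load; that declaration is not visible in this hunk, so please confirm it is part of the patch. The entry also uses space alignment while the neighbouring lines use tabs.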
@@ -69929,6 +70046,224 @@ index 2c1730b..4699a1e 100644
 +optional_policy(`
 +	xserver_dontaudit_search_log(mdadm_t)
 +')
+diff --git a/rasdaemon.fc b/rasdaemon.fc
+new file mode 100644
+index 0000000..8e31dd0
+--- /dev/null
++++ b/rasdaemon.fc
+@@ -0,0 +1,9 @@
++/usr/lib/systemd/system/ras-mc-ctl.*		--	gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
++
++/usr/lib/systemd/system/rasdaemon.*		--	gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
++
++/usr/sbin/rasdaemon		--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
++
++/usr/sbin/ras-mc-ctl		--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
++
++/var/lib/rasdaemon(/.*)?		gen_context(system_u:object_r:rasdaemon_var_lib_t,s0)
+diff --git a/rasdaemon.if b/rasdaemon.if
+new file mode 100644
+index 0000000..a073efd
+--- /dev/null
++++ b/rasdaemon.if
+@@ -0,0 +1,156 @@
++
++## <summary>The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the rasdaemon domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rasdaemon_domtrans',`
++	gen_require(`
++		type rasdaemon_t, rasdaemon_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, rasdaemon_exec_t, rasdaemon_t)
++')
++
++########################################
++## <summary>
++##	Search rasdaemon lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_search_lib',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	allow $1 rasdaemon_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read rasdaemon lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_read_lib_files',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage rasdaemon lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_manage_lib_files',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage rasdaemon lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_manage_lib_dirs',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Execute rasdaemon server in the rasdaemon domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_systemctl',`
++	gen_require(`
++		type rasdaemon_t;
++		type rasdaemon_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 rasdaemon_unit_file_t:file read_file_perms;
++	allow $1 rasdaemon_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, rasdaemon_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an rasdaemon environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`rasdaemon_admin',`
++	gen_require(`
++		type rasdaemon_t;
++		type rasdaemon_var_lib_t;
++	type rasdaemon_unit_file_t;
++	')
++
++	allow $1 rasdaemon_t:process { ptrace signal_perms };
++	ps_process_pattern($1, rasdaemon_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, rasdaemon_var_lib_t)
++
++	rasdaemon_systemctl($1)
++	admin_pattern($1, rasdaemon_unit_file_t)
++	allow $1 rasdaemon_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/rasdaemon.te b/rasdaemon.te
+new file mode 100644
+index 0000000..8651ca4
+--- /dev/null
++++ b/rasdaemon.te
+@@ -0,0 +1,35 @@
++policy_module(rasdaemon, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rasdaemon_t;
++type rasdaemon_exec_t;
++init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
++
++type rasdaemon_var_lib_t;
++files_type(rasdaemon_var_lib_t)
++
++type rasdaemon_unit_file_t;
++systemd_unit_file(rasdaemon_unit_file_t)
++
++########################################
++#
++# rasdaemon local policy
++#
++allow rasdaemon_t self:fifo_file rw_fifo_file_perms;
++allow rasdaemon_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++manage_files_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++files_var_lib_filetrans(rasdaemon_t, rasdaemon_var_lib_t, { dir file  })
++
++kernel_read_system_state(rasdaemon_t)
++kernel_manage_debugfs(rasdaemon_t)
++
++dev_read_sysfs(rasdaemon_t)
++
++logging_send_syslog_msg(rasdaemon_t)
++
 diff --git a/razor.fc b/razor.fc
 index 6723f4d..6e26673 100644
 --- a/razor.fc
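Review bot: rasdaemon.if still contains template text: the summary of `rasdaemon_domtrans` reads `Execute TEMPLATE in the rasdaemon domin.` and the module summary says `a daemon with monitors the RAS trace events`; both need fixing ("Execute rasdaemon in the rasdaemon domain", "which monitors"). In rasdaemon.te, `kernel_manage_debugfs(rasdaemon_t)` grants the broadest debugfs access, while the summary only describes reading trace events under /sys/kernel/debug/tracing; if the daemon just enables tracepoints and reads the trace buffer, a narrower interface, or at least a comment justifying manage, would be better. Note also that `/usr/sbin/ras-mc-ctl` is labeled `rasdaemon_exec_t`, so the control tool runs as rasdaemon_t whenever a caller uses `rasdaemon_domtrans`; confirm the domain carries what that tool needs. Minor style: `systemd_read_fifo_file_passwd_run($1)` in `rasdaemon_systemctl` is space-indented and `type rasdaemon_unit_file_t;` in `rasdaemon_admin` is under-indented, and `rasdaemon_admin` keeps `<rolecap/>` without a role parameter, unlike the rtas_errd_admin cleanup later in this patch.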
@@ -77746,16 +78081,16 @@ index 0000000..25d96cb
 +
 diff --git a/rtas.if b/rtas.if
 new file mode 100644
-index 0000000..9381936
+index 0000000..0ec3302
 --- /dev/null
 +++ b/rtas.if
-@@ -0,0 +1,166 @@
+@@ -0,0 +1,162 @@
 +
-+## <summary>rtas_errd - Platform diagnostics report firmware events</summary>
++## <summary>Platform diagnostics report firmware events.</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the rtas_errd domin.
++##	Execute rtas_errd in the rtas_errd domin.
 +## </summary>
 +## <param name="domain">
 +## <summary>
@@ -77771,6 +78106,7 @@ index 0000000..9381936
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t)
 +')
++
 +########################################
 +## <summary>
 +##	Read rtas_errd's log files.
@@ -77830,6 +78166,7 @@ index 0000000..9381936
 +	manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
 +	manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
 +')
++
 +########################################
 +## <summary>
 +##	Read rtas_errd PID files.
@@ -77866,7 +78203,7 @@ index 0000000..9381936
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_passwd_run($1)
++    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 rtas_errd_unit_file_t:file read_file_perms;
 +	allow $1 rtas_errd_unit_file_t:service manage_service_perms;
 +
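Review bot: the reindented `systemd_read_fifo_file_passwd_run($1)` now uses four spaces, but the lines around it (`systemd_exec_systemctl($1)` and the `allow` rules) are tab-indented; use a tab so the block is consistent.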
@@ -77884,19 +78221,12 @@ index 0000000..9381936
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`rtas_errd_admin',`
 +	gen_require(`
 +		type rtas_errd_t;
-+		type rtas_errd_log_t;
-+		type rtas_errd_var_run_t;
-+	type rtas_errd_unit_file_t;
++		type rtas_errd_log_t, rtas_errd_var_run_t;
++    	type rtas_errd_unit_file_t;
 +	')
 +
 +	allow $1 rtas_errd_t:process { ptrace signal_perms };
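Review bot: dropping the `<param name="role">` block and `<rolecap/>` is correct, since `rtas_errd_admin` never uses `$2`, but the added `type rtas_errd_unit_file_t;` line mixes four spaces with a tab; it should be a single tab, or better, folded into the preceding line as `type rtas_errd_log_t, rtas_errd_var_run_t, rtas_errd_unit_file_t;`.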
@@ -77911,6 +78241,7 @@ index 0000000..9381936
 +	rtas_errd_systemctl($1)
 +	admin_pattern($1, rtas_errd_unit_file_t)
 +	allow $1 rtas_errd_unit_file_t:service all_service_perms;
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
@@ -81898,7 +82229,7 @@ index 98c9e0a..df51942 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 4a23d84..62df1db 100644
+index 4a23d84..f149aad 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
@@ -81935,7 +82266,7 @@ index 4a23d84..62df1db 100644
  ######################################
  #
  # Common sblim domain local policy
-@@ -32,11 +39,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+@@ -32,31 +39,36 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
  manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
  manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
  
@@ -81957,9 +82288,11 @@ index 4a23d84..62df1db 100644
  corenet_tcp_sendrecv_generic_if(sblim_domain)
  corenet_tcp_sendrecv_generic_node(sblim_domain)
  
-@@ -44,19 +58,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
+ corenet_tcp_sendrecv_repository_port(sblim_domain)
  
  dev_read_sysfs(sblim_domain)
++dev_read_rand(sblim_domain)
++dev_read_urand(sblim_domain)
  
 -logging_send_syslog_msg(sblim_domain)
 -
@@ -81980,7 +82313,7 @@ index 4a23d84..62df1db 100644
  allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
  allow sblim_gatherd_t self:unix_stream_socket { accept listen };
  
-@@ -84,6 +94,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
+@@ -84,6 +96,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
  
  init_read_utmp(sblim_gatherd_t)
  
@@ -81989,7 +82322,7 @@ index 4a23d84..62df1db 100644
  sysnet_dns_name_resolve(sblim_gatherd_t)
  
  term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +115,9 @@ optional_policy(`
+@@ -103,8 +117,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82000,7 +82333,7 @@ index 4a23d84..62df1db 100644
  ')
  
  optional_policy(`
-@@ -117,6 +130,29 @@ optional_policy(`
+@@ -117,6 +132,32 @@ optional_policy(`
  # Reposd local policy
  #
  
@@ -82029,6 +82362,9 @@ index 4a23d84..62df1db 100644
 +
 +corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
 +
++dev_read_rand(sblim_sfcbd_t)
++dev_read_urand(sblim_sfcbd_t)
++
 +domain_read_all_domains_state(sblim_sfcbd_t)
 +domain_use_interactive_fds(sblim_sfcbd_t)
 diff --git a/screen.fc b/screen.fc
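Review bot: `dev_read_rand(sblim_sfcbd_t)` and `dev_read_urand(sblim_sfcbd_t)` duplicate the rules added to `sblim_domain` earlier in this patch if sblim_sfcbd_t carries the sblim_domain attribute; if it does, drop these two lines, and if it does not, a comment saying so would save the next reader the check.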
@@ -83147,7 +83483,7 @@ index 0b3a971..397a522 100644
 -/var/lib/setroubleshoot(/.*)?	gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
 +/var/lib/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
 diff --git a/setroubleshoot.if b/setroubleshoot.if
-index 3a9a70b..039b0c8 100644
+index 3a9a70b..903109c 100644
 --- a/setroubleshoot.if
 +++ b/setroubleshoot.if
 @@ -1,9 +1,8 @@
@@ -83174,7 +83510,32 @@ index 3a9a70b..039b0c8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -107,8 +105,27 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+@@ -42,6 +40,24 @@ interface(`setroubleshoot_dontaudit_stream_connect',`
+ 	dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
+ ')
+ 
++#######################################
++## <summary>
++##	Send null signals to setroubleshoot.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`setroubleshoot_signull',`
++	gen_require(`
++		type setroubleshootd_t;
++	')
++
++	allow $1 setroubleshootd_t:process signull;
++')
++
+ ########################################
+ ## <summary>
+ ##	Send and receive messages from
+@@ -107,8 +123,27 @@ interface(`setroubleshoot_dbus_chat_fixit',`
  
  ########################################
  ## <summary>
@@ -83204,7 +83565,7 @@ index 3a9a70b..039b0c8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -119,12 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+@@ -119,12 +154,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
  #
  interface(`setroubleshoot_admin',`
  	gen_require(`
@@ -84412,7 +84773,7 @@ index a8b1aaf..fc0a2be 100644
  
  	netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
 diff --git a/smoltclient.te b/smoltclient.te
-index 9c8f9a5..14f15a4 100644
+index 9c8f9a5..f074b4d 100644
 --- a/smoltclient.te
 +++ b/smoltclient.te
 @@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t)
@@ -84430,6 +84791,17 @@ index 9c8f9a5..14f15a4 100644
  
  optional_policy(`
  	abrt_stream_connect(smoltclient_t)
+@@ -77,6 +75,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    libs_exec_ldconfig(smoltclient_t)
++')
++
++optional_policy(`
+ 	rpm_exec(smoltclient_t)
+ 	rpm_read_db(smoltclient_t)
+ ')
 diff --git a/smsd.fc b/smsd.fc
 new file mode 100644
 index 0000000..4c3fcec
@@ -85279,7 +85651,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index 703efa3..499d7e9 100644
+index 703efa3..a1b4abd 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
@@ -85300,7 +85672,7 @@ index 703efa3..499d7e9 100644
 -allow sosreport_t self:process { setsched signull };
 +allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override chown };
 +dontaudit sosreport_t self:capability sys_ptrace;
-+allow sosreport_t self:process { setpgid setsched signull };
++allow sosreport_t self:process signal_perms;
  allow sosreport_t self:fifo_file rw_fifo_file_perms;
  allow sosreport_t self:tcp_socket { accept listen };
  allow sosreport_t self:unix_stream_socket { accept listen };
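Review bot: replacing `allow sosreport_t self:process { setpgid setsched signull };` with `allow sosreport_t self:process signal_perms;` drops `setpgid` and `setsched`, since `signal_perms` only covers the signal permissions (signal, signull, sigkill, sigstop, sigchld). Unless removing those two was intended, the line should read `allow sosreport_t self:process { setpgid setsched signal_perms };`.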
@@ -85322,10 +85694,12 @@ index 703efa3..499d7e9 100644
  manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
  fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
  
-@@ -49,6 +61,17 @@ kernel_read_software_raid_state(sosreport_t)
+@@ -48,6 +60,18 @@ kernel_read_all_sysctls(sosreport_t)
+ kernel_read_software_raid_state(sosreport_t)
  kernel_search_debugfs(sosreport_t)
  kernel_read_messages(sosreport_t)
- 
++kernel_request_load_module(sosreport_t)
++
 +corenet_all_recvfrom_netlabel(sosreport_t)
 +corenet_tcp_sendrecv_generic_if(sosreport_t)
 +corenet_tcp_sendrecv_generic_node(sosreport_t)
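Review bot: `kernel_request_load_module(sosreport_t)` is added without a comment saying which command in the report triggers the module-load request; the file already documents this kind of rule further down (`# needed by modinfo`), so the same one-line comment here would let the rule be re-checked later. Letting a domain ask the kernel to autoload modules is a broad permission for a diagnostics tool, which makes the trigger worth recording.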
@@ -85336,11 +85710,10 @@ index 703efa3..499d7e9 100644
 +corenet_tcp_connect_http_port(sosreport_t)
 +corenet_tcp_connect_all_ports(sosreport_t)
 +corenet_sendrecv_http_client_packets(sosreport_t)
-+
+ 
  corecmd_exec_all_executables(sosreport_t)
  
- dev_getattr_all_chr_files(sosreport_t)
-@@ -58,6 +81,9 @@ dev_read_rand(sosreport_t)
+@@ -58,6 +82,9 @@ dev_read_rand(sosreport_t)
  dev_read_urand(sosreport_t)
  dev_read_raw_memory(sosreport_t)
  dev_read_sysfs(sosreport_t)
@@ -85350,7 +85723,7 @@ index 703efa3..499d7e9 100644
  
  domain_getattr_all_domains(sosreport_t)
  domain_read_all_domains_state(sosreport_t)
-@@ -65,12 +91,13 @@ domain_getattr_all_sockets(sosreport_t)
+@@ -65,12 +92,13 @@ domain_getattr_all_sockets(sosreport_t)
  domain_getattr_all_pipes(sosreport_t)
  
  files_getattr_all_sockets(sosreport_t)
@@ -85365,7 +85738,7 @@ index 703efa3..499d7e9 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -79,27 +106,41 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -79,27 +107,43 @@ files_manage_etc_runtime_files(sosreport_t)
  files_etc_filetrans_etc_runtime(sosreport_t, file)
  
  fs_getattr_all_fs(sosreport_t)
@@ -85388,6 +85761,8 @@ index 703efa3..499d7e9 100644
  
  init_domtrans_script(sosreport_t)
 +init_getattr_initctl(sosreport_t)
++init_status(sosreport_t)
++init_stream_connect(sosreport_t)
  
  libs_domtrans_ldconfig(sosreport_t)
  
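Review bot: `init_status(sosreport_t)` and `init_stream_connect(sosreport_t)` carry no comment; `init_stream_connect` in particular grants a connection to init's socket rather than just a status read, so a comment such as `# needed by systemctl` would tie the two rules to their purpose and show that both are required.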
@@ -85410,10 +85785,14 @@ index 703efa3..499d7e9 100644
  ')
  
  optional_policy(`
-@@ -111,6 +152,11 @@ optional_policy(`
+@@ -111,6 +155,15 @@ optional_policy(`
  ')
  
  optional_policy(`
++    lvm_dontaudit_access_check_lock(sosreport_t)
++')
++
++optional_policy(`
 +	# needed by modinfo
 +	modutils_read_module_deps(sosreport_t)
 +')
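Review bot: the added `lvm_dontaudit_access_check_lock(sosreport_t)` block is indented with spaces while the adjacent `modutils_read_module_deps` block uses a tab; keep tabs for consistency with the rest of sosreport.te.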
@@ -85422,6 +85801,27 @@ index 703efa3..499d7e9 100644
  	fstools_domtrans(sosreport_t)
  ')
  
+@@ -120,6 +173,10 @@ optional_policy(`
+ 	optional_policy(`
+ 		hal_dbus_chat(sosreport_t)
+ 	')
++
++    optional_policy(`
++        rpm_dbus_chat(sosreport_t)
++    ')
+ ')
+ 
+ optional_policy(`
+@@ -141,5 +198,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    setroubleshoot_signull(sosreport_t)
++')
++
++optional_policy(`
+ 	xserver_stream_connect(sosreport_t)
+ ')
 diff --git a/soundserver.if b/soundserver.if
 index a5abc5a..b9eff74 100644
 --- a/soundserver.if
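Review bot: in the sosreport.te hunk above, the nested `rpm_dbus_chat(sosreport_t)` block and the `setroubleshoot_signull(sosreport_t)` block use space indentation where the surrounding `hal_dbus_chat` and `xserver_stream_connect` blocks use tabs; convert them to tabs. Placing `rpm_dbus_chat` in the same nested block as `hal_dbus_chat` is the right spot for a dbus chat rule.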
@@ -87414,7 +87814,7 @@ index a240455..16a04bf 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 8b537aa..3bce4df 100644
+index 8b537aa..92ad8d0 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -1,4 +1,4 @@
@@ -87457,9 +87857,11 @@ index 8b537aa..3bce4df 100644
  logging_log_filetrans(sssd_t, sssd_var_log_t, file)
  
  manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+@@ -62,17 +63,11 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+ 
  kernel_read_network_state(sssd_t)
  kernel_read_system_state(sssd_t)
++kernel_request_load_module(sssd_t)
  
 -corenet_all_recvfrom_unlabeled(sssd_t)
 -corenet_all_recvfrom_netlabel(sssd_t)
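Review bot: `kernel_request_load_module(sssd_t)` is added unconditionally and without a comment naming the module sssd causes the kernel to load; for a long-running daemon, a comment (or a bug reference) recording that trigger makes it possible to drop the rule again if the dependency goes away.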
@@ -87475,7 +87877,7 @@ index 8b537aa..3bce4df 100644
  
  corecmd_exec_bin(sssd_t)
  
-@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,9 +78,7 @@ domain_read_all_domains_state(sssd_t)
  domain_obj_id_change_exemption(sssd_t)
  
  files_list_tmp(sssd_t)
@@ -87485,7 +87887,7 @@ index 8b537aa..3bce4df 100644
  files_list_var_lib(sssd_t)
  
  fs_list_inotifyfs(sssd_t)
-@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t)
+@@ -94,14 +87,15 @@ selinux_validate_context(sssd_t)
  
  seutil_read_file_contexts(sssd_t)
  # sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
@@ -87503,7 +87905,7 @@ index 8b537aa..3bce4df 100644
  auth_domtrans_chk_passwd(sssd_t)
  auth_domtrans_upd_passwd(sssd_t)
  auth_manage_cache(sssd_t)
-@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +106,32 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -97607,10 +98009,10 @@ index eecd0e0..8df2e8c 100644
  
  /var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
 diff --git a/watchdog.te b/watchdog.te
-index 29f79e8..01df7d7 100644
+index 29f79e8..026b259 100644
 --- a/watchdog.te
 +++ b/watchdog.te
-@@ -12,12 +12,18 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
+@@ -12,29 +12,41 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
  type watchdog_initrc_exec_t;
  init_script_file(watchdog_initrc_exec_t)
  
@@ -97629,9 +98031,15 @@ index 29f79e8..01df7d7 100644
  ########################################
  #
  # Local policy
-@@ -29,8 +35,12 @@ allow watchdog_t self:process { setsched signal_perms };
+ #
+ 
+-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
++allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw };
+ dontaudit watchdog_t self:capability sys_tty_config;
+ allow watchdog_t self:process { setsched signal_perms };
  allow watchdog_t self:fifo_file rw_fifo_file_perms;
  allow watchdog_t self:tcp_socket { accept listen };
++allow watchdog_t self:rawip_socket create_socket_perms;
  
 -allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 -logging_log_filetrans(watchdog_t, watchdog_log_t, file)
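Review bot: the new `net_raw` capability and `allow watchdog_t self:rawip_socket create_socket_perms;` rule should carry a comment explaining the raw socket use; `create_socket_perms` covers the full create/bind/read/write/ioctl set, so naming the feature that needs it (the daemon's ICMP ping check is the usual one) documents why the broad permission is granted and keeps the capability and socket-class rules visibly paired.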
@@ -97644,7 +98052,12 @@ index 29f79e8..01df7d7 100644
  
  manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
  files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
-@@ -63,7 +73,6 @@ domain_signull_all_domains(watchdog_t)
+ 
++kernel_read_network_state(watchdog_t)
+ kernel_read_system_state(watchdog_t)
+ kernel_read_kernel_sysctls(watchdog_t)
+ kernel_unmount_proc(watchdog_t)
+@@ -63,7 +75,6 @@ domain_signull_all_domains(watchdog_t)
  domain_signal_all_domains(watchdog_t)
  domain_kill_all_domains(watchdog_t)
  
@@ -97652,7 +98065,7 @@ index 29f79e8..01df7d7 100644
  files_manage_etc_runtime_files(watchdog_t)
  files_etc_filetrans_etc_runtime(watchdog_t, file)
  
-@@ -72,11 +81,10 @@ fs_getattr_all_fs(watchdog_t)
+@@ -72,11 +83,10 @@ fs_getattr_all_fs(watchdog_t)
  fs_search_auto_mountpoints(watchdog_t)
  
  auth_append_login_records(watchdog_t)
@@ -97665,7 +98078,7 @@ index 29f79e8..01df7d7 100644
  sysnet_dns_name_resolve(watchdog_t)
  
  userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
-@@ -97,3 +105,28 @@ optional_policy(`
+@@ -97,3 +107,28 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(watchdog_t)
  ')
@@ -100079,7 +100492,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..79317e6 100644
+index 46e4cd3..2fcd510 100644
 --- a/zabbix.te
 +++ b/zabbix.te
 @@ -6,21 +6,23 @@ policy_module(zabbix, 1.5.3)
@@ -100256,7 +100669,13 @@ index 46e4cd3..79317e6 100644
  
  corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
  corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -182,7 +174,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+@@ -177,12 +169,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+ dev_getattr_all_blk_files(zabbix_agent_t)
+ dev_getattr_all_chr_files(zabbix_agent_t)
+ 
+-domain_search_all_domains_state(zabbix_agent_t)
++domain_read_all_domains_state(zabbix_agent_t)
+ 
  files_getattr_all_dirs(zabbix_agent_t)
  files_getattr_all_files(zabbix_agent_t)
  files_read_all_symlinks(zabbix_agent_t)
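Review bot: moving `zabbix_agent_t` from `domain_search_all_domains_state` to `domain_read_all_domains_state` broadens the agent from traversing /proc/<pid> directories to reading the state files of every domain on the system; a comment stating which agent check needs this would help, and if only a subset of process data is required, a narrower interface would keep the agent from reading state of unrelated domains.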
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f8633b7..3baf4df 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 104%{?dist}
+Release: 105%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -573,6 +573,48 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Nov 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-105
+- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel.
+- Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on
+- Add lsmd_plugin_t for lsm plugins
+- Allow dovecot-deliver to search mountpoints
+- Add labeling for /etc/mdadm.conf
+- Allow opelmi admin providers to dbus chat with init_t
+- Allow sblim domain to read /dev/urandom and /dev/random
+- Allow apmd to request the kernel load modules
+- Add glusterd_brick_t type
+- label mate-keyring-daemon with gkeyringd_exec_t
+- Add plymouthd_create_log()
+- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
+- Allow sssd to request the kernel loads modules
+- Allow gpg_agent to use ssh-add
+- Allow gpg_agent to use ssh-add
+- Dontaudit access check on /root for myslqd_safe_t
+- Allow ctdb to getattr on al filesystems
+- Allow abrt to stream connect to syslog
+- Allow dnsmasq to list dnsmasq.d directory
+- Watchdog opens the raw socket
+- Allow watchdog to read network state info
+- Dontaudit access check on lvm lock dir
+- Allow sosreport to send signull to setroubleshootd
+- Add setroubleshoot_signull() interface
+- Fix ldap_read_certs() interface
+- Allow sosreport all signal perms
+- Allow sosreport to run systemctl
+- Allow sosreport to dbus chat with rpm
+- Add glusterd_brick_t files type
+- Allow zabbix_agentd to read all domain state
+- Clean up rtas.if
+- Allow smoltclient to execute ldconfig
+- Allow sosreport to request the kernel to load a module
+- Fix userdom_confined_admin_template()
+- Add back exec_content boolean for secadm, logadm, auditadm
+- Fix files_filetrans_system_db_named_files() interface
+- Allow sulogin to getattr on /proc/kcore
+- Add filename transition also for servicelog.db-journal
+- Add files_dontaudit_access_check_root()
+- Add lvm_dontaudit_access_check_lock() interface
+
 * Thu Nov 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-104
 - Allow watchdog to read /etc/passwd
 - Allow browser plugins to connect to bumblebee
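Review bot: the new changelog entry lists "Allow gpg_agent to use ssh-add" twice and has apparent typos in "opelmi" (openlmi), "myslqd_safe_t" (mysqld_safe_t) and "al filesystems" (all filesystems); drop the duplicate line and fix the spellings, since the spec changelog is the user-facing record of what changed in 3.12.1-105.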

