[selinux-policy] - DRM master and input event devices are used by the TakeDevice API - Clean up bumblebee policy - U

Miroslav Grepl mgrepl at fedoraproject.org
Mon Dec 9 07:16:23 UTC 2013


commit 4b8334da4ce8f7817a06bb286ab49c46c377fb19
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Dec 9 08:16:07 2013 +0100

    - DRM master and input event devices are used by the TakeDevice API
    - Clean up bumblebee policy
    - Update pegasus_openlmi_storage_t policy
    - opensm policy clean up
    - openwsman policy clean up
    - ninfod policy clean up
    - Allow conman to connect to freeipmi services and clean up conman policy
    - Allow conmand just bind on 7890 port
    - Add freeipmi_stream_connect() interface
    - Allow logwatch read madm.conf to support RAID setup
    - Add raid_read_conf_files() interface
    - Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
    - add rpm_named_filetrans_log_files() interface
    - Added policy for conmand
    - Allow dkim-milter to create files/dirs in /tmp
    - update freeipmi policy
    - Add policy for freeipmi services
    - Added rdisc_admin and rdisc_systemctl interfaces
    - Fix aliases in pegasus.te
    - Allow chrome sandbox to read generic cache files in homedir
    - Dontaudit mandb searching all mountpoints
    - Make sure wine domains create .wine with the correct label
    - Add proper aliases for pegasus_openlmi_services_exec_t and pegasus_openlmi_services_t
    - Allow windbind the kill capability
    - DRM master and input event devices are used by  the TakeDevice API
    - add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
    - Added support for default conman port
    - Add interfaces for ipmi devices
    - Make sure wine domains create .wine with the correct label
    - Allow manage dirs in kernel_manage_debugfs interface.
    - Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
    - Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
    - Fix userdom_confined_admin_template()
    - Add back exec_content boolean for secadm, logadm, auditadm
    - Fix files_filetrans_system_db_named_files() interface
    - Allow sulogin to getattr on /proc/kcore
    - Add filename transition also for servicelog.db-journal
    - Add files_dontaudit_access_check_root()
    - Add lvm_dontaudit_access_check_lock() interface

 policy-rawhide-base.patch    |  830 ++++++++++++++++++++----------------------
 policy-rawhide-contrib.patch |  825 +++++++++++++++++++++++++++++++++++-------
 selinux-policy.spec          |   44 +++-
 3 files changed, 1138 insertions(+), 561 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2faa209..0dea9cd 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5363,7 +5363,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..6c1f7f5 100644
+index b191055..a5e72c3 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5450,7 +5450,7 @@ index b191055..6c1f7f5 100644
  network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
  network_port(audit, tcp,60,s0)
  network_port(auth, tcp,113,s0)
-@@ -96,19 +119,19 @@ network_port(boinc, tcp,31416,s0)
+@@ -96,19 +119,20 @@ network_port(boinc, tcp,31416,s0)
  network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
  network_port(biff) # no defined portcon
  network_port(certmaster, tcp,51235,s0)
@@ -5466,6 +5466,7 @@ index b191055..6c1f7f5 100644
  network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
  network_port(comsat, udp,512,s0)
  network_port(condor, tcp,9618,s0, udp,9618,s0)
++network_port(conman, tcp,7890,s0, udp,7890,s0)
  network_port(couchdb, tcp,5984,s0, udp,5984,s0)
 -network_port(cslistener, tcp,9000,s0, udp,9000,s0)
 -network_port(ctdb, tcp,4379,s0, udp,4397,s0)
@@ -5473,7 +5474,7 @@ index b191055..6c1f7f5 100644
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -119,20 +142,27 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+@@ -119,20 +143,27 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -5503,7 +5504,7 @@ index b191055..6c1f7f5 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +170,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +171,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5570,7 +5571,7 @@ index b191055..6c1f7f5 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +223,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +224,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5609,7 +5610,7 @@ index b191055..6c1f7f5 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -215,39 +260,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,39 +261,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5662,7 +5663,7 @@ index b191055..6c1f7f5 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -259,8 +310,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -259,8 +311,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5673,7 +5674,7 @@ index b191055..6c1f7f5 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
-@@ -271,10 +323,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -271,10 +324,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5686,7 +5687,7 @@ index b191055..6c1f7f5 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +340,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +341,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5713,7 +5714,7 @@ index b191055..6c1f7f5 100644
  
  ########################################
  #
-@@ -333,6 +389,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +390,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5722,7 +5723,7 @@ index b191055..6c1f7f5 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -345,9 +403,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +404,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -5871,7 +5872,7 @@ index b31c054..e4d61f5 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..b708d28 100644
+index 76f285e..2b2f4b0 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6288,122 +6289,85 @@ index 76f285e..b708d28 100644
  #######################################
  ## <summary>
  ##	Set the attributes of the dlm control devices.
-@@ -2402,7 +2605,7 @@ interface(`dev_filetrans_lirc',`
+@@ -1883,6 +2086,25 @@ interface(`dev_rw_dri',`
  
  ########################################
  ## <summary>
--##	Get the attributes of the lvm comtrol device.
-+##	Get the attributes of the loop comtrol device.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2410,17 +2613,17 @@ interface(`dev_filetrans_lirc',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_getattr_lvm_control',`
-+interface(`dev_getattr_loop_control',`
- 	gen_require(`
--		type device_t, lvm_control_t;
-+		type device_t, loop_control_device_t;
- 	')
- 
--	getattr_chr_files_pattern($1, device_t, lvm_control_t)
-+	getattr_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read the lvm comtrol device.
-+##	Read the loop comtrol device.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2428,17 +2631,17 @@ interface(`dev_getattr_lvm_control',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_read_lvm_control',`
-+interface(`dev_read_loop_control',`
- 	gen_require(`
--		type device_t, lvm_control_t;
-+		type device_t, loop_control_device_t;
- 	')
- 
--	read_chr_files_pattern($1, device_t, lvm_control_t)
-+	read_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read and write the lvm control device.
-+##	Read and write the loop control device.
++##	Read and write the dri devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_inherited_dri',`
++	gen_require(`
++		type device_t, dri_device_t;
++	')
++
++    allow $1 device_t:dir search_dir_perms;
++    allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Dontaudit read and write on the dri devices.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -2446,17 +2649,17 @@ interface(`dev_read_lvm_control',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_lvm_control',`
-+interface(`dev_rw_loop_control',`
- 	gen_require(`
--		type device_t, lvm_control_t;
-+		type device_t, loop_control_device_t;
- 	')
- 
--	rw_chr_files_pattern($1, device_t, lvm_control_t)
-+	rw_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
+@@ -2017,7 +2239,7 @@ interface(`dev_rw_input_dev',`
  
  ########################################
  ## <summary>
--##	Do not audit attempts to read and write lvm control device.
-+##	Do not audit attempts to read and write loop control device.
+-##	Get the attributes of the framebuffer device node.
++##	Read input event devices (/dev/input).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2464,17 +2667,17 @@ interface(`dev_rw_lvm_control',`
+@@ -2025,17 +2247,19 @@ interface(`dev_rw_input_dev',`
  ##	</summary>
  ## </param>
  #
--interface(`dev_dontaudit_rw_lvm_control',`
-+interface(`dev_dontaudit_rw_loop_control',`
+-interface(`dev_getattr_framebuffer_dev',`
++interface(`dev_rw_inherited_input_dev',`
  	gen_require(`
--		type lvm_control_t;
-+		type loop_control_device_t;
+-		type device_t, framebuf_device_t;
++		type device_t, event_device_t;
  	')
  
--	dontaudit $1 lvm_control_t:chr_file rw_file_perms;
-+	dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
+-	getattr_chr_files_pattern($1, device_t, framebuf_device_t)
++    allow $1 device_t:dir search_dir_perms;
++    allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
  ')
  
++
  ########################################
  ## <summary>
--##	Delete the lvm control device.
-+##	Delete the loop control device.
+-##	Set the attributes of the framebuffer device node.
++##	Read ipmi devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2482,35 +2685,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
+@@ -2043,36 +2267,35 @@ interface(`dev_getattr_framebuffer_dev',`
  ##	</summary>
  ## </param>
  #
--interface(`dev_delete_lvm_control_dev',`
-+interface(`dev_delete_loop_control_dev',`
+-interface(`dev_setattr_framebuffer_dev',`
++interface(`dev_read_ipmi_dev',`
  	gen_require(`
--		type device_t, lvm_control_t;
-+		type device_t, loop_control_device_t;
+-		type device_t, framebuf_device_t;
++		type device_t, ipmi_device_t;
  	')
  
--	delete_chr_files_pattern($1, device_t, lvm_control_t)
-+	delete_chr_files_pattern($1, device_t, loop_control_device_t)
+-	setattr_chr_files_pattern($1, device_t, framebuf_device_t)
++	read_chr_files_pattern($1, device_t, ipmi_device_t)
  ')
  
  ########################################
  ## <summary>
--##	dontaudit getattr raw memory devices (e.g. /dev/mem).
-+##	Get the attributes of the loop comtrol device.
+-##	Dot not audit attempts to set the attributes
+-##	of the framebuffer device node.
++##	Read and write ipmi devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
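Review bot: The summaries of the two interfaces added at the top of this hunk do not say what they actually grant: `dev_rw_inherited_dri` is documented as "Read and write the dri devices." (the same wording as a plain rw interface) and `dev_rw_inherited_input_dev` as "Read input event devices (/dev/input)." even though both use rw_inherited_chr_file_perms, whose point, as I recall its definition in the Fedora perm sets, is to let a domain use an already-open descriptor (the TakeDevice hand-over named in the changelog) without granting `open`. Suggest `##	Read and write dri devices through an inherited file descriptor (no open).` and `##	Read and write input event devices (/dev/input) through an inherited file descriptor (no open).` so a policy writer does not reach for these when the domain must open the node itself. The two `allow $1 ...` lines in each body are indented with four spaces while the rest of devices.if uses tabs, and there is a stray extra blank line after the `')` closing `dev_rw_inherited_input_dev`. The `device_t:dir search_dir_perms` grant is arguably unnecessary for a descriptor that is already open, though it is harmless.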
@@ -6412,46 +6376,41 @@ index 76f285e..b708d28 100644
  ##	</summary>
  ## </param>
  #
--interface(`dev_dontaudit_getattr_memory_dev',`
-+interface(`dev_getattr_lvm_control',`
+-interface(`dev_dontaudit_setattr_framebuffer_dev',`
++interface(`dev_rw_ipmi_dev',`
  	gen_require(`
--		type memory_device_t;
-+		type device_t, lvm_control_t;
+-		type framebuf_device_t;
++		type device_t, ipmi_device_t;
  	')
  
--	dontaudit $1 memory_device_t:chr_file getattr;
-+	getattr_chr_files_pattern($1, device_t, lvm_control_t)
+-	dontaudit $1 framebuf_device_t:chr_file setattr;
++	rw_chr_files_pattern($1, device_t, ipmi_device_t)
  ')
  
  ########################################
  ## <summary>
--##	Read raw memory devices (e.g. /dev/mem).
-+##	Read the lvm comtrol device.
+-##	Read the framebuffer.
++##	Get the attributes of the framebuffer device node.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2518,16 +2721,106 @@ interface(`dev_dontaudit_getattr_memory_dev',`
+@@ -2080,9 +2303,64 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',`
  ##	</summary>
  ## </param>
  #
--interface(`dev_read_raw_memory',`
-+interface(`dev_read_lvm_control',`
+-interface(`dev_read_framebuffer',`
++interface(`dev_getattr_framebuffer_dev',`
  	gen_require(`
--		type device_t, memory_device_t;
--		attribute memory_raw_read;
-+		type device_t, lvm_control_t;
- 	')
- 
--	read_chr_files_pattern($1, device_t, memory_device_t)
--
--	allow $1 self:capability sys_rawio;
--	typeattribute $1 memory_raw_read;
-+	read_chr_files_pattern($1, device_t, lvm_control_t)
+-		type framebuf_device_t;
++		type device_t, framebuf_device_t;
++	')
++
++	getattr_chr_files_pattern($1, device_t, framebuf_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write the lvm control device.
++##	Set the attributes of the framebuffer device node.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6459,17 +6418,18 @@ index 76f285e..b708d28 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_lvm_control',`
++interface(`dev_setattr_framebuffer_dev',`
 +	gen_require(`
-+		type device_t, lvm_control_t;
++		type device_t, framebuf_device_t;
 +	')
 +
-+	rw_chr_files_pattern($1, device_t, lvm_control_t)
++	setattr_chr_files_pattern($1, device_t, framebuf_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to read and write lvm control device.
++##	Dot not audit attempts to set the attributes
++##	of the framebuffer device node.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6477,17 +6437,72 @@ index 76f285e..b708d28 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_rw_lvm_control',`
++interface(`dev_dontaudit_setattr_framebuffer_dev',`
++	gen_require(`
++		type framebuf_device_t;
++	')
++
++	dontaudit $1 framebuf_device_t:chr_file setattr;
++')
++
++########################################
++## <summary>
++##	Read the framebuffer.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_framebuffer',`
++	gen_require(`
++		type framebuf_device_t;
+ 	')
+ 
+ 	read_chr_files_pattern($1, device_t, framebuf_device_t)
+@@ -2402,7 +2680,97 @@ interface(`dev_filetrans_lirc',`
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of the lvm comtrol device.
++##	Get the attributes of the loop comtrol device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_getattr_loop_control',`
++	gen_require(`
++		type device_t, loop_control_device_t;
++	')
++
++	getattr_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++## <summary>
++##	Read the loop comtrol device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_loop_control',`
 +	gen_require(`
-+		type lvm_control_t;
++		type device_t, loop_control_device_t;
 +	')
 +
-+	dontaudit $1 lvm_control_t:chr_file rw_file_perms;
++	read_chr_files_pattern($1, device_t, loop_control_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Delete the lvm control device.
++##	Read and write the loop control device.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
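Review bot: `dev_read_framebuffer`, as re-added in this hunk, requires only `type framebuf_device_t;` while its body calls `read_chr_files_pattern($1, device_t, framebuf_device_t)`, so device_t is referenced without being listed in gen_require; the neighbouring `dev_getattr_framebuffer_dev` and `dev_setattr_framebuffer_dev` in the previous hunk require `type device_t, framebuf_device_t;`. This looks carried over from the upstream definition rather than introduced by this commit, but since the block is being rewritten here anyway the require line should become `		type device_t, framebuf_device_t;`. It presumably builds today only because device_t is declared in the same base module; the mismatch is the kind of thing that surfaces as an undeclared-type error when an interface is reused from a separately compiled module.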
@@ -6495,17 +6510,17 @@ index 76f285e..b708d28 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_delete_lvm_control_dev',`
++interface(`dev_rw_loop_control',`
 +	gen_require(`
-+		type device_t, lvm_control_t;
++		type device_t, loop_control_device_t;
 +	')
 +
-+	delete_chr_files_pattern($1, device_t, lvm_control_t)
++	rw_chr_files_pattern($1, device_t, loop_control_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	dontaudit getattr raw memory devices (e.g. /dev/mem).
++##	Do not audit attempts to read and write loop control device.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6513,17 +6528,17 @@ index 76f285e..b708d28 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_getattr_memory_dev',`
++interface(`dev_dontaudit_rw_loop_control',`
 +	gen_require(`
-+		type memory_device_t;
++		type loop_control_device_t;
 +	')
 +
-+	dontaudit $1 memory_device_t:chr_file getattr;
++	dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Read raw memory devices (e.g. /dev/mem).
++##	Delete the loop control device.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6531,20 +6546,21 @@ index 76f285e..b708d28 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_read_raw_memory',`
++interface(`dev_delete_loop_control_dev',`
 +	gen_require(`
-+		type device_t, memory_device_t;
-+		attribute memory_raw_read;
++		type device_t, loop_control_device_t;
 +	')
 +
-+	read_chr_files_pattern($1, device_t, memory_device_t)
++	delete_chr_files_pattern($1, device_t, loop_control_device_t)
++')
 +
-+	allow $1 self:capability sys_rawio;
-+	typeattribute $1 memory_raw_read;
- ')
- 
- ########################################
-@@ -2725,7 +3018,7 @@ interface(`dev_write_misc',`
++########################################
++## <summary>
++##	Get the attributes of the loop comtrol device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2725,7 +3093,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -6553,7 +6569,7 @@ index 76f285e..b708d28 100644
  ##	</summary>
  ## </param>
  #
-@@ -2903,20 +3196,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3271,20 @@ interface(`dev_getattr_mtrr_dev',`
  
  ########################################
  ## <summary>
@@ -6578,7 +6594,7 @@ index 76f285e..b708d28 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -2925,43 +3218,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3293,34 @@ interface(`dev_getattr_mtrr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -6634,7 +6650,7 @@ index 76f285e..b708d28 100644
  ##	range registers (MTRR).
  ## </summary>
  ## <param name="domain">
-@@ -2970,13 +3254,13 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3329,13 @@ interface(`dev_write_mtrr',`
  ##	</summary>
  ## </param>
  #
@@ -6651,7 +6667,7 @@ index 76f285e..b708d28 100644
  ')
  
  ########################################
-@@ -3144,6 +3428,42 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3503,42 @@ interface(`dev_create_null_dev',`
  
  ########################################
  ## <summary>
@@ -6694,7 +6710,7 @@ index 76f285e..b708d28 100644
  ##	Do not audit attempts to get the attributes
  ##	of the BIOS non-volatile RAM device.
  ## </summary>
-@@ -3163,6 +3483,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3558,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
  
  ########################################
  ## <summary>
@@ -6719,7 +6735,7 @@ index 76f285e..b708d28 100644
  ##	Read and write BIOS non-volatile RAM.
  ## </summary>
  ## <param name="domain">
-@@ -3254,7 +3592,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3667,25 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -6746,7 +6762,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3262,12 +3618,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3693,13 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
@@ -6763,7 +6779,7 @@ index 76f285e..b708d28 100644
  ')
  
  ########################################
-@@ -3399,7 +3756,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +3831,7 @@ interface(`dev_dontaudit_read_rand',`
  
  ########################################
  ## <summary>
@@ -6772,7 +6788,7 @@ index 76f285e..b708d28 100644
  ##	number generator devices (e.g., /dev/random)
  ## </summary>
  ## <param name="domain">
-@@ -3413,7 +3770,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +3845,7 @@ interface(`dev_dontaudit_append_rand',`
  		type random_device_t;
  	')
  
@@ -6781,7 +6797,7 @@ index 76f285e..b708d28 100644
  ')
  
  ########################################
-@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4287,7 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -6790,7 +6806,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3863,53 +4220,53 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,53 +4295,53 @@ interface(`dev_getattr_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -6855,7 +6871,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3917,37 +4274,35 @@ interface(`dev_list_sysfs',`
+@@ -3917,37 +4349,35 @@ interface(`dev_list_sysfs',`
  ##	</summary>
  ## </param>
  #
@@ -6900,7 +6916,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3955,47 +4310,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,26 +4385,145 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -6918,91 +6934,63 @@ index 76f285e..b708d28 100644
  ## <summary>
 -##	Read hardware state information.
 +##	Do not audit attempts to search sysfs.
- ## </summary>
--## <desc>
--##	<p>
--##	Allow the specified domain to read the contents of
--##	the sysfs filesystem.  This filesystem contains
--##	information, parameters, and other settings on the
--##	hardware installed on the system.
--##	</p>
--## </desc>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <infoflow type="read" weight="10"/>
- #
--interface(`dev_read_sysfs',`
++##	</summary>
++## </param>
++#
 +interface(`dev_dontaudit_search_sysfs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	read_files_pattern($1, sysfs_t, sysfs_t)
--	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
--
--	list_dirs_pattern($1, sysfs_t, sysfs_t)
++	gen_require(`
++		type sysfs_t;
++	')
++
 +	dontaudit $1 sysfs_t:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Allow caller to modify hardware state information.
++')
++
++########################################
++## <summary>
 +##	List the contents of the sysfs directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4003,20 +4346,18 @@ interface(`dev_read_sysfs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_sysfs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`dev_list_sysfs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	rw_files_pattern($1, sysfs_t, sysfs_t)
- 	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
--
- 	list_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read and write the TPM device.
++	gen_require(`
++		type sysfs_t;
++	')
++
++	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++	list_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
 +##	Write in a sysfs directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4024,22 +4365,211 @@ interface(`dev_rw_sysfs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_tpm',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +# cjp: added for cpuspeed
 +interface(`dev_write_sysfs_dirs',`
- 	gen_require(`
--		type device_t, tpm_device_t;
++	gen_require(`
 +		type sysfs_t;
- 	')
- 
--	rw_chr_files_pattern($1, device_t, tpm_device_t)
++	')
++
 +	allow $1 sysfs_t:dir write;
- ')
- 
- ########################################
- ## <summary>
--##	Read from pseudo random number generator devices (e.g., /dev/urandom).
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to write in a sysfs directory.
- ## </summary>
--## <desc>
--##	<p>
--##	Allow the specified domain to read from pseudo random number
--##	generator devices (e.g., /dev/urandom).  Typically this is
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
@@ -7044,7 +7032,15 @@ index 76f285e..b708d28 100644
 +########################################
 +## <summary>
 +##	Relabel cpu online hardware state information.
-+## </summary>
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read the contents of
+-##	the sysfs filesystem.  This filesystem contains
+-##	information, parameters, and other settings on the
+-##	hardware installed on the system.
+-##	</p>
+-## </desc>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
@@ -7074,47 +7070,13 @@ index 76f285e..b708d28 100644
 +##	hardware installed on the system.
 +##	</p>
 +## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <infoflow type="read" weight="10"/>
-+#
-+interface(`dev_read_sysfs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
-+	read_files_pattern($1, sysfs_t, sysfs_t)
-+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+
-+	list_dirs_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Allow caller to modify hardware state information.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_rw_sysfs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
-+	rw_files_pattern($1, sysfs_t, sysfs_t)
-+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+
-+	list_dirs_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+## <summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+@@ -4016,6 +4565,62 @@ interface(`dev_rw_sysfs',`
+ 
+ ########################################
+ ## <summary>
 +##	Relabel hardware state directories.
 +## </summary>
 +## <param name="domain">
@@ -7171,34 +7133,10 @@ index 76f285e..b708d28 100644
 +
 +########################################
 +## <summary>
-+##	Read and write the TPM device.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_rw_tpm',`
-+	gen_require(`
-+		type device_t, tpm_device_t;
-+	')
-+
-+	rw_chr_files_pattern($1, device_t, tpm_device_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read from pseudo random number generator devices (e.g., /dev/urandom).
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Allow the specified domain to read from pseudo random number
-+##	generator devices (e.g., /dev/urandom).  Typically this is
- ##	used in situations when a cryptographically secure random
- ##	number is not necessarily needed.  One example is the Stack
- ##	Smashing Protector (SSP, formerly known as ProPolice) support
-@@ -4113,6 +4643,25 @@ interface(`dev_write_urand',`
+ ##	Read and write the TPM device.
+ ## </summary>
+ ## <param name="domain">
+@@ -4113,6 +4718,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -7224,7 +7162,7 @@ index 76f285e..b708d28 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4409,9 +4958,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +5033,9 @@ interface(`dev_rw_usbfs',`
  	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
  ')
  
@@ -7236,7 +7174,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4419,17 +4968,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5043,17 @@ interface(`dev_rw_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -7259,7 +7197,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4437,12 +4986,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5061,12 @@ interface(`dev_getattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -7275,7 +7213,7 @@ index 76f285e..b708d28 100644
  ')
  
  ########################################
-@@ -4539,6 +5088,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5163,134 @@ interface(`dev_write_video_dev',`
  
  ########################################
  ## <summary>
@@ -7410,7 +7348,7 @@ index 76f285e..b708d28 100644
  ##	Allow read/write the vhost net device
  ## </summary>
  ## <param name="domain">
-@@ -4557,6 +5234,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5309,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -7435,7 +7373,7 @@ index 76f285e..b708d28 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4762,6 +5457,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5532,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -7462,7 +7400,7 @@ index 76f285e..b708d28 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4851,3 +5566,943 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5641,943 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -8707,7 +8645,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..83fca99 100644
+index cf04cb5..c47a578 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8844,7 +8782,7 @@ index cf04cb5..83fca99 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,314 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -8876,6 +8814,10 @@ index cf04cb5..83fca99 100644
 +	seutil_filetrans_named_content(named_filetrans_domain)
 +')
 +
++optional_policy(`
++	wine_filetrans_named_content(named_filetrans_domain)
++')
++
 +storage_filetrans_all_named_dev(named_filetrans_domain)
 +
 +term_filetrans_all_named_dev(named_filetrans_domain)
@@ -14241,7 +14183,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..fe5be66 100644
+index e100d88..e7d9f85 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -14253,6 +14195,16 @@ index e100d88..fe5be66 100644
  ')
  
  ########################################
+@@ -762,8 +762,8 @@ interface(`kernel_manage_debugfs',`
+ 	')
+ 
+ 	manage_files_pattern($1, debugfs_t, debugfs_t)
++    manage_dirs_pattern($1,debugfs_t, debugfs_t)
+ 	read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+-	list_dirs_pattern($1, debugfs_t, debugfs_t)
+ ')
+ 
+ ########################################
 @@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
  
  ########################################
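Review bot: The added `manage_dirs_pattern($1,debugfs_t, debugfs_t)` line is indented with four spaces and has no space after the first comma, while the neighbouring lines use a tab and the `$1, debugfs_t, debugfs_t` spacing; it should read `	manage_dirs_pattern($1, debugfs_t, debugfs_t)`. Dropping `list_dirs_pattern` looks safe because manage_dirs_pattern already covers listing, but the interface now also grants directory create and delete in debugfs, which the kernel_manage_debugfs summary (outside this hunk) should state so callers understand the widened scope. The interface definition starts outside the hunk.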
@@ -37706,10 +37658,10 @@ index 0000000..35b4178
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..a88f6e2
+index 0000000..c31945a
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,651 @@
+@@ -0,0 +1,652 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -37820,6 +37772,7 @@ index 0000000..a88f6e2
 +dev_getattr_all_blk_files(systemd_logind_t)
 +dev_rw_sysfs(systemd_logind_t)
 +dev_rw_input_dev(systemd_logind_t)
++dev_rw_inherited_dri(systemd_logind_t)
 +dev_setattr_all_chr_files(systemd_logind_t)
 +dev_setattr_dri_dev(systemd_logind_t)
 +dev_setattr_generic_usb_dev(systemd_logind_t)
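Review bot: The new `dev_rw_inherited_dri(systemd_logind_t)` line carries no comment explaining why logind needs read/write on an inherited DRM file descriptor, and nothing nearby ties it to the TakeDevice API named in the commit message; a line such as `# TakeDevice API: logind opens the DRM device and keeps rw on the fd it hands out` above it would record that. The commit message also says input event devices are used by TakeDevice and that dev_rw_inherited_input_dev() was added, yet only the DRI variant is applied here while the existing `dev_rw_input_dev` line above is unchanged; if the inherited input interface was meant for logind as well, it appears to be missing. The systemd_logind_t block starts and ends outside the hunk.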
@@ -39717,7 +39670,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..dacbee8 100644
+index 9dc60c6..a964b08 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40687,7 +40640,7 @@ index 9dc60c6..dacbee8 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,82 +984,101 @@ template(`userdom_login_user_template', `
+@@ -761,83 +984,107 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -40793,39 +40746,45 @@ index 9dc60c6..dacbee8 100644
 +		kerberos_use($1_usertype)
 +		init_write_key($1_usertype)
 +	')
++
++	optional_policy(`
++		mysql_filetrans_named_content($1_usertype)
++	')
  
  	optional_policy(`
 -		cups_read_config($1_t)
 -		cups_stream_connect($1_t)
 -		cups_stream_connect_ptal($1_t)
-+		mysql_filetrans_named_content($1_usertype)
++		mta_dontaudit_read_spool_symlinks($1_usertype)
  	')
  
  	optional_policy(`
 -		kerberos_use($1_t)
-+		mta_dontaudit_read_spool_symlinks($1_usertype)
++		quota_dontaudit_getattr_db($1_usertype)
  	')
  
  	optional_policy(`
 -		mta_dontaudit_read_spool_symlinks($1_t)
-+		quota_dontaudit_getattr_db($1_usertype)
++		rpm_read_db($1_usertype)
++		rpm_dontaudit_manage_db($1_usertype)
++		rpm_read_cache($1_usertype)
  	')
  
  	optional_policy(`
 -		quota_dontaudit_getattr_db($1_t)
-+		rpm_read_db($1_usertype)
-+		rpm_dontaudit_manage_db($1_usertype)
-+		rpm_read_cache($1_usertype)
++		oddjob_run_mkhomedir($1_t, $1_r)
  	')
  
  	optional_policy(`
 -		rpm_read_db($1_t)
 -		rpm_dontaudit_manage_db($1_t)
-+		oddjob_run_mkhomedir($1_t, $1_r)
++		wine_filetrans_named_content($1_usertype)
  	')
++
  ')
  
-@@ -868,6 +1110,12 @@ template(`userdom_restricted_user_template',`
+ #######################################
+@@ -868,6 +1115,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -40838,7 +40797,7 @@ index 9dc60c6..dacbee8 100644
  	##############################
  	#
  	# Local policy
-@@ -907,60 +1155,144 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,56 +1160,140 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
@@ -40917,12 +40876,14 @@ index 9dc60c6..dacbee8 100644
 +			abrt_dbus_chat($1_usertype)
 +			abrt_run_helper($1_usertype, $1_r)
 +		')
-+
-+		optional_policy(`
+ 
+ 		optional_policy(`
+-			consolekit_dbus_chat($1_t)
 +			accountsd_dbus_chat($1_usertype)
-+		')
-+
-+		optional_policy(`
+ 		')
+ 
+ 		optional_policy(`
+-			cups_dbus_chat($1_t)
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
 +		')
@@ -40937,14 +40898,12 @@ index 9dc60c6..dacbee8 100644
 +			devicekit_dbus_chat_disk($1_usertype)
 +			devicekit_dbus_chat_power($1_usertype)
 +		')
- 
- 		optional_policy(`
--			consolekit_dbus_chat($1_t)
++
++		optional_policy(`
 +			fprintd_dbus_chat($1_t)
- 		')
- 
- 		optional_policy(`
--			cups_dbus_chat($1_t)
++		')
++
++		optional_policy(`
 +			realmd_dbus_chat($1_t)
  		')
  
@@ -40970,10 +40929,6 @@ index 9dc60c6..dacbee8 100644
 -')
  
 -#######################################
--## <summary>
--##	The template for creating a unprivileged user roughly
--##	equivalent to a regular linux user.
--## </summary>
 +	optional_policy(`
 +		rtkit_scheduled($1_usertype)
 +	')
@@ -40996,14 +40951,10 @@ index 9dc60c6..dacbee8 100644
 +')
 +
 +#######################################
-+## <summary>
-+##	The template for creating a unprivileged user roughly
-+##	equivalent to a regular linux user.
-+## </summary>
- ## <desc>
- ##	<p>
+ ## <summary>
  ##	The template for creating a unprivileged user roughly
-@@ -987,27 +1319,33 @@ template(`userdom_unpriv_user_template', `
+ ##	equivalent to a regular linux user.
+@@ -987,27 +1324,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -41041,7 +40992,7 @@ index 9dc60c6..dacbee8 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1018,23 +1356,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1361,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -41067,11 +41018,9 @@ index 9dc60c6..dacbee8 100644
 +
 +	tunable_policy(`selinuxuser_tcp_server',`
 +		corenet_tcp_bind_all_unreserved_ports($1_usertype)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		cdrecord_role($1_r, $1_t)
 +	')
 +
@@ -41104,15 +41053,17 @@ index 9dc60c6..dacbee8 100644
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1043,7 +1418,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1423,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -41123,7 +41074,7 @@ index 9dc60c6..dacbee8 100644
  	')
  ')
  
-@@ -1079,7 +1456,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1461,9 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -41134,7 +41085,7 @@ index 9dc60c6..dacbee8 100644
  	')
  
  	##############################
-@@ -1095,6 +1474,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1479,7 @@ template(`userdom_admin_user_template',`
  	role system_r types $1_t;
  
  	typeattribute $1_t admindomain;
@@ -41142,7 +41093,7 @@ index 9dc60c6..dacbee8 100644
  
  	ifdef(`direct_sysadm_daemon',`
  		domain_system_change_exemption($1_t)
-@@ -1106,6 +1486,7 @@ template(`userdom_admin_user_template',`
+@@ -1106,6 +1491,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -41150,7 +41101,7 @@ index 9dc60c6..dacbee8 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1114,6 +1495,9 @@ template(`userdom_admin_user_template',`
+@@ -1114,6 +1500,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -41160,7 +41111,7 @@ index 9dc60c6..dacbee8 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1128,6 +1512,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1517,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -41168,7 +41119,7 @@ index 9dc60c6..dacbee8 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1145,10 +1530,14 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1535,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -41183,7 +41134,7 @@ index 9dc60c6..dacbee8 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1159,29 +1548,38 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1553,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -41226,7 +41177,7 @@ index 9dc60c6..dacbee8 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1589,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1594,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -41235,7 +41186,7 @@ index 9dc60c6..dacbee8 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1598,17 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1603,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -41254,7 +41205,7 @@ index 9dc60c6..dacbee8 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1240,7 +1644,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1649,7 @@ template(`userdom_admin_user_template',`
  ##	</summary>
  ## </param>
  #
@@ -41263,7 +41214,7 @@ index 9dc60c6..dacbee8 100644
  	allow $1 self:capability { dac_read_search dac_override };
  
  	corecmd_exec_shell($1)
-@@ -1250,6 +1654,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1659,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -41272,7 +41223,7 @@ index 9dc60c6..dacbee8 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1262,8 +1668,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1673,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -41284,7 +41235,7 @@ index 9dc60c6..dacbee8 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1274,29 +1682,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1687,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -41327,7 +41278,7 @@ index 9dc60c6..dacbee8 100644
  	')
  
  	optional_policy(`
-@@ -1357,14 +1767,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1772,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -41346,7 +41297,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -1405,6 +1818,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1405,6 +1823,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -41398,7 +41349,7 @@ index 9dc60c6..dacbee8 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1509,11 +1967,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1972,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -41430,7 +41381,7 @@ index 9dc60c6..dacbee8 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1555,6 +2033,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2038,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -41445,7 +41396,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -1570,9 +2056,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2061,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -41457,7 +41408,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -1629,6 +2117,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2122,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -41500,7 +41451,7 @@ index 9dc60c6..dacbee8 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1708,6 +2232,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1708,6 +2237,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -41509,7 +41460,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -1741,10 +2267,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2272,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -41524,7 +41475,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -1769,7 +2297,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2302,25 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -41551,7 +41502,7 @@ index 9dc60c6..dacbee8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1779,53 +2325,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1779,53 +2330,70 @@ interface(`userdom_manage_user_home_content_dirs',`
  #
  interface(`userdom_delete_all_user_home_content_dirs',`
  	gen_require(`
@@ -41634,7 +41585,7 @@ index 9dc60c6..dacbee8 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1845,6 +2408,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1845,6 +2413,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -41660,7 +41611,7 @@ index 9dc60c6..dacbee8 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1875,14 +2457,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1875,14 +2462,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -41698,7 +41649,7 @@ index 9dc60c6..dacbee8 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1893,11 +2497,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2502,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -41716,7 +41667,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -1938,7 +2545,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2550,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -41725,7 +41676,7 @@ index 9dc60c6..dacbee8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,10 +2553,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2558,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -41738,7 +41689,7 @@ index 9dc60c6..dacbee8 100644
  	')
  
  	userdom_search_user_home_content($1)
-@@ -1958,7 +2564,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2569,7 @@ interface(`userdom_delete_all_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -41747,7 +41698,7 @@ index 9dc60c6..dacbee8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1966,17 +2572,71 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,30 +2577,84 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -41766,18 +41717,21 @@ index 9dc60c6..dacbee8 100644
  ## <summary>
 -##	Do not audit attempts to write user home files.
 +##	Delete sock files in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_relabel_user_home_content_files',`
 +interface(`userdom_delete_user_home_content_sock_files',`
-+	gen_require(`
-+		type user_home_t;
-+	')
-+
+ 	gen_require(`
+ 		type user_home_t;
+ 	')
+ 
+-	dontaudit $1 user_home_t:file relabel_file_perms;
 +	allow $1 user_home_t:sock_file delete_file_perms;
 +')
 +
@@ -41820,10 +41774,23 @@ index 9dc60c6..dacbee8 100644
 +########################################
 +## <summary>
 +##	Do not audit attempts to write user home files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2007,8 +2667,7 @@ interface(`userdom_read_user_home_content_symlinks',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_relabel_user_home_content_files',`
++	gen_require(`
++		type user_home_t;
++	')
++
++	dontaudit $1 user_home_t:file relabel_file_perms;
+ ')
+ 
+ ########################################
+@@ -2007,8 +2672,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -41833,7 +41800,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -2024,20 +2683,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2688,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -41858,7 +41825,7 @@ index 9dc60c6..dacbee8 100644
  
  ########################################
  ## <summary>
-@@ -2120,7 +2773,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2778,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -41867,7 +41834,7 @@ index 9dc60c6..dacbee8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2128,19 +2781,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2786,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -41891,7 +41858,7 @@ index 9dc60c6..dacbee8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2148,12 +2799,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2804,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -41907,7 +41874,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -2390,11 +3041,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2390,11 +3046,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -41922,7 +41889,7 @@ index 9dc60c6..dacbee8 100644
  	files_search_tmp($1)
  ')
  
-@@ -2414,7 +3065,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3070,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -41931,7 +41898,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -2661,6 +3312,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3317,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -41957,7 +41924,7 @@ index 9dc60c6..dacbee8 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2677,13 +3347,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2677,13 +3352,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -41973,7 +41940,7 @@ index 9dc60c6..dacbee8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2704,7 +3375,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2704,7 +3380,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -41982,7 +41949,7 @@ index 9dc60c6..dacbee8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2712,14 +3383,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2712,14 +3388,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -42017,7 +41984,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -2814,6 +3501,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3506,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -42042,7 +42009,7 @@ index 9dc60c6..dacbee8 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2832,22 +3537,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3542,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -42085,7 +42052,7 @@ index 9dc60c6..dacbee8 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2856,14 +3573,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3578,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -42123,7 +42090,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -2882,8 +3618,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3623,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -42153,7 +42120,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -2955,69 +3710,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3715,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -42254,7 +42221,7 @@ index 9dc60c6..dacbee8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3025,12 +3779,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3784,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -42269,7 +42236,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -3094,7 +3848,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +3853,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -42278,7 +42245,7 @@ index 9dc60c6..dacbee8 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3110,29 +3864,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +3869,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -42312,7 +42279,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -3214,7 +3952,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +3957,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -42339,7 +42306,7 @@ index 9dc60c6..dacbee8 100644
  ')
  
  ########################################
-@@ -3269,12 +4025,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4030,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -42355,7 +42322,7 @@ index 9dc60c6..dacbee8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3282,44 +4039,120 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,40 +4044,116 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -42405,10 +42372,9 @@ index 9dc60c6..dacbee8 100644
  ##	<summary>
 -##	Domain allowed access.
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_getattr_all_users',`
++##	</summary>
++## </param>
++#
 +interface(`userdom_dontaudit_rw_user_tmp_pipes',`
 +	gen_require(`
 +		type user_tmp_t;
@@ -42481,14 +42447,10 @@ index 9dc60c6..dacbee8 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_getattr_all_users',`
- 	gen_require(`
- 		attribute userdomain;
- 	')
-@@ -3382,6 +4215,42 @@ interface(`userdom_signal_all_users',`
+ ##	</summary>
+ ## </param>
+ #
+@@ -3382,6 +4220,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -42531,7 +42493,7 @@ index 9dc60c6..dacbee8 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4271,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4276,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -42556,7 +42518,7 @@ index 9dc60c6..dacbee8 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4322,1646 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4327,1646 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 0d19f60..3a8e03d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9563,29 +9563,28 @@ index 18623e3..d9f3061 100644
  ')
 diff --git a/bumblebee.fc b/bumblebee.fc
 new file mode 100644
-index 0000000..17eea86
+index 0000000..b5ee23b
 --- /dev/null
 +++ b/bumblebee.fc
 @@ -0,0 +1,7 @@
-+/etc/systemd/system/bumblebeed.service		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++/etc/systemd/system/bumblebeed.*		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
 +
-+/usr/lib/systemd/system/bumblebeed.service		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++/usr/lib/systemd/system/bumblebeed.*		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
 +
 +/usr/sbin/bumblebeed		--	gen_context(system_u:object_r:bumblebee_exec_t,s0)
 +
 +/var/run/bumblebee.*			gen_context(system_u:object_r:bumblebee_var_run_t,s0)
 diff --git a/bumblebee.if b/bumblebee.if
 new file mode 100644
-index 0000000..f61b9c3
+index 0000000..23a4f86
 --- /dev/null
 +++ b/bumblebee.if
-@@ -0,0 +1,122 @@
-+
+@@ -0,0 +1,126 @@
 +## <summary>policy for bumblebee</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the bumblebee domin.
++##	Execute bumblebee in the bumblebee domin.
 +## </summary>
 +## <param name="domain">
 +## <summary>
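Review bot: The reworded summary for bumblebee_domtrans still misspells "domain" on the `++##	Execute bumblebee in the bumblebee domin.` line; it should read `##	Execute bumblebee in the bumblebee domain.`. In bumblebee.fc the two `bumblebeed.service` entries become `bumblebeed.*`, which together with the `--` specifier labels any regular file of that prefix in the unit directories rather than the one service file; that looks intended but deserves a mention in the commit message.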
@@ -9601,6 +9600,7 @@ index 0000000..f61b9c3
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
 +')
++
 +########################################
 +## <summary>
 +##	Read bumblebee PID files.
@@ -9637,7 +9637,7 @@ index 0000000..f61b9c3
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_passwd_run($1)
++    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 bumblebee_unit_file_t:file read_file_perms;
 +	allow $1 bumblebee_unit_file_t:service manage_service_perms;
 +
@@ -9687,9 +9687,13 @@ index 0000000..f61b9c3
 +		type bumblebee_unit_file_t;
 +	')
 +
-+	allow $1 bumblebee_t:process { ptrace signal_perms };
++	allow $1 bumblebee_t:process { signal_perms };
 +	ps_process_pattern($1, bumblebee_t)
 +
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 bumblebee_t:process ptrace;
++    ')
++
 +	files_search_pids($1)
 +	admin_pattern($1, bumblebee_var_run_t)
 +
@@ -9704,10 +9708,10 @@ index 0000000..f61b9c3
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..f39fc96
+index 0000000..a774878
 --- /dev/null
 +++ b/bumblebee.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,44 @@
 +policy_module(bumblebee, 1.0.0)
 +
 +########################################
@@ -9719,8 +9723,6 @@ index 0000000..f39fc96
 +type bumblebee_exec_t;
 +init_daemon_domain(bumblebee_t, bumblebee_exec_t)
 +
-+permissive bumblebee_t;
-+
 +type bumblebee_var_run_t;
 +files_pid_file(bumblebee_var_run_t)
 +
@@ -9731,6 +9733,7 @@ index 0000000..f39fc96
 +#
 +# bumblebee local policy
 +#
++
 +allow bumblebee_t self:capability { setgid };
 +allow bumblebee_t self:process { fork signal_perms };
 +allow bumblebee_t self:fifo_file rw_fifo_file_perms;
@@ -10884,10 +10887,10 @@ index 0000000..5977d96
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..12585f0
+index 0000000..748f5d5
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,246 @@
+@@ -0,0 +1,247 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -11016,6 +11019,7 @@ index 0000000..12585f0
 +userdom_manage_home_certs(chrome_sandbox_t)
 +
 +optional_policy(`
++	gnome_read_generic_cache_files(chrome_sandbox_t)
 +	gnome_rw_inherited_config(chrome_sandbox_t)
 +	gnome_read_home_config(chrome_sandbox_t)
 +	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
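Review bot: The new `gnome_read_generic_cache_files(chrome_sandbox_t)` line widens the sandbox's read access from its own `chrome_sandbox_home_t` cache directory (created by the `gnome_cache_filetrans` call two lines below) to all generic cache content in the home directory, and the hunk gives no hint which access motivated it. A comment such as `# reads generic ~/.cache content: <PLACEHOLDER: denied path from the AVC>` above the line would let a later reviewer judge whether a narrower rule suffices. The optional_policy block holding it starts and ends outside the hunk.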
@@ -13618,6 +13622,218 @@ index ce9f040..32ebb0c 100644
 +optional_policy(`
 +    unconfined_domain(condor_startd_t)
 +')
+diff --git a/conman.fc b/conman.fc
+new file mode 100644
+index 0000000..5f97ba9
+--- /dev/null
++++ b/conman.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/conman.*		--	gen_context(system_u:object_r:conman_unit_file_t,s0)
++
++/usr/sbin/conmand		--	gen_context(system_u:object_r:conman_exec_t,s0)
++
++/var/log/conman(/.*)?			gen_context(system_u:object_r:conman_log_t,s0)
++/var/log/conman\.old(/.*)?		gen_context(system_u:object_r:conman_log_t,s0)
++
+diff --git a/conman.if b/conman.if
+new file mode 100644
+index 0000000..54b4b04
+--- /dev/null
++++ b/conman.if
+@@ -0,0 +1,142 @@
++## <summary>Conman is a program for connecting to remote consoles being managed by conmand</summary>
++
++########################################
++## <summary>
++##	Execute conman in the conman domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`conman_domtrans',`
++	gen_require(`
++		type conman_t, conman_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, conman_exec_t, conman_t)
++')
++
++########################################
++## <summary>
++##	Read conman's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`conman_read_log',`
++	gen_require(`
++		type conman_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++## <summary>
++##	Append to conman log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`conman_append_log',`
++	gen_require(`
++		type conman_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++## <summary>
++##	Manage conman log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`conman_manage_log',`
++	gen_require(`
++		type conman_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, conman_log_t, conman_log_t)
++	manage_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++## <summary>
++##	Execute conman server in the conman domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`conman_systemctl',`
++	gen_require(`
++		type conman_t;
++		type conman_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 conman_unit_file_t:file read_file_perms;
++	allow $1 conman_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, conman_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an conman environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`conman_admin',`
++	gen_require(`
++		type conman_t;
++		type conman_log_t;
++	    type conman_unit_file_t;
++	')
++
++	allow $1 conman_t:process { signal_perms };
++	ps_process_pattern($1, conman_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 conman_t:process ptrace;
++    ')
++
++	logging_search_logs($1)
++	admin_pattern($1, conman_log_t)
++
++	conman_systemctl($1)
++	admin_pattern($1, conman_unit_file_t)
++	allow $1 conman_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/conman.te b/conman.te
+new file mode 100644
+index 0000000..0de2d4d
+--- /dev/null
++++ b/conman.te
+@@ -0,0 +1,45 @@
++policy_module(conman, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type conman_t;
++type conman_exec_t;
++init_daemon_domain(conman_t, conman_exec_t)
++
++type conman_log_t;
++logging_log_file(conman_log_t)
++
++type conman_unit_file_t;
++systemd_unit_file(conman_unit_file_t)
++
++########################################
++#
++# conman local policy
++#
++
++allow conman_t self:capability { sys_tty_config };
++allow conman_t self:process { setrlimit signal_perms };
++
++allow conman_t self:fifo_file rw_fifo_file_perms;
++allow conman_t self:unix_stream_socket create_stream_socket_perms;
++allow conman_t self:tcp_socket { listen create_socket_perms };
++
++manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
++manage_files_pattern(conman_t, conman_log_t, conman_log_t)
++logging_log_filetrans(conman_t, conman_log_t, { dir })
++
++corenet_tcp_bind_generic_node(conman_t)
++corenet_tcp_bind_conman_port(conman_t)
++
++corecmd_exec_bin(conman_t)
++
++auth_read_passwd(conman_t)
++
++logging_send_syslog_msg(conman_t)
++
++optional_policy(`
++    freeipmi_stream_connect(conman_t)
++')
 diff --git a/consolekit.fc b/consolekit.fc
 index 23c9558..29e5fd3 100644
 --- a/consolekit.fc
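Review bot: In conman.te the rule `allow conman_t self:tcp_socket { listen create_socket_perms };` grants create and listen but not accept, so once conmand binds the conman port it presumably cannot accept client connections; the usual set is `allow conman_t self:tcp_socket create_stream_socket_perms;`, which includes accept. In conman.if the conman_domtrans summary reads "conman domin" (should be "domain"), and conman_admin grants systemd_read_fifo_file_passwd_run($1) twice — once unconditionally through conman_systemctl and again inside the trailing optional_policy block — so the optional block could keep just systemd_passwd_agent_exec($1). A short comment on why conman_t needs sys_tty_config would also help, since the rest of the policy grants no terminal device access.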
@@ -19111,7 +19327,7 @@ index 62d22cb..fefd4b4 100644
 +	dontaudit system_bus_type $1:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
-index c9998c8..fa4f188 100644
+index c9998c8..163708f 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -4,17 +4,15 @@ gen_require(`
@@ -19155,7 +19371,7 @@ index c9998c8..fa4f188 100644
  
  ifdef(`enable_mcs',`
  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,58 @@ ifdef(`enable_mls',`
+@@ -51,59 +47,61 @@ ifdef(`enable_mls',`
  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -19214,7 +19430,9 @@ index c9998c8..fa4f188 100644
  
 -domain_use_interactive_fds(system_dbusd_t)
 -domain_read_all_domains_state(system_dbusd_t)
--
++dev_rw_inherited_input_dev(system_dbusd_t)
++dev_rw_inherited_dri(system_dbusd_t)
+ 
 -files_list_home(system_dbusd_t)
 -files_read_usr_files(system_dbusd_t)
 +files_rw_inherited_non_security_files(system_dbusd_t)
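Review bot: The two new dev_rw_inherited_* rules for system_dbusd_t deserve a why-comment, because read/write on DRM and input device fds is unusual for a message bus and the commit message is the only place that explains it; something like `# logind's TakeDevice hands DRM master and input event fds to clients over the system bus; only inherited fds are needed, never open` would keep that rationale in the policy. Using the inherited-only interfaces rather than the open variants is the right scoping, and the comment should say so explicitly so a later cleanup does not "upgrade" them. These are top-level rules in dbus.te, so no enclosing block is cut by the hunk.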
@@ -19232,7 +19450,7 @@ index c9998c8..fa4f188 100644
  mls_fd_use_all_levels(system_dbusd_t)
  mls_rangetrans_target(system_dbusd_t)
  mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +121,159 @@ term_dontaudit_use_console(system_dbusd_t)
  auth_use_nsswitch(system_dbusd_t)
  auth_read_pam_console_data(system_dbusd_t)
  
@@ -19290,10 +19508,9 @@ index c9998c8..fa4f188 100644
 +optional_policy(`
 +	gnome_exec_gconf(system_dbusd_t)
 +	gnome_read_inherited_home_icc_data_files(system_dbusd_t)
- ')
- 
- optional_policy(`
--	seutil_sigchld_newrole(system_dbusd_t)
++')
++
++optional_policy(`
 +    nis_use_ypbind(system_dbusd_t)
 +')
 +
@@ -19310,9 +19527,10 @@ index c9998c8..fa4f188 100644
 +
 +optional_policy(`
 +	sysnet_domtrans_dhcpc(system_dbusd_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	seutil_sigchld_newrole(system_dbusd_t)
 +	systemd_use_fds_logind(system_dbusd_t)
 +	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 +	systemd_write_inhibit_pipes(system_dbusd_t)
@@ -19406,7 +19624,7 @@ index c9998c8..fa4f188 100644
  kernel_read_kernel_sysctls(session_bus_type)
  
  corecmd_list_bin(session_bus_type)
-@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +282,18 @@ corecmd_read_bin_files(session_bus_type)
  corecmd_read_bin_pipes(session_bus_type)
  corecmd_read_bin_sockets(session_bus_type)
  
@@ -19431,7 +19649,7 @@ index c9998c8..fa4f188 100644
  files_dontaudit_search_var(session_bus_type)
  
  fs_getattr_romfs(session_bus_type)
-@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +301,6 @@ fs_getattr_xattr_fs(session_bus_type)
  fs_list_inotifyfs(session_bus_type)
  fs_dontaudit_list_nfs(session_bus_type)
  
@@ -19439,7 +19657,7 @@ index c9998c8..fa4f188 100644
  selinux_validate_context(session_bus_type)
  selinux_compute_access_vector(session_bus_type)
  selinux_compute_create_context(session_bus_type)
-@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +310,36 @@ selinux_compute_user_contexts(session_bus_type)
  auth_read_pam_console_data(session_bus_type)
  
  logging_send_audit_msgs(session_bus_type)
@@ -19481,7 +19699,7 @@ index c9998c8..fa4f188 100644
  ')
  
  ########################################
-@@ -244,5 +344,6 @@ optional_policy(`
+@@ -244,5 +347,6 @@ optional_policy(`
  # Unconfined access to this module
  #
  
@@ -25127,6 +25345,180 @@ index 92a6479..989f63a 100644
 +optional_policy(`
 +	xserver_read_state_xdm(fprintd_t)
  ')
+diff --git a/freeipmi.fc b/freeipmi.fc
+new file mode 100644
+index 0000000..0942a2e
+--- /dev/null
++++ b/freeipmi.fc
+@@ -0,0 +1,17 @@
++/usr/lib/systemd/system/bmc-watchdog.*		--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0)
++/usr/lib/systemd/system/ipmidetectd.*		--	gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0)
++/usr/lib/systemd/system/ipmiseld.*        --  gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0)
++
++/usr/sbin/bmc-watchdog		--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0)
++/usr/sbin/ipmidetectd			--	gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0)
++/usr/sbin/ipmiseld		--	gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0)
++
++/var/cache/ipmiseld(/.*)?       			gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
++/var/cache/ipmimonitoringsdrcache(/.*)?		gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
++
++/var/lib/freeipmi(/.*)?     gen_context(system_u:object_r:freeipmi_var_lib_t,s0)
++
++
++/var/run/ipmidetectd\.pid	--	gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0)
++/var/run/ipmiseld\.pid	--	gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0)
++/var/run/bmc-watchdog\.pid	--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0)
+diff --git a/freeipmi.if b/freeipmi.if
+new file mode 100644
+index 0000000..dc94853
+--- /dev/null
++++ b/freeipmi.if
+@@ -0,0 +1,71 @@
++## <summary>Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification</summary>
++
++#####################################
++## <summary>
++##  Creates types and rules for a basic
++##  freeipmi init daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`freeipmi_domain_template',`
++    gen_require(`
++        attribute freeipmi_domain, freeipmi_pid;
++    ')
++
++    #############################
++    #
++    # Declarations
++    #
++
++    type freeipmi_$1_t, freeipmi_domain;
++    type freeipmi_$1_exec_t;
++    init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t)
++    role system_r types freeipmi_$1_t;
++
++	type freeipmi_$1_unit_file_t;
++	systemd_unit_file(freeipmi_$1_unit_file_t)
++
++	type freeipmi_$1_var_run_t, freeipmi_pid;
++	files_pid_file(freeipmi_$1_var_run_t)
++
++    #############################
++    #
++    # Local policy
++    #
++
++	manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t)
++
++	kernel_read_system_state(freeipmi_$1_t)
++
++	corenet_all_recvfrom_netlabel(freeipmi_$1_t)
++	corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
++
++    auth_use_nsswitch(freeipmi_$1_t)
++
++    logging_send_syslog_msg(freeipmi_$1_t)
++')
++
++####################################
++## <summary>
++##	Connect to cluster domains over a unix domain
++##	stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`freeipmi_stream_connect',`
++	gen_require(`
++		attribute freeipmi_domain, freeipmi_pid;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
++')
++
+diff --git a/freeipmi.te b/freeipmi.te
+new file mode 100644
+index 0000000..1408208
+--- /dev/null
++++ b/freeipmi.te
+@@ -0,0 +1,68 @@
++policy_module(freeipmi, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute freeipmi_domain;
++attribute freeipmi_pid;
++
++freeipmi_domain_template(ipmidetectd)
++freeipmi_domain_template(ipmiseld)
++freeipmi_domain_template(bmc_watchdog)
++
++type freeipmi_var_lib_t;
++files_type(freeipmi_var_lib_t)
++
++type freeipmi_var_cache_t;
++files_type(freeipmi_var_cache_t)
++
++########################################
++#
++# freeipmi_domain local policy
++#
++
++allow freeipmi_domain self:fifo_file rw_fifo_file_perms;
++allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms;
++allow freeipmi_domain self:sem create_sem_perms;
++
++manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir })
++
++manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
++
++sysnet_dns_name_resolve(freeipmi_domain)
++
++#######################################
++#
++# bmc-watchdog local policy
++#
++
++files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
++
++dev_read_raw_memory(freeipmi_bmc_watchdog_t)
++dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)
++
++#######################################
++#
++# ipmidetectd local policy
++#
++
++files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
++
++#######################################
++#
++# ipmiseld local policy
++#
++
++allow freeipmi_ipmiseld_t self:capability sys_rawio;
++
++allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;
++
++files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid")
 diff --git a/freqset.fc b/freqset.fc
 new file mode 100644
 index 0000000..3cd9c38
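Review bot: The summary for freeipmi_stream_connect in freeipmi.if says "Connect to cluster domains", which looks copied from another module; it should read `##	Connect to freeipmi domains over a unix domain` followed by the existing "stream socket." line. In freeipmi.te, `dev_read_raw_memory(freeipmi_bmc_watchdog_t)` gives the watchdog read access to raw memory devices, a much broader grant than the adjacent dev_rw_ipmi_dev, and it is worth a comment recording the operation that needs it so the rule is not silently kept if the IPMI device node turns out to be sufficient. In the template, `role system_r types freeipmi_$1_t;` appears to duplicate what init_daemon_domain already declares, and the template body mixes four-space and tab indentation.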
@@ -31492,10 +31884,38 @@ index 08b7560..417e630 100644
 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 diff --git a/iscsi.if b/iscsi.if
-index 1a35420..4b9b978 100644
+index 1a35420..2ea1241 100644
 --- a/iscsi.if
 +++ b/iscsi.if
-@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',`
+@@ -22,6 +22,27 @@ interface(`iscsid_domtrans',`
+ ########################################
+ ## <summary>
+ ##	Create, read, write, and delete
++##	iscsid lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`iscsi_manage_lock',`
++	gen_require(`
++		type iscsi_lock_t;
++	')
++
++    files_search_locks($1)
++    manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t)
++    manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
+ ##	iscsid sempaphores.
+ ## </summary>
+ ## <param name="domain">
+@@ -80,17 +101,31 @@ interface(`iscsi_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -31532,7 +31952,7 @@ index 1a35420..4b9b978 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -99,16 +113,15 @@ interface(`iscsi_admin',`
+@@ -99,16 +134,15 @@ interface(`iscsi_admin',`
  	gen_require(`
  		type iscsid_t, iscsi_lock_t, iscsi_log_t;
  		type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
@@ -36738,7 +37158,7 @@ index be0ab84..8c532a6 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index ab65034..ca924b3 100644
+index ab65034..52cbb90 100644
 --- a/logwatch.te
 +++ b/logwatch.te
 @@ -6,6 +6,13 @@ policy_module(logwatch, 1.12.2)
@@ -36825,19 +37245,20 @@ index ab65034..ca924b3 100644
  	corenet_sendrecv_smtp_client_packets(logwatch_t)
  	corenet_tcp_connect_smtp_port(logwatch_t)
  	corenet_tcp_sendrecv_smtp_port(logwatch_t)
-@@ -160,6 +169,11 @@ optional_policy(`
+@@ -160,6 +169,12 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	raid_domtrans_mdadm(logwatch_t)
 +	raid_access_check_mdadm(logwatch_t)
++    raid_read_conf_files(logwatch_t)
 +')
 +
 +optional_policy(`
  	rpc_search_nfs_state_data(logwatch_t)
  ')
  
-@@ -187,6 +201,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -187,6 +202,12 @@ dev_read_sysfs(logwatch_mail_t)
  
  logging_read_all_logs(logwatch_mail_t)
  
@@ -38333,7 +38754,7 @@ index 327f3f7..4f61561 100644
 +	')
  ')
 diff --git a/mandb.te b/mandb.te
-index e6136fd..f5203f5 100644
+index e6136fd..14e2c47 100644
 --- a/mandb.te
 +++ b/mandb.te
 @@ -10,9 +10,18 @@ roleattribute system_r mandb_roles;
@@ -38375,12 +38796,13 @@ index e6136fd..f5203f5 100644
  kernel_read_kernel_sysctls(mandb_t)
  kernel_read_system_state(mandb_t)
  
-@@ -33,11 +54,11 @@ dev_search_sysfs(mandb_t)
+@@ -33,11 +54,12 @@ dev_search_sysfs(mandb_t)
  
  domain_use_interactive_fds(mandb_t)
  
 -files_read_etc_files(mandb_t)
 +files_search_locks(mandb_t)
++files_dontaudit_search_all_mountpoints(mandb_t)
  
  miscfiles_manage_man_cache(mandb_t)
 +miscfiles_setattr_man_pages(mandb_t)
@@ -39039,10 +39461,10 @@ index cba62db..562833a 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 4dc99f4..4385417 100644
+index 4dc99f4..22dbcb9 100644
 --- a/milter.te
 +++ b/milter.te
-@@ -5,73 +5,106 @@ policy_module(milter, 1.5.0)
+@@ -5,73 +5,113 @@ policy_module(milter, 1.5.0)
  # Declarations
  #
  
@@ -39057,6 +39479,9 @@ index 4dc99f4..4385417 100644
 +type dkim_milter_private_key_t;
 +files_type(dkim_milter_private_key_t)
 +
++type dkim_milter_tmp_t;
++files_tmp_file(dkim_milter_tmp_t)
++
 +# currently-supported milters are milter-greylist, milter-regex and spamass-milter
  milter_template(greylist)
  milter_template(regex)
@@ -39116,6 +39541,10 @@ index 4dc99f4..4385417 100644
 -logging_send_syslog_msg(milter_domains)
 +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
 +
++manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
++manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
++files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file })
++
 +kernel_read_kernel_sysctls(dkim_milter_t)
 +
 +auth_use_nsswitch(dkim_milter_t)
@@ -39176,7 +39605,7 @@ index 4dc99f4..4385417 100644
  
  optional_policy(`
  	mysql_stream_connect(greylist_milter_t)
-@@ -79,30 +112,45 @@ optional_policy(`
+@@ -79,30 +119,45 @@ optional_policy(`
  
  ########################################
  #
@@ -47724,16 +48153,16 @@ index 0000000..cc31b9f
 +
 diff --git a/ninfod.if b/ninfod.if
 new file mode 100644
-index 0000000..7c813e9
+index 0000000..a7f57d9
 --- /dev/null
 +++ b/ninfod.if
-@@ -0,0 +1,75 @@
+@@ -0,0 +1,79 @@
 +
 +## <summary>Respond to IPv6 Node Information Queries</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the ninfod domin.
++##	Execute ninfod in the ninfod domin.
 +## </summary>
 +## <param name="domain">
 +## <summary>
@@ -47766,7 +48195,7 @@ index 0000000..7c813e9
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_passwd_run($1)
++    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 ninfod_unit_file_t:file read_file_perms;
 +	allow $1 ninfod_unit_file_t:service manage_service_perms;
 +
@@ -47789,12 +48218,16 @@ index 0000000..7c813e9
 +interface(`ninfod_admin',`
 +	gen_require(`
 +		type ninfod_t;
-+	type ninfod_unit_file_t;
++	    type ninfod_unit_file_t;
 +	')
 +
-+	allow $1 ninfod_t:process { ptrace signal_perms };
++	allow $1 ninfod_t:process { signal_perms };
 +	ps_process_pattern($1, ninfod_t)
 +
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 ninfod_t:process ptrace;
++    ')
++
 +	ninfod_systemctl($1)
 +	admin_pattern($1, ninfod_unit_file_t)
 +	allow $1 ninfod_unit_file_t:service all_service_perms;
@@ -53726,16 +54159,16 @@ index 0000000..51650fa
 +/var/log/opensm\.log.*  	--	gen_context(system_u:object_r:opensm_log_t,s0)
 diff --git a/opensm.if b/opensm.if
 new file mode 100644
-index 0000000..a62f050
+index 0000000..776fda7
 --- /dev/null
 +++ b/opensm.if
-@@ -0,0 +1,220 @@
+@@ -0,0 +1,223 @@
 +
 +## <summary>Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the opensm domin.
++##	Execute opensm in the opensm domin.
 +## </summary>
 +## <param name="domain">
 +## <summary>
@@ -53838,7 +54271,6 @@ index 0000000..a62f050
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
 +interface(`opensm_read_log',`
 +	gen_require(`
@@ -53905,7 +54337,7 @@ index 0000000..a62f050
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_passwd_run($1)
++    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 opensm_unit_file_t:file read_file_perms;
 +	allow $1 opensm_unit_file_t:service manage_service_perms;
 +
@@ -53930,12 +54362,16 @@ index 0000000..a62f050
 +		type opensm_t;
 +		type opensm_cache_t;
 +		type opensm_log_t;
-+	type opensm_unit_file_t;
++	    type opensm_unit_file_t;
 +	')
 +
-+	allow $1 opensm_t:process { ptrace signal_perms };
++	allow $1 opensm_t:process { signal_perms };
 +	ps_process_pattern($1, opensm_t)
 +
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 opensm_t:process ptrace;
++    ')
++
 +	files_search_var($1)
 +	admin_pattern($1, opensm_cache_t)
 +
@@ -54641,15 +55077,15 @@ index 0000000..00d0643
 +/var/run/wsmand.*	--	gen_context(system_u:object_r:openwsman_run_t,s0)
 diff --git a/openwsman.if b/openwsman.if
 new file mode 100644
-index 0000000..9c67ac5
+index 0000000..42ed4ba
 --- /dev/null
 +++ b/openwsman.if
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,78 @@
 +## <summary>WS-Management Server</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the openwsman domin.
++##	Execute openwsman in the openwsman domin.
 +## </summary>
 +## <param name="domain">
 +## <summary>
@@ -54682,7 +55118,7 @@ index 0000000..9c67ac5
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_passwd_run($1)
++    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 openwsman_unit_file_t:file read_file_perms;
 +	allow $1 openwsman_unit_file_t:service manage_service_perms;
 +
@@ -54705,12 +55141,16 @@ index 0000000..9c67ac5
 +interface(`openwsman_admin',`
 +	gen_require(`
 +		type openwsman_t;
-+	type openwsman_unit_file_t;
++	    type openwsman_unit_file_t;
 +	')
 +
-+	allow $1 openwsman_t:process { ptrace signal_perms };
++	allow $1 openwsman_t:process { signal_perms };
 +	ps_process_pattern($1, openwsman_t)
 +
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 openwsman_t:process ptrace;
++    ')
++
 +	openwsman_systemctl($1)
 +	admin_pattern($1, openwsman_unit_file_t)
 +	allow $1 openwsman_unit_file_t:service all_service_perms;
@@ -55657,7 +56097,7 @@ index 1fb1964..f92c71a 100644
 +	virt_rw_svirt_dev(pcscd_t)
 +')
 diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..87bda41 100644
+index dfd46e4..6b5b74b 100644
 --- a/pegasus.fc
 +++ b/pegasus.fc
 @@ -1,15 +1,25 @@
@@ -55689,7 +56129,7 @@ index dfd46e4..87bda41 100644
 +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt      --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt      --  gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
 +
 +
@@ -55795,7 +56235,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454..555f313 100644
+index 608f454..938df5d 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -55814,7 +56254,7 @@ index 608f454..555f313 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,278 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,288 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
@@ -56011,7 +56451,10 @@ index 608f454..555f313 100644
 +# pegasus openlmi storage local policy
 +#
 +
-+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio };
++allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio sys_resource ipc_lock };
++allow pegasus_openlmi_storage_t self:process setrlimit;
++
++allow pegasus_openlmi_storage_t self:netlink_route_socket r_netlink_socket_perms;
 +
 +manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
 +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
@@ -56023,6 +56466,7 @@ index 608f454..555f313 100644
 +
 +kernel_read_all_sysctls(pegasus_openlmi_storage_t)
 +kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
++kernel_request_load_module(pegasus_openlmi_storage_t)
 +
 +dev_read_rand(pegasus_openlmi_storage_t)
 +dev_read_urand(pegasus_openlmi_storage_t)
@@ -56037,6 +56481,8 @@ index 608f454..555f313 100644
 +storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
 +storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
 +
++files_read_kernel_modules(pegasus_openlmi_storage_t)
++
 +fs_getattr_all_fs(pegasus_openlmi_storage_t)
 +
 +modutils_domtrans_insmod(pegasus_openlmi_storage_t)
@@ -56053,6 +56499,10 @@ index 608f454..555f313 100644
 +')
 +
 +optional_policy(`
++    iscsi_manage_lock(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
 +    lvm_domtrans(pegasus_openlmi_storage_t)
 +')
 +
@@ -56098,7 +56548,7 @@ index 608f454..555f313 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +311,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +321,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -56129,7 +56579,7 @@ index 608f454..555f313 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +337,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +347,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -56162,7 +56612,7 @@ index 608f454..555f313 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,9 +365,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +375,11 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -56174,7 +56624,7 @@ index 608f454..555f313 100644
  
  files_list_var_lib(pegasus_t)
  files_read_var_lib_files(pegasus_t)
-@@ -128,18 +381,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +391,29 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -56210,7 +56660,7 @@ index 608f454..555f313 100644
  ')
  
  optional_policy(`
-@@ -151,16 +415,24 @@ optional_policy(`
+@@ -151,16 +425,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56239,7 +56689,7 @@ index 608f454..555f313 100644
  ')
  
  optional_policy(`
-@@ -168,7 +440,7 @@ optional_policy(`
+@@ -168,7 +450,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -68951,7 +69401,7 @@ index 5806046..d83ec27 100644
  
  /var/run/mdadm(/.*)?	gen_context(system_u:object_r:mdadm_var_run_t,s0)
 diff --git a/raid.if b/raid.if
-index 951db7f..98a0758 100644
+index 951db7f..c0cabe8 100644
 --- a/raid.if
 +++ b/raid.if
 @@ -1,9 +1,8 @@
@@ -69032,7 +69482,7 @@ index 951db7f..98a0758 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -57,47 +78,94 @@ interface(`raid_run_mdadm',`
+@@ -57,47 +78,112 @@ interface(`raid_run_mdadm',`
  ##	</summary>
  ## </param>
  #
@@ -69100,7 +69550,7 @@ index 951db7f..98a0758 100644
 +
 +########################################
 +## <summary>
-+##	Manage mdadm config files.
++##	Read mdadm config files.
 +## </summary>
 +## <param name="domain">
  ##	<summary>
@@ -69111,7 +69561,7 @@ index 951db7f..98a0758 100644
 -## <rolecap/>
  #
 -interface(`raid_admin_mdadm',`
-+interface(`raid_manage_conf_files',`
++interface(`raid_read_conf_files',`
  	gen_require(`
 -		type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t;
 +		type mdadm_conf_t;
@@ -69119,7 +69569,24 @@ index 951db7f..98a0758 100644
  
 -	allow $1 mdadm_t:process { ptrace signal_perms };
 -	ps_process_pattern($1, mdadm_t)
--
++    read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
++')
++
++########################################
++## <summary>
++##	Manage mdadm config files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`raid_manage_conf_files',`
++	gen_require(`
++		type mdadm_conf_t;
++	')
+ 
 -	init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
 -	domain_system_change_exemption($1)
 -	role_transition $2 mdadm_initrc_exec_t system_r;
@@ -70023,6 +70490,68 @@ index e9765c0..ea21331 100644
 +/usr/lib/systemd/system/rdisc.*         --      gen_context(system_u:object_r:rdisc_unit_file_t,s0)
  
  /usr/sbin/rdisc	--	gen_context(system_u:object_r:rdisc_exec_t,s0)
+diff --git a/rdisc.if b/rdisc.if
+index 170ef52..7dd9193 100644
+--- a/rdisc.if
++++ b/rdisc.if
+@@ -18,3 +18,57 @@ interface(`rdisc_exec',`
+ 	corecmd_search_bin($1)
+ 	can_exec($1, rdisc_exec_t)
+ ')
++
++########################################
++## <summary>
++##      Execute rdisc server in the rdisc domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed to transition.
++##      </summary>
++## </param>
++#
++interface(`rdisc_systemctl',`
++        gen_require(`
++                type rdisc_t;
++                type rdisc_unit_file_t;
++        ')
++
++        systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++        allow $1 rdisc_unit_file_t:file read_file_perms;
++        allow $1 rdisc_unit_file_t:service manage_service_perms;
++
++        ps_process_pattern($1, rdisc_t)
++')
++
++########################################
++## <summary>
++##      All of the rules required to administrate
++##      an rdisc environment
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`rdisc_admin',`
++        gen_require(`
++            type rdisc_t;
++            type rdisc_unit_file_t;
++        ')
++
++        allow $1 rdisc_t:process { ptrace signal_perms };
++        ps_process_pattern($1, rdisc_t)
++
++        rdisc_systemctl($1)
++        admin_pattern($1, rdisc_unit_file_t)
++        allow $1 rdisc_unit_file_t:service all_service_perms;
++        optional_policy(`
++                systemd_passwd_agent_exec($1)
++                systemd_read_fifo_file_passwd_run($1)
++        ')
++')
 diff --git a/rdisc.te b/rdisc.te
 index 9196c1d..b775931 100644
 --- a/rdisc.te
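Review bot: The new rdisc_admin interface grants `allow $1 rdisc_t:process { ptrace signal_perms };` unconditionally, while every other admin interface touched by this commit (bumblebee, conman, ninfod, opensm, openwsman) moves ptrace under the deny_ptrace tunable, so this one should follow the same pattern. The whole addition is also indented with eight spaces where the existing rdisc_exec lines above it use tabs, and the optional_policy block at the end lacks the blank line the other admin interfaces have before it. The rewritten ptrace handling is shown below; the rest of the interface is unchanged.
```m4
interface(`rdisc_admin',`
	# … unchanged: gen_require block …

	allow $1 rdisc_t:process { signal_perms };
	ps_process_pattern($1, rdisc_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 rdisc_t:process ptrace;
	')

	# … unchanged: rdisc_systemctl, admin_pattern, service perms, optional_policy …
```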
@@ -75365,7 +75894,7 @@ index ebe91fc..576ca21 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index ef3b225..fbef499 100644
+index ef3b225..0c8576e 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -75596,10 +76125,12 @@ index ef3b225..fbef499 100644
 -	logging_search_logs($1)
 -	append_files_pattern($1, rpm_log_t, rpm_log_t)
 +	allow $1 rpm_log_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	rpm log files.
 +##	Create, read, write, and delete the RPM log.
 +## </summary>
 +## <param name="domain">
@@ -75614,26 +76145,42 @@ index ef3b225..fbef499 100644
 +	')
 +
 +    read_files_pattern($1, rpm_log_t, rpm_log_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	rpm log files.
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete the RPM log.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -302,7 +378,7 @@ interface(`rpm_manage_log',`
+@@ -302,7 +378,25 @@ interface(`rpm_manage_log',`
  
  ########################################
  ## <summary>
 -##	Inherit and use rpm script file descriptors.
++##	Create rpm logs with an correct label.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpm_named_filetrans_log_files',`
++	gen_require(`
++		type rpm_log_t;
++	')
++    logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
++    logging_log_named_filetrans($1, rpm_log_t, file, "upd2date")
++')
++
++########################################
++## <summary>
 +##	Inherit and use file descriptors from RPM scripts.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +414,8 @@ interface(`rpm_use_script_fds',`
  
  ########################################
  ## <summary>
@@ -75644,7 +76191,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +429,15 @@ interface(`rpm_manage_script_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -75661,7 +76208,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +450,13 @@ interface(`rpm_append_tmp_files',`
  		type rpm_tmp_t;
  	')
  
@@ -75679,7 +76226,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +470,14 @@ interface(`rpm_manage_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -75695,7 +76242,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +497,7 @@ interface(`rpm_read_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -75704,7 +76251,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -420,8 +500,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +518,7 @@ interface(`rpm_read_cache',`
  
  ########################################
  ## <summary>
@@ -75714,7 +76261,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +539,7 @@ interface(`rpm_manage_cache',`
  
  ########################################
  ## <summary>
@@ -75723,7 +76270,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -459,11 +538,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +556,12 @@ interface(`rpm_read_db',`
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -75737,7 +76284,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -482,8 +562,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +580,7 @@ interface(`rpm_delete_db',`
  
  ########################################
  ## <summary>
@@ -75747,7 +76294,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -503,8 +582,28 @@ interface(`rpm_manage_db',`
+@@ -503,8 +600,28 @@ interface(`rpm_manage_db',`
  
  ########################################
  ## <summary>
@@ -75777,7 +76324,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +634,7 @@ interface(`rpm_dontaudit_manage_db',`
  		type rpm_var_lib_t;
  	')
  
@@ -75786,7 +76333,7 @@ index ef3b225..fbef499 100644
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
-@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +660,7 @@ interface(`rpm_read_pid_files',`
  
  #####################################
  ## <summary>
@@ -75796,7 +76343,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +679,7 @@ interface(`rpm_manage_pid_files',`
  
  ######################################
  ## <summary>
@@ -75806,7 +76353,7 @@ index ef3b225..fbef499 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -573,66 +670,104 @@ interface(`rpm_manage_pid_files',`
+@@ -573,66 +688,104 @@ interface(`rpm_manage_pid_files',`
  ## </param>
  #
  interface(`rpm_pid_filetrans',`
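Review bot: The second transition in the new rpm_named_filetrans_log_files interface is spelled `"upd2date"`, while the changelog entry for this commit says the goal is letting up2date running as rpm_t create its log with rpm_log_t; if the file up2date actually creates under /var/log is named up2date (as the tool name suggests — please confirm against the file context in rpm.fc), the name match never fires, the file is created with the directory's default label, and nothing is denied so no AVC will ever point at the typo. Suggest `logging_log_named_filetrans($1, rpm_log_t, file, "up2date")` and a quick check that rpm.fc labels the same path so restorecon and runtime creation agree. Style: the two logging_log_named_filetrans calls are indented with four spaces while the gen_require block uses tabs, and the summary "Create rpm logs with an correct label." should read "with the correct label".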
@@ -78376,7 +78923,7 @@ index 50d07fb..bada62f 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..3e81196 100644
+index 2b7c441..1912f75 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -79355,10 +79902,12 @@ index 2b7c441..3e81196 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -841,16 +846,19 @@ optional_policy(`
+@@ -840,17 +845,20 @@ optional_policy(`
+ # Winbind local policy
  #
  
- allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
++allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice };
 +allow winbind_t self:capability2 block_suspend;
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process { signal_perms getsched setsched };
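Review bot: Adding `kill` to winbind_t's capability set is not explained anywhere in the hunk, and the capability is only consulted by the kernel when a process signals a process owned by a different uid; the SELinux-side control is the `:process signal` rule on the target domain, and no new target rule appears here, so it is unclear from the diff what winbindd is actually trying to signal (the existing self:process signal_perms on the next line already covers its own helpers). Suggest recording the motivation inline, e.g. `# kill: winbindd signals a process running under another uid (see bug/AVC that prompted this)`, so the next reviewer can tell whether the capability can be narrowed back out. The winbind local policy block continues past the end of this hunk.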
@@ -84603,7 +85152,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index f2f507d..a41b9d3 100644
+index f2f507d..f7ba057 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -84764,7 +85313,7 @@ index f2f507d..a41b9d3 100644
  ')
  
  optional_policy(`
-@@ -151,9 +198,16 @@ optional_policy(`
+@@ -151,9 +198,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84775,6 +85324,7 @@ index f2f507d..a41b9d3 100644
 +    rpm_manage_cache(sosreport_t)
 +    rpm_manage_log(sosreport_t)
 +    rpm_manage_pid_files(sosreport_t)
++    rpm_named_filetrans_log_files(sosreport_t)
 +    rpm_read_db(sosreport_t)
 +    rpm_signull(sosreport_t)
 +')
@@ -97307,7 +97857,7 @@ index ae919b9..e0b1983 100644
  	manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
  ')
 diff --git a/wine.if b/wine.if
-index fd2b6cc..52a2e72 100644
+index fd2b6cc..938c4a7 100644
 --- a/wine.if
 +++ b/wine.if
 @@ -1,46 +1,57 @@
@@ -97456,8 +98006,31 @@ index fd2b6cc..52a2e72 100644
  ')
  
  ########################################
+@@ -165,3 +169,22 @@ interface(`wine_rw_shm',`
+ 
+ 	allow $1 wine_t:shm rw_shm_perms;
+ ')
++
++########################################
++## <summary>
++##	Transition to wine named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`wine_filetrans_named_content',`
++	gen_require(`
++		type wine_home_t;
++	')
++
++	userdom_user_home_dir_filetrans($1, wine_home_t, dir, ".wine")
++')
++
 diff --git a/wine.te b/wine.te
-index 491b87b..689460b 100644
+index 491b87b..391f3a1 100644
 --- a/wine.te
 +++ b/wine.te
 @@ -14,10 +14,11 @@ policy_module(wine, 1.11.0)
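Review bot: The summary of the new wine_filetrans_named_content interface, "Transition to wine named content", does not say what is actually granted, which is a single file-name transition: creating a directory named ".wine" directly in the user's home directory yields wine_home_t. Suggest `##	Label a ".wine" directory created in the user home directory as wine_home_t.` so callers know this does not cover wine_home_t content created elsewhere. Style: the parameter summary line uses spaces where the surrounding doc block uses tabs, and the hunk appends a blank line after the closing `')` at the end of wine.if, which the rest of the file does not do.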
@@ -97473,7 +98046,7 @@ index 491b87b..689460b 100644
  type wine_exec_t;
  userdom_user_application_domain(wine_t, wine_exec_t)
  role wine_roles types wine_t;
-@@ -25,56 +26,57 @@ role wine_roles types wine_t;
+@@ -25,56 +26,58 @@ role wine_roles types wine_t;
  type wine_home_t;
  userdom_user_home_content(wine_home_t)
  
@@ -97485,34 +98058,34 @@ index 491b87b..689460b 100644
  # Local policy
  #
 +domain_mmap_low(wine_t)
-+
-+optional_policy(`
-+	unconfined_domain(wine_t)
-+')
  
 -allow wine_t self:process { execstack execmem execheap };
 -allow wine_t self:fifo_file manage_fifo_file_perms;
++optional_policy(`
++	unconfined_domain(wine_t)
++')
  
 -can_exec(wine_t, wine_exec_t)
+ 
+-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
 +########################################
 +#
 +# Common wine domain policy
 +#
  
--userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
-+allow wine_domain self:process { execstack execmem execheap };
-+allow wine_domain self:fifo_file manage_fifo_file_perms;
- 
 -manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
 -manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
 -files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
-+can_exec(wine_domain, wine_exec_t)
++allow wine_domain self:process { execstack execmem execheap };
++allow wine_domain self:fifo_file manage_fifo_file_perms;
  
 -domain_mmap_low(wine_t)
++can_exec(wine_domain, wine_exec_t)
++
 +manage_files_pattern(wine_domain, wine_home_t, wine_home_t)
 +manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t)
-+userdom_user_home_dir_filetrans(wine_domain, wine_home_t, dir, ".wine")
 +userdom_tmpfs_filetrans(wine_domain, file)
++wine_filetrans_named_content(wine_domain)
  
 -files_execmod_all_files(wine_t)
 +files_execmod_all_files(wine_domain)
@@ -97542,19 +98115,19 @@ index 491b87b..689460b 100644
  
  optional_policy(`
 -	rtkit_scheduled(wine_t)
--')
--
--optional_policy(`
--	unconfined_domain(wine_t)
 +	rtkit_scheduled(wine_domain)
  ')
  
  optional_policy(`
--	xserver_read_xdm_pid(wine_t)
--	xserver_rw_shm(wine_t)
+-	unconfined_domain(wine_t)
 +	xserver_read_xdm_pid(wine_domain)
 +	xserver_rw_shm(wine_domain)
  ')
+ 
+-optional_policy(`
+-	xserver_read_xdm_pid(wine_t)
+-	xserver_rw_shm(wine_t)
+-')
 diff --git a/wireshark.te b/wireshark.te
 index ff6ef38..436d3bf 100644
 --- a/wireshark.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 35404c8..2fec2d9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -575,6 +575,48 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Dec 9 2013 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-9
+- DRM master and input event devices are used by  the TakeDevice API
+- Clean up bumblebee policy
+- Update pegasus_openlmi_storage_t policy
+- opensm policy clean up
+- openwsman policy clean up
+- ninfod policy clean up
+- Allow conman to connect to freeipmi services and clean up conman policy
+- Allow conmand just bind on 7890 port
+- Add freeipmi_stream_connect() interface
+- Allow logwatch read madm.conf to support RAID setup
+- Add raid_read_conf_files() interface
+- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
+- add rpm_named_filetrans_log_files() interface
+- Added policy for conmand
+- Allow dkim-milter to create files/dirs in /tmp
+- update freeipmi policy
+- Add policy for freeipmi services
+- Added rdisc_admin and rdisc_systemctl interfaces
+- Fix aliases in pegasus.te
+- Allow chrome sandbox to read generic cache files in homedir
+- Dontaudit mandb searching all mountpoints
+- Make sure wine domains create .wine with the correct label
+- Add proper aliases for pegasus_openlmi_services_exec_t and pegasus_openlmi_services_t
+- Allow windbind the kill capability
+- DRM master and input event devices are used by  the TakeDevice API
+- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
+- Added support for default conman port
+- Add interfaces for ipmi devices
+- Make sure wine domains create .wine with the correct label
+- Allow manage dirs in kernel_manage_debugfs interface.
+- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
+- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
+- Fix userdom_confined_admin_template()
+- Add back exec_content boolean for secadm, logadm, auditadm
+- Fix files_filetrans_system_db_named_files() interface
+- Allow sulogin to getattr on /proc/kcore
+- Add filename transition also for servicelog.db-journal
+- Add files_dontaudit_access_check_root()
+- Add lvm_dontaudit_access_check_lock() interface
+- Allow mount to manage mount_var_run_t files/dirs
+
 * Tue Dec 3 2013 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-8
 - Add back fixes for gnome_role_template()
 - Label /usr/sbin/htcacheclean as httpd_exec_t

