[selinux-policy/f20] - Allow freeipmi_ipmidetectd_t to use freeipmi port - Update freeipmi_domain_template() - Allow jour

Miroslav Grepl mgrepl at fedoraproject.org
Thu Dec 12 15:27:04 UTC 2013


commit 8003ba16c065048e35f62efe4c73937115dd2977
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Dec 12 16:26:55 2013 +0100

    - Allow freeipmi_ipmidetectd_t to use freeipmi port
    - Update freeipmi_domain_template()
    - Allow journalctl running as ABRT to read /run/log/journal
    - Allow NM to read dispatcher.d directory
    - Update freeipmi policy
    - Type transitions with a filename not allowed inside conditionals
    - Allow tor to bind to hplip port
    - Make new type to texlive files in homedir
    - Allow zabbix_agent to transition to dmidecode
    - Add rules for docker
    - Allow sosreport to send signull to unconfined_t
    - Add virt_noatsecure and virt_rlimitinh interfaces
    - Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port
    - Add sysadm_u_default_contexts
    - Add logging_read_syslog_pid()
    - Fix userdom_manage_home_texlive() interface
    - Make new type to texlive files in homedir
    - Add filename transitions for /run and /lock links
    - Allow virtd to inherit rlimit information

 policy-f20-base.patch    |  212 +++++++++++++-----
 policy-f20-contrib.patch |  543 ++++++++++++++++++++++++++--------------------
 selinux-policy.spec      |   28 ++-
 3 files changed, 488 insertions(+), 295 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 760f6d6..e8b6035 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -71,6 +71,24 @@ index 881a292..80110a4 100644
  system_r:xdm_t:s0		staff_r:staff_t:s0
  staff_r:staff_su_t:s0		staff_r:staff_t:s0
  staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
+diff --git a/config/appconfig-mcs/sysadm_u_default_contexts b/config/appconfig-mcs/sysadm_u_default_contexts
+new file mode 100644
+index 0000000..b8fda95
+--- /dev/null
++++ b/config/appconfig-mcs/sysadm_u_default_contexts
+@@ -0,0 +1,12 @@
++system_r:local_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:remote_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:sshd_t:s0		sysadm_r:sysadm_t:s0
++system_r:crond_t:s0		sysadm_r:sysadm_t:s0
++system_r:xdm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
++system_r:initrc_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
++sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
++
 diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts
 new file mode 100644
 index 0000000..ff32acc
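Review bot: The new `sysadm_u_default_contexts` lists `sysadm_r:sysadm_su_t:s0` and `sysadm_r:sysadm_sudo_t:s0` twice; the second `sysadm_su_t` line also has trailing whitespace, so the last two entries can be dropped. The identical file added under `config/appconfig-standard` in the next hunk has the same duplicates. Separately, the `system_r:sshd_t:s0` and `system_r:crond_t:s0` rows make `sysadm_r:sysadm_t:s0` the default context for remote and cron sessions of sysadm_u. The commit message should say whether direct remote login into sysadm_t is intended and which policy rule or boolean (for example `ssh_sysadm_login`) gates it, since that is not visible here.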
@@ -144,6 +162,24 @@ index c2a5ea8..f63999e 100644
  system_r:xdm_t			staff_r:staff_t
  staff_r:staff_su_t		staff_r:staff_t
  staff_r:staff_sudo_t		staff_r:staff_t
+diff --git a/config/appconfig-standard/sysadm_u_default_contexts b/config/appconfig-standard/sysadm_u_default_contexts
+new file mode 100644
+index 0000000..b8fda95
+--- /dev/null
++++ b/config/appconfig-standard/sysadm_u_default_contexts
+@@ -0,0 +1,12 @@
++system_r:local_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:remote_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:sshd_t:s0		sysadm_r:sysadm_t:s0
++system_r:crond_t:s0		sysadm_r:sysadm_t:s0
++system_r:xdm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
++system_r:initrc_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
++sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
++
 diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts
 new file mode 100644
 index 0000000..ff32acc
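Review bot: Every context in the `config/appconfig-standard` copy carries an `:s0` level, while the neighbouring entries shown as context in this hunk (for example `system_r:xdm_t` mapped to `staff_r:staff_t`) have none. The blob id `b8fda95` matches the appconfig-mcs file, so the MCS version appears to have been copied unchanged. For the level-less configuration the rows should presumably read like `system_r:sshd_t		sysadm_r:sysadm_t`; confirm how a non-MCS build parses the entries as written.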
@@ -5549,7 +5585,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..d11b74d 100644
+index 4edc40d..e9c2c94 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5660,7 +5696,7 @@ index 4edc40d..d11b74d 100644
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -119,19 +143,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+@@ -119,19 +143,27 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -5677,6 +5713,7 @@ index 4edc40d..d11b74d 100644
 -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
 +network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0)
 +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
++network_port(freeipmi, tcp,9225,s0, udp,9225,s0)
 +network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
@@ -5689,7 +5726,7 @@ index 4edc40d..d11b74d 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +170,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +171,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5756,7 +5793,7 @@ index 4edc40d..d11b74d 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +223,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +224,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5795,7 +5832,7 @@ index 4edc40d..d11b74d 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -214,38 +260,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +261,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5848,7 +5885,7 @@ index 4edc40d..d11b74d 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +310,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +311,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5859,7 +5896,7 @@ index 4edc40d..d11b74d 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(ups, tcp,3493,s0)
-@@ -268,10 +322,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +323,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5872,7 +5909,7 @@ index 4edc40d..d11b74d 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -285,19 +339,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -285,19 +340,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5899,7 +5936,7 @@ index 4edc40d..d11b74d 100644
  
  ########################################
  #
-@@ -330,6 +388,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +389,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5908,7 +5945,7 @@ index 4edc40d..d11b74d 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +402,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +403,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -9545,7 +9582,7 @@ index c2c6e05..52d2b7c 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..6b66f85 100644
+index 64ff4d7..42ac33d 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -12056,7 +12093,7 @@ index 64ff4d7..6b66f85 100644
  ')
  
  ########################################
-@@ -6562,3 +7996,492 @@ interface(`files_unconfined',`
+@@ -6562,3 +7996,496 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -12383,6 +12420,7 @@ index 64ff4d7..6b66f85 100644
 +		type tmp_t;
 +		type var_t;
 +		type var_run_t;
++        type var_lock_t;
 +		type tmp_t;
 +	')
 +
@@ -12397,6 +12435,8 @@ index 64ff4d7..6b66f85 100644
 +	files_root_filetrans($1, usr_t, dir, "emul")
 +	files_root_filetrans($1, var_t, dir, "srv")
 +	files_root_filetrans($1, var_run_t, dir, "run")
++	files_root_filetrans($1, var_run_t, lnk_file, "run")
++	files_root_filetrans($1, var_lock_t, lnk_file, "lock")
 +	files_root_filetrans($1, tmp_t, dir, "sandbox")
 +	files_root_filetrans($1, tmp_t, dir, "tmp")
 +	files_root_filetrans($1, var_t, dir, "nsr")
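Review bot: The two added `lnk_file` transitions for "run" and "lock" use `files_root_filetrans`, so they apply to links created directly in the root directory, while the following hunk in the same interface adds `files_var_filetrans($1, var_run_t, dir, "run")` for /var. If the links meant by the commit message are /var/run and /var/lock, the object classes look swapped between the two parents. Confirm which of these paths is expected to be a symlink and which a directory, and record that in a comment above the transitions. The added `type var_lock_t;` and `files_var_filetrans` lines are indented with spaces where the surrounding lines use tabs. The enclosing interface starts and ends outside these hunks.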
@@ -12420,6 +12460,7 @@ index 64ff4d7..6b66f85 100644
 +	files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root")
 +	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
 +	files_var_filetrans($1, tmp_t, dir, "tmp")
++    files_var_filetrans($1, var_run_t, dir, "run")
 +')
 +
 +########################################
@@ -25715,7 +25756,7 @@ index 3efd5b6..08c3e93 100644
 +	allow $1 login_pgm:process sigchld;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..79f9c96 100644
+index 104037e..98a441d 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -26026,7 +26067,7 @@ index 104037e..79f9c96 100644
  ')
  
  optional_policy(`
-@@ -463,3 +507,133 @@ optional_policy(`
+@@ -463,3 +507,134 @@ optional_policy(`
  	samba_read_var_files(nsswitch_domain)
  	samba_dontaudit_write_var_files(nsswitch_domain)
  ')
@@ -26054,7 +26095,7 @@ index 104037e..79f9c96 100644
 +manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t)
 +manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
 +manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
-+files_var_filetrans(login_pgm, auth_cache_t, dir)
++files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey")
 +
 +manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
 +manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
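Review bot: Narrowing the transition to `files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey")` means any other directory a login program creates under a var_t parent now keeps the parent's label instead of becoming auth_cache_t. That is the tighter choice, but nothing in the policy explains it. Suggest a comment such as `# only the coolkey cache directory is created as auth_cache_t`, and check that a matching file-context entry exists so that relabeling agrees with the transition. The file-context side is not visible in this hunk.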
@@ -26102,6 +26143,7 @@ index 104037e..79f9c96 100644
 +logging_set_tty_audit(login_pgm)
 +
 +miscfiles_dontaudit_write_generic_cert_files(login_pgm)
++miscfiles_filetrans_named_content(login_pgm)
 +
 +seutil_read_config(login_pgm)
 +seutil_read_login_config(login_pgm)
@@ -28122,7 +28164,7 @@ index 24e7804..76da5dd 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..0996734 100644
+index dd3be8d..8b457a1 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -29164,12 +29206,14 @@ index dd3be8d..0996734 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1326,33 @@ optional_policy(`
+@@ -856,12 +1326,35 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	virt_read_config(init_t)
 +	virt_stream_connect(init_t)
++    virt_noatsecure(init_t)
++    virt_rlimitinh(init_t)
 +')
 +
 +optional_policy(`
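Review bot: `virt_noatsecure(init_t)` is not justified by the commit message, which only mentions letting virtd inherit rlimit information (the `virt_rlimitinh` line). Going by its name, the interface grants the `noatsecure` process permission, which turns off the loader's secure-mode environment sanitising on the transition out of init_t. It should get its own rationale in a comment or be dropped; the interface body is not in view, so confirm what it actually allows. Both added lines are indented with spaces while the rest of the optional block uses tabs.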
@@ -29199,7 +29243,7 @@ index dd3be8d..0996734 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1362,18 @@ optional_policy(`
+@@ -871,6 +1364,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29218,7 +29262,7 @@ index dd3be8d..0996734 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1389,10 @@ optional_policy(`
+@@ -886,6 +1391,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29229,7 +29273,7 @@ index dd3be8d..0996734 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1403,218 @@ optional_policy(`
+@@ -896,3 +1405,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -31170,7 +31214,7 @@ index b50c5fe..2faaaf2 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..bb6086e 100644
+index 4e94884..ae63d78 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -31260,24 +31304,17 @@ index 4e94884..bb6086e 100644
  ########################################
  ## <summary>
  ##	Send system log messages.
-@@ -530,22 +592,85 @@ interface(`logging_log_filetrans',`
+@@ -530,22 +592,104 @@ interface(`logging_log_filetrans',`
  #
  interface(`logging_send_syslog_msg',`
  	gen_require(`
 -		type syslogd_t, devlog_t;
 +		attribute syslog_client_type;
- 	')
- 
--	allow $1 devlog_t:lnk_file read_lnk_file_perms;
--	allow $1 devlog_t:sock_file write_sock_file_perms;
++	')
++
 +	typeattribute $1 syslog_client_type;
 +')
- 
--	# the type of socket depends on the syslog daemon
--	allow $1 syslogd_t:unix_dgram_socket sendto;
--	allow $1 syslogd_t:unix_stream_socket connectto;
--	allow $1 self:unix_dgram_socket create_socket_perms;
--	allow $1 self:unix_stream_socket create_socket_perms;
++
 +########################################
 +## <summary>
 +##	Connect to the syslog control unix stream socket.
@@ -31312,17 +31349,13 @@ index 4e94884..bb6086e 100644
 +	gen_require(`
 +		type devlog_t;
 +	')
- 
--	# If syslog is down, the glibc syslog() function
--	# will write to the console.
--	term_write_console($1)
--	term_dontaudit_read_console($1)
++
 +	allow $1 devlog_t:sock_file relabel_sock_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel the syslog pid sock_file.
++##	Allow domain to read the syslog pid files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -31330,16 +31363,42 @@ index 4e94884..bb6086e 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`logging_relabel_syslog_pid_socket',`
++interface(`logging_read_syslog_pid',`
 +	gen_require(`
 +		type syslogd_var_run_t;
 +	')
 +
-+	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
++    read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
++    list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +')
 +
 +########################################
 +## <summary>
++##	Relabel the syslog pid sock_file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_relabel_syslog_pid_socket',`
++	gen_require(`
++		type syslogd_var_run_t;
+ 	')
+ 
+-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
+-	allow $1 devlog_t:sock_file write_sock_file_perms;
++	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
++')
+ 
+-	# the type of socket depends on the syslog daemon
+-	allow $1 syslogd_t:unix_dgram_socket sendto;
+-	allow $1 syslogd_t:unix_stream_socket connectto;
+-	allow $1 self:unix_dgram_socket create_socket_perms;
+-	allow $1 self:unix_stream_socket create_socket_perms;
++########################################
++## <summary>
 +##	Connect to the syslog control unix stream socket.
 +## </summary>
 +## <param name="domain">
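Review bot: `logging_read_syslog_pid` reads and lists `syslogd_var_run_t` but never calls `files_search_pids($1)`, which `logging_stream_connect_syslog` just below does before touching the same type. A caller that cannot already search the pid directory would not reach these files, so add `files_search_pids($1)` as the first line of the body and indent the two pattern lines with a tab like the rest of the file. The summary says "syslog pid files", yet per the commit message the motivating caller is journalctl running as ABRT and reading /run/log/journal (wired up by `logging_read_syslog_pid(abrt_t)` in the abrt.te hunk). If the journal directory carries this label, the summary should say that journal contents become readable to the caller.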
@@ -31352,13 +31411,17 @@ index 4e94884..bb6086e 100644
 +	gen_require(`
 +		type syslogd_t, syslogd_var_run_t;
 +	')
-+
+ 
+-	# If syslog is down, the glibc syslog() function
+-	# will write to the console.
+-	term_write_console($1)
+-	term_dontaudit_read_console($1)
 +	files_search_pids($1)
 +	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
  ')
  
  ########################################
-@@ -722,6 +847,25 @@ interface(`logging_setattr_all_log_dirs',`
+@@ -722,6 +866,25 @@ interface(`logging_setattr_all_log_dirs',`
  	allow $1 logfile:dir setattr;
  ')
  
@@ -31384,7 +31447,7 @@ index 4e94884..bb6086e 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to get the attributes
-@@ -776,7 +920,25 @@ interface(`logging_append_all_logs',`
+@@ -776,7 +939,25 @@ interface(`logging_append_all_logs',`
  	')
  
  	files_search_var($1)
@@ -31411,7 +31474,7 @@ index 4e94884..bb6086e 100644
  ')
  
  ########################################
-@@ -859,7 +1021,7 @@ interface(`logging_manage_all_logs',`
+@@ -859,7 +1040,7 @@ interface(`logging_manage_all_logs',`
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
@@ -31420,7 +31483,7 @@ index 4e94884..bb6086e 100644
  ')
  
  ########################################
-@@ -885,6 +1047,44 @@ interface(`logging_read_generic_logs',`
+@@ -885,6 +1066,44 @@ interface(`logging_read_generic_logs',`
  
  ########################################
  ## <summary>
@@ -31465,7 +31528,7 @@ index 4e94884..bb6086e 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -905,6 +1105,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1124,24 @@ interface(`logging_write_generic_logs',`
  
  ########################################
  ## <summary>
@@ -31490,7 +31553,7 @@ index 4e94884..bb6086e 100644
  ##	Dontaudit Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -984,11 +1202,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1221,16 @@ interface(`logging_admin_audit',`
  		type auditd_t, auditd_etc_t, auditd_log_t;
  		type auditd_var_run_t;
  		type auditd_initrc_exec_t;
@@ -31508,7 +31571,7 @@ index 4e94884..bb6086e 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -1004,6 +1227,33 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1246,33 @@ interface(`logging_admin_audit',`
  	domain_system_change_exemption($1)
  	role_transition $2 auditd_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -31542,7 +31605,7 @@ index 4e94884..bb6086e 100644
  ')
  
  ########################################
-@@ -1032,10 +1282,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1301,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
@@ -31560,7 +31623,7 @@ index 4e94884..bb6086e 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1312,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1331,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -31569,7 +31632,7 @@ index 4e94884..bb6086e 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1085,3 +1342,35 @@ interface(`logging_admin',`
+@@ -1085,3 +1361,35 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
@@ -39857,10 +39920,10 @@ index 0280b32..61f19e9 100644
 -')
 +attribute unconfined_services;
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..65191bd 100644
+index db75976..e4eb903 100644
 --- a/policy/modules/system/userdomain.fc
 +++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,21 @@
+@@ -1,4 +1,24 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
@@ -39881,10 +39944,13 @@ index db75976..65191bd 100644
 +HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.gvfs/.*	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
++HOME_DIR/\.texlive2012(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
++HOME_DIR/\.texlive2013(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
++HOME_DIR/\.texlive2014(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..5b45016 100644
+index 3c5dba7..1e5eb3b 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
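Review bot: The three added file-context entries for `.texlive2012`, `.texlive2013` and `.texlive2014` hard-code release years, and the same three names are repeated in the new `userdom_manage_home_texlive` interface and in the `userdom_filetrans_type` transitions in userdomain.te. The file-context side could be a single pattern, `HOME_DIR/\.texlive20[0-9][0-9](/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)`, leaving only the named transitions to extend each year. A comment next to those transitions noting that the list must grow with each TeX Live release would keep a new directory from silently being created as user_home_t. The new interface also mixes space and tab indentation.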
@@ -42726,7 +42792,7 @@ index 3c5dba7..5b45016 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3438,4 +4323,1646 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4323,1671 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -43440,6 +43506,31 @@ index 3c5dba7..5b45016 100644
 +        read_lnk_files_pattern($1, audio_home_t, audio_home_t)
 +')
 +
++######################################
++## <summary>
++##      Manage texlive content in the users homedir.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_manage_home_texlive',`
++        gen_require(`
++                type texlive_home_t;
++        ')
++
++    userdom_search_user_home_dirs($1)
++	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012")
++	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013")
++	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014")
++    manage_dirs_pattern($1, texlive_home_t, texlive_home_t)
++    manage_files_pattern($1, texlive_home_t, texlive_home_t)
++	manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t)
++')
++
 +########################################
 +## <summary>
 +##	Do not audit attempts to write all user home content files.
@@ -44374,7 +44465,7 @@ index 3c5dba7..5b45016 100644
 +')
 +
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..e0c6eeb 100644
+index e2b538b..af7e095 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5)
@@ -44463,7 +44554,7 @@ index e2b538b..e0c6eeb 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +83,359 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,366 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -44504,6 +44595,10 @@ index e2b538b..e0c6eeb 100644
 +userdom_user_home_content(audio_home_t)
 +ubac_constrained(audio_home_t)
 +
++type texlive_home_t;
++userdom_user_home_content(texlive_home_t)
++ubac_constrained(texlive_home_t)
++
 +type home_bin_t;
 +userdom_user_home_content(home_bin_t)
 +ubac_constrained(home_bin_t)
@@ -44617,6 +44712,9 @@ index e2b538b..e0c6eeb 100644
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert")
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki")
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014")
 +
 +optional_policy(`
 +	gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 42c23c2..1f59ff1 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -538,7 +538,7 @@ index 058d908..ff0f9c2 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..135f947 100644
+index cc43d25..0560e0a 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -774,7 +774,7 @@ index cc43d25..135f947 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +193,38 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +193,39 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -802,6 +802,7 @@ index cc43d25..135f947 100644
 +logging_read_generic_logs(abrt_t)
 +logging_send_syslog_msg(abrt_t)
 +logging_stream_connect_syslog(abrt_t)
++logging_read_syslog_pid(abrt_t)
 +
  auth_use_nsswitch(abrt_t)
  
@@ -816,7 +817,7 @@ index cc43d25..135f947 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +232,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +233,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -833,7 +834,7 @@ index cc43d25..135f947 100644
  ')
  
  optional_policy(`
-@@ -209,6 +244,20 @@ optional_policy(`
+@@ -209,6 +245,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -854,7 +855,7 @@ index cc43d25..135f947 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -220,6 +269,7 @@ optional_policy(`
+@@ -220,6 +270,7 @@ optional_policy(`
  	corecmd_exec_all_executables(abrt_t)
  ')
  
@@ -862,7 +863,7 @@ index cc43d25..135f947 100644
  optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +280,7 @@ optional_policy(`
+@@ -230,6 +281,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -870,7 +871,7 @@ index cc43d25..135f947 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -240,9 +291,17 @@ optional_policy(`
+@@ -240,9 +292,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -889,7 +890,7 @@ index cc43d25..135f947 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +312,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +313,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -904,7 +905,7 @@ index cc43d25..135f947 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +331,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +332,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -912,7 +913,7 @@ index cc43d25..135f947 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +340,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +341,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -933,7 +934,7 @@ index cc43d25..135f947 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +361,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +362,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -960,7 +961,7 @@ index cc43d25..135f947 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +397,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +398,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -974,7 +975,7 @@ index cc43d25..135f947 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +415,11 @@ optional_policy(`
+@@ -330,10 +416,11 @@ optional_policy(`
  
  #######################################
  #
@@ -988,7 +989,7 @@ index cc43d25..135f947 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +438,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +439,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1050,7 +1051,7 @@ index cc43d25..135f947 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +496,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +497,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -22609,10 +22610,10 @@ index 0000000..d856375
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..1229d66
+index 0000000..85e2ddb
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,145 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -22709,18 +22710,25 @@ index 0000000..1229d66
 +#
 +
 +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
-+allow docker_t self:process { setsched signal_perms };
++allow docker_t self:process { setpgid setsched signal_perms };
 +allow docker_t self:netlink_route_socket nlmsg_write;
++allow docker_t self:netlink_audit_socket create_netlink_perms;
 +allow docker_t self:unix_dgram_socket create_socket_perms;
++allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }
 +
 +allow docker_t docker_var_lib_t:dir mounton;
++allow docker_t docker_var_lib_t:chr_file mounton;
++can_exec(docker_t, docker_var_lib_t)
 +
 +kernel_setsched(docker_t)
++kernel_get_sysvipc_info(docker_t)
 +
 +dev_getattr_all_blk_files(docker_t)
++dev_getattr_sysfs_fs(docker_t)
 +dev_read_urand(docker_t)
 +dev_read_lvm_control(docker_t)
 +dev_read_sysfs(docker_t)
++dev_rw_lvm_control(docker_t)
 +
 +files_manage_isid_type_dirs(docker_t)
 +files_manage_isid_type_files(docker_t)
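Review bot: The added rule `allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }` has no terminating semicolon, so the module should fail to compile as written; it needs `allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };`. `dev_rw_lvm_control(docker_t)` is added while `dev_read_lvm_control(docker_t)` stays, which makes the read-only call redundant if the rw interface includes read. `can_exec(docker_t, docker_var_lib_t)` lets the daemon execute, in its own domain, files of a type it also mounts on. If docker_t can write that type (not visible in this hunk), that is a write-then-execute path, so a comment explaining why in-domain execution is needed rather than a domain transition would help.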
@@ -22743,9 +22751,14 @@ index 0000000..1229d66
 +modutils_domtrans_insmod(docker_t)
 +
 +optional_policy(`
++	udev_read_db(docker_t)
++')
++
++optional_policy(`
 +	virt_read_config(docker_t)
 +	virt_exec(docker_t)
 +')
++
 diff --git a/dovecot.fc b/dovecot.fc
 index c880070..4448055 100644
 --- a/dovecot.fc
@@ -25489,10 +25502,10 @@ index 0000000..0942a2e
 +/var/run/bmc-watchdog\.pid	--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0)
 diff --git a/freeipmi.if b/freeipmi.if
 new file mode 100644
-index 0000000..dc94853
+index 0000000..9715f27
 --- /dev/null
 +++ b/freeipmi.if
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,73 @@
 +## <summary>Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification</summary>
 +
 +#####################################
@@ -25539,6 +25552,8 @@ index 0000000..dc94853
 +	corenet_all_recvfrom_netlabel(freeipmi_$1_t)
 +	corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
 +
++    dev_read_raw_memory(freeipmi_$1_t)
++
 +    auth_use_nsswitch(freeipmi_$1_t)
 +
 +    logging_send_syslog_msg(freeipmi_$1_t)
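Review bot: Putting `dev_read_raw_memory(freeipmi_$1_t)` inside `freeipmi_domain_template()` grants raw-memory read to every domain built from the template, where the previous revision granted it only to `freeipmi_bmc_watchdog_t` (the line this commit removes from freeipmi.te). The same commit lets `freeipmi_ipmidetectd_t` bind a TCP port, so a network-listening daemon now also gets raw memory access. Unless every freeipmi daemon has a recorded denial for it, keep the call per domain in freeipmi.te, starting from `dev_read_raw_memory(freeipmi_bmc_watchdog_t)` and adding only the domains that need it. The template body starts and ends outside this hunk.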
@@ -25566,10 +25581,10 @@ index 0000000..dc94853
 +
 diff --git a/freeipmi.te b/freeipmi.te
 new file mode 100644
-index 0000000..1408208
+index 0000000..8071a76
 --- /dev/null
 +++ b/freeipmi.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,75 @@
 +policy_module(freeipmi, 1.0.0)
 +
 +########################################
@@ -25598,6 +25613,7 @@ index 0000000..1408208
 +allow freeipmi_domain self:fifo_file rw_fifo_file_perms;
 +allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms;
 +allow freeipmi_domain self:sem create_sem_perms;
++allow freeipmi_domain self:tcp_socket { listen create_stream_socket_perms };
 +
 +manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
 +manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
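Review bot: `listen` in `allow freeipmi_domain self:tcp_socket { listen create_stream_socket_perms };` looks redundant, because the reference-policy `create_stream_socket_perms` set, as far as I know, already contains `listen` and `accept`. `allow freeipmi_domain self:tcp_socket create_stream_socket_perms;` would grant the same thing. The rule is also attached to the `freeipmi_domain` attribute, while the only bind rule added in this commit is `corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)`. If ipmidetectd is the only listener, the listening permissions could be scoped to `freeipmi_ipmidetectd_t` and the other domains left with client-socket permissions only. The local policy section continues outside this hunk.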
@@ -25609,6 +25625,9 @@ index 0000000..1408208
 +manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
 +files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
 +
++dev_read_rand(freeipmi_domain)
++dev_read_urand(freeipmi_domain)
++
 +sysnet_dns_name_resolve(freeipmi_domain)
 +
 +#######################################
@@ -25618,9 +25637,10 @@ index 0000000..1408208
 +
 +files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
 +
-+dev_read_raw_memory(freeipmi_bmc_watchdog_t)
 +dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)
 +
++allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
++
 +#######################################
 +#
 +# ipmidetectd local policy
@@ -25628,6 +25648,8 @@ index 0000000..1408208
 +
 +files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
 +
++corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)
++
 +#######################################
 +#
 +# ipmiseld local policy
@@ -41249,10 +41271,10 @@ index 0000000..b694afc
 +')
 +
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..a4d75bf 100644
+index 6ffaba2..cb1e8b0 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
-@@ -1,38 +1,69 @@
+@@ -1,38 +1,67 @@
 -HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -41294,8 +41316,6 @@ index 6ffaba2..a4d75bf 100644
 +HOME_DIR/\.lyx(/.*)?                   gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.quakelive(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.texlive2012(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.texlive2013(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.ICAClient(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.IBMERS(/.*)?          	gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/zimbrauserdata(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -41356,7 +41376,7 @@ index 6ffaba2..a4d75bf 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..ada96f0 100644
+index 6194b80..7fbb9e7 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -1,146 +1,75 @@
@@ -42047,7 +42067,7 @@ index 6194b80..ada96f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -530,45 +499,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +499,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -42116,8 +42136,6 @@ index 6194b80..ada96f0 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
-+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
-+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
@@ -42131,7 +42149,7 @@ index 6194b80..ada96f0 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..3451a03 100644
+index 6a306ee..32542a8 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -42394,7 +42412,7 @@ index 6a306ee..3451a03 100644
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
  
-@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,57 +196,76 @@ auth_use_nsswitch(mozilla_t)
  logging_send_syslog_msg(mozilla_t)
  
  miscfiles_read_fonts(mozilla_t)
@@ -42447,12 +42465,6 @@ index 6a306ee..3451a03 100644
 -	fs_manage_nfs_dirs(mozilla_t)
 -	fs_manage_nfs_files(mozilla_t)
 -	fs_manage_nfs_symlinks(mozilla_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
--	fs_manage_cifs_dirs(mozilla_t)
--	fs_manage_cifs_files(mozilla_t)
--	fs_manage_cifs_symlinks(mozilla_t)
 +userdom_home_manager(mozilla_t)
 +
 +# Uploads, local html
@@ -42504,8 +42516,16 @@ index 6a306ee..3451a03 100644
 +	userdom_dontaudit_read_user_home_content_files(mozilla_t)
  ')
  
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(mozilla_t)
+-	fs_manage_cifs_files(mozilla_t)
+-	fs_manage_cifs_symlinks(mozilla_t)
+-')
++userdom_manage_home_texlive(mozilla_t)
+ 
  optional_policy(`
-@@ -244,19 +276,12 @@ optional_policy(`
+ 	apache_read_user_scripts(mozilla_t)
+@@ -244,19 +278,12 @@ optional_policy(`
  
  optional_policy(`
  	cups_read_rw_config(mozilla_t)
@@ -42527,7 +42547,7 @@ index 6a306ee..3451a03 100644
  
  	optional_policy(`
  		networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +290,32 @@ optional_policy(`
+@@ -265,33 +292,32 @@ optional_policy(`
  
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
@@ -42540,34 +42560,34 @@ index 6a306ee..3451a03 100644
 -	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 +	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++	java_domtrans(mozilla_t)
  ')
  
  optional_policy(`
 -	java_exec(mozilla_t)
 -	java_manage_generic_home_content(mozilla_t)
 -	java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+	java_domtrans(mozilla_t)
++	lpd_domtrans_lpr(mozilla_t)
  ')
  
  optional_policy(`
 -	lpd_run_lpr(mozilla_t, mozilla_roles)
-+	lpd_domtrans_lpr(mozilla_t)
++	mplayer_domtrans(mozilla_t)
++	mplayer_read_user_home_files(mozilla_t)
  ')
  
  optional_policy(`
 -	mplayer_exec(mozilla_t)
 -	mplayer_manage_generic_home_content(mozilla_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+	mplayer_domtrans(mozilla_t)
-+	mplayer_read_user_home_files(mozilla_t)
++	nscd_socket_use(mozilla_t)
  ')
  
  optional_policy(`
 -	pulseaudio_run(mozilla_t, mozilla_roles)
-+	nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
 +	#pulseaudio_role(mozilla_roles, mozilla_t)
 +	pulseaudio_exec(mozilla_t)
 +	pulseaudio_stream_connect(mozilla_t)
@@ -42575,7 +42595,7 @@ index 6a306ee..3451a03 100644
  ')
  
  optional_policy(`
-@@ -300,259 +324,240 @@ optional_policy(`
+@@ -300,259 +326,241 @@ optional_policy(`
  
  ########################################
  #
@@ -42654,16 +42674,17 @@ index 6a306ee..3451a03 100644
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
 +userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
++userdom_manage_home_texlive(mozilla_plugin_t)
  
  allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
 +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
  
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
 -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
 +can_exec(mozilla_plugin_t, mozilla_exec_t)
  
@@ -42835,12 +42856,12 @@ index 6a306ee..3451a03 100644
  
 -userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 -userdom_manage_user_tmp_files(mozilla_plugin_t)
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
- 
+-
 -userdom_manage_user_home_content_dirs(mozilla_plugin_t)
 -userdom_manage_user_home_content_files(mozilla_plugin_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+ 
 -userdom_write_user_tmp_sockets(mozilla_plugin_t)
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
@@ -42864,26 +42885,26 @@ index 6a306ee..3451a03 100644
 -ifndef(`enable_mls',`
 -	fs_list_dos(mozilla_plugin_t)
 -	fs_read_dos_files(mozilla_plugin_t)
+-
+-	fs_search_removable(mozilla_plugin_t)
+-	fs_read_removable_files(mozilla_plugin_t)
+-	fs_read_removable_symlinks(mozilla_plugin_t)
 +userdom_read_user_home_content_files(mozilla_plugin_t)
 +userdom_read_user_home_content_symlinks(mozilla_plugin_t)
 +userdom_read_home_certs(mozilla_plugin_t)
 +userdom_read_home_audio_files(mozilla_plugin_t)
 +userdom_exec_user_tmp_files(mozilla_plugin_t)
  
--	fs_search_removable(mozilla_plugin_t)
--	fs_read_removable_files(mozilla_plugin_t)
--	fs_read_removable_symlinks(mozilla_plugin_t)
+-	fs_read_iso9660_files(mozilla_plugin_t)
+-')
 +userdom_home_manager(mozilla_plugin_t)
  
--	fs_read_iso9660_files(mozilla_plugin_t)
+-tunable_policy(`allow_execmem',`
+-	allow mozilla_plugin_t self:process execmem;
 +tunable_policy(`mozilla_plugin_can_network_connect',`
 +	corenet_tcp_connect_all_ports(mozilla_plugin_t)
  ')
  
--tunable_policy(`allow_execmem',`
--	allow mozilla_plugin_t self:process execmem;
--')
--
 -tunable_policy(`mozilla_execstack',`
 -	allow mozilla_plugin_t self:process { execmem execstack };
 +optional_policy(`
@@ -42965,7 +42986,7 @@ index 6a306ee..3451a03 100644
  ')
  
  optional_policy(`
-@@ -560,7 +565,7 @@ optional_policy(`
+@@ -560,7 +568,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42974,7 +42995,7 @@ index 6a306ee..3451a03 100644
  ')
  
  optional_policy(`
-@@ -568,108 +573,130 @@ optional_policy(`
+@@ -568,108 +576,130 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43007,8 +43028,7 @@ index 6a306ee..3451a03 100644
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
- 
+-
 -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
 -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
 -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
@@ -43017,8 +43037,7 @@ index 6a306ee..3451a03 100644
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
-+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
-+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
  
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
@@ -43028,20 +43047,22 @@ index 6a306ee..3451a03 100644
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
-+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
++allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
  
 -filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
+ 
+-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
 +dev_read_sysfs(mozilla_plugin_config_t)
 +dev_read_urand(mozilla_plugin_config_t)
 +dev_dontaudit_read_rand(mozilla_plugin_config_t)
 +dev_dontaudit_rw_dri(mozilla_plugin_config_t)
  
--can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
 +fs_search_auto_mountpoints(mozilla_plugin_config_t)
 +fs_list_inotifyfs(mozilla_plugin_config_t)
  
--ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
--
 -kernel_read_system_state(mozilla_plugin_config_t)
 -kernel_request_load_module(mozilla_plugin_config_t)
 +can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
@@ -48334,7 +48355,7 @@ index 0e8508c..ee2e3de 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..e61d367 100644
+index 0b48a30..340630c 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -48365,7 +48386,7 @@ index 0b48a30..e61d367 100644
  type NetworkManager_log_t;
  logging_log_file(NetworkManager_log_t)
  
-@@ -39,25 +42,44 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,25 +42,47 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
  # Local policy
  #
  
@@ -48411,6 +48432,9 @@ index 0b48a30..e61d367 100644
 +#wicd
 +can_exec(NetworkManager_t, wpa_cli_exec_t)
  
++list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
++read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
++
 +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
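Review bot: The two new rules let `NetworkManager_t` list and read `NetworkManager_initrc_exec_t`, which by its name is an init-script executable type, and nothing next to them says why. The commit message suggests this is for the dispatcher.d directory, so a comment in the style of the `#wicd` line above would record that, for example `# dispatcher.d is labeled NetworkManager_initrc_exec_t` if that labeling is indeed the reason. Without it, the next reader cannot tell whether the access is intentional or safe to narrow.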
@@ -48419,7 +48443,7 @@ index 0b48a30..e61d367 100644
  manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,6 +90,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,6 +93,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
  setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
  logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
  
@@ -48427,7 +48451,7 @@ index 0b48a30..e61d367 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +104,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,17 +107,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
  files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
  
@@ -48446,7 +48470,7 @@ index 0b48a30..e61d367 100644
  corenet_all_recvfrom_netlabel(NetworkManager_t)
  corenet_tcp_sendrecv_generic_if(NetworkManager_t)
  corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +122,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +125,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
  corenet_tcp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_bind_generic_node(NetworkManager_t)
@@ -48472,7 +48496,7 @@ index 0b48a30..e61d367 100644
  dev_rw_sysfs(NetworkManager_t)
  dev_read_rand(NetworkManager_t)
  dev_read_urand(NetworkManager_t)
-@@ -125,13 +138,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +141,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
  dev_getattr_all_chr_files(NetworkManager_t)
  dev_rw_wireless(NetworkManager_t)
  
@@ -48486,7 +48510,7 @@ index 0b48a30..e61d367 100644
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
  fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +146,17 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,6 +149,17 @@ mls_file_read_all_levels(NetworkManager_t)
  
  selinux_dontaudit_search_fs(NetworkManager_t)
  
@@ -48504,7 +48528,7 @@ index 0b48a30..e61d367 100644
  storage_getattr_fixed_disk_dev(NetworkManager_t)
  
  init_read_utmp(NetworkManager_t)
-@@ -148,10 +165,11 @@ init_domtrans_script(NetworkManager_t)
+@@ -148,10 +168,11 @@ init_domtrans_script(NetworkManager_t)
  
  auth_use_nsswitch(NetworkManager_t)
  
@@ -48517,7 +48541,7 @@ index 0b48a30..e61d367 100644
  
  seutil_read_config(NetworkManager_t)
  
-@@ -166,21 +184,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +187,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_state(NetworkManager_t)
  sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -48554,7 +48578,7 @@ index 0b48a30..e61d367 100644
  ')
  
  optional_policy(`
-@@ -196,10 +225,6 @@ optional_policy(`
+@@ -196,10 +228,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48565,7 +48589,7 @@ index 0b48a30..e61d367 100644
  	consoletype_exec(NetworkManager_t)
  ')
  
-@@ -210,16 +235,11 @@ optional_policy(`
+@@ -210,16 +238,11 @@ optional_policy(`
  optional_policy(`
  	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
  
@@ -48584,7 +48608,7 @@ index 0b48a30..e61d367 100644
  	')
  ')
  
-@@ -231,18 +251,19 @@ optional_policy(`
+@@ -231,18 +254,19 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -48607,7 +48631,7 @@ index 0b48a30..e61d367 100644
  ')
  
  optional_policy(`
-@@ -250,6 +271,10 @@ optional_policy(`
+@@ -250,6 +274,10 @@ optional_policy(`
  	ipsec_kill_mgmt(NetworkManager_t)
  	ipsec_signal_mgmt(NetworkManager_t)
  	ipsec_signull_mgmt(NetworkManager_t)
@@ -48618,7 +48642,7 @@ index 0b48a30..e61d367 100644
  ')
  
  optional_policy(`
-@@ -257,11 +282,10 @@ optional_policy(`
+@@ -257,11 +285,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48634,7 +48658,7 @@ index 0b48a30..e61d367 100644
  ')
  
  optional_policy(`
-@@ -274,10 +298,17 @@ optional_policy(`
+@@ -274,10 +301,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -48652,7 +48676,7 @@ index 0b48a30..e61d367 100644
  ')
  
  optional_policy(`
-@@ -289,6 +320,7 @@ optional_policy(`
+@@ -289,6 +323,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48660,7 +48684,7 @@ index 0b48a30..e61d367 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +328,7 @@ optional_policy(`
+@@ -296,7 +331,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48669,7 +48693,7 @@ index 0b48a30..e61d367 100644
  ')
  
  optional_policy(`
-@@ -307,6 +339,7 @@ optional_policy(`
+@@ -307,6 +342,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -48677,7 +48701,7 @@ index 0b48a30..e61d367 100644
  ')
  
  optional_policy(`
-@@ -320,13 +353,19 @@ optional_policy(`
+@@ -320,13 +356,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48701,7 +48725,7 @@ index 0b48a30..e61d367 100644
  ')
  
  optional_policy(`
-@@ -356,6 +395,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +398,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -77176,7 +77200,7 @@ index ebe91fc..576ca21 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index 0628d50..952ee2a 100644
+index 0628d50..e9dbd7e 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -77453,7 +77477,7 @@ index 0628d50..952ee2a 100644
 +		type rpm_log_t;
 +	')
 +    logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
-+    logging_log_named_filetrans($1, rpm_log_t, file, "upd2date")
++    logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
 +')
 +
 +########################################
@@ -86546,7 +86570,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index 703efa3..a0dbe3f 100644
+index 703efa3..bdd8566 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
@@ -86708,7 +86732,7 @@ index 703efa3..a0dbe3f 100644
  ')
  
  optional_policy(`
-@@ -135,9 +193,17 @@ optional_policy(`
+@@ -135,9 +193,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86726,6 +86750,10 @@ index 703efa3..a0dbe3f 100644
 +
 +optional_policy(`
 +    setroubleshoot_signull(sosreport_t)
++')
++
++optional_policy(`
++    unconfined_signull(sosreport_t)
  ')
  
  optional_policy(`
@@ -91794,11 +91822,10 @@ index 0000000..39d17b7
 +files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
 diff --git a/thumb.fc b/thumb.fc
 new file mode 100644
-index 0000000..92b6843
+index 0000000..115bf6c
 --- /dev/null
 +++ b/thumb.fc
-@@ -0,0 +1,18 @@
-+HOME_DIR/\.texlive2012(/.*)?	gen_context(system_u:object_r:thumb_home_t,s0)
+@@ -0,0 +1,17 @@
 +HOME_DIR/\.thumbnails(/.*)?	gen_context(system_u:object_r:thumb_home_t,s0)
 +HOME_DIR/\.cache/thumbnails(/.*)?	gen_context(system_u:object_r:thumb_home_t,s0)
 +HOME_DIR/missfont\.log.*		gen_context(system_u:object_r:thumb_home_t,s0)
@@ -91815,7 +91842,7 @@ index 0000000..92b6843
 +/usr/bin/ffmpegthumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +/usr/bin/mate-thumbnail-font		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +
-+/usr/lib/tumbler[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/lib/tumbler-?[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 diff --git a/thumb.if b/thumb.if
 new file mode 100644
 index 0000000..c1fd8b4
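Review bot: The new pattern `/usr/lib/tumbler-?[^/]*/tumblerd` matches exactly the same paths as the old `/usr/lib/tumbler[^/]*/tumblerd`, because `[^/]*` already consumes the `-1` suffix, so the added `-?` changes nothing. If `/usr/lib64/tumbler-1/tumblerd` was being mislabeled, the cause is more likely the `lib64` prefix or a competing, more specific entry than this regex. It is worth checking the installed path with `matchpathcon` before and after the change to confirm the label actually differs.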
@@ -91957,10 +91984,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..b57cc3c
+index 0000000..2ddef5c
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,149 @@
+@@ -0,0 +1,150 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -92010,6 +92037,7 @@ index 0000000..b57cc3c
 +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
 +userdom_dontaudit_access_check_user_content(thumb_t)
 +userdom_rw_inherited_user_tmpfs_files(thumb_t)
++userdom_manage_home_texlive(thumb_t)
 +
 +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
 +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
@@ -92852,7 +92880,7 @@ index 61c2e07..5e1df41 100644
 +	')
  ')
 diff --git a/tor.te b/tor.te
-index 964a395..78962c4 100644
+index 964a395..ea77295 100644
 --- a/tor.te
 +++ b/tor.te
 @@ -13,6 +13,13 @@ policy_module(tor, 1.8.4)
@@ -92887,7 +92915,15 @@ index 964a395..78962c4 100644
  corenet_sendrecv_dns_server_packets(tor_t)
  corenet_udp_bind_dns_port(tor_t)
  corenet_udp_sendrecv_dns_port(tor_t)
-@@ -98,19 +107,22 @@ dev_read_urand(tor_t)
+@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+ corenet_sendrecv_tor_server_packets(tor_t)
+ corenet_tcp_bind_tor_port(tor_t)
+ corenet_tcp_sendrecv_tor_port(tor_t)
++corenet_tcp_bind_hplip_port(tor_t)
+ 
+ corenet_sendrecv_all_client_packets(tor_t)
+ corenet_tcp_connect_all_ports(tor_t)
+@@ -98,19 +108,22 @@ dev_read_urand(tor_t)
  domain_use_interactive_fds(tor_t)
  
  files_read_etc_runtime_files(tor_t)
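Review bot: `corenet_tcp_bind_hplip_port(tor_t)` lets tor listen on ports typed for another service, and the line carries no comment saying which tor configuration needs it. The grant is unconditional, so every tor install receives it. If it answers one reported setup, a comment naming that case (for example `# relay port configured inside the hplip port range`, if that is the reason) or a tunable around the line would keep the default policy narrower. The surrounding corenet block starts and ends outside this hunk.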
@@ -94792,7 +94828,7 @@ index c30da4c..9bad8b9 100644
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..73549fd 100644
+index 9dec06c..43128c6 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -95807,7 +95843,7 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,94 +658,189 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +658,189 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -95998,93 +96034,110 @@ index 9dec06c..73549fd 100644
  ## <summary>
 -##	Append virt log files.
 +##	Do not audit attempts to write virt daemon unnamed pipes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`virt_dontaudit_write_pipes',`
++	gen_require(`
++		type virtd_t;
++	')
++
++	dontaudit $1 virtd_t:fd use;
++	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
++')
++
++########################################
++## <summary>
++##	Send a sigkill to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -935,19 +848,17 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_append_log',`
-+interface(`virt_dontaudit_write_pipes',`
++interface(`virt_kill_svirt',`
  	gen_require(`
 -		type virt_log_t;
-+		type virtd_t;
++		attribute virt_domain;
  	')
  
 -	logging_search_logs($1)
 -	append_files_pattern($1, virt_log_t, virt_log_t)
-+	dontaudit $1 virtd_t:fd use;
-+	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
++	allow $1 virt_domain:process sigkill;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt log files.
-+##	Send a sigkill to virtual machines
++##	Send a sigkill to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +848,17 @@ interface(`virt_append_log',`
+@@ -955,20 +866,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_log',`
-+interface(`virt_kill_svirt',`
++interface(`virt_kill',`
  	gen_require(`
 -		type virt_log_t;
-+		attribute virt_domain;
++		type virtd_t;
  	')
  
 -	logging_search_logs($1)
 -	manage_dirs_pattern($1, virt_log_t, virt_log_t)
 -	manage_files_pattern($1, virt_log_t, virt_log_t)
 -	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
-+	allow $1 virt_domain:process sigkill;
++	allow $1 virtd_t:process sigkill;
  ')
  
  ########################################
  ## <summary>
 -##	Search virt image directories.
-+##	Send a sigkill to virtd daemon.
++##	Send a signal to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +866,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +884,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_search_images',`
-+interface(`virt_kill',`
++interface(`virt_signal_svirt',`
  	gen_require(`
 -		attribute virt_image_type;
-+		type virtd_t;
++		attribute virt_domain;
  	')
  
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir search_dir_perms;
-+	allow $1 virtd_t:process sigkill;
++	allow $1 virt_domain:process signal;
  ')
  
  ########################################
  ## <summary>
 -##	Read virt image files.
-+##	Send a signal to virtual machines
++##	Manage virt home files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,73 +884,75 @@ interface(`virt_search_images',`
+@@ -995,36 +902,57 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_read_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_manage_home_files',`
  	gen_require(`
 -		type virt_var_lib_t;
 -		attribute virt_image_type;
-+		attribute virt_domain;
++		type virt_home_t;
  	')
  
 -	virt_search_lib($1)
@@ -96093,7 +96146,8 @@ index 9dec06c..73549fd 100644
 -	read_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+	allow $1 virt_domain:process signal;
++	userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, virt_home_t, virt_home_t)
 +')
  
 -	tunable_policy(`virt_use_nfs',`
@@ -96102,105 +96156,70 @@ index 9dec06c..73549fd 100644
 -		fs_read_nfs_symlinks($1)
 +########################################
 +## <summary>
-+##	Manage virt home files.
++##	allow domain to read
++##	virt tmpfs files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain allowed access
 +##	</summary>
 +## </param>
 +#
-+interface(`virt_manage_home_files',`
++interface(`virt_read_tmpfs_files',`
 +	gen_require(`
-+		type virt_home_t;
++		attribute virt_tmpfs_type;
  	')
  
 -	tunable_policy(`virt_use_samba',`
 -		fs_list_cifs($1)
 -		fs_read_cifs_files($1)
 -		fs_read_cifs_symlinks($1)
--	')
-+	userdom_search_user_home_dirs($1)
-+	manage_files_pattern($1, virt_home_t, virt_home_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read and write all virt image
--##	character files.
-+##	allow domain to read
-+##	virt tmpfs files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain allowed access
- ##	</summary>
- ## </param>
- #
--interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_read_tmpfs_files',`
- 	gen_require(`
--		attribute virt_image_type;
-+		attribute virt_tmpfs_type;
- 	')
- 
--	virt_search_lib($1)
--	allow $1 virt_image_type:dir list_dir_perms;
--	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
 +	allow $1 virt_tmpfs_type:file read_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	svirt cache files.
++')
++
++########################################
++## <summary>
 +##	allow domain to manage
 +##	virt tmpfs files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access
- ##	</summary>
- ## </param>
- #
--interface(`virt_manage_svirt_cache',`
--	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
--	virt_manage_virt_cache($1)
++##	</summary>
++## </param>
++#
 +interface(`virt_manage_tmpfs_files',`
 +	gen_require(`
 +		attribute virt_tmpfs_type;
-+	')
+ 	')
 +
 +	allow $1 virt_tmpfs_type:file manage_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete
--##	virt cache content.
+-##	Read and write all virt image
+-##	character files.
 +##	Create .virt directory in the user home directory
 +##	with an correct label.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +960,28 @@ interface(`virt_manage_svirt_cache',`
+@@ -1032,20 +960,28 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_virt_cache',`
+-interface(`virt_rw_all_image_chr_files',`
 +interface(`virt_filetrans_home_content',`
  	gen_require(`
--		type virt_cache_t;
+-		attribute virt_image_type;
 +		type virt_home_t;
 +		type svirt_home_t;
  	')
  
--	files_search_var($1)
--	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
--	manage_files_pattern($1, virt_cache_t, virt_cache_t)
--	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+-	virt_search_lib($1)
+-	allow $1 virt_image_type:dir list_dir_perms;
+-	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
 +	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
@@ -96217,42 +96236,36 @@ index 9dec06c..73549fd 100644
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
--##	virt image files.
+-##	svirt cache files.
 +##	Dontaudit attempts to Read virt_image_type devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +989,148 @@ interface(`virt_manage_virt_cache',`
+@@ -1053,37 +989,129 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_images',`
+-interface(`virt_manage_svirt_cache',`
+-	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
+-	virt_manage_virt_cache($1)
 +interface(`virt_dontaudit_read_chr_dev',`
- 	gen_require(`
--		type virt_var_lib_t;
- 		attribute virt_image_type;
- 	')
- 
--	virt_search_lib($1)
--	allow $1 virt_image_type:dir list_dir_perms;
--	manage_dirs_pattern($1, virt_image_type, virt_image_type)
--	manage_files_pattern($1, virt_image_type, virt_image_type)
--	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
--	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
++	gen_require(`
++		attribute virt_image_type;
++	')
++
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
-+')
+ ')
  
--	tunable_policy(`virt_use_nfs',`
--		fs_manage_nfs_dirs($1)
--		fs_manage_nfs_files($1)
--		fs_read_nfs_symlinks($1)
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt cache content.
 +##	Creates types and rules for a basic
 +##	virt_lxc process domain.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <param name="prefix">
-+##	<summary>
+ ##	<summary>
 +##	Prefix for the domain.
 +##	</summary>
 +## </param>
@@ -96260,12 +96273,8 @@ index 9dec06c..73549fd 100644
 +template(`virt_sandbox_domain_template',`
 +	gen_require(`
 +		attribute svirt_sandbox_domain;
- 	')
- 
--	tunable_policy(`virt_use_samba',`
--		fs_manage_cifs_files($1)
--		fs_manage_cifs_files($1)
--		fs_read_cifs_symlinks($1)
++	')
++
 +	type $1_t, svirt_sandbox_domain;
 +	domain_type($1_t)
 +	domain_user_exemption_target($1_t)
@@ -96300,7 +96309,7 @@ index 9dec06c..73549fd 100644
 +## </summary>
 +## <param name="domain">
 +## <summary>
-+##	Domain allowed access.
+ ##	Domain allowed access.
 +## </summary>
 +## </param>
 +#
@@ -96319,22 +96328,30 @@ index 9dec06c..73549fd 100644
 +## <param name="domain">
 +##	<summary>
 +##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_virt_cache',`
 +interface(`virt_filetrans_named_content',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_cache_t;
 +		type virt_lxc_var_run_t;
 +		type virt_var_run_t;
-+	')
-+
+ 	')
+ 
+-	files_search_var($1)
+-	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_files_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt image files.
 +##	Execute qemu in the svirt domain, and
 +##	allow the specified role the svirt domain.
 +## </summary>
@@ -96365,6 +96382,37 @@ index 9dec06c..73549fd 100644
 +########################################
 +## <summary>
 +##	Read and write to svirt_image devices.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1091,36 +1119,54 @@ interface(`virt_manage_virt_cache',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_images',`
++interface(`virt_rw_svirt_dev',`
+ 	gen_require(`
+-		type virt_var_lib_t;
+-		attribute virt_image_type;
++		type svirt_image_t;
+ 	')
+ 
+-	virt_search_lib($1)
+-	allow $1 virt_image_type:dir list_dir_perms;
+-	manage_dirs_pattern($1, virt_image_type, virt_image_type)
+-	manage_files_pattern($1, virt_image_type, virt_image_type)
+-	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+-	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
++	allow $1 svirt_image_t:chr_file rw_file_perms;
++')
+ 
+-	tunable_policy(`virt_use_nfs',`
+-		fs_manage_nfs_dirs($1)
+-		fs_manage_nfs_files($1)
+-		fs_read_nfs_symlinks($1)
++########################################
++## <summary>
++##	Read and write to svirt_image devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
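Review bot: The second header block added in this hunk, after `virt_rw_svirt_dev` closes, repeats the summary `Read and write to svirt_image devices.`, but the interface it documents is `virt_rlimitinh`, whose only rule is `allow $1 virtd_t:process { rlimitinh };`. That interface's body is in the next hunk, where `virt_noatsecure` carries the same copied summary. Both summaries should describe the permission granted, for example `##	Allow rlimitinh on the virtd process domain.` and `##	Allow noatsecure on the virtd process domain.`. Generated interface documentation and anyone auditing callers by summary will otherwise read these as device-access interfaces.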
@@ -96372,12 +96420,34 @@ index 9dec06c..73549fd 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`virt_rw_svirt_dev',`
++interface(`virt_rlimitinh',`
 +	gen_require(`
-+		type svirt_image_t;
++		type virtd_t;
+ 	')
+ 
+-	tunable_policy(`virt_use_samba',`
+-		fs_manage_cifs_files($1)
+-		fs_manage_cifs_files($1)
+-		fs_read_cifs_symlinks($1)
++    allow $1 virtd_t:process { rlimitinh };
++')
++
++########################################
++## <summary>
++##	Read and write to svirt_image devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_noatsecure',`
++	gen_require(`
++		type virtd_t;
  	')
 +
-+	allow $1 svirt_image_t:chr_file rw_file_perms;
++    allow $1 virtd_t:process { noatsecure rlimitinh };
  ')
  
  ########################################
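Review bot: `virt_noatsecure` grants more than its name says: the added rule is `allow $1 virtd_t:process { noatsecure rlimitinh };`, so every caller also receives `rlimitinh`, which `virt_rlimitinh` just above already grants on its own. `noatsecure` suppresses the secure-mode environment clean-up on the transition into `virtd_t`, so it is worth keeping narrowly scoped and auditable by interface name. I would reduce the rule to `allow $1 virtd_t:process noatsecure;` and have callers that need both call `virt_rlimitinh` as well. The callers are outside this hunk, so confirm none relies on the combined grant. Both new `allow` lines are also indented with four spaces where the surrounding interfaces use a tab.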
@@ -96389,7 +96459,7 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1146,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1182,36 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -101424,7 +101494,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..2fcd510 100644
+index 46e4cd3..4b38bfa 100644
 --- a/zabbix.te
 +++ b/zabbix.te
 @@ -6,21 +6,23 @@ policy_module(zabbix, 1.5.3)
@@ -101615,7 +101685,7 @@ index 46e4cd3..2fcd510 100644
  
  fs_getattr_all_fs(zabbix_agent_t)
  
-@@ -190,8 +181,11 @@ init_read_utmp(zabbix_agent_t)
+@@ -190,8 +181,14 @@ init_read_utmp(zabbix_agent_t)
  
  logging_search_logs(zabbix_agent_t)
  
@@ -101626,9 +101696,12 @@ index 46e4cd3..2fcd510 100644
  zabbix_tcp_connect(zabbix_agent_t)
 +
 +optional_policy(`
-+	hostname_exec(zabbix_agent_t)
++	dmidecode_domtrans(zabbix_agent_t)
 +')
 +
++optional_policy(`
++	hostname_exec(zabbix_agent_t)
++')
 diff --git a/zarafa.fc b/zarafa.fc
 index faf99ed..44e94fa 100644
 --- a/zarafa.fc
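Review bot: The added `dmidecode_domtrans(zabbix_agent_t)` block carries no comment saying which agent function needs dmidecode, and apart from `optional_policy` the transition is unconditional. What the agent can reach by entering the dmidecode domain is defined outside this hunk, so it should be checked against that module, given that the agent also talks to the network (`zabbix_tcp_connect` is in the context lines). A line such as `# agent checks that call dmidecode run in the dmidecode domain, not in zabbix_agent_t` above the call would record the intent for later audits.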
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d49e679..336cf4b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 109%{?dist}
+Release: 110%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -251,7 +251,8 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER}  %{buildroot}%{_sysconfdir}/se
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u 
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ 
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/sysadm_u 
 
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
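Review bot: The continuation added to the `staff_u` line reads `staff_u \ ` on this page, with a space after the backslash, so the backslash may not be the last character on the line. If that space is in the file, the macro body would end at `staff_u` and the new `%config(noreplace)` entry for `sysadm_u` would fall outside the file-list macro, so the newly shipped default-contexts file would not be listed as intended. The line should end `.../contexts/users/staff_u \` with nothing after the backslash. The macro's opening `%define` line is outside this hunk, and the trailing space may be a mail-archive rendering artefact, so check the file itself.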
@@ -573,7 +574,28 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
-* Wed Dec 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-109
+* Thu Dec 12 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-110
+- Allow freeipmi_ipmidetectd_t to use freeipmi port
+- Update freeipmi_domain_template()
+- Allow journalctl running as ABRT to read /run/log/journal
+- Allow NM to read dispatcher.d directory
+- Update freeipmi policy
+- Type transitions with a filename not allowed inside conditionals
+- Allow tor to bind to hplip port
+- Make new type to texlive files in homedir
+- Allow zabbix_agent to transition to dmidecode
+- Add rules for docker
+- Allow sosreport to send signull to unconfined_t
+- Add virt_noatsecure and virt_rlimitinh interfaces
+- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port
+- Add sysadm_u_default_contexts
+- Add logging_read_syslog_pid()
+- Fix userdom_manage_home_texlive() interface
+- Make new type to texlive files in homedir
+- Add filename transitions for /run and /lock links
+- Allow virtd to inherit rlimit information
+
+* Tue Dec 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-109
 - Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t
 - Add labeling for /usr/lib/systemd/system/mariadb.service
 - Allow hyperv_domain to read sysfs

