[selinux-policy] - Allow freeipmi_ipmidetectd_t to use freeipmi port - Update freeipmi_domain_template() - Allow jour

Miroslav Grepl mgrepl at fedoraproject.org
Thu Dec 12 16:24:00 UTC 2013


commit 2397102af826b308cfd7c9938f03d6c3939ec9df
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Dec 12 17:23:54 2013 +0100

    - Allow freeipmi_ipmidetectd_t to use freeipmi port
    - Update freeipmi_domain_template()
    - Allow journalctl running as ABRT to read /run/log/journal
    - Allow NM to read dispatcher.d directory
    - Update freeipmi policy
    - Type transitions with a filename not allowed inside conditionals
    - Allow tor to bind to hplip port
    - Make new type to texlive files in homedir
    - Allow zabbix_agent to transition to dmidecode
    - Add rules for docker
    - Allow sosreport to send signull to unconfined_t
    - Add virt_noatsecure and virt_rlimitinh interfaces
    - Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipm
    - Add sysadm_u_default_contexts
    - Add logging_read_syslog_pid()
    - Fix userdom_manage_home_texlive() interface
    - Make new type to texlive files in homedir
    - Add filename transitions for /run and /lock links
    - Allow virtd to inherit rlimit information

 config.tgz                    |  Bin 3332 -> 3467 bytes
 modules-targeted-contrib.conf |    7 +
 policy-rawhide-base.patch     | 1248 +++++++++++++++++++++++++++++------------
 policy-rawhide-contrib.patch  |  760 +++++++++++++++++--------
 selinux-policy.spec           |   26 +-
 5 files changed, 1449 insertions(+), 592 deletions(-)
---
diff --git a/config.tgz b/config.tgz
index 4f55b2e..89c20a6 100644
Binary files a/config.tgz and b/config.tgz differ
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index d6a30a1..493d4a2 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2436,3 +2436,10 @@ minissdpd = module
 # based on IntelligentPlatform Management Interface specification
 #
 freeipmi = module
+
+# Layer: contrib
+# Module: freeipmi
+# 
+# ipa policy module contain SELinux policies for IPA services
+#
+ipa = module
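Review bot: The header block added above the new `ipa = module` entry still reads `# Module: freeipmi`, which looks like a leftover from copying the freeipmi stanza; it should be `# Module: ipa` so the stanza does not read as a second freeipmi block. The description line would also read better as `# ipa policy module contains SELinux policies for IPA services`. In this file the comment header is the only thing that identifies a stanza, so the wrong module name is misleading rather than cosmetic.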
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0dea9cd..85fde71 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -71,6 +71,24 @@ index 881a292..80110a4 100644
  system_r:xdm_t:s0		staff_r:staff_t:s0
  staff_r:staff_su_t:s0		staff_r:staff_t:s0
  staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
+diff --git a/config/appconfig-mcs/sysadm_u_default_contexts b/config/appconfig-mcs/sysadm_u_default_contexts
+new file mode 100644
+index 0000000..b8fda95
+--- /dev/null
++++ b/config/appconfig-mcs/sysadm_u_default_contexts
+@@ -0,0 +1,12 @@
++system_r:local_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:remote_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:sshd_t:s0		sysadm_r:sysadm_t:s0
++system_r:crond_t:s0		sysadm_r:sysadm_t:s0
++system_r:xdm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
++system_r:initrc_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
++sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
++
 diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts
 new file mode 100644
 index 0000000..ff32acc
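Review bot: The new sysadm_u_default_contexts file lists the `sysadm_r:sysadm_su_t:s0` and `sysadm_r:sysadm_sudo_t:s0` source contexts twice, once near the top and again as the last two entries, and the repeated su line carries a trailing space; dropping the two trailing duplicates leaves one mapping per source context. The `sysadm_r:sysadm_t:s0	sysadm_r:sysadm_t:s0` identity line is harmless but adds nothing either. The appconfig-standard copy added in the next hunk has exactly the same duplicated lines, and both new files also end with an extra empty line.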
@@ -144,6 +162,24 @@ index c2a5ea8..f63999e 100644
  system_r:xdm_t			staff_r:staff_t
  staff_r:staff_su_t		staff_r:staff_t
  staff_r:staff_sudo_t		staff_r:staff_t
+diff --git a/config/appconfig-standard/sysadm_u_default_contexts b/config/appconfig-standard/sysadm_u_default_contexts
+new file mode 100644
+index 0000000..b8fda95
+--- /dev/null
++++ b/config/appconfig-standard/sysadm_u_default_contexts
+@@ -0,0 +1,12 @@
++system_r:local_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:remote_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:sshd_t:s0		sysadm_r:sysadm_t:s0
++system_r:crond_t:s0		sysadm_r:sysadm_t:s0
++system_r:xdm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
++system_r:initrc_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
++sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
++
 diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts
 new file mode 100644
 index 0000000..ff32acc
@@ -5363,7 +5399,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..a5e72c3 100644
+index b191055..4dec289 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5474,7 +5510,7 @@ index b191055..a5e72c3 100644
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -119,20 +143,27 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+@@ -119,20 +143,28 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -5491,6 +5527,7 @@ index b191055..a5e72c3 100644
 -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
 +network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0)
 +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
++network_port(freeipmi, tcp,9225,s0, udp,9225,s0)
 +network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
@@ -5504,7 +5541,7 @@ index b191055..a5e72c3 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +171,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +172,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5571,7 +5608,7 @@ index b191055..a5e72c3 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +224,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +225,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5610,7 +5647,7 @@ index b191055..a5e72c3 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -215,39 +261,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,39 +262,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5663,7 +5700,7 @@ index b191055..a5e72c3 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -259,8 +311,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -259,8 +312,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5674,7 +5711,7 @@ index b191055..a5e72c3 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
-@@ -271,10 +324,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -271,10 +325,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5687,7 +5724,7 @@ index b191055..a5e72c3 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +341,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +342,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5714,7 +5751,7 @@ index b191055..a5e72c3 100644
  
  ########################################
  #
-@@ -333,6 +390,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +391,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5723,7 +5760,7 @@ index b191055..a5e72c3 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -345,9 +404,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +405,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -5779,7 +5816,7 @@ index 3f6e168..51ad69a 100644
  ')
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..e4d61f5 100644
+index b31c054..53df7ae 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -15,15 +15,18 @@
@@ -5846,7 +5883,16 @@ index b31c054..e4d61f5 100644
  /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
-@@ -198,12 +208,22 @@ ifdef(`distro_debian',`
+@@ -172,6 +182,8 @@ ifdef(`distro_suse', `
+ /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ 
++/dev/uhid           -c  gen_context(system_u:object_r:uhid_device_t,s0)
++
+ /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+@@ -198,12 +210,22 @@ ifdef(`distro_debian',`
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -5872,7 +5918,7 @@ index b31c054..e4d61f5 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..2b2f4b0 100644
+index 76f285e..9f56be1 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7400,7 +7446,7 @@ index 76f285e..2b2f4b0 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4851,3 +5641,943 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5641,945 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -7551,6 +7597,7 @@ index 76f285e..2b2f4b0 100644
 +gen_require(`
 +	type device_t;
 +	type usb_device_t;
++    type uhid_device_t;
 +	type sound_device_t;
 +	type apm_bios_t;
 +	type mouse_device_t;
@@ -8277,6 +8324,7 @@ index 76f285e..2b2f4b0 100644
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
++	filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")
 +	dev_filetrans_xserver_named_dev($1)
 +')
 +
@@ -8345,7 +8393,7 @@ index 76f285e..2b2f4b0 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a871..e6b93c4 100644
+index 0b1a871..a3a5f7f 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
 @@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -8411,17 +8459,23 @@ index 0b1a871..e6b93c4 100644
  #
  # Type for /dev/tpm
  #
-@@ -266,6 +275,9 @@ dev_node(usbmon_device_t)
+@@ -266,6 +275,15 @@ dev_node(usbmon_device_t)
  type userio_device_t;
  dev_node(userio_device_t)
  
++#
++# uhid_device_t is the type for /dev/uhid
++#
++type uhid_device_t;
++dev_node(uhid_device_t)
++
 +type vfio_device_t;
 +dev_node(vfio_device_t)
 +
  type v4l_device_t;
  dev_node(v4l_device_t)
  
-@@ -274,6 +286,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +292,7 @@ dev_node(v4l_device_t)
  #
  type vhost_device_t;
  dev_node(vhost_device_t)
@@ -8429,7 +8483,7 @@ index 0b1a871..e6b93c4 100644
  
  # Type for vmware devices.
  type vmware_device_t;
-@@ -319,5 +332,5 @@ files_associate_tmp(device_node)
+@@ -319,5 +338,5 @@ files_associate_tmp(device_node)
  #
  
  allow devices_unconfined_type self:capability sys_rawio;
@@ -9347,7 +9401,7 @@ index b876c48..bd5b58c 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..7d12144 100644
+index f962f76..70fb827 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -11142,7 +11196,33 @@ index f962f76..7d12144 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5596,6 +6637,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5527,6 +6568,25 @@ interface(`files_rw_var_lib_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Create directories in /var/lib
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_create_var_lib_dirs',`
++	gen_require(`
++		type var_lib_t;
++	')
++
++	allow $1 var_lib_t:dir { create rw_dir_perms };
++')
++
++
++########################################
++## <summary>
+ ##	Create objects in the /var/lib directory
+ ## </summary>
+ ## <param name="domain">
+@@ -5596,6 +6656,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -11168,7 +11248,7 @@ index f962f76..7d12144 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5641,7 +6701,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6720,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -11177,7 +11257,7 @@ index f962f76..7d12144 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5649,12 +6709,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6728,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -11193,7 +11273,7 @@ index f962f76..7d12144 100644
  ')
  
  ########################################
-@@ -5672,6 +6733,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6752,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11201,7 +11281,7 @@ index f962f76..7d12144 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5698,7 +6760,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6779,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -11229,7 +11309,7 @@ index f962f76..7d12144 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5706,13 +6787,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6806,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11246,7 +11326,7 @@ index f962f76..7d12144 100644
  ')
  
  ########################################
-@@ -5731,7 +6811,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6830,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -11255,7 +11335,7 @@ index f962f76..7d12144 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5764,7 +6844,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6863,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -11263,7 +11343,7 @@ index f962f76..7d12144 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5779,7 +6858,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6877,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -11272,7 +11352,7 @@ index f962f76..7d12144 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5787,13 +6866,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6885,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11307,7 +11387,7 @@ index f962f76..7d12144 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5809,13 +6908,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +6927,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -11325,7 +11405,7 @@ index f962f76..7d12144 100644
  ')
  
  ########################################
-@@ -5834,9 +6932,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +6951,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11336,7 +11416,7 @@ index f962f76..7d12144 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5878,8 +6974,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +6993,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11346,7 +11426,7 @@ index f962f76..7d12144 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +6996,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7015,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11356,7 +11436,7 @@ index f962f76..7d12144 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7033,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7052,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -11366,7 +11446,7 @@ index f962f76..7d12144 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5979,7 +7072,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7091,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -11375,7 +11455,7 @@ index f962f76..7d12144 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5999,10 +7092,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7111,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11424,42 +11504,64 @@ index f962f76..7d12144 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6025,6 +7156,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,28 +7175,47 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
 +##	Do not audit attempts to search
 +##	the all /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
++interface(`files_dontaudit_search_all_pids',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		attribute pidfile;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
++	dontaudit $1 pidfile:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic process ID files.
+-## </summary>
++##	List the contents of the runtime process
++##	ID directories (/var/run).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_search_all_pids',`
++interface(`files_list_pids',`
 +	gen_require(`
-+		attribute pidfile;
++		type var_t, var_run_t;
 +	')
 +
-+	dontaudit $1 pidfile:dir search_dir_perms;
++	files_search_pids($1)
++	list_dirs_pattern($1, var_t, var_run_t)
 +')
 +
 +########################################
 +## <summary>
- ##	List the contents of the runtime process
- ##	ID directories (/var/run).
- ## </summary>
-@@ -6039,7 +7189,7 @@ interface(`files_list_pids',`
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- ')
- 
-@@ -6058,7 +7208,7 @@ interface(`files_read_generic_pids',`
++##	Read generic process ID files.
++## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+@@ -6058,7 +7227,7 @@ interface(`files_read_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11468,7 +11570,7 @@ index f962f76..7d12144 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6078,7 +7228,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7247,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
@@ -11477,7 +11579,7 @@ index f962f76..7d12144 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6140,7 +7290,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7309,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -11485,36 +11587,11 @@ index f962f76..7d12144 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6169,7 +7318,7 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7337,24 @@ interface(`files_pid_filetrans_lock_dir',`
  
  ########################################
  ## <summary>
--##	Read and write generic process ID files.
 +##	rw generic pid files inherited from another process
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6177,19 +7326,37 @@ interface(`files_pid_filetrans_lock_dir',`
- ##	</summary>
- ## </param>
- #
--interface(`files_rw_generic_pids',`
-+interface(`files_rw_inherited_generic_pid_files',`
- 	gen_require(`
--		type var_t, var_run_t;
-+		type var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_run_t)
--	rw_files_pattern($1, var_run_t, var_run_t)
-+	allow $1 var_run_t:file rw_inherited_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to get the attributes of
-+##	Read and write generic process ID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -11522,252 +11599,359 @@ index f962f76..7d12144 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_rw_generic_pids',`
++interface(`files_rw_inherited_generic_pid_files',`
 +	gen_require(`
-+		type var_t, var_run_t;
++		type var_run_t;
 +	')
 +
-+	files_search_pids($1)
-+	list_dirs_pattern($1, var_t, var_run_t)
-+	rw_files_pattern($1, var_run_t, var_run_t)
++	allow $1 var_run_t:file rw_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to get the attributes of
- ##	daemon runtime data files.
+ ##	Read and write generic process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6249,6 +7416,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6182,7 +7368,7 @@ interface(`files_rw_generic_pids',`
+ 		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	files_search_pids($1)
+ 	list_dirs_pattern($1, var_t, var_run_t)
+ 	rw_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6249,55 +7435,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
+-##	Read all process ID files.
 +##	Relable all pid directories
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_read_all_pids',`
 +interface(`files_relabel_all_pid_dirs',`
-+	gen_require(`
-+		attribute pidfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute pidfile;
+-		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, pidfile)
+-	read_files_pattern($1, pidfile, pidfile)
 +	relabel_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process IDs.
 +##	Delete all pid sockets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
 +interface(`files_delete_all_pid_sockets',`
-+	gen_require(`
-+		attribute pidfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute pidfile;
+-		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir rmdir;
+-	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+-	delete_files_pattern($1, pidfile, pidfile)
+-	delete_fifo_files_pattern($1, pidfile, pidfile)
+-	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
 +	allow $1 pidfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process ID directories.
 +##	Create all pid sockets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6305,42 +7479,35 @@ interface(`files_delete_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
 +interface(`files_create_all_pid_sockets',`
-+	gen_require(`
-+		attribute pidfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute pidfile;
+-		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	delete_dirs_pattern($1, pidfile, pidfile)
 +	allow $1 pidfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write and delete all
+-##	var_run (pid) content
 +##	Create all pid named pipes
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain alloed access.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
 +interface(`files_create_all_pid_pipes',`
-+	gen_require(`
-+		attribute pidfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute pidfile;
+ 	')
+ 
+-	manage_dirs_pattern($1, pidfile, pidfile)
+-	manage_files_pattern($1, pidfile, pidfile)
+-	manage_lnk_files_pattern($1, pidfile, pidfile)
 +	allow $1 pidfile:fifo_file create_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount filesystems on all polyinstantiation
+-##	member directories.
 +##	Delete all pid named pipes
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6348,18 +7515,18 @@ interface(`files_manage_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
 +interface(`files_delete_all_pid_pipes',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polymember;
 +		attribute pidfile;
-+	')
-+
+ 	')
+ 
+-	allow $1 polymember:dir mounton;
 +	allow $1 pidfile:fifo_file delete_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of generic spool
+-##	directories (/var/spool).
 +##	manage all pidfile directories
 +##	in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6367,37 +7534,40 @@ interface(`files_mounton_all_poly_members',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
 +interface(`files_manage_all_pid_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute pidfile;
-+	')
-+
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_spool_t)
 +	manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
+ ')
+ 
 +
-+########################################
-+## <summary>
- ##	Read all process ID files.
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search generic
+-##	spool directories.
++##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6261,12 +7538,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
- interface(`files_read_all_pids',`
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_dontaudit_search_spool',`
++interface(`files_read_all_pids',`
  	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
+-		type var_spool_t;
++		attribute pidfile;
 +		type var_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	list_dirs_pattern($1, var_t, pidfile)
- 	read_files_pattern($1, pidfile, pidfile)
+-	dontaudit $1 var_spool_t:dir search_dir_perms;
++	list_dirs_pattern($1, var_t, pidfile)
++	read_files_pattern($1, pidfile, pidfile)
 +	read_lnk_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of generic spool
+-##	(/var/spool) directories.
 +##	Relable all pid files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6405,18 +7575,17 @@ interface(`files_dontaudit_search_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
 +interface(`files_relabel_all_pid_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute pidfile;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
 +	relabel_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool directories (/var/spool).
 +##	Execute generic programs in /var/run in the caller domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6424,18 +7593,18 @@ interface(`files_list_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
 +interface(`files_exec_generic_pid_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		type var_run_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_dirs_pattern($1, var_spool_t, var_spool_t)
 +	exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic spool files.
 +##	manage all pidfiles 
 +##	in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6443,19 +7612,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
 +interface(`files_manage_all_pids',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
++		attribute pidfile;
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
+-	read_files_pattern($1, var_spool_t, var_spool_t)
++	manage_files_pattern($1,pidfile,pidfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool files.
++##	Mount filesystems on all polyinstantiation
++##	member directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6463,55 +7631,130 @@ interface(`files_read_generic_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool',`
++interface(`files_mounton_all_poly_members',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
++		attribute polymember;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_spool_t, var_spool_t)
++	allow $1 polymember:dir mounton;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the spool directory
+-##	with a private type with a type transition.
++##	Delete all process IDs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file">
++## <rolecap/>
++#
++interface(`files_delete_all_pids',`
 +	gen_require(`
 +		attribute pidfile;
++		type var_t, var_run_t;
 +	')
 +
-+	manage_files_pattern($1,pidfile,pidfile)
++	files_search_pids($1)
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_run_t:dir rmdir;
++	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++	delete_files_pattern($1, pidfile, pidfile)
++	delete_fifo_files_pattern($1, pidfile, pidfile)
++	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
 +')
 +
 +########################################
 +## <summary>
-+##	Mount filesystems on all polyinstantiation
-+##	member directories.
++##	Delete all process ID directories.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Type to which the created node will be transitioned.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="class">
 +#
-+interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_pid_dirs',`
 +	gen_require(`
-+		attribute polymember;
++		attribute pidfile;
++		type var_t, var_run_t;
 +	')
 +
-+	allow $1 polymember:dir mounton;
- ')
- 
- ########################################
-@@ -6286,8 +7637,8 @@ interface(`files_delete_all_pids',`
- 		type var_t, var_run_t;
- 	')
- 
 +	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	allow $1 var_run_t:dir rmdir;
- 	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
- 	delete_files_pattern($1, pidfile, pidfile)
-@@ -6311,36 +7662,80 @@ interface(`files_delete_all_pid_dirs',`
- 		type var_t, var_run_t;
- 	')
- 
-+	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	delete_dirs_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write and delete all
--##	var_run (pid) content
++	allow $1 var_t:dir search_dir_perms;
++	delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
 +##	Make the specified type a file
 +##	used for spool files.
 +## </summary>
@@ -11798,11 +11982,14 @@ index f962f76..7d12144 100644
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Object class(es) (single or set including {}) for which this
+-##	the transition will occur.
 +##	Type of the file to be used as a
 +##	spool file.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +## <infoflow type="none"/>
 +#
 +interface(`files_spool_file',`
@@ -11817,76 +12004,334 @@ index f962f76..7d12144 100644
 +########################################
 +## <summary>
 +##	Create all spool sockets
- ## </summary>
- ## <param name="domain">
++## </summary>
++## <param name="domain">
  ##	<summary>
--##	Domain alloed access.
+-##	The name of the object being created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_all_pids',`
+-interface(`files_spool_filetrans',`
 +interface(`files_create_all_spool_sockets',`
  	gen_require(`
--		attribute pidfile;
+-		type var_t, var_spool_t;
 +		attribute spoolfile;
  	')
  
--	manage_dirs_pattern($1, pidfile, pidfile)
--	manage_files_pattern($1, pidfile, pidfile)
--	manage_lnk_files_pattern($1, pidfile, pidfile)
+-	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 +	allow $1 spoolfile:sock_file create_sock_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Mount filesystems on all polyinstantiation
--##	member directories.
+-##	Allow access to manage all polyinstantiated
+-##	directories on the system.
 +##	Delete all spool sockets
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6348,12 +7743,33 @@ interface(`files_manage_all_pids',`
+@@ -6519,64 +7762,749 @@ interface(`files_spool_filetrans',`
  ##	</summary>
  ## </param>
  #
--interface(`files_mounton_all_poly_members',`
+-interface(`files_polyinstantiate_all',`
 +interface(`files_delete_all_spool_sockets',`
  	gen_require(`
--		attribute polymember;
+-		attribute polydir, polymember, polyparent;
+-		type poly_t;
 +		attribute spoolfile;
  	')
  
--	allow $1 polymember:dir mounton;
+-	# Need to give access to /selinux/member
+-	selinux_compute_member($1)
+-
+-	# Need sys_admin capability for mounting
+-	allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+-	# Need to give access to the directories to be polyinstantiated
+-	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+-	# Need to give access to the polyinstantiated subdirectories
+-	allow $1 polymember:dir search_dir_perms;
+-
+-	# Need to give access to parent directories where original
+-	# is remounted for polyinstantiation aware programs (like gdm)
+-	allow $1 polyparent:dir { getattr mounton };
+-
+-	# Need to give permission to create directories where applicable
+-	allow $1 self:process setfscreate;
+-	allow $1 polymember: dir { create setattr relabelto };
+-	allow $1 polydir: dir { write add_name open };
+-	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+-	# Default type for mountpoints
+-	allow $1 poly_t:dir { create mounton };
+-	fs_unmount_xattr_fs($1)
+-
+-	fs_mount_tmpfs($1)
+-	fs_unmount_tmpfs($1)
+-
+-	ifdef(`distro_redhat',`
+-		# namespace.init
+-		files_search_tmp($1)
+-		files_search_home($1)
+-		corecmd_exec_bin($1)
+-		seutil_domtrans_setfiles($1)
+-	')
 +	allow $1 spoolfile:sock_file delete_sock_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unconfined access to files.
++##	Relabel to and from all spool
++##	directory types.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_unconfined',`
++interface(`files_relabel_all_spool_dirs',`
+ 	gen_require(`
+-		attribute files_unconfined_type;
++		attribute spoolfile;
++		type var_t;
+ 	')
+ 
+-	typeattribute $1 files_unconfined_type;
++	relabel_dirs_pattern($1, spoolfile, spoolfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel to and from all spool
-+##	directory types.
++##	Search the contents of generic spool
++##	directories (/var/spool).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_relabel_all_spool_dirs',`
++interface(`files_search_spool',`
 +	gen_require(`
-+		attribute spoolfile;
-+		type var_t;
++		type var_t, var_spool_t;
 +	')
 +
-+	relabel_dirs_pattern($1, spoolfile, spoolfile)
- ')
- 
- ########################################
-@@ -6580,3 +7996,492 @@ interface(`files_unconfined',`
- 
- 	typeattribute $1 files_unconfined_type;
- ')
++	search_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search generic
++##	spool directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_spool',`
++	gen_require(`
++		type var_spool_t;
++	')
++
++	dontaudit $1 var_spool_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	List the contents of generic spool
++##	(/var/spool) directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	list_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete generic
++##	spool directories (/var/spool).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_spool_dirs',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_dirs_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Read generic spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_generic_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	list_dirs_pattern($1, var_t, var_spool_t)
++	read_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete generic
++##	spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Create objects in the spool directory
++##	with a private type with a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="file">
++##	<summary>
++##	Type to which the created node will be transitioned.
++##	</summary>
++## </param>
++## <param name="class">
++##	<summary>
++##	Object class(es) (single or set including {}) for which this
++##	the transition will occur.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_spool_filetrans',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_spool_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++##	Allow access to manage all polyinstantiated
++##	directories on the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_polyinstantiate_all',`
++	gen_require(`
++		attribute polydir, polymember, polyparent;
++		type poly_t;
++	')
++
++	# Need to give access to /selinux/member
++	selinux_compute_member($1)
++
++	# Need sys_admin capability for mounting
++	allow $1 self:capability { chown fsetid sys_admin fowner };
++
++	# Need to give access to the directories to be polyinstantiated
++	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++	# Need to give access to the polyinstantiated subdirectories
++	allow $1 polymember:dir search_dir_perms;
++
++	# Need to give access to parent directories where original
++	# is remounted for polyinstantiation aware programs (like gdm)
++	allow $1 polyparent:dir { getattr mounton };
++
++	# Need to give permission to create directories where applicable
++	allow $1 self:process setfscreate;
++	allow $1 polymember: dir { create setattr relabelto };
++	allow $1 polydir: dir { write add_name open };
++	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++	# Default type for mountpoints
++	allow $1 poly_t:dir { create mounton };
++	fs_unmount_xattr_fs($1)
++
++	fs_mount_tmpfs($1)
++	fs_unmount_tmpfs($1)
++
++	ifdef(`distro_redhat',`
++		# namespace.init
++		files_search_tmp($1)
++		files_search_home($1)
++		corecmd_exec_bin($1)
++		seutil_domtrans_setfiles($1)
++	')
++')
++
++########################################
++## <summary>
++##	Unconfined access to files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_unconfined',`
++	gen_require(`
++		attribute files_unconfined_type;
++	')
++
++	typeattribute $1 files_unconfined_type;
++')
 +
 +########################################
 +## <summary>
@@ -12210,6 +12655,7 @@ index f962f76..7d12144 100644
 +		type tmp_t;
 +		type var_t;
 +		type var_run_t;
++        type var_lock_t;
 +		type tmp_t;
 +	')
 +
@@ -12224,6 +12670,8 @@ index f962f76..7d12144 100644
 +	files_root_filetrans($1, usr_t, dir, "emul")
 +	files_root_filetrans($1, var_t, dir, "srv")
 +	files_root_filetrans($1, var_run_t, dir, "run")
++	files_root_filetrans($1, var_run_t, lnk_file, "run")
++	files_root_filetrans($1, var_lock_t, lnk_file, "lock")
 +	files_root_filetrans($1, tmp_t, dir, "sandbox")
 +	files_root_filetrans($1, tmp_t, dir, "tmp")
 +	files_root_filetrans($1, var_t, dir, "nsr")
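Review bot: The two new lnk_file transitions label symlinks created directly in the root directory as var_run_t and var_lock_t, and the `"lock"` one reads oddly because a top-level `/lock` is not a standard path; if the intent is the `/var/lock` → `/run/lock` compatibility link, that object lives under var_t and would belong in a files_var_filetrans like the `"run"` entry added in the later hunk — worth confirming against the component that creates the link. A short comment above the pair, e.g. `# /run and /lock compatibility symlinks created at boot`, would record which creator this covers. Note the `var_lock_t` type these lines use is only brought into the gen_require by the previous hunk, so the two hunks must land together. The enclosing interface starts before this hunk.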
@@ -12247,6 +12695,7 @@ index f962f76..7d12144 100644
 +	files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root")
 +	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
 +	files_var_filetrans($1, tmp_t, dir, "tmp")
++    files_var_filetrans($1, var_run_t, dir, "run")
 +')
 +
 +########################################
@@ -12375,7 +12824,7 @@ index f962f76..7d12144 100644
 +	')
 +
 +	allow $1 etc_t:service status;
-+')
+ ')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 1a03abd..92d1a8f 100644
 --- a/policy/modules/kernel/files.te
@@ -14183,7 +14632,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..e7d9f85 100644
+index e100d88..2b0a5b3 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -14271,7 +14720,33 @@ index e100d88..e7d9f85 100644
  ')
  
  ########################################
-@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1025,6 +1058,25 @@ interface(`kernel_write_proc_files',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to check the 
++##	access on generic proc entries.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`kernel_dontaudit_access_check_proc',`
++	gen_require(`
++		type proc_t;
++	')
++
++	dontaudit $1 proc_t:dir_file_class_set audit_access;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts by caller to
+ ##	read system state information in proc.
+ ## </summary>
+@@ -1477,6 +1529,24 @@ interface(`kernel_dontaudit_list_all_proc',`
  
  ########################################
  ## <summary>
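Review bot: The summary line `##	Do not audit attempts to check the ` of the new kernel_dontaudit_access_check_proc interface carries a trailing space; drop it so the doc block matches the rest of the file. The interface body itself follows the file's conventions.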
@@ -14296,7 +14771,7 @@ index e100d88..e7d9f85 100644
  ##	Do not audit attempts by caller to search
  ##	the base directory of sysctls.
  ## </summary>
-@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2155,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -14305,7 +14780,7 @@ index e100d88..e7d9f85 100644
  ')
  
  ########################################
-@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2352,25 @@ interface(`kernel_list_unlabeled',`
  
  ########################################
  ## <summary>
@@ -14331,7 +14806,7 @@ index e100d88..e7d9f85 100644
  ##	Read the process state (/proc/pid) of all unlabeled_t.
  ## </summary>
  ## <param name="domain">
-@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2395,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14340,7 +14815,7 @@ index e100d88..e7d9f85 100644
  ##	</summary>
  ## </param>
  #
-@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2577,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
@@ -14365,7 +14840,7 @@ index e100d88..e7d9f85 100644
  ##	Do not audit attempts by caller to get attributes for
  ##	unlabeled character devices.
  ## </summary>
-@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2632,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
  
  ########################################
  ## <summary>
@@ -14390,7 +14865,7 @@ index e100d88..e7d9f85 100644
  ##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
-@@ -2667,6 +2773,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2792,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
@@ -14415,7 +14890,7 @@ index e100d88..e7d9f85 100644
  ##	Receive TCP packets from an unlabeled connection.
  ## </summary>
  ## <desc>
-@@ -2694,6 +2818,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2837,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
@@ -14441,7 +14916,7 @@ index e100d88..e7d9f85 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2803,6 +2946,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +2965,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -14475,7 +14950,7 @@ index e100d88..e7d9f85 100644
  
  ########################################
  ## <summary>
-@@ -2958,6 +3128,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3147,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -14500,7 +14975,7 @@ index e100d88..e7d9f85 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3160,300 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3179,300 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -25519,7 +25994,7 @@ index 3efd5b6..08c3e93 100644
 +	allow $1 login_pgm:process sigchld;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..88c3a2d 100644
+index 09b791d..7345117 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -25830,7 +26305,7 @@ index 09b791d..88c3a2d 100644
  ')
  
  optional_policy(`
-@@ -463,3 +507,133 @@ optional_policy(`
+@@ -463,3 +507,134 @@ optional_policy(`
  	samba_read_var_files(nsswitch_domain)
  	samba_dontaudit_write_var_files(nsswitch_domain)
  ')
@@ -25858,7 +26333,7 @@ index 09b791d..88c3a2d 100644
 +manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t)
 +manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
 +manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
-+files_var_filetrans(login_pgm, auth_cache_t, dir)
++files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey")
 +
 +manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
 +manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
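Review bot: Restricting the transition to a directory literally named `coolkey` means any other directory login_pgm creates under var_t now stays var_t rather than becoming auth_cache_t; that narrowing looks intended, but nothing in the hunk says why this single name is the one covered. A one-line comment above it, e.g. `# only the coolkey cache dir created by login programs under var_t is auth_cache_t`, would record that for the next reader. The enclosing block starts before this hunk.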
@@ -25906,6 +26381,7 @@ index 09b791d..88c3a2d 100644
 +logging_set_tty_audit(login_pgm)
 +
 +miscfiles_dontaudit_write_generic_cert_files(login_pgm)
++miscfiles_filetrans_named_content(login_pgm)
 +
 +seutil_read_config(login_pgm)
 +seutil_read_login_config(login_pgm)
@@ -27928,7 +28404,7 @@ index 79a45f6..edf52ea 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..641bae3 100644
+index 17eda24..3ac9985 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -28971,12 +29447,14 @@ index 17eda24..641bae3 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,12 +1327,33 @@ optional_policy(`
+@@ -857,12 +1327,35 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	virt_read_config(init_t)
 +	virt_stream_connect(init_t)
++    virt_noatsecure(init_t)
++    virt_rlimitinh(init_t)
 +')
 +
 +optional_policy(`
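Review bot: `virt_noatsecure(init_t)` removes AT_SECURE from init's transition into the virt domain, so the target process keeps the caller's environment instead of getting the secure-exec environment cleansing; that is a deliberate relaxation and the hunk gives no reason for it. A comment on the pair, e.g. `# virtd started by init must keep init's environment and inherit its rlimits`, would document the need, and `virt_rlimitinh` should be checked against the same justification. Both added lines also use spaces where the surrounding optional_policy body uses tabs.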
@@ -29006,7 +29484,7 @@ index 17eda24..641bae3 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -872,6 +1363,18 @@ optional_policy(`
+@@ -872,6 +1365,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29025,7 +29503,7 @@ index 17eda24..641bae3 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1390,10 @@ optional_policy(`
+@@ -887,6 +1392,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29036,7 +29514,7 @@ index 17eda24..641bae3 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1404,218 @@ optional_policy(`
+@@ -897,3 +1406,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -30692,7 +31170,7 @@ index 0e3c2a9..ea9bd57 100644
 +	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
 +')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa99..d4b6b3b 100644
+index 446fa99..050a2ac 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -30816,7 +31294,16 @@ index 446fa99..d4b6b3b 100644
  	unconfined_shell_domtrans(local_login_t)
  ')
  
-@@ -215,37 +211,57 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -202,7 +198,7 @@ optional_policy(`
+ # Sulogin local policy
+ #
+ 
+-allow sulogin_t self:capability dac_override;
++allow sulogin_t self:capability { dac_override sys_admin };
+ allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow sulogin_t self:fd use;
+ allow sulogin_t self:fifo_file rw_fifo_file_perms;
+@@ -215,18 +211,27 @@ allow sulogin_t self:sem create_sem_perms;
  allow sulogin_t self:msgq create_msgq_perms;
  allow sulogin_t self:msg { send receive };
  
@@ -30840,12 +31327,11 @@ index 446fa99..d4b6b3b 100644
  
  init_getpgid_script(sulogin_t)
 +init_getpgid(sulogin_t)
++init_getattr_initctl(sulogin_t)
  
  logging_send_syslog_msg(sulogin_t)
  
-+
- seutil_read_config(sulogin_t)
- seutil_read_default_contexts(sulogin_t)
+@@ -235,17 +240,28 @@ seutil_read_default_contexts(sulogin_t)
  
  userdom_use_unpriv_users_fds(sulogin_t)
  
@@ -30976,7 +31462,7 @@ index b50c5fe..2faaaf2 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..bb6086e 100644
+index 4e94884..ae63d78 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -31066,24 +31552,17 @@ index 4e94884..bb6086e 100644
  ########################################
  ## <summary>
  ##	Send system log messages.
-@@ -530,22 +592,85 @@ interface(`logging_log_filetrans',`
+@@ -530,22 +592,104 @@ interface(`logging_log_filetrans',`
  #
  interface(`logging_send_syslog_msg',`
  	gen_require(`
 -		type syslogd_t, devlog_t;
 +		attribute syslog_client_type;
- 	')
- 
--	allow $1 devlog_t:lnk_file read_lnk_file_perms;
--	allow $1 devlog_t:sock_file write_sock_file_perms;
++	')
++
 +	typeattribute $1 syslog_client_type;
 +')
- 
--	# the type of socket depends on the syslog daemon
--	allow $1 syslogd_t:unix_dgram_socket sendto;
--	allow $1 syslogd_t:unix_stream_socket connectto;
--	allow $1 self:unix_dgram_socket create_socket_perms;
--	allow $1 self:unix_stream_socket create_socket_perms;
++
 +########################################
 +## <summary>
 +##	Connect to the syslog control unix stream socket.
@@ -31118,17 +31597,13 @@ index 4e94884..bb6086e 100644
 +	gen_require(`
 +		type devlog_t;
 +	')
- 
--	# If syslog is down, the glibc syslog() function
--	# will write to the console.
--	term_write_console($1)
--	term_dontaudit_read_console($1)
++
 +	allow $1 devlog_t:sock_file relabel_sock_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel the syslog pid sock_file.
++##	Allow domain to read the syslog pid files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -31136,16 +31611,42 @@ index 4e94884..bb6086e 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`logging_relabel_syslog_pid_socket',`
++interface(`logging_read_syslog_pid',`
 +	gen_require(`
 +		type syslogd_var_run_t;
 +	')
 +
-+	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
++    read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
++    list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +')
 +
 +########################################
 +## <summary>
++##	Relabel the syslog pid sock_file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_relabel_syslog_pid_socket',`
++	gen_require(`
++		type syslogd_var_run_t;
+ 	')
+ 
+-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
+-	allow $1 devlog_t:sock_file write_sock_file_perms;
++	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
++')
+ 
+-	# the type of socket depends on the syslog daemon
+-	allow $1 syslogd_t:unix_dgram_socket sendto;
+-	allow $1 syslogd_t:unix_stream_socket connectto;
+-	allow $1 self:unix_dgram_socket create_socket_perms;
+-	allow $1 self:unix_stream_socket create_socket_perms;
++########################################
++## <summary>
 +##	Connect to the syslog control unix stream socket.
 +## </summary>
 +## <param name="domain">
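Review bot: The new `logging_read_syslog_pid` interface grants read on syslogd_var_run_t files and listing of its directories but never gives the caller search on the parent pid directory, whereas `logging_stream_connect_syslog` in the following hunk calls `files_search_pids($1)` before its pattern; a domain that does not already hold var_run_t search will still be denied on the path to the pid file. Add `files_search_pids($1)` ahead of the two pattern calls, and replace the leading spaces on those two lines with a tab to match the file.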
@@ -31158,13 +31659,17 @@ index 4e94884..bb6086e 100644
 +	gen_require(`
 +		type syslogd_t, syslogd_var_run_t;
 +	')
-+
+ 
+-	# If syslog is down, the glibc syslog() function
+-	# will write to the console.
+-	term_write_console($1)
+-	term_dontaudit_read_console($1)
 +	files_search_pids($1)
 +	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
  ')
  
  ########################################
-@@ -722,6 +847,25 @@ interface(`logging_setattr_all_log_dirs',`
+@@ -722,6 +866,25 @@ interface(`logging_setattr_all_log_dirs',`
  	allow $1 logfile:dir setattr;
  ')
  
@@ -31190,7 +31695,7 @@ index 4e94884..bb6086e 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to get the attributes
-@@ -776,7 +920,25 @@ interface(`logging_append_all_logs',`
+@@ -776,7 +939,25 @@ interface(`logging_append_all_logs',`
  	')
  
  	files_search_var($1)
@@ -31217,7 +31722,7 @@ index 4e94884..bb6086e 100644
  ')
  
  ########################################
-@@ -859,7 +1021,7 @@ interface(`logging_manage_all_logs',`
+@@ -859,7 +1040,7 @@ interface(`logging_manage_all_logs',`
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
@@ -31226,7 +31731,7 @@ index 4e94884..bb6086e 100644
  ')
  
  ########################################
-@@ -885,6 +1047,44 @@ interface(`logging_read_generic_logs',`
+@@ -885,6 +1066,44 @@ interface(`logging_read_generic_logs',`
  
  ########################################
  ## <summary>
@@ -31271,7 +31776,7 @@ index 4e94884..bb6086e 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -905,6 +1105,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1124,24 @@ interface(`logging_write_generic_logs',`
  
  ########################################
  ## <summary>
@@ -31296,7 +31801,7 @@ index 4e94884..bb6086e 100644
  ##	Dontaudit Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -984,11 +1202,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1221,16 @@ interface(`logging_admin_audit',`
  		type auditd_t, auditd_etc_t, auditd_log_t;
  		type auditd_var_run_t;
  		type auditd_initrc_exec_t;
@@ -31314,7 +31819,7 @@ index 4e94884..bb6086e 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -1004,6 +1227,33 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1246,33 @@ interface(`logging_admin_audit',`
  	domain_system_change_exemption($1)
  	role_transition $2 auditd_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -31348,7 +31853,7 @@ index 4e94884..bb6086e 100644
  ')
  
  ########################################
-@@ -1032,10 +1282,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1301,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
@@ -31366,7 +31871,7 @@ index 4e94884..bb6086e 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1312,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1331,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -31375,7 +31880,7 @@ index 4e94884..bb6086e 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1085,3 +1342,35 @@ interface(`logging_admin',`
+@@ -1085,3 +1361,35 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
@@ -39643,10 +40148,10 @@ index 5fe902d..61f19e9 100644
 -')
 +attribute unconfined_services;
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..65191bd 100644
+index db75976..e4eb903 100644
 --- a/policy/modules/system/userdomain.fc
 +++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,21 @@
+@@ -1,4 +1,24 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
@@ -39667,10 +40172,13 @@ index db75976..65191bd 100644
 +HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.gvfs/.*	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
++HOME_DIR/\.texlive2012(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
++HOME_DIR/\.texlive2013(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
++HOME_DIR/\.texlive2014(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..a964b08 100644
+index 9dc60c6..0deded7 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
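Review bot: The three new `HOME_DIR/\.texlive20NN(/.*)?` entries enumerate texlive release years by hand, so a `.texlive2015` directory would fall back to `user_home_t` and miss the `texlive_home_t` labeling that the rest of this commit relies on. A single entry such as `HOME_DIR/\.texlive20[0-9][0-9](/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)` would cover the same paths and future releases. The per-name `userdom_user_home_dir_filetrans` calls elsewhere in the commit still need explicit names, so this only generalizes the file-context side.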
@@ -42518,7 +43026,7 @@ index 9dc60c6..a964b08 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4327,1646 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4327,1673 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -43232,6 +43740,33 @@ index 9dc60c6..a964b08 100644
 +        read_lnk_files_pattern($1, audio_home_t, audio_home_t)
 +')
 +
++######################################
++## <summary>
++##      Manage texlive content in the users homedir.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_manage_home_texlive',`
++        gen_require(`
++                type texlive_home_t;
++        ')
++
++        userdom_search_user_home_dirs($1)
++
++	userdom_user_home_dir_filetrans($1, texlive_cert_t, dir, ".texlive2012")
++	userdom_user_home_dir_filetrans($1, texlive_cert_t, dir, ".texlive2013")
++	userdom_user_home_dir_filetrans($1, texlive_cert_t, dir, ".texlive2014")
++        manage_dirs_pattern($1, texlive_home_t, texlive_home_t)
++        manage_files_pattern($1, texlive_home_t, texlive_home_t)
++	manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t)
++')
++
++
 +########################################
 +## <summary>
 +##	Do not audit attempts to write all user home content files.
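Review bot: The three `userdom_user_home_dir_filetrans` calls inside `userdom_manage_home_texlive` pass `texlive_cert_t`, a type that is neither declared in this commit (userdomain.te declares `texlive_home_t`) nor listed in the interface's `gen_require`, so the module will not build and the callers added to mozilla.te (`userdom_manage_home_texlive(mozilla_t)` and `userdom_manage_home_texlive(mozilla_plugin_t)`) fail with it. The calls should read `userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012")`, and likewise for ".texlive2013" and ".texlive2014". The body also mixes eight-space and tab indentation, while the surrounding interfaces in this file use tabs.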
@@ -44166,7 +44701,7 @@ index 9dc60c6..a964b08 100644
 +')
 +
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..ce05b4f 100644
+index f4ac38d..cf1296e 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@@ -44255,7 +44790,7 @@ index f4ac38d..ce05b4f 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +83,359 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,366 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -44296,6 +44831,10 @@ index f4ac38d..ce05b4f 100644
 +userdom_user_home_content(audio_home_t)
 +ubac_constrained(audio_home_t)
 +
++type texlive_home_t;
++userdom_user_home_content(texlive_home_t)
++ubac_constrained(texlive_home_t)
++
 +type home_bin_t;
 +userdom_user_home_content(home_bin_t)
 +ubac_constrained(home_bin_t)
@@ -44409,6 +44948,9 @@ index f4ac38d..ce05b4f 100644
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert")
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki")
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014")
 +
 +optional_policy(`
 +	gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 3a8e03d..6e51ffc 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -509,7 +509,7 @@ index 058d908..9d57403 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..9ef43d3 100644
+index eb50f07..021ddae 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -701,7 +701,7 @@ index eb50f07..9ef43d3 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -176,29 +187,38 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +187,39 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -729,6 +729,7 @@ index eb50f07..9ef43d3 100644
 +logging_read_generic_logs(abrt_t)
 +logging_send_syslog_msg(abrt_t)
 +logging_stream_connect_syslog(abrt_t)
++logging_read_syslog_pid(abrt_t)
 +
  auth_use_nsswitch(abrt_t)
  
@@ -743,7 +744,7 @@ index eb50f07..9ef43d3 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +226,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +227,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -760,7 +761,7 @@ index eb50f07..9ef43d3 100644
  ')
  
  optional_policy(`
-@@ -222,6 +238,20 @@ optional_policy(`
+@@ -222,6 +239,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -781,7 +782,7 @@ index eb50f07..9ef43d3 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -233,6 +263,7 @@ optional_policy(`
+@@ -233,6 +264,7 @@ optional_policy(`
  	corecmd_exec_all_executables(abrt_t)
  ')
  
@@ -789,7 +790,7 @@ index eb50f07..9ef43d3 100644
  optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -243,6 +274,7 @@ optional_policy(`
+@@ -243,6 +275,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -797,7 +798,7 @@ index eb50f07..9ef43d3 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -253,9 +285,17 @@ optional_policy(`
+@@ -253,9 +286,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -816,7 +817,7 @@ index eb50f07..9ef43d3 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +306,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +307,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -831,7 +832,7 @@ index eb50f07..9ef43d3 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +325,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -839,7 +840,7 @@ index eb50f07..9ef43d3 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +334,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -860,7 +861,7 @@ index eb50f07..9ef43d3 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +355,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +356,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -887,7 +888,7 @@ index eb50f07..9ef43d3 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +391,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -901,7 +902,7 @@ index eb50f07..9ef43d3 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +409,11 @@ optional_policy(`
+@@ -343,10 +410,11 @@ optional_policy(`
  
  #######################################
  #
@@ -915,7 +916,7 @@ index eb50f07..9ef43d3 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +432,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +433,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -967,7 +968,7 @@ index eb50f07..9ef43d3 100644
  
  #######################################
  #
-@@ -404,7 +481,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +482,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -976,7 +977,7 @@ index eb50f07..9ef43d3 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -413,16 +490,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +491,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1020,7 +1021,7 @@ index eb50f07..9ef43d3 100644
  ')
  
  #######################################
-@@ -430,10 +533,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +534,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -9708,10 +9709,10 @@ index 0000000..23a4f86
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..a774878
+index 0000000..8d91220
 --- /dev/null
 +++ b/bumblebee.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,47 @@
 +policy_module(bumblebee, 1.0.0)
 +
 +########################################
@@ -9746,6 +9747,7 @@ index 0000000..a774878
 +files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
 +
 +kernel_read_system_state(bumblebee_t)
++kernel_dontaudit_access_check_proc(bumblebee_t)
 +
 +dev_read_sysfs(bumblebee_t)
 +
@@ -9755,6 +9757,8 @@ index 0000000..a774878
 +
 +logging_send_syslog_msg(bumblebee_t)
 +
++modutils_domtrans_insmod(bumblebee_t)
++
 +miscfiles_read_localization(bumblebee_t)
 diff --git a/cachefilesd.fc b/cachefilesd.fc
 index 648c790..aa03fc8 100644
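Review bot: `modutils_domtrans_insmod(bumblebee_t)` lets the bumblebee daemon transition into the kernel-module-loading domain, which is a far larger grant than anything else in this small policy and deserves a why-comment so a later maintainer does not drop or widen it without context. Something like `# bumblebeed switches the discrete GPU driver modules via modprobe` above the call would do, worded to match what the daemon actually does; I am inferring the purpose from the interface name, so confirm before committing the comment.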
@@ -22507,10 +22511,10 @@ index 0000000..d856375
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..1229d66
+index 0000000..85e2ddb
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,145 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -22607,18 +22611,25 @@ index 0000000..1229d66
 +#
 +
 +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
-+allow docker_t self:process { setsched signal_perms };
++allow docker_t self:process { setpgid setsched signal_perms };
 +allow docker_t self:netlink_route_socket nlmsg_write;
++allow docker_t self:netlink_audit_socket create_netlink_perms;
 +allow docker_t self:unix_dgram_socket create_socket_perms;
++allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }
 +
 +allow docker_t docker_var_lib_t:dir mounton;
++allow docker_t docker_var_lib_t:chr_file mounton;
++can_exec(docker_t, docker_var_lib_t)
 +
 +kernel_setsched(docker_t)
++kernel_get_sysvipc_info(docker_t)
 +
 +dev_getattr_all_blk_files(docker_t)
++dev_getattr_sysfs_fs(docker_t)
 +dev_read_urand(docker_t)
 +dev_read_lvm_control(docker_t)
 +dev_read_sysfs(docker_t)
++dev_rw_lvm_control(docker_t)
 +
 +files_manage_isid_type_dirs(docker_t)
 +files_manage_isid_type_files(docker_t)
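Review bot: The added line `allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }` is missing its terminating semicolon, unlike the `netlink_audit_socket` rule just above it, so checkpolicy will reject the module; it should read `allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };`. Separately, `can_exec(docker_t, docker_var_lib_t)` lets the daemon execute content under its var_lib directory in its own domain, which already holds `sys_admin` and `sys_ptrace`; if that is intended, a one-line comment stating why would help the next reviewer.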
@@ -22641,9 +22652,14 @@ index 0000000..1229d66
 +modutils_domtrans_insmod(docker_t)
 +
 +optional_policy(`
++	udev_read_db(docker_t)
++')
++
++optional_policy(`
 +	virt_read_config(docker_t)
 +	virt_exec(docker_t)
 +')
++
 diff --git a/dovecot.fc b/dovecot.fc
 index c880070..4448055 100644
 --- a/dovecot.fc
@@ -25447,10 +25463,10 @@ index 0000000..dc94853
 +
 diff --git a/freeipmi.te b/freeipmi.te
 new file mode 100644
-index 0000000..1408208
+index 0000000..43a12cb
 --- /dev/null
 +++ b/freeipmi.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,70 @@
 +policy_module(freeipmi, 1.0.0)
 +
 +########################################
@@ -25509,6 +25525,8 @@ index 0000000..1408208
 +
 +files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
 +
++corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)
++
 +#######################################
 +#
 +# ipmiseld local policy
@@ -31053,10 +31071,10 @@ index 6517fad..17c3627 100644
 +	allow $1 hypervkvp_unit_file_t:service all_service_perms;
  ')
 diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..d2ad022 100644
+index 4eb7041..ddc67b0 100644
 --- a/hypervkvp.te
 +++ b/hypervkvp.te
-@@ -5,24 +5,55 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,57 @@ policy_module(hypervkvp, 1.0.0)
  # Declarations
  #
  
@@ -31091,7 +31109,7 @@ index 4eb7041..d2ad022 100644
  #
 -# Local policy
 +# hyperv domain local policy
-+#
+ #
 +
 +allow hyperv_domain self:capability net_admin;
 +allow hyperv_domain self:netlink_socket create_socket_perms;
@@ -31099,17 +31117,19 @@ index 4eb7041..d2ad022 100644
 +allow hyperv_domain self:fifo_file rw_fifo_file_perms;
 +allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
 +
++dev_read_sysfs(hyperv_domain)
++
 +########################################
  #
 +# hypervkvp local policy
- #
- 
--allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
--allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
++#
++
 +manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
 +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
 +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
-+
+ 
+-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
 +logging_send_syslog_msg(hypervkvp_t)
  
 -logging_send_syslog_msg(hypervkvpd_t)
@@ -31548,6 +31568,82 @@ index d443fee..475b7f4 100644
  
  logging_send_syslog_msg(iodined_t)
  
+diff --git a/ipa.fc b/ipa.fc
+new file mode 100644
+index 0000000..9278f85
+--- /dev/null
++++ b/ipa.fc
+@@ -0,0 +1,4 @@
++/usr/lib/systemd/system/ipa-otpd.*		--	gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
++
++/usr/libexec/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
++
+diff --git a/ipa.if b/ipa.if
+new file mode 100644
+index 0000000..c6cf456
+--- /dev/null
++++ b/ipa.if
+@@ -0,0 +1,21 @@
++## <summary>Policy for IPA services.</summary>
++
++########################################
++## <summary>
++##	Execute rtas_errd in the rtas_errd domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ipa_domtrans_otpd',`
++	gen_require(`
++		type ipa_otpd_t, ipa_otpd_t_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
++')
++
+diff --git a/ipa.te b/ipa.te
+new file mode 100644
+index 0000000..02f7cfa
+--- /dev/null
++++ b/ipa.te
+@@ -0,0 +1,33 @@
++policy_module(ipa, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute ipa_domain;
++
++type ipa_otpd_t, ipa_domain;
++type ipa_otpd_exec_t;
++init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
++
++type ipa_otpd_unit_file_t;
++systemd_unit_file(ipa_otpd_unit_file_t)
++
++########################################
++#
++# ipa_otpd local policy
++#
++
++allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
++allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
++
++corenet_tcp_connect_radius_port(ipa_otpd_t)
++
++optional_policy(`
++    dirsrv_stream_connect(ipa_otpd_t)
++')
++
++optional_policy(`
++	kerberos_use(ipa_otpd_t)
++')
 diff --git a/irc.fc b/irc.fc
 index 48e7739..c3285c2 100644
 --- a/irc.fc
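Review bot: The `gen_require` in `ipa_domtrans_otpd` names `ipa_otpd_t_exec_t`, but ipa.te declares `ipa_otpd_exec_t` and the `domtrans_pattern` call on the next line uses that name, so the interface fails at build time for any caller; the line should be `type ipa_otpd_t, ipa_otpd_exec_t;`. The interface summary `Execute rtas_errd in the rtas_errd domin.` is copied from another module and should read `Execute ipa-otpd in the ipa_otpd domain.`. In ipa.te the `dirsrv_stream_connect` block is indented with spaces while the `kerberos_use` block uses a tab.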
@@ -36037,7 +36133,7 @@ index b7e5679..c93db33 100644
 +/var/run/slapd\.args    --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd\.pid     --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/ldap.if b/ldap.if
-index 3602712..585c416 100644
+index 3602712..fc7b071 100644
 --- a/ldap.if
 +++ b/ldap.if
 @@ -1,8 +1,68 @@
@@ -36145,7 +36241,7 @@ index 3602712..585c416 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -41,22 +119,28 @@ interface(`ldap_read_config',`
+@@ -41,22 +119,29 @@ interface(`ldap_read_config',`
  
  ########################################
  ## <summary>
@@ -36169,6 +36265,7 @@ index 3602712..585c416 100644
 +	files_search_etc($1)
 +    allow $1 slapd_cert_t:dir list_dir_perms;
 +    read_files_pattern($1, slapd_cert_t, slapd_cert_t)
++    read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t)
  ')
  
  ########################################
@@ -36179,7 +36276,7 @@ index 3602712..585c416 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -64,18 +148,13 @@ interface(`ldap_use',`
+@@ -64,18 +149,13 @@ interface(`ldap_use',`
  ##	</summary>
  ## </param>
  #
@@ -36201,7 +36298,7 @@ index 3602712..585c416 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -83,21 +162,19 @@ interface(`ldap_stream_connect',`
+@@ -83,21 +163,19 @@ interface(`ldap_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -36229,7 +36326,7 @@ index 3602712..585c416 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -106,7 +183,7 @@ interface(`ldap_tcp_connect',`
+@@ -106,7 +184,7 @@ interface(`ldap_tcp_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -36238,7 +36335,7 @@ index 3602712..585c416 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -117,11 +194,16 @@ interface(`ldap_admin',`
+@@ -117,11 +195,16 @@ interface(`ldap_admin',`
  		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
  		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
  		type slapd_db_t, slapd_keytab_t;
@@ -36256,7 +36353,7 @@ index 3602712..585c416 100644
  	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 slapd_initrc_exec_t system_r;
-@@ -130,13 +212,9 @@ interface(`ldap_admin',`
+@@ -130,13 +213,9 @@ interface(`ldap_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
  
@@ -36271,7 +36368,7 @@ index 3602712..585c416 100644
  	admin_pattern($1, slapd_replog_t)
  
  	files_list_tmp($1)
-@@ -144,4 +222,8 @@ interface(`ldap_admin',`
+@@ -144,4 +223,8 @@ interface(`ldap_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, slapd_var_run_t)
@@ -40943,10 +41040,10 @@ index 0000000..b694afc
 +')
 +
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..a4d75bf 100644
+index 6ffaba2..cb1e8b0 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
-@@ -1,38 +1,69 @@
+@@ -1,38 +1,67 @@
 -HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -40988,8 +41085,6 @@ index 6ffaba2..a4d75bf 100644
 +HOME_DIR/\.lyx(/.*)?                   gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.quakelive(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.texlive2012(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.texlive2013(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.ICAClient(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.IBMERS(/.*)?          	gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/zimbrauserdata(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -41050,7 +41145,7 @@ index 6ffaba2..a4d75bf 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..ada96f0 100644
+index 6194b80..7fbb9e7 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -1,146 +1,75 @@
@@ -41741,7 +41836,7 @@ index 6194b80..ada96f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -530,45 +499,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +499,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -41810,8 +41905,6 @@ index 6194b80..ada96f0 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
-+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
-+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
@@ -41825,7 +41918,7 @@ index 6194b80..ada96f0 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..0e84537 100644
+index 11ac8e4..1be2a97 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@@ -42082,7 +42175,7 @@ index 11ac8e4..0e84537 100644
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
  
-@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +196,74 @@ auth_use_nsswitch(mozilla_t)
  logging_send_syslog_msg(mozilla_t)
  
  miscfiles_read_fonts(mozilla_t)
@@ -42190,10 +42283,11 @@ index 11ac8e4..0e84537 100644
 +	userdom_dontaudit_read_user_tmp_files(mozilla_t)
 +	userdom_dontaudit_list_user_home_dirs(mozilla_t)
 +	userdom_dontaudit_read_user_home_content_files(mozilla_t)
++	userdom_manage_home_texlive(mozilla_t)
  ')
  
  optional_policy(`
-@@ -244,19 +276,12 @@ optional_policy(`
+@@ -244,19 +277,12 @@ optional_policy(`
  
  optional_policy(`
  	cups_read_rw_config(mozilla_t)
@@ -42215,7 +42309,7 @@ index 11ac8e4..0e84537 100644
  
  	optional_policy(`
  		networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +290,32 @@ optional_policy(`
+@@ -265,33 +291,32 @@ optional_policy(`
  
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
@@ -42263,7 +42357,7 @@ index 11ac8e4..0e84537 100644
  ')
  
  optional_policy(`
-@@ -300,259 +324,240 @@ optional_policy(`
+@@ -300,259 +325,241 @@ optional_policy(`
  
  ########################################
  #
@@ -42342,6 +42436,7 @@ index 11ac8e4..0e84537 100644
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
 +userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
++userdom_manage_home_texlive(mozilla_plugin_t)
  
  allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
@@ -42653,7 +42748,7 @@ index 11ac8e4..0e84537 100644
  ')
  
  optional_policy(`
-@@ -560,7 +565,7 @@ optional_policy(`
+@@ -560,7 +567,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42662,7 +42757,7 @@ index 11ac8e4..0e84537 100644
  ')
  
  optional_policy(`
-@@ -568,108 +573,130 @@ optional_policy(`
+@@ -568,108 +575,130 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45312,10 +45407,10 @@ index b708708..cead88c 100644
 +	apache_search_sys_content(munin_t)
 +')
 diff --git a/mysql.fc b/mysql.fc
-index 06f8666..7ef9c78 100644
+index 06f8666..4a315d5 100644
 --- a/mysql.fc
 +++ b/mysql.fc
-@@ -1,12 +1,24 @@
+@@ -1,12 +1,25 @@
 -HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
 -
 -/etc/my\.cnf	--	gen_context(system_u:object_r:mysqld_etc_t,s0)
@@ -45334,6 +45429,7 @@ index 06f8666..7ef9c78 100644
 +/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
 +
 +/usr/lib/systemd/system/mysqld.*	--	gen_context(system_u:object_r:mysqld_unit_file_t,s0)
++/usr/lib/systemd/system/mariadb.*   --  gen_context(system_u:object_r:mysqld_unit_file_t,s0)
 +
 +#
 +# /etc
@@ -45349,7 +45445,7 @@ index 06f8666..7ef9c78 100644
  /usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
  /usr/bin/mysql_upgrade	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  
-@@ -14,14 +26,17 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
+@@ -14,14 +27,17 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
  
  /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -47290,10 +47386,10 @@ index fe1068b..98166ee 100644
  
  userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
 diff --git a/networkmanager.fc b/networkmanager.fc
-index 94b9734..485f368 100644
+index 94b9734..bb9c83e 100644
 --- a/networkmanager.fc
 +++ b/networkmanager.fc
-@@ -1,44 +1,44 @@
+@@ -1,44 +1,46 @@
 -/etc/rc\.d/init\.d/wicd	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
@@ -47322,7 +47418,7 @@ index 94b9734..485f368 100644
  
 -/sbin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 -/sbin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
++/usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  
  /usr/bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  /usr/bin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
@@ -47336,6 +47432,7 @@ index 94b9734..485f368 100644
  /usr/sbin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/NetworkManagerDispatcher --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/bin/teamd          --  gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/wicd 			--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +
 +/var/lib/wicd(/.*)?			gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
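Review bot: Labeling `/usr/bin/teamd` as `NetworkManager_exec_t` runs the team daemon in `NetworkManager_t`, giving it every permission granted to NetworkManager rather than only what it needs; the `/var/run/teamd(/.*)?` entry in the next hunk likewise shares NetworkManager's runtime type. If teamd is only ever spawned by NetworkManager this may be acceptable, but a dedicated domain, or at least a comment recording the decision, would keep the two daemons' privileges separable.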
@@ -47356,6 +47453,7 @@ index 94b9734..485f368 100644
  /var/run/nm-dns-dnsmasq\.conf	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 -/var/run/wpa_supplicant(/.*)?	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/nm-xl2tpd.conf.*       --  gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/teamd(/.*)?       gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/wicd\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
@@ -47766,7 +47864,7 @@ index 86dc29d..5b73942 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..c7fd930 100644
+index 55f2009..076a73e 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -47791,7 +47889,7 @@ index 55f2009..c7fd930 100644
  type NetworkManager_log_t;
  logging_log_file(NetworkManager_log_t)
  
-@@ -39,25 +42,47 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,25 +42,50 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
  # Local policy
  #
  
@@ -47840,15 +47938,18 @@ index 55f2009..c7fd930 100644
 +#wicd
 +can_exec(NetworkManager_t, wpa_cli_exec_t)
 +
++list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
++read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ 
 +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
- 
++
 +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,6 +93,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,6 +96,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
  setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
  logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
  
@@ -47856,7 +47957,7 @@ index 55f2009..c7fd930 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +107,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,17 +110,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
  files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
  
@@ -47875,7 +47976,7 @@ index 55f2009..c7fd930 100644
  corenet_all_recvfrom_netlabel(NetworkManager_t)
  corenet_tcp_sendrecv_generic_if(NetworkManager_t)
  corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +125,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +128,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
  corenet_tcp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_bind_generic_node(NetworkManager_t)
@@ -47901,7 +48002,7 @@ index 55f2009..c7fd930 100644
  dev_rw_sysfs(NetworkManager_t)
  dev_read_rand(NetworkManager_t)
  dev_read_urand(NetworkManager_t)
-@@ -125,13 +141,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +144,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
  dev_getattr_all_chr_files(NetworkManager_t)
  dev_rw_wireless(NetworkManager_t)
  
@@ -47915,7 +48016,7 @@ index 55f2009..c7fd930 100644
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
  fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +149,17 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,6 +152,17 @@ mls_file_read_all_levels(NetworkManager_t)
  
  selinux_dontaudit_search_fs(NetworkManager_t)
  
@@ -47933,7 +48034,7 @@ index 55f2009..c7fd930 100644
  storage_getattr_fixed_disk_dev(NetworkManager_t)
  
  init_read_utmp(NetworkManager_t)
-@@ -148,10 +168,11 @@ init_domtrans_script(NetworkManager_t)
+@@ -148,10 +171,11 @@ init_domtrans_script(NetworkManager_t)
  
  auth_use_nsswitch(NetworkManager_t)
  
@@ -47946,7 +48047,7 @@ index 55f2009..c7fd930 100644
  
  seutil_read_config(NetworkManager_t)
  
-@@ -166,21 +187,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +190,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_state(NetworkManager_t)
  sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -47983,7 +48084,7 @@ index 55f2009..c7fd930 100644
  ')
  
  optional_policy(`
-@@ -196,10 +228,6 @@ optional_policy(`
+@@ -196,10 +231,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47994,7 +48095,7 @@ index 55f2009..c7fd930 100644
  	consoletype_exec(NetworkManager_t)
  ')
  
-@@ -210,16 +238,11 @@ optional_policy(`
+@@ -210,16 +241,11 @@ optional_policy(`
  optional_policy(`
  	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
  
@@ -48013,7 +48114,7 @@ index 55f2009..c7fd930 100644
  	')
  ')
  
-@@ -231,18 +254,19 @@ optional_policy(`
+@@ -231,18 +257,19 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -48036,7 +48137,7 @@ index 55f2009..c7fd930 100644
  ')
  
  optional_policy(`
-@@ -250,6 +274,10 @@ optional_policy(`
+@@ -250,6 +277,10 @@ optional_policy(`
  	ipsec_kill_mgmt(NetworkManager_t)
  	ipsec_signal_mgmt(NetworkManager_t)
  	ipsec_signull_mgmt(NetworkManager_t)
@@ -48047,7 +48148,7 @@ index 55f2009..c7fd930 100644
  ')
  
  optional_policy(`
-@@ -257,11 +285,10 @@ optional_policy(`
+@@ -257,11 +288,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48063,7 +48164,7 @@ index 55f2009..c7fd930 100644
  ')
  
  optional_policy(`
-@@ -274,10 +301,17 @@ optional_policy(`
+@@ -274,10 +304,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -48081,7 +48182,7 @@ index 55f2009..c7fd930 100644
  ')
  
  optional_policy(`
-@@ -289,6 +323,7 @@ optional_policy(`
+@@ -289,6 +326,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48089,7 +48190,7 @@ index 55f2009..c7fd930 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +331,7 @@ optional_policy(`
+@@ -296,7 +334,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48098,7 +48199,7 @@ index 55f2009..c7fd930 100644
  ')
  
  optional_policy(`
-@@ -307,6 +342,7 @@ optional_policy(`
+@@ -307,6 +345,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -48106,7 +48207,7 @@ index 55f2009..c7fd930 100644
  ')
  
  optional_policy(`
-@@ -320,14 +356,20 @@ optional_policy(`
+@@ -320,14 +359,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48132,7 +48233,7 @@ index 55f2009..c7fd930 100644
  ')
  
  optional_policy(`
-@@ -357,6 +399,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +402,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -56097,10 +56198,10 @@ index 1fb1964..f92c71a 100644
 +	virt_rw_svirt_dev(pcscd_t)
 +')
 diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..6b5b74b 100644
+index dfd46e4..4694942 100644
 --- a/pegasus.fc
 +++ b/pegasus.fc
-@@ -1,15 +1,25 @@
+@@ -1,15 +1,29 @@
 -/etc/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_conf_t,s0)
 +
 +/etc/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_conf_t,s0)
@@ -56109,29 +56210,33 @@ index dfd46e4..6b5b74b 100644
 -/etc/rc\.d/init\.d/tog-pegasus	--	gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
 +/usr/sbin/cimserver		--	gen_context(system_u:object_r:pegasus_exec_t,s0)
 +/usr/sbin/init_repository	-- 	gen_context(system_u:object_r:pegasus_exec_t,s0)
++
++/var/lib/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_data_t,s0)
  
 -/usr/sbin/cimserver	--	gen_context(system_u:object_r:pegasus_exec_t,s0)
 -/usr/sbin/init_repository	--	gen_context(system_u:object_r:pegasus_exec_t,s0)
-+/var/lib/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_data_t,s0)
++/var/run/tog-pegasus(/.*)?		gen_context(system_u:object_r:pegasus_var_run_t,s0)
  
 -/var/cache/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_cache_t,s0)
-+/var/run/tog-pegasus(/.*)?		gen_context(system_u:object_r:pegasus_var_run_t,s0)
++/usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
  
 -/var/lib/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_data_t,s0)
-+/usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
++/var/lib/openlmi-storage(/.*)?       gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
  
 -/var/run/tog-pegasus(/.*)?	gen_context(system_u:object_r:pegasus_var_run_t,s0)
-+/var/lib/openlmi-storage(/.*)?       gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
  
 -/usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
++
++/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
++
 +/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt      --  gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
 +
++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt    --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
 +
 +/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt   --  gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
 diff --git a/pegasus.if b/pegasus.if
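Review bot: The new `/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt` entry is labeled `pegasus_openlmi_admin_exec_t`, the same entry type as the Service provider, so a provider that presumably only needs to read the journal will run in a domain sized for service management. The rules of `pegasus_openlmi_admin_t` are not visible in this hunk; if that domain carries service-control permissions, a dedicated journald type (or the `services` domain already used for the Realmd provider) would be the tighter choice, and a comment such as `# Journald provider shares the admin domain; it only needs journal read` would at least record the decision. The entries also mix tabs and runs of spaces for column alignment where the rest of the file uses tabs.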
@@ -59856,7 +59961,7 @@ index 5ad5291..7f1ae2a 100644
  	portreserve_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/portreserve.te b/portreserve.te
-index 00b01e2..ffbfcee 100644
+index 00b01e2..47ab4d9 100644
 --- a/portreserve.te
 +++ b/portreserve.te
 @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
@@ -59867,13 +59972,17 @@ index 00b01e2..ffbfcee 100644
  corenet_all_recvfrom_netlabel(portreserve_t)
  corenet_tcp_sendrecv_generic_if(portreserve_t)
  corenet_udp_sendrecv_generic_if(portreserve_t)
-@@ -56,6 +55,5 @@ corenet_sendrecv_all_server_packets(portreserve_t)
+@@ -56,6 +55,8 @@ corenet_sendrecv_all_server_packets(portreserve_t)
  corenet_tcp_bind_all_ports(portreserve_t)
  corenet_udp_bind_all_ports(portreserve_t)
  
 -files_read_etc_files(portreserve_t)
- 
+-
  userdom_dontaudit_search_user_home_content(portreserve_t)
++
++optional_policy(`
++    sssd_search_lib(portreserve_t)
++')
 diff --git a/portslave.te b/portslave.te
 index cbe36c1..8ebeb87 100644
 --- a/portslave.te
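Review bot: The new `optional_policy` block is indented with four spaces while the surrounding portreserve.te lines in this hunk use a tab; refpolicy convention is tabs, so the body line should be `	sssd_search_lib(portreserve_t)`. By its name the rule grants only directory search on sssd's lib content, which is the minimal permission for nss lookups that go through sssd, so there is no privilege concern here.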
@@ -75894,7 +76003,7 @@ index ebe91fc..576ca21 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index ef3b225..0c8576e 100644
+index ef3b225..064712b 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -76171,7 +76280,7 @@ index ef3b225..0c8576e 100644
 +		type rpm_log_t;
 +	')
 +    logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
-+    logging_log_named_filetrans($1, rpm_log_t, file, "upd2date")
++    logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
 +')
 +
 +########################################
@@ -85152,7 +85261,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index f2f507d..f7ba057 100644
+index f2f507d..de22c9c 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -85313,7 +85422,7 @@ index f2f507d..f7ba057 100644
  ')
  
  optional_policy(`
-@@ -151,9 +198,17 @@ optional_policy(`
+@@ -151,9 +198,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85331,6 +85440,10 @@ index f2f507d..f7ba057 100644
 +
 +optional_policy(`
 +    setroubleshoot_signull(sosreport_t)
++')
++
++optional_policy(`
++    unconfined_signull(sosreport_t)
  ')
  
  optional_policy(`
@@ -90367,11 +90480,10 @@ index 0000000..39d17b7
 +files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
 diff --git a/thumb.fc b/thumb.fc
 new file mode 100644
-index 0000000..92b6843
+index 0000000..115bf6c
 --- /dev/null
 +++ b/thumb.fc
-@@ -0,0 +1,18 @@
-+HOME_DIR/\.texlive2012(/.*)?	gen_context(system_u:object_r:thumb_home_t,s0)
+@@ -0,0 +1,17 @@
 +HOME_DIR/\.thumbnails(/.*)?	gen_context(system_u:object_r:thumb_home_t,s0)
 +HOME_DIR/\.cache/thumbnails(/.*)?	gen_context(system_u:object_r:thumb_home_t,s0)
 +HOME_DIR/missfont\.log.*		gen_context(system_u:object_r:thumb_home_t,s0)
@@ -90388,7 +90500,7 @@ index 0000000..92b6843
 +/usr/bin/ffmpegthumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +/usr/bin/mate-thumbnail-font		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +
-+/usr/lib/tumbler[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/lib/tumbler-?[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 diff --git a/thumb.if b/thumb.if
 new file mode 100644
 index 0000000..c1fd8b4
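Review bot: The regex on the last line, `/usr/lib/tumbler-?[^/]*/tumblerd`, only matches under /usr/lib, while the changelog entry targets `/usr/lib64/tumbler-1/tumblerd`; this presumably relies on the distribution's `/usr/lib64 -> /usr/lib` substitution in file_contexts.subs_dist, which is worth confirming, since without it the lib64 binary stays unlabeled and tumblerd would not transition into thumb_t. The optional hyphen followed by `[^/]*` also matches any directory name beginning with `tumbler`, which is broader than needed; `/usr/lib/tumbler(-[0-9]+)?/tumblerd` would pin the versioned directory. The `.texlive2012` home entry removed at the top of the hunk is presumably relabeled elsewhere in this commit ("new type to texlive files in homedir"); nothing in this hunk shows the replacement.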
@@ -90530,10 +90642,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..b57cc3c
+index 0000000..2ddef5c
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,149 @@
+@@ -0,0 +1,150 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -90583,6 +90695,7 @@ index 0000000..b57cc3c
 +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
 +userdom_dontaudit_access_check_user_content(thumb_t)
 +userdom_rw_inherited_user_tmpfs_files(thumb_t)
++userdom_manage_home_texlive(thumb_t)
 +
 +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
 +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
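Review bot: `userdom_manage_home_texlive(thumb_t)` gives a thumbnailer that renders untrusted user files create/write/delete access (by the interface's name) to texlive content in every user's home directory, which widens what a malformed input file can touch if thumb_t is compromised. The hunk does not show what thumb actually writes there; if it is only font-cache output, a narrower read-plus-append style interface would be tighter, and either way a why-comment is missing, e.g. `# TeX-based thumbnailers (re)generate font caches under ~/.texlive*`. The thumb_t rule block begins before this hunk.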
@@ -91431,7 +91544,7 @@ index 61c2e07..5e1df41 100644
 +	')
  ')
 diff --git a/tor.te b/tor.te
-index 5ceacde..5fde651 100644
+index 5ceacde..40e9303 100644
 --- a/tor.te
 +++ b/tor.te
 @@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
@@ -91466,7 +91579,15 @@ index 5ceacde..5fde651 100644
  corenet_sendrecv_dns_server_packets(tor_t)
  corenet_udp_bind_dns_port(tor_t)
  corenet_udp_sendrecv_dns_port(tor_t)
-@@ -98,19 +107,22 @@ dev_read_urand(tor_t)
+@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+ corenet_sendrecv_tor_server_packets(tor_t)
+ corenet_tcp_bind_tor_port(tor_t)
+ corenet_tcp_sendrecv_tor_port(tor_t)
++corenet_tcp_bind_hplip_port(tor_t)
+ 
+ corenet_sendrecv_all_client_packets(tor_t)
+ corenet_tcp_connect_all_ports(tor_t)
+@@ -98,19 +108,22 @@ dev_read_urand(tor_t)
  domain_use_interactive_fds(tor_t)
  
  files_read_etc_runtime_files(tor_t)
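Review bot: `corenet_tcp_bind_hplip_port(tor_t)` is granted unconditionally and covers every port labeled hplip_port_t (the printer/JetDirect port set), not a single port, so tor_t can now bind ports unrelated to any tor default. This presumably exists because someone configured an ORPort or DirPort on a port that happens to carry the hplip label; a comment naming the use case, e.g. `# ORPort configured on a port labeled hplip_port_t (e.g. 9100)`, and gating the rule behind a tunable defaulting to off would keep the default policy narrow. Which ports make up hplip_port_t is defined in corenetwork and not visible in this hunk.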
@@ -91583,7 +91704,7 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 393a330..90924a4 100644
+index 393a330..3e41bff 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -91644,7 +91765,7 @@ index 393a330..90924a4 100644
  
  corecmd_exec_bin(tuned_t)
  corecmd_exec_shell(tuned_t)
-@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +76,57 @@ corecmd_exec_shell(tuned_t)
  dev_getattr_all_blk_files(tuned_t)
  dev_getattr_all_chr_files(tuned_t)
  dev_read_urand(tuned_t)
@@ -91669,6 +91790,8 @@ index 393a330..90924a4 100644
  
 -miscfiles_read_localization(tuned_t)
 +mount_read_pid_files(tuned_t)
++
++modutils_domtrans_insmod(tuned_t)
  
  udev_read_pid_files(tuned_t)
  
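Review bot: `modutils_domtrans_insmod(tuned_t)` lets tuned load kernel modules, and with `corecmd_exec_shell(tuned_t)` already in place (visible just above the hunk) any tuned profile script or a compromised tuned process can now effectively `modprobe` arbitrary modules, a large step up in privilege for a tuning daemon. The hunk does not say which profile needs this; a why-comment, e.g. `# tuned profiles load modules via modprobe (e.g. cpufreq/acpi drivers)`, and consideration of a tunable defaulting to off would document and bound the grant. insmod_t typically has broad device and sysfs access, so the transition target is itself a high-value domain.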
@@ -93350,7 +93473,7 @@ index a4f20bc..9bad8b9 100644
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..73549fd 100644
+index facdee8..43128c6 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -94365,7 +94488,7 @@ index facdee8..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,94 +658,189 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +658,189 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -94556,93 +94679,110 @@ index facdee8..73549fd 100644
  ## <summary>
 -##	Append virt log files.
 +##	Do not audit attempts to write virt daemon unnamed pipes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`virt_dontaudit_write_pipes',`
++	gen_require(`
++		type virtd_t;
++	')
++
++	dontaudit $1 virtd_t:fd use;
++	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
++')
++
++########################################
++## <summary>
++##	Send a sigkill to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -935,19 +848,17 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_append_log',`
-+interface(`virt_dontaudit_write_pipes',`
++interface(`virt_kill_svirt',`
  	gen_require(`
 -		type virt_log_t;
-+		type virtd_t;
++		attribute virt_domain;
  	')
  
 -	logging_search_logs($1)
 -	append_files_pattern($1, virt_log_t, virt_log_t)
-+	dontaudit $1 virtd_t:fd use;
-+	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
++	allow $1 virt_domain:process sigkill;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt log files.
-+##	Send a sigkill to virtual machines
++##	Send a sigkill to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +848,17 @@ interface(`virt_append_log',`
+@@ -955,20 +866,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_log',`
-+interface(`virt_kill_svirt',`
++interface(`virt_kill',`
  	gen_require(`
 -		type virt_log_t;
-+		attribute virt_domain;
++		type virtd_t;
  	')
  
 -	logging_search_logs($1)
 -	manage_dirs_pattern($1, virt_log_t, virt_log_t)
 -	manage_files_pattern($1, virt_log_t, virt_log_t)
 -	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
-+	allow $1 virt_domain:process sigkill;
++	allow $1 virtd_t:process sigkill;
  ')
  
  ########################################
  ## <summary>
 -##	Search virt image directories.
-+##	Send a sigkill to virtd daemon.
++##	Send a signal to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +866,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +884,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_search_images',`
-+interface(`virt_kill',`
++interface(`virt_signal_svirt',`
  	gen_require(`
 -		attribute virt_image_type;
-+		type virtd_t;
++		attribute virt_domain;
  	')
  
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir search_dir_perms;
-+	allow $1 virtd_t:process sigkill;
++	allow $1 virt_domain:process signal;
  ')
  
  ########################################
  ## <summary>
 -##	Read virt image files.
-+##	Send a signal to virtual machines
++##	Manage virt home files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,73 +884,75 @@ interface(`virt_search_images',`
+@@ -995,36 +902,57 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_read_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_manage_home_files',`
  	gen_require(`
 -		type virt_var_lib_t;
 -		attribute virt_image_type;
-+		attribute virt_domain;
++		type virt_home_t;
  	')
  
 -	virt_search_lib($1)
@@ -94651,7 +94791,8 @@ index facdee8..73549fd 100644
 -	read_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+	allow $1 virt_domain:process signal;
++	userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, virt_home_t, virt_home_t)
 +')
  
 -	tunable_policy(`virt_use_nfs',`
@@ -94660,105 +94801,70 @@ index facdee8..73549fd 100644
 -		fs_read_nfs_symlinks($1)
 +########################################
 +## <summary>
-+##	Manage virt home files.
++##	allow domain to read
++##	virt tmpfs files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain allowed access
 +##	</summary>
 +## </param>
 +#
-+interface(`virt_manage_home_files',`
++interface(`virt_read_tmpfs_files',`
 +	gen_require(`
-+		type virt_home_t;
++		attribute virt_tmpfs_type;
  	')
  
 -	tunable_policy(`virt_use_samba',`
 -		fs_list_cifs($1)
 -		fs_read_cifs_files($1)
 -		fs_read_cifs_symlinks($1)
--	')
-+	userdom_search_user_home_dirs($1)
-+	manage_files_pattern($1, virt_home_t, virt_home_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read and write all virt image
--##	character files.
-+##	allow domain to read
-+##	virt tmpfs files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain allowed access
- ##	</summary>
- ## </param>
- #
--interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_read_tmpfs_files',`
- 	gen_require(`
--		attribute virt_image_type;
-+		attribute virt_tmpfs_type;
- 	')
- 
--	virt_search_lib($1)
--	allow $1 virt_image_type:dir list_dir_perms;
--	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
 +	allow $1 virt_tmpfs_type:file read_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	svirt cache files.
++')
++
++########################################
++## <summary>
 +##	allow domain to manage
 +##	virt tmpfs files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access
- ##	</summary>
- ## </param>
- #
--interface(`virt_manage_svirt_cache',`
--	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
--	virt_manage_virt_cache($1)
++##	</summary>
++## </param>
++#
 +interface(`virt_manage_tmpfs_files',`
 +	gen_require(`
 +		attribute virt_tmpfs_type;
-+	')
+ 	')
 +
 +	allow $1 virt_tmpfs_type:file manage_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete
--##	virt cache content.
+-##	Read and write all virt image
+-##	character files.
 +##	Create .virt directory in the user home directory
 +##	with an correct label.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +960,28 @@ interface(`virt_manage_svirt_cache',`
+@@ -1032,20 +960,28 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_virt_cache',`
+-interface(`virt_rw_all_image_chr_files',`
 +interface(`virt_filetrans_home_content',`
  	gen_require(`
--		type virt_cache_t;
+-		attribute virt_image_type;
 +		type virt_home_t;
 +		type svirt_home_t;
  	')
  
--	files_search_var($1)
--	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
--	manage_files_pattern($1, virt_cache_t, virt_cache_t)
--	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+-	virt_search_lib($1)
+-	allow $1 virt_image_type:dir list_dir_perms;
+-	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
 +	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
@@ -94775,42 +94881,36 @@ index facdee8..73549fd 100644
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
--##	virt image files.
+-##	svirt cache files.
 +##	Dontaudit attempts to Read virt_image_type devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +989,148 @@ interface(`virt_manage_virt_cache',`
+@@ -1053,37 +989,129 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_images',`
+-interface(`virt_manage_svirt_cache',`
+-	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
+-	virt_manage_virt_cache($1)
 +interface(`virt_dontaudit_read_chr_dev',`
- 	gen_require(`
--		type virt_var_lib_t;
- 		attribute virt_image_type;
- 	')
- 
--	virt_search_lib($1)
--	allow $1 virt_image_type:dir list_dir_perms;
--	manage_dirs_pattern($1, virt_image_type, virt_image_type)
--	manage_files_pattern($1, virt_image_type, virt_image_type)
--	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
--	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
++	gen_require(`
++		attribute virt_image_type;
++	')
++
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
-+')
+ ')
  
--	tunable_policy(`virt_use_nfs',`
--		fs_manage_nfs_dirs($1)
--		fs_manage_nfs_files($1)
--		fs_read_nfs_symlinks($1)
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt cache content.
 +##	Creates types and rules for a basic
 +##	virt_lxc process domain.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <param name="prefix">
-+##	<summary>
+ ##	<summary>
 +##	Prefix for the domain.
 +##	</summary>
 +## </param>
@@ -94818,12 +94918,8 @@ index facdee8..73549fd 100644
 +template(`virt_sandbox_domain_template',`
 +	gen_require(`
 +		attribute svirt_sandbox_domain;
- 	')
- 
--	tunable_policy(`virt_use_samba',`
--		fs_manage_cifs_files($1)
--		fs_manage_cifs_files($1)
--		fs_read_cifs_symlinks($1)
++	')
++
 +	type $1_t, svirt_sandbox_domain;
 +	domain_type($1_t)
 +	domain_user_exemption_target($1_t)
@@ -94858,7 +94954,7 @@ index facdee8..73549fd 100644
 +## </summary>
 +## <param name="domain">
 +## <summary>
-+##	Domain allowed access.
+ ##	Domain allowed access.
 +## </summary>
 +## </param>
 +#
@@ -94877,22 +94973,30 @@ index facdee8..73549fd 100644
 +## <param name="domain">
 +##	<summary>
 +##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_virt_cache',`
 +interface(`virt_filetrans_named_content',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_cache_t;
 +		type virt_lxc_var_run_t;
 +		type virt_var_run_t;
-+	')
-+
+ 	')
+ 
+-	files_search_var($1)
+-	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_files_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt image files.
 +##	Execute qemu in the svirt domain, and
 +##	allow the specified role the svirt domain.
 +## </summary>
@@ -94923,6 +95027,37 @@ index facdee8..73549fd 100644
 +########################################
 +## <summary>
 +##	Read and write to svirt_image devices.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1091,36 +1119,54 @@ interface(`virt_manage_virt_cache',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_images',`
++interface(`virt_rw_svirt_dev',`
+ 	gen_require(`
+-		type virt_var_lib_t;
+-		attribute virt_image_type;
++		type svirt_image_t;
+ 	')
+ 
+-	virt_search_lib($1)
+-	allow $1 virt_image_type:dir list_dir_perms;
+-	manage_dirs_pattern($1, virt_image_type, virt_image_type)
+-	manage_files_pattern($1, virt_image_type, virt_image_type)
+-	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+-	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
++	allow $1 svirt_image_t:chr_file rw_file_perms;
++')
+ 
+-	tunable_policy(`virt_use_nfs',`
+-		fs_manage_nfs_dirs($1)
+-		fs_manage_nfs_files($1)
+-		fs_read_nfs_symlinks($1)
++########################################
++## <summary>
++##	Read and write to svirt_image devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -94930,12 +95065,34 @@ index facdee8..73549fd 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`virt_rw_svirt_dev',`
++interface(`virt_rlimitinh',`
 +	gen_require(`
-+		type svirt_image_t;
++		type virtd_t;
  	')
+ 
+-	tunable_policy(`virt_use_samba',`
+-		fs_manage_cifs_files($1)
+-		fs_manage_cifs_files($1)
+-		fs_read_cifs_symlinks($1)
++    allow $1 virtd_t:process { rlimitinh };
++')
 +
-+	allow $1 svirt_image_t:chr_file rw_file_perms;
++########################################
++## <summary>
++##	Read and write to svirt_image devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_noatsecure',`
++	gen_require(`
++		type virtd_t;
+ 	')
++
++    allow $1 virtd_t:process { noatsecure rlimitinh };
  ')
  
  ########################################
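Review bot: Both new interfaces `virt_rlimitinh` and `virt_noatsecure` carry the summary `Read and write to svirt_image devices.`, copied from `virt_rw_svirt_dev`, which misdescribes rules that affect the process transition into virtd_t rather than device access. `virt_noatsecure` also deserves a security caveat: allowing `noatsecure` means the exec into virtd_t does not set AT_SECURE, so secure-execution hardening (glibc ignoring LD_PRELOAD/LD_LIBRARY_PATH and similar) is skipped and the caller's environment is honoured by the privileged daemon, which should only be granted to trusted launchers such as init. Suggested summaries: `## Allow the specified domain to start virtd without AT_SECURE (caller environment is not sanitized) and to pass its resource limits on` for virt_noatsecure and `## Allow virtd to inherit resource limits from the specified domain` for virt_rlimitinh. The noatsecure interface additionally grants `rlimitinh`, duplicating virt_rlimitinh, and both bodies use four-space indentation where the file uses tabs.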
@@ -94947,7 +95104,7 @@ index facdee8..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1146,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1182,36 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -97064,6 +97221,132 @@ index 6b72968..de409cc 100644
  userdom_dontaudit_search_user_home_dirs(vlock_t)
 -userdom_use_user_terminals(vlock_t)
 +userdom_use_inherited_user_terminals(vlock_t)
+diff --git a/vmtools.fc b/vmtools.fc
+new file mode 100644
+index 0000000..5726cdb
+--- /dev/null
++++ b/vmtools.fc
+@@ -0,0 +1,3 @@
++/usr/bin/vmtoolsd		--	gen_context(system_u:object_r:vmtools_exec_t,s0)
++
++/usr/lib/systemd/system/vmtoolsd.*		--	gen_context(system_u:object_r:vmtools_unit_file_t,s0)
+diff --git a/vmtools.if b/vmtools.if
+new file mode 100644
+index 0000000..044be2f
+--- /dev/null
++++ b/vmtools.if
+@@ -0,0 +1,78 @@
++## <summary>VMware Tools daemon</summary>
++
++########################################
++## <summary>
++##	Execute vmtools in the vmtools domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`vmtools_domtrans',`
++	gen_require(`
++		type vmtools_t, vmtools_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, vmtools_exec_t, vmtools_t)
++')
++########################################
++## <summary>
++##	Execute vmtools server in the vmtools domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`vmtools_systemctl',`
++	gen_require(`
++		type vmtools_t;
++		type vmtools_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 vmtools_unit_file_t:file read_file_perms;
++	allow $1 vmtools_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, vmtools_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an vmtools environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`vmtools_admin',`
++	gen_require(`
++		type vmtools_t;
++		type vmtools_unit_file_t;
++	')
++
++	allow $1 vmtools_t:process { signal_perms };
++	ps_process_pattern($1, vmtools_t)
++
++	tunable_policy(`deny_ptrace',`',`
++		allow $1 ninfod_t:process ptrace;
++	')
++
++	vmtools_systemctl($1)
++	admin_pattern($1, vmtools_unit_file_t)
++	allow $1 vmtools_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/vmtools.te b/vmtools.te
+new file mode 100644
+index 0000000..7918651
+--- /dev/null
++++ b/vmtools.te
+@@ -0,0 +1,27 @@
++policy_module(vmtools, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type vmtools_t;
++type vmtools_exec_t;
++init_daemon_domain(vmtools_t, vmtools_exec_t)
++
++type vmtools_unit_file_t;
++systemd_unit_file(vmtools_unit_file_t)
++
++########################################
++#
++# vmtools local policy
++#
++allow vmtools_t self:fifo_file rw_fifo_file_perms;
++allow vmtools_t self:unix_stream_socket create_stream_socket_perms;
++allow vmtools_t self:unix_dgram_socket create_socket_perms;
++
++auth_use_nsswitch(vmtools_t)
++
++dev_read_urand(vmtools_t)
++
++logging_send_syslog_msg(vmtools_t)
 diff --git a/vmware.if b/vmware.if
 index 20a1fb2..470ea95 100644
 --- a/vmware.if
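Review bot: `vmtools_admin` grants `allow $1 ninfod_t:process ptrace;` inside the `deny_ptrace` tunable, which looks like a copy-paste from another module: `ninfod_t` is not in this interface's `gen_require` and is not the domain being administered, so the interface fails to expand when ninfod is absent and otherwise targets the wrong process; it should read `allow $1 vmtools_t:process ptrace;`. `vmtools_systemctl` calls `systemd_read_fifo_file_passwd_run($1)` unconditionally (and with four-space indent) while `vmtools_admin` wraps the same call in `optional_policy`; make the two consistent. Minor: `domin` in the first summary should be `domain`, and `vmtools.te` leaves vmtoolsd, a guest agent that presumably executes host-initiated operations, with only socket, urandom and syslog rules, so expect denials once the daemon does anything real.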
@@ -99998,7 +100281,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..1498539 100644
+index 7f496c6..922b7e0 100644
 --- a/zabbix.te
 +++ b/zabbix.te
 @@ -6,21 +6,23 @@ policy_module(zabbix, 1.6.0)
@@ -100189,7 +100472,7 @@ index 7f496c6..1498539 100644
  
  fs_getattr_all_fs(zabbix_agent_t)
  
-@@ -190,8 +181,11 @@ init_read_utmp(zabbix_agent_t)
+@@ -190,8 +181,14 @@ init_read_utmp(zabbix_agent_t)
  
  logging_search_logs(zabbix_agent_t)
  
@@ -100200,9 +100483,12 @@ index 7f496c6..1498539 100644
  zabbix_tcp_connect(zabbix_agent_t)
 +
 +optional_policy(`
-+	hostname_exec(zabbix_agent_t)
++	dmidecode_domtrans(zabbix_agent_t)
 +')
 +
++optional_policy(`
++	hostname_exec(zabbix_agent_t)
++')
 diff --git a/zarafa.fc b/zarafa.fc
 index faf99ed..44e94fa 100644
 --- a/zarafa.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2fec2d9..302876e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -252,7 +252,8 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER}  %{buildroot}%{_sysconfdir}/se
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u 
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ 
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/sysadm_u 
 
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
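Review bot: The rewritten `staff_u` line in the `%config` list appears to end with `\ ` (a space after the backslash) rather than a bare backslash; rpm only treats a backslash immediately followed by the newline as a macro continuation, so if that trailing blank is real the macro body ends at `staff_u` and the new `sysadm_u` entry falls outside the macro, silently dropping it from the packaged file list. It should read `%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \` with no trailing whitespace; the blank may be a rendering artifact of the mailing-list page, so confirm in the repository before changing it.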
@@ -575,6 +576,27 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Dec 13 2013 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-10
+- Allow freeipmi_ipmidetectd_t to use freeipmi port
+- Update freeipmi_domain_template()
+- Allow journalctl running as ABRT to read /run/log/journal
+- Allow NM to read dispatcher.d directory
+- Update freeipmi policy
+- Type transitions with a filename not allowed inside conditionals
+- Allow tor to bind to hplip port
+- Make new type to texlive files in homedir
+- Allow zabbix_agent to transition to dmidecode
+- Add rules for docker
+- Allow sosreport to send signull to unconfined_t
+- Add virt_noatsecure and virt_rlimitinh interfaces
+- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port
+- Add sysadm_u_default_contexts
+- Add logging_read_syslog_pid()
+- Fix userdom_manage_home_texlive() interface
+- Make new type to texlive files in homedir
+- Add filename transitions for /run and /lock links
+- Allow virtd to inherit rlimit information
+
 * Mon Dec 9 2013 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-9
 - DRM master and input event devices are used by  the TakeDevice API
 - Clean up bumblebee policy

