[selinux-policy] - Allow mozilla plugin to chat with policykit, needed for spice - Allow gssprozy to change user and
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jan 6 06:31:33 UTC 2014
commit 9d88e1830593e4ea97534fc504b97353b95c116b
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Jan 6 07:31:14 2014 +0100
- Allow mozilla plugin to chat with policykit, needed for spice
- Allow gssproxy to change user and gid, as well as read user keyrings
- Allow sandbox apps to attempt to set and get capabilities
- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
- Allow modemmanager to read /dev/urandom
- Allow polipo to connect to http_cache_ports
- Allow cron jobs to manage apache var lib content
- Allow yppassword to manage the passwd_file_t
- Allow showall_t to send itself signals
- Allow cobbler to restart dhcpc, dnsmasq and bind services
- Allow rsync_t to manage all non auth files
- Allow certmonger to manage home cert files
- Allow user_mail_domains to write certain files to the /root and ~/ directories
- Allow apcuspd_t to status and start the power unit file
- Allow cgroupdrulesengd to create content in cgoups directories
- Add new access for mythtv
- Allow irc_t to execute shell and bin-t files:
- Allow smbd_t to signull cluster
- Allow sssd to read systemd_login_var_run_t
- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
- Add label for /var/spool/cron.aquota.user
- Allow sandbox_x domains to use work with the mozilla plugin semaphore
- Added new policy for speech-dispatcher
- Added dontaudit rule for insmod_exec_t in rasdaemon policy
- Updated rasdaemon policy
- Allow virt_domains to read cert files
- Allow system_mail_t to transition to postfix_postdrop_t
- Clean up mirrormanager policy
- Allow subscription-manager running as sosreport_t to manage rhsmcertd
- Remove ability to do mount/sys_admin by default in virt_sandbox domains
- New rules required to run docker images within libivrt
- Fixed bumblebee_admin() and mip6d_admin()
- Add log support for sensord
- Add label for ~/.cvsignore
- Change mirrormanager to be run by cron
- Add mirrormanager policy
- Additional fixes for docker.te
- Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot
- Add tftp_write_rw_content/tftp_read_rw_content interfaces
- Allow amanda to do backups over UDP
policy-rawhide-base.patch | 299 +++--
policy-rawhide-contrib.patch | 3647 ++++++++++++++++++++++++++++++------------
selinux-policy.spec | 58 +-
3 files changed, 2877 insertions(+), 1127 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index ac9e806..3a43036 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2631,7 +2631,7 @@ index 99e3903..fa68362 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..7ba0bd8 100644
+index 1d732f1..9647c14 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -2851,7 +2851,7 @@ index 1d732f1..7ba0bd8 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -352,6 +383,13 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +383,14 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2860,12 +2860,13 @@ index 1d732f1..7ba0bd8 100644
+optional_policy(`
+ gnome_exec_keyringd(passwd_t)
+ gnome_manage_cache_home_dir(passwd_t)
++ gnome_manage_generic_cache_sockets(passwd_t)
+ gnome_stream_connect_gkeyringd(passwd_t)
+')
optional_policy(`
nscd_run(passwd_t, passwd_roles)
-@@ -401,9 +439,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +440,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
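Review bot: The new `gnome_manage_generic_cache_sockets(passwd_t)` line hands the setuid passwd program create/unlink/rename rights on sockets under the GNOME cache directory, which is more than a client needs to reach gnome-keyring — the same optional_policy block already carries `gnome_stream_connect_gkeyringd(passwd_t)` for that. If the denial behind this was only a connect or write on the keyring socket, a narrower connect/rw interface is the least-privilege fix; if passwd really does create sockets there, record it so the grant is not trimmed later: `# passwd creates/removes its own sockets under ~/.cache when talking to gnome-keyring`. The exact permission set behind the "manage" interface is defined in gnome.if outside this hunk, so confirm it against the originating AVC.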
@@ -2878,7 +2879,7 @@ index 1d732f1..7ba0bd8 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +455,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -2886,7 +2887,7 @@ index 1d732f1..7ba0bd8 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -426,12 +464,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +465,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -2899,7 +2900,7 @@ index 1d732f1..7ba0bd8 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-@@ -446,7 +481,8 @@ optional_policy(`
+@@ -446,7 +482,8 @@ optional_policy(`
# Useradd local policy
#
@@ -2909,7 +2910,7 @@ index 1d732f1..7ba0bd8 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -461,6 +497,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +498,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -2920,7 +2921,7 @@ index 1d732f1..7ba0bd8 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -468,29 +508,27 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +509,27 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -2959,7 +2960,7 @@ index 1d732f1..7ba0bd8 100644
auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
-@@ -498,6 +536,7 @@ auth_rw_faillog(useradd_t)
+@@ -498,6 +537,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -2967,7 +2968,7 @@ index 1d732f1..7ba0bd8 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -508,33 +547,32 @@ init_rw_utmp(useradd_t)
+@@ -508,33 +548,32 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -3012,7 +3013,7 @@ index 1d732f1..7ba0bd8 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -549,10 +587,19 @@ optional_policy(`
+@@ -549,10 +588,19 @@ optional_policy(`
')
optional_policy(`
@@ -3032,7 +3033,7 @@ index 1d732f1..7ba0bd8 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +609,12 @@ optional_policy(`
+@@ -562,3 +610,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -8699,7 +8700,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..c47a578 100644
+index cf04cb5..4182845 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8836,7 +8837,7 @@ index cf04cb5..c47a578 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,314 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,318 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -8933,6 +8934,10 @@ index cf04cb5..c47a578 100644
+')
+
+optional_policy(`
++ cvs_filetrans_home_content(named_filetrans_domain)
++')
++
++optional_policy(`
+ devicekit_filetrans_named_content(named_filetrans_domain)
+')
+
@@ -9152,7 +9157,7 @@ index cf04cb5..c47a578 100644
+ ')
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..bd5b58c 100644
+index b876c48..27f60c6 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9353,7 +9358,7 @@ index b876c48..bd5b58c 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
-@@ -237,11 +245,24 @@ ifndef(`distro_redhat',`
+@@ -237,11 +245,25 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -9371,7 +9376,8 @@ index b876c48..bd5b58c 100644
+/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
-+/var/lib/servicelog/servicelog.db -- gen_context(system_u:object_r:system_db_t,s0)
++/var/lib/servicelog/servicelog\.db -- gen_context(system_u:object_r:system_db_t,s0)
++/var/lib/servicelog/servicelog\.db-journal -- gen_context(system_u:object_r:system_db_t,s0)
+
+/var/lock -d gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
@@ -9379,7 +9385,7 @@ index b876c48..bd5b58c 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
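Review bot: Labeling `servicelog.db-journal` as system_db_t fixes the rollback journal, but the `-journal` suffix suggests an SQLite database, and if servicelog ever opens it in WAL mode the sibling `servicelog.db-wal` and `servicelog.db-shm` files would be created with the directory's label and hit the same denial. Confirm which journaling mode servicelog uses; if WAL is possible, one pattern covers every sibling: `/var/lib/servicelog/servicelog\.db(-journal|-wal|-shm)? -- gen_context(system_u:object_r:system_db_t,s0)`. Escaping the `.` in the first pattern is the right call — the old unescaped form matched any character in that position.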
-@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +278,14 @@ ifndef(`distro_redhat',`
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
@@ -9394,14 +9400,14 @@ index b876c48..bd5b58c 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -271,3 +294,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +295,5 @@ ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..70fb827 100644
+index f962f76..35cd90c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -12032,7 +12038,7 @@ index f962f76..70fb827 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6519,64 +7762,749 @@ interface(`files_spool_filetrans',`
+@@ -6519,64 +7762,767 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
@@ -12639,6 +12645,24 @@ index f962f76..70fb827 100644
+
+########################################
+## <summary>
++## Allow domain to delete to all dirs
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_delete_all_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
++')
++
++########################################
++## <summary>
+## Transition named content in the var_run_t directory
+## </summary>
+## <param name="domain">
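Review bot: The documentation on the new `files_delete_all_non_security_dirs` interface contradicts its rule: the parameter summary reads `Domain to not audit.` although the body is an `allow`, not a `dontaudit`, and `Allow domain to delete to all dirs` is both ungrammatical and understates the scope, since `non_security_file_type` spans nearly every directory type on the system. Change the two summaries to `## Delete all non-security directories.` and `## Domain allowed access.`. Because `{ del_entry_dir_perms delete_dir_perms }` on that attribute (remove_name plus rmdir, per the refpolicy perm sets) is the directory-side half of deleting almost any file, add a caution under the summary, e.g. `## Grants rmdir/remove_name on nearly every directory; reserve for backup or sync tools.` — the changelog's rsync_t entry suggests that is the intended consumer, but the caller lives in the contrib patch, not this hunk.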
@@ -21068,10 +21092,10 @@ index fe0c682..c0413e8 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..f2db99e 100644
+index cc877c7..07f129b 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
-@@ -6,43 +6,64 @@ policy_module(ssh, 2.4.2)
+@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2)
#
## <desc>
@@ -21128,6 +21152,7 @@ index cc877c7..f2db99e 100644
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
+mls_trusted_object(sshd_t)
++mls_process_write_all_levels(sshd_t)
+
+type sshd_initrc_exec_t;
+init_script_file(sshd_initrc_exec_t)
@@ -21150,7 +21175,7 @@ index cc877c7..f2db99e 100644
type ssh_t;
type ssh_exec_t;
-@@ -73,9 +94,11 @@ type ssh_home_t;
+@@ -73,9 +95,11 @@ type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
@@ -21164,7 +21189,7 @@ index cc877c7..f2db99e 100644
##############################
#
-@@ -86,6 +109,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -86,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -21172,7 +21197,7 @@ index cc877c7..f2db99e 100644
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
-@@ -93,15 +117,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -93,15 +118,11 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -21189,7 +21214,7 @@ index cc877c7..f2db99e 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -110,33 +130,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -110,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -21237,7 +21262,7 @@ index cc877c7..f2db99e 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
-@@ -157,40 +186,46 @@ files_read_var_files(ssh_t)
+@@ -157,40 +187,46 @@ files_read_var_files(ssh_t)
logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)
@@ -21303,7 +21328,7 @@ index cc877c7..f2db99e 100644
')
optional_policy(`
-@@ -198,6 +233,7 @@ optional_policy(`
+@@ -198,6 +234,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@@ -21311,7 +21336,7 @@ index cc877c7..f2db99e 100644
##############################
#
# ssh_keysign_t local policy
-@@ -209,6 +245,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -209,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
@@ -21319,7 +21344,7 @@ index cc877c7..f2db99e 100644
files_read_etc_files(ssh_keysign_t)
-@@ -226,39 +263,56 @@ optional_policy(`
+@@ -226,39 +264,56 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -21388,7 +21413,7 @@ index cc877c7..f2db99e 100644
')
optional_policy(`
-@@ -266,6 +320,15 @@ optional_policy(`
+@@ -266,6 +321,15 @@ optional_policy(`
')
optional_policy(`
@@ -21404,7 +21429,7 @@ index cc877c7..f2db99e 100644
inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')
-@@ -275,6 +338,18 @@ optional_policy(`
+@@ -275,6 +339,18 @@ optional_policy(`
')
optional_policy(`
@@ -21423,7 +21448,7 @@ index cc877c7..f2db99e 100644
oddjob_domtrans_mkhomedir(sshd_t)
')
-@@ -289,13 +364,93 @@ optional_policy(`
+@@ -289,13 +365,93 @@ optional_policy(`
')
optional_policy(`
@@ -21517,7 +21542,7 @@ index cc877c7..f2db99e 100644
########################################
#
# ssh_keygen local policy
-@@ -304,19 +459,29 @@ optional_policy(`
+@@ -304,19 +460,29 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -21548,7 +21573,7 @@ index cc877c7..f2db99e 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -333,6 +498,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -333,6 +499,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -21561,7 +21586,7 @@ index cc877c7..f2db99e 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +512,140 @@ optional_policy(`
+@@ -341,3 +513,140 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -25994,7 +26019,7 @@ index 3efd5b6..08c3e93 100644
+ allow $1 login_pgm:process sigchld;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..7345117 100644
+index 09b791d..4f331be 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -26191,7 +26216,7 @@ index 09b791d..7345117 100644
miscfiles_read_generic_certs(pam_console_t)
seutil_read_file_contexts(pam_console_t)
-@@ -341,6 +362,10 @@ kernel_read_system_state(updpwd_t)
+@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t)
dev_read_urand(updpwd_t)
files_manage_etc_files(updpwd_t)
@@ -26199,10 +26224,11 @@ index 09b791d..7345117 100644
+
+mls_file_read_all_levels(updpwd_t)
+mls_file_write_all_levels(updpwd_t)
++mls_file_downgrade(updpwd_t)
term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)
-@@ -350,9 +375,7 @@ auth_use_nsswitch(updpwd_t)
+@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t)
logging_send_syslog_msg(updpwd_t)
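Review bot: `mls_file_downgrade(updpwd_t)` lets the unix_update helper relabel files to a lower MLS level, on top of the read-all-levels and write-all-levels grants immediately above it, and the hunk carries no comment on why a password-update helper must downgrade. The likely reason is that the file it rewrites under /etc (see `files_manage_etc_files(updpwd_t)` above) inherits the calling session's level and has to be returned to the system-low level the rest of the system expects — confirm against the AVC, then document it: `# unix_update may run at a user's level; the rewritten file must come back down to s0 (mlsfiledowngrade)`. Keeping the three mls_* calls grouped, as they are here, is good; the comment is what is missing.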
@@ -26213,7 +26239,7 @@ index 09b791d..7345117 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -380,13 +403,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t)
term_dontaudit_use_all_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)
@@ -26230,7 +26256,7 @@ index 09b791d..7345117 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -397,19 +422,29 @@ ifdef(`distro_ubuntu',`
+@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -26264,7 +26290,7 @@ index 09b791d..7345117 100644
files_list_var_lib(nsswitch_domain)
# read /etc/nsswitch.conf
-@@ -417,15 +452,21 @@ files_read_etc_files(nsswitch_domain)
+@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain)
sysnet_dns_name_resolve(nsswitch_domain)
@@ -26288,7 +26314,7 @@ index 09b791d..7345117 100644
ldap_stream_connect(nsswitch_domain)
')
')
-@@ -438,6 +479,7 @@ optional_policy(`
+@@ -438,6 +480,7 @@ optional_policy(`
likewise_stream_connect_lsassd(nsswitch_domain)
')
@@ -26296,7 +26322,7 @@ index 09b791d..7345117 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
-@@ -456,6 +498,8 @@ optional_policy(`
+@@ -456,6 +499,8 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
@@ -26305,7 +26331,7 @@ index 09b791d..7345117 100644
')
optional_policy(`
-@@ -463,3 +507,134 @@ optional_policy(`
+@@ -463,3 +508,134 @@ optional_policy(`
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
@@ -28404,7 +28430,7 @@ index 79a45f6..edf52ea 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..3ac9985 100644
+index 17eda24..7acba2b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -28648,11 +28674,12 @@ index 17eda24..3ac9985 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +284,209 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +284,210 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
+ fs_manage_tmpfs_files(init_t)
++ fs_manage_tmpfs_symlinks(init_t)
+ fs_manage_tmpfs_sockets(init_t)
+ fs_exec_tmpfs_files(init_t)
fs_read_tmpfs_symlinks(init_t)
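Review bot: With `fs_manage_tmpfs_symlinks(init_t)` added, the `fs_read_tmpfs_symlinks(init_t)` context line three lines below becomes redundant, because the manage symlink perm set already includes read; the inner patch should drop that line (`-fs_read_tmpfs_symlinks(init_t)`) so the distro_redhat block does not carry two overlapping grants. Manage on tmpfs symlinks also lets init_t create and remove arbitrary symlinks on every tmpfs mount, so a one-line reason would help the next reader, e.g. `# systemd creates and replaces symlinks under /run and other tmpfs mounts`. The distro_redhat block continues past the end of this hunk.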
@@ -28866,7 +28893,7 @@ index 17eda24..3ac9985 100644
')
optional_policy(`
-@@ -216,7 +494,30 @@ optional_policy(`
+@@ -216,7 +495,30 @@ optional_policy(`
')
optional_policy(`
@@ -28897,7 +28924,7 @@ index 17eda24..3ac9985 100644
')
########################################
-@@ -225,9 +526,9 @@ optional_policy(`
+@@ -225,9 +527,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28909,7 +28936,7 @@ index 17eda24..3ac9985 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +559,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +560,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28926,7 +28953,7 @@ index 17eda24..3ac9985 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +584,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28969,7 +28996,7 @@ index 17eda24..3ac9985 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +621,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -28981,7 +29008,7 @@ index 17eda24..3ac9985 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +633,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +634,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -28992,7 +29019,7 @@ index 17eda24..3ac9985 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +644,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +645,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -29002,7 +29029,7 @@ index 17eda24..3ac9985 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +653,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +654,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -29010,7 +29037,7 @@ index 17eda24..3ac9985 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +660,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -29018,7 +29045,7 @@ index 17eda24..3ac9985 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +668,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +669,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29036,7 +29063,7 @@ index 17eda24..3ac9985 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +686,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +687,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29050,7 +29077,7 @@ index 17eda24..3ac9985 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +701,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +702,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29064,7 +29091,7 @@ index 17eda24..3ac9985 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,6 +714,7 @@ mls_process_read_up(initrc_t)
+@@ -387,6 +715,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -29072,7 +29099,7 @@ index 17eda24..3ac9985 100644
selinux_get_enforce_mode(initrc_t)
-@@ -398,6 +726,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +727,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -29080,7 +29107,7 @@ index 17eda24..3ac9985 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +745,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +746,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -29104,7 +29131,7 @@ index 17eda24..3ac9985 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +778,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +779,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -29112,7 +29139,7 @@ index 17eda24..3ac9985 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +812,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +813,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -29123,7 +29150,7 @@ index 17eda24..3ac9985 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +836,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +837,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29132,7 +29159,7 @@ index 17eda24..3ac9985 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +851,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +852,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -29140,7 +29167,7 @@ index 17eda24..3ac9985 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +872,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +873,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -29148,7 +29175,7 @@ index 17eda24..3ac9985 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +882,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +883,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -29193,7 +29220,7 @@ index 17eda24..3ac9985 100644
')
optional_policy(`
-@@ -559,14 +927,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +928,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -29225,7 +29252,7 @@ index 17eda24..3ac9985 100644
')
')
-@@ -577,6 +962,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +963,39 @@ ifdef(`distro_suse',`
')
')
@@ -29265,7 +29292,7 @@ index 17eda24..3ac9985 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1007,8 @@ optional_policy(`
+@@ -589,6 +1008,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29274,7 +29301,7 @@ index 17eda24..3ac9985 100644
')
optional_policy(`
-@@ -610,6 +1030,7 @@ optional_policy(`
+@@ -610,6 +1031,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -29282,7 +29309,7 @@ index 17eda24..3ac9985 100644
')
optional_policy(`
-@@ -626,6 +1047,17 @@ optional_policy(`
+@@ -626,6 +1048,17 @@ optional_policy(`
')
optional_policy(`
@@ -29300,7 +29327,7 @@ index 17eda24..3ac9985 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1074,13 @@ optional_policy(`
+@@ -642,9 +1075,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29314,7 +29341,7 @@ index 17eda24..3ac9985 100644
')
optional_policy(`
-@@ -657,15 +1093,11 @@ optional_policy(`
+@@ -657,15 +1094,11 @@ optional_policy(`
')
optional_policy(`
@@ -29332,7 +29359,7 @@ index 17eda24..3ac9985 100644
')
optional_policy(`
-@@ -686,6 +1118,15 @@ optional_policy(`
+@@ -686,6 +1119,15 @@ optional_policy(`
')
optional_policy(`
@@ -29348,7 +29375,7 @@ index 17eda24..3ac9985 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1167,7 @@ optional_policy(`
+@@ -726,6 +1168,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -29356,7 +29383,7 @@ index 17eda24..3ac9985 100644
')
optional_policy(`
-@@ -743,7 +1185,13 @@ optional_policy(`
+@@ -743,7 +1186,13 @@ optional_policy(`
')
optional_policy(`
@@ -29371,7 +29398,7 @@ index 17eda24..3ac9985 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1214,10 @@ optional_policy(`
+@@ -766,6 +1215,10 @@ optional_policy(`
')
optional_policy(`
@@ -29382,7 +29409,7 @@ index 17eda24..3ac9985 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1227,20 @@ optional_policy(`
+@@ -775,10 +1228,20 @@ optional_policy(`
')
optional_policy(`
@@ -29403,7 +29430,7 @@ index 17eda24..3ac9985 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1249,10 @@ optional_policy(`
+@@ -787,6 +1250,10 @@ optional_policy(`
')
optional_policy(`
@@ -29414,7 +29441,7 @@ index 17eda24..3ac9985 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1274,6 @@ optional_policy(`
+@@ -808,8 +1275,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29423,7 +29450,7 @@ index 17eda24..3ac9985 100644
')
optional_policy(`
-@@ -818,6 +1282,10 @@ optional_policy(`
+@@ -818,6 +1283,10 @@ optional_policy(`
')
optional_policy(`
@@ -29434,7 +29461,7 @@ index 17eda24..3ac9985 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1295,12 @@ optional_policy(`
+@@ -827,10 +1296,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -29447,7 +29474,7 @@ index 17eda24..3ac9985 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,12 +1327,35 @@ optional_policy(`
+@@ -857,12 +1328,35 @@ optional_policy(`
')
optional_policy(`
@@ -29484,7 +29511,7 @@ index 17eda24..3ac9985 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -872,6 +1365,18 @@ optional_policy(`
+@@ -872,6 +1366,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29503,7 +29530,7 @@ index 17eda24..3ac9985 100644
')
optional_policy(`
-@@ -887,6 +1392,10 @@ optional_policy(`
+@@ -887,6 +1393,10 @@ optional_policy(`
')
optional_policy(`
@@ -29514,7 +29541,7 @@ index 17eda24..3ac9985 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1406,218 @@ optional_policy(`
+@@ -897,3 +1407,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -33153,7 +33180,7 @@ index 9933677..ca14c17 100644
+
+/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974..6375786 100644
+index 7449974..28cb8a3 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -12,7 +12,7 @@
@@ -33210,7 +33237,32 @@ index 7449974..6375786 100644
## Read the configuration options used when
## loading modules.
## </summary>
-@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',`
+@@ -208,6 +246,24 @@ interface(`modutils_exec_insmod',`
+ can_exec($1, insmod_exec_t)
+ ')
+
++#######################################
++## <summary>
++## Don't audit execute insmod in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`modutils_dontaudit_exec_insmod',`
++ gen_require(`
++ type insmod_exec_t;
++ ')
++
++ dontaudit $1 insmod_exec_t:file exec_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute depmod in the depmod domain.
+@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',`
#
interface(`modutils_run_update_mods',`
gen_require(`
@@ -33231,7 +33283,7 @@ index 7449974..6375786 100644
')
########################################
-@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',`
corecmd_search_bin($1)
can_exec($1, update_modules_exec_t)
')
@@ -35968,7 +36020,7 @@ index 40edc18..7cc0c8a 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..7bb31c4 100644
+index 2cea692..b324c5c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -36002,6 +36054,15 @@ index 2cea692..7bb31c4 100644
')
########################################
+@@ -231,7 +250,7 @@ interface(`sysnet_rw_dhcp_config',`
+ ')
+
+ files_search_etc($1)
+- allow $1 dhcp_etc_t:file rw_file_perms;
++ rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
+ ')
+
+ ########################################
@@ -269,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',`
type dhcpc_state_t;
')
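Review bot: Replacing `allow $1 dhcp_etc_t:file rw_file_perms;` with `rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t)` in `sysnet_rw_dhcp_config` is a small widening rather than a pure rewrite: the pattern macro also grants `search_dir_perms` on directories labelled `dhcp_etc_t`, which the old rule did not. That is presumably intended, since the caller has to traverse the directory to reach the file, but the interface summary (above this hunk) still only describes reading and writing the configuration. A one-line note next to the call, `# rw_files_pattern also grants search on dhcp_etc_t directories`, would keep the extra grant explicit. The enclosing `sysnet_rw_dhcp_config` interface starts outside the hunk.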
@@ -36757,10 +36818,10 @@ index 0000000..e9f1096
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..35b4178
+index 0000000..1d9bdfd
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1400 @@
+@@ -0,0 +1,1419 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@@ -38039,6 +38100,25 @@ index 0000000..35b4178
+ allow $1 power_unit_file_t:service start;
+')
+
++########################################
++## <summary>
++## Status power unit files domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`systemd_status_power_services',`
++ gen_require(`
++ type power_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 power_unit_file_t:service status;
++')
++
+#######################################
+## <summary>
+## Start power unit files domain.
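Review bot: The `<param name="domain">` summary of the new `systemd_status_power_services` interface says `Domain allowed to transition.`, but the body does not set up a domain transition — it calls `systemd_exec_systemctl($1)` (by its name, an exec in the caller domain) and allows `power_unit_file_t:service status`. The parameter text should be `Domain allowed access.`, and the summary `Status power unit files domain.` reads better as `Get the status of power unit files.`. Both are comment-only changes to the block added above `#######################################`.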
@@ -38163,10 +38243,10 @@ index 0000000..35b4178
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..c31945a
+index 0000000..2109915
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,652 @@
+@@ -0,0 +1,653 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -38466,6 +38546,7 @@ index 0000000..c31945a
+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
+files_delete_boot_flag(systemd_tmpfiles_t)
++files_delete_all_non_security_dirs(systemd_tmpfiles_t)
+files_delete_all_non_security_files(systemd_tmpfiles_t)
+files_delete_all_pid_sockets(systemd_tmpfiles_t)
+files_delete_all_pid_pipes(systemd_tmpfiles_t)
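Review bot: `files_delete_all_non_security_dirs(systemd_tmpfiles_t)` lets systemd-tmpfiles remove any directory that is not a security-relevant type, anywhere in the filesystem; unlike the tmp-, pid-socket and pid-pipe rules around it, it is not confined to a particular tree. That is plausibly what age-based or removal entries in tmpfiles.d need, but as the broadest rule in this block it deserves a why-comment naming the trigger, e.g. `# tmpfiles.d entries may remove arbitrary directory trees, not only under /tmp`. If the denial that motivated it concerns one specific tree, a narrower interface for that type would be preferable to the all-dirs grant.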
@@ -38778,7 +38859,7 @@ index 0000000..c31945a
+#
+# systemd_sysctl domains local policy
+#
-+allow systemd_sysctl_t self:capability net_admin;
++allow systemd_sysctl_t self:capability { sys_admin net_admin };
+allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
+
+kernel_dgram_send(systemd_sysctl_t)
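Review bot: Adding `sys_admin` to `systemd_sysctl_t`'s self capability set (`allow systemd_sysctl_t self:capability { sys_admin net_admin };`) is a large grant for a domain whose job is to apply sysctl.d settings, because CAP_SYS_ADMIN is the catch-all capability. The rule should record which sysctl write requires it so the grant can be revisited, e.g. `# sys_admin: required to write <sysctl name — PLACEHOLDER>, see the audit denial`. If the particular write is not actually needed on these systems, a `dontaudit` for `sys_admin` would silence the denial without granting the capability.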
@@ -39117,7 +39198,7 @@ index 9a1650d..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..ef4c635 100644
+index 39f185f..d3c9fcc 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -39314,7 +39395,7 @@ index 39f185f..ef4c635 100644
')
optional_policy(`
-@@ -249,17 +270,27 @@ optional_policy(`
+@@ -249,17 +270,31 @@ optional_policy(`
dbus_use_system_bus_fds(udev_t)
optional_policy(`
@@ -39336,6 +39417,10 @@ index 39f185f..ef4c635 100644
+
+optional_policy(`
+ gpsd_domtrans(udev_t)
++')
++
++optional_policy(`
++ kdump_systemctl(udev_t)
')
optional_policy(`
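Review bot: `kdump_systemctl(udev_t)` allows udev to drive systemctl against the kdump service unit, which is unusual enough for a device manager that the new `optional_policy` block should say what triggers it, e.g. `# kdump ships udev rules that restart its service on memory/cpu hotplug` if that is the reason. Without the comment a later reader cannot tell whether the rule belongs to udev's own policy or to a kdump packaging choice, and the grant is broader than a single unit restart implies.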
@@ -39344,7 +39429,7 @@ index 39f185f..ef4c635 100644
')
optional_policy(`
-@@ -289,6 +320,10 @@ optional_policy(`
+@@ -289,6 +324,10 @@ optional_policy(`
')
optional_policy(`
@@ -39355,7 +39440,7 @@ index 39f185f..ef4c635 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -303,6 +338,15 @@ optional_policy(`
+@@ -303,6 +342,15 @@ optional_policy(`
')
optional_policy(`
@@ -39371,7 +39456,7 @@ index 39f185f..ef4c635 100644
unconfined_signal(udev_t)
')
-@@ -315,6 +359,7 @@ optional_policy(`
+@@ -315,6 +363,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
@@ -44699,7 +44784,7 @@ index 9dc60c6..daee32c 100644
+')
+
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..cf1296e 100644
+index f4ac38d..99c8197 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@@ -44788,7 +44873,7 @@ index f4ac38d..cf1296e 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +83,366 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,370 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -44968,6 +45053,10 @@ index f4ac38d..cf1296e 100644
+')
+
+optional_policy(`
++ cvs_filetrans_home_content(userdom_filetrans_domain)
++')
++
++optional_policy(`
+ gnome_filetrans_home_content(userdom_filetrans_type)
+')
+
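Review bot: The new `cvs_filetrans_home_content(userdom_filetrans_domain)` call uses a different attribute name than the adjacent `gnome_filetrans_home_content(userdom_filetrans_type)`. If both are meant to apply to the same set of domains, `userdom_filetrans_domain` looks like a typo for `userdom_filetrans_type`; if the name is not declared anywhere, the policy will fail to compile rather than silently misbehave. The attribute declarations are outside this hunk, so please verify against the top of userdomain.te.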
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index f70931c..6e8596f 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2959,10 +2959,10 @@ index 0000000..8ba9c95
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 7caefc3..082e31e 100644
+index 7caefc3..ad4ec67 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,162 +1,194 @@
+@@ -1,162 +1,195 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3275,6 +3275,7 @@ index 7caefc3..082e31e 100644
+/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
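Review bot: The new entry `/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` labels every directory named `uploads` at any depth under /var/www/html as httpd-writable content, for every application deployed there. The existing `wp-content` entry already covers WordPress's uploads tree, so this line is a generic, application-agnostic widening of the writable surface, and any application that keeps scripts in a directory of that name ends up with httpd-writable code. If it targets a specific application, a comment naming it, e.g. `# <application — PLACEHOLDER> stores user uploads here`, and a path anchored to that application's directory would keep the grant narrow.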
@@ -3297,7 +3298,7 @@ index 7caefc3..082e31e 100644
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
diff --git a/apache.if b/apache.if
-index f6eb485..fac6fe5 100644
+index f6eb485..51b128e 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -3313,16 +3314,14 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="prefix">
## <summary>
-@@ -13,118 +13,101 @@
+@@ -13,118 +13,125 @@
#
template(`apache_content_template',`
gen_require(`
- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
-- type httpd_t, httpd_suexec_t;
+ attribute httpd_exec_scripts, httpd_script_exec_type;
-+ type httpd_t, httpd_suexec_t, httpd_log_t;
-+ type httpd_sys_content_t;
+ type httpd_t, httpd_suexec_t;
+ attribute httpd_script_type, httpd_content_type;
')
@@ -3342,75 +3341,48 @@ index f6eb485..fac6fe5 100644
- gen_tunable(allow_httpd_$1_script_anon_write, false)
-
- type httpd_$1_content_t, httpdcontent; # customizable
-+ #This type is for webpages
-+ type httpd_$1_content_t; # customizable;
-+ typeattribute httpd_$1_content_t httpd_content_type;
- typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
- files_type(httpd_$1_content_t)
-
+- typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+- files_type(httpd_$1_content_t)
+-
- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
-+ # This type is used for .htaccess files
-+ type httpd_$1_htaccess_t, httpd_content_type; # customizable;
-+ typeattribute httpd_$1_htaccess_t httpd_content_type;
- files_type(httpd_$1_htaccess_t)
-
+- files_type(httpd_$1_htaccess_t)
+-
- type httpd_$1_script_t, httpd_script_domains;
-+ # Type that CGI scripts run as
-+ type httpd_$1_script_t, httpd_script_type;
- domain_type(httpd_$1_script_t)
- role system_r types httpd_$1_script_t;
-
-+ kernel_read_system_state(httpd_$1_script_t)
-+
-+ # This type is used for executable scripts files
- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+- domain_type(httpd_$1_script_t)
+- role system_r types httpd_$1_script_t;
+-
+- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
- corecmd_shell_entry_type(httpd_$1_script_t)
-+ typeattribute httpd_$1_script_exec_t httpd_content_type;
- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
-
+- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
+-
- type httpd_$1_rw_content_t, httpdcontent; # customizable
-+ type httpd_$1_rw_content_t; # customizable
-+ typeattribute httpd_$1_rw_content_t httpd_content_type;
- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
- files_type(httpd_$1_rw_content_t)
-
+- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+- files_type(httpd_$1_rw_content_t)
+-
- type httpd_$1_ra_content_t, httpdcontent; # customizable
-+ type httpd_$1_ra_content_t, httpd_content_type; # customizable
-+ typeattribute httpd_$1_ra_content_t httpd_content_type;
- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
- files_type(httpd_$1_ra_content_t)
-
+- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+- files_type(httpd_$1_ra_content_t)
+-
- ########################################
- #
- # Policy
- #
-+ # Allow the script process to search the cgi directory, and users directory
-+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
-
- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
-
+-
+- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+-
- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
-+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
-+ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-+ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-+ create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-
+-
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
-+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
-+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
-+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
-
- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+-
+- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
-
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
@@ -3420,39 +3392,98 @@ index f6eb485..fac6fe5 100644
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
-
+-
++ #This type is for webpages
++ type $1_content_t; # customizable;
++ typeattribute $1_content_t httpd_content_type;
++ typealias $1_content_t alias httpd_$1_script_ro_t;
++ files_type($1_content_t)
++
++ # This type is used for .htaccess files
++ type $1_htaccess_t, httpd_content_type; # customizable;
++ typeattribute $1_htaccess_t httpd_content_type;
++ files_type($1_htaccess_t)
++
++ # Type that CGI scripts run as
++ type $1_script_t, httpd_script_type;
++ domain_type($1_script_t)
++ role system_r types $1_script_t;
++
++ kernel_read_system_state($1_script_t)
++
++ # This type is used for executable scripts files
++ type $1_script_exec_t, httpd_script_exec_type; # customizable;
++ typeattribute $1_script_exec_t httpd_content_type;
++ domain_entry_file($1_script_t, $1_script_exec_t)
++
++ type $1_rw_content_t; # customizable
++ typeattribute $1_rw_content_t httpd_content_type;
++ typealias $1_rw_content_t alias { $1_script_rw_t };
++ files_type($1_rw_content_t)
++
++ type $1_ra_content_t, httpd_content_type; # customizable
++ typeattribute $1_ra_content_t httpd_content_type;
++ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
++ files_type($1_ra_content_t)
++
++ # Allow the script process to search the cgi directory, and users directory
++ allow $1_script_t $1_content_t:dir search_dir_perms;
++
++ can_exec($1_script_t, $1_script_exec_t)
++ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
++
++ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
++ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++
++ allow $1_script_t $1_content_t:dir list_dir_perms;
++ read_files_pattern($1_script_t, $1_content_t, $1_content_t)
++ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
++
++ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++
+ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-+ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
++ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
- ')
-+ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
-+ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-+ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-+ create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-+ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
++ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
- can_exec(httpd_t, httpd_$1_rw_content_t)
')
tunable_policy(`httpd_enable_cgi',`
- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
- ')
++ allow $1_script_t $1_script_exec_t:file entrypoint;
- tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
- ')
-+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
++ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
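Review bot: The rewritten `apache_content_template` body declares `type $1_htaccess_t, httpd_content_type;` and then repeats `typeattribute $1_htaccess_t httpd_content_type;`, and does the same for `$1_ra_content_t`, while `$1_content_t`, `$1_script_exec_t` and `$1_rw_content_t` get the attribute only through `typeattribute`; the duplicated lines are no-ops and one form should be used consistently. The alias sets are also asymmetric: `typealias $1_rw_content_t alias { $1_script_rw_t };` drops the `content_rw` alias the old template carried, whereas `$1_ra_content_t` keeps both `$1_script_ra_t $1_content_ra_t`. If dropping it is intended, verify that no file-context entry or local module still references the `content_rw` name. The template begins outside this hunk.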
@@ -3460,26 +3491,51 @@ index f6eb485..fac6fe5 100644
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
- ')
+ # privileged users run the script:
-+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
-+
-+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
++ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
++
+ # apache runs the script:
-+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-+ allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
++ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
++ allow httpd_t $1_script_t:unix_dgram_socket sendto;
')
')
########################################
## <summary>
-## Role access for apache.
++## Create a set of derived types for apache
++## web content.
++## </summary>
++## <param name="prefix">
++## <summary>
++## The prefix to be used for deriving new type names.
++## </summary>
++## </param>
++## <param name="oldprefix">
++## <summary>
++## The prefix to be used for deriving old type names.
++## </summary>
++## </param>
++#
++template(`apache_content_alias_template',`
++ typealias $1_htaccess_t alias httpd_$2_htaccess_t;
++ typealias $1_script_t alias httpd_$2_script_t;
++ typealias $1_script_exec_t alias httpd_$2_script_exec_t;
++ typealias $1_content_t alias httpd_$2_content_t;
++ typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
++ typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
++')
++
++########################################
++## <summary>
+## Role access for apache
## </summary>
## <param name="role">
## <summary>
-@@ -133,47 +116,61 @@ template(`apache_content_template',`
+@@ -133,47 +140,61 @@ template(`apache_content_template',`
## </param>
## <param name="domain">
## <summary>
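Review bot: In the new `apache_content_alias_template`, four aliases follow the `httpd_$2_<suffix>` form of the old type names, but `typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;` and `typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;` insert a `script_` infix that matches neither the old primary names (`httpd_$1_rw_content_t`, `httpd_$1_ra_content_t`) nor the old `httpd_$1_script_rw_t` / `httpd_$1_script_ra_t` aliases. Whether that is a compatibility gap depends on how callers pass `$1` and `$2`, which are outside this hunk, so please verify; if the infix is deliberate, the template summary should say which legacy names it is providing. The `<param>` text is otherwise fine.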
@@ -3570,7 +3626,7 @@ index f6eb485..fac6fe5 100644
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
')
-@@ -184,7 +181,7 @@ interface(`apache_role',`
+@@ -184,7 +205,7 @@ interface(`apache_role',`
########################################
## <summary>
@@ -3579,7 +3635,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',`
+@@ -204,7 +225,7 @@ interface(`apache_read_user_scripts',`
########################################
## <summary>
@@ -3588,7 +3644,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -224,7 +221,7 @@ interface(`apache_read_user_content',`
+@@ -224,7 +245,7 @@ interface(`apache_read_user_content',`
########################################
## <summary>
@@ -3597,7 +3653,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -241,27 +238,47 @@ interface(`apache_domtrans',`
+@@ -241,27 +262,47 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -3652,7 +3708,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -279,7 +296,7 @@ interface(`apache_signal',`
+@@ -279,7 +320,7 @@ interface(`apache_signal',`
########################################
## <summary>
@@ -3661,7 +3717,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -297,7 +314,7 @@ interface(`apache_signull',`
+@@ -297,7 +338,7 @@ interface(`apache_signull',`
########################################
## <summary>
@@ -3670,7 +3726,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -315,8 +332,7 @@ interface(`apache_sigchld',`
+@@ -315,8 +356,7 @@ interface(`apache_sigchld',`
########################################
## <summary>
@@ -3680,7 +3736,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -334,8 +350,8 @@ interface(`apache_use_fds',`
+@@ -334,8 +374,8 @@ interface(`apache_use_fds',`
########################################
## <summary>
@@ -3691,7 +3747,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -348,13 +388,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
@@ -3708,7 +3764,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
+@@ -372,8 +412,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
########################################
## <summary>
@@ -3719,7 +3775,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
+@@ -391,8 +431,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
## <summary>
@@ -3729,7 +3785,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',`
+@@ -417,7 +456,8 @@ interface(`apache_manage_all_content',`
########################################
## <summary>
@@ -3739,7 +3795,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',`
+@@ -435,7 +475,8 @@ interface(`apache_setattr_cache_dirs',`
########################################
## <summary>
@@ -3749,7 +3805,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -453,7 +470,8 @@ interface(`apache_list_cache',`
+@@ -453,7 +494,8 @@ interface(`apache_list_cache',`
########################################
## <summary>
@@ -3759,7 +3815,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',`
+@@ -471,7 +513,8 @@ interface(`apache_rw_cache_files',`
########################################
## <summary>
@@ -3769,7 +3825,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',`
+@@ -489,7 +532,8 @@ interface(`apache_delete_cache_dirs',`
########################################
## <summary>
@@ -3779,7 +3835,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',`
+@@ -507,49 +551,51 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
@@ -3842,7 +3898,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -570,8 +592,8 @@ interface(`apache_manage_config',`
+@@ -570,8 +616,8 @@ interface(`apache_manage_config',`
########################################
## <summary>
@@ -3853,7 +3909,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',`
+@@ -608,16 +654,38 @@ interface(`apache_domtrans_helper',`
#
interface(`apache_run_helper',`
gen_require(`
@@ -3895,7 +3951,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -639,7 +683,8 @@ interface(`apache_read_log',`
+@@ -639,7 +707,8 @@ interface(`apache_read_log',`
########################################
## <summary>
@@ -3905,7 +3961,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -657,10 +702,29 @@ interface(`apache_append_log',`
+@@ -657,10 +726,29 @@ interface(`apache_append_log',`
append_files_pattern($1, httpd_log_t, httpd_log_t)
')
@@ -3937,138 +3993,173 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',`
+@@ -678,8 +766,8 @@ interface(`apache_dontaudit_append_log',`
########################################
## <summary>
-## Create, read, write, and delete
-## httpd log files.
+## Allow the specified domain to manage
-+## to apache log files.
++## to apache var lib files.
## </summary>
## <param name="domain">
## <summary>
-@@ -698,47 +762,49 @@ interface(`apache_manage_log',`
- read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+@@ -687,20 +775,21 @@ interface(`apache_dontaudit_append_log',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`apache_manage_log',`
++interface(`apache_manage_lib',`
+ gen_require(`
+- type httpd_log_t;
++ type httpd_var_lib_t;
+ ')
+
+- logging_search_logs($1)
+- manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+- manage_files_pattern($1, httpd_log_t, httpd_log_t)
+- read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
++ manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
++ read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
')
-#######################################
+########################################
## <summary>
-## Write apache log files.
-+## Do not audit attempts to search Apache
-+## module directories.
++## Allow the specified domain to manage
++## to apache log files.
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain to not audit.
+@@ -708,19 +797,21 @@ interface(`apache_manage_log',`
## </summary>
## </param>
#
-interface(`apache_write_log',`
-+interface(`apache_dontaudit_search_modules',`
++interface(`apache_manage_log',`
gen_require(`
-- type httpd_log_t;
-+ type httpd_modules_t;
+ type httpd_log_t;
')
-- logging_search_logs($1)
+ logging_search_logs($1)
- write_files_pattern($1, httpd_log_t, httpd_log_t)
-+ dontaudit $1 httpd_modules_t:dir search_dir_perms;
++ manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
++ manage_files_pattern($1, httpd_log_t, httpd_log_t)
++ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')
########################################
## <summary>
-## Do not audit attempts to search
-## httpd module directories.
++## Do not audit attempts to search Apache
++## module directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -738,7 +829,8 @@ interface(`apache_dontaudit_search_modules',`
+
+ ########################################
+ ## <summary>
+-## List httpd module directories.
+## Allow the specified domain to read
+## the apache module directories.
## </summary>
## <param name="domain">
## <summary>
--## Domain to not audit.
-+## Domain allowed access.
+@@ -746,17 +838,19 @@ interface(`apache_dontaudit_search_modules',`
## </summary>
## </param>
#
--interface(`apache_dontaudit_search_modules',`
+-interface(`apache_list_modules',`
+interface(`apache_read_modules',`
gen_require(`
type httpd_modules_t;
')
-- dontaudit $1 httpd_modules_t:dir search_dir_perms;
+- allow $1 httpd_modules_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
## <summary>
--## List httpd module directories.
+-## Execute httpd module files.
+## Allow the specified domain to list
+## the contents of the apache modules
+## directory.
## </summary>
## <param name="domain">
## <summary>
-@@ -752,11 +818,13 @@ interface(`apache_list_modules',`
+@@ -764,19 +858,19 @@ interface(`apache_list_modules',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`apache_exec_modules',`
++interface(`apache_list_modules',`
+ gen_require(`
+ type httpd_modules_t;
')
allow $1 httpd_modules_t:dir list_dir_perms;
+- allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+- can_exec($1, httpd_modules_t)
+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
## <summary>
--## Execute httpd module files.
+-## Read httpd module files.
+## Allow the specified domain to execute
+## apache modules.
## </summary>
## <param name="domain">
## <summary>
-@@ -776,46 +844,63 @@ interface(`apache_exec_modules',`
-
- ########################################
- ## <summary>
--## Read httpd module files.
-+## Execute a domain transition to run httpd_rotatelogs.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain allowed to transition.
+@@ -784,19 +878,19 @@ interface(`apache_exec_modules',`
## </summary>
## </param>
#
-interface(`apache_read_module_files',`
-+interface(`apache_domtrans_rotatelogs',`
++interface(`apache_exec_modules',`
gen_require(`
-- type httpd_modules_t;
-+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ type httpd_modules_t;
')
- libs_search_lib($1)
- read_files_pattern($1, httpd_modules_t, httpd_modules_t)
-+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
++ allow $1 httpd_modules_t:dir list_dir_perms;
++ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
++ can_exec($1, httpd_modules_t)
')
--########################################
-+#######################################
+ ########################################
## <summary>
-## Execute a domain transition to
-## run httpd_rotatelogs.
-+## Execute httpd_rotatelogs in the caller domain.
++## Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
--## <summary>
--## Domain allowed to transition.
--## </summary>
+ ## <summary>
+@@ -809,13 +903,50 @@ interface(`apache_domtrans_rotatelogs',`
+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+ ')
+
++#######################################
++## <summary>
++## Execute httpd_rotatelogs in the caller domain.
++## </summary>
++## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
- ## </param>
- #
--interface(`apache_domtrans_rotatelogs',`
++## </param>
++#
+interface(`apache_exec_rotatelogs',`
+ gen_require(`
+ type httpd_rotatelogs_exec_t;
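Review bot: The summaries of the new `apache_manage_lib` and the re-added `apache_manage_log` read `Allow the specified domain to manage to apache var lib files.` / `... to manage to apache log files.`; the second `to` is a slip and should be dropped. The `<param name="domain">` summary of `apache_exec_rotatelogs` says `Domain allowed to transition.`, but the interface only requires `httpd_rotatelogs_exec_t` and, by its name, executes rotatelogs in the caller domain, so `Domain allowed access.` is the accurate wording. The body of `apache_exec_rotatelogs` continues past the end of this hunk.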
@@ -4088,17 +4179,14 @@ index f6eb485..fac6fe5 100644
+## </param>
+#
+interface(`apache_exec_sys_script',`
- gen_require(`
-- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
++ gen_require(`
+ type httpd_sys_script_exec_t;
- ')
-
-- corecmd_search_bin($1)
-- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
++ ')
++
+ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_sys_script_exec_t)
- ')
-
++')
++
########################################
## <summary>
-## List httpd system content directories.
@@ -4107,7 +4195,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',`
+@@ -829,13 +960,14 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -4124,7 +4212,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',`
+@@ -844,6 +976,7 @@ interface(`apache_list_sys_content',`
## </param>
## <rolecap/>
#
@@ -4132,7 +4220,7 @@ index f6eb485..fac6fe5 100644
interface(`apache_manage_sys_content',`
gen_require(`
type httpd_sys_content_t;
-@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',`
+@@ -855,32 +988,98 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -4239,7 +4327,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',`
+@@ -888,10 +1087,17 @@ interface(`apache_manage_sys_rw_content',`
## </summary>
## </param>
#
@@ -4258,7 +4346,7 @@ index f6eb485..fac6fe5 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',`
+@@ -901,9 +1107,8 @@ interface(`apache_domtrans_sys_script',`
########################################
## <summary>
@@ -4270,7 +4358,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -941,7 +1146,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
## <summary>
## Execute all user scripts in the user
@@ -4279,7 +4367,7 @@ index f6eb485..fac6fe5 100644
## to the specified role.
## </summary>
## <param name="domain">
-@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -954,6 +1159,7 @@ interface(`apache_domtrans_all_scripts',`
## Role allowed access.
## </summary>
## </param>
@@ -4287,7 +4375,7 @@ index f6eb485..fac6fe5 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',`
+@@ -966,7 +1172,8 @@ interface(`apache_run_all_scripts',`
########################################
## <summary>
@@ -4297,7 +4385,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',`
+@@ -979,12 +1186,13 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -4313,7 +4401,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',`
+@@ -1002,7 +1210,7 @@ interface(`apache_append_squirrelmail_data',`
########################################
## <summary>
@@ -4322,7 +4410,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',`
+@@ -1015,13 +1223,12 @@ interface(`apache_search_sys_content',`
type httpd_sys_content_t;
')
@@ -4337,7 +4425,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',`
+@@ -1041,7 +1248,7 @@ interface(`apache_read_sys_content',`
########################################
## <summary>
@@ -4346,7 +4434,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',`
+@@ -1059,8 +1266,7 @@ interface(`apache_search_sys_scripts',`
########################################
## <summary>
@@ -4356,7 +4444,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1071,18 +1231,21 @@ interface(`apache_search_sys_scripts',`
+@@ -1071,18 +1277,21 @@ interface(`apache_search_sys_scripts',`
#
interface(`apache_manage_all_user_content',`
gen_require(`
@@ -4384,7 +4472,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1100,7 +1263,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1100,7 +1309,8 @@ interface(`apache_search_sys_script_state',`
########################################
## <summary>
@@ -4394,7 +4482,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1117,10 +1281,29 @@ interface(`apache_read_tmp_files',`
+@@ -1117,10 +1327,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -4426,7 +4514,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1133,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1133,7 +1362,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -4435,7 +4523,7 @@ index f6eb485..fac6fe5 100644
')
########################################
-@@ -1142,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1142,6 +1371,9 @@ interface(`apache_dontaudit_write_tmp_files',`
## </summary>
## <desc>
## <p>
@@ -4445,7 +4533,7 @@ index f6eb485..fac6fe5 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1171,8 +1357,30 @@ interface(`apache_cgi_domain',`
+@@ -1171,8 +1403,30 @@ interface(`apache_cgi_domain',`
########################################
## <summary>
@@ -4478,7 +4566,7 @@ index f6eb485..fac6fe5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1189,18 +1397,19 @@ interface(`apache_cgi_domain',`
+@@ -1189,18 +1443,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@@ -4507,7 +4595,7 @@ index f6eb485..fac6fe5 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1210,10 +1419,10 @@ interface(`apache_admin',`
+@@ -1210,10 +1465,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -4521,7 +4609,7 @@ index f6eb485..fac6fe5 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1433,129 @@ interface(`apache_admin',`
+@@ -1224,9 +1479,141 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -4585,7 +4673,19 @@ index f6eb485..fac6fe5 100644
+
+
+ apache_filetrans_home_content($1)
++ files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
++ files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
+ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
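Review bot: The new name-based transitions carry no comment saying why two of the /etc directories ("horde" and "owncloud") are created as httpd_sys_rw_content_t, i.e. content the web server may write, while "z-push", "web", "WebCalendar" and "htdig" stay read-only httpd_sys_content_t. A one-line comment above the files_etc_filetrans group, along the lines of `# horde and owncloud keep mutable state under /etc, so their directories are created web-writable` (worded for the actual reason), would let the next maintainer keep that split intact instead of "fixing" it to match the others. These rules label a directory only when it is created by a caller of this interface; directories of these names that already exist keep their current label until the matching file-context entries are applied, which is worth stating in the same comment if those entries are not part of this change. The enclosing interface begins before the hunk, so its name and summary are not visible here.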
@@ -4656,7 +4756,7 @@ index f6eb485..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 6649962..0e09bca 100644
+index 6649962..e3e190e 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,317 @@ policy_module(apache, 2.7.2)
@@ -5178,10 +5278,11 @@ index 6649962..0e09bca 100644
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
-+# setup the system domain for system CGI scripts
- apache_content_template(sys)
+-apache_content_template(sys)
-corecmd_shell_entry_type(httpd_sys_script_t)
-typealias httpd_sys_content_t alias ntop_http_content_t;
++# setup the system domain for system CGI scripts
++apache_content_template(httpd_sys)
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
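Review bot: The argument to `apache_content_template` changes from `sys` to `httpd_sys`, which from the apcupsd, awstats and bugzilla hunks on this page appears to mean the template now takes the whole type prefix, so every caller of the template has to change in the same commit. Nothing at this call site records that contract; extending the existing comment to `# setup the system domain for system CGI scripts (the template argument is the full type prefix: httpd_sys -> httpd_sys_script_t, httpd_sys_content_t, ...)` would stop a later caller from passing a short name and silently getting differently named types. The same comment is missing at the `apache_content_template(httpd_user)` call in the next hunk.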
@@ -5196,9 +5297,12 @@ index 6649962..0e09bca 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -326,12 +391,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -324,14 +389,21 @@ files_tmp_file(httpd_tmp_t)
+ type httpd_tmpfs_t;
+ files_tmpfs_file(httpd_tmpfs_t)
- apache_content_template(user)
+-apache_content_template(user)
++apache_content_template(httpd_user)
ubac_constrained(httpd_user_script_t)
+
+typeattribute httpd_user_content_t httpdcontent;
@@ -5715,7 +5819,7 @@ index 6649962..0e09bca 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +813,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,66 +813,56 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5750,16 +5854,27 @@ index 6649962..0e09bca 100644
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
-')
-+optional_policy(`
-+ cobbler_list_config(httpd_t)
-+ cobbler_read_config(httpd_t)
-
+-
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_fusefs_dirs(httpd_t)
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
-')
+-
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_t)
+-')
++optional_policy(`
++ cobbler_list_config(httpd_t)
++ cobbler_read_config(httpd_t)
+
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_nfs_dirs(httpd_t)
+- fs_manage_nfs_files(httpd_t)
+- fs_manage_nfs_symlinks(httpd_t)
+-')
+ tunable_policy(`httpd_serve_cobbler_files',`
+ cobbler_manage_lib_files(httpd_t)
+',`
@@ -5767,27 +5882,22 @@ index 6649962..0e09bca 100644
+ cobbler_search_lib(httpd_t)
+ ')
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_t)
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_t)
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
--tunable_policy(`httpd_use_nfs',`
-- fs_list_auto_mountpoints(httpd_t)
-- fs_manage_nfs_dirs(httpd_t)
-- fs_manage_nfs_files(httpd_t)
-- fs_manage_nfs_symlinks(httpd_t)
-+optional_policy(`
+ optional_policy(`
+- calamaris_read_www_files(httpd_t)
+ tunable_policy(`httpd_use_sasl',`
+ sasl_connect(httpd_t)
+ ')
')
--tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_t)
-+optional_policy(`
+ optional_policy(`
+- ccs_read_config(httpd_t)
+ # Support for ABRT retrace server
+ # mod_wsgi
+ abrt_manage_spool_retrace(httpd_t)
@@ -5796,22 +5906,18 @@ index 6649962..0e09bca 100644
')
optional_policy(`
-@@ -748,14 +865,6 @@ optional_policy(`
- ccs_read_config(httpd_t)
+- clamav_domtrans_clamscan(httpd_t)
++ calamaris_read_www_files(httpd_t)
')
--optional_policy(`
-- clamav_domtrans_clamscan(httpd_t)
--')
--
--optional_policy(`
+ optional_policy(`
- cobbler_read_config(httpd_t)
- cobbler_read_lib_files(httpd_t)
--')
++ ccs_read_config(httpd_t)
+ ')
optional_policy(`
- cron_system_entry(httpd_t, httpd_exec_t)
-@@ -770,6 +879,23 @@ optional_policy(`
+@@ -770,6 +878,23 @@ optional_policy(`
')
optional_policy(`
@@ -5835,7 +5941,7 @@ index 6649962..0e09bca 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -786,35 +912,48 @@ optional_policy(`
+@@ -786,35 +911,53 @@ optional_policy(`
')
optional_policy(`
@@ -5858,6 +5964,11 @@ index 6649962..0e09bca 100644
- ldap_tcp_connect(httpd_t)
- ')
+optional_policy(`
++ mirrormanager_read_lib_files(httpd_t)
++ mirrormanager_read_log(httpd_t)
++')
++
++optional_policy(`
+ jetty_admin(httpd_t)
+')
+
@@ -5897,7 +6008,7 @@ index 6649962..0e09bca 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +961,18 @@ optional_policy(`
+@@ -822,8 +965,18 @@ optional_policy(`
')
optional_policy(`
@@ -5916,7 +6027,7 @@ index 6649962..0e09bca 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +981,7 @@ optional_policy(`
+@@ -832,6 +985,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5924,7 +6035,7 @@ index 6649962..0e09bca 100644
')
optional_policy(`
-@@ -842,20 +992,39 @@ optional_policy(`
+@@ -842,20 +996,39 @@ optional_policy(`
')
optional_policy(`
@@ -5970,7 +6081,7 @@ index 6649962..0e09bca 100644
')
optional_policy(`
-@@ -863,19 +1032,35 @@ optional_policy(`
+@@ -863,19 +1036,35 @@ optional_policy(`
')
optional_policy(`
@@ -6006,7 +6117,7 @@ index 6649962..0e09bca 100644
udev_read_db(httpd_t)
')
-@@ -883,65 +1068,173 @@ optional_policy(`
+@@ -883,65 +1072,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6079,11 +6190,10 @@ index 6649962..0e09bca 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache PHP script local policy
+#
+
@@ -6142,10 +6252,11 @@ index 6649962..0e09bca 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache suexec local policy
#
@@ -6202,7 +6313,7 @@ index 6649962..0e09bca 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1247,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6357,7 +6468,7 @@ index 6649962..0e09bca 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1327,106 @@ optional_policy(`
+@@ -1083,172 +1331,106 @@ optional_policy(`
')
')
@@ -6379,11 +6490,11 @@ index 6649962..0e09bca 100644
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-+allow httpd_sys_script_t self:process getsched;
-
+-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--
++allow httpd_sys_script_t self:process getsched;
+
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -6539,8 +6650,7 @@ index 6649962..0e09bca 100644
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
@@ -6556,7 +6666,8 @@ index 6649962..0e09bca 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6594,7 +6705,7 @@ index 6649962..0e09bca 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1434,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1438,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6691,7 +6802,7 @@ index 6649962..0e09bca 100644
########################################
#
-@@ -1321,8 +1509,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1513,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6708,15 +6819,14 @@ index 6649962..0e09bca 100644
')
########################################
-@@ -1330,49 +1525,38 @@ optional_policy(`
+@@ -1330,49 +1529,38 @@ optional_policy(`
# User content local policy
#
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_user_script_t)
-')
-+auth_use_nsswitch(httpd_user_script_t)
-
+-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_cifs_files(httpd_user_script_t)
@@ -6726,7 +6836,8 @@ index 6649962..0e09bca 100644
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_user_script_t)
-')
--
++auth_use_nsswitch(httpd_user_script_t)
+
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_nfs_files(httpd_user_script_t)
@@ -6773,7 +6884,7 @@ index 6649962..0e09bca 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1566,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1570,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -6791,8 +6902,7 @@ index 6649962..0e09bca 100644
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
-
--allow httpd_gpg_t self:process setrlimit;
++
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
@@ -6826,7 +6936,8 @@ index 6649962..0e09bca 100644
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
-+
+
+-allow httpd_gpg_t self:process setrlimit;
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-allow httpd_gpg_t httpd_t:fd use;
@@ -6842,6 +6953,7 @@ index 6649962..0e09bca 100644
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
++allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
-files_read_usr_files(httpd_gpg_t)
+allow httpd_script_type httpd_t:fd use;
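Review bot: `allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;` grants every domain carrying the httpd_script_type attribute read/write on the web server's stream sockets, but nothing says which scripting setup needs it; the `connectto` rule a few lines earlier in the file covers only the opposite direction (httpd_t connecting to the scripts). A comment above the line, e.g. `# scripts talk back to httpd over the inherited stream socket (PLACEHOLDER: name the module that needs this)`, would record the intent and make it possible to narrow the rule to the one script domain that needs it if the others do not. The surrounding block starts outside the hunk.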
@@ -6894,10 +7006,10 @@ index 6649962..0e09bca 100644
+ corenet_tcp_connect_osapi_compute_port(httpd_t)
')
diff --git a/apcupsd.fc b/apcupsd.fc
-index 5ec0e13..1c37fe1 100644
+index 5ec0e13..274704f 100644
--- a/apcupsd.fc
+++ b/apcupsd.fc
-@@ -1,10 +1,13 @@
+@@ -1,18 +1,21 @@
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
@@ -6911,10 +7023,46 @@ index 5ec0e13..1c37fe1 100644
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+
+ /var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+-/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
diff --git a/apcupsd.if b/apcupsd.if
-index f3c0aba..b6afc90 100644
+index f3c0aba..9c06313 100644
--- a/apcupsd.if
+++ b/apcupsd.if
+@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
+ ########################################
+ ## <summary>
+ ## Execute a domain transition to
+-## run httpd_apcupsd_cgi_script.
++## run apcupsd_cgi_script.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -112,11 +112,11 @@ interface(`apcupsd_append_log',`
+ #
+ interface(`apcupsd_cgi_script_domtrans',`
+ gen_require(`
+- type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
++ type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
+ ')
+
+ files_search_var($1)
+- domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
++ domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
+
+ optional_policy(`
+ apache_search_sys_content($1)
@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',`
########################################
@@ -6993,7 +7141,7 @@ index f3c0aba..b6afc90 100644
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
')
diff --git a/apcupsd.te b/apcupsd.te
-index 080bc4d..b4c43c7 100644
+index 080bc4d..4b86e25 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -7034,7 +7182,7 @@ index 080bc4d..b4c43c7 100644
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +76,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
@@ -7058,20 +7206,59 @@ index 080bc4d..b4c43c7 100644
sysnet_dns_name_resolve(apcupsd_t)
-userdom_use_user_ttys(apcupsd_t)
-+systemd_start_power_services(apcupsd_t)
-+
+userdom_use_inherited_user_ttys(apcupsd_t)
optional_policy(`
hostname_exec(apcupsd_t)
-@@ -112,7 +120,6 @@ optional_policy(`
- allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+@@ -101,6 +107,11 @@ optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+ ')
+
++optional_policy(`
++ systemd_start_power_services(apcupsd_t)
++ systemd_status_power_services(apcupsd_t)
++')
++
+ ########################################
+ #
+ # CGI local policy
+@@ -108,20 +119,20 @@ optional_policy(`
+ optional_policy(`
+ apache_content_template(apcupsd_cgi)
+-
+- allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+- allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+-
- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
- corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
- corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+- corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+- corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+- corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+- corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+- corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+-
+- sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
++ apache_content_alias_template(apcupsd_cgi, apcupsd_cgi)
++
++ allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
++ allow apcupsd_cgi_script_t self:udp_socket create_socket_perms;
++
++ corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t)
++ corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t)
++ corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t)
++ corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t)
++ corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t)
++ corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t)
++ corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t)
++ corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t)
++ corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t)
++
++ sysnet_dns_name_resolve(apcupsd_cgi_script_t)
+ ')
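Review bot: `apache_content_alias_template(apcupsd_cgi, apcupsd_cgi)` is added without a comment, and its two identical arguments give no hint of what is being aliased; from the apcupsd.fc and apcupsd.if hunks above it presumably keeps the old `httpd_apcupsd_cgi_*` type names resolvable for already-built modules and file contexts after the rename to `apcupsd_cgi_*`. A comment such as `# keep the pre-rename httpd_apcupsd_cgi_* type names as aliases` above the call would record that, and the same comment is missing at the `apache_content_alias_template(awstats, awstats)` call in the awstats.te hunk further down. If the alias template does provide those names, a note on when the aliases can be dropped would also help, since the file contexts in this commit already use the new names.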
diff --git a/apm.fc b/apm.fc
index ce27d2f..d20377e 100644
--- a/apm.fc
@@ -7974,11 +8161,43 @@ index b8355b3..844e45b 100644
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
+diff --git a/awstats.fc b/awstats.fc
+index 11e6d5f..73b4ea4 100644
+--- a/awstats.fc
++++ b/awstats.fc
+@@ -1,5 +1,5 @@
+ /usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
+-/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+-/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
++/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:awstats_content_t,s0)
++/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:awstats_script_exec_t,s0)
+
+ /var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --git a/awstats.te b/awstats.te
-index c1b16c3..c222135 100644
+index c1b16c3..ffbf2cb 100644
--- a/awstats.te
+++ b/awstats.te
-@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t)
+@@ -26,6 +26,7 @@ type awstats_var_lib_t;
+ files_type(awstats_var_lib_t)
+
+ apache_content_template(awstats)
++apache_content_alias_template(awstats, awstats)
+
+ ########################################
+ #
+@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+ manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+
+-allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms;
++allow awstats_t { awstats_content_t awstats_script_exec_t }:dir search_dir_perms;
+
+-can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
++can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t })
+
+ kernel_dontaudit_read_system_state(awstats_t)
+
+@@ -52,8 +53,6 @@ corecmd_exec_shell(awstats_t)
dev_read_urand(awstats_t)
files_dontaudit_search_all_mountpoints(awstats_t)
@@ -7987,7 +8206,7 @@ index c1b16c3..c222135 100644
fs_list_inotifyfs(awstats_t)
-@@ -61,8 +59,6 @@ libs_read_lib_files(awstats_t)
+@@ -61,8 +60,6 @@ libs_read_lib_files(awstats_t)
logging_read_generic_logs(awstats_t)
@@ -7996,22 +8215,24 @@ index c1b16c3..c222135 100644
sysnet_dns_name_resolve(awstats_t)
tunable_policy(`awstats_purge_apache_log_files',`
-@@ -90,9 +86,13 @@ optional_policy(`
+@@ -90,9 +87,13 @@ optional_policy(`
# CGI local policy
#
-+apache_read_log(httpd_awstats_script_t)
+-allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
++apache_read_log(awstats_script_t)
+
-+manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
-+manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
-+files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
-+
- allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
++manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file })
+
+-read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+-files_search_var_lib(httpd_awstats_script_t)
++allow awstats_script_t awstats_var_lib_t:dir list_dir_perms;
- read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
- files_search_var_lib(httpd_awstats_script_t)
--
-apache_read_log(httpd_awstats_script_t)
++read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
++files_search_var_lib(awstats_script_t)
diff --git a/backup.te b/backup.te
index 7811450..d8a8bd6 100644
--- a/backup.te
@@ -9459,21 +9680,48 @@ index c5a9113..6ad8ccb 100644
xen_append_log(brctl_t)
xen_dontaudit_rw_unix_stream_sockets(brctl_t)
diff --git a/bugzilla.fc b/bugzilla.fc
-index fce0b6e..fb6e397 100644
+index fce0b6e..9efceac 100644
--- a/bugzilla.fc
+++ b/bugzilla.fc
@@ -1,4 +1,4 @@
-/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
-/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
-+/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
-+/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
++/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_content_t,s0)
++/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:bugzilla_script_exec_t,s0)
- /var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
+-/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
++/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_rw_content_t,s0)
diff --git a/bugzilla.if b/bugzilla.if
-index 1b22262..bf0cefa 100644
+index 1b22262..d9ea246 100644
--- a/bugzilla.if
+++ b/bugzilla.if
-@@ -48,24 +48,26 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+@@ -12,10 +12,10 @@
+ #
+ interface(`bugzilla_search_content',`
+ gen_require(`
+- type httpd_bugzilla_content_t;
++ type bugzilla_content_t;
+ ')
+
+- allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
++ allow $1 bugzilla_content_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',`
+ #
+ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ gen_require(`
+- type httpd_bugzilla_script_t;
++ type bugzilla_script_t;
+ ')
+
+- dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
++ dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
+ ')
+
+ ########################################
+@@ -48,33 +48,37 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
## Domain allowed access.
## </summary>
## </param>
@@ -9486,32 +9734,44 @@ index 1b22262..bf0cefa 100644
#
interface(`bugzilla_admin',`
gen_require(`
- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
- type httpd_bugzilla_htaccess_t;
-+ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
++ type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
++ type bugzilla_rw_content_t, bugzilla_script_exec_t;
++ type bugzilla_htaccess_t, bugzilla_tmp_t;
++ ')
++
++ allow $1 bugzilla_script_t:process signal_perms;
++ ps_process_pattern($1, bugzilla_script_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bugzilla_script_t:process ptrace;
')
- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
-+ allow $1 httpd_bugzilla_script_t:process signal_perms;
- ps_process_pattern($1, httpd_bugzilla_script_t)
+- ps_process_pattern($1, httpd_bugzilla_script_t)
++ files_list_tmp($1)
++ admin_pattern($1, bugzilla_tmp_t)
- files_search_usr($1)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 httpd_bugzilla_script_t:process ptrace;
-+ ')
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, httpd_bugzilla_tmp_t)
-+
-+ files_list_var_lib(httpd_bugzilla_script_t)
-+
- admin_pattern($1, httpd_bugzilla_script_exec_t)
- admin_pattern($1, httpd_bugzilla_script_t)
- admin_pattern($1, httpd_bugzilla_content_t)
-@@ -76,5 +78,7 @@ interface(`bugzilla_admin',`
+- admin_pattern($1, httpd_bugzilla_script_exec_t)
+- admin_pattern($1, httpd_bugzilla_script_t)
+- admin_pattern($1, httpd_bugzilla_content_t)
+- admin_pattern($1, httpd_bugzilla_htaccess_t)
+- admin_pattern($1, httpd_bugzilla_ra_content_t)
++ files_list_var_lib(bugzilla_script_t)
++
++ admin_pattern($1, bugzilla_script_exec_t)
++ admin_pattern($1, bugzilla_script_t)
++ admin_pattern($1, bugzilla_content_t)
++ admin_pattern($1, bugzilla_htaccess_t)
++ admin_pattern($1, bugzilla_ra_content_t)
+
+ files_search_tmp($1)
files_search_var_lib($1)
- admin_pattern($1, httpd_bugzilla_rw_content_t)
+- admin_pattern($1, httpd_bugzilla_rw_content_t)
++ admin_pattern($1, bugzilla_rw_content_t)
- apache_list_sys_content($1)
+ optional_policy(`
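Review bot: `files_list_var_lib(bugzilla_script_t)` inside `bugzilla_admin` names the script domain rather than `$1` as its subject, so the rule reaches the policy only when some admin role calls the interface and it grants nothing to the administrator. The line predates this commit in its `httpd_bugzilla_script_t` spelling, but the renaming pass is the natural moment to move it into bugzilla.te next to the other `bugzilla_script_t` rules, or to drop it if the script domain does not need it. Gating `ptrace` behind the `deny_ptrace` tunable while leaving `signal_perms` unconditional reads correctly; the interface's closing `')` lies past the end of this hunk.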
@@ -9519,49 +9779,83 @@ index 1b22262..bf0cefa 100644
+ ')
')
diff --git a/bugzilla.te b/bugzilla.te
-index 18623e3..d9f3061 100644
+index 18623e3..c62f617 100644
--- a/bugzilla.te
+++ b/bugzilla.te
-@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.1.0)
+@@ -6,42 +6,55 @@ policy_module(bugzilla, 1.1.0)
+ #
apache_content_template(bugzilla)
-
-+type httpd_bugzilla_tmp_t;
-+files_tmp_file(httpd_bugzilla_tmp_t)
++apache_content_alias_template(bugzilla, bugzilla)
+
++type bugzilla_tmp_t alias httpd_bugzilla_tmp_t;
++files_tmp_file(bugzilla_tmp_t)
+
########################################
#
# Local policy
-@@ -14,7 +17,6 @@ apache_content_template(bugzilla)
+ #
- allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
+-allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
++allow bugzilla_script_t self:tcp_socket { accept listen };
++
++corenet_all_recvfrom_netlabel(bugzilla_script_t)
++corenet_tcp_sendrecv_generic_if(bugzilla_script_t)
++corenet_tcp_sendrecv_generic_node(bugzilla_script_t)
++
++corenet_sendrecv_http_client_packets(bugzilla_script_t)
++corenet_tcp_connect_http_port(bugzilla_script_t)
++corenet_tcp_sendrecv_http_port(bugzilla_script_t)
++
++corenet_sendrecv_smtp_client_packets(bugzilla_script_t)
++corenet_tcp_connect_smtp_port(bugzilla_script_t)
++corenet_tcp_sendrecv_smtp_port(bugzilla_script_t)
++
++manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
++manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
++files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir })
-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
- corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
- corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
-@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
- corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
- corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
+-corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
++files_search_var_lib(bugzilla_script_t)
-+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
-+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
-+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
-+
- files_search_var_lib(httpd_bugzilla_script_t)
+-corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
+-corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
++auth_read_passwd(bugzilla_script_t)
+
+-corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
+-corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
++dev_read_sysfs(bugzilla_script_t)
+
+-files_search_var_lib(httpd_bugzilla_script_t)
++sysnet_read_config(bugzilla_script_t)
++sysnet_use_ldap(bugzilla_script_t)
-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
-+auth_read_passwd(httpd_bugzilla_script_t)
-+
-+dev_read_sysfs(httpd_bugzilla_script_t)
-+
-+sysnet_read_config(httpd_bugzilla_script_t)
- sysnet_use_ldap(httpd_bugzilla_script_t)
+-sysnet_use_ldap(httpd_bugzilla_script_t)
++miscfiles_read_certs(bugzilla_script_t)
+
+ optional_policy(`
+- mta_send_mail(httpd_bugzilla_script_t)
++ mta_send_mail(bugzilla_script_t)
+ ')
+
+ optional_policy(`
+- mysql_stream_connect(httpd_bugzilla_script_t)
+- mysql_tcp_connect(httpd_bugzilla_script_t)
++ mysql_stream_connect(bugzilla_script_t)
++ mysql_tcp_connect(bugzilla_script_t)
+ ')
-+miscfiles_read_certs(httpd_bugzilla_script_t)
-+
optional_policy(`
- mta_send_mail(httpd_bugzilla_script_t)
+- postgresql_stream_connect(httpd_bugzilla_script_t)
+- postgresql_tcp_connect(httpd_bugzilla_script_t)
++ postgresql_stream_connect(bugzilla_script_t)
++ postgresql_tcp_connect(bugzilla_script_t)
')
diff --git a/bumblebee.fc b/bumblebee.fc
new file mode 100644
@@ -9578,10 +9872,10 @@ index 0000000..b5ee23b
+/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0)
diff --git a/bumblebee.if b/bumblebee.if
new file mode 100644
-index 0000000..23a4f86
+index 0000000..de66654
--- /dev/null
+++ b/bumblebee.if
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,121 @@
+## <summary>policy for bumblebee</summary>
+
+########################################
@@ -9675,11 +9969,6 @@ index 0000000..23a4f86
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
+## <rolecap/>
+#
+interface(`bumblebee_admin',`
@@ -10323,7 +10612,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287..6e8a513 100644
+index 550b287..7124d87 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -10390,9 +10679,10 @@ index 550b287..6e8a513 100644
-miscfiles_read_localization(certmonger_t)
miscfiles_manage_generic_cert_files(certmonger_t)
+-userdom_search_user_home_content(certmonger_t)
+systemd_exec_systemctl(certmonger_t)
+
- userdom_search_user_home_content(certmonger_t)
++userdom_manage_home_certs(certmonger_t)
optional_policy(`
- apache_initrc_domtrans(certmonger_t)
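Review bot: The new side removes `userdom_search_user_home_content(certmonger_t)` while adding `userdom_manage_home_certs(certmonger_t)`; unless the manage interface itself grants search on user home directories, certmonger_t can manage the cert files but not traverse to them. Keep a search rule next to it, e.g. `userdom_search_user_home_dirs(certmonger_t)`, which this series already uses for other domains. Managing certificate material in every user's home is a broad grant for a system daemon, so a why-comment such as `# certmonger tracks and renews certificates kept in user home directories` above the new line would help the next reader. The enclosing optional_policy block continues outside the hunk.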
@@ -10425,7 +10715,7 @@ index 550b287..6e8a513 100644
+
+optional_policy(`
+ pki_rw_tomcat_cert(certmonger_t)
-+ pki_read_tomcat_lib_files(certmonger_t)
++ pki_read_tomcat_lib_files(certmonger_t)
+')
+
+########################################
@@ -10665,7 +10955,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index 80a88a2..1a33de9 100644
+index 80a88a2..f947039 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -10718,13 +11008,15 @@ index 80a88a2..1a33de9 100644
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
-@@ -99,10 +102,10 @@ domain_setpriority_all_domains(cgred_t)
+@@ -99,10 +102,11 @@ domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
-files_read_etc_files(cgred_t)
- fs_write_cgroup_files(cgred_t)
+-fs_write_cgroup_files(cgred_t)
++fs_manage_cgroup_dirs(cgred_t)
++fs_manage_cgroup_files(cgred_t)
+fs_list_inotifyfs(cgred_t)
-logging_send_syslog_msg(cgred_t)
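Review bot: `fs_manage_cgroup_dirs(cgred_t)` and `fs_manage_cgroup_files(cgred_t)` replace `fs_write_cgroup_files(cgred_t)`, which widens cgred_t from writing existing cgroup files to creating, renaming and deleting cgroup directories and files, while the commit message only states that cgrulesengd needs to create content in cgroup directories. If the full manage set is intentional, a why-comment above the two lines, e.g. `# cgrulesengd creates entries under cgroup directories (see commit message)`, records the reason for the broader grant; if only creation is needed, a narrower create-oriented interface would be preferable. The surrounding rule list continues outside the hunk.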
@@ -12406,7 +12698,7 @@ index c223f81..8b567c1 100644
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
-index 5f306dd..9a5087b 100644
+index 5f306dd..e01156f 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@@ -12455,23 +12747,42 @@ index 5f306dd..9a5087b 100644
')
optional_policy(`
-+ apache_domtrans(cobblerd_t)
++ apache_domtrans(cobblerd_t)
apache_search_sys_content(cobblerd_t)
')
-@@ -188,17 +191,25 @@ optional_policy(`
+@@ -170,6 +173,7 @@ optional_policy(`
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
++ bind_systemctl(cobblerd_t)
')
optional_policy(`
-+ libs_exec_ldconfig(cobblerd_t)
+@@ -179,12 +183,22 @@ optional_policy(`
+ optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
++ dhcpd_systemctl(cobblerd_t)
+ ')
+
+ optional_policy(`
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
++ dnsmasq_systemctl(cobblerd_t)
+')
+
+optional_policy(`
-+ mysql_stream_connect(cobblerd_t)
++ libs_exec_ldconfig(cobblerd_t)
+')
+
+optional_policy(`
- rpm_exec(cobblerd_t)
++ mysql_stream_connect(cobblerd_t)
+ ')
+
+ optional_policy(`
+@@ -192,13 +206,13 @@ optional_policy(`
')
optional_policy(`
@@ -12489,10 +12800,10 @@ index 5f306dd..9a5087b 100644
tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
diff --git a/collectd.fc b/collectd.fc
-index 79a3abe..2e7d7ed 100644
+index 79a3abe..8d70290 100644
--- a/collectd.fc
+++ b/collectd.fc
-@@ -1,5 +1,7 @@
+@@ -1,9 +1,11 @@
/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
@@ -12500,6 +12811,11 @@ index 79a3abe..2e7d7ed 100644
/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
+
+ /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
+
+-/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
++/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0)
diff --git a/collectd.if b/collectd.if
index 954309e..f4db2ca 100644
--- a/collectd.if
@@ -12683,10 +12999,10 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..dc0423c 100644
+index 6471fa8..d078b96 100644
--- a/collectd.te
+++ b/collectd.te
-@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
+@@ -26,7 +26,14 @@ files_type(collectd_var_lib_t)
type collectd_var_run_t;
files_pid_file(collectd_var_run_t)
@@ -12694,14 +13010,14 @@ index 6471fa8..dc0423c 100644
+systemd_unit_file(collectd_unit_file_t)
+
apache_content_template(collectd)
-
-+type httpd_collectd_script_tmp_t;
-+files_tmp_file(httpd_collectd_script_tmp_t)
++apache_content_alias_template(collectd, collectd)
+
++type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
++files_tmp_file(collectd_script_tmp_t)
+
########################################
#
- # Local policy
-@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal };
+@@ -38,6 +45,9 @@ allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
allow collectd_t self:unix_stream_socket { accept listen };
@@ -12711,7 +13027,7 @@ index 6471fa8..dc0423c 100644
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+@@ -46,23 +56,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
files_pid_filetrans(collectd_t, collectd_var_run_t, file)
@@ -12747,7 +13063,7 @@ index 6471fa8..dc0423c 100644
logging_send_syslog_msg(collectd_t)
-@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +90,26 @@ tunable_policy(`collectd_tcp_network_connect',`
')
optional_policy(`
@@ -12770,16 +13086,16 @@ index 6471fa8..dc0423c 100644
- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-')
+
-+files_search_var_lib(httpd_collectd_script_t)
-+read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-+list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-+miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
++files_search_var_lib(collectd_script_t)
++read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
+
-+manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
-+manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
-+files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir })
++manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
++manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
++files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })
+
-+auth_read_passwd(httpd_collectd_script_t)
++auth_read_passwd(collectd_script_t)
diff --git a/colord.fc b/colord.fc
index 71639eb..08ab891 100644
--- a/colord.fc
@@ -16015,7 +16331,7 @@ index 1303b30..72481a7 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 7de3859..c4abac0 100644
+index 7de3859..d8264c4 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,46 @@ gen_require(`
@@ -16662,7 +16978,7 @@ index 7de3859..c4abac0 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -539,10 +531,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -539,10 +531,18 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -16671,6 +16987,7 @@ index 7de3859..c4abac0 100644
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
++ apache_manage_lib(system_cronjob_t)
+ apache_delete_cache_dirs(system_cronjob_t)
+ apache_delete_cache_files(system_cronjob_t)
+')
@@ -16680,7 +16997,7 @@ index 7de3859..c4abac0 100644
')
optional_policy(`
-@@ -551,10 +550,6 @@ optional_policy(`
+@@ -551,10 +551,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -16691,7 +17008,7 @@ index 7de3859..c4abac0 100644
')
optional_policy(`
-@@ -591,6 +586,7 @@ optional_policy(`
+@@ -591,6 +587,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -16699,7 +17016,7 @@ index 7de3859..c4abac0 100644
')
optional_policy(`
-@@ -598,7 +594,19 @@ optional_policy(`
+@@ -598,7 +595,19 @@ optional_policy(`
')
optional_policy(`
@@ -16719,7 +17036,7 @@ index 7de3859..c4abac0 100644
')
optional_policy(`
-@@ -608,6 +616,7 @@ optional_policy(`
+@@ -608,6 +617,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -16727,7 +17044,7 @@ index 7de3859..c4abac0 100644
')
optional_policy(`
-@@ -615,12 +624,24 @@ optional_policy(`
+@@ -615,12 +625,24 @@ optional_policy(`
')
optional_policy(`
@@ -16754,7 +17071,7 @@ index 7de3859..c4abac0 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +649,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +650,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -16788,7 +17105,7 @@ index 7de3859..c4abac0 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +682,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +683,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -18258,8 +18575,31 @@ index c91813c..f31fa44 100644
udev_read_db(ptal_t)
')
+
+diff --git a/cvs.fc b/cvs.fc
+index 75c8be9..4c1a965 100644
+--- a/cvs.fc
++++ b/cvs.fc
+@@ -1,13 +1,16 @@
++HOME_DIR/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
++/root/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
++
+ /etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
+
+ /opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+
+ /usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
+
+-/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
++/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
+
+ /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+
+ /var/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0)
+
+-/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
++/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
diff --git a/cvs.if b/cvs.if
-index 64775fd..bff3111 100644
+index 64775fd..91a6056 100644
--- a/cvs.if
+++ b/cvs.if
@@ -1,5 +1,23 @@
@@ -18286,8 +18626,36 @@ index 64775fd..bff3111 100644
########################################
## <summary>
## Read CVS data and metadata content.
-@@ -62,9 +80,14 @@ interface(`cvs_admin',`
+@@ -41,6 +59,24 @@ interface(`cvs_exec',`
+
+ ########################################
+ ## <summary>
++## Transition to cvs named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cvs_filetrans_home_content',`
++ gen_require(`
++ type cvs_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
++')
++
++########################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an cvs environment
+ ## </summary>
+@@ -60,11 +96,17 @@ interface(`cvs_admin',`
+ gen_require(`
+ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
++ type cvs_home_t;
')
- allow $1 cvs_t:process { ptrace signal_perms };
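Review bot: The summary of the new `cvs_filetrans_home_content` interface, `## Transition to cvs named content`, does not describe what it does; `## Create .cvsignore in a user home directory, labeled cvs_home_t.` matches the body. The cvs.fc hunk in this commit also labels `/root/\.cvsignore` as cvs_home_t, but `userdom_user_home_dir_filetrans` presumably covers only user home directories, so a .cvsignore created under /root at runtime would not receive that label unless an equivalent admin-home transition is added; confirm whether that case matters. The `cvs_admin` interface body extends beyond this hunk.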
@@ -18302,8 +18670,16 @@ index 64775fd..bff3111 100644
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
+@@ -81,4 +123,7 @@ interface(`cvs_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, cvs_var_run_t)
++
++ userdom_search_user_home_dirs($1)
++ admin_pattern($1, cvs_home_t)
+ ')
diff --git a/cvs.te b/cvs.te
-index 0f77550..f98a932 100644
+index 0f77550..cd608bc 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
@@ -18315,7 +18691,32 @@ index 0f77550..f98a932 100644
type cvs_t;
type cvs_exec_t;
-@@ -74,6 +74,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t)
+@@ -34,17 +34,23 @@ files_tmp_file(cvs_tmp_t)
+ type cvs_var_run_t;
+ files_pid_file(cvs_var_run_t)
+
++type cvs_home_t;
++userdom_user_home_content(cvs_home_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow cvs_t self:capability { setuid setgid };
++allow cvs_t self:capability { dac_override dac_read_search setuid setgid };
+ allow cvs_t self:process signal_perms;
+ allow cvs_t self:fifo_file rw_fifo_file_perms;
+ allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+ allow cvs_t self:tcp_socket { accept listen };
+
++userdom_search_user_home_dirs(cvs_t)
++allow cvs_t cvs_home_t:file read_file_perms;
++
+ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+@@ -74,6 +80,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
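Review bot: `allow cvs_t self:capability { dac_override dac_read_search setuid setgid };` grants dac_override unconditionally, whereas the existing policy grants it only inside the read-shadow tunable (still visible as context in a later hunk of this file), so that gating is silently removed and the tunable rule becomes redundant. If the new need is reading `.cvsignore` in user home directories, as the added `allow cvs_t cvs_home_t:file read_file_perms;` suggests, `dac_read_search` is the smaller capability for that; suggest `allow cvs_t self:capability { dac_read_search setuid setgid };` and leaving dac_override under the tunable. A why-comment on the line would also help, since DAC-bypass capabilities on a daemon that accepts TCP connections deserve a stated reason.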
@@ -18331,7 +18732,7 @@ index 0f77550..f98a932 100644
dev_read_urand(cvs_t)
files_read_etc_runtime_files(cvs_t)
-@@ -86,18 +95,18 @@ auth_use_nsswitch(cvs_t)
+@@ -86,18 +101,16 @@ auth_use_nsswitch(cvs_t)
init_read_utmp(cvs_t)
@@ -18344,8 +18745,8 @@ index 0f77550..f98a932 100644
-
mta_send_mail(cvs_t)
- userdom_dontaudit_search_user_home_dirs(cvs_t)
-
+-userdom_dontaudit_search_user_home_dirs(cvs_t)
+-
# cjp: typeattribute doesnt work in conditionals yet
auth_can_read_shadow_passwords(cvs_t)
-tunable_policy(`allow_cvs_read_shadow',`
@@ -18353,11 +18754,19 @@ index 0f77550..f98a932 100644
allow cvs_t self:capability dac_override;
auth_tunable_read_shadow(cvs_t)
')
-@@ -120,4 +129,5 @@ optional_policy(`
- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
-+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
+@@ -116,8 +129,10 @@ optional_policy(`
+
+ optional_policy(`
+ apache_content_template(cvs)
++ apache_content_alias_template(cvs, cvs)
+
+- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t)
++ manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir })
')
diff --git a/cyphesis.te b/cyphesis.te
index 77ffc73..86e11f5 100644
@@ -20871,7 +21280,7 @@ index b3b2188..5f91705 100644
miscfiles_read_localization(dirmngr_t)
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
new file mode 100644
-index 0000000..8c44697
+index 0000000..5e44c5e
--- /dev/null
+++ b/dirsrv-admin.fc
@@ -0,0 +1,15 @@
@@ -20883,8 +21292,8 @@ index 0000000..8c44697
+/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
-+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
-+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
@@ -20892,7 +21301,7 @@ index 0000000..8c44697
+/var/lock/subsys/dirsrv-admin -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
diff --git a/dirsrv-admin.if b/dirsrv-admin.if
new file mode 100644
-index 0000000..30416f2
+index 0000000..e360d38
--- /dev/null
+++ b/dirsrv-admin.if
@@ -0,0 +1,133 @@
@@ -20927,13 +21336,13 @@ index 0000000..30416f2
+## </summary>
+## </param>
+#
-+interface(`dirsrvadmin_run_httpd_script_exec',`
++interface(`dirsrvadmin_run_script_exec',`
+ gen_require(`
-+ type httpd_dirsrvadmin_script_exec_t;
++ type dirsrvadmin_script_exec_t;
+ ')
+
-+ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
-+ can_exec($1, httpd_dirsrvadmin_script_exec_t)
++ allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms;
++ can_exec($1, dirsrvadmin_script_exec_t)
+')
+
+########################################
@@ -21031,10 +21440,10 @@ index 0000000..30416f2
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
-index 0000000..021c5ae
+index 0000000..37afbd4
--- /dev/null
+++ b/dirsrv-admin.te
-@@ -0,0 +1,157 @@
+@@ -0,0 +1,158 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
@@ -21107,59 +21516,60 @@ index 0000000..021c5ae
+
+optional_policy(`
+ apache_content_template(dirsrvadmin)
++ apache_content_alias_template(dirsrvadmin, dirsrvadmin)
+
-+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
-+ allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
-+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
++ allow dirsrvadmin_script_t self:process { getsched getpgid };
++ allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++ allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
++ allow dirsrvadmin_script_t self:udp_socket create_socket_perms;
++ allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
++ allow dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
++ allow dirsrvadmin_script_t self:sem create_sem_perms;
+
+
-+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
-+ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
++ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
++ files_lock_filetrans(dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
+
-+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
++ kernel_read_kernel_sysctls(dirsrvadmin_script_t)
+
+
-+ corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t)
-+ corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t)
-+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++ corenet_tcp_bind_generic_node(dirsrvadmin_script_t)
++ corenet_udp_bind_generic_node(dirsrvadmin_script_t)
++ corenet_all_recvfrom_netlabel(dirsrvadmin_script_t)
+
-+ corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)
-+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
-+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
-+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_bind_http_port(dirsrvadmin_script_t)
++ corenet_tcp_connect_generic_port(dirsrvadmin_script_t)
++ corenet_tcp_connect_ldap_port(dirsrvadmin_script_t)
++ corenet_tcp_connect_http_port(dirsrvadmin_script_t)
+
-+ files_search_var_lib(httpd_dirsrvadmin_script_t)
++ files_search_var_lib(dirsrvadmin_script_t)
+
-+ sysnet_read_config(httpd_dirsrvadmin_script_t)
++ sysnet_read_config(dirsrvadmin_script_t)
+
-+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
++ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+ optional_policy(`
-+ apache_read_modules(httpd_dirsrvadmin_script_t)
-+ apache_read_config(httpd_dirsrvadmin_script_t)
-+ apache_signal(httpd_dirsrvadmin_script_t)
-+ apache_signull(httpd_dirsrvadmin_script_t)
++ apache_read_modules(dirsrvadmin_script_t)
++ apache_read_config(dirsrvadmin_script_t)
++ apache_signal(dirsrvadmin_script_t)
++ apache_signull(dirsrvadmin_script_t)
+ ')
+
+ optional_policy(`
+ # The CGI scripts must be able to manage dirsrv-admin
-+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
-+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
-+ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
-+ dirsrv_signal(httpd_dirsrvadmin_script_t)
-+ dirsrv_signull(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
-+ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
-+ dirsrv_read_share(httpd_dirsrvadmin_script_t)
++ dirsrvadmin_run_exec(dirsrvadmin_script_t)
++ dirsrvadmin_manage_config(dirsrvadmin_script_t)
++ dirsrv_domtrans(dirsrvadmin_script_t)
++ dirsrv_signal(dirsrvadmin_script_t)
++ dirsrv_signull(dirsrvadmin_script_t)
++ dirsrv_manage_log(dirsrvadmin_script_t)
++ dirsrv_manage_var_lib(dirsrvadmin_script_t)
++ dirsrv_pid_filetrans(dirsrvadmin_script_t)
++ dirsrv_manage_var_run(dirsrvadmin_script_t)
++ dirsrv_manage_config(dirsrvadmin_script_t)
++ dirsrv_read_share(dirsrvadmin_script_t)
+ ')
+')
+
@@ -22307,10 +22717,10 @@ index 0000000..484dd44
\ No newline at end of file
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..d856375
+index 0000000..543baf1
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,250 @@
+
+## <summary>The open-source application container engine.</summary>
+
@@ -22354,6 +22764,25 @@ index 0000000..d856375
+
+########################################
+## <summary>
++## Execute docker lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`docker_exec_lib',`
++ gen_require(`
++ type docker_var_lib_t;
++ ')
++
++ allow $1 docker_var_lib_t:dir search_dir_perms;
++ can_exec($1, docker_var_lib_t)
++')
++
++########################################
++## <summary>
+## Read docker lib files.
+## </summary>
+## <param name="domain">
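Review bot: The `docker_exec_lib` summary `## Execute docker lib directories.` is misleading: the body is a dir search plus `can_exec($1, docker_var_lib_t)`, i.e. it lets the caller execute files labeled docker_var_lib_t in its own domain with no transition; `## Execute files in docker lib directories in the caller domain.` is closer. Since docker_var_lib_t presumably also covers content written by the docker daemon (the .te is not in this chunk), the interface description should state that a caller runs daemon-written files in its own context, so consumers choose it deliberately. The hunk ends at the start of the following interface's parameter list, which is cut off.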
@@ -22411,6 +22840,41 @@ index 0000000..d856375
+
+########################################
+## <summary>
++## Create objects in a docker var lib directory
++## with an automatic type transition to
++## a specified private type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`docker_lib_filetrans',`
++ gen_require(`
++ type docker_var_lib_t;
++ ')
++
++ filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
+## Read docker PID files.
+## </summary>
+## <param name="domain">
@@ -23528,11 +23992,15 @@ index f2516cc..8975946 100644
-
sysnet_dns_name_resolve(drbd_t)
diff --git a/dspam.fc b/dspam.fc
-index 5eddac5..3ea0423 100644
+index 5eddac5..b5fcb77 100644
--- a/dspam.fc
+++ b/dspam.fc
-@@ -5,8 +5,13 @@
- /usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+@@ -2,11 +2,16 @@
+
+ /usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0)
+
+-/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
++/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0)
/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
-/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
@@ -23542,10 +24010,10 @@ index 5eddac5..3ea0423 100644
/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
+
+# web
-+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
-+/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0)
++/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0)
++/var/www/dspam(/.*?) gen_context(system_u:object_r:dspam_content_t,s0)
+
-+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
++/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:dspam_rw_content_t,s0)
diff --git a/dspam.if b/dspam.if
index 18f2452..a446210 100644
--- a/dspam.if
@@ -23822,7 +24290,7 @@ index 18f2452..a446210 100644
+
')
diff --git a/dspam.te b/dspam.te
-index ef62363..37c844b 100644
+index ef62363..1ec4d89 100644
--- a/dspam.te
+++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@@ -23848,7 +24316,7 @@ index ef62363..37c844b 100644
files_search_spool(dspam_t)
-@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
+@@ -64,14 +73,30 @@ auth_use_nsswitch(dspam_t)
logging_send_syslog_msg(dspam_t)
@@ -23856,36 +24324,35 @@ index ef62363..37c844b 100644
-
optional_policy(`
apache_content_template(dspam)
-
-+ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
++ apache_content_alias_template(dspam, dspam)
+
-+ files_search_var_lib(httpd_dspam_script_t)
- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
-- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
-- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
-+ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
-+ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
++ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
+
-+ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t)
++ files_search_var_lib(dspam_script_t)
+
-+ term_dontaudit_search_ptys(httpd_dspam_script_t)
-+ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t)
-+ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t)
++ domain_dontaudit_read_all_domains_state(dspam_script_t)
+
-+ init_read_utmp(httpd_dspam_script_t)
++ term_dontaudit_search_ptys(dspam_script_t)
++ term_dontaudit_getattr_all_ttys(dspam_script_t)
++ term_dontaudit_getattr_all_ptys(dspam_script_t)
+
+- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
+- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
+- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
++ init_read_utmp(dspam_script_t)
+
-+ logging_send_syslog_msg(httpd_dspam_script_t)
++ logging_send_syslog_msg(dspam_script_t)
+
-+ mta_send_mail(httpd_dspam_script_t)
++ mta_send_mail(dspam_script_t)
+
+ optional_policy(`
-+ mysql_tcp_connect(httpd_dspam_script_t)
-+ mysql_stream_connect(httpd_dspam_script_t)
++ mysql_tcp_connect(dspam_script_t)
++ mysql_stream_connect(dspam_script_t)
+ ')
')
optional_policy(`
-@@ -87,3 +114,12 @@ optional_policy(`
+@@ -87,3 +112,12 @@ optional_policy(`
postgresql_tcp_connect(dspam_t)
')
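Review bot: The new side of the dspam optional_policy block removes `list_dirs_pattern(dspam_t, httpd_dspam_content_t, …)` and both `manage_*_pattern(dspam_t, httpd_dspam_rw_content_t, …)` rules without adding replacements on the renamed types, while the dspam.fc hunk above still labels /var/lib/dspam/data as dspam_rw_content_t. Unless the later hunk at `@@ -87,3 +112,12 @@` (outside this view) re-adds them, the dspam daemon itself loses write access to its own data directory and only the CGI domain keeps access through the content template. Re-adding `list_dirs_pattern(dspam_t, dspam_content_t, dspam_content_t)`, `manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)` and `manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)` inside the same block keeps the daemon's access explicit and scoped to its own types.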
@@ -25315,18 +25782,19 @@ index 5010f04..928215f 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index 92a6479..989f63a 100644
+index 92a6479..064f58e 100644
--- a/fprintd.te
+++ b/fprintd.te
-@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
+@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t)
allow fprintd_t self:capability sys_nice;
allow fprintd_t self:process { getsched setsched signal sigkill };
allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto };
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t)
+@@ -28,15 +30,14 @@ kernel_read_system_state(fprintd_t)
dev_list_usbfs(fprintd_t)
dev_read_sysfs(fprintd_t)
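Review bot: The added `allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto };` looks redundant with the `logging_send_syslog_msg(fprintd_t)` call introduced in the next hunk, since that interface in refpolicy already grants the self unix_dgram_socket create and sendto permissions needed to reach syslog. If the socket is only used for logging, dropping the raw allow rule and relying on the interface keeps the rule set minimal and easier to audit. If it is needed for something else, a one-line comment such as `# dgram socket also used for <purpose>, not only syslog` would stop the next reviewer from removing it.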
@@ -25340,11 +25808,11 @@ index 92a6479..989f63a 100644
auth_use_nsswitch(fprintd_t)
-miscfiles_read_localization(fprintd_t)
--
++logging_send_syslog_msg(fprintd_t)
+
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
-
-@@ -54,8 +52,13 @@ optional_policy(`
+@@ -54,8 +55,13 @@ optional_policy(`
')
')
@@ -26185,6 +26653,29 @@ index 8a820fa..996b30c 100644
-')
+userdom_use_inherited_user_terminals(giftd_t)
+userdom_home_manager(gitd_t)
+diff --git a/git.fc b/git.fc
+index 24700f8..6561d56 100644
+--- a/git.fc
++++ b/git.fc
+@@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
+
+ /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
+-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+-/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
++/var/cache/cgit(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0)
++/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0)
+
+ /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
+-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+-/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+-/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+-/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:git_script_exec_t,s0)
++/var/www/git(/.*)? gen_context(system_u:object_r:git_content_t,s0)
++/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0)
++/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0)
diff --git a/git.if b/git.if
index 1e29af1..6c64f55 100644
--- a/git.if
@@ -26232,7 +26723,7 @@ index 1e29af1..6c64f55 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index dc49c71..654dbc5 100644
+index dc49c71..72aa729 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -26250,7 +26741,15 @@ index dc49c71..654dbc5 100644
## Determine whether Git system daemon
## can search home directories.
## </p>
-@@ -93,10 +85,10 @@ type git_session_t, git_daemon;
+@@ -83,6 +75,7 @@ attribute git_daemon;
+ attribute_role git_session_roles;
+
+ apache_content_template(git)
++apache_content_alias_template(git, git)
+
+ type git_system_t, git_daemon;
+ type gitd_exec_t;
+@@ -93,10 +86,10 @@ type git_session_t, git_daemon;
userdom_user_application_domain(git_session_t, gitd_exec_t)
role git_session_roles types git_session_t;
@@ -26263,7 +26762,7 @@ index dc49c71..654dbc5 100644
userdom_user_home_content(git_user_content_t)
########################################
-@@ -110,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+@@ -110,6 +103,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
@@ -26272,7 +26771,7 @@ index dc49c71..654dbc5 100644
corenet_all_recvfrom_netlabel(git_session_t)
corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
-@@ -130,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
+@@ -130,9 +125,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_sendrecv_all_ports(git_session_t)
')
@@ -26283,7 +26782,7 @@ index dc49c71..654dbc5 100644
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
-@@ -158,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -158,6 +151,9 @@ tunable_policy(`use_samba_home_dirs',`
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
@@ -26293,7 +26792,7 @@ index dc49c71..654dbc5 100644
corenet_all_recvfrom_unlabeled(git_system_t)
corenet_all_recvfrom_netlabel(git_system_t)
corenet_tcp_sendrecv_generic_if(git_system_t)
-@@ -176,6 +171,9 @@ logging_send_syslog_msg(git_system_t)
+@@ -176,6 +172,9 @@ logging_send_syslog_msg(git_system_t)
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
@@ -26303,7 +26802,78 @@ index dc49c71..654dbc5 100644
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -266,12 +264,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -215,48 +214,48 @@ tunable_policy(`git_system_use_nfs',`
+ # CGI policy
+ #
+
+-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+-files_search_var_lib(httpd_git_script_t)
++list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
++read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
++files_search_var_lib(git_script_t)
+
+-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
++files_dontaudit_getattr_tmp_dirs(git_script_t)
+
+-auth_use_nsswitch(httpd_git_script_t)
++auth_use_nsswitch(git_script_t)
+
+ tunable_policy(`git_cgi_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_git_script_t)
++ userdom_search_user_home_dirs(git_script_t)
+ ')
+
+ tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
+- fs_getattr_nfs(httpd_git_script_t)
+- fs_list_nfs(httpd_git_script_t)
+- fs_read_nfs_files(httpd_git_script_t)
++ fs_getattr_nfs(git_script_t)
++ fs_list_nfs(git_script_t)
++ fs_read_nfs_files(git_script_t)
+ ',`
+- fs_dontaudit_read_nfs_files(httpd_git_script_t)
++ fs_dontaudit_read_nfs_files(git_script_t)
+ ')
+
+ tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
+- fs_getattr_cifs(httpd_git_script_t)
+- fs_list_cifs(httpd_git_script_t)
+- fs_read_cifs_files(httpd_git_script_t)
++ fs_getattr_cifs(git_script_t)
++ fs_list_cifs(git_script_t)
++ fs_read_cifs_files(git_script_t)
+ ',`
+- fs_dontaudit_read_cifs_files(httpd_git_script_t)
++ fs_dontaudit_read_cifs_files(git_script_t)
+ ')
+
+ tunable_policy(`git_cgi_use_cifs',`
+- fs_getattr_cifs(httpd_git_script_t)
+- fs_list_cifs(httpd_git_script_t)
+- fs_read_cifs_files(httpd_git_script_t)
++ fs_getattr_cifs(git_script_t)
++ fs_list_cifs(git_script_t)
++ fs_read_cifs_files(git_script_t)
+ ',`
+- fs_dontaudit_read_cifs_files(httpd_git_script_t)
++ fs_dontaudit_read_cifs_files(git_script_t)
+ ')
+
+ tunable_policy(`git_cgi_use_nfs',`
+- fs_getattr_nfs(httpd_git_script_t)
+- fs_list_nfs(httpd_git_script_t)
+- fs_read_nfs_files(httpd_git_script_t)
++ fs_getattr_nfs(git_script_t)
++ fs_list_nfs(git_script_t)
++ fs_read_nfs_files(git_script_t)
+ ',`
+- fs_dontaudit_read_nfs_files(httpd_git_script_t)
++ fs_dontaudit_read_nfs_files(git_script_t)
+ ')
+
+ ########################################
+@@ -266,12 +265,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
@@ -26687,10 +27257,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..7b78047
+index 0000000..4b88195
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,199 @@
+@@ -0,0 +1,200 @@
+policy_module(glusterfs, 1.1.2)
+
+## <desc>
@@ -26782,12 +27352,13 @@ index 0000000..7b78047
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-+#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+
+manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
@@ -30718,10 +31289,10 @@ index 0000000..3ce0ac0
+')
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
-index 0000000..5044e7b
+index 0000000..bbd5979
--- /dev/null
+++ b/gssproxy.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,68 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
@@ -30746,6 +31317,7 @@ index 0000000..5044e7b
+#
+# gssproxy local policy
+#
++allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
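Review bot: The new `allow gssproxy_t self:capability { setuid setgid };` at the top of the gssproxy local policy carries no comment saying which operation needs it; the commit message ties it to gssproxy changing user and gid in order to read user keyrings, which matches the `userdom_read_all_users_keys(gssproxy_t)` grant added in the next hunk. That reasoning belongs next to the rule, e.g. `# gssproxy switches uid/gid to act as the requesting user (see userdom_read_all_users_keys)`. Together the two rules let the daemon assume any uid and read every user's keyring, so a later audit of the module needs to see that this pairing is intended rather than an accidental over-grant.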
@@ -30776,6 +31348,7 @@ index 0000000..5044e7b
+
+miscfiles_read_localization(gssproxy_t)
+
++userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
@@ -31718,7 +32291,7 @@ index ac00fb0..36ef2e5 100644
+ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
-index 2636503..7e29d1d 100644
+index 2636503..5910c59 100644
--- a/irc.te
+++ b/irc.te
@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
@@ -31776,23 +32349,27 @@ index 2636503..7e29d1d 100644
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
-@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+@@ -70,7 +86,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_system_state(irc_t)
-corenet_all_recvfrom_unlabeled(irc_t)
++corecmd_exec_shell(irc_t)
++corecmd_exec_bin(irc_t)
++
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
corenet_tcp_sendrecv_generic_node(irc_t)
-@@ -93,7 +108,6 @@ dev_read_rand(irc_t)
+@@ -93,8 +111,6 @@ dev_read_rand(irc_t)
domain_use_interactive_fds(irc_t)
-files_read_usr_files(irc_t)
-
+-
fs_getattr_all_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
-@@ -106,14 +120,16 @@ auth_use_nsswitch(irc_t)
+
+@@ -106,14 +122,16 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
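Review bot: `corecmd_exec_shell(irc_t)` and `corecmd_exec_bin(irc_t)` let a network-facing chat client run any shell or bin_t binary without a domain transition, so whatever it launches keeps irc_t's permissions, including its TCP access; the commit message entry ("Allow irc_t to execute shell and bin-t files:") stops before saying which client feature needs this. A comment naming the triggering operation, e.g. `# helpers/scripts launched by the client; no domtrans, so they stay in irc_t`, would let a later audit judge whether the grant is still required. The same shell grant is added for irssi_t in the hunk ending at `corenet_tcp_connect_ircd_port(irssi_t)`, where it replaces `corecmd_search_bin(irssi_t)`; that is only a safe swap if corecmd_exec_shell also provides the bin_t directory search the old call gave, which I believe refpolicy's version does, but it is worth confirming against the local corecommands.if.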
@@ -31814,7 +32391,7 @@ index 2636503..7e29d1d 100644
tunable_policy(`irc_use_any_tcp_ports',`
allow irc_t self:tcp_socket { accept listen };
-@@ -124,18 +140,69 @@ tunable_policy(`irc_use_any_tcp_ports',`
+@@ -124,18 +142,69 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
@@ -31849,7 +32426,7 @@ index 2636503..7e29d1d 100644
+
+kernel_read_system_state(irssi_t)
+
-+corecmd_search_bin(irssi_t)
++corecmd_exec_shell(irssi_t)
+corecmd_read_bin_symlinks(irssi_t)
+
+corenet_tcp_connect_ircd_port(irssi_t)
@@ -36427,6 +37004,27 @@ index 4c2b111..8915138 100644
kerberos_use(slapd_t)
')
+diff --git a/lightsquid.fc b/lightsquid.fc
+index 044390c..63e2058 100644
+--- a/lightsquid.fc
++++ b/lightsquid.fc
+@@ -1,11 +1,11 @@
+ /etc/cron\.daily/lightsquid -- gen_context(system_u:object_r:lightsquid_exec_t,s0)
+
+-/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
+-/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
++/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:lightsquid_content_t,s0)
++/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
+
+-/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
++/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
+
+ /var/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
+
+-/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
+-/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
++/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_content_t,s0)
++/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_report_content_t,s0)
diff --git a/lightsquid.if b/lightsquid.if
index 33a28b9..33ffe24 100644
--- a/lightsquid.if
@@ -36441,10 +37039,34 @@ index 33a28b9..33ffe24 100644
+ ')
')
diff --git a/lightsquid.te b/lightsquid.te
-index 09c4f27..75854ed 100644
+index 09c4f27..6c7855e 100644
--- a/lightsquid.te
+++ b/lightsquid.te
-@@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t)
+@@ -13,38 +13,34 @@ type lightsquid_exec_t;
+ application_domain(lightsquid_t, lightsquid_exec_t)
+ role lightsquid_roles types lightsquid_t;
+
+-type lightsquid_rw_content_t;
+-files_type(lightsquid_rw_content_t)
++type lightsquid_report_content_t;
++files_type(lightsquid_report_content_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+-manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+-manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+-manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+-files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir)
++manage_dirs_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
++manage_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
++manage_lnk_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
++files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir)
+
+ corecmd_exec_bin(lightsquid_t)
+ corecmd_exec_shell(lightsquid_t)
dev_read_urand(lightsquid_t)
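Review bot: After this rename lightsquid_t only has manage rules on lightsquid_report_content_t, yet the lightsquid.fc hunk above still labels /var/lightsquid as lightsquid_rw_content_t, which is now the type supplied by apache_content_template instead of the local declaration this hunk deletes. Two consequences are not addressed: the lightsquid_t cron job appears to lose write access to /var/lightsquid unless that is granted outside this view, and if the template grants lightsquid_script_t manage access to its rw_content type, as refpolicy's does, the CGI scripts move from the read-only access the old patch gave them on that directory to read-write. If the CGI only needs to read reports, labeling /var/lightsquid as lightsquid_report_content_t in the .fc would keep the web-facing domain on the read-only rules the following optional_policy hunk already grants it. Either way a comment stating which directory each of the two types is meant to cover would make the intended split auditable.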
@@ -36456,6 +37078,19 @@ index 09c4f27..75854ed 100644
squid_read_config(lightsquid_t)
squid_read_log(lightsquid_t)
+ optional_policy(`
+ apache_content_template(lightsquid)
++ apache_content_alias_template(lightsquid, lightsquid)
+
+- list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+- read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+- read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
++ list_dirs_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
++ read_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
++ read_lnk_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
+ ')
+
+ optional_policy(`
diff --git a/likewise.if b/likewise.if
index bd20e8c..3393a01 100644
--- a/likewise.if
@@ -37253,7 +37888,7 @@ index be0ab84..8c532a6 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index ab65034..52cbb90 100644
+index ab65034..6f52140 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -6,6 +6,13 @@ policy_module(logwatch, 1.12.2)
@@ -37315,7 +37950,7 @@ index ab65034..52cbb90 100644
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
-@@ -100,23 +115,17 @@ libs_read_lib_files(logwatch_t)
+@@ -100,23 +115,14 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
@@ -37325,9 +37960,8 @@ index ab65034..52cbb90 100644
sysnet_exec_ifconfig(logwatch_t)
- userdom_dontaudit_search_user_home_dirs(logwatch_t)
-+userdom_dontaudit_list_admin_dir(logwatch_t)
-
+-userdom_dontaudit_search_user_home_dirs(logwatch_t)
+-
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
@@ -37340,7 +37974,7 @@ index ab65034..52cbb90 100644
corenet_sendrecv_smtp_client_packets(logwatch_t)
corenet_tcp_connect_smtp_port(logwatch_t)
corenet_tcp_sendrecv_smtp_port(logwatch_t)
-@@ -160,6 +169,12 @@ optional_policy(`
+@@ -160,6 +166,12 @@ optional_policy(`
')
optional_policy(`
@@ -37353,7 +37987,7 @@ index ab65034..52cbb90 100644
rpc_search_nfs_state_data(logwatch_t)
')
-@@ -187,6 +202,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -187,6 +199,12 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@@ -38424,16 +39058,30 @@ index 6b6e2e1..9889cef 100644
+ spamassassin_read_home_client(mscan_t)
spamassassin_read_lib_files(mscan_t)
')
+diff --git a/man2html.fc b/man2html.fc
+index 82f6255..3686732 100644
+--- a/man2html.fc
++++ b/man2html.fc
+@@ -1,5 +1,5 @@
+-/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+-/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+-/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
+
+-/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
++/var/cache/man2html(/.*)? gen_context(system_u:object_r:man2html_rw_content_t,s0)
diff --git a/man2html.if b/man2html.if
-index 54ec04d..fe43dea 100644
+index 54ec04d..53eaf61 100644
--- a/man2html.if
+++ b/man2html.if
-@@ -1 +1,127 @@
+@@ -1 +1,137 @@
## <summary>A Unix manpage-to-HTML converter.</summary>
+
+########################################
+## <summary>
-+## Transition to httpd_man2html_script.
++## Transition to man2html_script.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -38441,18 +39089,18 @@ index 54ec04d..fe43dea 100644
+## </summary>
+## </param>
+#
-+interface(`httpd_man2html_script_domtrans',`
++interface(`man2html_script_domtrans',`
+ gen_require(`
-+ type httpd_man2html_script_t, httpd_man2html_script_exec_t;
++ type man2html_script_t, man2html_script_exec_t;
+ ')
+
+ corecmd_search_bin($1)
-+ domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t)
++ domtrans_pattern($1, man2html_script_exec_t, man2html_script_t)
+')
+
+########################################
+## <summary>
-+## Search httpd_man2html_script cache directories.
++## Search man2html_script content directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -38460,18 +39108,19 @@ index 54ec04d..fe43dea 100644
+## </summary>
+## </param>
+#
-+interface(`httpd_man2html_script_search_cache',`
++interface(`man2html_search_content',`
+ gen_require(`
-+ type httpd_man2html_script_cache_t;
++ type man2html_content_t;
++ type man2html_rw_content_t;
+ ')
+
-+ allow $1 httpd_man2html_script_cache_t:dir search_dir_perms;
++ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+## <summary>
-+## Read httpd_man2html_script cache files.
++## Read man2html cache files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -38479,19 +39128,22 @@ index 54ec04d..fe43dea 100644
+## </summary>
+## </param>
+#
-+interface(`httpd_man2html_script_read_cache_files',`
++interface(`man2html_read_content_files',`
+ gen_require(`
-+ type httpd_man2html_script_cache_t;
++ type man2html_content_t;
++ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
-+ read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
++ read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
++ read_files_pattern($1, man2html_content_t, man2html_content_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
-+## httpd_man2html_script cache files.
++## man2html content files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -38499,18 +39151,21 @@ index 54ec04d..fe43dea 100644
+## </summary>
+## </param>
+#
-+interface(`httpd_man2html_script_manage_cache_files',`
++interface(`man2html_manage_content_files',`
+ gen_require(`
-+ type httpd_man2html_script_cache_t;
++ type man2html_content_t;
++ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
-+ manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++ manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
++ manage_files_pattern($1, man2html_content_t, man2html_content_t)
+')
+
+########################################
+## <summary>
-+## Manage httpd_man2html_script cache dirs.
++## Create, read, write, and delete
++## man2html content dirs.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -38518,20 +39173,21 @@ index 54ec04d..fe43dea 100644
+## </summary>
+## </param>
+#
-+interface(`httpd_man2html_script_manage_cache_dirs',`
++interface(`man2html_manage_content_dirs',`
+ gen_require(`
-+ type httpd_man2html_script_cache_t;
++ type man2html_content_t;
++ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
-+ manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++ manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
++ manage_dirs_pattern($1, man2html_content_t, man2html_content_t)
+')
+
-+
+########################################
+## <summary>
+## All of the rules required to administrate
-+## an httpd_man2html_script environment
++## an man2html environment
+## </summary>
+## <param name="domain">
+## <summary>
@@ -38539,17 +39195,19 @@ index 54ec04d..fe43dea 100644
+## </summary>
+## </param>
+#
-+interface(`httpd_man2html_script_admin',`
++interface(`man2html_admin',`
+ gen_require(`
-+ type httpd_man2html_script_t;
-+ type httpd_man2html_script_cache_t;
++ type man2html_script_t;
++ type man2html_rw_content_t;
++ type man2html_content_t;
+ ')
+
-+ allow $1 httpd_man2html_script_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, httpd_man2html_script_t)
++ allow $1 man2html_script_t:process { ptrace signal_perms };
++ ps_process_pattern($1, man2html_script_t)
+
+ files_search_var($1)
-+ admin_pattern($1, httpd_man2html_script_cache_t)
++ admin_pattern($1, man2html_content_t)
++ admin_pattern($1, man2html_rw_content_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
@@ -38557,22 +39215,22 @@ index 54ec04d..fe43dea 100644
+ ')
+')
diff --git a/man2html.te b/man2html.te
-index e08c55d..9e634bd 100644
+index e08c55d..24b56e9 100644
--- a/man2html.te
+++ b/man2html.te
-@@ -5,22 +5,24 @@ policy_module(man2html, 1.0.0)
+@@ -5,22 +5,18 @@ policy_module(man2html, 1.0.0)
# Declarations
#
-apache_content_template(man2html)
-
- type httpd_man2html_script_cache_t;
- files_type(httpd_man2html_script_cache_t)
+-
+-type httpd_man2html_script_cache_t;
+-files_type(httpd_man2html_script_cache_t)
########################################
#
-# Local policy
-+# httpd_man2html_script local policy
++# man2html_script local policy
#
-manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
@@ -38580,19 +39238,16 @@ index e08c55d..9e634bd 100644
-manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)
+optional_policy(`
++ apache_content_template(man2html)
++ apache_content_alias_template(man2html, man2html)
-files_read_etc_files(httpd_man2html_script_t)
-+ apache_content_template(man2html)
++ allow man2html_script_t self:process fork;
-miscfiles_read_localization(httpd_man2html_script_t)
-miscfiles_read_man_pages(httpd_man2html_script_t)
-+ allow httpd_man2html_script_t self:process { fork };
-+
-+ manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-+ manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-+ manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-+ files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })
-+
++ typealias man2html_rw_content_t alias man2html_script_cache_t;
++ files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file })
+')
diff --git a/mandb.fc b/mandb.fc
index 8ae78b5..16e55cd 100644
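Review bot: The new `typealias man2html_rw_content_t alias man2html_script_cache_t;` introduces a name that never existed; the type it replaces is `httpd_man2html_script_cache_t`, deleted in the previous hunk, and the man2html.fc hunk moves /var/cache/man2html to man2html_rw_content_t. Unless apache_content_alias_template also aliases that old cache name, a system already labeled with httpd_man2html_script_cache_t carries an unknown label after the update until /var/cache/man2html is relabeled, so the alias should probably read `typealias man2html_rw_content_t alias { man2html_script_cache_t httpd_man2html_script_cache_t };`. The block also drops every explicit manage rule man2html_script_t had on its cache, so a comment noting that those permissions now come from apache_content_template would help the next reader.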
@@ -39148,8 +39803,27 @@ index 0000000..a04dd6b
+
+domain_use_interactive_fds(mcollective_t)
+
+diff --git a/mediawiki.fc b/mediawiki.fc
+index 99f7c41..93ec6db 100644
+--- a/mediawiki.fc
++++ b/mediawiki.fc
+@@ -1,8 +1,8 @@
+-/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+-/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+-/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
++/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
++/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
++/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
+
+-/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
++/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0)
+
+-/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
+-/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
++/var/www/wiki(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
++/var/www/wiki/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)
diff --git a/mediawiki.if b/mediawiki.if
-index 9771b4b..1c1d012 100644
+index 9771b4b..9b183e6 100644
--- a/mediawiki.if
+++ b/mediawiki.if
@@ -1 +1,40 @@
@@ -39169,12 +39843,12 @@ index 9771b4b..1c1d012 100644
+#
+interface(`mediawiki_read_tmp_files',`
+ gen_require(`
-+ type httpd_mediawiki_tmp_t;
++ type mediawiki_tmp_t;
+ ')
+
+ files_search_tmp($1)
-+ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
-+ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++ read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
++ read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+')
+
+#######################################
@@ -39189,23 +39863,22 @@ index 9771b4b..1c1d012 100644
+#
+interface(`mediawiki_delete_tmp_files',`
+ gen_require(`
-+ type httpd_mediawiki_tmp_t;
++ type mediawiki_tmp_t;
+ ')
+
-+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++ delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+')
diff --git a/mediawiki.te b/mediawiki.te
-index c528b9f..212712c 100644
+index c528b9f..fcbc191 100644
--- a/mediawiki.te
+++ b/mediawiki.te
-@@ -5,13 +5,16 @@ policy_module(mediawiki, 1.0.0)
+@@ -5,13 +5,26 @@ policy_module(mediawiki, 1.0.0)
# Declarations
#
-apache_content_template(mediawiki)
-+optional_policy(`
-+
-+ apache_content_template(mediawiki)
++type mediawiki_tmp_t;
++files_tmp_file(mediawiki_tmp_t)
########################################
#
@@ -39213,10 +39886,21 @@ index c528b9f..212712c 100644
#
-files_search_var_lib(httpd_mediawiki_script_t)
-+ files_search_var_lib(httpd_mediawiki_script_t)
++optional_policy(`
-miscfiles_read_tetex_data(httpd_mediawiki_script_t)
-+ miscfiles_read_tetex_data(httpd_mediawiki_script_t)
++ apache_content_template(mediawiki)
++ apache_content_alias_template(mediawiki, mediawiki)
++
++ manage_dirs_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++ manage_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++ manage_sock_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++ manage_lnk_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++ files_tmp_filetrans(mediawiki_script_t, mediawiki_tmp_t, { file dir lnk_file })
++
++ files_search_var_lib(mediawiki_script_t)
++
++ miscfiles_read_tetex_data(mediawiki_script_t)
+')
diff --git a/memcached.if b/memcached.if
index 1d4eb19..650014e 100644
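Review bot: `files_tmp_filetrans(mediawiki_script_t, mediawiki_tmp_t, { file dir lnk_file })` omits sock_file even though `manage_sock_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)` is granted two lines above, so a socket the script creates directly in /tmp would not get the mediawiki_tmp_t label and that manage rule would not apply to it. If sockets are expected, extend the transition to `{ file dir lnk_file sock_file }`; if not, the sock_file manage rule is unused and can go. Declaring mediawiki_tmp_t outside the optional_policy block while every rule that uses it sits inside is presumably so the interfaces in mediawiki.if can gen_require it; a short comment saying so, e.g. `# declared unconditionally: required by mediawiki.if interfaces`, would explain the split.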
@@ -39778,10 +40462,10 @@ index 0000000..767bbad
+/usr/sbin/mip6d -- gen_context(system_u:object_r:mip6d_exec_t,s0)
diff --git a/mip6d.if b/mip6d.if
new file mode 100644
-index 0000000..9e2bf1b
+index 0000000..8169129
--- /dev/null
+++ b/mip6d.if
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,79 @@
+
+## <summary>Mobile IPv6 and NEMO Basic Support implementation</summary>
+
@@ -39820,7 +40504,7 @@ index 0000000..9e2bf1b
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 mip6d_unit_file_t:file read_file_perms;
+ allow $1 mip6d_unit_file_t:service manage_service_perms;
+
@@ -39838,22 +40522,21 @@ index 0000000..9e2bf1b
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
+## <rolecap/>
+#
+interface(`mip6d_admin',`
+ gen_require(`
+ type mip6d_t;
-+ type mip6d_unit_file_t;
++ type mip6d_unit_file_t;
+ ')
+
-+ allow $1 mip6d_t:process { ptrace signal_perms };
++ allow $1 mip6d_t:process { signal_perms };
+ ps_process_pattern($1, mip6d_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mip6d_t:process ptrace;
++ ')
++
+ mip6d_systemctl($1)
+ admin_pattern($1, mip6d_unit_file_t)
+ allow $1 mip6d_unit_file_t:service all_service_perms;
@@ -39901,6 +40584,298 @@ index 0000000..1d34063
+
+logging_send_syslog_msg(mip6d_t)
+
+diff --git a/mirrormanager.fc b/mirrormanager.fc
+new file mode 100644
+index 0000000..c713b27
+--- /dev/null
++++ b/mirrormanager.fc
+@@ -0,0 +1,7 @@
++/usr/share/mirrormanager/server/mirrormanager -- gen_context(system_u:object_r:mirrormanager_exec_t,s0)
++
++/var/lib/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_lib_t,s0)
++
++/var/log/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_log_t,s0)
++
++/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
+diff --git a/mirrormanager.if b/mirrormanager.if
+new file mode 100644
+index 0000000..dd049c7
+--- /dev/null
++++ b/mirrormanager.if
+@@ -0,0 +1,224 @@
++
++## <summary>policy for mirrormanager</summary>
++
++########################################
++## <summary>
++## Execute mirrormanager in the mirrormanager domin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_domtrans',`
++ gen_require(`
++ type mirrormanager_t, mirrormanager_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t)
++')
++
++########################################
++## <summary>
++## Read mirrormanager's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`mirrormanager_read_log',`
++ gen_require(`
++ type mirrormanager_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++')
++
++########################################
++## <summary>
++## Append to mirrormanager log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_append_log',`
++ gen_require(`
++ type mirrormanager_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++')
++
++########################################
++## <summary>
++## Manage mirrormanager log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_manage_log',`
++ gen_require(`
++ type mirrormanager_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++ manage_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++ manage_lnk_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++')
++
++########################################
++## <summary>
++## Search mirrormanager lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_search_lib',`
++ gen_require(`
++ type mirrormanager_var_lib_t;
++ ')
++
++ allow $1 mirrormanager_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read mirrormanager lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_read_lib_files',`
++ gen_require(`
++ type mirrormanager_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage mirrormanager lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_manage_lib_files',`
++ gen_require(`
++ type mirrormanager_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage mirrormanager lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_manage_lib_dirs',`
++ gen_require(`
++ type mirrormanager_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++')
++
++########################################
++## <summary>
++## Read mirrormanager PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_read_pid_files',`
++ gen_require(`
++ type mirrormanager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an mirrormanager environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`mirrormanager_admin',`
++ gen_require(`
++ type mirrormanager_t;
++ type mirrormanager_log_t;
++ type mirrormanager_var_lib_t;
++ type mirrormanager_var_run_t;
++ ')
++
++ allow $1 mirrormanager_t:process { signal_perms };
++ ps_process_pattern($1, mirrormanager_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mirrormanager_t:process ptrace;
++ ')
++
++ logging_search_logs($1)
++ admin_pattern($1, mirrormanager_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, mirrormanager_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, mirrormanager_var_run_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/mirrormanager.te b/mirrormanager.te
+new file mode 100644
+index 0000000..841b732
+--- /dev/null
++++ b/mirrormanager.te
+@@ -0,0 +1,43 @@
++policy_module(mirrormanager, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mirrormanager_t;
++type mirrormanager_exec_t;
++cron_system_entry(mirrormanager_t, mirrormanager_exec_t)
++
++type mirrormanager_log_t;
++logging_log_file(mirrormanager_log_t)
++
++type mirrormanager_var_lib_t;
++files_type(mirrormanager_var_lib_t)
++
++type mirrormanager_var_run_t;
++files_pid_file(mirrormanager_var_run_t)
++
++########################################
++#
++# mirrormanager local policy
++#
++
++allow mirrormanager_t self:fifo_file rw_fifo_file_perms;
++allow mirrormanager_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
++manage_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
++logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir })
++
++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++manage_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir })
++
++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
++manage_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
++files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir })
++
diff --git a/mock.fc b/mock.fc
new file mode 100644
index 0000000..8d0e473
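Review bot: mirrormanager_admin documents a `role` parameter ("Role allowed access.") but the interface body never references `$2`; the same stale block was removed from mip6d_admin earlier in this patch, so either drop the param doc here too or wire the role in. Two typos in the new .if: `## Execute mirrormanager in the mirrormanager domin.` should read `domain`, and "an mirrormanager environment" should be "a mirrormanager environment". In mirrormanager.te, which is fully visible (43 lines), mirrormanager_t is a cron_system_entry domain that only gets self fifo/unix_stream_socket plus its own log, var_lib and pid types; there are no network, DNS or /etc read rules, so if the cron job checks remote mirrors it will presumably hit denials — confirm against the application.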
@@ -40586,7 +41561,7 @@ index b1ac8b5..9b22bea 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
-index d15eb5b..a0dae5e 100644
+index d15eb5b..66a422b 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@@ -40599,12 +41574,15 @@ index d15eb5b..a0dae5e 100644
########################################
#
# Local policy
-@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t)
+@@ -25,14 +28,14 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+ kernel_read_system_state(modemmanager_t)
+
dev_read_sysfs(modemmanager_t)
++dev_read_urand(modemmanager_t)
dev_rw_modem(modemmanager_t)
-files_read_etc_files(modemmanager_t)
-
+-
term_use_generic_ptys(modemmanager_t)
term_use_unallocated_ttys(modemmanager_t)
+term_use_usb_ttys(modemmanager_t)
@@ -40614,6 +41592,19 @@ index d15eb5b..a0dae5e 100644
logging_send_syslog_msg(modemmanager_t)
+diff --git a/mojomojo.fc b/mojomojo.fc
+index 7b827ca..5ee8a0f 100644
+--- a/mojomojo.fc
++++ b/mojomojo.fc
+@@ -1,5 +1,5 @@
+-/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
++/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:mojomojo_script_exec_t,s0)
+
+-/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
++/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:mojomojo_content_t,s0)
+
+-/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
++/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:mojomojo_rw_content_t,s0)
diff --git a/mojomojo.if b/mojomojo.if
index 73952f4..b19a6ee 100644
--- a/mojomojo.if
@@ -40627,16 +41618,16 @@ index 73952f4..b19a6ee 100644
interface(`mojomojo_admin',`
refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
diff --git a/mojomojo.te b/mojomojo.te
-index b94102e..9556487 100644
+index b94102e..25d1d33 100644
--- a/mojomojo.te
+++ b/mojomojo.te
-@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.1.0)
+@@ -5,21 +5,40 @@ policy_module(mojomojo, 1.1.0)
# Declarations
#
-apache_content_template(mojomojo)
-+type httpd_mojomojo_tmp_t;
-+files_tmp_file(httpd_mojomojo_tmp_t)
++type mojomojo_tmp_t alias httpd_mojomojo_tmp_t;
++files_tmp_file(mojomojo_tmp_t)
########################################
#
@@ -40646,38 +41637,37 @@ index b94102e..9556487 100644
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+optional_policy(`
+ apache_content_template(mojomojo)
++ apache_content_alias_template(mojomojo, mojomojo)
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
-corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
-+ allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
++ manage_dirs_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
++ manage_files_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
++ files_tmp_filetrans(mojomojo_script_t, mojomojo_tmp_t, { file dir })
-files_search_var_lib(httpd_mojomojo_script_t)
-+ manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
-+ manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
-+ files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
++ corenet_tcp_connect_postgresql_port(mojomojo_script_t)
++ corenet_tcp_connect_mysqld_port(mojomojo_script_t)
++ corenet_tcp_connect_smtp_port(mojomojo_script_t)
++ corenet_sendrecv_postgresql_client_packets(mojomojo_script_t)
++ corenet_sendrecv_mysqld_client_packets(mojomojo_script_t)
++ corenet_sendrecv_smtp_client_packets(mojomojo_script_t)
-sysnet_dns_name_resolve(httpd_mojomojo_script_t)
-+ corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
-+ corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
-+ corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
-+ corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
-+ corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
-+ corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
++ files_search_var_lib(mojomojo_script_t)
-mta_send_mail(httpd_mojomojo_script_t)
-+ files_search_var_lib(httpd_mojomojo_script_t)
++ sysnet_dns_name_resolve(mojomojo_script_t)
+
-+ sysnet_dns_name_resolve(httpd_mojomojo_script_t)
-+
-+ mta_send_mail(httpd_mojomojo_script_t)
++ mta_send_mail(mojomojo_script_t)
+
+ optional_policy(`
-+ mysql_stream_connect(httpd_mojomojo_script_t)
++ mysql_stream_connect(mojomojo_script_t)
+ ')
+
+ optional_policy(`
-+ postgresql_stream_connect(httpd_mojomojo_script_t)
++ postgresql_stream_connect(mojomojo_script_t)
+ ')
+')
diff --git a/mongodb.te b/mongodb.te
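Review bot: The explicit `allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;` that the previous revision of this patch carried is dropped in the rename and nothing visible in the hunk replaces it. If apache_content_template / apache_content_alias_template do not already grant the script domain stream access to httpd_t, the FastCGI socket between httpd and mojomojo_fastcgi.pl breaks; presumably that is covered by the template, but it deserves confirmation since the removal is silent. The rest of the rename (mojomojo_script_t, mojomojo_tmp_t with the httpd_ aliases) is consistent with the mediawiki and munin hunks.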
@@ -41143,7 +42133,7 @@ index 6ffaba2..cb1e8b0 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..7fbb9e7 100644
+index 6194b80..b8952a1 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -41275,7 +42265,8 @@ index 6194b80..7fbb9e7 100644
- mozilla_run_plugin($2, $1)
- mozilla_run_plugin_config($2, $1)
--
++ mozilla_filetrans_home_content($2)
+
- allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t })
-
@@ -41297,8 +42288,7 @@ index 6194b80..7fbb9e7 100644
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
-+ mozilla_filetrans_home_content($2)
-
+-
- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
@@ -41653,7 +42643,7 @@ index 6194b80..7fbb9e7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +353,144 @@ interface(`mozilla_dbus_chat',`
## </summary>
## </param>
#
@@ -41756,7 +42746,25 @@ index 6194b80..7fbb9e7 100644
+ type mozilla_plugin_t;
+ ')
+
-+ allow $1 mozilla_plugin_t:sem { unix_read unix_write };
++ dontaudit $1 mozilla_plugin_t:sem { associate unix_read unix_write };
++')
++
++#######################################
++## <summary>
++## Allow generict ipc read/write to a mozilla_plugin
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`mozilla_plugin_rw_sem',`
++ gen_require(`
++ type mozilla_plugin_t;
++ ')
++
++ allow $1 mozilla_plugin_t:sem { associate unix_read unix_write };
')
########################################
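Review bot: The new mozilla_plugin_rw_sem interface grants access with `allow`, yet its param summary says "Domain to not audit." — copied from the dontaudit variant above it; it should read `## Domain allowed access.`. The summary line also has a typo: `## Allow generict ipc read/write to a mozilla_plugin` should be `## Allow generic ipc read/write to a mozilla_plugin`. The sibling interface whose body changes from `allow` to `dontaudit` (and gains `associate`) starts above this hunk, so its name and summary cannot be checked here; if its summary still says "Allow", it needs the same fix in reverse.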
@@ -41809,7 +42817,7 @@ index 6194b80..7fbb9e7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +498,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
## </summary>
## </param>
#
@@ -41834,7 +42842,7 @@ index 6194b80..7fbb9e7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -530,45 +499,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +517,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
@@ -41916,7 +42924,7 @@ index 6194b80..7fbb9e7 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..5c6fae9 100644
+index 11ac8e4..058f834 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@@ -42184,12 +43192,12 @@ index 11ac8e4..5c6fae9 100644
-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -42438,12 +43446,12 @@ index 11ac8e4..5c6fae9 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
@@ -42644,26 +43652,26 @@ index 11ac8e4..5c6fae9 100644
-ifndef(`enable_mls',`
- fs_list_dos(mozilla_plugin_t)
- fs_read_dos_files(mozilla_plugin_t)
+-
+- fs_search_removable(mozilla_plugin_t)
+- fs_read_removable_files(mozilla_plugin_t)
+- fs_read_removable_symlinks(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+userdom_read_home_certs(mozilla_plugin_t)
+userdom_read_home_audio_files(mozilla_plugin_t)
+userdom_exec_user_tmp_files(mozilla_plugin_t)
-- fs_search_removable(mozilla_plugin_t)
-- fs_read_removable_files(mozilla_plugin_t)
-- fs_read_removable_symlinks(mozilla_plugin_t)
+- fs_read_iso9660_files(mozilla_plugin_t)
+-')
+userdom_home_manager(mozilla_plugin_t)
-- fs_read_iso9660_files(mozilla_plugin_t)
+-tunable_policy(`allow_execmem',`
+- allow mozilla_plugin_t self:process execmem;
+tunable_policy(`mozilla_plugin_can_network_connect',`
+ corenet_tcp_connect_all_ports(mozilla_plugin_t)
')
--tunable_policy(`allow_execmem',`
-- allow mozilla_plugin_t self:process execmem;
--')
--
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_t self:process { execmem execstack };
+optional_policy(`
@@ -42745,16 +43753,20 @@ index 11ac8e4..5c6fae9 100644
')
optional_policy(`
-@@ -560,7 +566,7 @@ optional_policy(`
+@@ -560,7 +566,11 @@ optional_policy(`
')
optional_policy(`
- pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
++ policykit_dbus_chat(mozilla_plugin_t)
++')
++
++optional_policy(`
+ rtkit_scheduled(mozilla_plugin_t)
')
optional_policy(`
-@@ -568,108 +574,130 @@ optional_policy(`
+@@ -568,108 +578,130 @@ optional_policy(`
')
optional_policy(`
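Review bot: The new `policykit_dbus_chat(mozilla_plugin_t)` block carries no comment explaining why a plugin domain that executes browser-delivered content now gets a bidirectional D-Bus channel to policykit; the commit message says it is for spice, and that belongs next to the rule, e.g. `# spice plugin authenticates via polkit over D-Bus`. Since policykit_dbus_chat is a two-way send_msg grant, it is worth confirming that the plugin only needs to issue polkit requests and not to receive them, and that the access cannot be scoped by an existing mozilla plugin boolean instead of being unconditional within the optional block.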
@@ -43342,7 +44354,7 @@ index f42896c..cb2791a 100644
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index ed81cac..e3840c1 100644
+index ed81cac..26c97cd 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
@@ -43408,7 +44420,7 @@ index ed81cac..e3840c1 100644
+ kernel_read_system_state($1_mail_t)
+
-+ corenet_all_recvfrom_netlabel($1_mail_t)
++ corenet_all_recvfrom_netlabel($1_mail_t)
+
auth_use_nsswitch($1_mail_t)
@@ -44459,7 +45471,7 @@ index ed81cac..e3840c1 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index ff1d68c..4bf6d3b 100644
+index ff1d68c..2305a28 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -44496,7 +45508,16 @@ index ff1d68c..4bf6d3b 100644
userdom_user_tmp_file(user_mail_tmp_t)
########################################
-@@ -79,12 +77,10 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
+@@ -66,8 +64,6 @@ allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
+ manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
+ manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
+-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
+-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
+
+ read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
+
+@@ -79,12 +75,10 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
kernel_read_crypto_sysctls(user_mail_domain)
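Review bot: The two `userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")` / `".maildir"` rules are removed here, and the replacement is presumably the `mta_filetrans_home_content(user_mail_domain)` call added in the hunk at L4963-L4974; the mta.if hunks visible in this chunk do not show that interface's body, so confirm it still carries both the "Maildir" and ".maildir" name transitions, otherwise new maildirs created by user mail domains will land as plain user_home_t. The companion `mta_filetrans_admin_home_content(user_mail_domain)` extends the same transitions into the admin home, which matches the changelog entry but widens what unprivileged mail domains can create under /root; a short comment on those two lines naming the files involved would make that intent reviewable.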
@@ -44509,7 +45530,7 @@ index ff1d68c..4bf6d3b 100644
corenet_tcp_sendrecv_generic_if(user_mail_domain)
corenet_tcp_sendrecv_generic_node(user_mail_domain)
-@@ -107,10 +103,6 @@ fs_getattr_all_fs(user_mail_domain)
+@@ -107,10 +101,6 @@ fs_getattr_all_fs(user_mail_domain)
init_dontaudit_rw_utmp(user_mail_domain)
@@ -44520,7 +45541,7 @@ index ff1d68c..4bf6d3b 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(user_mail_domain)
fs_manage_cifs_files(user_mail_domain)
-@@ -124,6 +116,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -124,6 +114,11 @@ tunable_policy(`use_nfs_home_dirs',`
')
optional_policy(`
@@ -44532,7 +45553,7 @@ index ff1d68c..4bf6d3b 100644
courier_manage_spool_dirs(user_mail_domain)
courier_manage_spool_files(user_mail_domain)
courier_rw_spool_pipes(user_mail_domain)
-@@ -150,6 +147,11 @@ optional_policy(`
+@@ -150,6 +145,11 @@ optional_policy(`
')
optional_policy(`
@@ -44544,7 +45565,15 @@ index ff1d68c..4bf6d3b 100644
procmail_exec(user_mail_domain)
')
-@@ -171,52 +173,69 @@ optional_policy(`
+@@ -166,57 +166,76 @@ optional_policy(`
+ uucp_manage_spool(user_mail_domain)
+ ')
+
++mta_filetrans_admin_home_content(user_mail_domain)
++mta_filetrans_home_content(user_mail_domain)
++
+ ########################################
+ #
# System local policy
#
@@ -44595,7 +45624,6 @@ index ff1d68c..4bf6d3b 100644
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
+
-+
+logging_append_all_logs(system_mail_t)
+
+logging_send_syslog_msg(system_mail_t)
@@ -44680,7 +45708,7 @@ index ff1d68c..4bf6d3b 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -272,6 +301,15 @@ optional_policy(`
+@@ -272,6 +301,19 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@@ -44689,6 +45717,10 @@ index ff1d68c..4bf6d3b 100644
+')
+
+optional_policy(`
++ postfix_domtrans_postdrop(system_mail_t)
++')
++
++optional_policy(`
+ qmail_domtrans_inject(system_mail_t)
+ qmail_manage_spool_dirs(system_mail_t)
+ qmail_manage_spool_files(system_mail_t)
@@ -44696,7 +45728,7 @@ index ff1d68c..4bf6d3b 100644
')
optional_policy(`
-@@ -287,42 +325,36 @@ optional_policy(`
+@@ -287,42 +329,36 @@ optional_policy(`
')
optional_policy(`
@@ -44749,7 +45781,7 @@ index ff1d68c..4bf6d3b 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -331,40 +363,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -331,40 +367,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -44798,7 +45830,7 @@ index ff1d68c..4bf6d3b 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
-@@ -372,6 +390,13 @@ optional_policy(`
+@@ -372,6 +394,13 @@ optional_policy(`
')
optional_policy(`
@@ -44812,7 +45844,7 @@ index ff1d68c..4bf6d3b 100644
postfix_rw_inherited_master_pipes(mailserver_delivery)
')
-@@ -381,24 +406,49 @@ optional_policy(`
+@@ -381,24 +410,49 @@ optional_policy(`
########################################
#
@@ -44870,7 +45902,7 @@ index ff1d68c..4bf6d3b 100644
+
+
diff --git a/munin.fc b/munin.fc
-index eb4b72a..4968324 100644
+index eb4b72a..af28bb5 100644
--- a/munin.fc
+++ b/munin.fc
@@ -1,77 +1,79 @@
@@ -44991,14 +46023,15 @@ index eb4b72a..4968324 100644
-/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0)
-
-/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+-/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
-+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
- /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
-+/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
-+/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++/var/www/html/munin(/.*)? gen_context(system_u:object_r:munin_content_t,s0)
++/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:munin_script_exec_t,s0)
++/var/www/html/cgi/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
++/var/www/cgi-bin/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
diff --git a/munin.if b/munin.if
-index b744fe3..4c1b6a8 100644
+index b744fe3..900d083 100644
--- a/munin.if
+++ b/munin.if
@@ -1,12 +1,13 @@
@@ -45145,8 +46178,12 @@ index b744fe3..4c1b6a8 100644
## </summary>
## </param>
## <rolecap/>
-@@ -170,8 +212,12 @@ interface(`munin_admin',`
- type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
+@@ -167,11 +209,15 @@ interface(`munin_admin',`
+ attribute munin_plugin_domain, munin_plugin_tmp_content;
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+- type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
++ type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
')
- allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
@@ -45160,16 +46197,23 @@ index b744fe3..4c1b6a8 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
+@@ -193,5 +239,5 @@ interface(`munin_admin',`
+ files_list_pids($1)
+ admin_pattern($1, munin_var_run_t)
+
+- admin_pattern($1, httpd_munin_content_t)
++ admin_pattern($1, munin_content_t)
+ ')
diff --git a/munin.te b/munin.te
-index b708708..cead88c 100644
+index b708708..16b96d0 100644
--- a/munin.te
+++ b/munin.te
@@ -44,12 +44,15 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
munin_plugin_template(system)
munin_plugin_template(unconfined)
-+type httpd_munin_script_tmp_t;
-+files_tmp_file(httpd_munin_script_tmp_t)
++type munin_script_tmp_t alias httpd_munin_script_tmp_t;
++files_tmp_file(munin_script_tmp_t)
+
################################
#
@@ -45371,7 +46415,7 @@ index b708708..cead88c 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +427,31 @@ optional_policy(`
+@@ -421,3 +427,32 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
@@ -45383,22 +46427,23 @@ index b708708..cead88c 100644
+#
+
+apache_content_template(munin)
++apache_content_alias_template(munin, munin)
+
-+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
-+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
++manage_dirs_pattern(munin_t, munin_content_t, munin_content_t)
++manage_files_pattern(munin_t, munin_content_t, munin_content_t)
+
-+manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t)
-+manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t)
++manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t)
++manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t)
+
-+read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
-+read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
++read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t)
++read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t)
+
-+read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
-+append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
++read_files_pattern(munin_script_t, munin_log_t, munin_log_t)
++append_files_pattern(munin_script_t, munin_log_t, munin_log_t)
+
-+files_search_var_lib(httpd_munin_script_t)
++files_search_var_lib(munin_script_t)
+
-+auth_read_passwd(httpd_munin_script_t)
++auth_read_passwd(munin_script_t)
+
+optional_policy(`
+ apache_search_sys_content(munin_t)
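Review bot: `apache_content_template(munin)` and `apache_content_alias_template(munin, munin)` are called unconditionally at the top of the new munin block, while the mediawiki and mojomojo hunks in this same patch wrap the template in `optional_policy(`` and munin itself wraps `apache_search_sys_content(munin_t)` in one a few lines later; the unconditional template call makes the optional block moot and hard-requires apache for the munin module, so the two should agree. Minor style point: `manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t)` is missing the space after the second comma that every other pattern call in the hunk has.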
@@ -46295,31 +47340,31 @@ index 7584bbe..2d683f1 100644
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
diff --git a/mythtv.fc b/mythtv.fc
new file mode 100644
-index 0000000..3a1c423
+index 0000000..d62cf88
--- /dev/null
+++ b/mythtv.fc
@@ -0,0 +1,9 @@
-+/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
++/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:mythtv_script_exec_t,s0)
+
+/var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0)
+
+/var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0)
+
-+/usr/share/mythtv(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
-+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
-+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
++/usr/share/mythtv(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0)
++/usr/share/mythweb(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0)
++/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:mythtv_script_exec_t,s0)
diff --git a/mythtv.if b/mythtv.if
new file mode 100644
-index 0000000..171f666
+index 0000000..e2403dd
--- /dev/null
+++ b/mythtv.if
@@ -0,0 +1,152 @@
+
-+## <summary>policy for httpd_mythtv_script</summary>
++## <summary>policy for mythtv_script</summary>
+
+########################################
+## <summary>
-+## Execute TEMPLATE in the httpd_mythtv_script domin.
++## Execute TEMPLATE in the mythtv_script domin.
+## </summary>
+## <param name="domain">
+## <summary>
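Review bot: The rename touched the mythtv_script_domtrans summary but left the generator boilerplate in place: `## Execute TEMPLATE in the mythtv_script domin.` still has the literal TEMPLATE placeholder and the "domin" typo, and should read `## Execute a mythtv script in the mythtv_script domain.`. The same "domin" wording appears in the new mirrormanager_domtrans summary earlier in this patch.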
@@ -46327,13 +47372,13 @@ index 0000000..171f666
+## </summary>
+## </param>
+#
-+interface(`httpd_mythtv_script_domtrans',`
++interface(`mythtv_script_domtrans',`
+ gen_require(`
-+ type httpd_mythtv_script_t, httpd_mythtv_script_exec_t;
++ type mythtv_script_t, mythtv_script_exec_t;
+ ')
+
+ corecmd_search_bin($1)
-+ domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t)
++ domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t)
+')
+
+#######################################
@@ -46449,15 +47494,15 @@ index 0000000..171f666
+#
+interface(`mythtv_admin',`
+ gen_require(`
-+ type httpd_mythtv_script_t, mythtv_var_lib_t;
++ type mythtv_script_t, mythtv_var_lib_t;
+ type mythtv_var_log_t;
+ ')
+
-+ allow $1 httpd_mythtv_script_t:process signal_perms;
-+ ps_process_pattern($1, httpd_mythtv_script_t)
++ allow $1 mythtv_script_t:process signal_perms;
++ ps_process_pattern($1, mythtv_script_t)
+
+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 httpd_mythtv_script_t:process ptrace;
++ allow $1 mythtv_script_t:process ptrace;
+ ')
+
+ logging_list_logs($1)
@@ -46468,10 +47513,10 @@ index 0000000..171f666
+')
diff --git a/mythtv.te b/mythtv.te
new file mode 100644
-index 0000000..90129ac
+index 0000000..0e585e3
--- /dev/null
+++ b/mythtv.te
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,47 @@
+policy_module(mythtv, 1.0.0)
+
+########################################
@@ -46480,6 +47525,7 @@ index 0000000..90129ac
+#
+
+apache_content_template(mythtv)
++apache_content_alias_template(mythtv, mythtv)
+
+type mythtv_var_lib_t;
+files_type(mythtv_var_lib_t)
@@ -46489,32 +47535,37 @@ index 0000000..90129ac
+
+########################################
+#
-+# httpd_mythtv_script local policy
++# mythtv_script local policy
+#
++#============= httpd_mythtv_script_t ==============
++allow httpd_mythtv_script_t self:process setpgid;
++dev_list_sysfs(httpd_mythtv_script_t)
++
++manage_files_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
++manage_dirs_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
++files_var_lib_filetrans(mythtv_script_t, mythtv_var_lib_t, { dir file })
+
-+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
-+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
-+files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file })
++manage_files_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
++manage_dirs_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
++logging_log_filetrans(mythtv_script_t, mythtv_var_log_t, file )
+
-+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
-+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
-+logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )
++domain_use_interactive_fds(mythtv_script_t)
+
-+domain_use_interactive_fds(httpd_mythtv_script_t)
++files_read_etc_files(mythtv_script_t)
+
-+files_read_etc_files(httpd_mythtv_script_t)
++fs_read_nfs_files(mythtv_script_t)
+
-+fs_read_nfs_files(httpd_mythtv_script_t)
++auth_read_passwd(httpd_mythtv_script_t)
+
+miscfiles_read_localization(httpd_mythtv_script_t)
+
+optional_policy(`
-+ mysql_read_config(httpd_mythtv_script_t)
-+ mysql_stream_connect(httpd_mythtv_script_t)
-+ mysql_tcp_connect(httpd_mythtv_script_t)
++ mysql_read_config(mythtv_script_t)
++ mysql_stream_connect(mythtv_script_t)
++ mysql_tcp_connect(mythtv_script_t)
+')
diff --git a/nagios.fc b/nagios.fc
-index d78dfc3..a00cc2d 100644
+index d78dfc3..24a2dec 100644
--- a/nagios.fc
+++ b/nagios.fc
@@ -1,88 +1,97 @@
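Review bot: The rules added at the top of the mythtv_script local policy still use the old type name — `allow httpd_mythtv_script_t self:process setpgid;`, `dev_list_sysfs(httpd_mythtv_script_t)` and the replacement `auth_read_passwd(httpd_mythtv_script_t)` — while every other line in the block is renamed to `mythtv_script_t`. Those names only resolve through the alias that `apache_content_alias_template(mythtv, mythtv)` creates earlier in the file, so they build, but they read as left-overs; write them as `allow mythtv_script_t self:process setpgid;`, `dev_list_sysfs(mythtv_script_t)` and `auth_read_passwd(mythtv_script_t)`, and drop the audit2allow-style `#============= httpd_mythtv_script_t ==============` banner, which duplicates the `# mythtv_script local policy` header just above it. The untouched context line `miscfiles_read_localization(httpd_mythtv_script_t)` below them has the same inconsistency.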
@@ -46532,8 +47583,8 @@ index d78dfc3..a00cc2d 100644
-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
@@ -46552,8 +47603,8 @@ index d78dfc3..a00cc2d 100644
+ifdef(`distro_debian',`
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+')
-+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
+# admin plugins
/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
@@ -46905,7 +47956,7 @@ index 0641e97..d7d9a79 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 7b3e682..f565a0e 100644
+index 7b3e682..1726e88 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -47018,15 +48069,63 @@ index 7b3e682..f565a0e 100644
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
-@@ -178,6 +183,7 @@ optional_policy(`
+@@ -178,35 +183,37 @@ optional_policy(`
#
# CGI local policy
#
+
optional_policy(`
apache_content_template(nagios)
- typealias httpd_nagios_script_t alias nagios_cgi_t;
-@@ -229,9 +235,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+- typealias httpd_nagios_script_t alias nagios_cgi_t;
+- typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
++ apache_content_alias_template(nagios, nagios)
++ typealias nagios_script_t alias nagios_cgi_t;
++ typealias nagios_script_exec_t alias nagios_cgi_exec_t;
+
+- allow httpd_nagios_script_t self:process signal_perms;
++ allow nagios_script_t self:process signal_perms;
+
+- read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+- read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
++ read_files_pattern(nagios_script_t, nagios_t, nagios_t)
++ read_lnk_files_pattern(nagios_script_t, nagios_t, nagios_t)
+
+- allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+- allow httpd_nagios_script_t nagios_etc_t:file read_file_perms;
+- allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
++ allow nagios_script_t nagios_etc_t:dir list_dir_perms;
++ allow nagios_script_t nagios_etc_t:file read_file_perms;
++ allow nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
+
+- files_search_spool(httpd_nagios_script_t)
+- rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
++ files_search_spool(nagios_script_t)
++ rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
+
+- allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+- read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+- read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
++ allow nagios_script_t nagios_log_t:dir list_dir_perms;
++ read_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
++ read_lnk_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
+
+- kernel_read_system_state(httpd_nagios_script_t)
++ kernel_read_system_state(nagios_script_t)
+
+- domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
++ domain_dontaudit_read_all_domains_state(nagios_script_t)
+
+- files_read_etc_runtime_files(httpd_nagios_script_t)
+- files_read_kernel_symbol_table(httpd_nagios_script_t)
++ files_read_etc_runtime_files(nagios_script_t)
++ files_read_kernel_symbol_table(nagios_script_t)
+
+- logging_send_syslog_msg(httpd_nagios_script_t)
++ logging_send_syslog_msg(nagios_script_t)
+ ')
+
+ ########################################
+@@ -229,9 +236,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
@@ -47037,7 +48136,7 @@ index 7b3e682..f565a0e 100644
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
-@@ -252,8 +258,8 @@ dev_read_urand(nrpe_t)
+@@ -252,8 +259,8 @@ dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
@@ -47047,7 +48146,7 @@ index 7b3e682..f565a0e 100644
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -262,8 +268,6 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,8 +269,6 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
@@ -47056,7 +48155,7 @@ index 7b3e682..f565a0e 100644
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
-@@ -310,15 +314,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +315,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -47075,7 +48174,7 @@ index 7b3e682..f565a0e 100644
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +349,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,6 +350,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
@@ -47085,7 +48184,7 @@ index 7b3e682..f565a0e 100644
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
-@@ -357,9 +364,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +365,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
@@ -47099,7 +48198,7 @@ index 7b3e682..f565a0e 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -391,6 +400,11 @@ optional_policy(`
+@@ -391,6 +401,11 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
@@ -47111,7 +48210,7 @@ index 7b3e682..f565a0e 100644
')
optional_policy(`
-@@ -411,6 +425,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -411,6 +426,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@@ -47119,7 +48218,7 @@ index 7b3e682..f565a0e 100644
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +435,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,10 +436,10 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
@@ -47132,7 +48231,7 @@ index 7b3e682..f565a0e 100644
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
-@@ -442,11 +457,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,11 +458,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@@ -48679,7 +49778,7 @@ index 46e55c3..6e4e061 100644
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
-index 3a6b035..1a181ad 100644
+index 3a6b035..b9887c1 100644
--- a/nis.te
+++ b/nis.te
@@ -5,8 +5,6 @@ policy_module(nis, 1.12.0)
@@ -48845,11 +49944,12 @@ index 3a6b035..1a181ad 100644
dev_read_sysfs(yppasswdd_t)
fs_getattr_all_fs(yppasswdd_t)
-@@ -203,11 +192,19 @@ selinux_get_fs_mount(yppasswdd_t)
+@@ -202,12 +191,20 @@ fs_search_auto_mountpoints(yppasswdd_t)
+ selinux_get_fs_mount(yppasswdd_t)
auth_manage_shadow(yppasswdd_t)
++auth_manage_passwd(yppasswdd_t)
auth_relabel_shadow(yppasswdd_t)
-+auth_read_passwd(yppasswdd_t)
auth_etc_filetrans_shadow(yppasswdd_t)
+corecmd_exec_bin(yppasswdd_t)
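Review bot: Replacing `auth_read_passwd(yppasswdd_t)` with `auth_manage_passwd(yppasswdd_t)` widens the daemon from reading passwd_file_t to creating, writing and deleting it, and nothing in the hunk records why. A one-line comment such as `# yppasswdd rewrites the passwd file, not only shadow` (presumably for gecos/shell changes routed through yppasswd — confirm against the bug that motivated it) would let the next reviewer tell a deliberate grant from an audit2allow artefact. The yppasswdd_t block continues outside the hunk.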
@@ -51694,7 +52794,7 @@ index b0a1be4..239f27a 100644
+ virt_ptrace(numad_t)
+')
diff --git a/nut.fc b/nut.fc
-index 379af96..41ff159 100644
+index 379af96..fac7d7b 100644
--- a/nut.fc
+++ b/nut.fc
@@ -1,23 +1,16 @@
@@ -51725,9 +52825,9 @@ index 379af96..41ff159 100644
-/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
index 57c0161..54bd4d7 100644
--- a/nut.if
@@ -51788,7 +52888,7 @@ index 57c0161..54bd4d7 100644
+ ps_process_pattern($1, swift_t)
')
diff --git a/nut.te b/nut.te
-index 5b2cb0d..1701352 100644
+index 5b2cb0d..249224e 100644
--- a/nut.te
+++ b/nut.te
@@ -22,116 +22,126 @@ type nut_upsdrvctl_t, nut_domain;
@@ -51973,7 +53073,7 @@ index 5b2cb0d..1701352 100644
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_sysfs(nut_upsdrvctl_t)
-@@ -139,22 +149,34 @@ dev_read_urand(nut_upsdrvctl_t)
+@@ -139,22 +149,35 @@ dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)
@@ -51995,22 +53095,24 @@ index 5b2cb0d..1701352 100644
optional_policy(`
apache_content_template(nutups_cgi)
++ apache_content_alias_template(nutups_cgi,nutups_cgi)
++
++ read_files_pattern(nutups_cgi_script_t, nut_conf_t, nut_conf_t)
- allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms;
- allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms;
- allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms;
-+ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
-+
-+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
-+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
-+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
-+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
-+ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
-+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
-+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
-+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
-
- sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
++ corenet_all_recvfrom_netlabel(nutups_cgi_script_t)
++ corenet_tcp_sendrecv_generic_if(nutups_cgi_script_t)
++ corenet_tcp_sendrecv_generic_node(nutups_cgi_script_t)
++ corenet_tcp_sendrecv_all_ports(nutups_cgi_script_t)
++ corenet_tcp_connect_ups_port(nutups_cgi_script_t)
++ corenet_udp_sendrecv_generic_if(nutups_cgi_script_t)
++ corenet_udp_sendrecv_generic_node(nutups_cgi_script_t)
++ corenet_udp_sendrecv_all_ports(nutups_cgi_script_t)
+
+- sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
++ sysnet_dns_name_resolve(nutups_cgi_script_t)
')
diff --git a/nx.if b/nx.if
index 251d681..50ae2a9 100644
@@ -52939,7 +54041,7 @@ index 0000000..a437f80
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
-index 0000000..0dc672f
+index 0000000..a7905db
--- /dev/null
+++ b/openshift.fc
@@ -0,0 +1,27 @@
@@ -52964,7 +54066,7 @@ index 0000000..0dc672f
+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+
+/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:openshift_script_exec_t,s0)
+/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
@@ -53680,10 +54782,10 @@ index 0000000..cf03270
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..3c4beaf
+index 0000000..e40e9d5
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,558 @@
+@@ -0,0 +1,559 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -53982,13 +55084,14 @@ index 0000000..3c4beaf
+ # openshift cgi script policy
+ #
+ apache_content_template(openshift)
-+ domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
++ apache_content_alias_template(openshift, openshift)
++ domtrans_pattern(openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
+
+ optional_policy(`
-+ dbus_system_bus_client(httpd_openshift_script_t)
++ dbus_system_bus_client(openshift_script_t)
+
+ optional_policy(`
-+ oddjob_dbus_chat(httpd_openshift_script_t)
++ oddjob_dbus_chat(openshift_script_t)
+ oddjob_dontaudit_rw_fifo_file(openshift_domain)
+ ')
+ ')
@@ -57639,10 +58742,10 @@ index 0000000..726d992
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..b975b85
+index 0000000..798efb6
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,294 @@
+@@ -0,0 +1,287 @@
+
+## <summary>policy for pki</summary>
+
@@ -57779,13 +58882,6 @@ index 0000000..b975b85
+
+ # need to resolve addresses?
+ auth_use_nsswitch($1_t)
-+
-+ #pki_apache_domain_signal(httpd_t)
-+ #pki_apache_domain_signal(httpd_t)
-+ #pki_manage_apache_run(httpd_t)
-+ #pki_manage_apache_config_files(httpd_t)
-+ #pki_manage_apache_log_files(httpd_t)
-+ #pki_manage_apache_lib(httpd_t)
+')
+
+#######################################
@@ -57939,10 +59035,10 @@ index 0000000..b975b85
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..17f5d18
+index 0000000..d656f71
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,284 @@
+@@ -0,0 +1,271 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -57988,7 +59084,6 @@ index 0000000..17f5d18
+typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
+typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
+typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
-+# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
+
+
+# pki policy types
@@ -58071,10 +59166,6 @@ index 0000000..17f5d18
+userdom_manage_user_tmp_dirs(pki_tomcat_t)
+userdom_manage_user_tmp_files(pki_tomcat_t)
+
-+# forward proxy
-+# need to define ports to fix this
-+#corenet_tcp_connect_pki_tomcat_port(httpd_t)
-+
+# for crl publishing
+allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
+
@@ -58111,9 +59202,6 @@ index 0000000..17f5d18
+
+files_exec_usr_files(pki_tps_t)
+
-+# why do I need to add this?
-+#allow httpd_t httpd_config_t:file execute;
-+
+######################################
+#
+# ra local policy
@@ -58213,13 +59301,8 @@ index 0000000..17f5d18
+ apache_list_modules(pki_apache_domain)
+ apache_read_config(pki_apache_domain)
+ apache_exec(pki_apache_domain)
-+ apache_exec_suexec(pki_apache_domain)
++ apache_exec_suexec(pki_apache_domain)
+ apache_entrypoint(pki_apache_domain)
-+
-+ # should be started using a script which will execute httpd
-+ # start up httpd in pki_apache_domain mode
-+ #can_exec(pki_apache_domain, httpd_config_t)
-+ #can_exec(pki_apache_domain, httpd_suexec_exec_t)
+')
+
+# allow rpm -q in init scripts
@@ -59594,7 +60677,7 @@ index ae27bb7..d00f6ba 100644
+ allow $1 polipo_unit_file_t:service all_service_perms;
')
diff --git a/polipo.te b/polipo.te
-index 9764bfe..2d8d495 100644
+index 9764bfe..96dadf3 100644
--- a/polipo.te
+++ b/polipo.te
@@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1)
@@ -59664,7 +60747,7 @@ index 9764bfe..2d8d495 100644
type polipo_cache_t;
files_type(polipo_cache_t)
-@@ -56,116 +63,102 @@ files_type(polipo_cache_t)
+@@ -56,116 +63,103 @@ files_type(polipo_cache_t)
type polipo_log_t;
logging_log_file(polipo_log_t)
@@ -59717,6 +60800,7 @@ index 9764bfe..2d8d495 100644
+corenet_tcp_bind_http_cache_port(polipo_daemon)
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+corenet_tcp_connect_http_port(polipo_daemon)
++corenet_tcp_connect_http_cache_port(polipo_daemon)
+corenet_tcp_connect_tor_port(polipo_daemon)
+corenet_tcp_connect_flash_port(polipo_daemon)
@@ -63305,6 +64389,19 @@ index 8e26216..d59dc50 100644
+ dbus_read_config(prelink_t)
+ ')
+')
+diff --git a/prelude.fc b/prelude.fc
+index 8dbc763..b580f85 100644
+--- a/prelude.fc
++++ b/prelude.fc
+@@ -12,7 +12,7 @@
+
+ /usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+
+-/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
++/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:prewikka_script_exec_t,s0)
+
+ /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
+
diff --git a/prelude.if b/prelude.if
index c83a838..f41a4f7 100644
--- a/prelude.if
@@ -63467,7 +64564,7 @@ index c83a838..f41a4f7 100644
admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/prelude.te b/prelude.te
-index 8f44609..509fd0a 100644
+index 8f44609..e1f4f70 100644
--- a/prelude.te
+++ b/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
@@ -63569,6 +64666,46 @@ index 8f44609..509fd0a 100644
userdom_read_all_users_state(prelude_lml_t)
optional_policy(`
+@@ -278,27 +265,28 @@ optional_policy(`
+
+ optional_policy(`
+ apache_content_template(prewikka)
++ apache_content_alias_template(prewikka, prewikka)
+
+- can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
++ can_exec(prewikka_script_t, prewikka_script_exec_t)
+
+- files_search_tmp(httpd_prewikka_script_t)
++ files_search_tmp(prewikka_script_t)
+
+- kernel_read_sysctl(httpd_prewikka_script_t)
+- kernel_search_network_sysctl(httpd_prewikka_script_t)
++ kernel_read_sysctl(prewikka_script_t)
++ kernel_search_network_sysctl(prewikka_script_t)
+
+- auth_use_nsswitch(httpd_prewikka_script_t)
++ auth_use_nsswitch(prewikka_script_t)
+
+- logging_send_syslog_msg(httpd_prewikka_script_t)
++ logging_send_syslog_msg(prewikka_script_t)
+
+- apache_search_sys_content(httpd_prewikka_script_t)
++ apache_search_sys_content(prewikka_script_t)
+
+ optional_policy(`
+- mysql_stream_connect(httpd_prewikka_script_t)
+- mysql_tcp_connect(httpd_prewikka_script_t)
++ mysql_stream_connect(prewikka_script_t)
++ mysql_tcp_connect(prewikka_script_t)
+ ')
+
+ optional_policy(`
+- postgresql_stream_connect(httpd_prewikka_script_t)
+- postgresql_tcp_connect(httpd_prewikka_script_t)
++ postgresql_stream_connect(prewikka_script_t)
++ postgresql_tcp_connect(prewikka_script_t)
+ ')
+ ')
diff --git a/privoxy.if b/privoxy.if
index bdcee30..34f3143 100644
--- a/privoxy.if
@@ -68718,7 +69855,7 @@ index 8644d8b..b744b5d 100644
+ sudo_exec(neutron_t)
')
diff --git a/quota.fc b/quota.fc
-index cadabe3..0ee2489 100644
+index cadabe3..54ba01d 100644
--- a/quota.fc
+++ b/quota.fc
@@ -1,6 +1,5 @@
@@ -68729,7 +69866,7 @@ index cadabe3..0ee2489 100644
/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-@@ -8,24 +7,23 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+@@ -8,24 +7,24 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
@@ -68745,6 +69882,7 @@ index cadabe3..0ee2489 100644
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
++/var/spool/cron/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
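Review bot: The new entry `/var/spool/cron/a?quota\.(user|group)` is already matched by the existing `/var/spool/(.*/)?a?quota\.(user|group)` on the following line, since `(.*/)?` covers the `cron/` component, and both label quota_db_t, so the addition changes nothing unless it is meant to win a precedence tie with another `/var/spool/cron` specification in a file not shown here. If that is the intent, record it in a comment above the line, e.g. `# more specific than the /var/spool/(.*/)? entry so it wins over the cron spool labels`; otherwise drop it.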
@@ -70044,10 +71182,10 @@ index 0000000..a073efd
+')
diff --git a/rasdaemon.te b/rasdaemon.te
new file mode 100644
-index 0000000..8651ca4
+index 0000000..7b1fa9e
--- /dev/null
+++ b/rasdaemon.te
-@@ -0,0 +1,35 @@
+@@ -0,0 +1,45 @@
+policy_module(rasdaemon, 1.0.0)
+
+########################################
@@ -70079,10 +71217,20 @@ index 0000000..8651ca4
+kernel_read_system_state(rasdaemon_t)
+kernel_manage_debugfs(rasdaemon_t)
+
++auth_use_nsswitch(rasdaemon_t)
++
++dev_read_raw_memory(rasdaemon_t)
+dev_read_sysfs(rasdaemon_t)
++dev_read_urand(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+
++modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277
++
++optional_policy(`
++ dmidecode_exec(rasdaemon_t)
++')
++
diff --git a/razor.fc b/razor.fc
index 6723f4d..6e26673 100644
--- a/razor.fc
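Review bot: `dev_read_raw_memory(rasdaemon_t)` gives the daemon read access to the raw memory device type, a far broader grant than anything else in this block, and unlike `modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277` it carries no comment saying why. It appears to be there for the `dmidecode_exec(rasdaemon_t)` added below (dmidecode reads the DMI tables from the raw memory device); if so, `dmidecode_domtrans(rasdaemon_t)` would run it in its own domain, which presumably already has that access, instead of extending raw memory reads to rasdaemon_t itself — confirm that interface exists in this tree. At minimum add `# raw memory read is for dmidecode (DMI tables)` so the grant is traceable.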
@@ -72213,7 +73361,7 @@ index 47de2d6..98a4280 100644
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index c8bdea2..2e4d698 100644
+index c8bdea2..f1ee87e 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -72462,8 +73610,10 @@ index c8bdea2..2e4d698 100644
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## Read and write all cluster domains
+-## shared memory.
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
@@ -72483,10 +73633,8 @@ index c8bdea2..2e4d698 100644
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
- ########################################
- ## <summary>
--## Read and write all cluster domains
--## shared memory.
++########################################
++## <summary>
+## Read and write to group shared memory.
## </summary>
## <param name="domain">
@@ -72514,7 +73662,7 @@ index c8bdea2..2e4d698 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',`
+@@ -393,20 +423,44 @@ interface(`rhcs_rw_cluster_semaphores',`
## </summary>
## </param>
#
@@ -72526,49 +73674,65 @@ index c8bdea2..2e4d698 100644
')
- allow $1 groupd_t:sem { rw_sem_perms destroy };
--
-- fs_search_tmpfs($1)
-- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
- ')
++')
--########################################
+- fs_search_tmpfs($1)
+- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+#####################################
- ## <summary>
--## Read and write groupd shared memory.
++## <summary>
+## Connect to cluster domains over a unix domain
+## stream socket.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++#
++interface(`rhcs_stream_connect_cluster_to',`
++ gen_require(`
++ attribute cluster_domain;
++ attribute cluster_pid;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write groupd shared memory.
++## Send a null signal to cluster.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -414,15 +468,12 @@ interface(`rhcs_rw_groupd_semaphores',`
+ ## </summary>
+ ## </param>
#
-interface(`rhcs_rw_groupd_shm',`
-+interface(`rhcs_stream_connect_cluster_to',`
++interface(`rhcs_signull_cluster',`
gen_require(`
- type groupd_t, groupd_tmpfs_t;
-+ attribute cluster_domain;
-+ attribute cluster_pid;
++ type cluster_t;
')
- allow $1 groupd_t:shm { rw_shm_perms destroy };
-
- fs_search_tmpfs($1)
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-+ files_search_pids($1)
-+ stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
++ allow $1 cluster_t:process signull;
')
######################################
-@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +497,360 @@ interface(`rhcs_domtrans_qdiskd',`
########################################
## <summary>
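Review bot: The documentation for the new `rhcs_stream_connect_cluster_to` interface lists two `<param name="domain">` blocks that both read "Domain allowed access.", although the interface passes `$2` as the target of `stream_connect_pattern($1, cluster_pid, cluster_pid, $2)`. The second block should describe that parameter under its own name, e.g. `## <param name="domain_to">` with `## Cluster domain to connect to.`, since the generated interface reference otherwise shows two identical parameters. The `rhcs_signull_cluster` interface in the same hunk is documented correctly.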
@@ -72619,7 +73783,11 @@ index c8bdea2..2e4d698 100644
+ files_search_var_lib($1)
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-+
+
+- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+- domain_system_change_exemption($1)
+- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+- allow $2 system_r;
+#####################################
+## <summary>
+## Allow domain to manage cluster lib files
@@ -72635,16 +73803,14 @@ index c8bdea2..2e4d698 100644
+ type cluster_var_lib_t;
+ ')
-- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
-- domain_system_change_exemption($1)
-- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
-- allow $2 system_r;
+- files_search_pids($1)
+- admin_pattern($1, cluster_pid)
+ files_search_var_lib($1)
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-- files_search_pids($1)
-- admin_pattern($1, cluster_pid)
+- files_search_locks($1)
+- admin_pattern($1, fenced_lock_t)
+####################################
+## <summary>
+## Allow domain to relabel cluster lib files
@@ -72665,8 +73831,8 @@ index c8bdea2..2e4d698 100644
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-- files_search_locks($1)
-- admin_pattern($1, fenced_lock_t)
+- files_search_tmp($1)
+- admin_pattern($1, fenced_tmp_t)
+######################################
+## <summary>
+## Execute a domain transition to run cluster administrative domain.
@@ -72682,14 +73848,14 @@ index c8bdea2..2e4d698 100644
+ type cluster_t, cluster_exec_t;
+ ')
-- files_search_tmp($1)
-- admin_pattern($1, fenced_tmp_t)
+- files_search_var_lib($1)
+- admin_pattern($1, qdiskd_var_lib_t)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cluster_exec_t, cluster_t)
+')
-- files_search_var_lib($1)
-- admin_pattern($1, qdiskd_var_lib_t)
+- fs_search_tmpfs($1)
+- admin_pattern($1, cluster_tmpfs)
+#######################################
+## <summary>
+## Execute cluster init scripts in
@@ -72705,9 +73871,7 @@ index c8bdea2..2e4d698 100644
+ gen_require(`
+ type cluster_initrc_exec_t;
+ ')
-
-- fs_search_tmpfs($1)
-- admin_pattern($1, cluster_tmpfs)
++
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+')
+
@@ -77525,7 +78689,7 @@ index f1140ef..642e062 100644
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
')
diff --git a/rsync.te b/rsync.te
-index abeb302..382a1bf 100644
+index abeb302..61b21d2 100644
--- a/rsync.te
+++ b/rsync.te
@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
@@ -77646,7 +78810,7 @@ index abeb302..382a1bf 100644
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +96,78 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
@@ -77712,9 +78876,7 @@ index abeb302..382a1bf 100644
+
+tunable_policy(`rsync_full_access',`
+ allow rsync_t self:capability { dac_override dac_read_search };
-+ files_manage_non_security_dirs(rsync_t)
-+ files_manage_non_security_files(rsync_t)
-+ #files_relabel_non_security_files(rsync_t)
++ files_manage_non_auth_files(rsync_t)
')
tunable_policy(`rsync_export_all_ro',`
@@ -79029,7 +80191,7 @@ index 50d07fb..bada62f 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..1912f75 100644
+index 2b7c441..a96f064 100644
--- a/samba.te
+++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -79335,10 +80497,10 @@ index 2b7c441..1912f75 100644
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+
-+allow smbd_t nmbd_t:process { signal signull };
-allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
++allow smbd_t nmbd_t:process { signal signull };
++
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
@@ -79582,7 +80744,18 @@ index 2b7c441..1912f75 100644
lpd_exec_lpr(smbd_t)
')
-@@ -499,9 +491,33 @@ optional_policy(`
+@@ -488,6 +480,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rhcs_signull_cluster(smbd_t)
++')
++
++optional_policy(`
+ rpc_search_nfs_state_data(smbd_t)
+ ')
+
+@@ -499,9 +495,33 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -79617,7 +80790,7 @@ index 2b7c441..1912f75 100644
#
dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +528,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +532,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -79632,7 +80805,7 @@ index 2b7c441..1912f75 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +544,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +548,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -79656,7 +80829,7 @@ index 2b7c441..1912f75 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -548,52 +561,41 @@ kernel_read_network_state(nmbd_t)
+@@ -548,52 +565,41 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -79705,14 +80878,14 @@ index 2b7c441..1912f75 100644
-
userdom_use_unpriv_users_fds(nmbd_t)
-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
-+userdom_dontaudit_search_user_home_dirs(nmbd_t)
-
+-
-tunable_policy(`samba_export_all_ro',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_list_non_auth_dirs(nmbd_t)
- files_read_non_auth_files(nmbd_t)
-')
--
++userdom_dontaudit_search_user_home_dirs(nmbd_t)
+
-tunable_policy(`samba_export_all_rw',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_manage_non_auth_files(nmbd_t)
@@ -79722,7 +80895,7 @@ index 2b7c441..1912f75 100644
')
optional_policy(`
-@@ -606,16 +608,22 @@ optional_policy(`
+@@ -606,16 +612,22 @@ optional_policy(`
########################################
#
@@ -79749,7 +80922,7 @@ index 2b7c441..1912f75 100644
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
-@@ -627,16 +635,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +639,11 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -79767,7 +80940,7 @@ index 2b7c441..1912f75 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +647,23 @@ optional_policy(`
+@@ -644,22 +651,23 @@ optional_policy(`
########################################
#
@@ -79799,7 +80972,7 @@ index 2b7c441..1912f75 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +672,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +676,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -79835,7 +81008,7 @@ index 2b7c441..1912f75 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -699,58 +699,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +703,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -79927,7 +81100,7 @@ index 2b7c441..1912f75 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +778,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +782,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -79951,7 +81124,7 @@ index 2b7c441..1912f75 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -777,36 +792,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +796,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -79994,7 +81167,7 @@ index 2b7c441..1912f75 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -818,10 +822,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +826,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -80008,7 +81181,7 @@ index 2b7c441..1912f75 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -840,17 +845,20 @@ optional_policy(`
+@@ -840,17 +849,20 @@ optional_policy(`
# Winbind local policy
#
@@ -80034,7 +81207,7 @@ index 2b7c441..1912f75 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +868,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +872,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -80045,7 +81218,7 @@ index 2b7c441..1912f75 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +879,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +883,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -80075,7 +81248,7 @@ index 2b7c441..1912f75 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -898,13 +902,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +906,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -80096,7 +81269,7 @@ index 2b7c441..1912f75 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,10 +920,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,10 +924,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -80107,7 +81280,7 @@ index 2b7c441..1912f75 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -924,26 +928,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +932,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -80149,7 +81322,7 @@ index 2b7c441..1912f75 100644
')
optional_policy(`
-@@ -959,31 +976,29 @@ optional_policy(`
+@@ -959,31 +980,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -80187,7 +81360,7 @@ index 2b7c441..1912f75 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1012,38 @@ optional_policy(`
+@@ -997,25 +1016,38 @@ optional_policy(`
########################################
#
@@ -80450,10 +81623,10 @@ index 0000000..6caef63
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/sandboxX.if b/sandboxX.if
new file mode 100644
-index 0000000..5da5bff
+index 0000000..e45c73a
--- /dev/null
+++ b/sandboxX.if
-@@ -0,0 +1,392 @@
+@@ -0,0 +1,393 @@
+
+## <summary>policy for sandboxX </summary>
+
@@ -80577,6 +81750,7 @@ index 0000000..5da5bff
+
+ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
+ domain_entry_file($1_client_t, sandbox_exec_t)
++ allow $1_client_t $1_t:shm { unix_read unix_write };
+
+ ps_process_pattern(sandbox_xserver_t, $1_client_t)
+ ps_process_pattern(sandbox_xserver_t, $1_t)
@@ -80848,10 +82022,10 @@ index 0000000..5da5bff
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..710df6b
+index 0000000..9ba5803
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,483 @@
+@@ -0,0 +1,488 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -80976,7 +82150,7 @@ index 0000000..710df6b
+#
+# sandbox_x_domain local policy
+#
-+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap };
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_x_domain self:process execmem;
+')
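Review bot: `allow sandbox_x_domain self:process { ... getcap setcap }` grants capget()/capset() on the sandboxed process itself, while the commit message describes the intent as letting apps merely attempt it; an attempt that may fail quietly is `dontaudit sandbox_x_domain self:process { getcap setcap };`, whereas an `allow` is the right rule only if the programs need the call to succeed (for instance to drop capabilities at startup). What the domain can actually exercise is still bounded by its `self:capability` rules, which this hunk does not touch, so the practical widening is small, but the commit message should state which of the two is meant. The rule sits in the `sandbox_x_domain local policy` section and the `deny_execmem` tunable block that follows is unchanged.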
@@ -81277,6 +82451,14 @@ index 0000000..710df6b
+')
+
+optional_policy(`
++ mozilla_plugin_rw_sem(sandbox_web_type)
++')
++
++optional_policy(`
++ networkmanager_dontaudit_dbus_chat(sandbox_web_type)
++')
++
++optional_policy(`
+ nsplugin_manage_rw(sandbox_web_type)
+ nsplugin_read_rw_files(sandbox_web_type)
+ nsplugin_rw_exec(sandbox_web_type)
@@ -81298,10 +82480,6 @@ index 0000000..710df6b
+')
+
+optional_policy(`
-+ networkmanager_dontaudit_dbus_chat(sandbox_web_type)
-+')
-+
-+optional_policy(`
+ udev_read_state(sandbox_web_type)
+')
+
@@ -81331,10 +82509,11 @@ index 0000000..710df6b
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
-+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
++ mozilla_plugin_rw_sem(sandbox_x_domain)
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
++
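Review bot: Replacing `mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)` with `mozilla_plugin_rw_sem(sandbox_x_domain)` turns a silenced denial into a grant for every domain carrying the `sandbox_x_domain` attribute, not only the web sandboxes; if the `sandbox_web_type` domains also carry that attribute, the separate `mozilla_plugin_rw_sem(sandbox_web_type)` added in the `@@ -81277` hunk of this same file is redundant and one of the two should go. The final `++` adds a trailing blank line at the end of sandboxX.te, a whitespace nit. The enclosing `optional_policy(` block opens before this hunk starts.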
diff --git a/sanlock.fc b/sanlock.fc
index 3df2a0f..9059165 100644
--- a/sanlock.fc
@@ -82960,20 +84139,24 @@ index 12700b4..fde3c8d 100644
+ unconfined_domain(unconfined_sendmail_t)
')
diff --git a/sensord.fc b/sensord.fc
-index 8185d5a..719ac47 100644
+index 8185d5a..97926d2 100644
--- a/sensord.fc
+++ b/sensord.fc
-@@ -1,3 +1,5 @@
+@@ -1,5 +1,9 @@
+/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0)
+
/etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0)
/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
+
++/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0)
++
+ /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
diff --git a/sensord.if b/sensord.if
-index d204752..5eba5fd 100644
+index d204752..31cc6e6 100644
--- a/sensord.if
+++ b/sensord.if
-@@ -1,35 +1,75 @@
+@@ -1,35 +1,80 @@
-## <summary>Sensor information logging daemon.</summary>
+
+## <summary>Sensor information logging daemon</summary>
@@ -83041,7 +84224,9 @@ index d204752..5eba5fd 100644
gen_require(`
- type sensord_t, sensord_initrc_exec_t, sensord_var_run_t;
+ type sensord_t;
-+ type sensord_unit_file_t;
++ type sensord_unit_file_t;
++ type sensord_log_t;
++ type sensord_var_run_t;
')
allow $1 sensord_t:process { ptrace signal_perms };
@@ -83056,17 +84241,19 @@ index d204752..5eba5fd 100644
+ allow $1 sensord_unit_file_t:service all_service_perms;
- files_search_pids($1)
-- admin_pattern($1, sensord_var_run_t)
++ admin_pattern($1, sensord_log_t)
+ admin_pattern($1, sensord_var_run_t)
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/sensord.te b/sensord.te
-index 5e82fd6..fa352d8 100644
+index 5e82fd6..f3e5808 100644
--- a/sensord.te
+++ b/sensord.te
-@@ -9,6 +9,9 @@ type sensord_t;
+@@ -9,12 +9,18 @@ type sensord_t;
type sensord_exec_t;
init_daemon_domain(sensord_t, sensord_exec_t)
@@ -83076,7 +84263,24 @@ index 5e82fd6..fa352d8 100644
type sensord_initrc_exec_t;
init_script_file(sensord_initrc_exec_t)
-@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file)
+ type sensord_var_run_t;
+ files_pid_file(sensord_var_run_t)
+
++type sensord_log_t;
++logging_log_file(sensord_log_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -23,13 +29,13 @@ files_pid_file(sensord_var_run_t)
+ allow sensord_t self:fifo_file rw_fifo_file_perms;
+ allow sensord_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t)
++logging_log_filetrans(sensord_t, sensord_log_t, file)
++
+ manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
+ files_pid_filetrans(sensord_t, sensord_var_run_t, file)
dev_read_sysfs(sensord_t)
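Review bot: `logging_log_filetrans(sensord_t, sensord_log_t, file)` labels any file sensord creates directly under /var/log as `sensord_log_t`, while the sensord.fc hunk above only names `/var/log/sensord\.rrd`; if the daemon creates just that one file, a named transition such as `logging_log_filetrans(sensord_t, sensord_log_t, file, "sensord.rrd")` keeps the two in agreement and avoids claiming unrelated log files, assuming the interface takes a name argument in this tree as `files_var_filetrans(..., dir, "samba")` does elsewhere on this page. The inner hunk continues past `dev_read_sysfs(sensord_t)`, so the remainder of the local policy is not visible here.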
@@ -83854,10 +85058,18 @@ index 1aeef8a..d5ce40a 100644
admin_pattern($1, shorewall_etc_t)
diff --git a/shorewall.te b/shorewall.te
-index 7710b9f..76a2c97 100644
+index 7710b9f..6195392 100644
--- a/shorewall.te
+++ b/shorewall.te
-@@ -44,9 +44,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
+@@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t)
+
+ allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
+ dontaudit shorewall_t self:capability sys_tty_config;
++allow shorewall_t self:process signal_perms;
+ allow shorewall_t self:fifo_file rw_fifo_file_perms;
+ allow shorewall_t self:netlink_socket create_socket_perms;
+
+@@ -44,9 +45,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
@@ -83868,7 +85080,7 @@ index 7710b9f..76a2c97 100644
logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
-@@ -57,6 +55,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+@@ -57,6 +56,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
@@ -83878,7 +85090,7 @@ index 7710b9f..76a2c97 100644
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
-@@ -74,7 +75,6 @@ dev_read_urand(shorewall_t)
+@@ -74,7 +76,6 @@ dev_read_urand(shorewall_t)
domain_read_all_domains_state(shorewall_t)
files_getattr_kernel_modules(shorewall_t)
@@ -83886,7 +85098,7 @@ index 7710b9f..76a2c97 100644
files_search_kernel_modules(shorewall_t)
fs_getattr_all_fs(shorewall_t)
-@@ -86,12 +86,11 @@ init_rw_utmp(shorewall_t)
+@@ -86,12 +87,11 @@ init_rw_utmp(shorewall_t)
logging_read_generic_logs(shorewall_t)
logging_send_syslog_msg(shorewall_t)
@@ -84324,6 +85536,19 @@ index 9cf6582..bc33dd7 100644
- udev_read_db(fsdaemon_t)
+ virt_read_images(fsdaemon_t)
')
+diff --git a/smokeping.fc b/smokeping.fc
+index 3359819..a231ecb 100644
+--- a/smokeping.fc
++++ b/smokeping.fc
+@@ -2,7 +2,7 @@
+
+ /usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
+
+-/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
++/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:smokeping_cgi_script_exec_t,s0)
+
+ /var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
+
diff --git a/smokeping.if b/smokeping.if
index 1fa51c1..82e111c 100644
--- a/smokeping.if
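Review bot: The .fc now emits `smokeping_cgi_script_exec_t` in place of `httpd_smokeping_cgi_script_exec_t`, so files already labeled with the old name and any local module that references `httpd_smokeping_cgi_script_t` keep working only if the new `apache_content_alias_template(smokeping_cgi, smokeping_cgi)` call in the smokeping.te hunk (`@@ -84370`) declares typealiases for the old names; confirm that before merging, or the file-context change needs a relabel step on upgrade. The same rename pattern appears in the squid.fc (`@@ -86797`) and squid.te (`@@ -86952`) hunks and should be checked the same way. This hunk is a complete new inner file diff, so it is self-contained.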
@@ -84342,7 +85567,7 @@ index 1fa51c1..82e111c 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
-index ec031a0..ebf575f 100644
+index ec031a0..26b6da1 100644
--- a/smokeping.te
+++ b/smokeping.te
@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t)
@@ -84370,15 +85595,35 @@ index ec031a0..ebf575f 100644
mta_send_mail(smokeping_t)
netutils_domtrans_ping(smokeping_t)
-@@ -70,6 +68,8 @@ optional_policy(`
- files_search_tmp(httpd_smokeping_cgi_script_t)
- files_search_var_lib(httpd_smokeping_cgi_script_t)
+@@ -60,17 +58,20 @@ netutils_domtrans_ping(smokeping_t)
-+ auth_read_passwd(httpd_smokeping_cgi_script_t)
+ optional_policy(`
+ apache_content_template(smokeping_cgi)
++ apache_content_alias_template(smokeping_cgi, smokeping_cgi)
+
- sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
++ manage_dirs_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
++ manage_files_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+
+- manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+- manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
++ getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
+
+- getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
++ files_read_etc_files(smokeping_cgi_script_t)
++ files_search_tmp(smokeping_cgi_script_t)
++ files_search_var_lib(smokeping_cgi_script_t)
+
+- files_read_etc_files(httpd_smokeping_cgi_script_t)
+- files_search_tmp(httpd_smokeping_cgi_script_t)
+- files_search_var_lib(httpd_smokeping_cgi_script_t)
++ auth_read_passwd(smokeping_cgi_script_t)
- netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
+- sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
++ sysnet_dns_name_resolve(smokeping_cgi_script_t)
+
+- netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
++ netutils_domtrans_ping(smokeping_cgi_script_t)
+ ')
diff --git a/smoltclient.te b/smoltclient.te
index b3f2c6f..dccac2a 100644
--- a/smoltclient.te
@@ -85258,7 +86503,7 @@ index 634c6b4..e1edfd9 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index f2f507d..de22c9c 100644
+index f2f507d..10b5705 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -85419,13 +86664,17 @@ index f2f507d..de22c9c 100644
')
optional_policy(`
-@@ -151,9 +198,21 @@ optional_policy(`
+@@ -151,9 +198,25 @@ optional_policy(`
')
optional_policy(`
- rpm_exec(sosreport_t)
- rpm_dontaudit_manage_db(sosreport_t)
- rpm_read_db(sosreport_t)
++ rhsmcertd_manage_lib_files(sosreport_t)
++')
++
++optional_policy(`
+ rpm_dontaudit_manage_db(sosreport_t)
+ rpm_manage_cache(sosreport_t)
+ rpm_manage_log(sosreport_t)
@@ -86775,6 +88024,221 @@ index cc58e35..ecd30f3 100644
+ gpg_manage_home_content(spamd_update_t)
')
+
+diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc
+new file mode 100644
+index 0000000..545f682
+--- /dev/null
++++ b/speech-dispatcher.fc
+@@ -0,0 +1,5 @@
++/usr/bin/speech-dispatcher -- gen_context(system_u:object_r:speech-dispatcher_exec_t,s0)
++
++/usr/lib/systemd/system/speech-dispatcherd.service -- gen_context(system_u:object_r:speech-dispatcher_unit_file_t,s0)
++
++/var/log/speech-dispatcher(/.*)? gen_context(system_u:object_r:speech-dispatcher_log_t,s0)
+diff --git a/speech-dispatcher.if b/speech-dispatcher.if
+new file mode 100644
+index 0000000..ddfed09
+--- /dev/null
++++ b/speech-dispatcher.if
+@@ -0,0 +1,142 @@
++
++## <summary>speech-dispatcher - server process managing speech requests in Speech Dispatcher</summary>
++
++########################################
++## <summary>
++## Execute speech-dispatcher in the speech-dispatcher domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`speech-dispatcher_domtrans',`
++ gen_require(`
++ type speech-dispatcher_t, speech-dispatcher_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, speech-dispatcher_exec_t, speech-dispatcher_t)
++')
++########################################
++## <summary>
++## Read speech-dispatcher's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`speech-dispatcher_read_log',`
++ gen_require(`
++ type speech-dispatcher_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
++')
++
++########################################
++## <summary>
++## Append to speech-dispatcher log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`speech-dispatcher_append_log',`
++ gen_require(`
++ type speech-dispatcher_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
++')
++
++########################################
++## <summary>
++## Manage speech-dispatcher log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`speech-dispatcher_manage_log',`
++ gen_require(`
++ type speech-dispatcher_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
++ manage_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
++ manage_lnk_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
++')
++########################################
++## <summary>
++## Execute speech-dispatcher server in the speech-dispatcher domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`speech-dispatcher_systemctl',`
++ gen_require(`
++ type speech-dispatcher_t;
++ type speech-dispatcher_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 speech-dispatcher_unit_file_t:file read_file_perms;
++ allow $1 speech-dispatcher_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, speech-dispatcher_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an speech-dispatcher environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`speech-dispatcher_admin',`
++ gen_require(`
++ type speech-dispatcher_t;
++ type speech-dispatcher_log_t;
++ type speech-dispatcher_unit_file_t;
++ ')
++
++ allow $1 speech-dispatcher_t:process { signal_perms };
++ ps_process_pattern($1, speech-dispatcher_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 speech-dispatcher_t:process ptrace;
++ ')
++
++ logging_search_logs($1)
++ admin_pattern($1, speech-dispatcher_log_t)
++
++ speech-dispatcher_systemctl($1)
++ admin_pattern($1, speech-dispatcher_unit_file_t)
++ allow $1 speech-dispatcher_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/speech-dispatcher.te b/speech-dispatcher.te
+new file mode 100644
+index 0000000..57372d0
+--- /dev/null
++++ b/speech-dispatcher.te
+@@ -0,0 +1,50 @@
++policy_module(speech-dispatcher, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type speech-dispatcher_t;
++type speech-dispatcher_exec_t;
++init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t)
++
++type speech-dispatcher_log_t;
++logging_log_file(speech-dispatcher_log_t)
++
++type speech-dispatcher_unit_file_t;
++systemd_unit_file(speech-dispatcher_unit_file_t)
++
++type speech-dispatcher_tmp_t;
++files_tmp_file(speech-dispatcher_tmp_t)
++
++type speech-dispatcher_tmpfs_t;
++files_tmpfs_file(speech-dispatcher_tmpfs_t)
++
++########################################
++#
++# speech-dispatcher local policy
++#
++allow speech-dispatcher_t self:process { fork signal_perms };
++allow speech-dispatcher_t self:fifo_file rw_fifo_file_perms;
++allow speech-dispatcher_t self:unix_stream_socket create_stream_socket_perms;
++allow speech-dispatcher_t self:tcp_socket create_socket_perms;
++
++manage_dirs_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t)
++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t)
++logging_log_filetrans(speech-dispatcher_t, speech-dispatcher_log_t, { dir })
++
++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmp_t, speech-dispatcher_tmp_t)
++files_tmp_filetrans(speech-dispatcher_t, speech-dispatcher_tmp_t, { file })
++
++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmpfs_t, speech-dispatcher_tmpfs_t)
++fs_tmpfs_filetrans(speech-dispatcher_t, speech-dispatcher_tmpfs_t, { file })
++
++kernel_read_system_state(speech-dispatcher_t)
++
++auth_read_passwd(speech-dispatcher_t)
++
++corenet_tcp_connect_pdps_port(speech-dispatcher_t)
++
++dev_read_urand(speech-dispatcher_t)
++
diff --git a/speedtouch.te b/speedtouch.te
index b38b8b1..eb36653 100644
--- a/speedtouch.te
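Review bot: `speech-dispatcher_systemctl` in the new speech-dispatcher.if carries a copied summary, `Execute speech-dispatcher server in the speech-dispatcher domain.`, that describes `speech-dispatcher_domtrans` rather than what the interface does; change it to `## Execute systemctl to manage the speech-dispatcher service.`, and in `speech-dispatcher_admin` the summary should read `a speech-dispatcher environment`. In speech-dispatcher.te, `logging_log_filetrans(speech-dispatcher_t, speech-dispatcher_log_t, { dir })` would be tighter as a named transition on `"speech-dispatcher"`, matching the `/var/log/speech-dispatcher(/.*)?` entry in the .fc, if the interface accepts a name argument in this tree as `files_var_filetrans(..., dir, "samba")` does elsewhere on this page. The daemon gets `self:tcp_socket create_socket_perms` and `corenet_tcp_connect_pdps_port` but no bind or listen rule; if the server is meant to accept client connections on the pdps port that rule is missing, and if not, the tcp_socket grant may be wider than needed, so it is worth confirming against the denials the policy was written from.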
@@ -86797,25 +88261,25 @@ index b38b8b1..eb36653 100644
userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
diff --git a/squid.fc b/squid.fc
-index 0a8b0f7..ebbec17 100644
+index 0a8b0f7..5b066d3 100644
--- a/squid.fc
+++ b/squid.fc
@@ -1,12 +1,15 @@
-/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
--
--/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
- /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+-/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
++/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0)
+-/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)
-+
+
/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
-+/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
++/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:squid_script_exec_t,s0)
/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
@@ -86866,7 +88330,7 @@ index 5e1f053..e7820bc 100644
domain_system_change_exemption($1)
role_transition $2 squid_initrc_exec_t system_r;
diff --git a/squid.te b/squid.te
-index 03472ed..7cb8bec 100644
+index 03472ed..4ade5f1 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
@@ -86952,30 +88416,41 @@ index 03472ed..7cb8bec 100644
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
-@@ -198,6 +202,8 @@ tunable_policy(`squid_use_tproxy',`
+@@ -197,28 +201,31 @@ tunable_policy(`squid_use_tproxy',`
+
optional_policy(`
apache_content_template(squid)
-
-+ allow httpd_squid_script_t self:tcp_socket create_socket_perms;
-+
- corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
- corenet_all_recvfrom_netlabel(httpd_squid_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
-@@ -207,18 +213,18 @@ optional_policy(`
- corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
- corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
++ apache_content_alias_template(squid, squid)
+
+- corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+- corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+- corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
+- corenet_tcp_sendrecv_generic_node(httpd_squid_script_t)
++ allow squid_script_t self:tcp_socket create_socket_perms;
+
+- corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t)
+- corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+- corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
++ corenet_all_recvfrom_unlabeled(squid_script_t)
++ corenet_all_recvfrom_netlabel(squid_script_t)
++ corenet_tcp_sendrecv_generic_if(squid_script_t)
++ corenet_tcp_sendrecv_generic_node(squid_script_t)
- sysnet_dns_name_resolve(httpd_squid_script_t)
-+ corenet_tcp_connect_squid_port(httpd_squid_script_t)
++ corenet_sendrecv_http_cache_client_packets(squid_script_t)
++ corenet_tcp_connect_http_cache_port(squid_script_t)
++ corenet_tcp_sendrecv_http_cache_port(squid_script_t)
- squid_read_config(httpd_squid_script_t)
-')
-+ sysnet_dns_name_resolve(httpd_squid_script_t)
++ corenet_tcp_connect_squid_port(squid_script_t)
-optional_policy(`
- cron_system_entry(squid_t, squid_exec_t)
++ sysnet_dns_name_resolve(squid_script_t)
++
+ optional_policy(`
-+ squid_read_config(httpd_squid_script_t)
++ squid_read_config(squid_script_t)
+ ')
')
@@ -86987,7 +88462,7 @@ index 03472ed..7cb8bec 100644
')
optional_policy(`
-@@ -236,3 +242,24 @@ optional_policy(`
+@@ -236,3 +243,24 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -87416,7 +88891,7 @@ index a240455..16a04bf 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..290807b 100644
+index 2d8db1f..fb9841f 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -87501,7 +88976,7 @@ index 2d8db1f..290807b 100644
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
auth_manage_cache(sssd_t)
-@@ -112,18 +106,32 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +106,34 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -87512,6 +88987,7 @@ index 2d8db1f..290807b 100644
+userdom_manage_tmp_role(system_r, sssd_t)
+userdom_manage_all_users_keys(sssd_t)
++userdom_home_reader(sssd_t)
+
optional_policy(`
dbus_system_bus_client(sssd_t)
@@ -87528,15 +89004,16 @@ index 2d8db1f..290807b 100644
+
+optional_policy(`
+ dirsrv_stream_connect(sssd_t)
- ')
++')
+
+optional_policy(`
+ ldap_stream_connect(sssd_t)
-+ ldap_read_certs(sssd_t)
++ ldap_read_certs(sssd_t)
+')
+
-+userdom_home_reader(sssd_t)
-+
++optional_policy(`
++ systemd_login_read_pid_files(sssd_t)
+ ')
diff --git a/stapserver.fc b/stapserver.fc
new file mode 100644
index 0000000..0ccce59
@@ -95206,10 +96683,10 @@ index facdee8..43128c6 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..6771aec 100644
+index f03dcf5..eeb0c89 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,150 +1,190 @@
+@@ -1,150 +1,197 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -95347,6 +96824,8 @@ index f03dcf5..6771aec 100644
-attribute virt_image_type;
-attribute virt_tmp_type;
-attribute virt_tmpfs_type;
+-
+-attribute svirt_lxc_domain;
+## <desc>
+## <p>
+## Allow confined virtual guests to use usb devices
@@ -95354,14 +96833,6 @@ index f03dcf5..6771aec 100644
+## </desc>
+gen_tunable(virt_use_usb, true)
--attribute svirt_lxc_domain;
-+## <desc>
-+## <p>
-+## Allow sandbox containers to use netlink system calls
-+## </p>
-+## </desc>
-+gen_tunable(virt_sandbox_use_netlink, false)
-
-attribute_role virt_domain_roles;
-roleattribute system_r virt_domain_roles;
+## <desc>
@@ -95373,20 +96844,33 @@ index f03dcf5..6771aec 100644
-attribute_role virt_bridgehelper_roles;
-roleattribute system_r virt_bridgehelper_roles;
-+virt_domain_template(svirt)
-+role system_r types svirt_t;
-+typealias svirt_t alias qemu_t;
++## <desc>
++## <p>
++## Allow sandbox containers to use netlink system calls
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_netlink, false)
-attribute_role svirt_lxc_domain_roles;
-roleattribute system_r svirt_lxc_domain_roles;
-+virt_domain_template(svirt_tcg)
-+role system_r types svirt_tcg_t;
++## <desc>
++## <p>
++## Allow sandbox containers to use sys_admin system calls, for example mount
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_sys_admin, false)
--virt_domain_template(svirt)
+ virt_domain_template(svirt)
-virt_domain_template(svirt_prot_exec)
-+type qemu_exec_t, virt_file_type;
++role system_r types svirt_t;
++typealias svirt_t alias qemu_t;
++
++virt_domain_template(svirt_tcg)
++role system_r types svirt_tcg_t;
-type virt_cache_t alias svirt_cache_t;
++type qemu_exec_t, virt_file_type;
++
+type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
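Review bot: `gen_tunable(virt_sandbox_use_sys_admin, false)` is declared here but the `tunable_policy` block that consumes it is not in this hunk; confirm one exists on the new side, since a declared-but-unused tunable would leave the commit-message claim that sys_admin/mount is off by default unenforced. The rest of the hunk only moves the `virt_sandbox_use_netlink` declaration and the `svirt`/`svirt_tcg` template calls so that all tunables precede the type declarations, which is the usual layout. The outer hunk ends at `files_type(virt_cache_t)`; the remaining declarations are not visible here.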
@@ -95471,7 +96955,7 @@ index f03dcf5..6771aec 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -153,299 +193,144 @@ ifdef(`enable_mls',`
+@@ -153,299 +200,132 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -95665,27 +97149,18 @@ index f03dcf5..6771aec 100644
- fs_manage_nfs_named_sockets(virt_domain)
- fs_read_nfs_symlinks(virt_domain)
-')
-+type virtd_lxc_t, virt_system_domain;
-+type virtd_lxc_exec_t, virt_file_type;
-+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
-
+-
-tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs(virt_domain)
- fs_manage_cifs_files(virt_domain)
- fs_manage_cifs_named_sockets(virt_domain)
- fs_read_cifs_symlinks(virt_domain)
-')
-+type virt_lxc_var_run_t, virt_file_type;
-+files_pid_file(virt_lxc_var_run_t)
-+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
-
+-
-tunable_policy(`virt_use_sysfs',`
- dev_rw_sysfs(virt_domain)
-')
-+# virt lxc container files
-+type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type;
-+files_mountpoint(svirt_sandbox_file_t)
-
+-
-tunable_policy(`virt_use_usb',`
- dev_rw_usbfs(virt_domain)
- dev_read_sysfs(virt_domain)
@@ -95693,53 +97168,42 @@ index f03dcf5..6771aec 100644
- fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain)
-')
-+########################################
-+#
-+# svirt local policy
-+#
-
+-
-optional_policy(`
- tunable_policy(`virt_use_xserver',`
- xserver_read_xdm_pid(virt_domain)
- xserver_stream_connect(virt_domain)
- ')
-')
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-optional_policy(`
- dbus_read_lib_files(virt_domain)
-')
-+corenet_udp_sendrecv_generic_if(svirt_t)
-+corenet_udp_sendrecv_generic_node(svirt_t)
-+corenet_udp_sendrecv_all_ports(svirt_t)
-+corenet_udp_bind_generic_node(svirt_t)
-+corenet_udp_bind_all_ports(svirt_t)
-+corenet_tcp_bind_all_ports(svirt_t)
-+corenet_tcp_connect_all_ports(svirt_t)
-
+-
-optional_policy(`
- nscd_use(virt_domain)
-')
-+miscfiles_read_generic_certs(svirt_t)
++type virtd_lxc_t, virt_system_domain;
++type virtd_lxc_exec_t, virt_file_type;
++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
- optional_policy(`
+-optional_policy(`
- samba_domtrans_smbd(virt_domain)
-+ nscd_dontaudit_write_sock_file(svirt_t)
- ')
+-')
++type virt_lxc_var_run_t, virt_file_type;
++files_pid_file(virt_lxc_var_run_t)
++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
- optional_policy(`
+-optional_policy(`
- xen_rw_image_files(virt_domain)
-+ sssd_dontaudit_stream_connect(svirt_t)
-+ sssd_dontaudit_read_lib(svirt_t)
-+ sssd_dontaudit_read_public_files(svirt_t)
- ')
+-')
++# virt lxc container files
++type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type;
++files_mountpoint(svirt_sandbox_file_t)
--########################################
-+#######################################
+ ########################################
#
--# svirt local policy
-+# svirt_prot_exec local policy
+ # svirt local policy
#
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -95761,26 +97225,35 @@ index f03dcf5..6771aec 100644
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
--corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_tcp_sendrecv_generic_node(svirt_t)
--corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_tcp_sendrecv_all_ports(svirt_t)
--corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
--corenet_udp_bind_generic_node(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
-
-corenet_sendrecv_all_server_packets(svirt_t)
--corenet_udp_bind_all_ports(svirt_t)
--corenet_tcp_bind_all_ports(svirt_t)
+ corenet_udp_bind_all_ports(svirt_t)
+ corenet_tcp_bind_all_ports(svirt_t)
+-
+-corenet_sendrecv_all_client_packets(svirt_t)
+ corenet_tcp_connect_all_ports(svirt_t)
+
++#######################################
++#
++# svirt_prot_exec local policy
++#
++
+allow svirt_tcg_t self:process { execmem execstack };
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
--corenet_sendrecv_all_client_packets(svirt_t)
--corenet_tcp_connect_all_ports(svirt_t)
++
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
+corenet_udp_sendrecv_generic_node(svirt_tcg_t)
+corenet_udp_sendrecv_all_ports(svirt_tcg_t)
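Review bot: The section header written in the middle of this hunk still reads `# svirt_prot_exec local policy`, yet every rule beneath it is for `svirt_tcg_t`, and this same commit replaces `virt_domain_template(svirt_prot_exec)` with `virt_domain_template(svirt_tcg)` near the top of the file. Rename it to `# svirt_tcg local policy` so the comment names the domain it documents; the separator line above it also appears one `#` shorter than the other section separators in the file. The comment `# it was a part of auth_use_nsswitch` above the netlink_route_socket rule would read better as `# netlink_route_socket was previously granted through auth_use_nsswitch; kept explicitly here` so the next reader knows the grant is intentional rather than a leftover.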
@@ -95788,7 +97261,7 @@ index f03dcf5..6771aec 100644
+corenet_udp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_connect_all_ports(svirt_tcg_t)
-
++
########################################
#
# virtd local policy
@@ -95857,7 +97330,7 @@ index f03dcf5..6771aec 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +340,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +335,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -95904,29 +97377,29 @@ index f03dcf5..6771aec 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,16 +375,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,16 +370,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+-
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -520,6 +388,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -520,6 +383,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -95934,7 +97407,7 @@ index f03dcf5..6771aec 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +396,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +391,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -95962,7 +97435,7 @@ index f03dcf5..6771aec 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,22 +416,27 @@ dev_rw_vhost(virtd_t)
+@@ -555,22 +411,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -95995,7 +97468,7 @@ index f03dcf5..6771aec 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -601,15 +467,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +462,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -96015,7 +97488,7 @@ index f03dcf5..6771aec 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +489,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +484,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -96052,7 +97525,7 @@ index f03dcf5..6771aec 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +517,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +512,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -96061,7 +97534,7 @@ index f03dcf5..6771aec 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +542,12 @@ optional_policy(`
+@@ -665,20 +537,12 @@ optional_policy(`
')
optional_policy(`
@@ -96082,7 +97555,7 @@ index f03dcf5..6771aec 100644
')
optional_policy(`
-@@ -691,20 +560,26 @@ optional_policy(`
+@@ -691,20 +555,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -96113,7 +97586,7 @@ index f03dcf5..6771aec 100644
')
optional_policy(`
-@@ -712,11 +587,13 @@ optional_policy(`
+@@ -712,11 +582,13 @@ optional_policy(`
')
optional_policy(`
@@ -96127,7 +97600,7 @@ index f03dcf5..6771aec 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +604,18 @@ optional_policy(`
+@@ -727,10 +599,18 @@ optional_policy(`
')
optional_policy(`
@@ -96146,7 +97619,7 @@ index f03dcf5..6771aec 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +631,264 @@ optional_policy(`
+@@ -746,44 +626,276 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -96246,7 +97719,7 @@ index f03dcf5..6771aec 100644
-can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
++
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@@ -96290,6 +97763,8 @@ index f03dcf5..6771aec 100644
+
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
++miscfiles_read_generic_certs(virt_domain)
++
+storage_raw_read_removable_device(virt_domain)
+
+sysnet_read_config(virt_domain)
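Review bot: `miscfiles_read_generic_certs(virt_domain)` is added under the existing `# I think we need these for now.` comment, which gives no reason for either grant. Because this applies to every virt_domain (guests and sandboxes alike), a one-line why-comment such as `# guests read the system CA bundle for TLS; <reason or bug reference here>` would let a later reviewer decide whether a tunable or a narrower set of domains is warranted; the concrete use case is not visible in this hunk, so fill in the real one.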
@@ -96308,6 +97783,10 @@ index f03dcf5..6771aec 100644
+')
+
+optional_policy(`
++ nscd_dontaudit_write_sock_file(virt_domain)
++')
++
++optional_policy(`
+ ptchown_domtrans(virt_domain)
+')
+
@@ -96316,6 +97795,12 @@ index f03dcf5..6771aec 100644
+')
+
+optional_policy(`
++ sssd_dontaudit_stream_connect(virt_domain)
++ sssd_dontaudit_read_lib(virt_domain)
++ sssd_dontaudit_read_public_files(virt_domain)
++')
++
++optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
+ virt_read_content(virt_domain)
@@ -96332,7 +97817,7 @@ index f03dcf5..6771aec 100644
+ term_use_unallocated_ttys(virt_domain)
+ dev_rw_printer(virt_domain)
+')
-+
+
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virt_domain)
+ fs_manage_fusefs_files(virt_domain)
@@ -96433,7 +97918,7 @@ index f03dcf5..6771aec 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +899,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +906,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -96460,7 +97945,7 @@ index f03dcf5..6771aec 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +919,23 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +926,23 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -96493,7 +97978,7 @@ index f03dcf5..6771aec 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +954,20 @@ optional_policy(`
+@@ -856,14 +961,20 @@ optional_policy(`
')
optional_policy(`
@@ -96515,7 +98000,7 @@ index f03dcf5..6771aec 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +992,65 @@ optional_policy(`
+@@ -888,49 +999,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -96555,7 +98040,7 @@ index f03dcf5..6771aec 100644
manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
-+allow virtd_t virtd_lxc_t:process { getattr signal signull sigkill };
++allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms };
+
allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
-manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
@@ -96599,7 +98084,7 @@ index f03dcf5..6771aec 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1062,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1069,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -96619,7 +98104,7 @@ index f03dcf5..6771aec 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1083,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1090,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -96643,7 +98128,7 @@ index f03dcf5..6771aec 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1108,256 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1115,271 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -96670,14 +98155,18 @@ index f03dcf5..6771aec 100644
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
+optional_policy(`
++ docker_exec_lib(virtd_lxc_t)
++')
++
++optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -96770,6 +98259,11 @@ index f03dcf5..6771aec 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
++
++optional_policy(`
++ apache_exec_modules(svirt_sandbox_domain)
++ apache_read_sys_content(svirt_sandbox_domain)
++')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -96854,22 +98348,22 @@ index f03dcf5..6771aec 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ apache_exec_modules(svirt_sandbox_domain)
-+ apache_read_sys_content(svirt_sandbox_domain)
++ docker_read_lib_files(svirt_sandbox_domain)
++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
-+ ssh_use_ptys(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
+
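Review bot: `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` is missing the space after the first comma that every other call in this file uses; write it `docker_lib_filetrans(svirt_sandbox_domain, svirt_sandbox_file_t, sock_file)`. Paired with `docker_read_lib_files(svirt_sandbox_domain)` it gives every sandbox domain read access to docker's lib tree, which, if that tree holds other containers' images or state, is a cross-container disclosure path; the interface bodies are not in this hunk, so confirm what the docker lib type covers and add a comment such as `# docker bind-mounts part of its lib dir into containers; sockets created there get svirt_sandbox_file_t` stating the intended scope.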
@@ -96886,7 +98380,7 @@ index f03dcf5..6771aec 100644
+typeattribute svirt_lxc_net_t sandbox_net_domain;
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap };
dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-allow svirt_lxc_net_t self:process setrlimit;
-allow svirt_lxc_net_t self:tcp_socket { accept listen };
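Review bot: Dropping `sys_admin` from the unconditional capability line for svirt_lxc_net_t and regranting it under `tunable_policy(`virt_sandbox_use_sys_admin', ...)` in the next hunk is the right shape, but the remaining default set still hands every net-enabled sandbox `sys_ptrace`, `sys_chroot`, `sys_boot`, `ipc_lock` and `dac_override`. Whether the default container workload needs each of those is not visible here; a short comment on the line naming which container operation requires each (or moving `sys_boot` and `sys_ptrace` behind the same boolean) would keep the reduction reviewable later. The tunable description added earlier in this patch says "for example mount", which matches the gated grant.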
@@ -96901,6 +98395,10 @@ index f03dcf5..6771aec 100644
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process { execstack execmem };
++
++tunable_policy(`virt_sandbox_use_sys_admin',`
++ allow svirt_lxc_net_t self:capability sys_admin;
++')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -96916,6 +98414,8 @@ index f03dcf5..6771aec 100644
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+ allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++', `
++ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
@@ -96991,7 +98491,8 @@ index f03dcf5..6771aec 100644
+dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+
@@ -97003,8 +98504,7 @@ index f03dcf5..6771aec 100644
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+files_read_kernel_modules(svirt_qemu_net_t)
+
+fs_noxattr_type(svirt_sandbox_file_t)
@@ -97038,7 +98538,7 @@ index f03dcf5..6771aec 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1370,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1392,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -97053,7 +98553,7 @@ index f03dcf5..6771aec 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1388,8 @@ optional_policy(`
+@@ -1192,9 +1410,8 @@ optional_policy(`
########################################
#
@@ -97064,7 +98564,7 @@ index f03dcf5..6771aec 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1402,198 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1424,198 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -97806,6 +99306,68 @@ index 95b26d1..55557cb 100644
-optional_policy(`
- seutil_use_newrole_fds(vpnc_t)
-')
+diff --git a/w3c.fc b/w3c.fc
+index 463c799..227feaf 100644
+--- a/w3c.fc
++++ b/w3c.fc
+@@ -1,4 +1,4 @@
+-/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
++/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
+
+-/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+-/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
++/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:w3c_validator_content_t,s0)
++/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
+diff --git a/w3c.te b/w3c.te
+index b14d6a9..ac1944e 100644
+--- a/w3c.te
++++ b/w3c.te
+@@ -6,29 +6,30 @@ policy_module(w3c, 1.1.0)
+ #
+
+ apache_content_template(w3c_validator)
++apache_content_alias_template(w3c_validator, w3c_validator)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+-corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t)
+-corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_generic_if(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_generic_node(httpd_w3c_validator_script_t)
++corenet_all_recvfrom_unlabeled(w3c_validator_script_t)
++corenet_all_recvfrom_netlabel(w3c_validator_script_t)
++corenet_tcp_sendrecv_generic_if(w3c_validator_script_t)
++corenet_tcp_sendrecv_generic_node(w3c_validator_script_t)
+
+-corenet_sendrecv_ftp_client_packets(httpd_w3c_validator_script_t)
+-corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
++corenet_sendrecv_ftp_client_packets(w3c_validator_script_t)
++corenet_tcp_connect_ftp_port(w3c_validator_script_t)
++corenet_tcp_sendrecv_ftp_port(w3c_validator_script_t)
+
+-corenet_sendrecv_http_client_packets(httpd_w3c_validator_script_t)
+-corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
++corenet_sendrecv_http_client_packets(w3c_validator_script_t)
++corenet_tcp_connect_http_port(w3c_validator_script_t)
++corenet_tcp_sendrecv_http_port(w3c_validator_script_t)
+
+-corenet_sendrecv_http_cache_client_packets(httpd_w3c_validator_script_t)
+-corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
++corenet_sendrecv_http_cache_client_packets(w3c_validator_script_t)
++corenet_tcp_connect_http_cache_port(w3c_validator_script_t)
++corenet_tcp_sendrecv_http_cache_port(w3c_validator_script_t)
+
+-miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
++miscfiles_read_generic_certs(w3c_validator_script_t)
+
+-sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
++sysnet_dns_name_resolve(w3c_validator_script_t)
diff --git a/watchdog.fc b/watchdog.fc
index eecd0e0..8df2e8c 100644
--- a/watchdog.fc
@@ -98153,11 +99715,21 @@ index 2a6cae7..6d0a2a1 100644
tunable_policy(`webadm_manage_user_files',`
userdom_manage_user_home_content_files(webadm_t)
+diff --git a/webalizer.fc b/webalizer.fc
+index 64baf67..76c753b 100644
+--- a/webalizer.fc
++++ b/webalizer.fc
+@@ -6,4 +6,4 @@
+
+ /var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0)
+
+-/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0)
++/var/www/usage(/.*)? gen_context(system_u:object_r:webalizer_rw_content_t,s0)
diff --git a/webalizer.te b/webalizer.te
-index ae919b9..e0b1983 100644
+index ae919b9..32cbf8c 100644
--- a/webalizer.te
+++ b/webalizer.te
-@@ -55,27 +55,35 @@ can_exec(webalizer_t, webalizer_exec_t)
+@@ -55,29 +55,36 @@ can_exec(webalizer_t, webalizer_exec_t)
kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
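Review bot: The new file context `/var/www/usage(/.*)? gen_context(system_u:object_r:webalizer_rw_content_t,s0)` names a type that is not declared in this hunk or in the following webalizer.te hunk, which only shows `apache_content_template(webalizer)` and `apache_content_alias_template(webalizer, webalizer)`; presumably the template generates `webalizer_rw_content_t`, but confirm it, since an undeclared type in an .fc file breaks the file_contexts build. The webalizer.te hunk also removes the per-type `manage_dirs_pattern`/`manage_files_pattern` on httpd_webalizer_content_t and leaves `apache_manage_sys_content(webalizer_t)` as the write path, which, if that interface covers all httpd sys content types, is wider than the previous grant; a comment on that line stating the intended scope would help.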
@@ -98193,10 +99765,13 @@ index ae919b9..e0b1983 100644
optional_policy(`
apache_read_log(webalizer_t)
apache_content_template(webalizer)
+- manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+- manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
++ apache_content_alias_template(webalizer, webalizer)
+ apache_manage_sys_content(webalizer_t)
- manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
- manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
')
+
+ optional_policy(`
diff --git a/wine.if b/wine.if
index fd2b6cc..938c4a7 100644
--- a/wine.if
@@ -100156,10 +101731,10 @@ index 2695db2..123c042 100644
userdom_search_user_home_dirs(yam_t)
diff --git a/zabbix.fc b/zabbix.fc
-index c3b5a81..7d8b570 100644
+index c3b5a81..52c1586 100644
--- a/zabbix.fc
+++ b/zabbix.fc
-@@ -4,11 +4,15 @@
+@@ -4,12 +4,17 @@
/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
@@ -100174,8 +101749,10 @@ index c3b5a81..7d8b570 100644
+/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0)
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+ /var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
diff --git a/zabbix.if b/zabbix.if
index dd63de0..38ce620 100644
--- a/zabbix.if
@@ -100339,10 +101916,10 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..922b7e0 100644
+index 7f496c6..f24bf4b 100644
--- a/zabbix.te
+++ b/zabbix.te
-@@ -6,21 +6,23 @@ policy_module(zabbix, 1.6.0)
+@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
#
## <desc>
@@ -100369,7 +101946,24 @@ index 7f496c6..922b7e0 100644
type zabbix_agent_exec_t;
init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
-@@ -41,22 +43,40 @@ files_pid_file(zabbix_var_run_t)
+ type zabbix_agent_initrc_exec_t;
+ init_script_file(zabbix_agent_initrc_exec_t)
+
++type zabbixd_var_lib_t;
++files_type(zabbixd_var_lib_t)
++
+ type zabbix_log_t;
+ logging_log_file(zabbix_log_t)
+
+@@ -36,27 +41,53 @@ files_tmp_file(zabbix_tmp_t)
+ type zabbix_tmpfs_t;
+ files_tmpfs_file(zabbix_tmpfs_t)
+
++type zabbix_var_lib_t;
++files_type(zabbix_var_lib_t)
++
+ type zabbix_var_run_t;
+ files_pid_file(zabbix_var_run_t)
########################################
#
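Review bot: `type zabbixd_var_lib_t;` and `files_type(zabbixd_var_lib_t)` declare a second var_lib type that nothing in this commit references: the file context for /var/lib/zabbixsrv and the manage patterns added further down both use `zabbix_var_lib_t`, which this same hunk also declares. Unless zabbixd_var_lib_t is used elsewhere in the module, it looks like a leftover from a rename; drop the two lines so the policy does not carry an orphan type with no rules attached.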
@@ -100409,6 +102003,11 @@ index 7f496c6..922b7e0 100644
-allow zabbix_t self:shm create_shm_perms;
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_t self:capability { dac_read_search dac_override };
++
++manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
@@ -100422,7 +102021,7 @@ index 7f496c6..922b7e0 100644
manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-@@ -70,13 +90,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -70,13 +101,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
kernel_read_system_state(zabbix_t)
@@ -100436,7 +102035,13 @@ index 7f496c6..922b7e0 100644
corenet_sendrecv_ftp_client_packets(zabbix_t)
corenet_tcp_connect_ftp_port(zabbix_t)
-@@ -90,17 +106,8 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t)
+@@ -85,22 +112,14 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
+ corenet_sendrecv_http_client_packets(zabbix_t)
+ corenet_tcp_connect_http_port(zabbix_t)
+ corenet_tcp_sendrecv_http_port(zabbix_t)
++corenet_tcp_connect_smtp_port(zabbix_t)
+
+ corenet_sendrecv_zabbix_server_packets(zabbix_t)
corenet_tcp_bind_zabbix_port(zabbix_t)
corenet_tcp_sendrecv_zabbix_port(zabbix_t)
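Review bot: `corenet_tcp_connect_smtp_port(zabbix_t)` is granted unconditionally even though the module already has a `zabbix_can_network` tunable (visible further down in this file) that gates other outbound connections. If the SMTP connect exists only for alert e-mail it may be reasonable to leave it always on, but say so with a comment, e.g. `# zabbix_server delivers alert mail directly over SMTP`, or place it inside the tunable so sites that do not want the server reaching out can keep it off.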
@@ -100454,7 +102059,7 @@ index 7f496c6..922b7e0 100644
zabbix_agent_tcp_connect(zabbix_t)
tunable_policy(`zabbix_can_network',`
-@@ -110,12 +117,11 @@ tunable_policy(`zabbix_can_network',`
+@@ -110,12 +129,11 @@ tunable_policy(`zabbix_can_network',`
')
optional_policy(`
@@ -100469,7 +102074,7 @@ index 7f496c6..922b7e0 100644
')
optional_policy(`
-@@ -125,6 +131,7 @@ optional_policy(`
+@@ -125,6 +143,7 @@ optional_policy(`
optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t)
@@ -100477,7 +102082,7 @@ index 7f496c6..922b7e0 100644
')
########################################
-@@ -132,18 +139,7 @@ optional_policy(`
+@@ -132,18 +151,7 @@ optional_policy(`
# Agent local policy
#
@@ -100497,7 +102102,7 @@ index 7f496c6..922b7e0 100644
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -151,16 +147,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -151,16 +159,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
@@ -100516,7 +102121,7 @@ index 7f496c6..922b7e0 100644
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -177,12 +169,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,12 +181,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t)
@@ -100530,7 +102135,7 @@ index 7f496c6..922b7e0 100644
fs_getattr_all_fs(zabbix_agent_t)
-@@ -190,8 +181,14 @@ init_read_utmp(zabbix_agent_t)
+@@ -190,8 +193,14 @@ init_read_utmp(zabbix_agent_t)
logging_search_logs(zabbix_agent_t)
@@ -101340,7 +102945,7 @@ index 2e80d04..3a76167 100644
+')
diff --git a/zoneminder.fc b/zoneminder.fc
new file mode 100644
-index 0000000..8c61505
+index 0000000..ceaa219
--- /dev/null
+++ b/zoneminder.fc
@@ -0,0 +1,13 @@
@@ -101350,7 +102955,7 @@ index 0000000..8c61505
+
+/usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0)
+
-+/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
++/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:zoneminder_script_exec_t,s0)
+
+/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
+
@@ -101739,7 +103344,7 @@ index 0000000..d02a6f4
+
diff --git a/zoneminder.te b/zoneminder.te
new file mode 100644
-index 0000000..add28f7
+index 0000000..b66e76d
--- /dev/null
+++ b/zoneminder.te
@@ -0,0 +1,187 @@
@@ -101909,26 +103514,26 @@ index 0000000..add28f7
+
+optional_policy(`
+ apache_content_template(zoneminder)
++ apache_content_alias_template(zoneminder, zoneminder)
+
+ # need more testing
-+ #allow httpd_zoneminder_script_t self:shm create_shm_perms;
++ #allow zoneminder_script_t self:shm create_shm_perms;
+
-+ manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++ manage_sock_files_pattern(zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+
-+ rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++ rw_files_pattern(zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+
-+ zoneminder_stream_connect(httpd_zoneminder_script_t)
++ zoneminder_stream_connect(zoneminder_script_t)
+
-+ can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
++ can_exec(zoneminder_t, zoneminder_script_exec_t)
+
-+ files_search_var_lib(httpd_zoneminder_script_t)
++ files_search_var_lib(zoneminder_script_t)
+
-+ logging_send_syslog_msg(httpd_zoneminder_script_t)
++ logging_send_syslog_msg(zoneminder_script_t)
+
+ optional_policy(`
-+ mysql_stream_connect(httpd_zoneminder_script_t)
++ mysql_stream_connect(zoneminder_script_t)
+ ')
-+
+')
diff --git a/zosremote.if b/zosremote.if
index b14698c..16e1581 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 61c0aa9..cc10110 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -576,6 +576,62 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jan 6 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-11
+- passwd to create gnome-keyring passwd socket
+- systemd_systemctl needs sys_admin capability
+- Allow cobbler to search dhcp_etc_t directory
+- Allow sytemd_tmpfiles_t to delete all directories
+- allow sshd to write to all process levels in order to change passwd when running at a level
+- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range
+- Allow apcuspd_t to status and start the power unit file
+- Allow udev to manage kdump unit file
+- Added new interface modutils_dontaudit_exec_insmod
+- Add labeling for /var/lib/servicelog/servicelog.db-journal
+- Allow init_t to create tmpfs_t lnk_file
+- Add label for ~/.cvsignore
+- Allow fprintd_t to send syslog messages
+- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port
+- Allow mozilla plugin to chat with policykit, needed for spice
+- Allow gssprozy to change user and gid, as well as read user keyrings
+- Allow sandbox apps to attempt to set and get capabilties
+- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
+- allow modemmanger to read /dev/urand
+- Allow polipo to connect to http_cache_ports
+- Allow cron jobs to manage apache var lib content
+- Allow yppassword to manage the passwd_file_t
+- Allow showall_t to send itself signals
+- Allow cobbler to restart dhcpc, dnsmasq and bind services
+- Allow rsync_t to manage all non auth files
+- Allow certmonger to manage home cert files
+- Allow user_mail_domains to write certain files to the /root and ~/ directories
+- Allow apcuspd_t to status and start the power unit file
+- Allow cgroupdrulesengd to create content in cgoups directories
+- Add new access for mythtv
+- Allow irc_t to execute shell and bin-t files:
+- Allow smbd_t to signull cluster
+- Allow sssd to read systemd_login_var_run_t
+- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
+- Add label for /var/spool/cron.aquota.user
+- Allow sandbox_x domains to use work with the mozilla plugin semaphore
+- Added new policy for speech-dispatcher
+- Added dontaudit rule for insmod_exec_t in rasdaemon policy
+- Updated rasdaemon policy
+- Allow virt_domains to read cert files
+- Allow system_mail_t to transition to postfix_postdrop_t
+- Clean up mirrormanager policy
+- Allow subscription-manager running as sosreport_t to manage rhsmcertd
+- Remove ability to do mount/sys_admin by default in virt_sandbox domains
+- New rules required to run docker images within libivrt
+- Fixed bumblebee_admin() and mip6d_admin()
+- Add log support for sensord
+- Add label for ~/.cvsignore
+- Change mirrormanager to be run by cron
+- Add mirrormanager policy
+- Additional fixes for docker.te
+- Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot
+- Add tftp_write_rw_content/tftp_read_rw_content interfaces
+- Allow amanda to do backups over UDP
+
* Thu Dec 13 2013 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-10
- Allow freeipmi_ipmidetectd_t to use freeipmi port
- Update freeipmi_domain_template()