[selinux-policy/f20] - Add default lvm_var_run_t label for /var/run/multipathd - Fix log labeling to have correct default

Miroslav Grepl mgrepl at fedoraproject.org
Fri Jan 10 13:52:22 UTC 2014


commit dde27fefb43e752610f2d25fd07f2ff4e5024e2d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Jan 10 14:52:14 2014 +0100

    - Add default lvm_var_run_t label for /var/run/multipathd
    - Fix log labeling to have correct default label for them after logrotate
    - Add files_write_root_dirs
    - Add new openflow port label for 6653/tcp and 6633/tcp
    - Add xserver_manage_xkb_libs()
    - Label tcp/8891 as milter port
    - Allow gnome_manage_generic_cache_files also create cache_home_t files
    - Fix aide.log labeling
    - Fix log labeling to have correct default label for them after logrotate
    - Allow mysqld-safe write access on /root to make mysqld working
    - Allow sosreport domtrans to prelink
    - Allow OpenvSwitch to connect to openflow ports
    - Allow NM send dgram to lldpad
    - Allow hyperv domains to execute shell
    - Allow lsmd plugins stream connect to lsmd/init
    - Allow sblim domains to create /run/gather with correct labeling
    - Allow httpd to read ldap certs
    - Allow cupsd to send dbus msgs to process with different MLS level
    - Allow bumblebee to stream connect to apmd
    - Allow bumblebee to run xkbcomp
    - Additional allow rules to get libvirt-lxc containers working with docker
    - Additional allow rules to get libvirt-lxc containers working with docker
    - Allow docker to getattr on itself
    - Additional rules needed for sandbox apps
    - Allow mozilla_plugin to set attributes on usb device if use_spice boolean enable
    - httpd should be able to send signal/signull to httpd_suexec_t
    - Add more fixes for neutron. Domtrans to dnsmasq, iptables.

 policy-f20-base.patch    |  473 ++++++++++++++++----------------
 policy-f20-contrib.patch |  685 +++++++++++++++++++++++++++-------------------
 selinux-policy.spec      |   31 ++-
 3 files changed, 661 insertions(+), 528 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 4718a40..076f179 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -5586,7 +5586,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..e9c2c94 100644
+index 4edc40d..1279fd8 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5783,7 +5783,7 @@ index 4edc40d..e9c2c94 100644
  network_port(matahari, tcp,49000,s0, udp,49000,s0)
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
 -network_port(milter) # no defined portcon
-+network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon
++network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 +network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
  network_port(monopd, tcp,1234,s0)
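Review bot: The port actually added to the milter line in this hunk is tcp/8890 — 8891 and 8893 were already on the previous version of the line — while the commit message says "Label tcp/8891 as milter por", so either the message or the port list is wrong and they should be reconciled before this is copied into the spec changelog. The trailing `# no defined portcon` comment is also stale now that three portcons are declared; drop it, e.g. `network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0)`, or replace it with a short note on why 8890 belongs to milter. Since this is a hunk of policy-f20-base.patch, the line ultimately lands in policy/modules/kernel/corenetwork.te.in.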
@@ -5794,7 +5794,7 @@ index 4edc40d..e9c2c94 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +224,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +224,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5813,6 +5813,7 @@ index 4edc40d..e9c2c94 100644
  network_port(oa_system, tcp,8022,s0, udp,8022,s0)
 -network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
  network_port(ocsp, tcp,9080,s0)
++network_port(openflow, tcp,6633,s0, tcp,6653,s0)
  network_port(openhpid, tcp,4743,s0, udp,4743,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 +network_port(osapi_compute, tcp, 8774, s0)
@@ -5833,7 +5834,7 @@ index 4edc40d..e9c2c94 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -214,38 +261,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +262,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5886,7 +5887,7 @@ index 4edc40d..e9c2c94 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +311,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +312,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5897,7 +5898,7 @@ index 4edc40d..e9c2c94 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(ups, tcp,3493,s0)
-@@ -268,10 +323,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +324,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5910,7 +5911,7 @@ index 4edc40d..e9c2c94 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -285,19 +340,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -285,19 +341,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5937,7 +5938,7 @@ index 4edc40d..e9c2c94 100644
  
  ########################################
  #
-@@ -330,6 +389,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +390,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5946,7 +5947,7 @@ index 4edc40d..e9c2c94 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +403,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +404,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -9584,7 +9585,7 @@ index c2c6e05..2282452 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..32d36ba 100644
+index 64ff4d7..75437fb 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10283,7 +10284,31 @@ index 64ff4d7..32d36ba 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1747,6 +2171,26 @@ interface(`files_dontaudit_rw_root_dir',`
+@@ -1707,6 +2131,23 @@ interface(`files_list_root',`
+ 	allow $1 root_t:dir list_dir_perms;
+ 	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ')
++########################################
++## <summary>
++##	Do not audit attempts to write to / dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_write_root_dirs',`
++	gen_require(`
++		type root_t;
++	')
++
++	allow $1 root_t:dir write;
++')
+ 
+ ########################################
+ ## <summary>
+@@ -1747,6 +2188,26 @@ interface(`files_dontaudit_rw_root_dir',`
  
  ########################################
  ## <summary>
@@ -10310,7 +10335,7 @@ index 64ff4d7..32d36ba 100644
  ##	Create an object in the root directory, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -1874,25 +2318,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1874,25 +2335,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -10342,7 +10367,7 @@ index 64ff4d7..32d36ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1905,7 +2349,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2366,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -10351,7 +10376,7 @@ index 64ff4d7..32d36ba 100644
  ')
  
  ########################################
-@@ -1928,6 +2372,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2389,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -10376,7 +10401,7 @@ index 64ff4d7..32d36ba 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2163,6 +2625,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2163,6 +2642,24 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -10401,7 +10426,7 @@ index 64ff4d7..32d36ba 100644
  ######################################
  ## <summary>
  ##	Read symbolic links in the /boot directory.
-@@ -2627,6 +3107,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +3124,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -10426,7 +10451,7 @@ index 64ff4d7..32d36ba 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2698,6 +3196,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3213,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10434,7 +10459,7 @@ index 64ff4d7..32d36ba 100644
  ')
  
  ########################################
-@@ -2706,7 +3205,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3222,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10443,7 +10468,7 @@ index 64ff4d7..32d36ba 100644
  ##	</summary>
  ## </param>
  #
-@@ -2762,6 +3261,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3278,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -10469,7 +10494,7 @@ index 64ff4d7..32d36ba 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2780,6 +3298,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3315,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -10494,7 +10519,7 @@ index 64ff4d7..32d36ba 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2945,24 +3481,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3498,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -10519,7 +10544,7 @@ index 64ff4d7..32d36ba 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3003,9 +3521,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3538,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10530,7 +10555,7 @@ index 64ff4d7..32d36ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3013,18 +3529,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3546,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -10552,19 +10577,22 @@ index 64ff4d7..32d36ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3042,6 +3557,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,15 +3574,35 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
+-##	Read and write files in /etc that are dynamically
 +##	Do not audit attempts to read files
 +##	in /etc that are dynamically
-+##	created on boot, such as mtab.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ##	created on boot, such as mtab.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
 +#
 +interface(`files_dontaudit_read_etc_runtime_files',`
 +	gen_require(`
@@ -10576,10 +10604,19 @@ index 64ff4d7..32d36ba 100644
 +
 +########################################
 +## <summary>
- ##	Read and write files in /etc that are dynamically
- ##	created on boot, such as mtab.
- ## </summary>
-@@ -3059,6 +3594,7 @@ interface(`files_rw_etc_runtime_files',`
++##	Read and write files in /etc that are dynamically
++##	created on boot, such as mtab.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
+ #
+ interface(`files_rw_etc_runtime_files',`
+ 	gen_require(`
+@@ -3059,6 +3611,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10587,7 +10624,7 @@ index 64ff4d7..32d36ba 100644
  ')
  
  ########################################
-@@ -3080,6 +3616,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3633,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10595,7 +10632,7 @@ index 64ff4d7..32d36ba 100644
  ')
  
  ########################################
-@@ -3132,6 +3669,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3686,25 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -10621,7 +10658,7 @@ index 64ff4d7..32d36ba 100644
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3205,6 +3761,62 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3205,6 +3778,62 @@ interface(`files_delete_isid_type_dirs',`
  
  	delete_dirs_pattern($1, file_t, file_t)
  ')
@@ -10684,7 +10721,7 @@ index 64ff4d7..32d36ba 100644
  
  ########################################
  ## <summary>
-@@ -3455,6 +4067,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +4084,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
@@ -10710,7 +10747,7 @@ index 64ff4d7..32d36ba 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3796,20 +4427,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4444,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -10754,7 +10791,7 @@ index 64ff4d7..32d36ba 100644
  ')
  
  ########################################
-@@ -4199,6 +4848,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,6 +4865,172 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -10927,7 +10964,7 @@ index 64ff4d7..32d36ba 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -4221,6 +5036,26 @@ interface(`files_associate_tmp',`
+@@ -4221,6 +5053,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -10954,7 +10991,7 @@ index 64ff4d7..32d36ba 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4234,17 +5069,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4234,17 +5086,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -10993,7 +11030,7 @@ index 64ff4d7..32d36ba 100644
  ##	</summary>
  ## </param>
  #
-@@ -4271,6 +5126,7 @@ interface(`files_search_tmp',`
+@@ -4271,6 +5143,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -11001,7 +11038,7 @@ index 64ff4d7..32d36ba 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4307,6 +5163,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +5180,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -11009,7 +11046,7 @@ index 64ff4d7..32d36ba 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4316,7 +5173,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +5190,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11018,7 +11055,7 @@ index 64ff4d7..32d36ba 100644
  ##	</summary>
  ## </param>
  #
-@@ -4328,6 +5185,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +5202,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -11044,7 +11081,7 @@ index 64ff4d7..32d36ba 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4343,6 +5219,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +5236,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -11052,7 +11089,7 @@ index 64ff4d7..32d36ba 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4384,6 +5261,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,6 +5278,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -11085,101 +11122,30 @@ index 64ff4d7..32d36ba 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4438,7 +5341,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4438,7 +5358,43 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
 -##	Set the attributes of all tmp directories.
 +##	Relabel a dir from the type used in /tmp.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4446,17 +5349,17 @@ interface(`files_rw_generic_tmp_sockets',`
- ##	</summary>
- ## </param>
- #
--interface(`files_setattr_all_tmp_dirs',`
-+interface(`files_relabelfrom_tmp_dirs',`
- 	gen_require(`
--		attribute tmpfile;
-+		type tmp_t;
- 	')
- 
--	allow $1 tmpfile:dir { search_dir_perms setattr };
-+	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	List all tmp directories.
-+##	Relabel a file from the type used in /tmp.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4464,44 +5367,134 @@ interface(`files_setattr_all_tmp_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_list_all_tmp',`
-+interface(`files_relabelfrom_tmp_files',`
- 	gen_require(`
--		attribute tmpfile;
-+		type tmp_t;
- 	')
- 
--	allow $1 tmpfile:dir list_dir_perms;
-+	relabelfrom_files_pattern($1, tmp_t, tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	Relabel to and from all temporary
--##	directory types.
-+##	Set the attributes of all tmp directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_relabel_all_tmp_dirs',`
-+interface(`files_setattr_all_tmp_dirs',`
- 	gen_require(`
- 		attribute tmpfile;
--		type var_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	relabel_dirs_pattern($1, tmpfile, tmpfile)
-+	allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to get the attributes
--##	of all tmp files.
-+##	Allow caller to read inherited tmp files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_read_inherited_tmp_files',`
++interface(`files_relabelfrom_tmp_dirs',`
 +	gen_require(`
-+		attribute tmpfile;
++		type tmp_t;
 +	')
 +
-+	allow $1 tmpfile:file { append read_inherited_file_perms };
++	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to append inherited tmp files.
++##	Relabel a file from the type used in /tmp.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -11187,17 +11153,25 @@ index 64ff4d7..32d36ba 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_relabelfrom_tmp_files',`
 +	gen_require(`
-+		attribute tmpfile;
++		type tmp_t;
 +	')
 +
-+	allow $1 tmpfile:file append_inherited_file_perms;
++	relabelfrom_files_pattern($1, tmp_t, tmp_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to read and write inherited tmp files.
++##	Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4456,6 +5412,60 @@ interface(`files_setattr_all_tmp_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Allow caller to read inherited tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -11205,17 +11179,17 @@ index 64ff4d7..32d36ba 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_read_inherited_tmp_files',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
-+	allow $1 tmpfile:file rw_inherited_file_perms;
++	allow $1 tmpfile:file { append read_inherited_file_perms };
 +')
 +
 +########################################
 +## <summary>
-+##	List all tmp directories.
++##	Allow caller to append inherited tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -11223,48 +11197,47 @@ index 64ff4d7..32d36ba 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_list_all_tmp',`
++interface(`files_append_inherited_tmp_files',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
-+	allow $1 tmpfile:dir list_dir_perms;
++	allow $1 tmpfile:file append_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel to and from all temporary
-+##	directory types.
++##	Allow caller to read and write inherited tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_relabel_all_tmp_dirs',`
++interface(`files_rw_inherited_tmp_file',`
 +	gen_require(`
 +		attribute tmpfile;
-+		type var_t;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	relabel_dirs_pattern($1, tmpfile, tmpfile)
++	allow $1 tmpfile:file rw_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to get the attributes
-+##	of all tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ##	List all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -4501,7 +5511,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
-@@ -4561,7 +5554,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4561,7 +5571,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11273,7 +11246,7 @@ index 64ff4d7..32d36ba 100644
  ##	</summary>
  ## </param>
  #
-@@ -4593,6 +5586,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4593,6 +5603,44 @@ interface(`files_read_all_tmp_files',`
  
  ########################################
  ## <summary>
@@ -11318,7 +11291,7 @@ index 64ff4d7..32d36ba 100644
  ##	Create an object in the tmp directories, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -4646,6 +5677,16 @@ interface(`files_purge_tmp',`
+@@ -4646,6 +5694,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11335,7 +11308,7 @@ index 64ff4d7..32d36ba 100644
  ')
  
  ########################################
-@@ -5223,6 +6264,24 @@ interface(`files_list_var',`
+@@ -5223,6 +6281,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -11360,7 +11333,7 @@ index 64ff4d7..32d36ba 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5578,6 +6637,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5578,6 +6654,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -11386,7 +11359,7 @@ index 64ff4d7..32d36ba 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5623,7 +6701,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6718,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -11395,7 +11368,7 @@ index 64ff4d7..32d36ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6709,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6726,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -11411,7 +11384,7 @@ index 64ff4d7..32d36ba 100644
  ')
  
  ########################################
-@@ -5654,6 +6733,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6750,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11419,7 +11392,7 @@ index 64ff4d7..32d36ba 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5680,7 +6760,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6777,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -11447,7 +11420,7 @@ index 64ff4d7..32d36ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,13 +6787,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6804,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11464,7 +11437,7 @@ index 64ff4d7..32d36ba 100644
  ')
  
  ########################################
-@@ -5713,7 +6811,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6828,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -11473,7 +11446,7 @@ index 64ff4d7..32d36ba 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5746,7 +6844,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6861,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -11481,7 +11454,7 @@ index 64ff4d7..32d36ba 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5761,7 +6858,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5761,7 +6875,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -11490,7 +11463,7 @@ index 64ff4d7..32d36ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5769,13 +6866,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,13 +6883,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11525,7 +11498,7 @@ index 64ff4d7..32d36ba 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5791,13 +6908,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6925,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -11543,7 +11516,7 @@ index 64ff4d7..32d36ba 100644
  ')
  
  ########################################
-@@ -5816,9 +6932,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6949,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11554,7 +11527,7 @@ index 64ff4d7..32d36ba 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5860,8 +6974,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6991,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11564,7 +11537,7 @@ index 64ff4d7..32d36ba 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6996,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +7013,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11574,7 +11547,7 @@ index 64ff4d7..32d36ba 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +7033,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +7050,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -11584,7 +11557,7 @@ index 64ff4d7..32d36ba 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5961,7 +7072,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +7089,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -11593,7 +11566,7 @@ index 64ff4d7..32d36ba 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5981,10 +7092,48 @@ interface(`files_search_pids',`
+@@ -5981,10 +7109,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11642,7 +11615,7 @@ index 64ff4d7..32d36ba 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6007,6 +7156,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +7173,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -11668,7 +11641,7 @@ index 64ff4d7..32d36ba 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6021,7 +7189,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7206,7 @@ interface(`files_list_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11677,7 +11650,7 @@ index 64ff4d7..32d36ba 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  ')
  
-@@ -6040,7 +7208,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7225,7 @@ interface(`files_read_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11686,7 +11659,7 @@ index 64ff4d7..32d36ba 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6060,7 +7228,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7245,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
@@ -11695,7 +11668,7 @@ index 64ff4d7..32d36ba 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6122,7 +7290,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7307,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -11703,35 +11676,11 @@ index 64ff4d7..32d36ba 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6151,7 +7318,7 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6151,6 +7335,24 @@ interface(`files_pid_filetrans_lock_dir',`
  
  ########################################
  ## <summary>
--##	Read and write generic process ID files.
 +##	rw generic pid files inherited from another process
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6159,14 +7326,32 @@ interface(`files_pid_filetrans_lock_dir',`
- ##	</summary>
- ## </param>
- #
--interface(`files_rw_generic_pids',`
-+interface(`files_rw_inherited_generic_pid_files',`
- 	gen_require(`
--		type var_t, var_run_t;
-+		type var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_run_t)
--	rw_files_pattern($1, var_run_t, var_run_t)
-+	allow $1 var_run_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read and write generic process ID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -11739,28 +11688,41 @@ index 64ff4d7..32d36ba 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_rw_generic_pids',`
++interface(`files_rw_inherited_generic_pid_files',`
 +	gen_require(`
-+		type var_t, var_run_t;
++		type var_run_t;
 +	')
 +
++	allow $1 var_run_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Read and write generic process ID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -6164,7 +7366,7 @@ interface(`files_rw_generic_pids',`
+ 		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 +	files_search_pids($1)
-+	list_dirs_pattern($1, var_t, var_run_t)
-+	rw_files_pattern($1, var_run_t, var_run_t)
+ 	list_dirs_pattern($1, var_t, var_run_t)
+ 	rw_files_pattern($1, var_run_t, var_run_t)
  ')
- 
- ########################################
-@@ -6231,6 +7416,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,24 +7433,208 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
+-##	Read all process ID files.
 +##	Relable all pid directories
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
 +#
 +interface(`files_relabel_all_pid_dirs',`
 +	gen_require(`
@@ -11864,10 +11826,15 @@ index 64ff4d7..32d36ba 100644
 +
 +########################################
 +## <summary>
- ##	Read all process ID files.
- ## </summary>
- ## <param name="domain">
-@@ -6243,12 +7538,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
++##	Read all process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
+ #
  interface(`files_read_all_pids',`
  	gen_require(`
  		attribute pidfile;
@@ -11956,7 +11923,7 @@ index 64ff4d7..32d36ba 100644
  ')
  
  ########################################
-@@ -6268,8 +7637,8 @@ interface(`files_delete_all_pids',`
+@@ -6268,8 +7654,8 @@ interface(`files_delete_all_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11966,7 +11933,7 @@ index 64ff4d7..32d36ba 100644
  	allow $1 var_run_t:dir rmdir;
  	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
  	delete_files_pattern($1, pidfile, pidfile)
-@@ -6293,36 +7662,80 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6293,36 +7679,80 @@ interface(`files_delete_all_pid_dirs',`
  		type var_t, var_run_t;
  	')
  
@@ -12058,7 +12025,7 @@ index 64ff4d7..32d36ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6330,12 +7743,33 @@ interface(`files_manage_all_pids',`
+@@ -6330,12 +7760,33 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -12095,7 +12062,7 @@ index 64ff4d7..32d36ba 100644
  ')
  
  ########################################
-@@ -6562,3 +7996,514 @@ interface(`files_unconfined',`
+@@ -6562,3 +8013,514 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -21479,7 +21446,7 @@ index 5fc0391..3b3225a 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..9a5dab5 100644
+index d1f64a0..3fe692c 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -21604,7 +21571,7 @@ index d1f64a0..9a5dab5 100644
 +/var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 +/var/log/mdm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/slim\.log	--	gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/slim\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
@@ -21639,7 +21606,7 @@ index d1f64a0..9a5dab5 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..5a7e2a4 100644
+index 6bf0ecc..115c533 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,37 @@
@@ -22374,10 +22341,30 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1230,84 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
++##	Manage X keyboard extension libraries.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_manage_xkb_libs',`
++	gen_require(`
++		type xkb_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 xkb_var_lib_t:dir list_dir_perms;
++	manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
++')
++
++########################################
++## <summary>
 +##	dontaudit access checks X keyboard extension libraries.
 +## </summary>
 +## <param name="domain">
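Review bot: In the new `xserver_manage_xkb_libs` interface the line `allow $1 xkb_var_lib_t:dir list_dir_perms;` is redundant, because `manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)` on the following line already grants rw_dir_perms on the directory type, a superset of list_dir_perms; dropping it leaves the body as `files_search_var_lib($1)` followed by the manage_files_pattern call, matching the shape of the `xserver_read_xkb_libs` interface this hunk sits under. Because the interface hands out create, write and unlink on the compiled keymaps, a short paragraph in the interface's documentation block pointing callers that only need to read keymaps at `xserver_read_xkb_libs` would help keep grants narrow.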
@@ -22439,7 +22426,7 @@ index 6bf0ecc..5a7e2a4 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1321,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -22448,7 +22435,7 @@ index 6bf0ecc..5a7e2a4 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1383,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -22491,7 +22478,7 @@ index 6bf0ecc..5a7e2a4 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1433,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -22500,7 +22487,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1451,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -22512,7 +22499,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1552,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
  
  ########################################
  ## <summary>
@@ -22538,7 +22525,7 @@ index 6bf0ecc..5a7e2a4 100644
  ##	Connect to the X server over a unix domain
  ##	stream socket.
  ## </summary>
-@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1587,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -22565,7 +22552,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1632,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -22574,7 +22561,7 @@ index 6bf0ecc..5a7e2a4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1261,13 +1622,27 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1642,27 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -22603,7 +22590,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1284,10 +1659,624 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1679,624 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -29515,7 +29502,7 @@ index dd3be8d..8b457a1 100644
 +    ')
 + ')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..32fad12 100644
+index 662e79b..05d25b0 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
 @@ -1,14 +1,23 @@
@@ -29557,7 +29544,8 @@ index 662e79b..32fad12 100644
  /var/lock/subsys/ipsec		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
 +/var/lock/subsys/strongswan		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
  
- /var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
+-/var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
++/var/log/pluto\.log.*		--	gen_context(system_u:object_r:ipsec_log_t,s0)
  
  /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
  
@@ -31149,7 +31137,7 @@ index c04ac46..4f4ee1d 100644
 -	nscd_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..2faaaf2 100644
+index b50c5fe..e55a556 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
 @@ -2,10 +2,13 @@
@@ -31193,7 +31181,7 @@ index b50c5fe..2faaaf2 100644
  
  /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
  /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,13 +54,13 @@ ifdef(`distro_suse', `
+@@ -38,21 +54,22 @@ ifdef(`distro_suse', `
  
  /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
  /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
@@ -31208,8 +31196,10 @@ index b50c5fe..2faaaf2 100644
 +/var/run/systemd/journal(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
  
  ifndef(`distro_gentoo',`
- /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -53,6 +69,7 @@ ifndef(`distro_gentoo',`
+-/var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
++/var/log/audit\.log.*	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+ ')
+ 
  ifdef(`distro_redhat',`
  /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
  /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
@@ -32093,7 +32083,7 @@ index 39ea221..e2be79a 100644
 +
 +logging_stream_connect_syslog(syslog_client_type)
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..b250b3e 100644
+index 879bb1e..633e449 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
 @@ -23,28 +23,35 @@ ifdef(`distro_gentoo',`
@@ -32208,12 +32198,13 @@ index 879bb1e..b250b3e 100644
  
  #
  # /var
-@@ -97,5 +168,8 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +168,9 @@ ifdef(`distro_gentoo',`
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 +/var/lock/dmraid(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 +/var/run/lvm(/.*)?     gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/run/multipathd(/.*)?   gen_context(system_u:object_r:lvm_var_run_t,s0)
  /var/run/multipathd\.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
 +/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
  /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 34c8553..49f98ce 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -1584,6 +1584,16 @@ index 72c33c2..6e4206c 100644
  
  optional_policy(`
  	modutils_domtrans_insmod(aiccu_t)
+diff --git a/aide.fc b/aide.fc
+index df6e4d0..4b99c25 100644
+--- a/aide.fc
++++ b/aide.fc
+@@ -3,4 +3,4 @@
+ /var/lib/aide(/.*)	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+ 
+ /var/log/aide(/.*)?	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+-/var/log/aide\.log	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
++/var/log/aide\.log.*	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
 diff --git a/aide.if b/aide.if
 index 01cbb67..94a4a24 100644
 --- a/aide.if
@@ -4781,7 +4791,7 @@ index 83e899c..64beed7 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..9a065a0 100644
+index 1a82e29..b192ed8 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,367 @@
@@ -5449,7 +5459,7 @@ index 1a82e29..9a065a0 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -407,14 +507,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  
@@ -5458,8 +5468,10 @@ index 1a82e29..9a065a0 100644
  allow httpd_t httpd_rotatelogs_t:process signal_perms;
  
  manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
  
++allow httpd_t httpd_suexec_exec_t:process { signal signull };
  allow httpd_t httpd_suexec_exec_t:file read_file_perms;
  
 +allow httpd_t httpd_sys_content_t:dir list_dir_perms;
@@ -5469,7 +5481,7 @@ index 1a82e29..9a065a0 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
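Review bot: The added rule `allow httpd_t httpd_suexec_exec_t:process { signal signull };` names an executable-file type as the target of a process-class permission, so it cannot match any signal sent to a running suexec process; the very next line uses the same type with the `file` class, and process permissions are checked against the target process's domain type, not the type of the binary it ran. The rule should target the suexec domain instead, `allow httpd_t httpd_suexec_t:process { signal signull };`, otherwise the denial it is meant to clear will remain. The surrounding apache.te statement run continues outside the hunk, so the domain's declaration is not visible here.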
-@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +552,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5702,7 +5714,7 @@ index 1a82e29..9a065a0 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +723,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5762,7 +5774,7 @@ index 1a82e29..9a065a0 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +775,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5853,7 +5865,7 @@ index 1a82e29..9a065a0 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -690,66 +821,56 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,66 +822,56 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5951,7 +5963,7 @@ index 1a82e29..9a065a0 100644
  ')
  
  optional_policy(`
-@@ -765,6 +886,23 @@ optional_policy(`
+@@ -765,6 +887,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5975,7 +5987,7 @@ index 1a82e29..9a065a0 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +919,51 @@ optional_policy(`
+@@ -781,34 +920,52 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6013,6 +6025,7 @@ index 1a82e29..9a065a0 100644
 -	tunable_policy(`httpd_can_network_connect_ldap',`
 -		ldap_tcp_connect(httpd_t)
 -	')
++	ldap_read_certs(httpd_t)
  ')
  
  optional_policy(`
@@ -6038,7 +6051,7 @@ index 1a82e29..9a065a0 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +971,18 @@ optional_policy(`
+@@ -816,8 +973,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6057,7 +6070,7 @@ index 1a82e29..9a065a0 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +991,7 @@ optional_policy(`
+@@ -826,6 +993,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6065,7 +6078,7 @@ index 1a82e29..9a065a0 100644
  ')
  
  optional_policy(`
-@@ -836,20 +1002,39 @@ optional_policy(`
+@@ -836,20 +1004,39 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6091,7 +6104,7 @@ index 1a82e29..9a065a0 100644
 +	pki_manage_apache_lib(httpd_t)
 +	pki_manage_apache_log_files(httpd_t)
 +	pki_manage_apache_run(httpd_t)
-+    pki_read_tomcat_cert(httpd_t)
++	pki_read_tomcat_cert(httpd_t)
 +')
  
 -	tunable_policy(`httpd_can_network_connect_db',`
@@ -6111,7 +6124,7 @@ index 1a82e29..9a065a0 100644
  ')
  
  optional_policy(`
-@@ -857,19 +1042,35 @@ optional_policy(`
+@@ -857,19 +1044,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6147,7 +6160,7 @@ index 1a82e29..9a065a0 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -877,65 +1078,173 @@ optional_policy(`
+@@ -877,65 +1080,173 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6343,7 +6356,7 @@ index 1a82e29..9a065a0 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1253,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1255,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6498,7 +6511,7 @@ index 1a82e29..9a065a0 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1337,106 @@ optional_policy(`
+@@ -1077,172 +1339,106 @@ optional_policy(`
  	')
  ')
  
@@ -6735,7 +6748,7 @@ index 1a82e29..9a065a0 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1444,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1446,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6832,7 +6845,7 @@ index 1a82e29..9a065a0 100644
  
  ########################################
  #
-@@ -1315,8 +1519,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1521,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6849,7 +6862,7 @@ index 1a82e29..9a065a0 100644
  ')
  
  ########################################
-@@ -1324,49 +1535,38 @@ optional_policy(`
+@@ -1324,49 +1537,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6914,7 +6927,7 @@ index 1a82e29..9a065a0 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1576,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1578,99 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -9943,10 +9956,10 @@ index 0000000..de66654
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..f94a10e
+index 0000000..b3aa772
 --- /dev/null
 +++ b/bumblebee.te
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,54 @@
 +policy_module(bumblebee, 1.0.0)
 +
 +########################################
@@ -9996,6 +10009,11 @@ index 0000000..f94a10e
 +sysnet_dns_name_resolve(bumblebee_t)
 +
 +xserver_domtrans(bumblebee_t)
++xserver_manage_xkb_libs(bumblebee_t)
++
++optional_policy(`
++    apm_stream_connect(bumblebee_t)
++')
 diff --git a/cachefilesd.fc b/cachefilesd.fc
 index 648c790..aa03fc8 100644
 --- a/cachefilesd.fc
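Review bot: The body of the new optional_policy block is indented with four spaces (`    apm_stream_connect(bumblebee_t)`), whereas the policy sources use a tab at that position; this same commit corrects an identical four-space indent on `pki_read_tomcat_cert(httpd_t)` in apache.te, so the new block should be written as `	apm_stream_connect(bumblebee_t)` with a tab. Separately, `xserver_manage_xkb_libs(bumblebee_t)` lets the bumblebee daemon create, rewrite and delete the compiled keymaps labeled xkb_var_lib_t; if bumblebee only needs to read them, the existing `xserver_read_xkb_libs` interface would be the narrower grant, which is worth confirming against the denials that motivated the change.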
@@ -12134,7 +12152,7 @@ index 29782b8..685edff 100644
  ')
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 0000000..3a0de96
+index 0000000..51990d0
 --- /dev/null
 +++ b/cloudform.fc
 @@ -0,0 +1,27 @@
@@ -12153,7 +12171,7 @@ index 0000000..3a0de96
 +/usr/lib/systemd/system/cloud-init.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
 +
 +/var/lib/cloud(/.*)?            gen_context(system_u:object_r:cloud_var_lib_t,s0)
-+/var/log/cloud-init\.log    --  gen_context(system_u:object_r:cloud_log_t,s0)
++/var/log/cloud-init\.log.*  --  gen_context(system_u:object_r:cloud_log_t,s0)
 +/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
 +/var/lib/mongo.*		gen_context(system_u:object_r:mongod_var_lib_t,s0)
 +
@@ -17844,7 +17862,7 @@ index 06da9a0..c7834c8 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..5997cc2 100644
+index 9f34c2e..0663b64 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -18085,7 +18103,7 @@ index 9f34c2e..5997cc2 100644
  files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
-@@ -215,16 +243,17 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,17 +243,19 @@ files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
  files_read_var_files(cupsd_t)
  files_read_var_symlinks(cupsd_t)
@@ -18103,9 +18121,11 @@ index 9f34c2e..5997cc2 100644
 +fs_rw_anon_inodefs_files(cupsd_t)
 +fs_rw_inherited_tmpfs_files(cupsd_t)
  
++mls_dbus_send_all_levels(cupsd_t)
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
-@@ -235,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t)
+ mls_file_write_all_levels(cupsd_t)
+@@ -235,6 +265,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
@@ -18114,7 +18134,7 @@ index 9f34c2e..5997cc2 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -247,21 +278,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -18141,7 +18161,7 @@ index 9f34c2e..5997cc2 100644
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
  optional_policy(`
-@@ -275,6 +306,8 @@ optional_policy(`
+@@ -275,6 +307,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -18150,7 +18170,7 @@ index 9f34c2e..5997cc2 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -285,8 +318,10 @@ optional_policy(`
+@@ -285,8 +319,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -18161,7 +18181,7 @@ index 9f34c2e..5997cc2 100644
  	')
  ')
  
-@@ -299,8 +334,8 @@ optional_policy(`
+@@ -299,8 +335,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18171,7 +18191,7 @@ index 9f34c2e..5997cc2 100644
  ')
  
  optional_policy(`
-@@ -309,7 +344,6 @@ optional_policy(`
+@@ -309,7 +345,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -18179,7 +18199,7 @@ index 9f34c2e..5997cc2 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -337,7 +371,11 @@ optional_policy(`
+@@ -337,7 +372,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18192,7 +18212,7 @@ index 9f34c2e..5997cc2 100644
  ')
  
  ########################################
-@@ -345,12 +383,11 @@ optional_policy(`
+@@ -345,12 +384,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -18208,7 +18228,7 @@ index 9f34c2e..5997cc2 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -375,18 +412,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +413,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -18229,7 +18249,7 @@ index 9f34c2e..5997cc2 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +430,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +431,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -18250,7 +18270,7 @@ index 9f34c2e..5997cc2 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +447,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +448,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -18262,7 +18282,7 @@ index 9f34c2e..5997cc2 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +474,12 @@ optional_policy(`
+@@ -452,9 +475,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18276,7 +18296,7 @@ index 9f34c2e..5997cc2 100644
  ')
  
  optional_policy(`
-@@ -490,10 +515,6 @@ optional_policy(`
+@@ -490,10 +516,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -18287,7 +18307,7 @@ index 9f34c2e..5997cc2 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +532,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +533,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -18321,7 +18341,7 @@ index 9f34c2e..5997cc2 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -546,7 +559,6 @@ optional_policy(`
+@@ -546,7 +560,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -18329,7 +18349,7 @@ index 9f34c2e..5997cc2 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +574,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +575,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -18481,7 +18501,7 @@ index 9f34c2e..5997cc2 100644
  
  ########################################
  #
-@@ -731,7 +618,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +619,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -18489,7 +18509,7 @@ index 9f34c2e..5997cc2 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +627,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +628,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -18503,7 +18523,7 @@ index 9f34c2e..5997cc2 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -755,8 +639,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +640,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -18512,7 +18532,7 @@ index 9f34c2e..5997cc2 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -769,3 +651,4 @@ optional_policy(`
+@@ -769,3 +652,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -22833,10 +22853,10 @@ index 0000000..543baf1
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..b744b8c
+index 0000000..5c6eaab
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,152 @@
+@@ -0,0 +1,157 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -22868,7 +22888,7 @@ index 0000000..b744b8c
 +# docker local policy
 +#
 +allow docker_t self:capability { chown fowner fsetid mknod net_admin };
-+allow docker_t self:process signal_perms;
++allow docker_t self:process { getattr signal_perms };
 +allow docker_t self:fifo_file rw_fifo_file_perms;
 +allow docker_t self:unix_stream_socket create_stream_socket_perms;
 +allow docker_t self:capability2 block_suspend;
@@ -22974,6 +22994,7 @@ index 0000000..b744b8c
 +fs_remount_all_fs(docker_t)
 +fs_manage_cgroup_dirs(docker_t)
 +fs_manage_cgroup_files(docker_t)
++fs_relabelfrom_xattr_fs(docker_t)
 +
 +term_use_generic_ptys(docker_t)
 +term_use_ptmx(docker_t)
@@ -22988,6 +23009,10 @@ index 0000000..b744b8c
 +optional_policy(`
 +	virt_read_config(docker_t)
 +	virt_exec(docker_t)
++	virt_stream_connect(docker_t)
++	virt_stream_connect_sandbox(docker_t)
++	virt_manage_sandbox_files(docker_t)
++	virt_relabel_sandbox_filesystem(docker_t)
 +')
 diff --git a/dovecot.fc b/dovecot.fc
 index c880070..4448055 100644
@@ -27528,7 +27553,7 @@ index e39de43..4c8113b 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..0e04529 100644
+index d03fd43..89a7bb92 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,123 +1,157 @@
@@ -28242,58 +28267,92 @@ index d03fd43..0e04529 100644
  ## <summary>
 -##	Create, read, write, and delete
 -##	generic gconf home content.
-+##	Manage a sock_file in the generic cache home files (.cache)
++##	write to generic cache home files (.cache)
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -473,82 +519,73 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -473,22 +519,18 @@ interface(`gnome_read_generic_gconf_home_content',`
  ##	</summary>
  ## </param>
  #
 -interface(`gnome_manage_generic_gconf_home_content',`
-+interface(`gnome_manage_generic_cache_sockets',`
++interface(`gnome_manage_generic_cache_files',`
  	gen_require(`
 -		type gconf_home_t;
 +		type cache_home_t;
  	')
  
++	manage_files_pattern($1, cache_home_t, cache_home_t)
  	userdom_search_user_home_dirs($1)
 -	allow $1 gconf_home_t:dir manage_dir_perms;
 -	allow $1 gconf_home_t:file manage_file_perms;
 -	allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
 -	allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
 -	allow $1 gconf_home_t:sock_file manage_sock_file_perms;
-+	manage_sock_files_pattern($1, cache_home_t, cache_home_t)
  ')
  
  ########################################
  ## <summary>
 -##	Search generic gconf home directories.
++##	Manage a sock_file in the generic cache home files (.cache)
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -496,79 +538,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`gnome_search_generic_gconf_home',`
++interface(`gnome_manage_generic_cache_sockets',`
+ 	gen_require(`
+-		type gconf_home_t;
++		type cache_home_t;
+ 	')
+ 
+ 	userdom_search_user_home_dirs($1)
+-	allow $1 gconf_home_t:dir search_dir_perms;
++	manage_sock_files_pattern($1, cache_home_t, cache_home_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in user home
+-##	directories with the generic gconf
+-##	home type.
 +##	Dontaudit read/write to generic cache home files (.cache)
  ## </summary>
  ## <param name="domain">
  ##	<summary>
 -##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	Class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`gnome_search_generic_gconf_home',`
+-interface(`gnome_home_filetrans_gconf_home',`
 +interface(`gnome_dontaudit_rw_generic_cache_files',`
  	gen_require(`
 -		type gconf_home_t;
 +		type cache_home_t;
  	')
  
--	userdom_search_user_home_dirs($1)
--	allow $1 gconf_home_t:dir search_dir_perms;
+-	userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
 +	dontaudit $1 cache_home_t:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create objects in user home
--##	directories with the generic gconf
+-##	directories with the generic gnome
 -##	home type.
 +##	read gnome homedir content (.config)
  ## </summary>
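Review bot: The summary of the renamed `gnome_manage_generic_cache_files` interface still reads `##	write to generic cache home files (.cache)`, but its body now calls `manage_files_pattern($1, cache_home_t, cache_home_t)`, which also grants create, rename and delete; since callers choose interfaces by these summaries, it should say `##	Create, read, write, and delete generic cache home files (.cache)`. The same body places the manage_files_pattern call before `userdom_search_user_home_dirs($1)`, while the sibling `gnome_manage_generic_cache_sockets` further down calls the search interface first; using the same order in both makes the pair easier to compare.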
@@ -28313,14 +28372,14 @@ index d03fd43..0e04529 100644
 -##	</summary>
 -## </param>
  #
--interface(`gnome_home_filetrans_gconf_home',`
+-interface(`gnome_home_filetrans_gnome_home',`
 +interface(`gnome_read_config',`
  	gen_require(`
--		type gconf_home_t;
+-		type gnome_home_t;
 +		attribute gnome_home_type;
  	')
  
--	userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+-	userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
 +	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
 +	read_files_pattern($1, gnome_home_type, gnome_home_type)
 +	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
@@ -28329,23 +28388,22 @@ index d03fd43..0e04529 100644
  
  ########################################
  ## <summary>
--##	Create objects in user home
--##	directories with the generic gnome
--##	home type.
+-##	Create objects in gnome gconf home
+-##	directories with a private type.
 +##	Create objects in a Gnome gconf home directory
 +##	with an automatic type transition to
 +##	a specified private type.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
+@@ -577,12 +599,12 @@ interface(`gnome_home_filetrans_gnome_home',`
  ## </param>
-+## <param name="private_type">
-+##	<summary>
+ ## <param name="private_type">
+ ##	<summary>
+-##	Private file type.
 +##	The type of the object to create.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
  ## <param name="object_class">
  ##	<summary>
 -##	Class of the object being created.
@@ -28353,18 +28411,19 @@ index d03fd43..0e04529 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -557,52 +594,77 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -591,18 +613,18 @@ interface(`gnome_home_filetrans_gnome_home',`
  ##	</summary>
  ## </param>
  #
--interface(`gnome_home_filetrans_gnome_home',`
+-interface(`gnome_gconf_home_filetrans',`
 +interface(`gnome_data_filetrans',`
  	gen_require(`
--		type gnome_home_t;
+-		type gconf_home_t;
 +		type data_home_t;
  	')
  
--	userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+-	userdom_search_user_home_dirs($1)
+-	filetrans_pattern($1, gconf_home_t, $2, $3, $4)
 +	filetrans_pattern($1, data_home_t, $2, $3, $4)
 +	gnome_search_gconf($1)
  ')
@@ -28372,44 +28431,40 @@ index d03fd43..0e04529 100644
 -########################################
 +#######################################
  ## <summary>
--##	Create objects in gnome gconf home
--##	directories with a private type.
+-##	Read generic gnome keyring home files.
 +##	Read generic data home files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -610,46 +632,80 @@ interface(`gnome_gconf_home_filetrans',`
  ##	</summary>
  ## </param>
--## <param name="private_type">
--##	<summary>
--##	Private file type.
--##	</summary>
--## </param>
--## <param name="object_class">
--##	<summary>
--##	Class of the object being created.
--##	</summary>
-+#
+ #
+-interface(`gnome_read_keyring_home_files',`
 +interface(`gnome_read_generic_data_home_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type gnome_home_t, gnome_keyring_home_t;
 +		type data_home_t, gconf_home_t;
-+	')
-+
+ 	')
+ 
+-	userdom_search_user_home_dirs($1)
+-	read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
 +	read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
 +	read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Send and receive messages from
+-##	gnome keyring daemon over dbus.
 +##  Read generic data home dirs.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
--## <param name="name" optional="true">
++## </param>
 +#
 +interface(`gnome_read_generic_data_home_dirs',`
 +    gen_require(`
@@ -28422,49 +28477,49 @@ index d03fd43..0e04529 100644
 +#######################################
 +## <summary>
 +##	Manage gconf data home files
-+## </summary>
+ ## </summary>
+-## <param name="role_prefix">
 +## <param name="domain">
  ##	<summary>
--##	The name of the object being created.
+-##	The prefix of the user domain (e.g., user
+-##	is the prefix for user_t).
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
- #
--interface(`gnome_gconf_home_filetrans',`
++#
 +interface(`gnome_manage_data',`
- 	gen_require(`
++	gen_require(`
 +		type data_home_t;
- 		type gconf_home_t;
- 	')
- 
--	userdom_search_user_home_dirs($1)
--	filetrans_pattern($1, gconf_home_t, $2, $3, $4)
++		type gconf_home_t;
++	')
++
 +	allow $1 gconf_home_t:dir search_dir_perms;
 +	manage_dirs_pattern($1, data_home_t, data_home_t)
 +	manage_files_pattern($1, data_home_t, data_home_t)
 +	manage_lnk_files_pattern($1, data_home_t, data_home_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read generic gnome keyring home files.
++')
++
++########################################
++## <summary>
 +##	Read icc data home content.
- ## </summary>
++## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -610,93 +672,126 @@ interface(`gnome_gconf_home_filetrans',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`gnome_read_keyring_home_files',`
+-interface(`gnome_dbus_chat_gkeyringd',`
 +interface(`gnome_read_home_icc_data_content',`
  	gen_require(`
--		type gnome_home_t, gnome_keyring_home_t;
+-		type $1_gkeyringd_t;
+-		class dbus send_msg;
 +		type icc_data_home_t, gconf_home_t, data_home_t;
  	')
  
- 	userdom_search_user_home_dirs($1)
--	read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+-	allow $2 $1_gkeyringd_t:dbus send_msg;
+-	allow $1_gkeyringd_t $2:dbus send_msg;
++	userdom_search_user_home_dirs($1)
 +	allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
 +	list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
 +	read_files_pattern($1, icc_data_home_t, icc_data_home_t)
@@ -28473,106 +28528,76 @@ index d03fd43..0e04529 100644
  
  ########################################
  ## <summary>
--##	Send and receive messages from
+-##	Send and receive messages from all
 -##	gnome keyring daemon over dbus.
 +##	Read inherited icc data home files.
  ## </summary>
--## <param name="role_prefix">
--##	<summary>
--##	The prefix of the user domain (e.g., user
--##	is the prefix for user_t).
--##	</summary>
--## </param>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -657,46 +713,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
  ##	</summary>
  ## </param>
  #
--interface(`gnome_dbus_chat_gkeyringd',`
+-interface(`gnome_dbus_chat_all_gkeyringd',`
 +interface(`gnome_read_inherited_home_icc_data_files',`
  	gen_require(`
--		type $1_gkeyringd_t;
+-		attribute gkeyringd_domain;
 -		class dbus send_msg;
 +		type icc_data_home_t;
  	')
  
--	allow $2 $1_gkeyringd_t:dbus send_msg;
--	allow $1_gkeyringd_t $2:dbus send_msg;
+-	allow $1 gkeyringd_domain:dbus send_msg;
+-	allow gkeyringd_domain $1:dbus send_msg;
 +	allow $1 icc_data_home_t:file read_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Send and receive messages from all
--##	gnome keyring daemon over dbus.
+-##	Connect to gnome keyring daemon
+-##	with a unix stream socket.
 +##	Create gconf_home_t objects in the /root directory
  ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <param name="object_class">
+-## <param name="role_prefix">
++## <param name="domain">
 +##	<summary>
-+##	The class of the object to be created.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="name" optional="true">
++## <param name="object_class">
 +##	<summary>
-+##	The name of the object being created.
++##	The class of the object to be created.
 +##	</summary>
 +## </param>
- #
--interface(`gnome_dbus_chat_all_gkeyringd',`
-+interface(`gnome_admin_home_gconf_filetrans',`
- 	gen_require(`
--		attribute gkeyringd_domain;
--		class dbus send_msg;
-+		type gconf_home_t;
- 	')
- 
--	allow $1 gkeyringd_domain:dbus send_msg;
--	allow gkeyringd_domain $1:dbus send_msg;
-+	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
- ')
- 
- ########################################
- ## <summary>
--##	Connect to gnome keyring daemon
--##	with a unix stream socket.
-+##	Do not audit attempts to read
-+##	inherited gconf config files.
- ## </summary>
--## <param name="role_prefix">
-+## <param name="domain">
++## <param name="name" optional="true">
  ##	<summary>
 -##	The prefix of the user domain (e.g., user
 -##	is the prefix for user_t).
-+##	Domain to not audit.
++##	The name of the object being created.
  ##	</summary>
  ## </param>
 +#
-+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
++interface(`gnome_admin_home_gconf_filetrans',`
 +	gen_require(`
-+		type gconf_etc_t;
++		type gconf_home_t;
 +	')
 +
-+	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
++	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
 +')
 +
 +########################################
 +## <summary>
-+##	read gconf config files
++##	Do not audit attempts to read
++##	inherited gconf config files.
 +## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`gnome_stream_connect_gkeyringd',`
-+interface(`gnome_read_gconf_config',`
++interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
  	gen_require(`
 -		type $1_gkeyringd_t, gnome_keyring_tmp_t;
 +		type gconf_etc_t;
@@ -28580,6 +28605,31 @@ index d03fd43..0e04529 100644
  
 -	files_search_tmp($2)
 -	stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
++	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Connect to all gnome keyring daemon
+-##	with a unix stream socket.
++##	read gconf config files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -704,12 +778,912 @@ interface(`gnome_stream_connect_gkeyringd',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`gnome_stream_connect_all_gkeyringd',`
++interface(`gnome_read_gconf_config',`
+ 	gen_require(`
+-		attribute gkeyringd_domain;
+-		type gnome_keyring_tmp_t;
++		type gconf_etc_t;
+ 	')
+ 
+-	files_search_tmp($1)
+-	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
 +	allow $1 gconf_etc_t:dir list_dir_perms;
 +	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
 +	files_search_etc($1)
@@ -28602,22 +28652,19 @@ index d03fd43..0e04529 100644
 +
 +        allow $1 gconf_etc_t:dir list_dir_perms;
 +        manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
- ')
- 
- ########################################
- ## <summary>
--##	Connect to all gnome keyring daemon
--##	with a unix stream socket.
++')
++
++########################################
++## <summary>
 +##	Execute gconf programs in 
 +##	in the caller domain.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -704,12 +799,872 @@ interface(`gnome_stream_connect_gkeyringd',`
- ##	</summary>
- ## </param>
- #
--interface(`gnome_stream_connect_all_gkeyringd',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`gnome_exec_gconf',`
 +	gen_require(`
 +		type gconfd_exec_t;
@@ -29212,14 +29259,11 @@ index d03fd43..0e04529 100644
 +## </param>
 +#
 +interface(`gnome_dbus_chat_gkeyringd',`
- 	gen_require(`
- 		attribute gkeyringd_domain;
--		type gnome_keyring_tmp_t;
++	gen_require(`
++		attribute gkeyringd_domain;
 +		class dbus send_msg;
- 	')
- 
--	files_search_tmp($1)
--	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
++	')
++
 +	allow $1 gkeyringd_domain:dbus send_msg;
 +	allow gkeyringd_domain $1:dbus send_msg;
 +')
@@ -29491,7 +29535,7 @@ index d03fd43..0e04529 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 20f726b..c6ff2a1 100644
+index 20f726b..2af3f4b 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -1,18 +1,36 @@
@@ -29535,7 +29579,7 @@ index 20f726b..c6ff2a1 100644
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,226 @@ type gconfd_exec_t;
+@@ -29,107 +47,225 @@ type gconfd_exec_t;
  typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
  typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
  userdom_user_application_domain(gconfd_t, gconfd_exec_t)
@@ -29797,8 +29841,7 @@ index 20f726b..c6ff2a1 100644
  optional_policy(`
 -	telepathy_mission_control_read_state(gkeyringd_domain)
 +	gnome_read_home_config(gkeyringd_domain)
-+	gnome_read_generic_cache_files(gkeyringd_domain)
-+	gnome_write_generic_cache_files(gkeyringd_domain)
++    gnome_manage_generic_cache_files(gkeyringd_domain)
 +	gnome_manage_cache_home_dir(gkeyringd_domain)
 +	gnome_manage_generic_cache_sockets(gkeyringd_domain)
  ')
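Review bot: The added `gnome_manage_generic_cache_files(gkeyringd_domain)` line is indented with four spaces while every neighbouring call in this `optional_policy` block uses a tab, so the block reads as mis-aligned; it should be `	gnome_manage_generic_cache_files(gkeyringd_domain)` with a tab. The same space-instead-of-tab indentation appears on the new `lldpad_dgram_send(NetworkManager_t)` line in the networkmanager.te hunk and on the new `prelink_domtrans(sosreport_t)` line in the sosreport.te hunk. Since this line also replaces the earlier read/write pair with a full manage interface, which presumably adds create/unlink rights as well, a one-line why-comment above it would make the widening easier to revisit.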
@@ -31485,10 +31528,10 @@ index 0000000..17c3627
 +')
 diff --git a/hypervkvp.te b/hypervkvp.te
 new file mode 100644
-index 0000000..88bd0b2
+index 0000000..3543847
 --- /dev/null
 +++ b/hypervkvp.te
-@@ -0,0 +1,63 @@
+@@ -0,0 +1,65 @@
 +policy_module(hypervkvp, 1.0.0)
 +
 +########################################
@@ -31529,6 +31572,8 @@ index 0000000..88bd0b2
 +allow hyperv_domain self:fifo_file rw_fifo_file_perms;
 +allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
 +
++corecmd_exec_shell(hyperv_domain)
++
 +dev_read_sysfs(hyperv_domain)
 +
 +########################################
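Review bot: `corecmd_exec_shell(hyperv_domain)` is added with no comment saying which hyperv daemon needs a shell, and because it is written against the `hyperv_domain` attribute it applies to every domain carrying that attribute rather than to the one that invokes scripts. A short why-comment on the line, e.g. `# <DAEMON-PLACEHOLDER> invokes its helper scripts through /bin/sh`, would record the justification and let a later reviewer decide whether the grant can be narrowed to a single domain. I cannot tell from the hunk which daemon triggered the denial, so the comment text above is a placeholder to be filled in.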
@@ -38388,10 +38433,10 @@ index 0000000..da30c5d
 +')
 diff --git a/lsm.te b/lsm.te
 new file mode 100644
-index 0000000..a174f4b
+index 0000000..ba791e5
 --- /dev/null
 +++ b/lsm.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,70 @@
 +policy_module(lsm, 1.0.0)
 +
 +########################################
@@ -38440,9 +38485,12 @@ index 0000000..a174f4b
 +# Local lsmd plugin policy
 +#
 +
++allow lsmd_plugin_t self:udp_socket create_socket_perms;
++
 +domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
 +
 +allow lsmd_t lsmd_plugin_exec_t:file read_file_perms;
++stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t)
 +
 +manage_files_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
 +manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
@@ -38454,6 +38502,8 @@ index 0000000..a174f4b
 +
 +corecmd_exec_bin(lsmd_plugin_t)
 +
++init_stream_connect(lsmd_plugin_t)
++
 +logging_send_syslog_msg(lsmd_plugin_t)
 +
 +sysnet_read_config(lsmd_plugin_t)
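Review bot: `init_stream_connect(lsmd_plugin_t)` lets every lsmd plugin connect to init's stream sockets, and nothing in the hunk explains why a plugin, rather than lsmd_t itself, needs that. A why-comment above the line, e.g. `# plugins connect to <INIT-SOCKET-PLACEHOLDER> — confirm`, would document the dependency; the socket involved is not visible here, so the text is a placeholder. The plugin section this line sits in begins earlier in the file, outside this hunk.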
@@ -42811,7 +42861,7 @@ index 6194b80..b8952a1 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..bf3015e 100644
+index 6a306ee..055286f 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -43661,7 +43711,7 @@ index 6a306ee..bf3015e 100644
  ')
  
  optional_policy(`
-@@ -568,108 +580,130 @@ optional_policy(`
+@@ -568,108 +580,131 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43842,6 +43892,7 @@ index 6a306ee..bf3015e 100644
 -	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
 +tunable_policy(`mozilla_plugin_use_spice',`
 +	dev_rw_generic_usb_dev(mozilla_plugin_t)
++	dev_setattr_generic_usb_dev(mozilla_plugin_t)
 +	corenet_tcp_bind_vnc_port(mozilla_plugin_t)
  ')
  
@@ -47128,7 +47179,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 9f6179e..6337dad 100644
+index 9f6179e..c75403e 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -1,4 +1,4 @@
@@ -47339,7 +47390,7 @@ index 9f6179e..6337dad 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -183,21 +185,28 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -183,21 +185,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
  corecmd_exec_bin(mysqld_safe_t)
  corecmd_exec_shell(mysqld_safe_t)
  
@@ -47355,8 +47406,9 @@ index 9f6179e..6337dad 100644
 +files_dontaudit_access_check_root(mysqld_safe_t)
  files_dontaudit_search_all_mountpoints(mysqld_safe_t)
 +files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-+files_dontaudit_write_root_dirs(mysqld_safe_t)
  
++files_write_root_dirs(mysqld_safe_t)
++
 +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  logging_send_syslog_msg(mysqld_safe_t)
  
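Review bot: `files_write_root_dirs(mysqld_safe_t)` turns the previous dontaudit into a real grant to write into the root user's home directory, and the hunk carries no comment about what mysqld_safe actually creates there. Anything it creates will presumably inherit the admin home label unless a filetrans is paired with it; since the same patch already uses `userdom_admin_home_dir_filetrans` in gnome.if, a matching filetrans to a mysqld type here would keep the written content under the mysql types. At minimum add a why-comment naming the file, e.g. `# mysqld_safe writes <FILE-PLACEHOLDER> into /root`, so the grant can be revisited.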
@@ -47374,7 +47426,7 @@ index 9f6179e..6337dad 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -205,7 +214,7 @@ optional_policy(`
+@@ -205,7 +215,7 @@ optional_policy(`
  
  ########################################
  #
@@ -47383,7 +47435,7 @@ index 9f6179e..6337dad 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +223,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +224,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -47401,7 +47453,7 @@ index 9f6179e..6337dad 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -226,31 +236,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +237,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -49039,7 +49091,7 @@ index 0e8508c..ee2e3de 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..8350f85 100644
+index 0b48a30..bcaf742 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -49299,24 +49351,24 @@ index 0b48a30..8350f85 100644
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
 +	dnsmasq_systemctl(NetworkManager_t)
++')
++
++optional_policy(`
++	hal_write_log(NetworkManager_t)
  ')
  
  optional_policy(`
 -	gnome_stream_connect_all_gkeyringd(NetworkManager_t)
-+	hal_write_log(NetworkManager_t)
++	howl_signal(NetworkManager_t)
  ')
  
  optional_policy(`
 -	hal_write_log(NetworkManager_t)
-+	howl_signal(NetworkManager_t)
++	gnome_dontaudit_search_config(NetworkManager_t)
  ')
  
  optional_policy(`
 -	howl_signal(NetworkManager_t)
-+	gnome_dontaudit_search_config(NetworkManager_t)
-+')
-+
-+optional_policy(`
 +    iodined_domtrans(NetworkManager_t)
  ')
  
@@ -49332,15 +49384,11 @@ index 0b48a30..8350f85 100644
  ')
  
  optional_policy(`
-@@ -257,11 +290,10 @@ optional_policy(`
+@@ -257,11 +290,14 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	libs_exec_ldconfig(NetworkManager_t)
--')
--
--optional_policy(`
--	modutils_domtrans_insmod(NetworkManager_t)
 +	l2tpd_domtrans(NetworkManager_t)
 +    l2tpd_sigkill(NetworkManager_t)
 +    l2tpd_signal(NetworkManager_t)
@@ -49348,7 +49396,12 @@ index 0b48a30..8350f85 100644
  ')
  
  optional_policy(`
-@@ -274,10 +306,17 @@ optional_policy(`
+-	modutils_domtrans_insmod(NetworkManager_t)
++    lldpad_dgram_send(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
+@@ -274,10 +310,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -49366,7 +49419,7 @@ index 0b48a30..8350f85 100644
  ')
  
  optional_policy(`
-@@ -289,6 +328,7 @@ optional_policy(`
+@@ -289,6 +332,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49374,7 +49427,7 @@ index 0b48a30..8350f85 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +336,7 @@ optional_policy(`
+@@ -296,7 +340,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49383,7 +49436,7 @@ index 0b48a30..8350f85 100644
  ')
  
  optional_policy(`
-@@ -307,6 +347,7 @@ optional_policy(`
+@@ -307,6 +351,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -49391,7 +49444,7 @@ index 0b48a30..8350f85 100644
  ')
  
  optional_policy(`
-@@ -320,13 +361,19 @@ optional_policy(`
+@@ -320,13 +365,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49401,21 +49454,21 @@ index 0b48a30..8350f85 100644
 +	systemd_read_logind_sessions_files(NetworkManager_t)
 +	systemd_dbus_chat_logind(NetworkManager_t)
 +	systemd_hostnamed_read_config(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+    ssh_exec(NetworkManager_t)
  ')
  
  optional_policy(`
 -	# unconfined_dgram_send(NetworkManager_t)
 -	unconfined_stream_connect(NetworkManager_t)
++    ssh_exec(NetworkManager_t)
++')
++
++optional_policy(`
 +	udev_exec(NetworkManager_t)
 +	udev_read_db(NetworkManager_t)
  ')
  
  optional_policy(`
-@@ -356,6 +403,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +407,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -54168,7 +54221,7 @@ index 0000000..a437f80
 +files_read_config_files(openshift_domain)
 diff --git a/openshift.fc b/openshift.fc
 new file mode 100644
-index 0000000..0dc672f
+index 0000000..79aa756
 --- /dev/null
 +++ b/openshift.fc
 @@ -0,0 +1,27 @@
@@ -54187,7 +54240,7 @@ index 0000000..0dc672f
 +/var/lib/openshift/.*/\.tmp(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
 +/var/lib/openshift/.*/\.sandbox(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
 +
-+/var/log/mcollective\.log        --    gen_context(system_u:object_r:openshift_log_t,s0)
++/var/log/mcollective\.log.*        --    gen_context(system_u:object_r:openshift_log_t,s0)
 +/var/log/openshift(/.*)?	 gen_context(system_u:object_r:openshift_log_t,s0)
 +
 +/usr/s?bin/(oo|rhc)-cgroup-read        --    gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
@@ -56302,7 +56355,7 @@ index 9b15730..eedd136 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..a499612 100644
+index 508fedf..dd3be82 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -1,4 +1,4 @@
@@ -56367,7 +56420,7 @@ index 508fedf..a499612 100644
  
  manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
  manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -45,45 +52,55 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
  files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
  
  manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -56393,12 +56446,13 @@ index 508fedf..a499612 100644
 -
  kernel_read_network_state(openvswitch_t)
  kernel_read_system_state(openvswitch_t)
--
++kernel_request_load_module(openvswitch_t)
+ 
 -corenet_all_recvfrom_unlabeled(openvswitch_t)
 -corenet_all_recvfrom_netlabel(openvswitch_t)
 -corenet_raw_sendrecv_generic_if(openvswitch_t)
 -corenet_raw_sendrecv_generic_node(openvswitch_t)
-+kernel_request_load_module(openvswitch_t)
++corenet_tcp_connect_openflow_port(openvswitch_t)
  
  corecmd_exec_bin(openvswitch_t)
 +corecmd_exec_shell(openvswitch_t)
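Review bot: `kernel_request_load_module(openvswitch_t)` is added without a why-comment, and module autoload requests are a grant that reviewers usually want justified. Presumably the daemon triggers loading of its datapath module, but that is an inference from the name, so a comment such as `# <MODULE-PLACEHOLDER> is autoloaded when the daemon opens the datapath — confirm` should record the actual module once known. The new `corenet_tcp_connect_openflow_port` call in the same hunk relies on the openflow port label added elsewhere in this update, which is worth stating in the commit message for anyone bisecting a build failure.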
@@ -79722,7 +79776,7 @@ index e3e7c96..d7db2d9 100644
  ')
 diff --git a/rtas.fc b/rtas.fc
 new file mode 100644
-index 0000000..25d96cb
+index 0000000..4552e91
 --- /dev/null
 +++ b/rtas.fc
 @@ -0,0 +1,13 @@
@@ -79734,8 +79788,8 @@ index 0000000..25d96cb
 +/var/lock/.*librtas  --  gen_context(system_u:object_r:rtas_errd_var_lock_t)
 +
 +/var/log/rtas_errd.*    --  gen_context(system_u:object_r:rtas_errd_log_t)
-+/var/log/platform   --  gen_context(system_u:object_r:rtas_errd_log_t)
-+/var/log/epow_status    --  gen_context(system_u:object_r:rtas_errd_log_t)
++/var/log/platform.*   --  gen_context(system_u:object_r:rtas_errd_log_t)
++/var/log/epow_status.*    --  gen_context(system_u:object_r:rtas_errd_log_t)
 +
 +/var/run/rtas_errd.*     --     gen_context(system_u:object_r:rtas_errd_var_run_t,s0)
 +
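Review bot: The two entries this hunk rewrites, `/var/log/platform.*` and `/var/log/epow_status.*`, still omit the sensitivity argument that the file's other entries pass — compare `/var/run/rtas_errd.*` below, which ends in `,s0`. With the refpolicy `gen_context` macro a missing second argument likely yields a context with a dangling `:` in MCS/MLS builds, so while these lines are being touched they should become `/var/log/platform.*   --  gen_context(system_u:object_r:rtas_errd_log_t,s0)` and `/var/log/epow_status.*    --  gen_context(system_u:object_r:rtas_errd_log_t,s0)`. The unchanged `rtas_errd.*` and `librtas` entries above them share the omission and are outside this hunk.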
@@ -82285,10 +82339,10 @@ index 0000000..b7db254
 +# Empty
 diff --git a/sandbox.if b/sandbox.if
 new file mode 100644
-index 0000000..577dfa7
+index 0000000..8a6ad19
 --- /dev/null
 +++ b/sandbox.if
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,56 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -82319,6 +82373,7 @@ index 0000000..577dfa7
 +	allow sandbox_domain $1:process { sigchld signull };
 +	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
 +	dontaudit sandbox_domain $1:process signal;
++	dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
 +')
 +
 +########################################
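Review bot: The added `dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;` silences denials on a socket the sandbox inherited from the caller, which also hides the case where the caller leaks a descriptor it should have closed before the transition. A why-comment stating which caller leaks the socket, e.g. `# <CALLER-PLACEHOLDER> leaves a unix stream socket open across the sandbox transition`, would let someone later decide whether the leak should be fixed instead. The interface's summary and parameter documentation start before this hunk and should mention that socket rw denials are suppressed.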
@@ -82821,10 +82876,10 @@ index 0000000..e45c73a
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..9ba5803
+index 0000000..4566e9b
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,488 @@
+@@ -0,0 +1,498 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@@ -83059,6 +83114,8 @@ index 0000000..9ba5803
 +
 +optional_policy(`
 +	gnome_read_gconf_config(sandbox_x_domain)
++	gnome_dontaudit_rw_inherited_config(sandbox_x_domain)
++	gnome_dontaudit_rw_inherited_config(sandbox_xserver_t)
 +')
 +
 +optional_policy(`
@@ -83127,6 +83184,10 @@ index 0000000..9ba5803
 +logging_send_syslog_msg(sandbox_x_client_t)
 +
 +optional_policy(`
++	avahi_dbus_chat(sandbox_x_client_t)
++')
++
++optional_policy(`
 +	colord_dbus_chat(sandbox_x_client_t)
 +')
 +
@@ -83238,6 +83299,10 @@ index 0000000..9ba5803
 +')
 +
 +optional_policy(`
++	avahi_dbus_chat(sandbox_web_type)
++')
++
++optional_policy(`
 +	bluetooth_dontaudit_dbus_chat(sandbox_web_type)
 +')
 +
@@ -83906,7 +83971,7 @@ index 98c9e0a..df51942 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 4a23d84..f149aad 100644
+index 4a23d84..bcf1556 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
@@ -83943,10 +84008,12 @@ index 4a23d84..f149aad 100644
  ######################################
  #
  # Common sblim domain local policy
-@@ -32,31 +39,36 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+@@ -31,32 +38,38 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms;
+ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
  manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
  manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
- 
++files_pid_filetrans(sblim_domain, sblim_var_run_t,dir,"gather")
++
 +manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
 +manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
 +manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
@@ -83956,7 +84023,7 @@ index 4a23d84..f149aad 100644
 +manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
 +manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
 +files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file})
-+
+ 
  kernel_read_network_state(sblim_domain)
 -kernel_read_system_state(sblim_domain)
  
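Review bot: The new `files_pid_filetrans(sblim_domain, sblim_var_run_t,dir,"gather")` line drops the space after the commas that every other call in this block uses (`manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)`), so it should read `files_pid_filetrans(sblim_domain, sblim_var_run_t, dir, "gather")`. The file-name transition only covers a directory literally named `gather`, which matches the commit message, so a brief comment such as `# /run/gather is created by the gatherd daemon` would make the purpose of the name match obvious to the next reader.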
@@ -83990,7 +84057,7 @@ index 4a23d84..f149aad 100644
  allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
  allow sblim_gatherd_t self:unix_stream_socket { accept listen };
  
-@@ -84,6 +96,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
+@@ -84,6 +97,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
  
  init_read_utmp(sblim_gatherd_t)
  
@@ -83999,7 +84066,7 @@ index 4a23d84..f149aad 100644
  sysnet_dns_name_resolve(sblim_gatherd_t)
  
  term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +117,9 @@ optional_policy(`
+@@ -103,8 +118,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84010,7 +84077,7 @@ index 4a23d84..f149aad 100644
  ')
  
  optional_policy(`
-@@ -117,6 +132,32 @@ optional_policy(`
+@@ -117,6 +133,32 @@ optional_policy(`
  # Reposd local policy
  #
  
@@ -87361,7 +87428,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index 703efa3..678439a 100644
+index 703efa3..46a794b 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
@@ -87524,7 +87591,15 @@ index 703efa3..678439a 100644
  ')
  
  optional_policy(`
-@@ -135,9 +194,25 @@ optional_policy(`
+@@ -131,13 +190,33 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    prelink_domtrans(sosreport_t)
++')
++
++optional_policy(`
+ 	pulseaudio_run(sosreport_t, sosreport_roles)
  ')
  
  optional_policy(`
@@ -95711,7 +95786,7 @@ index 0be8535..b96e329 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index c30da4c..9bad8b9 100644
+index c30da4c..6351bcb 100644
 --- a/virt.fc
 +++ b/virt.fc
 @@ -1,52 +1,92 @@
@@ -95844,10 +95919,10 @@ index c30da4c..9bad8b9 100644
 +/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/run/qga\.state             --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +
-+/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
++/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..43128c6 100644
+index 9dec06c..3ad56e3 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -96862,7 +96937,7 @@ index 9dec06c..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,74 +658,189 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +658,227 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -96936,12 +97011,10 @@ index 9dec06c..43128c6 100644
 +##	Execute virt server in the virt domain.
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	The type of the object to be created.
++##	<summary>
 +##	Domain allowed to transition.
- ##	</summary>
- ## </param>
--## <param name="object">
++##	</summary>
++## </param>
 +#
 +interface(`virt_systemctl',`
 +	gen_require(`
@@ -96962,11 +97035,11 @@ index 9dec06c..43128c6 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
--##	The object class of the object being created.
+-##	The type of the object to be created.
 +##	Domain allowed to transition.
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
+-## <param name="object">
 +#
 +interface(`virt_ptrace',`
 +	gen_require(`
@@ -96978,7 +97051,29 @@ index 9dec06c..43128c6 100644
 +
 +#######################################
 +## <summary>
-+##	Connect to virt over a unix domain stream socket.
++##	Manage Sandbox Files
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The object class of the object being created.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
++#
++interface(`virt_manage_sandbox_files',`
++	gen_require(`
++		type svirt_sandbox_file_t;
++	')
++
++	manage_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++')
++
++#######################################
++## <summary>
++##	Relabel Sandbox File systems
 +## </summary>
 +## <param name="domain">
  ##	<summary>
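Review bot: The summary of the new `virt_manage_sandbox_files` interface, `Manage Sandbox Files`, is title-cased unlike the other summaries in virt.if and does not say which object classes it covers, while the body grants only dirs, files and symlinks (no sock_file or fifo_file). Suggest `##	Manage svirt sandbox dirs, files and symlinks.` so callers that need sockets know this interface does not grant them. The `virt_relabel_sandbox_filesystem` interface in the next hunk has the same title-cased style in `Relabel Sandbox File systems`; `##	Relabel svirt sandbox filesystems.` would match the file.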
@@ -96989,9 +97084,27 @@ index 9dec06c..43128c6 100644
 -## <infoflow type="write" weight="10"/>
  #
 -interface(`virt_pid_filetrans',`
-+interface(`virt_stream_connect_sandbox',`
++interface(`virt_relabel_sandbox_filesystem',`
  	gen_require(`
 -		type virt_var_run_t;
++		type svirt_sandbox_file_t;
++	')
++
++	allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto };
++')
++
++#######################################
++## <summary>
++##	Connect to virt over a unix domain stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_stream_connect_sandbox',`
++	gen_require(`
 +		attribute svirt_sandbox_domain;
 +		type svirt_sandbox_file_t;
  	')
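Review bot: `virt_relabel_sandbox_filesystem` grants `filesystem { relabelfrom relabelto }` on svirt_sandbox_file_t, which is the filesystem-class permission checked when a whole filesystem's context is changed (context mounts), not the per-file relabel that a `relabel_files_pattern` call would give; the summary `Relabel Sandbox File systems` is accurate but easy to misread as file relabeling. Suggest making the distinction explicit: `##	Relabel file systems to or from the sandbox file context (filesystem-class relabel, e.g. context mounts).` The body of `virt_stream_connect_sandbox` continues past the end of the hunk.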
@@ -97047,11 +97160,10 @@ index 9dec06c..43128c6 100644
 +	optional_policy(`
 +		ptchown_run(virt_domain, $2)
 +	')
- ')
- 
- ########################################
- ## <summary>
--##	Append virt log files.
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to write virt daemon unnamed pipes.
 +## </summary>
 +## <param name="domain">
@@ -97067,15 +97179,16 @@ index 9dec06c..43128c6 100644
 +
 +	dontaudit $1 virtd_t:fd use;
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Append virt log files.
 +##	Send a sigkill to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -935,19 +848,17 @@ interface(`virt_read_log',`
+@@ -935,19 +886,17 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
@@ -97099,7 +97212,7 @@ index 9dec06c..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +866,17 @@ interface(`virt_append_log',`
+@@ -955,20 +904,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
@@ -97124,7 +97237,7 @@ index 9dec06c..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +884,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +922,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
@@ -97147,7 +97260,7 @@ index 9dec06c..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +902,57 @@ interface(`virt_search_images',`
+@@ -995,36 +940,57 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
@@ -97224,7 +97337,7 @@ index 9dec06c..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +960,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +998,28 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -97260,7 +97373,7 @@ index 9dec06c..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,37 +989,129 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1027,129 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -97404,7 +97517,7 @@ index 9dec06c..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1119,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1157,54 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -97478,7 +97591,7 @@ index 9dec06c..43128c6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1182,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1220,36 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -97526,11 +97639,11 @@ index 9dec06c..43128c6 100644
 -
 -	logging_search_logs($1)
 -	admin_pattern($1, virt_log_t)
-+	allow $1 virt_domain:process signal_perms;
- 
+-
 -	files_search_pids($1)
 -	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
--
++	allow $1 virt_domain:process signal_perms;
+ 
 -	files_search_var($1)
 -	admin_pattern($1, svirt_cache_t)
 -
@@ -97551,7 +97664,7 @@ index 9dec06c..43128c6 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..4f24986 100644
+index 1f22fba..e3c644e 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,147 +1,194 @@
@@ -99235,7 +99348,7 @@ index 1f22fba..4f24986 100644
 +typeattribute svirt_lxc_net_t sandbox_net_domain;
  
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_lxc_net_t self:capability { kill setuid setgid setfcap sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap };
  dontaudit svirt_lxc_net_t self:capability2 block_suspend;
 -allow svirt_lxc_net_t self:process setrlimit;
 -allow svirt_lxc_net_t self:tcp_socket { accept listen };
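Review bot: The rewritten capability rule for svirt_lxc_net_t adds `setfcap` to an already broad set (`kill setuid setgid sys_boot ipc_lock ... sys_chroot sys_ptrace`) with no comment recording which container workload needs it; CAP_SETFCAP lets the sandbox domain attach file capabilities to files it can modify, so the rationale belongs next to the rule, e.g. `# setfcap: TODO(review) name the docker/libvirt-lxc workload that requires it`. The changelog entry `Additional allow rules to get libvirt-lxc containers working with docker` is the only justification visible in this commit. With the set now this long, it is worth considering whether capabilities needed only during container setup could be gated by a tunable or placed in a narrower domain instead of the shared svirt_lxc_net_t rule.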
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a4c39e7..2cec8af 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 113%{?dist}
+Release: 114%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -576,6 +576,35 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jan 10 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-114
+- Add default lvm_var_run_t label for /var/run/multipathd
+- Fix log labeling to have correct default label for them after logrotate
+- Add files_write_root_dirs
+- Add new openflow port label for 6653/tcp and 6633/tcp
+- Add xserver_manage_xkb_libs()
+- Label tcp/8891 as milter por
+- Allow gnome_manage_generic_cache_files also create cache_home_t files
+- Fix aide.log labeling
+- Fix log labeling to have correct default label for them after logrotate
+- Allow mysqld-safe write access on /root to make mysqld working
+- Allow sosreport domtrans to prelikn
+- Allow OpenvSwitch to connec to openflow ports
+- Allow NM send dgram to lldpad
+- Allow hyperv domains to execute shell
+- Allow lsmd plugins stream connect to lsmd/init
+- Allow sblim domains to create /run/gather with correct labeling
+- Allow httpd to read ldap certs
+- Allow cupsd to send dbus msgs to process with different MLS level
+- Allow bumblebee to stream connect to apmd
+- Allow bumblebee to run xkbcomp
+- Additional allow rules to get libvirt-lxc containers working with docker
+- Additional allow rules to get libvirt-lxc containers working with docker
+- Allow docker to getattr on itself
+- Additional rules needed for sandbox apps
+- Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled
+- httpd should be able to send signal/signull to httpd_suexec_t
+- Add more fixes for neturon. Domtrans to dnsmasq, iptables. Make neutron as filenamtrans domain. 
+
 * Wed Jan 8 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-113
 - Add neutron fixes
 

