[selinux-policy] - init calling needs to be optional in domain.te - Allow docker and mount on devpts chr_file - Allow
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Jan 23 10:03:28 UTC 2014
commit 254b1593d0df2fb3e311569670c1eec4d35e660d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Jan 23 11:03:30 2014 +0100
- init calling needs to be optional in domain.te
- Allow docker and mount on devpts chr_file
- Allow docker to transition to unconfined_t if boolean set
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-contai
- Allow docker to use the network and build images
- Allow docker to read selinux files for labeling, and mount on devpts
- Allow domains that transition to svirt_sandbox to send it signals
- Allow docker to transition to unconfined_t if boolean set
policy-rawhide-base.patch | 1120 +++++++++++++++---------------------------
policy-rawhide-contrib.patch | 89 +++-
selinux-policy.spec | 14 +-
3 files changed, 465 insertions(+), 758 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 928ee6c..862c780 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5819,7 +5819,7 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..53df7ae 100644
+index b31c054..5d200ef 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -5867,7 +5867,7 @@ index b31c054..53df7ae 100644
')
+/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-+/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0)
++/dev/vfio/(vfio)?[0-9]+ -c gen_context(system_u:object_r:vfio_device_t,s0)
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
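Review bot: The replacement pattern `/dev/vfio/(vfio)?[0-9]+` requires at least one digit, so it no longer matches the bare `/dev/vfio/vfio` node that the removed line labelled `vfio_device_t`. Unless an entry outside this hunk still covers that path, the node would pick up whatever broader `/dev` pattern applies, and domains that were granted access through `vfio_device_t` would be denied on it. I would keep the literal entry next to the new one: `/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0)`.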
@@ -8705,7 +8705,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..dfb34a3 100644
+index cf04cb5..628d039 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8822,7 +8822,7 @@ index cf04cb5..dfb34a3 100644
')
########################################
-@@ -147,12 +206,21 @@ optional_policy(`
+@@ -147,12 +206,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -8833,9 +8833,6 @@ index cf04cb5..dfb34a3 100644
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+
-+# Allow manage transient unit files
-+allow unconfined_domain_type self:service manage_service_perms;
-+
# Act upon any other process.
-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
+allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
@@ -8845,7 +8842,7 @@ index cf04cb5..dfb34a3 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +234,318 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,330 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -8896,6 +8893,14 @@ index cf04cb5..dfb34a3 100644
+ init_filetrans_named_content(named_filetrans_domain)
+')
+
++# Allow manage transient unit files
++optional_policy(`
++ init_start_transient_unit(unconfined_domain_type)
++ init_stop_transient_unit(unconfined_domain_type)
++ init_status_transient_unit(unconfined_domain_type)
++ init_reload_transient_unit(unconfined_domain_type)
++')
++
+optional_policy(`
+ auth_filetrans_named_content(named_filetrans_domain)
+ auth_filetrans_admin_home_content(named_filetrans_domain)
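Review bot: The comment `# Allow manage transient unit files` now sits over four `init_*_transient_unit(unconfined_domain_type)` calls whose definitions are not in this hunk, while the rule they replace (removed in the `@@ -8833,9 +8833,6 @@` hunk) was scoped to `self:service` with `manage_service_perms`. It is worth confirming that these interfaces target only transient units and that start/stop/status/reload is the intended permission set, because the grant now disappears entirely when the init module is absent. I would extend the comment to record this, e.g. `# Manage transient units through init interfaces; optional so domain.te does not hard-depend on init`.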
@@ -8950,6 +8955,10 @@ index cf04cb5..dfb34a3 100644
+')
+
+optional_policy(`
++ docker_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
+ dnsmasq_filetrans_named_content(named_filetrans_domain)
+')
+
@@ -9415,7 +9424,7 @@ index b876c48..27f60c6 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..68d8f79 100644
+index f962f76..1a11674 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10578,20 +10587,39 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3256,10 +3867,10 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +3867,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
- type file_t;
+ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir { search_dir_perms mounton };
++')
++
++########################################
++## <summary>
++## Mount a filesystem on a new chr_file
++## that has not yet been labeled.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_mounton_isid_type_chr_file',`
++ gen_require(`
++ type unlabeled_t;
')
- allow $1 file_t:dir { search_dir_perms mounton };
-+ allow $1 unlabeled_t:dir { search_dir_perms mounton };
++ allow $1 unlabeled_t:chr_file mounton;
')
########################################
-@@ -3275,10 +3886,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +3905,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
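Review bot: `files_mounton_isid_type_chr_file` grants `mounton` on every `unlabeled_t:chr_file`, which is wider than the devpts case named in the commit message, and its summary does not say so. I would add a line to the summary such as `## Applies to any unlabeled character device, not only devpts nodes.` so that callers are chosen with that scope in mind. The name also uses the singular `chr_file`, where the sibling interfaces visible further down use `_chr_files` (`files_delete_isid_type_chr_files`, `files_manage_isid_type_chr_files`); renaming it before callers accumulate would keep the family consistent.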
@@ -10604,7 +10632,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3294,10 +3905,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +3924,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -10617,7 +10645,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3313,10 +3924,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +3943,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -10630,7 +10658,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3332,10 +3943,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +3962,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -10643,7 +10671,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3351,10 +3962,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +3981,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -10656,7 +10684,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3370,10 +3981,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4000,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -10669,7 +10697,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3389,10 +4000,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4019,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -10682,7 +10710,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3408,10 +4019,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4038,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -10695,7 +10723,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3427,10 +4038,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4057,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -10708,7 +10736,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3446,10 +4057,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4076,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -10721,7 +10749,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3465,10 +4076,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4095,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -10753,7 +10781,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3484,10 +4114,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4133,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -10766,7 +10794,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3503,10 +4133,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4152,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -10779,7 +10807,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3814,20 +4444,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4463,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -10823,7 +10851,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -4217,6 +4865,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +4884,172 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -10996,7 +11024,7 @@ index f962f76..68d8f79 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -4239,6 +5053,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5072,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@@ -11023,7 +11051,7 @@ index f962f76..68d8f79 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4252,17 +5086,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5105,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -11062,7 +11090,7 @@ index f962f76..68d8f79 100644
## </summary>
## </param>
#
-@@ -4289,6 +5143,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5162,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -11070,7 +11098,7 @@ index f962f76..68d8f79 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5180,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5199,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -11078,7 +11106,7 @@ index f962f76..68d8f79 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5190,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5209,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -11087,7 +11115,7 @@ index f962f76..68d8f79 100644
## </summary>
## </param>
#
-@@ -4346,6 +5202,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5221,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -11113,7 +11141,7 @@ index f962f76..68d8f79 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4361,6 +5236,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5255,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -11121,7 +11149,7 @@ index f962f76..68d8f79 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5278,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5297,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -11154,7 +11182,7 @@ index f962f76..68d8f79 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4456,7 +5358,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,7 +5377,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -11163,7 +11191,7 @@ index f962f76..68d8f79 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4464,17 +5366,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4464,17 +5385,17 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@@ -11185,7 +11213,7 @@ index f962f76..68d8f79 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4482,59 +5384,149 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4482,18 +5403,108 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
@@ -11205,54 +11233,6 @@ index f962f76..68d8f79 100644
-## Relabel to and from all temporary
-## directory types.
+## Set the attributes of all tmp directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_relabel_all_tmp_dirs',`
-+interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
- attribute tmpfile;
-- type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_dirs_pattern($1, tmpfile, tmpfile)
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to get the attributes
--## of all tmp files.
-+## Allow caller to read inherited tmp files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain not to audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
-+interface(`files_read_inherited_tmp_files',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- dontaudit $1 tmpfile:file getattr;
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
- ')
-
- ########################################
- ## <summary>
--## Allow attempts to get the attributes
--## of all tmp files.
-+## Allow caller to append inherited tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -11260,17 +11240,17 @@ index f962f76..68d8f79 100644
+## </summary>
+## </param>
+#
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:file append_inherited_file_perms;
++ allow $1 tmpfile:dir { search_dir_perms setattr };
+')
+
+########################################
+## <summary>
-+## Allow caller to read and write inherited tmp files.
++## Allow caller to read inherited tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -11278,17 +11258,17 @@ index f962f76..68d8f79 100644
+## </summary>
+## </param>
+#
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_read_inherited_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:file rw_inherited_file_perms;
++ allow $1 tmpfile:file { append read_inherited_file_perms };
+')
+
+########################################
+## <summary>
-+## List all tmp directories.
++## Allow caller to append inherited tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
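Review bot: `files_read_inherited_tmp_files` grants more than its name and summary state, because the rule `allow $1 tmpfile:file { append read_inherited_file_perms };` also lets the caller append to any inherited tmp file. The line is carried over from the previous revision of the patch (it is removed in the `@@ -11205,54 +11233,6 @@` hunk and re-added here), so this commit does not introduce it. If callers do not need append, the rule could be `allow $1 tmpfile:file read_inherited_file_perms;`, leaving append to `files_append_inherited_tmp_files`; otherwise the summary should mention it. The summary for this interface sits in the preceding hunk.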
@@ -11296,63 +11276,58 @@ index f962f76..68d8f79 100644
+## </summary>
+## </param>
+#
-+interface(`files_list_all_tmp',`
++interface(`files_append_inherited_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:dir list_dir_perms;
++ allow $1 tmpfile:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
-+## Relabel to and from all temporary
-+## directory types.
++## Allow caller to read and write inherited tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`files_relabel_all_tmp_dirs',`
++interface(`files_rw_inherited_tmp_file',`
+ gen_require(`
+ attribute tmpfile;
-+ type var_t;
+ ')
+
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
++## List all tmp directories.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_list_all_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ dontaudit $1 tmpfile:file getattr;
++ allow $1 tmpfile:dir list_dir_perms;
+')
+
+########################################
+## <summary>
-+## Allow attempts to get the attributes
-+## of all tmp files.
++## Relabel to and from all temporary
++## directory types.
## </summary>
## <param name="domain">
## <summary>
-@@ -4579,7 +5571,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4519,7 +5530,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -11361,7 +11336,16 @@ index f962f76..68d8f79 100644
## </summary>
## </param>
#
-@@ -4611,6 +5603,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4579,7 +5590,7 @@ interface(`files_relabel_all_tmp_files',`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain not to audit.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+@@ -4611,6 +5622,44 @@ interface(`files_read_all_tmp_files',`
########################################
## <summary>
@@ -11406,7 +11390,7 @@ index f962f76..68d8f79 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
## </summary>
-@@ -4664,6 +5694,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5713,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11423,7 +11407,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -5241,6 +6281,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6300,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -11448,7 +11432,7 @@ index f962f76..68d8f79 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5527,6 +6585,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6604,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
## <summary>
@@ -11474,7 +11458,7 @@ index f962f76..68d8f79 100644
## Create objects in the /var/lib directory
## </summary>
## <param name="domain">
-@@ -5596,6 +6673,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6692,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11500,7 +11484,7 @@ index f962f76..68d8f79 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6737,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6756,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -11509,7 +11493,7 @@ index f962f76..68d8f79 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5649,12 +6745,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6764,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -11525,7 +11509,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -5672,6 +6769,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6788,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11533,7 +11517,7 @@ index f962f76..68d8f79 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6796,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6815,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -11561,7 +11545,7 @@ index f962f76..68d8f79 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5706,13 +6823,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6842,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -11578,7 +11562,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -5731,7 +6847,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6866,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11587,7 +11571,7 @@ index f962f76..68d8f79 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +6880,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6899,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -11595,7 +11579,7 @@ index f962f76..68d8f79 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +6894,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6913,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
## <summary>
@@ -11604,7 +11588,7 @@ index f962f76..68d8f79 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5787,13 +6902,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6921,33 @@ interface(`files_relabel_all_lock_dirs',`
## </summary>
## </param>
#
@@ -11639,7 +11623,7 @@ index f962f76..68d8f79 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +6944,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +6963,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -11657,7 +11641,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -5834,9 +6968,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +6987,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11668,7 +11652,7 @@ index f962f76..68d8f79 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7010,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7029,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11678,7 +11662,7 @@ index f962f76..68d8f79 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7032,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7051,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11688,7 +11672,7 @@ index f962f76..68d8f79 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7069,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7088,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11698,7 +11682,7 @@ index f962f76..68d8f79 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7108,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7127,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11707,7 +11691,7 @@ index f962f76..68d8f79 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7128,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7147,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11756,7 +11740,7 @@ index f962f76..68d8f79 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -6025,21 +7192,40 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,27 +7211,27 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -11780,13 +11764,36 @@ index f962f76..68d8f79 100644
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+ dontaudit $1 pidfile:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic process ID files.
++## List the contents of the runtime process
++## ID directories (/var/run).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6053,12 +7239,31 @@ interface(`files_list_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_generic_pids',`
++interface(`files_list_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
++ list_dirs_pattern($1, var_t, var_run_t)
+')
+
+########################################
+## <summary>
-+## List the contents of the runtime process
-+## ID directories (/var/run).
++## Read generic process ID files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -11794,25 +11801,16 @@ index f962f76..68d8f79 100644
+## </summary>
+## </param>
+#
-+interface(`files_list_pids',`
++interface(`files_read_generic_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ files_search_pids($1)
list_dirs_pattern($1, var_t, var_run_t)
- ')
-
-@@ -6058,7 +7244,7 @@ interface(`files_read_generic_pids',`
- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ files_search_pids($1)
- list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7264,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7283,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11821,7 +11819,7 @@ index f962f76..68d8f79 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7326,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7345,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11829,7 +11827,7 @@ index f962f76..68d8f79 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7354,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7373,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
## <summary>
@@ -11854,506 +11852,38 @@ index f962f76..68d8f79 100644
## Read and write generic process ID files.
## </summary>
## <param name="domain">
-@@ -6182,7 +7385,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7404,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
- list_dirs_pattern($1, var_t, var_run_t)
- rw_files_pattern($1, var_run_t, var_run_t)
- ')
-@@ -6249,55 +7452,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
-
- ########################################
- ## <summary>
--## Read all process ID files.
-+## Relable all pid directories
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_read_all_pids',`
-+interface(`files_relabel_all_pid_dirs',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
-+ relabel_dirs_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ## <summary>
--## Delete all process IDs.
-+## Delete all pid sockets
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_delete_all_pids',`
-+interface(`files_delete_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+ allow $1 pidfile:sock_file delete_sock_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Delete all process ID directories.
-+## Create all pid sockets
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6305,42 +7496,35 @@ interface(`files_delete_all_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_delete_all_pid_dirs',`
-+interface(`files_create_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
-+ allow $1 pidfile:sock_file create_sock_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Create, read, write and delete all
--## var_run (pid) content
-+## Create all pid named pipes
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain alloed access.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_manage_all_pids',`
-+interface(`files_create_all_pid_pipes',`
- gen_require(`
- attribute pidfile;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
-+ allow $1 pidfile:fifo_file create_fifo_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Mount filesystems on all polyinstantiation
--## member directories.
-+## Delete all pid named pipes
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6348,18 +7532,18 @@ interface(`files_manage_all_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_mounton_all_poly_members',`
-+interface(`files_delete_all_pid_pipes',`
- gen_require(`
-- attribute polymember;
-+ attribute pidfile;
- ')
-
-- allow $1 polymember:dir mounton;
-+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Search the contents of generic spool
--## directories (/var/spool).
-+## manage all pidfile directories
-+## in the /var/run directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6367,37 +7551,40 @@ interface(`files_mounton_all_poly_members',`
- ## </summary>
- ## </param>
- #
--interface(`files_search_spool',`
-+interface(`files_manage_all_pid_dirs',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
-+ manage_dirs_pattern($1,pidfile,pidfile)
- ')
-
-+
- ########################################
- ## <summary>
--## Do not audit attempts to search generic
--## spool directories.
-+## Read all process ID files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`files_dontaudit_search_spool',`
-+interface(`files_read_all_pids',`
- gen_require(`
-- type var_spool_t;
-+ attribute pidfile;
-+ type var_t;
- ')
-
-- dontaudit $1 var_spool_t:dir search_dir_perms;
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
-+ read_lnk_files_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ## <summary>
--## List the contents of generic spool
--## (/var/spool) directories.
-+## Relable all pid files
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6405,18 +7592,17 @@ interface(`files_dontaudit_search_spool',`
- ## </summary>
- ## </param>
- #
--interface(`files_list_spool',`
-+interface(`files_relabel_all_pid_files',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-+ relabel_files_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
-+## Execute generic programs in /var/run in the caller domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6424,18 +7610,18 @@ interface(`files_list_spool',`
- ## </summary>
- ## </param>
- #
--interface(`files_manage_generic_spool_dirs',`
-+interface(`files_exec_generic_pid_files',`
- gen_require(`
-- type var_t, var_spool_t;
-+ type var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+ exec_files_pattern($1, var_run_t, var_run_t)
- ')
-
- ########################################
- ## <summary>
--## Read generic spool files.
-+## manage all pidfiles
-+## in the /var/run directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6443,19 +7629,18 @@ interface(`files_manage_generic_spool_dirs',`
- ## </summary>
- ## </param>
- #
--interface(`files_read_generic_spool',`
-+interface(`files_manage_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
-+ manage_files_pattern($1,pidfile,pidfile)
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete generic
--## spool files.
-+## Mount filesystems on all polyinstantiation
-+## member directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6463,55 +7648,130 @@ interface(`files_read_generic_spool',`
- ## </summary>
- ## </param>
- #
--interface(`files_manage_generic_spool',`
-+interface(`files_mounton_all_poly_members',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute polymember;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
-+ allow $1 polymember:dir mounton;
- ')
-
- ########################################
- ## <summary>
--## Create objects in the spool directory
--## with a private type with a type transition.
-+## Delete all process IDs.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="file">
-+## <rolecap/>
-+#
-+interface(`files_delete_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+## <summary>
-+## Delete all process ID directories.
-+## </summary>
-+## <param name="domain">
- ## <summary>
--## Type to which the created node will be transitioned.
-+## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="class">
-+#
-+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
-+## Make the specified type a file
-+## used for spool files.
-+## </summary>
-+## <desc>
-+## <p>
-+## Make the specified type usable for spool files.
-+## This will also make the type usable for files, making
-+## calls to files_type() redundant. Failure to use this interface
-+## for a spool file may result in problems with
-+## purging spool files.
-+## </p>
-+## <p>
-+## Related interfaces:
-+## </p>
-+## <ul>
-+## <li>files_spool_filetrans()</li>
-+## </ul>
-+## <p>
-+## Example usage with a domain that can create and
-+## write its spool file in the system spool file
-+## directories (/var/spool):
-+## </p>
-+## <p>
-+## type myspoolfile_t;
-+## files_spool_file(myfile_spool_t)
-+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+## </p>
-+## </desc>
-+## <param name="file_type">
- ## <summary>
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
-+## Type of the file to be used as a
-+## spool file.
- ## </summary>
- ## </param>
--## <param name="name" optional="true">
-+## <infoflow type="none"/>
-+#
-+interface(`files_spool_file',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ files_type($1)
-+ typeattribute $1 spoolfile;
-+')
-+
-+########################################
-+## <summary>
-+## Create all spool sockets
-+## </summary>
-+## <param name="domain">
- ## <summary>
--## The name of the object being created.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_spool_filetrans',`
-+interface(`files_create_all_spool_sockets',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute spoolfile;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Allow access to manage all polyinstantiated
--## directories on the system.
-+## Delete all spool sockets
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6519,64 +7779,767 @@ interface(`files_spool_filetrans',`
- ## </summary>
- ## </param>
- #
--interface(`files_polyinstantiate_all',`
-+interface(`files_delete_all_spool_sockets',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
-+ attribute spoolfile;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
-+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+ list_dirs_pattern($1, var_t, var_run_t)
+ rw_files_pattern($1, var_run_t, var_run_t)
')
+@@ -6249,6 +7471,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
--## Unconfined access to files.
-+## Relabel to and from all spool
-+## directory types.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`files_unconfined',`
-+interface(`files_relabel_all_spool_dirs',`
- gen_require(`
-- attribute files_unconfined_type;
-+ attribute spoolfile;
-+ type var_t;
- ')
-
-- typeattribute $1 files_unconfined_type;
-+ relabel_dirs_pattern($1, spoolfile, spoolfile)
++## Relable all pid directories
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_relabel_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ relabel_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
-+## Search the contents of generic spool
-+## directories (/var/spool).
++## Delete all pid sockets
+## </summary>
+## <param name="domain">
+## <summary>
@@ -12361,37 +11891,35 @@ index f962f76..68d8f79 100644
+## </summary>
+## </param>
+#
-+interface(`files_search_spool',`
++interface(`files_delete_all_pid_sockets',`
+ gen_require(`
-+ type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
-+ search_dirs_pattern($1, var_t, var_spool_t)
++ allow $1 pidfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to search generic
-+## spool directories.
++## Create all pid sockets
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_search_spool',`
++interface(`files_create_all_pid_sockets',`
+ gen_require(`
-+ type var_spool_t;
++ attribute pidfile;
+ ')
+
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
++ allow $1 pidfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
-+## List the contents of generic spool
-+## (/var/spool) directories.
++## Create all pid named pipes
+## </summary>
+## <param name="domain">
+## <summary>
@@ -12399,18 +11927,17 @@ index f962f76..68d8f79 100644
+## </summary>
+## </param>
+#
-+interface(`files_list_spool',`
++interface(`files_create_all_pid_pipes',`
+ gen_require(`
-+ type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
-+ list_dirs_pattern($1, var_t, var_spool_t)
++ allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+## <summary>
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
++## Delete all pid named pipes
+## </summary>
+## <param name="domain">
+## <summary>
@@ -12418,18 +11945,18 @@ index f962f76..68d8f79 100644
+## </summary>
+## </param>
+#
-+interface(`files_manage_generic_spool_dirs',`
++interface(`files_delete_all_pid_pipes',`
+ gen_require(`
-+ type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+## <summary>
-+## Read generic spool files.
++## manage all pidfile directories
++## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -12437,19 +11964,37 @@ index f962f76..68d8f79 100644
+## </summary>
+## </param>
+#
-+interface(`files_read_generic_spool',`
++interface(`files_manage_all_pid_dirs',`
+ gen_require(`
-+ type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
++ manage_dirs_pattern($1,pidfile,pidfile)
++')
++
++
++########################################
++## <summary>
+ ## Read all process ID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -6261,12 +7593,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ interface(`files_read_all_pids',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
++ type var_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
-+## Create, read, write, and delete generic
-+## spool files.
++## Relable all pid files
+## </summary>
+## <param name="domain">
+## <summary>
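Review bot: The summary `## Relable all pid files` added in this hunk misspells "Relabel" and should read `## Relabel all pid files`. The summary of files_relabel_all_pid_dirs earlier in this file's diff has the same spelling. The two summary lines for files_manage_all_pid_dirs here also start in lower case (`manage all pidfile directories`), unlike the neighbouring `Read all process ID files.` The files_relabel_all_pid_files interface continues past the end of this hunk.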
@@ -12457,55 +12002,55 @@ index f962f76..68d8f79 100644
+## </summary>
+## </param>
+#
-+interface(`files_manage_generic_spool',`
++interface(`files_relabel_all_pid_files',`
+ gen_require(`
-+ type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_spool_t, var_spool_t)
++ relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
-+## Create objects in the spool directory
-+## with a private type with a type transition.
++## Execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="file">
-+## <summary>
-+## Type to which the created node will be transitioned.
-+## </summary>
-+## </param>
-+## <param name="class">
-+## <summary>
-+## Object class(es) (single or set including {}) for which this
-+## the transition will occur.
-+## </summary>
-+## </param>
-+## <param name="name" optional="true">
++#
++interface(`files_exec_generic_pid_files',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ exec_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++## manage all pidfiles
++## in the /var/run directory.
++## </summary>
++## <param name="domain">
+## <summary>
-+## The name of the object being created.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_spool_filetrans',`
++interface(`files_manage_all_pids',`
+ gen_require(`
-+ type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ manage_files_pattern($1,pidfile,pidfile)
+')
+
+########################################
+## <summary>
-+## Allow access to manage all polyinstantiated
-+## directories on the system.
++## Mount filesystems on all polyinstantiation
++## member directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -12513,67 +12058,158 @@ index f962f76..68d8f79 100644
+## </summary>
+## </param>
+#
-+interface(`files_polyinstantiate_all',`
++interface(`files_mounton_all_poly_members',`
+ gen_require(`
-+ attribute polydir, polymember, polyparent;
-+ type poly_t;
++ attribute polymember;
+ ')
+
-+ # Need to give access to /selinux/member
-+ selinux_compute_member($1)
-+
-+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
-+ allow $1 polyparent:dir { getattr mounton };
-+
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
-+ allow $1 polydir: dir { write add_name open };
-+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+ # Default type for mountpoints
-+ allow $1 poly_t:dir { create mounton };
-+ fs_unmount_xattr_fs($1)
++ allow $1 polymember:dir mounton;
+ ')
+
+ ########################################
+@@ -6286,8 +7692,8 @@ interface(`files_delete_all_pids',`
+ type var_t, var_run_t;
+ ')
+
++ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+@@ -6311,36 +7717,80 @@ interface(`files_delete_all_pid_dirs',`
+ type var_t, var_run_t;
+ ')
+
++ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write and delete all
+-## var_run (pid) content
++## Make the specified type a file
++## used for spool files.
++## </summary>
++## <desc>
++## <p>
++## Make the specified type usable for spool files.
++## This will also make the type usable for files, making
++## calls to files_type() redundant. Failure to use this interface
++## for a spool file may result in problems with
++## purging spool files.
++## </p>
++## <p>
++## Related interfaces:
++## </p>
++## <ul>
++## <li>files_spool_filetrans()</li>
++## </ul>
++## <p>
++## Example usage with a domain that can create and
++## write its spool file in the system spool file
++## directories (/var/spool):
++## </p>
++## <p>
++## type myspoolfile_t;
++## files_spool_file(myfile_spool_t)
++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++## </p>
++## </desc>
++## <param name="file_type">
++## <summary>
++## Type of the file to be used as a
++## spool file.
++## </summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`files_spool_file',`
++ gen_require(`
++ attribute spoolfile;
++ ')
+
-+ fs_mount_tmpfs($1)
-+ fs_unmount_tmpfs($1)
++ files_type($1)
++ typeattribute $1 spoolfile;
++')
+
-+ ifdef(`distro_redhat',`
-+ # namespace.init
-+ files_search_tmp($1)
-+ files_search_home($1)
-+ corecmd_exec_bin($1)
-+ seutil_domtrans_setfiles($1)
-+ ')
++########################################
++## <summary>
++## Create all spool sockets
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain alloed access.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
++interface(`files_create_all_spool_sockets',`
+ gen_require(`
+- attribute pidfile;
++ attribute spoolfile;
+ ')
+
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
++ allow $1 spoolfile:sock_file create_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Mount filesystems on all polyinstantiation
+-## member directories.
++## Delete all spool sockets
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6348,12 +7798,33 @@ interface(`files_manage_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_spool_sockets',`
+ gen_require(`
+- attribute polymember;
++ attribute spoolfile;
+ ')
+
+- allow $1 polymember:dir mounton;
++ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
-+## Unconfined access to files.
++## Relabel to and from all spool
++## directory types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`files_unconfined',`
++interface(`files_relabel_all_spool_dirs',`
+ gen_require(`
-+ attribute files_unconfined_type;
++ attribute spoolfile;
++ type var_t;
+ ')
+
-+ typeattribute $1 files_unconfined_type;
-+')
++ relabel_dirs_pattern($1, spoolfile, spoolfile)
+ ')
+
+ ########################################
+@@ -6580,3 +8051,514 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
+
+########################################
+## <summary>
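Review bot: files_relabel_all_spool_dirs lists `type var_t;` in its gen_require block, but the only rule in the body is `relabel_dirs_pattern($1, spoolfile, spoolfile)`, so the requirement is unused. Either drop the `type var_t;` line, or, if callers are meant to reach the spool directories through /var, add `allow $1 var_t:dir search_dir_perms;` as files_delete_all_pid_dirs does earlier in this hunk. As written, the interface implies a dependency on var_t that it never uses.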
@@ -13084,7 +12720,7 @@ index f962f76..68d8f79 100644
+ ')
+
+ allow $1 etc_t:service status;
- ')
++')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..dfcd2ad 100644
--- a/policy/modules/kernel/files.te
@@ -19278,11 +18914,11 @@ index 0000000..0e8654b
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
-index 0000000..cf6582f
+index 0000000..b1163a6
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,613 @@
-+## <summary>Unconfiend user role</summary>
+@@ -0,0 +1,637 @@
++## <summary>Unconfined user role</summary>
+
+########################################
+## <summary>
@@ -19895,6 +19531,30 @@ index 0000000..cf6582f
+ allow $1 self:tun_socket relabelto;
+')
+
++########################################
++## <summary>
++## Allow domain to transition to unconfined_t user
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="entrypoint">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_transition',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ domtrans_pattern($1,$2,unconfined_t)
++ allow unconfined_t $2:file entrypoint;
++ allow $1 unconfined_t:process signal_perms;
++')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
index 0000000..dbb8afa
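Review bot: The `entrypoint` parameter of unconfined_transition is documented with the same text as `domain` (`Domain allowed access.`), although the body uses `$2` as a file type in `allow unconfined_t $2:file entrypoint;`. The summary should say what it is, for example `## Type of the file used as an entry point to unconfined_t.` Because `domtrans_pattern` sets up an automatic transition, every file of that type executed by the calling domain runs as unconfined_t. The header should therefore also say that the type passed must not be one that less-trusted domains can write or relabel to.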
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 2af1904..589f30d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -23192,20 +23192,28 @@ index 0000000..3061ae5
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..fa972c0
+index 0000000..236e417
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,218 @@
+policy_module(docker, 1.0.0)
+
+########################################
+#
+# Declarations
+#
++## <desc>
++## <p>
++## Allow docker to transition to unconfined conateiners
++## </p>
++## </desc>
++gen_tunable(docker_transition_unconfined, false)
+
+type docker_t;
+type docker_exec_t;
+init_daemon_domain(docker_t, docker_exec_t)
++domain_subj_id_change_exemption(docker_t)
++domain_role_change_exemption(docker_t)
+
+type docker_var_lib_t;
+files_type(docker_var_lib_t)
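Review bot: The description of the new `docker_transition_unconfined` tunable misspells "containers" (`conateiners`); it should read `## Allow docker to transition to unconfined containers`. The description would also be more useful if it stated the consequence, namely that processes started by docker can leave SELinux confinement when the boolean is on. `domain_subj_id_change_exemption(docker_t)` and `domain_role_change_exemption(docker_t)` are added without a comment. A one-line note saying which transition needs the user and role change exemptions would let a later reviewer judge whether they are still required.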
@@ -23235,10 +23243,12 @@ index 0000000..fa972c0
+#
+# docker local policy
+#
-+allow docker_t self:capability { chown fowner fsetid mknod net_admin };
++allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service };
+allow docker_t self:process { getattr signal_perms };
+allow docker_t self:fifo_file rw_fifo_file_perms;
+allow docker_t self:unix_stream_socket create_stream_socket_perms;
++allow docker_t self:tcp_socket create_stream_socket_perms;
++allow docker_t self:udp_socket create_socket_perms;
+allow docker_t self:capability2 block_suspend;
+
+manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
@@ -23287,7 +23297,16 @@ index 0000000..fa972c0
+corecmd_exec_shell(docker_t)
+
+corenet_tcp_bind_generic_node(docker_t)
++corenet_tcp_sendrecv_generic_if(docker_t)
++corenet_tcp_sendrecv_generic_node(docker_t)
++corenet_tcp_sendrecv_generic_port(docker_t)
++corenet_tcp_bind_all_ports(docker_t)
+corenet_tcp_connect_http_port(docker_t)
++corenet_udp_sendrecv_generic_if(docker_t)
++corenet_udp_sendrecv_generic_node(docker_t)
++corenet_udp_sendrecv_all_ports(docker_t)
++corenet_udp_bind_generic_node(docker_t)
++corenet_udp_bind_all_ports(docker_t)
+
+files_read_etc_files(docker_t)
+
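Review bot: `corenet_tcp_bind_all_ports(docker_t)` and `corenet_udp_bind_all_ports(docker_t)` let the daemon bind every port type, reserved ones included, and the previous hunk adds the `net_bind_service` capability to match. Nothing in the policy records why access this wide is needed. If the reason is publishing container ports on arbitrary host ports (my reading of the changelog entry "Allow docker to use the network and build images"), say so in a comment above the block, e.g. `# docker publishes container ports on any host port`. Without that, the existing `corenet_tcp_connect_http_port(docker_t)` line suggests a much narrower network profile than the policy now grants.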
@@ -23306,6 +23325,8 @@ index 0000000..fa972c0
+
+mount_domtrans(docker_t)
+
++seutil_read_default_contexts(docker_t)
++
+sysnet_dns_name_resolve(docker_t)
+sysnet_exec_ifconfig(docker_t)
+
@@ -23345,17 +23366,21 @@ index 0000000..fa972c0
+dev_rw_loop_control(docker_t)
+dev_rw_lvm_control(docker_t)
+
++files_getattr_isid_type_dirs(docker_t)
+files_manage_isid_type_dirs(docker_t)
+files_manage_isid_type_files(docker_t)
+files_manage_isid_type_symlinks(docker_t)
+files_manage_isid_type_chr_files(docker_t)
++files_manage_isid_type_blk_files(docker_t)
+files_exec_isid_files(docker_t)
+files_mounton_isid(docker_t)
+files_mounton_non_security(docker_t)
++files_mounton_isid_type_chr_file(docker_t)
+
+fs_mount_all_fs(docker_t)
+fs_unmount_all_fs(docker_t)
+fs_remount_all_fs(docker_t)
++files_mounton_isid(docker_t)
+fs_manage_cgroup_dirs(docker_t)
+fs_manage_cgroup_files(docker_t)
+fs_relabelfrom_xattr_fs(docker_t)
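Review bot: The `files_mounton_isid(docker_t)` added after `fs_remount_all_fs(docker_t)` repeats the call already present a few lines up, directly after `files_exec_isid_files(docker_t)`. The second copy grants nothing new and sits among the fs_ calls, so the added line can be dropped. The new `files_getattr_isid_type_dirs(docker_t)` looks redundant as well if `files_manage_isid_type_dirs` already covers getattr, which its name suggests but this hunk does not show.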
@@ -23384,6 +23409,11 @@ index 0000000..fa972c0
+ virt_transition_svirt_sandbox(docker_t, system_r)
+ virt_mounton_sandbox_file(docker_t)
+')
++
++tunable_policy(`docker_transition_unconfined',`
++ unconfined_transition(docker_t, docker_share_t)
++ unconfined_transition(docker_t, docker_var_lib_t)
++')
diff --git a/dovecot.fc b/dovecot.fc
index c880070..4448055 100644
--- a/dovecot.fc
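Review bot: `unconfined_transition` is defined in the unconfineduser module, and this block calls it without `optional_policy`, so docker.te would presumably fail to build or load on a system where that module has been removed. Wrapping the `tunable_policy` block in an `optional_policy` block keeps the dependency soft. The entrypoint types passed are `docker_share_t` and `docker_var_lib_t`, which look like the labels on docker's own data and image content rather than on dedicated executables. With the boolean on, any file carrying those labels that docker_t executes runs as unconfined_t. A comment stating that consequence, e.g. `# any docker_var_lib_t/docker_share_t file run by docker becomes unconfined_t`, would help administrators decide whether to enable it.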
@@ -42195,7 +42225,7 @@ index b1ac8b5..9b22bea 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
-index d15eb5b..66a422b 100644
+index d15eb5b..6af07aa 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@@ -42208,9 +42238,12 @@ index d15eb5b..66a422b 100644
########################################
#
# Local policy
-@@ -25,14 +28,14 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -24,15 +27,17 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+
kernel_read_system_state(modemmanager_t)
++corecmd_exec_bin(modemmanager_t)
++
dev_read_sysfs(modemmanager_t)
+dev_read_urand(modemmanager_t)
dev_rw_modem(modemmanager_t)
@@ -42666,10 +42699,10 @@ index 0000000..b694afc
+')
+
diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..cb1e8b0 100644
+index 6ffaba2..7995fce 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -1,38 +1,67 @@
+@@ -1,38 +1,68 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -42762,6 +42795,7 @@ index 6ffaba2..cb1e8b0 100644
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
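Review bot: The added entry labels /usr/lib/firefox/plugin-container as `mozilla_exec_t`, while the changelog for this commit says "Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container". The xulrunner plugin-container entry two lines below also uses `mozilla_plugin_exec_t`. With the browser's label, the plugin container would presumably start in the browser's domain rather than the plugin domain. The line should likely be `/usr/lib/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)`.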
@@ -81260,7 +81294,7 @@ index 50d07fb..bada62f 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..a96f064 100644
+index 2b7c441..d06a165 100644
--- a/samba.te
+++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -81898,7 +81932,7 @@ index 2b7c441..a96f064 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -548,52 +565,41 @@ kernel_read_network_state(nmbd_t)
+@@ -548,52 +565,42 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -81961,10 +81995,11 @@ index 2b7c441..a96f064 100644
+optional_policy(`
+ ctdbd_stream_connect(nmbd_t)
+ ctdbd_manage_var_files(nmbd_t)
++ ctdbd_manage_lib_files(nmbd_t)
')
optional_policy(`
-@@ -606,16 +612,22 @@ optional_policy(`
+@@ -606,16 +613,22 @@ optional_policy(`
########################################
#
@@ -81991,7 +82026,7 @@ index 2b7c441..a96f064 100644
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
-@@ -627,16 +639,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +640,11 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -82009,7 +82044,7 @@ index 2b7c441..a96f064 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +651,23 @@ optional_policy(`
+@@ -644,22 +652,23 @@ optional_policy(`
########################################
#
@@ -82041,7 +82076,7 @@ index 2b7c441..a96f064 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +676,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +677,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -82077,7 +82112,7 @@ index 2b7c441..a96f064 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -699,58 +703,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +704,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -82169,7 +82204,7 @@ index 2b7c441..a96f064 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +782,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +783,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -82193,7 +82228,7 @@ index 2b7c441..a96f064 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -777,36 +796,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +797,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -82236,7 +82271,7 @@ index 2b7c441..a96f064 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -818,10 +826,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +827,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -82250,7 +82285,7 @@ index 2b7c441..a96f064 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -840,17 +849,20 @@ optional_policy(`
+@@ -840,17 +850,20 @@ optional_policy(`
# Winbind local policy
#
@@ -82276,7 +82311,7 @@ index 2b7c441..a96f064 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +872,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +873,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -82287,7 +82322,7 @@ index 2b7c441..a96f064 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +883,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +884,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -82317,7 +82352,7 @@ index 2b7c441..a96f064 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -898,13 +906,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +907,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -82338,7 +82373,7 @@ index 2b7c441..a96f064 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,10 +924,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,10 +925,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -82349,7 +82384,7 @@ index 2b7c441..a96f064 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -924,26 +932,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +933,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -82391,7 +82426,7 @@ index 2b7c441..a96f064 100644
')
optional_policy(`
-@@ -959,31 +980,29 @@ optional_policy(`
+@@ -959,31 +981,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -82429,7 +82464,7 @@ index 2b7c441..a96f064 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1016,38 @@ optional_policy(`
+@@ -997,25 +1017,38 @@ optional_policy(`
########################################
#
@@ -96104,7 +96139,7 @@ index a4f20bc..6351bcb 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..fc7901b 100644
+index facdee8..15562ad 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -97721,7 +97756,7 @@ index facdee8..fc7901b 100644
+ attribute svirt_sandbox_domain;
+ ')
+
-+ allow $1 svirt_sandbox_domain:process transition;
++ allow $1 svirt_sandbox_domain:process { transition signal_perms };
+ role $2 types svirt_sandbox_domain;
+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
+
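Review bot: `signal_perms` is now granted to every caller of this interface, which (judging by the `virt_transition_svirt_sandbox(docker_t, system_r)` call in docker.te) is named for a transition only. The interface header is outside this hunk, so I cannot see its summary. If it still describes only the transition, update it, e.g. `## Allow domain to transition to svirt_sandbox domains and send them signals.` Callers that only need the transition would then know they are also receiving signal access.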
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 68d432b..38141db 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 16%{?dist}
+Release: 17%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -578,6 +578,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jan 23 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-17
+- init calling needs to be optional in domain.te
+- Allow docker and mount on devpts chr_file
+- Allow docker to transition to unconfined_t if boolean set
+- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
+- Fix type in docker.te
+- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container
+- Allow docker to use the network and build images
+- Allow docker to read selinux files for labeling, and mount on devpts chr_file
+- Allow domains that transition to svirt_sandbox to send it signals
+- Allow docker to transition to unconfined_t if boolean set
+
* Wed Jan 22 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-16
- New access needed to allow docker + lxc +SELinux to work together
- Allow apache to write to the owncloud data directory in /var/www/html...