[selinux-policy] - Add haproxy_connect_any boolean - Allow haproxy also to use http cache port by default - Fix /usr/
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jan 24 16:52:39 UTC 2014
commit f8d85476fd3018bd87c353247f72564e4c00c31b
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jan 24 17:52:42 2014 +0100
- Add haproxy_connect_any boolean
- Allow haproxy also to use http cache port by default
- Fix /usr/lib/firefox/plugin-container decl
- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Fix bs_filetrans_named_content() to have support for /usr/lib/debug directory
- Adding a new service script to enable setcheckreqprot
- Add interface to getattr on an isid_type for any type of file
- Allow initrc_t domtrans to authconfig if unconfined is enabled
type in docker.te
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container
policy-rawhide-base.patch | 1250 ++++++++++++++++++++++++++++--------------
policy-rawhide-contrib.patch | 63 ++-
selinux-policy.spec | 16 +-
3 files changed, 887 insertions(+), 442 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 862c780..2d6e729 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -9424,7 +9424,7 @@ index b876c48..27f60c6 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..1a11674 100644
+index f962f76..fa8cdcb 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10434,7 +10434,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3142,10 +3678,29 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3678,48 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
@@ -10447,7 +10447,7 @@ index f962f76..1a11674 100644
+
+########################################
+## <summary>
-+## Setattr of directories on new filesystems
++## Getattr all file opbjects on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
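Review bot: The new summary line `+## Getattr all file opbjects on new filesystems` misspells "objects", and this text is what the refpolicy documentation generator emits for the interface, so it should read `## Getattr all file objects on new filesystems`. Since the sibling interfaces around it are named `_dirs`, it would also help to state the class breadth here, e.g. `## Covers directories and every file class (dir_file_class_set), not only directories.` The interface body this summary documents starts in the next hunk.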
@@ -10456,17 +10456,36 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_setattr_isid_type_dirs',`
++interface(`files_getattr_isid_type',`
+ gen_require(`
+ type unlabeled_t;
')
- allow $1 file_t:dir getattr;
++ allow $1 unlabeled_t:dir_file_class_set getattr;
++')
++
++########################################
++## <summary>
++## Setattr of directories on new filesystems
++## that have not yet been labeled.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_setattr_isid_type_dirs',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
+ allow $1 unlabeled_t:dir setattr;
')
########################################
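Review bot: The new `files_getattr_isid_type` grants `allow $1 unlabeled_t:dir_file_class_set getattr;`, which in refpolicy's standard permission sets covers directories plus every file class (regular files, symlinks, fifos, sockets, block and character nodes), yet neither the interface name nor its summary says so; the neighbouring `files_getattr_isid_type_dirs` and `files_setattr_isid_type_dirs` are dir-only, so a caller reading the name could assume the same scope. Getattr only exposes metadata, so the grant itself is defensible, but because unlabeled_t is by definition content the policy cannot vouch for, the breadth should be explicit: add a comment line above the allow rule such as `# dir_file_class_set: dirs and all file classes, metadata only; prefer files_getattr_isid_type_dirs when dir getattr suffices`. The `files_setattr_isid_type_dirs` block at the end of this hunk is the pre-existing interface moved below the new one, not a new grant.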
-@@ -3161,10 +3716,10 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3161,10 +3735,10 @@ interface(`files_getattr_isid_type_dirs',`
#
interface(`files_dontaudit_search_isid_type_dirs',`
gen_require(`
@@ -10479,7 +10498,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3180,10 +3735,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3180,10 +3754,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
#
interface(`files_list_isid_type_dirs',`
gen_require(`
@@ -10492,7 +10511,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3199,10 +3754,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3773,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -10505,7 +10524,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3218,10 +3773,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3792,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -10574,7 +10593,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3237,10 +3848,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +3867,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -10587,7 +10606,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3256,10 +3867,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +3886,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -10619,7 +10638,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3275,10 +3905,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +3924,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -10632,7 +10651,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3294,10 +3924,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +3943,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -10645,7 +10664,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3313,10 +3943,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +3962,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -10658,7 +10677,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3332,10 +3962,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +3981,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -10671,7 +10690,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3351,10 +3981,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4000,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -10684,7 +10703,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3370,10 +4000,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4019,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -10697,7 +10716,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3389,10 +4019,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4038,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -10710,7 +10729,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3408,10 +4038,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4057,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -10723,7 +10742,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3427,10 +4057,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4076,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -10736,7 +10755,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3446,10 +4076,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4095,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -10749,7 +10768,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3465,10 +4095,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4114,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -10781,7 +10800,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3484,10 +4133,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4152,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -10794,7 +10813,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3503,10 +4152,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4171,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -10807,7 +10826,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -3814,20 +4463,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4482,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -10851,7 +10870,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -4217,6 +4884,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +4903,172 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -11024,7 +11043,7 @@ index f962f76..1a11674 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -4239,6 +5072,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5091,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@@ -11051,7 +11070,7 @@ index f962f76..1a11674 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4252,17 +5105,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5124,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -11090,7 +11109,7 @@ index f962f76..1a11674 100644
## </summary>
## </param>
#
-@@ -4289,6 +5162,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5181,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -11098,7 +11117,7 @@ index f962f76..1a11674 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5199,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5218,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -11106,7 +11125,7 @@ index f962f76..1a11674 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5209,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5228,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -11115,7 +11134,7 @@ index f962f76..1a11674 100644
## </summary>
## </param>
#
-@@ -4346,6 +5221,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5240,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -11141,7 +11160,7 @@ index f962f76..1a11674 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4361,6 +5255,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5274,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -11149,12 +11168,13 @@ index f962f76..1a11674 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5297,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,25 +5316,33 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
+-## Manage temporary files and directories in /tmp.
+## Allow shared library text relocations in tmp files.
-+## </summary>
+ ## </summary>
+## <desc>
+## <p>
+## Allow shared library text relocations in tmp files.
@@ -11163,76 +11183,48 @@ index f962f76..1a11674 100644
+## This is added to support java policy.
+## </p>
+## </desc>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_execmod_tmp',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:file execmod;
-+')
-+
-+########################################
-+## <summary>
- ## Manage temporary files and directories in /tmp.
- ## </summary>
- ## <param name="domain">
-@@ -4456,7 +5377,7 @@ interface(`files_rw_generic_tmp_sockets',`
-
- ########################################
- ## <summary>
--## Set the attributes of all tmp directories.
-+## Relabel a dir from the type used in /tmp.
- ## </summary>
## <param name="domain">
## <summary>
-@@ -4464,17 +5385,17 @@ interface(`files_rw_generic_tmp_sockets',`
+ ## Domain allowed access.
## </summary>
## </param>
#
--interface(`files_setattr_all_tmp_dirs',`
-+interface(`files_relabelfrom_tmp_dirs',`
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_execmod_tmp',`
gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+- type tmp_t;
++ attribute tmpfile;
')
-- allow $1 tmpfile:dir { search_dir_perms setattr };
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+- manage_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmpfile:file execmod;
')
########################################
## <summary>
--## List all tmp directories.
-+## Relabel a file from the type used in /tmp.
+-## Read symbolic links in the tmp directory (/tmp).
++## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
## <summary>
-@@ -4482,18 +5403,108 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4428,17 +5350,35 @@ interface(`files_manage_generic_tmp_files',`
## </summary>
## </param>
#
--interface(`files_list_all_tmp',`
-+interface(`files_relabelfrom_tmp_files',`
+-interface(`files_read_generic_tmp_symlinks',`
++interface(`files_manage_generic_tmp_files',`
gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+ type tmp_t;
')
-- allow $1 tmpfile:dir list_dir_perms;
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
+- read_lnk_files_pattern($1, tmp_t, tmp_t)
++ manage_files_pattern($1, tmp_t, tmp_t)
')
########################################
## <summary>
--## Relabel to and from all temporary
--## directory types.
-+## Set the attributes of all tmp directories.
+-## Read and write generic named sockets in the tmp directory (/tmp).
++## Read symbolic links in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
@@ -11240,17 +11232,25 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_setattr_all_tmp_dirs',`
++interface(`files_read_generic_tmp_symlinks',`
+ gen_require(`
-+ attribute tmpfile;
++ type tmp_t;
+ ')
+
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
-+## Allow caller to read inherited tmp files.
++## Read and write generic named sockets in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4456,6 +5396,42 @@ interface(`files_rw_generic_tmp_sockets',`
+
+ ########################################
+ ## <summary>
++## Relabel a dir from the type used in /tmp.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -11258,17 +11258,17 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_read_inherited_tmp_files',`
++interface(`files_relabelfrom_tmp_dirs',`
+ gen_require(`
-+ attribute tmpfile;
++ type tmp_t;
+ ')
+
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
-+## Allow caller to append inherited tmp files.
++## Relabel a file from the type used in /tmp.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -11276,17 +11276,42 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_relabelfrom_tmp_files',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++## <summary>
+ ## Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -4474,6 +5450,60 @@ interface(`files_setattr_all_tmp_dirs',`
+
+ ########################################
+ ## <summary>
++## Allow caller to read inherited tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_inherited_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:file append_inherited_file_perms;
++ allow $1 tmpfile:file { append read_inherited_file_perms };
+')
+
+########################################
+## <summary>
-+## Allow caller to read and write inherited tmp files.
++## Allow caller to append inherited tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -11294,17 +11319,17 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_append_inherited_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:file rw_inherited_file_perms;
++ allow $1 tmpfile:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
-+## List all tmp directories.
++## Allow caller to read and write inherited tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -11312,22 +11337,20 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_list_all_tmp',`
++interface(`files_rw_inherited_tmp_file',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:dir list_dir_perms;
++ allow $1 tmpfile:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
-+## Relabel to and from all temporary
-+## directory types.
+ ## List all tmp directories.
## </summary>
## <param name="domain">
- ## <summary>
-@@ -4519,7 +5530,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5549,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -11336,7 +11359,7 @@ index f962f76..1a11674 100644
## </summary>
## </param>
#
-@@ -4579,7 +5590,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5609,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -11345,7 +11368,7 @@ index f962f76..1a11674 100644
## </summary>
## </param>
#
-@@ -4611,6 +5622,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5641,44 @@ interface(`files_read_all_tmp_files',`
########################################
## <summary>
@@ -11390,7 +11413,7 @@ index f962f76..1a11674 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
## </summary>
-@@ -4664,6 +5713,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5732,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11407,7 +11430,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -5241,6 +6300,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6319,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -11432,7 +11455,7 @@ index f962f76..1a11674 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5527,6 +6604,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6623,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
## <summary>
@@ -11458,7 +11481,7 @@ index f962f76..1a11674 100644
## Create objects in the /var/lib directory
## </summary>
## <param name="domain">
-@@ -5596,6 +6692,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6711,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11484,7 +11507,7 @@ index f962f76..1a11674 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6756,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6775,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -11493,7 +11516,7 @@ index f962f76..1a11674 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5649,12 +6764,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6783,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -11509,7 +11532,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -5672,6 +6788,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6807,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11517,7 +11540,7 @@ index f962f76..1a11674 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6815,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6834,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -11545,7 +11568,7 @@ index f962f76..1a11674 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5706,13 +6842,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6861,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -11562,7 +11585,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -5731,7 +6866,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6885,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11571,7 +11594,7 @@ index f962f76..1a11674 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +6899,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6918,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -11579,7 +11602,7 @@ index f962f76..1a11674 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +6913,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6932,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
## <summary>
@@ -11588,7 +11611,7 @@ index f962f76..1a11674 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5787,13 +6921,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6940,33 @@ interface(`files_relabel_all_lock_dirs',`
## </summary>
## </param>
#
@@ -11623,7 +11646,7 @@ index f962f76..1a11674 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +6963,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +6982,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -11641,7 +11664,7 @@ index f962f76..1a11674 100644
')
########################################
-@@ -5834,9 +6987,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7006,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11652,7 +11675,7 @@ index f962f76..1a11674 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7029,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7048,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11662,7 +11685,7 @@ index f962f76..1a11674 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7051,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7070,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11672,7 +11695,7 @@ index f962f76..1a11674 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7088,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7107,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11682,7 +11705,7 @@ index f962f76..1a11674 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7127,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7146,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11691,7 +11714,7 @@ index f962f76..1a11674 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7147,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7166,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11740,7 +11763,7 @@ index f962f76..1a11674 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -6025,27 +7211,27 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,12 +7230,31 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -11753,64 +11776,47 @@ index f962f76..1a11674 100644
## <summary>
-## Domain allowed access.
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_list_pids',`
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_search_all_pids',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
++ ')
++
+ dontaudit $1 pidfile:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Read generic process ID files.
++')
++
++########################################
++## <summary>
+## List the contents of the runtime process
+## ID directories (/var/run).
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6053,12 +7239,31 @@ interface(`files_list_pids',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
## </summary>
## </param>
#
--interface(`files_read_generic_pids',`
-+interface(`files_list_pids',`
- gen_require(`
+@@ -6039,7 +7263,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read generic process ID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_read_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
+ list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+@@ -6058,7 +7282,7 @@ interface(`files_read_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7283,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7302,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11819,7 +11825,7 @@ index f962f76..1a11674 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7345,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7364,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11827,7 +11833,7 @@ index f962f76..1a11674 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7373,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7392,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
## <summary>
@@ -11852,7 +11858,7 @@ index f962f76..1a11674 100644
## Read and write generic process ID files.
## </summary>
## <param name="domain">
-@@ -6182,7 +7404,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7423,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -11861,29 +11867,497 @@ index f962f76..1a11674 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,6 +7471,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7490,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+
+ ########################################
+ ## <summary>
+-## Read all process ID files.
++## Relable all pid directories
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_read_all_pids',`
++interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
++ relabel_dirs_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process IDs.
++## Delete all pid sockets
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
++interface(`files_delete_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ allow $1 pidfile:sock_file delete_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process ID directories.
++## Create all pid sockets
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6305,42 +7534,35 @@ interface(`files_delete_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
++interface(`files_create_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:sock_file create_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write and delete all
+-## var_run (pid) content
++## Create all pid named pipes
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain alloed access.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
++interface(`files_create_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:fifo_file create_fifo_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Mount filesystems on all polyinstantiation
+-## member directories.
++## Delete all pid named pipes
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6348,18 +7570,18 @@ interface(`files_manage_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_pid_pipes',`
+ gen_require(`
+- attribute polymember;
++ attribute pidfile;
+ ')
+
+- allow $1 polymember:dir mounton;
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the contents of generic spool
+-## directories (/var/spool).
++## manage all pidfile directories
++## in the /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6367,37 +7589,40 @@ interface(`files_mounton_all_poly_members',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
++interface(`files_manage_all_pid_dirs',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
++ manage_dirs_pattern($1,pidfile,pidfile)
+ ')
+
++
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search generic
+-## spool directories.
++## Read all process ID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_dontaudit_search_spool',`
++interface(`files_read_all_pids',`
+ gen_require(`
+- type var_spool_t;
++ attribute pidfile;
++ type var_t;
+ ')
+
+- dontaudit $1 var_spool_t:dir search_dir_perms;
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of generic spool
+-## (/var/spool) directories.
++## Relable all pid files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6405,18 +7630,17 @@ interface(`files_dontaudit_search_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
++interface(`files_relabel_all_pid_files',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
++ relabel_files_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
++## Execute generic programs in /var/run in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6424,18 +7648,18 @@ interface(`files_list_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
++interface(`files_exec_generic_pid_files',`
+ gen_require(`
+- type var_t, var_spool_t;
++ type var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ exec_files_pattern($1, var_run_t, var_run_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic spool files.
++## manage all pidfiles
++## in the /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6443,19 +7667,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
++interface(`files_manage_all_pids',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
++ manage_files_pattern($1,pidfile,pidfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool files.
++## Mount filesystems on all polyinstantiation
++## member directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6463,55 +7686,130 @@ interface(`files_read_generic_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool',`
++interface(`files_mounton_all_poly_members',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute polymember;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
++ allow $1 polymember:dir mounton;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in the spool directory
+-## with a private type with a type transition.
++## Delete all process IDs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file">
++## <rolecap/>
++#
++interface(`files_delete_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++## <summary>
++## Delete all process ID directories.
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## Type to which the created node will be transitioned.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="class">
++#
++interface(`files_delete_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++## Make the specified type a file
++## used for spool files.
++## </summary>
++## <desc>
++## <p>
++## Make the specified type usable for spool files.
++## This will also make the type usable for files, making
++## calls to files_type() redundant. Failure to use this interface
++## for a spool file may result in problems with
++## purging spool files.
++## </p>
++## <p>
++## Related interfaces:
++## </p>
++## <ul>
++## <li>files_spool_filetrans()</li>
++## </ul>
++## <p>
++## Example usage with a domain that can create and
++## write its spool file in the system spool file
++## directories (/var/spool):
++## </p>
++## <p>
++## type myspoolfile_t;
++## files_spool_file(myfile_spool_t)
++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++## </p>
++## </desc>
++## <param name="file_type">
+ ## <summary>
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
++## Type of the file to be used as a
++## spool file.
+ ## </summary>
+ ## </param>
+-## <param name="name" optional="true">
++## <infoflow type="none"/>
++#
++interface(`files_spool_file',`
++ gen_require(`
++ attribute spoolfile;
++ ')
++
++ files_type($1)
++ typeattribute $1 spoolfile;
++')
++
++########################################
++## <summary>
++## Create all spool sockets
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## The name of the object being created.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_spool_filetrans',`
++interface(`files_create_all_spool_sockets',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute spoolfile;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ allow $1 spoolfile:sock_file create_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
++## Delete all spool sockets
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6519,64 +7817,767 @@ interface(`files_spool_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_polyinstantiate_all',`
++interface(`files_delete_all_spool_sockets',`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
++ attribute spoolfile;
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+-
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+- ')
++ allow $1 spoolfile:sock_file delete_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Unconfined access to files.
++## Relabel to and from all spool
++## directory types.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_unconfined',`
++interface(`files_relabel_all_spool_dirs',`
+ gen_require(`
+- attribute files_unconfined_type;
++ attribute spoolfile;
++ type var_t;
+ ')
- ########################################
- ## <summary>
-+## Relable all pid directories
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_relabel_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ relabel_dirs_pattern($1, pidfile, pidfile)
+- typeattribute $1 files_unconfined_type;
++ relabel_dirs_pattern($1, spoolfile, spoolfile)
+')
+
+########################################
+## <summary>
-+## Delete all pid sockets
++## Search the contents of generic spool
++## directories (/var/spool).
+## </summary>
+## <param name="domain">
+## <summary>
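Review bot: The summaries of `files_relabel_all_pid_dirs` and `files_relabel_all_pid_files` still read "Relable" on the new side; since the commit relocates both interfaces anyway, this is the moment to correct them to `## Relabel all pid directories` and `## Relabel all pid files`. In the same hunk `manage_dirs_pattern($1,pidfile,pidfile)` in files_manage_all_pid_dirs and `manage_files_pattern($1,pidfile,pidfile)` in files_manage_all_pids lack the space after each comma that every other pattern call in this file uses. The new side of files_delete_all_pids now calls `files_search_pids($1)` and keeps `allow $1 var_t:dir search_dir_perms;` on the following line; if files_search_pids already grants the var_t directory search (as its name suggests), the explicit allow is redundant and could be dropped, as could the matching line in files_delete_all_pid_dirs.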
@@ -11891,35 +12365,37 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_delete_all_pid_sockets',`
++interface(`files_search_spool',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t, var_spool_t;
+ ')
+
-+ allow $1 pidfile:sock_file delete_sock_file_perms;
++ search_dirs_pattern($1, var_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Create all pid sockets
++## Do not audit attempts to search generic
++## spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`files_create_all_pid_sockets',`
++interface(`files_dontaudit_search_spool',`
+ gen_require(`
-+ attribute pidfile;
++ type var_spool_t;
+ ')
+
-+ allow $1 pidfile:sock_file create_sock_file_perms;
++ dontaudit $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
-+## Create all pid named pipes
++## List the contents of generic spool
++## (/var/spool) directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -11927,17 +12403,18 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_create_all_pid_pipes',`
++interface(`files_list_spool',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t, var_spool_t;
+ ')
+
-+ allow $1 pidfile:fifo_file create_fifo_file_perms;
++ list_dirs_pattern($1, var_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Delete all pid named pipes
++## Create, read, write, and delete generic
++## spool directories (/var/spool).
+## </summary>
+## <param name="domain">
+## <summary>
@@ -11945,18 +12422,18 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_delete_all_pid_pipes',`
++interface(`files_manage_generic_spool_dirs',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t, var_spool_t;
+ ')
+
-+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
++ allow $1 var_t:dir search_dir_perms;
++ manage_dirs_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## manage all pidfile directories
-+## in the /var/run directory.
++## Read generic spool files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -11964,37 +12441,19 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_manage_all_pid_dirs',`
++interface(`files_read_generic_spool',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t, var_spool_t;
+ ')
+
-+ manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
-+
-+########################################
-+## <summary>
- ## Read all process ID files.
- ## </summary>
- ## <param name="domain">
-@@ -6261,12 +7593,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
- interface(`files_read_all_pids',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
-+ type var_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, pidfile)
- read_files_pattern($1, pidfile, pidfile)
-+ read_lnk_files_pattern($1, pidfile, pidfile)
++ list_dirs_pattern($1, var_t, var_spool_t)
++ read_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Relable all pid files
++## Create, read, write, and delete generic
++## spool files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -12002,55 +12461,55 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_relabel_all_pid_files',`
++interface(`files_manage_generic_spool',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t, var_spool_t;
+ ')
+
-+ relabel_files_pattern($1, pidfile, pidfile)
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Execute generic programs in /var/run in the caller domain.
++## Create objects in the spool directory
++## with a private type with a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+#
-+interface(`files_exec_generic_pid_files',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## manage all pidfiles
-+## in the /var/run directory.
-+## </summary>
-+## <param name="domain">
++## <param name="file">
+## <summary>
-+## Domain allowed access.
++## Type to which the created node will be transitioned.
++## </summary>
++## </param>
++## <param name="class">
++## <summary>
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
+## </summary>
+## </param>
+#
-+interface(`files_manage_all_pids',`
++interface(`files_spool_filetrans',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t, var_spool_t;
+ ')
+
-+ manage_files_pattern($1,pidfile,pidfile)
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_spool_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
-+## Mount filesystems on all polyinstantiation
-+## member directories.
++## Allow access to manage all polyinstantiated
++## directories on the system.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -12058,158 +12517,67 @@ index f962f76..1a11674 100644
+## </summary>
+## </param>
+#
-+interface(`files_mounton_all_poly_members',`
++interface(`files_polyinstantiate_all',`
+ gen_require(`
-+ attribute polymember;
++ attribute polydir, polymember, polyparent;
++ type poly_t;
+ ')
+
-+ allow $1 polymember:dir mounton;
- ')
-
- ########################################
-@@ -6286,8 +7692,8 @@ interface(`files_delete_all_pids',`
- type var_t, var_run_t;
- ')
-
-+ files_search_pids($1)
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- allow $1 var_run_t:dir rmdir;
- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
- delete_files_pattern($1, pidfile, pidfile)
-@@ -6311,36 +7717,80 @@ interface(`files_delete_all_pid_dirs',`
- type var_t, var_run_t;
- ')
-
-+ files_search_pids($1)
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- delete_dirs_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ## <summary>
--## Create, read, write and delete all
--## var_run (pid) content
-+## Make the specified type a file
-+## used for spool files.
-+## </summary>
-+## <desc>
-+## <p>
-+## Make the specified type usable for spool files.
-+## This will also make the type usable for files, making
-+## calls to files_type() redundant. Failure to use this interface
-+## for a spool file may result in problems with
-+## purging spool files.
-+## </p>
-+## <p>
-+## Related interfaces:
-+## </p>
-+## <ul>
-+## <li>files_spool_filetrans()</li>
-+## </ul>
-+## <p>
-+## Example usage with a domain that can create and
-+## write its spool file in the system spool file
-+## directories (/var/spool):
-+## </p>
-+## <p>
-+## type myspoolfile_t;
-+## files_spool_file(myfile_spool_t)
-+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+## </p>
-+## </desc>
-+## <param name="file_type">
-+## <summary>
-+## Type of the file to be used as a
-+## spool file.
-+## </summary>
-+## </param>
-+## <infoflow type="none"/>
-+#
-+interface(`files_spool_file',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
++ # Need to give access to /selinux/member
++ selinux_compute_member($1)
+
-+ files_type($1)
-+ typeattribute $1 spoolfile;
-+')
++ # Need sys_admin capability for mounting
++ allow $1 self:capability { chown fsetid sys_admin fowner };
+
-+########################################
-+## <summary>
-+## Create all spool sockets
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain alloed access.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_manage_all_pids',`
-+interface(`files_create_all_spool_sockets',`
- gen_require(`
-- attribute pidfile;
-+ attribute spoolfile;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Mount filesystems on all polyinstantiation
--## member directories.
-+## Delete all spool sockets
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6348,12 +7798,33 @@ interface(`files_manage_all_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_mounton_all_poly_members',`
-+interface(`files_delete_all_spool_sockets',`
- gen_require(`
-- attribute polymember;
-+ attribute spoolfile;
- ')
-
-- allow $1 polymember:dir mounton;
-+ allow $1 spoolfile:sock_file delete_sock_file_perms;
++ # Need to give access to the directories to be polyinstantiated
++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++ # Need to give access to the polyinstantiated subdirectories
++ allow $1 polymember:dir search_dir_perms;
++
++ # Need to give access to parent directories where original
++ # is remounted for polyinstantiation aware programs (like gdm)
++ allow $1 polyparent:dir { getattr mounton };
++
++ # Need to give permission to create directories where applicable
++ allow $1 self:process setfscreate;
++ allow $1 polymember: dir { create setattr relabelto };
++ allow $1 polydir: dir { write add_name open };
++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++ # Default type for mountpoints
++ allow $1 poly_t:dir { create mounton };
++ fs_unmount_xattr_fs($1)
++
++ fs_mount_tmpfs($1)
++ fs_unmount_tmpfs($1)
++
++ ifdef(`distro_redhat',`
++ # namespace.init
++ files_search_tmp($1)
++ files_search_home($1)
++ corecmd_exec_bin($1)
++ seutil_domtrans_setfiles($1)
++ ')
+')
+
+########################################
+## <summary>
-+## Relabel to and from all spool
-+## directory types.
++## Unconfined access to files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`files_relabel_all_spool_dirs',`
++interface(`files_unconfined',`
+ gen_require(`
-+ attribute spoolfile;
-+ type var_t;
++ attribute files_unconfined_type;
+ ')
+
-+ relabel_dirs_pattern($1, spoolfile, spoolfile)
- ')
-
- ########################################
-@@ -6580,3 +8051,514 @@ interface(`files_unconfined',`
-
- typeattribute $1 files_unconfined_type;
- ')
++ typeattribute $1 files_unconfined_type;
++')
+
+########################################
+## <summary>
@@ -12720,7 +13088,7 @@ index f962f76..1a11674 100644
+ ')
+
+ allow $1 etc_t:service status;
-+')
+ ')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..dfcd2ad 100644
--- a/policy/modules/kernel/files.te
@@ -15922,7 +16290,7 @@ index 7be4ddf..4d4c577 100644
-# This module currently does not have any file contexts.
+/selinux -l gen_context(system_u:object_r:security_t,s0)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 6d0811d..6947c0a 100644
+index 6d0811d..f67bd8f 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
@@ -16216,7 +16584,37 @@ index 6d0811d..6947c0a 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_relabel;
-@@ -690,7 +711,9 @@ interface(`selinux_compute_user_contexts',`
+@@ -677,6 +698,29 @@ interface(`selinux_compute_relabel_context',`
+
+ ########################################
+ ## <summary>
++## Allows caller to setcheckreqprot
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`selinux_setcheckreqprot',`
++ gen_require(`
++ type security_t;
++ ')
++
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
++ allow $1 security_t:dir list_dir_perms;
++ allow $1 security_t:file rw_file_perms;
++ allow $1 security_t:security setcheckreqprot;
++')
++
++########################################
++## <summary>
+ ## Allows caller to compute possible contexts for a user.
+ ## </summary>
+ ## <param name="domain">
+@@ -690,7 +734,9 @@ interface(`selinux_compute_user_contexts',`
type security_t;
')
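Review bot: The new `selinux_setcheckreqprot` interface documents itself only as "Allows caller to setcheckreqprot"; the summary should say what the setting controls and that the decisive rule is `allow $1 security_t:security setcheckreqprot;`, because `rw_file_perms` on `security_t:file` necessarily reaches every node of selinuxfs (they all carry security_t), not just the checkreqprot node. Suggested summary: `## Allows caller to change the kernel checkreqprot setting through selinuxfs, i.e. whether mmap/mprotect requests are checked against the protection the caller asked for or the one the kernel applies.` A short `# every selinuxfs node is security_t; the security-class permission is the effective gate` above the allow lines would make the breadth of the file access explicit to the next reader.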
@@ -16226,7 +16624,7 @@ index 6d0811d..6947c0a 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_user;
-@@ -712,4 +735,29 @@ interface(`selinux_unconfined',`
+@@ -712,4 +758,28 @@ interface(`selinux_unconfined',`
')
typeattribute $1 selinux_unconfined_type;
@@ -16255,7 +16653,6 @@ index 6d0811d..6947c0a 100644
+ fs_type($1)
+ mls_trusted_object($1)
')
-+
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index e0a973b..0fcd621 100644
--- a/policy/modules/kernel/selinux.te
@@ -28866,7 +29263,7 @@ index 79a45f6..9a14d49 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..a627baf 100644
+index 17eda24..fdd335a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -29533,15 +29930,18 @@ index 17eda24..a627baf 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,6 +719,7 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +719,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
+mls_socket_write_to_clearance(initrc_t)
selinux_get_enforce_mode(initrc_t)
++selinux_setcheckreqprot(initrc_t)
-@@ -398,6 +731,7 @@ term_use_all_terms(initrc_t)
+ storage_getattr_fixed_disk_dev(initrc_t)
+ storage_setattr_fixed_disk_dev(initrc_t)
+@@ -398,6 +732,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
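Review bot: `selinux_setcheckreqprot(initrc_t)` grants the permission to everything that runs as initrc_t, not only to the new service script the commit message mentions, so any init script in that domain may change the kernel-wide checkreqprot setting. If the service script is a distinct executable, a small dedicated domain with its own entrypoint would confine the permission to that one program; if initrc_t is deliberately the carrier, a comment such as `# the checkreqprot service script sets the value through selinuxfs at boot` next to the call would record the intent in the file. initrc_t's rule block continues outside this hunk.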
@@ -29549,7 +29949,7 @@ index 17eda24..a627baf 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +750,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +751,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -29573,7 +29973,7 @@ index 17eda24..a627baf 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +783,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +784,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -29581,7 +29981,7 @@ index 17eda24..a627baf 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +817,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +818,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -29592,7 +29992,7 @@ index 17eda24..a627baf 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +841,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +842,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29601,7 +30001,7 @@ index 17eda24..a627baf 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +856,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +857,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -29609,7 +30009,7 @@ index 17eda24..a627baf 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +877,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +878,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -29617,7 +30017,7 @@ index 17eda24..a627baf 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +887,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +888,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -29662,7 +30062,7 @@ index 17eda24..a627baf 100644
')
optional_policy(`
-@@ -559,14 +932,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +933,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -29694,7 +30094,7 @@ index 17eda24..a627baf 100644
')
')
-@@ -577,6 +967,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +968,39 @@ ifdef(`distro_suse',`
')
')
@@ -29734,7 +30134,7 @@ index 17eda24..a627baf 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1012,8 @@ optional_policy(`
+@@ -589,6 +1013,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29743,7 +30143,7 @@ index 17eda24..a627baf 100644
')
optional_policy(`
-@@ -610,6 +1035,7 @@ optional_policy(`
+@@ -610,6 +1036,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -29751,7 +30151,7 @@ index 17eda24..a627baf 100644
')
optional_policy(`
-@@ -626,6 +1052,17 @@ optional_policy(`
+@@ -626,6 +1053,17 @@ optional_policy(`
')
optional_policy(`
@@ -29769,7 +30169,7 @@ index 17eda24..a627baf 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1079,13 @@ optional_policy(`
+@@ -642,9 +1080,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29783,7 +30183,7 @@ index 17eda24..a627baf 100644
')
optional_policy(`
-@@ -657,15 +1098,11 @@ optional_policy(`
+@@ -657,15 +1099,11 @@ optional_policy(`
')
optional_policy(`
@@ -29801,7 +30201,7 @@ index 17eda24..a627baf 100644
')
optional_policy(`
-@@ -686,6 +1123,15 @@ optional_policy(`
+@@ -686,6 +1124,15 @@ optional_policy(`
')
optional_policy(`
@@ -29817,7 +30217,7 @@ index 17eda24..a627baf 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1172,7 @@ optional_policy(`
+@@ -726,6 +1173,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -29825,7 +30225,7 @@ index 17eda24..a627baf 100644
')
optional_policy(`
-@@ -743,7 +1190,13 @@ optional_policy(`
+@@ -743,7 +1191,13 @@ optional_policy(`
')
optional_policy(`
@@ -29840,7 +30240,7 @@ index 17eda24..a627baf 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1219,10 @@ optional_policy(`
+@@ -766,6 +1220,10 @@ optional_policy(`
')
optional_policy(`
@@ -29851,7 +30251,7 @@ index 17eda24..a627baf 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1232,20 @@ optional_policy(`
+@@ -775,10 +1233,20 @@ optional_policy(`
')
optional_policy(`
@@ -29872,7 +30272,7 @@ index 17eda24..a627baf 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1254,10 @@ optional_policy(`
+@@ -787,6 +1255,10 @@ optional_policy(`
')
optional_policy(`
@@ -29883,7 +30283,7 @@ index 17eda24..a627baf 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1279,6 @@ optional_policy(`
+@@ -808,8 +1280,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29892,7 +30292,7 @@ index 17eda24..a627baf 100644
')
optional_policy(`
-@@ -818,6 +1287,10 @@ optional_policy(`
+@@ -818,6 +1288,10 @@ optional_policy(`
')
optional_policy(`
@@ -29903,7 +30303,7 @@ index 17eda24..a627baf 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1300,12 @@ optional_policy(`
+@@ -827,10 +1301,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -29916,7 +30316,7 @@ index 17eda24..a627baf 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,12 +1332,35 @@ optional_policy(`
+@@ -857,21 +1333,60 @@ optional_policy(`
')
optional_policy(`
@@ -29953,7 +30353,13 @@ index 17eda24..a627baf 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -872,6 +1370,18 @@ optional_policy(`
+ unconfined_dontaudit_rw_pipes(daemon)
+ ')
+
++ optional_policy(`
++ authconfig_domtrans(initrc_t)
++ ')
++
optional_policy(`
mono_domtrans(initrc_t)
')
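Review bot: The new optional_policy block holding `authconfig_domtrans(initrc_t)` is placed after the `')` that closes the preceding unconfined block, so as written it takes effect whenever the authconfig module is loaded, not only "if unconfined is enabled" as the changelog says (the archive strips indentation, so confirm the nesting in init.te). If the gating on unconfined is intended, nest the block inside that optional_policy next to `unconfined_dontaudit_rw_pipes(daemon)`, so that the domain transition from initrc_t into authconfig's domain is only granted on systems that carry the unconfined module; otherwise a plain optional_policy with a comment saying the transition is unconditional would make the intent explicit. The enclosing ifdef(`distro_redhat') block begins and ends outside this hunk.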
@@ -29972,7 +30378,7 @@ index 17eda24..a627baf 100644
')
optional_policy(`
-@@ -887,6 +1397,10 @@ optional_policy(`
+@@ -887,6 +1402,10 @@ optional_policy(`
')
optional_policy(`
@@ -29983,7 +30389,7 @@ index 17eda24..a627baf 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1411,218 @@ optional_policy(`
+@@ -897,3 +1416,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -31294,7 +31700,7 @@ index 73bb3c0..5b9420f 100644
+
+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..9d8f729 100644
+index 808ba93..57a68da 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
@@ -31430,7 +31836,7 @@ index 808ba93..9d8f729 100644
')
########################################
-@@ -534,3 +558,26 @@ interface(`lib_filetrans_shared_lib',`
+@@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',`
interface(`files_lib_filetrans_shared_lib',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -31447,10 +31853,12 @@ index 808ba93..9d8f729 100644
+#
+interface(`libs_filetrans_named_content',`
+ gen_require(`
++ type lib_t;
+ type ld_so_cache_t;
+ type ldconfig_cache_t;
+ ')
+
++ files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")
+ files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
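Review bot: `type lib_t;` is added to the gen_require but none of the visible calls use it, while the new `files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")` keys the transition on directories created under var_lib_t (/var/lib), not on the /usr/lib/debug directory the changelog names. If /usr/lib/debug is the real target, the transition should be anchored on the lib_t parent, e.g. `filetrans_pattern($1, lib_t, ldconfig_cache_t, dir, "debug")`, which would also give the new require a purpose; if /var/lib/debug really is meant, drop the unused require and correct the changelog line. The spacing should also match the neighbouring calls (`$1, ldconfig_cache_t`). The interface body continues past the hunk, so check the remaining lines before removing the require.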
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 589f30d..3c2bcc4 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -42699,10 +42699,10 @@ index 0000000..b694afc
+')
+
diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..7995fce 100644
+index 6ffaba2..7128926 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -1,38 +1,68 @@
+@@ -1,38 +1,71 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -42760,7 +42760,7 @@ index 6ffaba2..7995fce 100644
-/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-
+-
-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -42771,6 +42771,7 @@ index 6ffaba2..7995fce 100644
-/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
-/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++
+ifdef(`distro_redhat',`
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
@@ -42795,12 +42796,15 @@ index 6ffaba2..7995fce 100644
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
++/usr/lib/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
++
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
+
++/usr/libexec/WebKitPluginProcess -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
++
+ifdef(`distro_redhat',`
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
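Review bot: The re-added `/usr/lib/firefox/plugin-container` entry is a literal path, whereas the sibling firefox entries use `/usr/lib/[^/]*firefox[^/]*/…` and the xulrunner entry uses `/usr/lib/xulrunner[^/]*/plugin-container`, so a versioned or renamed firefox directory would presumably leave plugin-container with the generic /usr/lib label and no transition into mozilla_plugin_t when the browser execs it. Using the same pattern as the other firefox lines, `/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)`, keeps the plugin confinement consistent across installs. The new `/usr/libexec/WebKitPluginProcess` entry would benefit from a one-line comment noting that it is a WebKit (non-mozilla) plugin host deliberately reusing the mozilla plugin type.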
@@ -75168,10 +75172,10 @@ index c8bdea2..1337d42 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..8ee9185 100644
+index 6cf79c4..e7fe8c7 100644
--- a/rhcs.te
+++ b/rhcs.te
-@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
+@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
## </desc>
gen_tunable(fenced_can_ssh, false)
@@ -75196,10 +75200,18 @@ index 6cf79c4..8ee9185 100644
+## </desc>
+gen_tunable(cluster_use_execmem, false)
+
++## <desc>
++## <p>
++## Determine whether haproxy can
++## connect to all TCP ports.
++## </p>
++## </desc>
++gen_tunable(haproxy_connect_any, false)
++
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
-@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t;
init_script_file(foghorn_initrc_exec_t)
rhcs_domain_template(gfs_controld)
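Review bot: The new `<desc>` says haproxy "can connect to all TCP ports", but the tunable_policy(`haproxy_connect_any') block in the later rhcs.te hunk also grants `corenet_tcp_bind_all_ports(haproxy_t)` and `corenet_sendrecv_all_packets(haproxy_t)`, so enabling the boolean additionally lets haproxy listen on any port. Either document the full scope (`## Determine whether haproxy can connect to` / `## and bind to all TCP ports.`) or narrow the block to outbound connects only (`corenet_sendrecv_all_client_packets` plus `corenet_tcp_connect_all_ports`), leaving listen ports to explicit rules, so the boolean does what its name and description promise to the administrator who flips it.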
@@ -75487,7 +75499,7 @@ index 6cf79c4..8ee9185 100644
')
#####################################
-@@ -79,9 +349,11 @@ optional_policy(`
+@@ -79,9 +357,11 @@ optional_policy(`
# dlm_controld local policy
#
@@ -75500,7 +75512,7 @@ index 6cf79c4..8ee9185 100644
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-@@ -98,16 +370,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -75533,7 +75545,7 @@ index 6cf79c4..8ee9185 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +404,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -75544,7 +75556,7 @@ index 6cf79c4..8ee9185 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
-@@ -140,6 +425,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
corenet_sendrecv_zented_server_packets(fenced_t)
corenet_tcp_bind_zented_port(fenced_t)
@@ -75553,7 +75565,7 @@ index 6cf79c4..8ee9185 100644
corenet_tcp_sendrecv_zented_port(fenced_t)
corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +435,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +443,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@@ -75564,7 +75576,7 @@ index 6cf79c4..8ee9185 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +445,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@@ -75573,7 +75585,7 @@ index 6cf79c4..8ee9185 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +467,8 @@ optional_policy(`
+@@ -182,7 +475,8 @@ optional_policy(`
')
optional_policy(`
@@ -75583,7 +75595,7 @@ index 6cf79c4..8ee9185 100644
')
optional_policy(`
-@@ -190,12 +476,12 @@ optional_policy(`
+@@ -190,12 +484,12 @@ optional_policy(`
')
optional_policy(`
@@ -75599,7 +75611,7 @@ index 6cf79c4..8ee9185 100644
')
optional_policy(`
-@@ -203,6 +489,13 @@ optional_policy(`
+@@ -203,6 +497,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -75613,7 +75625,7 @@ index 6cf79c4..8ee9185 100644
#######################################
#
# foghorn local policy
-@@ -221,16 +514,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +522,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@@ -75634,7 +75646,7 @@ index 6cf79c4..8ee9185 100644
snmp_stream_connect(foghorn_t)
')
-@@ -257,6 +552,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +560,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -75643,7 +75655,7 @@ index 6cf79c4..8ee9185 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +572,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +580,50 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -75676,16 +75688,27 @@ index 6cf79c4..8ee9185 100644
+corenet_tcp_connect_commplex_link_port(haproxy_t)
+corenet_tcp_connect_commplex_main_port(haproxy_t)
+corenet_tcp_bind_commplex_main_port(haproxy_t)
++corenet_tcp_bind_http_port(haproxy_t)
++corenet_tcp_bind_http_cache_port(haproxy_t)
+
+corenet_tcp_connect_fmpro_internal_port(haproxy_t)
++corenet_tcp_connect_http_port(haproxy_t)
++corenet_tcp_connect_http_cache_port(haproxy_t)
+corenet_tcp_connect_rtp_media_port(haproxy_t)
+
+sysnet_dns_name_resolve(haproxy_t)
+
++tunable_policy(`haproxy_connect_any',`
++ corenet_tcp_connect_all_ports(haproxy_t)
++ corenet_tcp_bind_all_ports(haproxy_t)
++ corenet_sendrecv_all_packets(haproxy_t)
++ corenet_tcp_sendrecv_all_ports(haproxy_t)
++')
++
######################################
#
# qdiskd local policy
-@@ -321,6 +647,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +666,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 38141db..4b20053 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 17%{?dist}
+Release: 18%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -578,6 +578,20 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jan 24 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-18
+- Add haproxy_connect_any boolean
+- Allow haproxy also to use http cache port by default
+- Fix /usr/lib/firefox/plugin-container decl
+- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications
+- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
+- Fix type in docker.te
+- Fix bs_filetrans_named_content() to have support for /usr/lib/debug directory
+- Adding a new service script to enable setcheckreqprot
+- Add interface to getattr on an isid_type for any type of file
+- Allow initrc_t domtrans to authconfig if unconfined is enabled
+type in docker.te
+- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container
+
* Thu Jan 23 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-17
- init calling needs to be optional in domain.te
- Allow docker and mount on devpts chr_file