[selinux-policy] - Add kernel_mounton_messages() interface - init wants to manage lock files for iscsi - Add support

Miroslav Grepl mgrepl at fedoraproject.org
Wed Feb 5 07:51:47 UTC 2014


commit fc059db54d3cc7cf37a350463959f52dfbe9c35a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Feb 5 08:52:08 2014 +0100

    - Add kernel_mounton_messages() interface
    - init wants to manage lock files for iscsi
    - Add support for dey_sapi port
    - Fixes needed for docker
    - Allow epmd to manage /var/log/rabbitmq/startup_err file
    - Allow beam.smp to connect to amqp port
    - drbdadm executes drbdmeta
    - Added osad policy
    - Allow postfix to deliver to procmail
    - Allow vmtools to execute /usr/bin/lsb_release
    - Allow geoclue to read /etc/passwd
    - Allow docker to write system net ctrls
    - Add support for rhnsd unit file
    - Add dbus_chat_session_bus() interface
    - Add dbus_stream_connect_session_bus() interface
    - Fix pcp.te
    - Fix logrotate_use_nfs boolean
    - Add lot of pcp fixes found in RHEL7
    - fix labeling for pmie for pcp pkg
    - Change thumb_t to be allowed to chat/connect with session bus type
    - Add logrotate_use_nfs boolean
    - Allow setroubleshootd to read rpc sysctl

 policy-rawhide-base.patch    |  226 +++++---
 policy-rawhide-contrib.patch | 1314 +++++++++++++++++++++++++++++-------------
 selinux-policy.spec          |   26 +-
 3 files changed, 1085 insertions(+), 481 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index f75f5e3..7b7b458 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..51daa72 100644
+index b191055..b60c687 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5497,7 +5497,7 @@ index b191055..51daa72 100644
  network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
  network_port(audit, tcp,60,s0)
  network_port(auth, tcp,113,s0)
-@@ -96,19 +119,20 @@ network_port(boinc, tcp,31416,s0)
+@@ -96,43 +119,53 @@ network_port(boinc, tcp,31416,s0)
  network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
  network_port(biff) # no defined portcon
  network_port(certmaster, tcp,51235,s0)
@@ -5521,7 +5521,11 @@ index b191055..51daa72 100644
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -119,20 +143,28 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+ network_port(dbskkd, tcp,1178,s0)
+ network_port(dcc, udp,6276,s0, udp,6277,s0)
+ network_port(dccm, tcp,5679,s0, udp,5679,s0)
++network_port(dey_sapi, tcp,4330,s0)
+ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -5552,7 +5556,7 @@ index b191055..51daa72 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +172,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5619,7 +5623,7 @@ index b191055..51daa72 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +225,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5659,7 +5663,7 @@ index b191055..51daa72 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -215,39 +263,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,39 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5712,7 +5716,7 @@ index b191055..51daa72 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -259,8 +313,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -259,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5723,7 +5727,7 @@ index b191055..51daa72 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
-@@ -271,10 +326,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -271,10 +327,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5736,7 +5740,7 @@ index b191055..51daa72 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +343,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +344,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5763,7 +5767,7 @@ index b191055..51daa72 100644
  
  ########################################
  #
-@@ -333,6 +392,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +393,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5772,7 +5776,7 @@ index b191055..51daa72 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -345,9 +406,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +407,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -14917,7 +14921,7 @@ index 7be4ddf..d5ef507 100644
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..6f745f0 100644
+index e100d88..ee4c057 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -15031,7 +15035,33 @@ index e100d88..6f745f0 100644
  ##	Do not audit attempts by caller to
  ##	read system state information in proc.
  ## </summary>
-@@ -1477,6 +1529,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1208,6 +1260,25 @@ interface(`kernel_read_messages',`
+ 
+ ########################################
+ ## <summary>
++##	Allow caller to read kernel messages
++##	using the /proc/kmsg interface.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_mounton_messages',`
++	gen_require(`
++		type proc_kmsg_t, proc_t;
++	')
++
++    allow $1 proc_kmsg_t:dir mounton;
++')
++
++########################################
++## <summary>
+ ##	Allow caller to get the attributes of kernel message
+ ##	interface (/proc/kmsg).
+ ## </summary>
+@@ -1477,6 +1548,24 @@ interface(`kernel_dontaudit_list_all_proc',`
  
  ########################################
  ## <summary>
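Review bot: The summary added for `kernel_mounton_messages` is copied from `kernel_read_messages` and says the caller may read kernel messages via /proc/kmsg, while the only rule the interface grants is `allow $1 proc_kmsg_t:dir mounton;`, so the generated interface documentation would misstate what callers receive. I would replace the two summary lines with `##	Allow caller to mount on the kernel message` / `##	interface (/proc/kmsg).`. The `gen_require` also pulls in `proc_t`, which the body never references, so `type proc_kmsg_t, proc_t;` can be reduced to `type proc_kmsg_t;`, and the `allow` line is indented with four spaces where the rest of kernel.if uses a tab. Since /proc/kmsg is a file rather than a directory, it is worth confirming against the denial that motivated this that the `dir` class is really what is being mounted over and not `file`.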
@@ -15056,7 +15086,7 @@ index e100d88..6f745f0 100644
  ##	Do not audit attempts by caller to search
  ##	the base directory of sysctls.
  ## </summary>
-@@ -1750,16 +1820,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1839,9 @@ interface(`kernel_rw_unix_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15074,7 +15104,7 @@ index e100d88..6f745f0 100644
  ')
  
  ########################################
-@@ -1771,16 +1834,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1853,9 @@ interface(`kernel_read_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15092,7 +15122,7 @@ index e100d88..6f745f0 100644
  ')
  
  ########################################
-@@ -1792,16 +1848,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1867,9 @@ interface(`kernel_rw_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15110,7 +15140,7 @@ index e100d88..6f745f0 100644
  ')
  
  ########################################
-@@ -1813,16 +1862,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1881,9 @@ interface(`kernel_read_modprobe_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15128,7 +15158,7 @@ index e100d88..6f745f0 100644
  ')
  
  ########################################
-@@ -2085,7 +2127,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2146,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -15137,7 +15167,7 @@ index e100d88..6f745f0 100644
  ')
  
  ########################################
-@@ -2282,6 +2324,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2343,25 @@ interface(`kernel_list_unlabeled',`
  
  ########################################
  ## <summary>
@@ -15163,7 +15193,7 @@ index e100d88..6f745f0 100644
  ##	Read the process state (/proc/pid) of all unlabeled_t.
  ## </summary>
  ## <param name="domain">
-@@ -2306,7 +2367,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2386,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15172,7 +15202,7 @@ index e100d88..6f745f0 100644
  ##	</summary>
  ## </param>
  #
-@@ -2488,6 +2549,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2568,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
@@ -15197,7 +15227,7 @@ index e100d88..6f745f0 100644
  ##	Do not audit attempts by caller to get attributes for
  ##	unlabeled character devices.
  ## </summary>
-@@ -2525,6 +2604,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2623,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
  
  ########################################
  ## <summary>
@@ -15222,7 +15252,7 @@ index e100d88..6f745f0 100644
  ##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
-@@ -2667,6 +2764,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2783,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
@@ -15247,7 +15277,7 @@ index e100d88..6f745f0 100644
  ##	Receive TCP packets from an unlabeled connection.
  ## </summary>
  ## <desc>
-@@ -2694,6 +2809,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2828,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
@@ -15273,7 +15303,7 @@ index e100d88..6f745f0 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2803,6 +2937,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +2956,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -15307,7 +15337,7 @@ index e100d88..6f745f0 100644
  
  ########################################
  ## <summary>
-@@ -2958,6 +3119,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3138,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -15332,7 +15362,7 @@ index e100d88..6f745f0 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3151,565 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3170,565 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -29278,7 +29308,7 @@ index 79a45f6..9a14d49 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..fdd335a 100644
+index 17eda24..17932ac 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -29526,7 +29556,7 @@ index 17eda24..fdd335a 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +286,212 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +286,213 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -29571,6 +29601,7 @@ index 17eda24..fdd335a 100644
 +
 +optional_policy(`
 +	iscsi_read_lib_files(init_t)
++	iscsi_manage_lock(init_t)
 +')
 +
 +optional_policy(`
@@ -29747,7 +29778,7 @@ index 17eda24..fdd335a 100644
  ')
  
  optional_policy(`
-@@ -216,7 +499,30 @@ optional_policy(`
+@@ -216,7 +500,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29778,7 +29809,7 @@ index 17eda24..fdd335a 100644
  ')
  
  ########################################
-@@ -225,9 +531,9 @@ optional_policy(`
+@@ -225,9 +532,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29790,7 +29821,7 @@ index 17eda24..fdd335a 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +564,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +565,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29807,7 +29838,7 @@ index 17eda24..fdd335a 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +589,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +590,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -29850,7 +29881,7 @@ index 17eda24..fdd335a 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +626,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +627,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -29862,7 +29893,7 @@ index 17eda24..fdd335a 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +638,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +639,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -29873,7 +29904,7 @@ index 17eda24..fdd335a 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +649,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +650,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -29883,7 +29914,7 @@ index 17eda24..fdd335a 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +658,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +659,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -29891,7 +29922,7 @@ index 17eda24..fdd335a 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +665,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +666,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -29899,7 +29930,7 @@ index 17eda24..fdd335a 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +673,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +674,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -29917,7 +29948,7 @@ index 17eda24..fdd335a 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +691,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +692,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -29931,7 +29962,7 @@ index 17eda24..fdd335a 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +706,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +707,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -29945,7 +29976,7 @@ index 17eda24..fdd335a 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +719,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +720,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -29956,7 +29987,7 @@ index 17eda24..fdd335a 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +732,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +733,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -29964,7 +29995,7 @@ index 17eda24..fdd335a 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +751,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +752,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -29988,7 +30019,7 @@ index 17eda24..fdd335a 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +784,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +785,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -29996,7 +30027,7 @@ index 17eda24..fdd335a 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +818,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +819,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -30007,7 +30038,7 @@ index 17eda24..fdd335a 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +842,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +843,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -30016,7 +30047,7 @@ index 17eda24..fdd335a 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +857,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +858,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -30024,7 +30055,7 @@ index 17eda24..fdd335a 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +878,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +879,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -30032,7 +30063,7 @@ index 17eda24..fdd335a 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +888,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +889,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -30077,7 +30108,7 @@ index 17eda24..fdd335a 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +933,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +934,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -30109,7 +30140,7 @@ index 17eda24..fdd335a 100644
  	')
  ')
  
-@@ -577,6 +968,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +969,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -30149,7 +30180,7 @@ index 17eda24..fdd335a 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1013,8 @@ optional_policy(`
+@@ -589,6 +1014,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -30158,7 +30189,7 @@ index 17eda24..fdd335a 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1036,7 @@ optional_policy(`
+@@ -610,6 +1037,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -30166,7 +30197,7 @@ index 17eda24..fdd335a 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1053,17 @@ optional_policy(`
+@@ -626,6 +1054,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30184,7 +30215,7 @@ index 17eda24..fdd335a 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1080,13 @@ optional_policy(`
+@@ -642,9 +1081,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -30198,7 +30229,7 @@ index 17eda24..fdd335a 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1099,11 @@ optional_policy(`
+@@ -657,15 +1100,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30216,7 +30247,7 @@ index 17eda24..fdd335a 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1124,15 @@ optional_policy(`
+@@ -686,6 +1125,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30232,7 +30263,7 @@ index 17eda24..fdd335a 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1173,7 @@ optional_policy(`
+@@ -726,6 +1174,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -30240,7 +30271,7 @@ index 17eda24..fdd335a 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1191,13 @@ optional_policy(`
+@@ -743,7 +1192,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30255,7 +30286,7 @@ index 17eda24..fdd335a 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1220,10 @@ optional_policy(`
+@@ -766,6 +1221,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30266,7 +30297,7 @@ index 17eda24..fdd335a 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1233,20 @@ optional_policy(`
+@@ -775,10 +1234,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30287,7 +30318,7 @@ index 17eda24..fdd335a 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1255,10 @@ optional_policy(`
+@@ -787,6 +1256,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30298,7 +30329,7 @@ index 17eda24..fdd335a 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1280,6 @@ optional_policy(`
+@@ -808,8 +1281,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30307,7 +30338,7 @@ index 17eda24..fdd335a 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1288,10 @@ optional_policy(`
+@@ -818,6 +1289,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30318,7 +30349,7 @@ index 17eda24..fdd335a 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1301,12 @@ optional_policy(`
+@@ -827,10 +1302,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -30331,7 +30362,7 @@ index 17eda24..fdd335a 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1333,60 @@ optional_policy(`
+@@ -857,21 +1334,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30393,7 +30424,7 @@ index 17eda24..fdd335a 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1402,10 @@ optional_policy(`
+@@ -887,6 +1403,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30404,7 +30435,7 @@ index 17eda24..fdd335a 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1416,218 @@ optional_policy(`
+@@ -897,3 +1417,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -32364,7 +32395,7 @@ index b50c5fe..e55a556 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..6118015 100644
+index 4e94884..b144ffe 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -32516,12 +32547,19 @@ index 4e94884..6118015 100644
 +interface(`logging_read_syslog_pid',`
 +	gen_require(`
 +		type syslogd_var_run_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
+-	allow $1 devlog_t:sock_file write_sock_file_perms;
 +    read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +    list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +')
-+
+ 
+-	# the type of socket depends on the syslog daemon
+-	allow $1 syslogd_t:unix_dgram_socket sendto;
+-	allow $1 syslogd_t:unix_stream_socket connectto;
+-	allow $1 self:unix_dgram_socket create_socket_perms;
+-	allow $1 self:unix_stream_socket create_socket_perms;
 +########################################
 +## <summary>
 +##	Relabel the syslog pid sock_file.
@@ -32535,18 +32573,15 @@ index 4e94884..6118015 100644
 +interface(`logging_relabel_syslog_pid_socket',`
 +	gen_require(`
 +		type syslogd_var_run_t;
- 	')
++	')
  
--	allow $1 devlog_t:lnk_file read_lnk_file_perms;
--	allow $1 devlog_t:sock_file write_sock_file_perms;
+-	# If syslog is down, the glibc syslog() function
+-	# will write to the console.
+-	term_write_console($1)
+-	term_dontaudit_read_console($1)
 +	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
 +')
- 
--	# the type of socket depends on the syslog daemon
--	allow $1 syslogd_t:unix_dgram_socket sendto;
--	allow $1 syslogd_t:unix_stream_socket connectto;
--	allow $1 self:unix_dgram_socket create_socket_perms;
--	allow $1 self:unix_stream_socket create_socket_perms;
++
 +########################################
 +## <summary>
 +##	Connect to the syslog control unix stream socket.
@@ -32561,11 +32596,7 @@ index 4e94884..6118015 100644
 +	gen_require(`
 +		type syslogd_t, syslogd_var_run_t;
 +	')
- 
--	# If syslog is down, the glibc syslog() function
--	# will write to the console.
--	term_write_console($1)
--	term_dontaudit_read_console($1)
++
 +	files_search_pids($1)
 +	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
  ')
@@ -32808,13 +32839,32 @@ index 4e94884..6118015 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1085,3 +1380,35 @@ interface(`logging_admin',`
+@@ -1085,3 +1380,54 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
 +
 +########################################
 +## <summary>
++##	Transition to syslog.conf
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_filetrans_named_conf',`
++	gen_require(`
++        type  syslog_conf_t;
++	')
++
++    files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
++    files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
++')
++
++########################################
++## <summary>
 +##	Transition to logging named content
 +## </summary>
 +## <param name="domain">
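Review bot: The new `logging_filetrans_named_conf` interface mixes indentation styles — its `gen_require` entry is indented with eight spaces and has a doubled space in `type  syslog_conf_t;`, and the two `files_etc_filetrans` calls use four spaces, while the neighbouring interfaces in logging.if use tabs. The summary `Transition to syslog.conf` is also too terse for a caller to know what it gets, and the parameter summary is indented with spaces rather than the `##	Domain allowed access.` form used elsewhere in the file. I would write the summary as `##	Create syslog.conf and rsyslog.conf in /etc labeled syslog_conf_t via named file transitions.` and retab the body to match the surrounding interfaces.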
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 47a5a74..bb62aba 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -8322,6 +8322,18 @@ index 7811450..d8a8bd6 100644
  
  optional_policy(`
  	cron_system_entry(backup_t, backup_exec_t)
+diff --git a/bacula.if b/bacula.if
+index dcd774e..c240ffa 100644
+--- a/bacula.if
++++ b/bacula.if
+@@ -69,6 +69,7 @@ interface(`bacula_admin',`
+ 		type bacula_t, bacula_etc_t, bacula_log_t;
+ 		type bacula_spool_t, bacula_var_lib_t;
+ 		type bacula_var_run_t, bacula_initrc_exec_t;
++        attribute_role bacula_admin_roles;
+ 	')
+ 
+ 	allow $1 bacula_t:process { ptrace signal_perms };
 diff --git a/bacula.te b/bacula.te
 index f16b000..ed47057 100644
 --- a/bacula.te
@@ -10390,6 +10402,19 @@ index a3760bc..a570048 100644
 +dev_search_sysfs(cachefiles_kernel_t)
 +
 +init_sigchld_script(cachefiles_kernel_t)
+diff --git a/calamaris.if b/calamaris.if
+index cd9c528..9de38c4 100644
+--- a/calamaris.if
++++ b/calamaris.if
+@@ -42,7 +42,7 @@ interface(`calamaris_run',`
+ 		attribute_role calamaris_roles;
+ 	')
+ 
+-	lightsquid_domtrans($1)
++	clamd_domtrans($1)
+ 	roleattribute $2 calamaris_roles;
+ ')
+ 
 diff --git a/calamaris.te b/calamaris.te
 index 7e57460..b0cf254 100644
 --- a/calamaris.te
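Review bot: `calamaris_run` now calls `clamd_domtrans($1)`, which by its name transitions the caller into the clamd domain rather than into the calamaris domain, so the interface still does not run calamaris; the removed `lightsquid_domtrans($1)` had the same shape of mistake and the change only swaps one wrong module for another. The call should be `calamaris_domtrans($1)`, the domain-transition interface that calamaris.if itself defines (assuming this file follows the refpolicy layout, which I cannot see from the hunk). As written it also makes calamaris.if depend on the clamav module, so `calamaris_run` would fail to expand on a build where that module is absent.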
@@ -13418,7 +13443,7 @@ index ad2b696..28d1af0 100644
  /usr/sbin/condor_collector	--	gen_context(system_u:object_r:condor_collector_exec_t,s0)
  /usr/sbin/condor_master	--	gen_context(system_u:object_r:condor_master_exec_t,s0)
 diff --git a/condor.if b/condor.if
-index 881d92f..eb35613 100644
+index 881d92f..4998ee9 100644
 --- a/condor.if
 +++ b/condor.if
 @@ -1,75 +1,390 @@
@@ -13476,13 +13501,13 @@ index 881d92f..eb35613 100644
 +## </summary>
 +## </param>
 +#
-+interface(`condor_domtrans',`
++interface(`condor_domtrans_master',`
 +	gen_require(`
-+		type condor_t, condor_exec_t;
++		type condor_master_t, condor_master_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
-+	domtrans_pattern($1, condor_exec_t, condor_t)
++	domtrans_pattern($1, condor_master_exec_t, condor_master_t)
 +')
 +
 +#######################################
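Review bot: Renaming `condor_domtrans` to `condor_domtrans_master` removes the public interface name, so any module that still calls `condor_domtrans($1)` will fail to expand; if callers exist outside this patch, either update them in the same commit or keep a `condor_domtrans` interface that forwards to the new one. The summary block directly above the hunk (only its closing `## </summary>`/`## </param>` lines are visible) was written for the generic name and should be checked to say it transitions to the condor master domain.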
@@ -13662,15 +13687,10 @@ index 881d92f..eb35613 100644
  #
 -interface(`condor_admin',`
 +interface(`condor_read_lib_files',`
- 	gen_require(`
--		attribute condor_domain;
--		type condor_initrc_exec_config_t, condor_log_t;
--		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
--		type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
++	gen_require(`
 +		type condor_var_lib_t;
- 	')
- 
--	allow $1 condor_domain:process { ptrace signal_perms };
++	')
++
 +	files_search_var_lib($1)
 +	read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
 +')
@@ -13743,10 +13763,15 @@ index 881d92f..eb35613 100644
 +## </param>
 +#
 +interface(`condor_read_pid_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute condor_domain;
+-		type condor_initrc_exec_config_t, condor_log_t;
+-		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+-		type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
 +		type condor_var_run_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 condor_domain:process { ptrace signal_perms };
 +	files_search_pids($1)
 +	allow $1 condor_var_run_t:file read_file_perms;
 +')
@@ -13763,7 +13788,7 @@ index 881d92f..eb35613 100644
 +#
 +interface(`condor_systemctl',`
 +	gen_require(`
-+		type condor_t;
++		type condor_domain;
 +		type condor_unit_file_t;
 +	')
 +
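Review bot: The `gen_require` of `condor_systemctl` now declares `type condor_domain;`, but `condor_domain` is an attribute (the removed upstream require in the earlier hunk reads `attribute condor_domain;`), so the require has the wrong flavor and `ps_process_pattern($1, condor_domain)` in the next hunk would reference an attribute that was required as a type. Change the line to `attribute condor_domain;` and keep `type condor_unit_file_t;` as the only type require. The interface header is inside this hunk but its body continues in the next hunk, which shares this defect.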
@@ -13772,7 +13797,7 @@ index 881d92f..eb35613 100644
 +	allow $1 condor_unit_file_t:file read_file_perms;
 +	allow $1 condor_unit_file_t:service manage_service_perms;
 +
-+	ps_process_pattern($1, condor_t)
+ 	ps_process_pattern($1, condor_domain)
 +')
 +
 +#######################################
@@ -13789,7 +13814,11 @@ index 881d92f..eb35613 100644
 +	gen_require(`
 +		type condor_startd_t;
 +	')
-+
+ 
+-	init_labeled_script_domtrans($1, condor_initrc_exec_t)
+-	domain_system_change_exemption($1)
+-	role_transition $2 condor_initrc_exec_t system_r;
+-	allow $2 system_r;
 +	allow $1 condor_startd_t:tcp_socket rw_socket_perms;
 +')
 +
@@ -13837,12 +13866,8 @@ index 881d92f..eb35613 100644
 +    ')
 +
 +	allow $1 condor_domain:process { signal_perms };
- 	ps_process_pattern($1, condor_domain)
- 
--	init_labeled_script_domtrans($1, condor_initrc_exec_t)
--	domain_system_change_exemption($1)
--	role_transition $2 condor_initrc_exec_t system_r;
--	allow $2 system_r;
++	ps_process_pattern($1, condor_domain)
++
 +    init_labeled_script_domtrans($1, condor_initrc_exec_t)
 +    domain_system_change_exemption($1)
 +    role_transition $2 condor_initrc_exec_t system_r;
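Review bot: The `ps_process_pattern($1, condor_domain)` line added to `condor_admin` is tab-indented, whereas the neighbouring lines of the same interface (`    ')` at the top of the hunk and the `    init_labeled_script_domtrans` / `    domain_system_change_exemption` / `    role_transition` lines at the bottom) use four spaces, so the interface now mixes both styles. The rest of the condor interfaces in this file use tabs, so the space-indented lines are the ones to retab rather than the new line. The `condor_admin` header and its `gen_require` start before this hunk.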
@@ -19231,7 +19256,7 @@ index dda905b..31f269b 100644
  /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index 62d22cb..4d3ed7b 100644
+index 62d22cb..ff0c9da 100644
 --- a/dbus.if
 +++ b/dbus.if
 @@ -1,4 +1,4 @@
@@ -19356,7 +19381,7 @@ index 62d22cb..4d3ed7b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -103,65 +129,29 @@ template(`dbus_role_template',`
+@@ -103,91 +129,82 @@ template(`dbus_role_template',`
  #
  interface(`dbus_system_bus_client',`
  	gen_require(`
@@ -19390,12 +19415,17 @@ index 62d22cb..4d3ed7b 100644
  ## <summary>
 -##	Acquire service on DBUS
 -##	session bus.
--## </summary>
++##	Creating connections to specified
++##	DBUS sessions.
+ ## </summary>
 -## <param name="domain">
--##	<summary>
++## <param name="role_prefix">
+ ##	<summary>
 -##	Domain allowed access.
--##	</summary>
--## </param>
++##	The prefix of the user role (e.g., user
++##	is the prefix for user_r).
+ ##	</summary>
+ ## </param>
 -#
 -interface(`dbus_connect_session_bus',`
 -	refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.')
@@ -19407,207 +19437,337 @@ index 62d22cb..4d3ed7b 100644
 -##	Acquire service on all DBUS
 -##	session busses.
 -## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_connect_all_session_bus',`
--	gen_require(`
++interface(`dbus_session_client',`
+ 	gen_require(`
 -		attribute session_bus_type;
 -		class dbus acquire_svc;
--	')
--
++		class dbus send_msg;
++		type $1_dbusd_t;
+ 	')
+ 
 -	allow $1 session_bus_type:dbus acquire_svc;
--')
--
--#######################################
--## <summary>
++	allow $2 $1_dbusd_t:fd use;
++	allow $2 { $1_dbusd_t self }:dbus send_msg;
++	allow $2 $1_dbusd_t:unix_stream_socket connectto;
+ ')
+ 
+ #######################################
+ ## <summary>
 -##	Acquire service on specified
 -##	DBUS session bus.
-+##	Creating connections to specified
-+##	DBUS sessions.
++##	Template for creating connections to
++##	a user DBUS.
  ## </summary>
- ## <param name="role_prefix">
+-## <param name="role_prefix">
+-##	<summary>
+-##	The prefix of the user role (e.g., user
+-##	is the prefix for user_r).
+-##	</summary>
+-## </param>
+ ## <param name="domain">
  ##	<summary>
-@@ -175,19 +165,21 @@ interface(`dbus_connect_all_session_bus',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`dbus_connect_spec_session_bus',`
-+interface(`dbus_session_client',`
++interface(`dbus_session_bus_client',`
  	gen_require(`
-+		class dbus send_msg;
- 		type $1_dbusd_t;
+-		type $1_dbusd_t;
 -		class dbus acquire_svc;
++		attribute session_bus_type;
++		class dbus send_msg;
  	')
  
 -	allow $2 $1_dbusd_t:dbus acquire_svc;
-+	allow $2 $1_dbusd_t:fd use;
-+	allow $2 { $1_dbusd_t self }:dbus send_msg;
-+	allow $2 $1_dbusd_t:unix_stream_socket connectto;
++	# SE-DBus specific permissions
++	allow $1 { session_bus_type self }:dbus send_msg;
++
++	# For connecting to the bus
++	allow $1 session_bus_type:unix_stream_socket connectto;
++
++	allow session_bus_type $1:process sigkill;
  ')
  
- #######################################
+-#######################################
++########################################
  ## <summary>
 -##	Creating connections to DBUS
 -##	session bus.
-+##	Template for creating connections to
-+##	a user DBUS.
++##	Send a message the session DBUS.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -196,72 +188,23 @@ interface(`dbus_connect_spec_session_bus',`
+@@ -195,15 +212,18 @@ interface(`dbus_connect_spec_session_bus',`
+ ##	</summary>
  ## </param>
  #
- interface(`dbus_session_bus_client',`
+-interface(`dbus_session_bus_client',`
 -	refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.')
 -	dbus_all_session_bus_client($1)
--')
--
++interface(`dbus_send_session_bus',`
++	gen_require(`
++		attribute session_bus_type;
++		class dbus send_msg;
++	')
++
++	allow $1 session_bus_type:dbus send_msg;
+ ')
+ 
 -#######################################
--## <summary>
++########################################
+ ## <summary>
 -##	Creating connections to all
 -##	DBUS session busses.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Read dbus configuration.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -211,57 +231,39 @@ interface(`dbus_session_bus_client',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_all_session_bus_client',`
++interface(`dbus_read_config',`
  	gen_require(`
 -		attribute session_bus_type, dbusd_session_bus_client;
-+		attribute session_bus_type;
- 		class dbus send_msg;
+-		class dbus send_msg;
++		type dbusd_etc_t;
  	')
  
 -	typeattribute $1 dbusd_session_bus_client;
 -
-+	# SE-DBus specific permissions
- 	allow $1 { session_bus_type self }:dbus send_msg;
+-	allow $1 { session_bus_type self }:dbus send_msg;
 -	allow session_bus_type $1:dbus send_msg;
 -	
 -	allow $1 session_bus_type:unix_stream_socket connectto;
 -	allow $1 session_bus_type:fd use;
--')
++	allow $1 dbusd_etc_t:dir list_dir_perms;
++	allow $1 dbusd_etc_t:file read_file_perms;
+ ')
  
 -#######################################
--## <summary>
++########################################
+ ## <summary>
 -##	Creating connections to specified
 -##	DBUS session bus.
--## </summary>
++##	Read system dbus lib files.
+ ## </summary>
 -## <param name="role_prefix">
 -##	<summary>
 -##	The prefix of the user role (e.g., user
 -##	is the prefix for user_r).
 -##	</summary>
 -## </param>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_spec_session_bus_client',`
--	gen_require(`
++interface(`dbus_read_lib_files',`
+ 	gen_require(`
 -		attribute dbusd_session_bus_client;
 -		type $1_dbusd_t;
 -		class dbus send_msg;
--	')
--
++		type system_dbusd_var_lib_t;
+ 	')
+ 
 -	typeattribute $2 dbusd_session_bus_client;
 -
 -	allow $2 { $1_dbusd_t self }:dbus send_msg;
 -	allow $1_dbusd_t $2:dbus send_msg;
-+	# For connecting to the bus
-+	allow $1 session_bus_type:unix_stream_socket connectto;
- 
+-
 -	allow $2 $1_dbusd_t:unix_stream_socket connectto;
 -	allow $2 $1_dbusd_t:fd use;
-+	allow session_bus_type $1:process sigkill;
++	files_search_var_lib($1)
++	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
++	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  ')
  
 -#######################################
 +########################################
  ## <summary>
 -##	Send messages to DBUS session bus.
-+##	Send a message the session DBUS.
++##	Create, read, write, and delete
++##	system dbus lib files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -270,59 +213,17 @@ interface(`dbus_spec_session_bus_client',`
+@@ -269,15 +271,19 @@ interface(`dbus_spec_session_bus_client',`
+ ##	</summary>
  ## </param>
  #
- interface(`dbus_send_session_bus',`
+-interface(`dbus_send_session_bus',`
 -	refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.')
 -	dbus_send_all_session_bus($1)
--')
--
++interface(`dbus_manage_lib_files',`
++	gen_require(`
++		type system_dbusd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ ')
+ 
 -#######################################
--## <summary>
++########################################
+ ## <summary>
 -##	Send messages to all DBUS
 -##	session busses.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Connect to the system DBUS
++##	for service (acquire_svc).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -285,44 +291,52 @@ interface(`dbus_send_session_bus',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_send_all_session_bus',`
++interface(`dbus_connect_session_bus',`
  	gen_require(`
  		attribute session_bus_type;
- 		class dbus send_msg;
+-		class dbus send_msg;
++		class dbus acquire_svc;
  	')
  
 -	allow $1 dbus_session_bus_type:dbus send_msg;
--')
--
++	allow $1 session_bus_type:dbus acquire_svc;
+ ')
+ 
 -#######################################
--## <summary>
++########################################
+ ## <summary>
 -##	Send messages to specified
 -##	DBUS session busses.
--## </summary>
++##	Allow a application domain to be started
++##	by the session dbus.
+ ## </summary>
 -## <param name="role_prefix">
--##	<summary>
++## <param name="domain_prefix">
+ ##	<summary>
 -##	The prefix of the user role (e.g., user
 -##	is the prefix for user_r).
--##	</summary>
--## </param>
--## <param name="domain">
--##	<summary>
++##	User domain prefix to be used.
+ ##	</summary>
+ ## </param>
+ ## <param name="domain">
+ ##	<summary>
 -##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Type to be used as a domain.
++##	</summary>
++## </param>
++## <param name="entry_point">
++##	<summary>
++##	Type of the program to be used as an
++##	entry point to this domain.
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_send_spec_session_bus',`
--	gen_require(`
--		type $1_dbusd_t;
++interface(`dbus_session_domain',`
+ 	gen_require(`
+ 		type $1_dbusd_t;
 -		class dbus send_msg;
--	')
--
+ 	')
+ 
 -	allow $2 $1_dbusd_t:dbus send_msg;
-+	allow $1 session_bus_type:dbus send_msg;
++	domtrans_pattern($1_dbusd_t, $2, $3)
++
++	dbus_session_bus_client($3)
++	dbus_connect_session_bus($3)
  ')
  
  ########################################
  ## <summary>
 -##	Read dbus configuration content.
-+##	Read dbus configuration.
++##	Connect to the system DBUS
++##	for service (acquire_svc).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -330,18 +344,18 @@ interface(`dbus_send_spec_session_bus',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_read_config',`
++interface(`dbus_connect_system_bus',`
+ 	gen_require(`
+-		type dbusd_etc_t;
++		type system_dbusd_t;
++		class dbus acquire_svc;
+ 	')
+ 
+-	allow $1 dbusd_etc_t:dir list_dir_perms;
+-	allow $1 dbusd_etc_t:file read_file_perms;
++	allow $1 system_dbusd_t:dbus acquire_svc;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read system dbus lib files.
++##	Send a message on the system DBUS.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -349,20 +363,18 @@ interface(`dbus_read_config',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_read_lib_files',`
++interface(`dbus_send_system_bus',`
+ 	gen_require(`
+-		type system_dbusd_var_lib_t;
++		type system_dbusd_t;
++		class dbus send_msg;
+ 	')
+ 
+-	files_search_var_lib($1)
+-	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+-	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
++	allow $1 system_dbusd_t:dbus send_msg;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	system dbus lib files.
++##	Allow unconfined access to the system DBUS.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -381,69 +282,32 @@ interface(`dbus_manage_lib_files',`
+@@ -370,26 +382,20 @@ interface(`dbus_read_lib_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_manage_lib_files',`
++interface(`dbus_system_bus_unconfined',`
+ 	gen_require(`
+-		type system_dbusd_var_lib_t;
++		type system_dbusd_t;
++		class dbus all_dbus_perms;
+ 	')
+ 
+-	files_search_var_lib($1)
+-	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
++	allow $1 system_dbusd_t:dbus *;
+ ')
  
  ########################################
  ## <summary>
 -##	Allow a application domain to be
 -##	started by the specified session bus.
-+##	Connect to the system DBUS
-+##	for service (acquire_svc).
++##	Create a domain for processes
++##	which can be started by the system dbus
  ## </summary>
 -## <param name="role_prefix">
 -##	<summary>
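Review bot: The parameter documentation of `dbus_session_domain` does not match its body: the `<param>` blocks list `domain` second and `entry_point` third, but `domtrans_pattern($1_dbusd_t, $2, $3)` uses `$2` as the entry-point file type and `$3` as the resulting domain, and `dbus_session_bus_client($3)` / `dbus_connect_session_bus($3)` confirm that `$3` is the domain. Either swap the two `<param>` blocks so `entry_point` is documented before `domain`, or change the body to `domtrans_pattern($1_dbusd_t, $3, $2)`, `dbus_session_bus_client($2)`, `dbus_connect_session_bus($2)`; swapping the documentation is the safer choice if existing callers already pass (prefix, entry, domain). The summary `Allow a application domain to be started` should read `Allow an application domain to be started`. The `dbus_system_domain` documentation block at the end of this hunk continues in the next one.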
@@ -19617,28 +19777,45 @@ index 62d22cb..4d3ed7b 100644
 -## </param>
  ## <param name="domain">
  ##	<summary>
--##	Type to be used as a domain.
--##	</summary>
--## </param>
--## <param name="entry_point">
--##	<summary>
+ ##	Type to be used as a domain.
+@@ -397,81 +403,66 @@ interface(`dbus_manage_lib_files',`
+ ## </param>
+ ## <param name="entry_point">
+ ##	<summary>
 -##	Type of the program to be used as an
 -##	entry point to this domain.
--##	</summary>
--## </param>
--#
++##	Type of the program to be used as an entry point to this domain.
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_session_domain',`
 -	refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.')
 -	dbus_all_session_domain($1, $2)
--')
--
--########################################
--## <summary>
++interface(`dbus_system_domain',`
++	gen_require(`
++		attribute system_bus_type;
++		type system_dbusd_t;
++		role system_r;
++	')
++	typeattribute $1  system_bus_type;
++
++	domain_type($1)
++	domain_entry_file($1, $2)
++
++	domtrans_pattern(system_dbusd_t, $2, $1)
++
++	ps_process_pattern($1, system_dbusd_t)
++
+ ')
+ 
+ ########################################
+ ## <summary>
 -##	Allow a application domain to be
 -##	started by the specified session bus.
--## </summary>
--## <param name="domain">
--##	<summary>
++##	Use and inherit system DBUS file descriptors.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 -##	Type to be used as a domain.
 -##	</summary>
 -## </param>
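Review bot: `dbus_system_domain` still lists `role system_r;` in its `gen_require`, but nothing in the body uses it now that the `role system_r types $1;` statement is gone; presumably the role association is carried by the `system_bus_type` attribute elsewhere, in which case the require should be dropped, otherwise the association has been lost and needs to come back. Two cosmetic nits in the same body: `typeattribute $1  system_bus_type;` has a double space, and there is a stray blank line before the closing `')`. The `<param>` block that ends this hunk belongs to an interface whose body starts in the next hunk.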
@@ -19651,254 +19828,254 @@ index 62d22cb..4d3ed7b 100644
  ## </param>
  #
 -interface(`dbus_all_session_domain',`
-+interface(`dbus_connect_session_bus',`
++interface(`dbus_use_system_bus_fds',`
  	gen_require(`
 -		type session_bus_type;
-+		attribute session_bus_type;
-+		class dbus acquire_svc;
++		type system_dbusd_t;
  	')
  
 -	domtrans_pattern(session_bus_type, $2, $1)
 -
 -	dbus_all_session_bus_client($1)
 -	dbus_connect_all_session_bus($1)
-+	allow $1 session_bus_type:dbus acquire_svc;
++	allow $1 system_dbusd_t:fd use;
  ')
  
  ########################################
  ## <summary>
 -##	Allow a application domain to be
 -##	started by the specified session bus.
-+##	Allow a application domain to be started
-+##	by the session dbus.
++##	Allow unconfined access to the system DBUS.
  ## </summary>
 -## <param name="role_prefix">
-+## <param name="domain_prefix">
- ##	<summary>
+-##	<summary>
 -##	The prefix of the user role (e.g., user
 -##	is the prefix for user_r).
-+##	User domain prefix to be used.
- ##	</summary>
- ## </param>
+-##	</summary>
+-## </param>
  ## <param name="domain">
-@@ -458,20 +322,21 @@ interface(`dbus_all_session_domain',`
+ ##	<summary>
+-##	Type to be used as a domain.
+-##	</summary>
+-## </param>
+-## <param name="entry_point">
+-##	<summary>
+-##	Type of the program to be used as an
+-##	entry point to this domain.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`dbus_spec_session_domain',`
-+interface(`dbus_session_domain',`
++interface(`dbus_unconfined',`
  	gen_require(`
- 		type $1_dbusd_t;
+-		type $1_dbusd_t;
++		attribute dbusd_unconfined;
  	')
  
- 	domtrans_pattern($1_dbusd_t, $2, $3)
- 
+-	domtrans_pattern($1_dbusd_t, $2, $3)
+-
 -	dbus_spec_session_bus_client($1, $2)
 -	dbus_connect_spec_session_bus($1, $2)
-+	dbus_session_bus_client($3)
-+	dbus_connect_session_bus($3)
++	typeattribute $1 dbusd_unconfined;
  ')
  
  ########################################
  ## <summary>
 -##	Acquire service on the DBUS system bus.
-+##	Connect to the system DBUS
-+##	for service (acquire_svc).
++##	Delete all dbus pid files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -490,7 +355,7 @@ interface(`dbus_connect_system_bus',`
+@@ -479,18 +470,18 @@ interface(`dbus_spec_session_domain',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_connect_system_bus',`
++interface(`dbus_delete_pid_files',`
+ 	gen_require(`
+-		type system_dbusd_t;
+-		class dbus acquire_svc;
++		type system_dbusd_var_run_t;
+ 	')
+ 
+-	allow $1 system_dbusd_t:dbus acquire_svc;
++	files_search_pids($1)
++	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ ')
  
  ########################################
  ## <summary>
 -##	Send messages to the DBUS system bus.
-+##	Send a message on the system DBUS.
++##	Read all dbus pid files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -509,7 +374,7 @@ interface(`dbus_send_system_bus',`
+@@ -498,98 +489,80 @@ interface(`dbus_connect_system_bus',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_send_system_bus',`
++interface(`dbus_read_pid_files',`
+ 	gen_require(`
+-		type system_dbusd_t;
+-		class dbus send_msg;
++		type system_dbusd_var_run_t;
+ 	')
+ 
+-	allow $1 system_dbusd_t:dbus send_msg;
++	files_search_pids($1)
++	read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ ')
  
  ########################################
  ## <summary>
 -##	Unconfined access to DBUS system bus.
-+##	Allow unconfined access to the system DBUS.
++##	Do not audit attempts to connect to
++##	session bus types with a unix
++##	stream socket.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -528,8 +393,8 @@ interface(`dbus_system_bus_unconfined',`
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_system_bus_unconfined',`
++interface(`dbus_dontaudit_stream_connect_session_bus',`
+ 	gen_require(`
+-		type system_dbusd_t;
+-		class dbus all_dbus_perms;
++		attribute session_bus_type;
+ 	')
+ 
+-	allow $1 system_dbusd_t:dbus *;
++	dontaudit $1 session_bus_type:unix_stream_socket connectto;
+ ')
  
  ########################################
  ## <summary>
 -##	Create a domain for processes which
 -##	can be started by the DBUS system bus.
-+##	Create a domain for processes
-+##	which can be started by the system dbus
++##	Allow attempts to connect to
++##	session bus types with a unix
++##	stream socket.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -544,33 +409,24 @@ interface(`dbus_system_bus_unconfined',`
+-##	Type to be used as a domain.
+-##	</summary>
+-## </param>
+-## <param name="entry_point">
+-##	<summary>
+-##	Type of the program to be used as an entry point to this domain.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
  #
- interface(`dbus_system_domain',`
+-interface(`dbus_system_domain',`
++interface(`dbus_stream_connect_session_bus',`
  	gen_require(`
-+		attribute system_bus_type;
- 		type system_dbusd_t;
- 		role system_r;
+-		type system_dbusd_t;
+-		role system_r;
++		attribute session_bus_type;
  	')
-+	typeattribute $1  system_bus_type;
- 
- 	domain_type($1)
- 	domain_entry_file($1, $2)
  
+-	domain_type($1)
+-	domain_entry_file($1, $2)
+-
 -	role system_r types $1;
 -
- 	domtrans_pattern(system_dbusd_t, $2, $1)
- 
+-	domtrans_pattern(system_dbusd_t, $2, $1)
+-
 -	dbus_system_bus_client($1)
 -	dbus_connect_system_bus($1)
 -
 -	ps_process_pattern(system_dbusd_t, $1)
 -
 -	userdom_read_all_users_state($1)
-+	ps_process_pattern($1, system_dbusd_t)
- 
+-
 -	ifdef(`hide_broken_symptoms', `
 -		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
 -	')
++	allow $1 session_bus_type:unix_stream_socket connectto;
  ')
  
  ########################################
  ## <summary>
 -##	Use and inherit DBUS system bus
 -##	file descriptors.
-+##	Use and inherit system DBUS file descriptors.
++##	Do not audit attempts to send dbus
++##	messages to session bus types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -588,26 +444,25 @@ interface(`dbus_use_system_bus_fds',`
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_use_system_bus_fds',`
++interface(`dbus_chat_session_bus',`
+ 	gen_require(`
+-		type system_dbusd_t;
++		attribute session_bus_type;
++		class dbus send_msg;
+ 	')
+ 
+-	allow $1 system_dbusd_t:fd use;
++	allow $1 session_bus_type:dbus send_msg;
++	allow session_bus_type $1:dbus send_msg;
+ ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to read and
 -##	write DBUS system bus TCP sockets.
-+##	Allow unconfined access to the system DBUS.
++##	Do not audit attempts to send dbus
++##	messages to session bus types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -597,28 +570,32 @@ interface(`dbus_use_system_bus_fds',`
  ##	</summary>
  ## </param>
  #
 -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
-+interface(`dbus_unconfined',`
++interface(`dbus_dontaudit_chat_session_bus',`
  	gen_require(`
 -		type system_dbusd_t;
-+		attribute dbusd_unconfined;
++		attribute session_bus_type;
++		class dbus send_msg;
  	')
  
 -	dontaudit $1 system_dbusd_t:tcp_socket { read write };
-+	typeattribute $1 dbusd_unconfined;
++	dontaudit $1 session_bus_type:dbus send_msg;
  ')
  
  ########################################
  ## <summary>
 -##	Unconfined access to DBUS.
-+##	Delete all dbus pid files
++##	Do not audit attempts to send dbus
++##	messages to system bus types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -615,10 +470,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`dbus_unconfined',`
-+interface(`dbus_delete_pid_files',`
++interface(`dbus_dontaudit_chat_system_bus',`
  	gen_require(`
 -		attribute dbusd_unconfined;
-+		type system_dbusd_var_run_t;
++		attribute system_bus_type;
++		class dbus send_msg;
  	')
  
 -	typeattribute $1 dbusd_unconfined;
-+	files_search_pids($1)
-+	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read all dbus pid files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_read_pid_files',`
-+	gen_require(`
-+		type system_dbusd_var_run_t;
-+	')
-+
-+	files_search_pids($1)
-+	read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to connect to
-+##	session bus types with a unix
-+##	stream socket.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_dontaudit_stream_connect_session_bus',`
-+	gen_require(`
-+		attribute session_bus_type;
-+	')
-+
-+	dontaudit $1 session_bus_type:unix_stream_socket connectto;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to send dbus
-+##	messages to session bus types.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_dontaudit_chat_session_bus',`
-+	gen_require(`
-+		attribute session_bus_type;
-+		class dbus send_msg;
-+	')
-+
-+	dontaudit $1 session_bus_type:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to send dbus
-+##	messages to system bus types.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_dontaudit_chat_system_bus',`
-+	gen_require(`
-+		attribute system_bus_type;
-+		class dbus send_msg;
-+	')
-+
 +	dontaudit $1 system_bus_type:dbus send_msg;
 +	dontaudit system_bus_type $1:dbus send_msg;
  ')
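Review bot: The documentation of the two new allow interfaces was copied from their dontaudit counterparts and now contradicts the rules: `dbus_stream_connect_session_bus` describes its parameter as `Domain to not audit.` although it grants `allow $1 session_bus_type:unix_stream_socket connectto;`, and `dbus_chat_session_bus` carries the summary `Do not audit attempts to send dbus messages to session bus types.` plus the same parameter text although it grants `send_msg` in both directions. Suggested wording: summary `Send and receive dbus messages to and from session bus types.` for `dbus_chat_session_bus`, and `Domain allowed access.` as the parameter description of both interfaces. Because `dbus_chat_session_bus` also allows `session_bus_type` to send to `$1`, callers get the reverse direction implicitly, which the summary should state so that reviewers of callers (the thumbnailer change in this commit, for instance) see the bidirectional grant.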
@@ -22896,7 +23073,7 @@ index 0000000..1c4ac02
 +/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..3061ae5
+index 0000000..cc6846a
 --- /dev/null
 +++ b/docker.if
 @@ -0,0 +1,323 @@
@@ -23147,7 +23324,7 @@ index 0000000..3061ae5
 +        type docker_devpts_t;
 +    ')
 +
-+    allow $1 docker_devpts_t:chr_file	rw_inherited_term_perms;
++    allow $1 docker_devpts_t:chr_file rw_term_perms;
 +')
 +
 +#######################################
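Review bot: Changing the `docker_devpts_t` rule from `rw_inherited_term_perms` to `rw_term_perms` widens the grant from read/write on an already-open pty to opening it as well (the `open` permission is the difference between the two sets), which is a broader grant toward container ptys rather than a cosmetic change. The interface header and summary are outside this hunk; if they still describe inherited-descriptor access they need updating, and a why-comment above the rule, e.g. `# callers open the container pty themselves, not only inherited fds`, would record the reason the wider set is needed. The enclosing interface starts before this hunk.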
@@ -23225,10 +23402,10 @@ index 0000000..3061ae5
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..236e417
+index 0000000..18e4ef8
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,218 @@
+@@ -0,0 +1,236 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -23260,6 +23437,9 @@ index 0000000..236e417
 +type docker_tmp_t;
 +files_tmp_file(docker_tmp_t)
 +
++type docker_tmpfs_t;
++files_tmpfs_file(docker_tmpfs_t)
++
 +type docker_var_run_t;
 +files_pid_file(docker_var_run_t)
 +
@@ -23298,6 +23478,13 @@ index 0000000..236e417
 +manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
 +files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
 +
++manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
++
 +manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
 +manage_files_pattern(docker_t, docker_share_t, docker_share_t)
 +manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
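Review bot: The new `docker_tmpfs_t` block grants `manage_lnk_files_pattern`, `manage_fifo_files_pattern` and `manage_chr_files_pattern` on the type, but `fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })` only transitions directories and regular files, so symlinks, fifos and device nodes that docker_t creates on a tmpfs keep the default tmpfs label and those three patterns apply to nothing docker creates itself, unless the files are labeled some other way (a `context=` mount, say). Either extend the transition to `fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file lnk_file fifo_file chr_file })` or drop the unused patterns; since `chr_file` creation on a tmpfs means device nodes, the narrower option is preferable unless a concrete docker operation is known to need it.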
@@ -23323,6 +23510,7 @@ index 0000000..236e417
 +kernel_read_system_state(docker_t)
 +kernel_read_network_state(docker_t)
 +kernel_read_all_sysctls(docker_t)
++kernel_rw_net_sysctls(docker_t)
 +
 +domain_use_interactive_fds(docker_t)
 +
@@ -23375,12 +23563,13 @@ index 0000000..236e417
 +# lxc rules
 +#
 +
-+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
++allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
++
 +allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
 +
 +allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
 +allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
-+allow docker_t self:unix_dgram_socket create_socket_perms;
++allow docker_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +allow docker_t docker_var_lib_t:dir mounton;
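Review bot: The `self:capability` set on `docker_t` grows from five to eight capabilities (`setgid`, `setuid`, `sys_chroot` added) on one line with no comment on which docker operation needs each; together with the existing `sys_admin` and `sys_ptrace` this substantially weakens the confinement of the domain, so a why-comment is worth the line, e.g. `# setuid/setgid/sys_chroot: container setup (drop privileges, chroot into the rootfs) — TODO confirm`. The context line `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;` carries a stray second semicolon; it is outside the changed lines but easy to fix while touching this block. The `sendto` addition on `unix_dgram_socket` needs no further change.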
@@ -23390,6 +23579,7 @@ index 0000000..236e417
 +kernel_setsched(docker_t)
 +kernel_get_sysvipc_info(docker_t)
 +kernel_request_load_module(docker_t)
++kernel_mounton_messages(docker_t)
 +
 +dev_getattr_all_blk_files(docker_t)
 +dev_getattr_sysfs_fs(docker_t)
@@ -23427,6 +23617,11 @@ index 0000000..236e417
 +modutils_domtrans_insmod(docker_t)
 +
 +optional_policy(`
++	dbus_system_bus_client(docker_t)
++	init_dbus_chat(docker_t)
++')
++
++optional_policy(`
 +	udev_read_db(docker_t)
 +')
 +
@@ -24293,7 +24488,7 @@ index 9a21639..26c5986 100644
  ')
 +
 diff --git a/drbd.te b/drbd.te
-index f2516cc..8975946 100644
+index f2516cc..2b307a8 100644
 --- a/drbd.te
 +++ b/drbd.te
 @@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config;
@@ -24305,7 +24500,13 @@ index f2516cc..8975946 100644
  
  manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
  manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-@@ -46,10 +46,6 @@ dev_read_rand(drbd_t)
+@@ -42,14 +42,12 @@ can_exec(drbd_t, drbd_exec_t)
+ 
+ kernel_read_system_state(drbd_t)
+ 
++corecmd_exec_bin(drbd_t)
++
+ dev_read_rand(drbd_t)
  dev_read_sysfs(drbd_t)
  dev_read_urand(drbd_t)
  
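Review bot: `corecmd_exec_bin(drbd_t)` lets drbd_t execute every `bin_t` binary, which is much broader than the `drbdadm executes drbdmeta` case the commit describes. The file already has `can_exec(drbd_t, drbd_exec_t)` (visible as context above), so labeling `drbdmeta` as `drbd_exec_t` in drbd.fc would cover that case with the existing rule; if drbdmeta in turn runs generic helpers and the broad rule is genuinely needed, a comment such as `# drbdadm runs drbdmeta and helper scripts labeled bin_t` above the line would make the intent reviewable.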
@@ -25590,7 +25791,7 @@ index 21d7b84..0e272bd 100644
  
  /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
 diff --git a/firewalld.if b/firewalld.if
-index c62c567..0fc685b 100644
+index c62c567..1893f7f 100644
 --- a/firewalld.if
 +++ b/firewalld.if
 @@ -2,7 +2,7 @@
@@ -25693,7 +25894,12 @@ index c62c567..0fc685b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -83,10 +124,14 @@ interface(`firewalld_admin',`
+@@ -79,14 +120,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
+ interface(`firewalld_admin',`
+ 	gen_require(`
+ 		type firewalld_t, firewalld_initrc_exec_t;
+-		type firewall_etc_rw_t, firewalld_var_run_t;
++		type firewalld_etc_rw_t, firewalld_var_run_t;
  		type firewalld_var_log_t;
  	')
  
@@ -25715,7 +25921,8 @@ index c62c567..0fc685b 100644
  	admin_pattern($1, firewalld_var_log_t)
  
 -	files_search_etc($1)
- 	admin_pattern($1, firewall_etc_rw_t)
+-	admin_pattern($1, firewall_etc_rw_t)
++	admin_pattern($1, firewalld_etc_rw_t)
 +
 +	admin_pattern($1, firewalld_unit_file_t)
 +	firewalld_systemctl($1)
@@ -27118,10 +27325,10 @@ index 0000000..9e17d3e
 +')
 diff --git a/geoclue.te b/geoclue.te
 new file mode 100644
-index 0000000..9b199ec
+index 0000000..95c3a2b
 --- /dev/null
 +++ b/geoclue.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,47 @@
 +policy_module(geoclue, 1.0.0)
 +
 +########################################
@@ -27154,6 +27361,8 @@ index 0000000..9b199ec
 +manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
 +files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
 +
++auth_read_passwd(geoclue_t)
++
 +corenet_tcp_connect_http_port(geoclue_t)
 +
 +corecmd_exec_bin(geoclue_t)
@@ -37058,7 +37267,7 @@ index d5d1572..82267a7 100644
  /var/run/.*l2tpd(/.*)?	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
  /var/run/prol2tpd\.ctl	-s	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
 diff --git a/l2tp.if b/l2tp.if
-index 73e2803..2fc7570 100644
+index 73e2803..34ca3aa 100644
 --- a/l2tp.if
 +++ b/l2tp.if
 @@ -1,9 +1,45 @@
@@ -37262,7 +37471,7 @@ index 73e2803..2fc7570 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',`
+@@ -77,16 +224,20 @@ interface(`l2tpd_stream_connect',`
  ## </param>
  ## <rolecap/>
  #
@@ -37270,8 +37479,7 @@ index 73e2803..2fc7570 100644
 +interface(`l2tpd_admin',`
  	gen_require(`
  		type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
--		type l2tp_conf_t, l2tpd_tmp_t;
-+		type l2tp_etc_t, l2tpd_tmp_t;
+ 		type l2tp_conf_t, l2tpd_tmp_t;
  	')
  
 -	allow $1 l2tpd_t:process { ptrace signal_perms };
@@ -37287,13 +37495,6 @@ index 73e2803..2fc7570 100644
  	domain_system_change_exemption($1)
  	role_transition $2 l2tpd_initrc_exec_t system_r;
  	allow $2 system_r;
- 
- 	files_search_etc($1)
--	admin_pattern($1, l2tp_conf_t)
-+	admin_pattern($1, l2tp_etc_t)
- 
- 	files_search_pids($1)
- 	admin_pattern($1, l2tpd_var_run_t)
 diff --git a/l2tp.te b/l2tp.te
 index bb06a7f..5546de2 100644
 --- a/l2tp.te
@@ -38321,16 +38522,23 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..e4d6e6f 100644
+index be0ab84..1859690 100644
 --- a/logrotate.te
 +++ b/logrotate.te
-@@ -5,16 +5,14 @@ policy_module(logrotate, 1.15.0)
+@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
  # Declarations
  #
  
 -attribute_role logrotate_roles;
 -roleattribute system_r logrotate_roles;
--
++## <desc>
++## <p>
++## Allow logrotate to manage nfs files
++## </p>
++## </desc>
++gen_tunable(logrotate_use_nfs, false)
++
+ 
  type logrotate_t;
 -type logrotate_exec_t;
  domain_type(logrotate_t)
@@ -38344,7 +38552,7 @@ index be0ab84..e4d6e6f 100644
  
  type logrotate_lock_t;
  files_lock_file(logrotate_lock_t)
-@@ -25,21 +23,27 @@ files_tmp_file(logrotate_tmp_t)
+@@ -25,21 +31,27 @@ files_tmp_file(logrotate_tmp_t)
  type logrotate_var_lib_t;
  files_type(logrotate_var_lib_t)
  
@@ -38378,7 +38586,7 @@ index be0ab84..e4d6e6f 100644
  allow logrotate_t self:shm create_shm_perms;
  allow logrotate_t self:sem create_sem_perms;
  allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,36 +52,52 @@ allow logrotate_t self:msg { send receive };
+@@ -48,36 +60,52 @@ allow logrotate_t self:msg { send receive };
  allow logrotate_t logrotate_lock_t:file manage_file_perms;
  files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
  
@@ -38436,7 +38644,7 @@ index be0ab84..e4d6e6f 100644
  files_manage_generic_spool(logrotate_t)
  files_manage_generic_spool_dirs(logrotate_t)
  files_getattr_generic_locks(logrotate_t)
-@@ -103,24 +123,34 @@ init_all_labeled_script_domtrans(logrotate_t)
+@@ -103,24 +131,39 @@ init_all_labeled_script_domtrans(logrotate_t)
  logging_manage_all_logs(logrotate_t)
  logging_send_syslog_msg(logrotate_t)
  logging_send_audit_msgs(logrotate_t)
@@ -38462,7 +38670,11 @@ index be0ab84..e4d6e6f 100644
 +userdom_dontaudit_getattr_user_home_content(logrotate_t)
  
 -mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
--
++tunable_policy(`logrotate_use_nfs',`
++		fs_read_nfs_files(logrotate_t)
++		fs_read_nfs_symlinks(logrotate_t)
++')
+ 
 -ifdef(`distro_debian',`
 +ifdef(`distro_debian', `
  	allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
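Review bot: The `logrotate_use_nfs` block grants only `fs_read_nfs_files(logrotate_t)` and `fs_read_nfs_symlinks(logrotate_t)`, while the tunable's description in the earlier hunk of this file reads `## Allow logrotate to manage nfs files`, so the boolean promises more than it grants; if read access is all that is needed the description should say `## Allow logrotate to read nfs files`, otherwise the rules are short of the intent. An administrator enabling the boolean from its description is the audience here, so the two should agree. The two rules are also indented with two tabs where the neighbouring `ifdef(`distro_debian', `` body uses one.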
@@ -38478,7 +38690,7 @@ index be0ab84..e4d6e6f 100644
  ')
  
  optional_policy(`
-@@ -135,16 +165,17 @@ optional_policy(`
+@@ -135,16 +178,17 @@ optional_policy(`
  
  optional_policy(`
  	apache_read_config(logrotate_t)
@@ -38498,7 +38710,7 @@ index be0ab84..e4d6e6f 100644
  ')
  
  optional_policy(`
-@@ -170,6 +201,10 @@ optional_policy(`
+@@ -170,6 +214,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38509,7 +38721,7 @@ index be0ab84..e4d6e6f 100644
  	fail2ban_stream_connect(logrotate_t)
  ')
  
-@@ -178,7 +213,7 @@ optional_policy(`
+@@ -178,7 +226,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38518,7 +38730,7 @@ index be0ab84..e4d6e6f 100644
  ')
  
  optional_policy(`
-@@ -198,21 +233,26 @@ optional_policy(`
+@@ -198,21 +246,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38549,7 +38761,7 @@ index be0ab84..e4d6e6f 100644
  ')
  
  optional_policy(`
-@@ -228,10 +268,21 @@ optional_policy(`
+@@ -228,10 +281,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38571,7 +38783,7 @@ index be0ab84..e4d6e6f 100644
  	su_exec(logrotate_t)
  ')
  
-@@ -241,13 +292,11 @@ optional_policy(`
+@@ -241,13 +305,11 @@ optional_policy(`
  
  #######################################
  #
@@ -57379,6 +57591,234 @@ index 0000000..0493b99
 +optional_policy(`
 +    modutils_domtrans_insmod(oracleasm_t)
 +')
+diff --git a/osad.fc b/osad.fc
+new file mode 100644
+index 0000000..1e1eceb
+--- /dev/null
++++ b/osad.fc
+@@ -0,0 +1,7 @@
++/etc/rc\.d/init\.d/osad	--	gen_context(system_u:object_r:osad_initrc_exec_t,s0)
++
++/usr/sbin/osad		--	gen_context(system_u:object_r:osad_exec_t,s0)
++
++/var/log/osad		--	gen_context(system_u:object_r:osad_log_t,s0)
++
++/var/run/osad.*		--	gen_context(system_u:object_r:osad_var_run_t,s0)
+diff --git a/osad.if b/osad.if
+new file mode 100644
+index 0000000..05648bd
+--- /dev/null
++++ b/osad.if
+@@ -0,0 +1,165 @@
++
++## <summary>Client-side service written in Python that responds to pings and runs rhn_check when told to by osa-dispatcher. </summary>
++
++########################################
++## <summary>
++##	Execute osad in the osad domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`osad_domtrans',`
++	gen_require(`
++		type osad_t, osad_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, osad_exec_t, osad_t)
++')
++
++########################################
++## <summary>
++##	Execute osad server in the osad domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`osad_initrc_domtrans',`
++	gen_require(`
++		type osad_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, osad_initrc_exec_t)
++')
++########################################
++## <summary>
++##	Read osad's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`osad_read_log',`
++	gen_require(`
++		type osad_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, osad_log_t, osad_log_t)
++')
++
++########################################
++## <summary>
++##	Append to osad log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`osad_append_log',`
++	gen_require(`
++		type osad_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, osad_log_t, osad_log_t)
++')
++
++########################################
++## <summary>
++##	Manage osad log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`osad_manage_log',`
++	gen_require(`
++		type osad_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, osad_log_t, osad_log_t)
++	manage_files_pattern($1, osad_log_t, osad_log_t)
++	manage_lnk_files_pattern($1, osad_log_t, osad_log_t)
++')
++########################################
++## <summary>
++##	Read osad PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`osad_read_pid_files',`
++	gen_require(`
++		type osad_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, osad_var_run_t, osad_var_run_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an osad environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`osad_admin',`
++	gen_require(`
++		type osad_t;
++		type osad_initrc_exec_t;
++		type osad_log_t;
++		type osad_var_run_t;
++	')
++
++	allow $1 osad_t:process { signal_perms };
++	ps_process_pattern($1, osad_t)
++
++    	tunable_policy(`deny_ptrace',`',`
++        	allow $1 osad_t:process ptrace;
++    	')
++
++	osad_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 osad_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	logging_search_logs($1)
++	admin_pattern($1, osad_log_t)
++
++	files_search_pids($1)
++	admin_pattern($1, osad_var_run_t)
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/osad.te b/osad.te
+new file mode 100644
+index 0000000..ac767bc
+--- /dev/null
++++ b/osad.te
+@@ -0,0 +1,38 @@
++policy_module(osad, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type osad_t;
++type osad_exec_t;
++init_daemon_domain(osad_t, osad_exec_t)
++
++type osad_initrc_exec_t;
++init_script_file(osad_initrc_exec_t)
++
++type osad_log_t;
++logging_log_file(osad_log_t)
++
++type osad_var_run_t;
++files_pid_file(osad_var_run_t)
++
++########################################
++#
++# osad local policy
++#
++allow osad_t self:process setpgid;
++
++manage_files_pattern(osad_t, osad_log_t, osad_log_t)
++logging_log_filetrans(osad_t, osad_log_t, { file })
++
++manage_files_pattern(osad_t, osad_var_run_t, osad_var_run_t)
++files_pid_filetrans(osad_t, osad_var_run_t, { file})
++
++kernel_read_system_state(osad_t)
++
++auth_read_passwd(osad_t)
++
++dev_read_urand(osad_t)
++
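Review bot: The osad.fc entry `/var/run/osad.*		--	gen_context(system_u:object_r:osad_var_run_t,s0)` leaves the dot unescaped, so the expression also matches any regular file under /var/run whose name merely begins with `osad`; every other entry in this hunk escapes its dots (`/etc/rc\.d/init\.d/osad`), and if the daemon's pid file is osad.pid the entry should be `/var/run/osad\.pid` in the style of `/var/run/rhnsd\.pid` elsewhere in this patch. The osad.if summary says the daemon answers pings from osa-dispatcher and runs rhn_check, yet osad.te carries no corenet or corecmd rules, so presumably those are still to be collected from denials; a one-line comment in the local-policy section saying so would make that explicit. The interface header `##	Execute osad in the osad domin.` should read `domain`.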
 diff --git a/pacemaker.fc b/pacemaker.fc
 index 2f0ad56..d4da0b8 100644
 --- a/pacemaker.fc
@@ -58076,17 +58516,19 @@ index 8176e4a..2df1789 100644
  
 diff --git a/pcp.fc b/pcp.fc
 new file mode 100644
-index 0000000..59d23a4
+index 0000000..ceecf91
 --- /dev/null
 +++ b/pcp.fc
-@@ -0,0 +1,20 @@
+@@ -0,0 +1,22 @@
 +/etc/rc\.d/init\.d/pmcd		--	gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/pmlogger 	--      gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/pmproxy 	--	gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/pmwebd      --       gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/pmwie      --       gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/pmie      --       gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/pmmgr    --      gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0)
 +
++/usr/bin/pmie               --  gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
++
 +/usr/libexec/pcp/bin/pmcd	--	gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
 +/usr/libexec/pcp/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
 +/usr/libexec/pcp/bin/pmproxy    --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
@@ -58099,7 +58541,7 @@ index 0000000..59d23a4
 +/var/log/pcp(/.*)?		gen_context(system_u:object_r:pcp_log_t,s0)
 +
 +/var/run/pcp(/.*)?		gen_context(system_u:object_r:pcp_var_run_t,s0)
-+
++/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)
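Review bot: `/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)` restricts the match to regular files (`--`), so a socket file at that path is not labeled by this entry, and the path lies outside `/var/run/pcp(/.*)?` so no other entry in this hunk catches it. The file-type field should be `-s`, as l2tp.fc does with `/var/run/prol2tpd\.ctl	-s	gen_context(...)` earlier in this patch.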
 diff --git a/pcp.if b/pcp.if
 new file mode 100644
 index 0000000..9ca6d26
@@ -58188,10 +58630,10 @@ index 0000000..9ca6d26
 +')
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..51d765d
+index 0000000..6493b00
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,150 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -58229,6 +58671,9 @@ index 0000000..51d765d
 +#
 +
 +allow pcp_domain self:capability { setuid setgid dac_override };
++allow pcp_domain self:process signal_perms;
++allow pcp_domain self:tcp_socket create_stream_socket_perms;
++allow pcp_domain self:udp_socket create_socket_perms;
 +
 +manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t)
 +manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t)
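Review bot: `allow pcp_domain self:tcp_socket create_stream_socket_perms;` on the shared attribute gives every pcp domain the ability to create and listen on TCP sockets, while the per-domain `tcp_socket listen` rules removed later in this file covered only pmcd, pmproxy and pmwebd; as far as this patch shows, pmlogger, pmie and pmmgr gain listen without having needed it. If those daemons do not listen, keeping the listen-capable stream perms on the three network-facing domains and leaving `create_socket_perms` on the attribute preserves the narrower grant; if they do, a short comment above the rule saying so would settle it. The `pcp_domain` attribute declaration is outside this hunk.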
@@ -58242,7 +58687,7 @@ index 0000000..51d765d
 +manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
 +manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
 +manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
-+files_pid_filetrans(pcp_domain, pcp_var_run_t, { file })
++files_pid_filetrans(pcp_domain, pcp_var_run_t, { file sock_file })
 +
 +manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
 +manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
@@ -58254,6 +58699,8 @@ index 0000000..51d765d
 +
 +dev_read_urand(pcp_domain)
 +
++fs_getattr_all_fs(pcp_domain)
++
 +auth_read_passwd(pcp_domain)
 +
 +miscfiles_read_generic_certs(pcp_domain)
@@ -58265,16 +58712,15 @@ index 0000000..51d765d
 +# pcp_pmcd local  policy
 +#
 +
-+allow pcp_pmcd_t self:process { setsched signal };
++allow pcp_pmcd_t self:process { setsched };
 +allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
-+allow pcp_pmcd_t self:tcp_socket create_socket_perms;
-+allow pcp_pmcd_t self:tcp_socket listen;
-+allow pcp_pmcd_t self:udp_socket create_socket_perms;
 +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;
 +
-+kernel_read_system_state(pcp_pmcd_t)
 +kernel_read_network_state(pcp_pmcd_t)
++kernel_read_system_state(pcp_pmcd_t)
 +kernel_read_state(pcp_pmcd_t)
++kernel_read_fs_sysctls(pcp_pmcd_t)
++kernel_read_rpc_sysctls(pcp_pmcd_t)
 +
 +corecmd_exec_bin(pcp_pmcd_t)
 +
@@ -58282,6 +58728,17 @@ index 0000000..51d765d
 +
 +domain_read_all_domains_state(pcp_pmcd_t)
 +
++dev_getattr_all_blk_files(pcp_pmcd_t)
++dev_getattr_all_chr_files(pcp_pmcd_t)
++dev_read_sysfs(pcp_pmcd_t)
++dev_read_urand(pcp_pmcd_t)
++
++fs_getattr_all_fs(pcp_pmcd_t)
++fs_getattr_all_dirs(pcp_pmcd_t)
++fs_list_cgroup_dirs(pcp_pmcd_t)
++
++storage_getattr_fixed_disk_dev(pcp_pmcd_t)
++
 +auth_use_nsswitch(pcp_pmcd_t)
 +
 +optional_policy(`
@@ -58298,10 +58755,7 @@ index 0000000..51d765d
 +#
 +
 +allow pcp_pmproxy_t self:process setsched;
-+allow pcp_pmproxy_t self:tcp_socket listen;
 +allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms;
-+allow pcp_pmproxy_t self:tcp_socket create_socket_perms;
-+allow pcp_pmproxy_t self:udp_socket create_socket_perms;
 +
 +auth_use_nsswitch(pcp_pmproxy_t)
 +
@@ -58310,9 +58764,6 @@ index 0000000..51d765d
 +# pcp_pmwebd local  policy
 +#
 +
-+allow pcp_pmwebd_t self:tcp_socket listen;
-+allow pcp_pmwebd_t self:tcp_socket create_socket_perms;
-+
 +corenet_tcp_bind_generic_node(pcp_pmwebd_t)
 +
 +########################################
@@ -58320,10 +58771,16 @@ index 0000000..51d765d
 +# pcp_pmmgr local  policy
 +#
 +
-+allow pcp_pmmgr_t self:process { setpgid signal signull };
++allow pcp_pmmgr_t self:process { setpgid };
++
++allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
 +
 +kernel_read_system_state(pcp_pmmgr_t)
 +
++corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
++
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)
++
 +corecmd_exec_bin(pcp_pmmgr_t)
 +
 +auth_use_nsswitch(pcp_pmmgr_t)
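Review bot: `corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)` opens the whole ephemeral range to pmmgr, which is a broad grant for a manager that, per `allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;` two lines above, already reaches pmcd over a unix socket. If the TCP peer is a fixed pmcd listener the per-port connect interface for that port would be preferable; if the range is genuinely needed, a one-line comment above the rule naming the peer would document the decision. `corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)` relies on the dey_sapi port definition in corenetwork, which is outside this file.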
@@ -58393,10 +58850,10 @@ index 1fb1964..c5ec0c4 100644
 +	virt_rw_svirt_dev(pcscd_t)
 +')
 diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..fabf59e 100644
+index dfd46e4..d40433a 100644
 --- a/pegasus.fc
 +++ b/pegasus.fc
-@@ -1,15 +1,30 @@
+@@ -1,15 +1,32 @@
 -/etc/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_conf_t,s0)
 +
 +/etc/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_conf_t,s0)
@@ -58405,23 +58862,25 @@ index dfd46e4..fabf59e 100644
 -/etc/rc\.d/init\.d/tog-pegasus	--	gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
 +/usr/sbin/cimserver		--	gen_context(system_u:object_r:pegasus_exec_t,s0)
 +/usr/sbin/init_repository	-- 	gen_context(system_u:object_r:pegasus_exec_t,s0)
-+
-+/var/lib/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_data_t,s0)
  
 -/usr/sbin/cimserver	--	gen_context(system_u:object_r:pegasus_exec_t,s0)
 -/usr/sbin/init_repository	--	gen_context(system_u:object_r:pegasus_exec_t,s0)
-+/var/run/tog-pegasus(/.*)?		gen_context(system_u:object_r:pegasus_var_run_t,s0)
++/var/lib/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_data_t,s0)
  
 -/var/cache/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_cache_t,s0)
-+/usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
++/var/run/tog-pegasus(/.*)?		gen_context(system_u:object_r:pegasus_var_run_t,s0)
  
 -/var/lib/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_data_t,s0)
-+/var/lib/openlmi-storage(/.*)?       gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
++/usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
  
 -/var/run/tog-pegasus(/.*)?	gen_context(system_u:object_r:pegasus_var_run_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
++/var/lib/openlmi-storage(/.*)?       gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
  
 -/usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
++/var/run/openlmi-storage(/.*)?       gen_context(system_u:object_r:pegasus_openlmi_storage_var_run_t,s0)
++
++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
++
 +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
 +
 +/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
@@ -58536,7 +58995,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454..7ba84e6 100644
+index 608f454..192f5c5 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -58555,7 +59014,7 @@ index 608f454..7ba84e6 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,297 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,304 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
@@ -58578,6 +59037,9 @@ index 608f454..7ba84e6 100644
 +type pegasus_openlmi_storage_lib_t;
 +files_type(pegasus_openlmi_storage_lib_t)
 +
++type pegasus_openlmi_storage_var_run_t;
++files_pid_file(pegasus_openlmi_storage_var_run_t)
++
 +pegasus_openlmi_domain_template(system)
 +typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t;
 +pegasus_openlmi_domain_template(unconfined)
@@ -58771,6 +59233,10 @@ index 608f454..7ba84e6 100644
 +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
 +files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
 +
++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
++files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")
++
 +kernel_read_all_sysctls(pegasus_openlmi_storage_t)
 +kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
 +kernel_request_load_module(pegasus_openlmi_storage_t)
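Review bot: The context line directly above the new pid rules, `files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})`, passes the tmp type as the first argument where the interface expects the subject domain, so the tmp transition is declared for the wrong type; the new `files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")` has the argument order right. The tmp line should read `files_tmp_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, { file dir })`. The defect is pre-existing rather than introduced here, but this is the hunk that touches the block.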
@@ -58858,7 +59324,7 @@ index 608f454..7ba84e6 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +330,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +337,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -58889,7 +59355,7 @@ index 608f454..7ba84e6 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +356,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +363,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -58922,7 +59388,7 @@ index 608f454..7ba84e6 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,9 +384,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +391,11 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -58934,7 +59400,7 @@ index 608f454..7ba84e6 100644
  
  files_list_var_lib(pegasus_t)
  files_read_var_lib_files(pegasus_t)
-@@ -128,18 +400,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +407,29 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -58952,14 +59418,14 @@ index 608f454..7ba84e6 100644
 -	dbus_connect_system_bus(pegasus_t)
 +	dmidecode_domtrans(pegasus_t)
 +')
-+
-+optional_policy(`
-+    dbus_system_bus_client(pegasus_t)
-+    dbus_connect_system_bus(pegasus_t)
  
 -	optional_policy(`
 -		networkmanager_dbus_chat(pegasus_t)
 -	')
++optional_policy(`
++    dbus_system_bus_client(pegasus_t)
++    dbus_connect_system_bus(pegasus_t)
++
 +    optional_policy(`
 +	networkmanager_dbus_chat(pegasus_t)
 +    ')
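Review bot: The re-added `optional_policy(`` block indents `    dbus_system_bus_client(pegasus_t)` and the lines that follow with four spaces, while the rest of pegasus.te and the refpolicy interfaces use a single tab; the moved lines should be tab-indented. The same mixed-indentation appears in the new code of osad.if (`    	tunable_policy(`deny_ptrace',`',``), procmail.te (`    zarafa_stream_connect_server(procmail_t)`), rhnsd.if (`    systemd_read_fifo_file_passwd_run($1)`) and thumb.te (`    dbus_connect_session_bus(thumb_t)`) later in this patch.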
@@ -58970,7 +59436,7 @@ index 608f454..7ba84e6 100644
  ')
  
  optional_policy(`
-@@ -151,16 +434,24 @@ optional_policy(`
+@@ -151,16 +441,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58999,7 +59465,7 @@ index 608f454..7ba84e6 100644
  ')
  
  optional_policy(`
-@@ -168,7 +459,7 @@ optional_policy(`
+@@ -168,7 +466,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66053,7 +66519,7 @@ index 00edeab..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
  ')
 diff --git a/procmail.te b/procmail.te
-index cc426e6..3bbf1d7 100644
+index cc426e6..cb47806 100644
 --- a/procmail.te
 +++ b/procmail.te
 @@ -14,7 +14,7 @@ type procmail_home_t;
@@ -66082,7 +66548,7 @@ index cc426e6..3bbf1d7 100644
  allow procmail_t procmail_log_t:dir setattr_dir_perms;
  create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,83 +44,96 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,83 +44,97 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
  allow procmail_t procmail_tmp_t:file manage_file_perms;
  files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
  
@@ -66114,6 +66580,7 @@ index cc426e6..3bbf1d7 100644
 -corecmd_exec_bin(procmail_t)
 -corecmd_exec_shell(procmail_t)
  
++dev_read_rand(procmail_t)
  dev_read_urand(procmail_t)
  
 -fs_getattr_all_fs(procmail_t)
@@ -66136,10 +66603,10 @@ index cc426e6..3bbf1d7 100644
  
 -miscfiles_read_localization(procmail_t)
 +init_read_utmp(procmail_t)
-+
+ 
 +logging_send_syslog_msg(procmail_t)
 +logging_append_all_logs(procmail_t)
- 
++
 +list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
 +read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
  userdom_search_user_home_dirs(procmail_t)
@@ -66161,17 +66628,17 @@ index cc426e6..3bbf1d7 100644
 +userdom_manage_user_tmp_dirs(procmail_t)
 +userdom_manage_user_tmp_files(procmail_t)
 +userdom_manage_user_tmp_symlinks(procmail_t)
-+
-+# Execute user executables
-+userdom_exec_user_bin_files(procmail_t)
-+
-+mta_manage_spool(procmail_t)
-+mta_read_queue(procmail_t)
  
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(procmail_t)
 -	fs_manage_cifs_files(procmail_t)
 -	fs_manage_cifs_symlinks(procmail_t)
++# Execute user executables
++userdom_exec_user_bin_files(procmail_t)
++
++mta_manage_spool(procmail_t)
++mta_read_queue(procmail_t)
++
 +ifdef(`hide_broken_symptoms',`
 +	mta_dontaudit_rw_queue(procmail_t)
  ')
@@ -66215,7 +66682,7 @@ index cc426e6..3bbf1d7 100644
  	postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
  	postfix_dontaudit_use_fds(procmail_t)
  	postfix_read_spool_files(procmail_t)
-@@ -126,11 +143,17 @@ optional_policy(`
+@@ -126,11 +144,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66233,6 +66700,15 @@ index cc426e6..3bbf1d7 100644
  	sendmail_domtrans(procmail_t)
  	sendmail_signal(procmail_t)
  	sendmail_dontaudit_rw_tcp_sockets(procmail_t)
+@@ -145,3 +169,8 @@ optional_policy(`
+ 	spamassassin_domtrans_client(procmail_t)
+ 	spamassassin_read_lib_files(procmail_t)
+ ')
++
++optional_policy(`
++    zarafa_stream_connect_server(procmail_t)
++    zarafa_domtrans_deliver(procmail_t)
++')
 diff --git a/prosody.fc b/prosody.fc
 new file mode 100644
 index 0000000..96a0d9f
@@ -71438,7 +71914,7 @@ index 2c3d338..cf3e5ad 100644
  
  ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..d760e9e 100644
+index dc3b0ed..0d48e31 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -71481,7 +71957,7 @@ index dc3b0ed..d760e9e 100644
  can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
  
  domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-@@ -55,11 +64,14 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
+@@ -55,51 +64,67 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
  corecmd_exec_bin(rabbitmq_beam_t)
  corecmd_exec_shell(rabbitmq_beam_t)
  
@@ -71496,7 +71972,10 @@ index dc3b0ed..d760e9e 100644
  
  corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
  corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-@@ -69,37 +81,49 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
++corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
+ corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+ 
+ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
  corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
  
@@ -71559,7 +72038,16 @@ index dc3b0ed..d760e9e 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -117,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -107,6 +132,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+ 
+ allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
+ 
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++
+ corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
+ corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
+ corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
+@@ -117,8 +144,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
@@ -76173,21 +76661,23 @@ index 3f32e4b..f97ea42 100644
  
 diff --git a/rhnsd.fc b/rhnsd.fc
 new file mode 100644
-index 0000000..1936028
+index 0000000..88fe240
 --- /dev/null
 +++ b/rhnsd.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
 +/etc/rc\.d/init\.d/rhnsd	--	gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
 +
++/usr/lib/systemd/system/rhnsd.* --  gen_context(system_u:object_r:rhnsd_unit_file_t,s0)
++
 +/usr/sbin/rhnsd		--	gen_context(system_u:object_r:rhnsd_exec_t,s0)
 +
 +/var/run/rhnsd\.pid		--	gen_context(system_u:object_r:rhnsd_var_run_t,s0)
 diff --git a/rhnsd.if b/rhnsd.if
 new file mode 100644
-index 0000000..88087b7
+index 0000000..335573a
 --- /dev/null
 +++ b/rhnsd.if
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,98 @@
 +## <summary>policy for rhnsd</summary>
 +
 +########################################
@@ -76229,6 +76719,30 @@ index 0000000..88087b7
 +
 +########################################
 +## <summary>
++##	Execute rhnsd server in the rhnsd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`rhnsd_systemctl',`
++	gen_require(`
++		type rhnsd_t;
++		type rhnsd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 rhnsd_unit_file_t:file read_file_perms;
++	allow $1 rhnsd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, rhnsd_t)
++')
++
++########################################
++## <summary>
 +##	All of the rules required to administrate
 +##	an rhnsd environment
 +## </summary>
@@ -76264,10 +76778,10 @@ index 0000000..88087b7
 +')
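Review bot: The header on the new `rhnsd_systemctl` interface, `##	Execute rhnsd server in the rhnsd domain.` with the param summary `##	Domain allowed to transition.`, describes a domain transition, not what the body does (run systemctl, read the unit file, `manage_service_perms` on it and ps the daemon); the two lines should read `##	Manage the rhnsd service using systemctl.` and `##	Domain allowed access.`, matching how the other interfaces in this file word access grants. The unit-file label the body relies on is declared in rhnsd.te in a later hunk.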
 diff --git a/rhnsd.te b/rhnsd.te
 new file mode 100644
-index 0000000..0e965c3
+index 0000000..be2e57e
 --- /dev/null
 +++ b/rhnsd.te
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,43 @@
 +policy_module(rhnsd, 1.0.0)
 +
 +########################################
@@ -76285,6 +76799,9 @@ index 0000000..0e965c3
 +type rhnsd_initrc_exec_t;
 +init_script_file(rhnsd_initrc_exec_t)
 +
++type rhnsd_unit_file_t;
++systemd_unit_file(rhnsd_unit_file_t)
++
 +########################################
 +#
 +# rhnsd local policy
@@ -85739,7 +86256,7 @@ index 3a9a70b..903109c 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index ce67935..b3df839 100644
+index ce67935..88fea69 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1)
@@ -85806,7 +86323,14 @@ index ce67935..b3df839 100644
  manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
  manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
  manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
-@@ -61,14 +70,13 @@ corecmd_exec_bin(setroubleshootd_t)
+@@ -55,20 +64,20 @@ kernel_read_net_sysctls(setroubleshootd_t)
+ kernel_read_network_state(setroubleshootd_t)
+ kernel_dontaudit_list_all_proc(setroubleshootd_t)
+ kernel_read_irq_sysctls(setroubleshootd_t)
++kernel_read_rpc_sysctls(setroubleshootd_t)
+ kernel_read_unlabeled_state(setroubleshootd_t)
+ 
+ corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
  corecmd_read_all_executables(setroubleshootd_t)
  
@@ -85824,7 +86348,7 @@ index ce67935..b3df839 100644
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
-@@ -76,10 +84,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
+@@ -76,10 +85,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
  dev_getattr_all_chr_files(setroubleshootd_t)
  dev_getattr_mtrr_dev(setroubleshootd_t)
  
@@ -85836,7 +86360,7 @@ index ce67935..b3df839 100644
  files_list_all(setroubleshootd_t)
  files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
-@@ -109,27 +116,24 @@ init_read_utmp(setroubleshootd_t)
+@@ -109,27 +117,24 @@ init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
  libs_exec_ld_so(setroubleshootd_t)
@@ -85869,7 +86393,7 @@ index ce67935..b3df839 100644
  ')
  
  optional_policy(`
-@@ -137,10 +141,18 @@ optional_policy(`
+@@ -137,10 +142,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85888,7 +86412,7 @@ index ce67935..b3df839 100644
  	rpm_exec(setroubleshootd_t)
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
-@@ -150,26 +162,36 @@ optional_policy(`
+@@ -150,26 +163,36 @@ optional_policy(`
  
  ########################################
  #
@@ -85927,7 +86451,7 @@ index ce67935..b3df839 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -177,23 +199,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -177,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
@@ -93541,10 +94065,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..81e8be9
+index 0000000..bb3e477
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,156 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -93665,8 +94189,9 @@ index 0000000..81e8be9
 +
 +optional_policy(`
 +    dbus_exec_dbusd(thumb_t)
-+	dbus_dontaudit_stream_connect_session_bus(thumb_t)
-+	dbus_dontaudit_chat_session_bus(thumb_t)
++    dbus_connect_session_bus(thumb_t)
++	dbus_stream_connect_session_bus(thumb_t)
++	dbus_chat_session_bus(thumb_t)
 +')
 +
 +optional_policy(`
@@ -94608,7 +95133,7 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 393a330..fc018c1 100644
+index 393a330..b500795 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -94673,7 +95198,7 @@ index 393a330..fc018c1 100644
  
  corecmd_exec_bin(tuned_t)
  corecmd_exec_shell(tuned_t)
-@@ -64,31 +78,59 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +78,60 @@ corecmd_exec_shell(tuned_t)
  dev_getattr_all_blk_files(tuned_t)
  dev_getattr_all_chr_files(tuned_t)
  dev_read_urand(tuned_t)
@@ -94697,6 +95222,7 @@ index 393a330..fc018c1 100644
  logging_send_syslog_msg(tuned_t)
 +#bug in tuned
 +logging_manage_syslog_config(tuned_t)
++logging_filetrans_named_conf(tuned_t)
 +
 +mount_read_pid_files(tuned_t)
  
@@ -96383,7 +96909,7 @@ index a4f20bc..6351bcb 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..15562ad 100644
+index facdee8..fddb027 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -97398,7 +97924,7 @@ index facdee8..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,74 +658,263 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +658,265 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -97542,6 +98068,8 @@ index facdee8..15562ad 100644
 +
 +	manage_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +	manage_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +	manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +')
 +
@@ -97684,7 +98212,7 @@ index facdee8..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -935,19 +922,17 @@ interface(`virt_read_log',`
+@@ -935,19 +924,17 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
@@ -97708,7 +98236,7 @@ index facdee8..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +940,17 @@ interface(`virt_append_log',`
+@@ -955,20 +942,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
@@ -97733,7 +98261,7 @@ index facdee8..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +958,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +960,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
@@ -97756,7 +98284,7 @@ index facdee8..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +976,57 @@ interface(`virt_search_images',`
+@@ -995,36 +978,57 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
@@ -97833,7 +98361,7 @@ index facdee8..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +1034,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +1036,28 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -97869,7 +98397,7 @@ index facdee8..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,37 +1063,131 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1065,131 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -98015,7 +98543,7 @@ index facdee8..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1195,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1197,54 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -98089,7 +98617,7 @@ index facdee8..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1258,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1260,36 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -100358,10 +100886,10 @@ index 0000000..044be2f
 +')
 diff --git a/vmtools.te b/vmtools.te
 new file mode 100644
-index 0000000..1398ead
+index 0000000..5549375
 --- /dev/null
 +++ b/vmtools.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,46 @@
 +policy_module(vmtools, 1.0.0)
 +
 +########################################
@@ -100383,6 +100911,7 @@ index 0000000..1398ead
 +#
 +# vmtools local policy
 +#
++
 +allow vmtools_t self:capability { sys_time sys_rawio };
 +allow vmtools_t self:fifo_file rw_fifo_file_perms;
 +allow vmtools_t self:unix_stream_socket create_stream_socket_perms;
@@ -100396,6 +100925,7 @@ index 0000000..1398ead
 +kernel_read_system_state(vmtools_t)
 +kernel_read_network_state(vmtools_t)
 +
++corecmd_exec_bin(vmtools_t)
 +corecmd_exec_shell(vmtools_t)
 +
 +dev_read_urand(vmtools_t)
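Review bot: `corecmd_exec_bin(vmtools_t)` grants execution of every bin_t binary while the changelog says the need is just /usr/bin/lsb_release, and since vmtools_t already holds sys_rawio and sys_time above, the reason for a blanket exec grant should be recorded next to the rule. Add `# /usr/bin/lsb_release is bin_t; used for guest OS reporting` (the purpose is inferred — confirm against the vmtools invocation), so a later reader can tell whether a narrower label would suffice. The rest of the vmtools_t rules lie outside this hunk.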
diff --git a/selinux-policy.spec b/selinux-policy.spec
index be21a00..07ae53c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -578,6 +578,30 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Feb 5 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-21
+- Add kernel_mounton_messages() interface
+- init wants to manage lock files for iscsi
+- Add support for dey_sapi port
+- Fixes needed for docker
+- Allow epmd to manage /var/log/rabbitmq/startup_err file
+- Allow beam.smp connect to amqp port
+- drbdadm executes drbdmeta
+- Added osad policy
+- Allow postfix to deliver to procmail
+- Allow vmtools to execute /usr/bin/lsb_release
+- Allow geoclue to read /etc/passwd
+- Allow docker to write system net ctrls
+- Add support for rhnsd unit file
+- Add dbus_chat_session_bus() interface
+- Add dbus_stream_connect_session_bus() interface
+- Fix pcp.te
+- Fix logrotate_use_nfs boolean
+- Add lot of pcp fixes found in RHEL7
+- fix labeling for pmie for pcp pkg
+- Change thumb_t to be allowed to chat/connect with session bus type
+- Add logrotate_use_nfs boolean
+- Allow setroubleshootd to read rpc sysctl
+
 * Thu Jan 30 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-20
 - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
 - Allow geoclue to create temporary files/dirs in /tmp

