[selinux-policy/f20] - Addopt corenet rules for unbound-anchor to rpm_script_t - Allow runuser to send send audit message

Miroslav Grepl mgrepl at fedoraproject.org
Tue Feb 11 19:20:06 UTC 2014


commit 23f3cc6593bb13755710db9335ce7c6e3d427096
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Feb 11 20:20:32 2014 +0100

    - Addopt corenet rules for unbound-anchor to rpm_script_t
    - Allow runuser to send audit messages.
    - Allow postfix-local to search .forward in munin lib dirs
    - Allow udisks to connect to D-Bus
    - Allow spamd to connect to spamd port
    - Fix syntax error in snapper.te
    - Dontaudit osad to search gconf home files
    - Allow rhsmcertd to manage /etc/sysconf/rhn director
    - Fix pcp labeling to accept /usr/bin for all daemon binaries
    - Fix mcelog_read_log() interface
    - Allow iscsid to manage iscsi lib files
    - Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
    - Make tuned_t as unconfined domain for RHEL7.0
    - Allow ABRT to read puppet certs
    - Add sys_time capability for virt-ga
    - Allow gemu-ga to domtrans to hwclock_t
    - Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
    - Fix some AVCs in pcp policy
    - Add to bacula capability setgid and setuid and allow to bind to bacula ports
    - Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
    - Add access rhnsd and osad to /etc/sysconfig/rhn
    - drbdadm executes drbdmeta
    - Fixes needed for docker
    - Allow epmd to manage /var/log/rabbitmq/startup_err file
    - Allow beam.smp connect to amqp port
    - Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
    - Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
    - Allow systemd_tmpfiles_t to manage all non security files on the system
    - Added labels for bacula ports
    - Fix label on /dev/vfio/vfio
    - Add kernel_mounton_messages() interface
    - init wants to manage lock files for iscsi

 policy-f20-base.patch    |  204 ++++++++++---------
 policy-f20-contrib.patch |  500 ++++++++++++++++++++++++++++++++--------------
 selinux-policy.spec      |   36 ++++-
 3 files changed, 489 insertions(+), 251 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 683c834..688449e 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -5596,7 +5596,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..f7e6f88 100644
+index 4edc40d..f9f01e8 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5670,7 +5670,7 @@ index 4edc40d..f7e6f88 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -84,10 +107,10 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,54 +107,65 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
  network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5683,7 +5683,9 @@ index 4edc40d..f7e6f88 100644
  network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
  network_port(audit, tcp,60,s0)
  network_port(auth, tcp,113,s0)
-@@ -96,42 +119,52 @@ network_port(boinc, tcp,31416,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
++network_port(bacula, tcp,9103,s0, udp,9103,s0)
+ network_port(boinc, tcp,31416,s0)
  network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
  network_port(biff) # no defined portcon
  network_port(certmaster, tcp,51235,s0)
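Review bot: The new `network_port(bacula, tcp,9103,s0, udp,9103,s0)` labels only the storage daemon's port; by default Bacula's director and file daemon listen on tcp 9101 and 9102, and this same file's hplip entry already claims both of those as `hplip_port_t`, so a bacula domain granted bind on bacula_port_t will still be denied on 9101/9102 unless they are moved here, which needs a check that nothing depends on the hplip labeling first. The list is otherwise alphabetical, so `bacula` belongs before `bgp` rather than between `bgp` and `boinc`. Unless a UDP listener on 9103 is known, the `udp,9103,s0` half is an unnecessary grant and could be dropped: `network_port(bacula, tcp,9103,s0)`.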
@@ -5741,7 +5743,7 @@ index 4edc40d..f7e6f88 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +172,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5808,7 +5810,7 @@ index 4edc40d..f7e6f88 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +225,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5848,7 +5850,7 @@ index 4edc40d..f7e6f88 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -214,38 +263,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5901,7 +5903,7 @@ index 4edc40d..f7e6f88 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +313,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5912,7 +5914,7 @@ index 4edc40d..f7e6f88 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(ups, tcp,3493,s0)
-@@ -268,10 +325,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +326,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5925,7 +5927,7 @@ index 4edc40d..f7e6f88 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -285,19 +342,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -285,19 +343,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5952,7 +5954,7 @@ index 4edc40d..f7e6f88 100644
  
  ########################################
  #
-@@ -330,6 +391,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +392,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5961,7 +5963,7 @@ index 4edc40d..f7e6f88 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +405,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +406,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -6017,7 +6019,7 @@ index 3f6e168..51ad69a 100644
  ')
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..5d200ef 100644
+index b31c054..341e29c 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -15,15 +15,18 @@
@@ -6065,7 +6067,7 @@ index b31c054..5d200ef 100644
  ')
 +/dev/vchiq		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 +/dev/vc-mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-+/dev/vfio/(vfio)?[0-9]+	-c	gen_context(system_u:object_r:vfio_device_t,s0)
++/dev/vfio/(vfio)?[0-9]*	-c	gen_context(system_u:object_r:vfio_device_t,s0)
  /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
  /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
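Review bot: Loosening `[0-9]+` to `[0-9]*` does make `/dev/vfio/vfio` match, but the pattern now also accepts an empty suffix and mixed names such as `vfio0`, neither of which the vfio driver creates (it provides `/dev/vfio/vfio` for the container and one `/dev/vfio/<group>` node per IOMMU group). The `-c` qualifier keeps this from mislabelling anything today, but an alternation states the intent directly and cannot drift: `/dev/vfio/(vfio|[0-9]+)	-c	gen_context(system_u:object_r:vfio_device_t,s0)`.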
@@ -14453,7 +14455,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..646d467 100644
+index 649e458..3270372 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -14567,7 +14569,33 @@ index 649e458..646d467 100644
  ##	Do not audit attempts by caller to
  ##	read system state information in proc.
  ## </summary>
-@@ -1477,6 +1529,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1208,6 +1260,25 @@ interface(`kernel_read_messages',`
+ 
+ ########################################
+ ## <summary>
++##	Allow caller to read kernel messages
++##	using the /proc/kmsg interface.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_mounton_messages',`
++	gen_require(`
++		type proc_kmsg_t, proc_t;
++	')
++
++    allow $1 proc_kmsg_t:dir mounton;
++')
++
++########################################
++## <summary>
+ ##	Allow caller to get the attributes of kernel message
+ ##	interface (/proc/kmsg).
+ ## </summary>
+@@ -1477,6 +1548,24 @@ interface(`kernel_dontaudit_list_all_proc',`
  
  ########################################
  ## <summary>
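Review bot: The summary written for the new `kernel_mounton_messages()` interface says it lets the caller read kernel messages, but the body grants only `proc_kmsg_t:dir mounton`, so anyone choosing an interface by its summary will pick the wrong one; suggest replacing the two summary lines with `##	Allow caller to mount on the kernel message interface (/proc/kmsg).`. The `gen_require` also pulls in `proc_t`, which the body never uses, so `type proc_kmsg_t;` is sufficient. The `allow` line is indented with four spaces where the file uses a tab; the same four-space indent appears on the `ipsec_manage_pid(init_t)` line added to init.te and the `puppet_read_lib(abrt_t)` line added to abrt.te in the contrib patch. Since /proc/kmsg is a file node rather than a directory, if the motivating denial was a bind mount over it the class would have to be `file`, which is worth checking against the original AVC.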
@@ -14592,7 +14620,7 @@ index 649e458..646d467 100644
  ##	Do not audit attempts by caller to search
  ##	the base directory of sysctls.
  ## </summary>
-@@ -2085,7 +2155,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2174,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -14601,7 +14629,7 @@ index 649e458..646d467 100644
  ')
  
  ########################################
-@@ -2282,6 +2352,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2371,25 @@ interface(`kernel_list_unlabeled',`
  
  ########################################
  ## <summary>
@@ -14627,7 +14655,7 @@ index 649e458..646d467 100644
  ##	Read the process state (/proc/pid) of all unlabeled_t.
  ## </summary>
  ## <param name="domain">
-@@ -2306,7 +2395,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2414,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14636,7 +14664,7 @@ index 649e458..646d467 100644
  ##	</summary>
  ## </param>
  #
-@@ -2488,6 +2577,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2596,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
@@ -14661,7 +14689,7 @@ index 649e458..646d467 100644
  ##	Do not audit attempts by caller to get attributes for
  ##	unlabeled character devices.
  ## </summary>
-@@ -2525,6 +2632,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2651,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
  
  ########################################
  ## <summary>
@@ -14686,7 +14714,7 @@ index 649e458..646d467 100644
  ##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
-@@ -2632,7 +2757,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2776,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
  	allow $1 unlabeled_t:association { sendto recvfrom };
  
  	# temporary hack until labeling on packets is supported
@@ -14695,7 +14723,7 @@ index 649e458..646d467 100644
  ')
  
  ########################################
-@@ -2670,6 +2795,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2814,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
@@ -14720,7 +14748,7 @@ index 649e458..646d467 100644
  ##	Receive TCP packets from an unlabeled connection.
  ## </summary>
  ## <desc>
-@@ -2697,6 +2840,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2859,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
@@ -14746,7 +14774,7 @@ index 649e458..646d467 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2806,6 +2968,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +2987,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -14780,7 +14808,7 @@ index 649e458..646d467 100644
  
  ########################################
  ## <summary>
-@@ -2961,6 +3150,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3169,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -14805,7 +14833,7 @@ index 649e458..646d467 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2975,5 +3182,300 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3201,300 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -23347,7 +23375,7 @@ index 6bf0ecc..115c533 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..38c1435 100644
+index 2696452..40660b1 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -23996,7 +24024,7 @@ index 2696452..38c1435 100644
 +
 +#userdom_home_manager(xdm_t)
 +tunable_policy(`xdm_write_home',`
-+    userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
++    userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
 +',`
 +    userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
 +')
@@ -28419,7 +28447,7 @@ index 24e7804..45d0b37 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..3f4f878 100644
+index dd3be8d..b3ddfe3 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -28667,7 +28695,7 @@ index dd3be8d..3f4f878 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +286,208 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +286,210 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -28711,6 +28739,7 @@ index dd3be8d..3f4f878 100644
 +
 +optional_policy(`
 +	iscsi_read_lib_files(init_t)
++	iscsi_manage_lock(init_t)
 +')
 +
 +optional_policy(`
@@ -28844,6 +28873,7 @@ index dd3be8d..3f4f878 100644
 +
 +optional_policy(`
 +	ipsec_read_config(init_t)
++    ipsec_manage_pid(init_t)
 +')
 +
 +optional_policy(`
@@ -28884,7 +28914,7 @@ index dd3be8d..3f4f878 100644
  ')
  
  optional_policy(`
-@@ -216,7 +495,30 @@ optional_policy(`
+@@ -216,7 +497,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28915,7 +28945,7 @@ index dd3be8d..3f4f878 100644
  ')
  
  ########################################
-@@ -225,8 +527,9 @@ optional_policy(`
+@@ -225,8 +529,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28927,7 +28957,7 @@ index dd3be8d..3f4f878 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +560,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +562,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28944,7 +28974,7 @@ index dd3be8d..3f4f878 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +587,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -28987,7 +29017,7 @@ index dd3be8d..3f4f878 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +624,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -28999,7 +29029,7 @@ index dd3be8d..3f4f878 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +634,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +636,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -29010,7 +29040,7 @@ index dd3be8d..3f4f878 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +645,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +647,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -29020,7 +29050,7 @@ index dd3be8d..3f4f878 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +654,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +656,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -29028,7 +29058,7 @@ index dd3be8d..3f4f878 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +663,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -29036,7 +29066,7 @@ index dd3be8d..3f4f878 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +669,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +671,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -29054,7 +29084,7 @@ index dd3be8d..3f4f878 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +687,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +689,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -29068,7 +29098,7 @@ index dd3be8d..3f4f878 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +702,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +704,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -29082,7 +29112,7 @@ index dd3be8d..3f4f878 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +715,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +717,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -29090,7 +29120,7 @@ index dd3be8d..3f4f878 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +727,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +729,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -29098,7 +29128,7 @@ index dd3be8d..3f4f878 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +746,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +748,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -29122,7 +29152,7 @@ index dd3be8d..3f4f878 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +779,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +781,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -29130,7 +29160,7 @@ index dd3be8d..3f4f878 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +813,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +815,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -29141,7 +29171,7 @@ index dd3be8d..3f4f878 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +837,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +839,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -29150,7 +29180,7 @@ index dd3be8d..3f4f878 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +852,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +854,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -29158,7 +29188,7 @@ index dd3be8d..3f4f878 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +873,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +875,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -29166,7 +29196,7 @@ index dd3be8d..3f4f878 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +883,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +885,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -29211,7 +29241,7 @@ index dd3be8d..3f4f878 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +928,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +930,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -29243,7 +29273,7 @@ index dd3be8d..3f4f878 100644
  	')
  ')
  
-@@ -576,6 +963,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +965,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -29283,7 +29313,7 @@ index dd3be8d..3f4f878 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1008,8 @@ optional_policy(`
+@@ -588,6 +1010,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -29292,7 +29322,7 @@ index dd3be8d..3f4f878 100644
  ')
  
  optional_policy(`
-@@ -609,6 +1031,7 @@ optional_policy(`
+@@ -609,6 +1033,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -29300,7 +29330,7 @@ index dd3be8d..3f4f878 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1048,17 @@ optional_policy(`
+@@ -625,6 +1050,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29318,7 +29348,7 @@ index dd3be8d..3f4f878 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1075,13 @@ optional_policy(`
+@@ -641,9 +1077,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -29332,7 +29362,7 @@ index dd3be8d..3f4f878 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1094,11 @@ optional_policy(`
+@@ -656,15 +1096,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29350,7 +29380,7 @@ index dd3be8d..3f4f878 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1119,15 @@ optional_policy(`
+@@ -685,6 +1121,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29366,7 +29396,7 @@ index dd3be8d..3f4f878 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1168,7 @@ optional_policy(`
+@@ -725,6 +1170,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -29374,7 +29404,7 @@ index dd3be8d..3f4f878 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1186,13 @@ optional_policy(`
+@@ -742,7 +1188,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29389,7 +29419,7 @@ index dd3be8d..3f4f878 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1215,10 @@ optional_policy(`
+@@ -765,6 +1217,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29400,7 +29430,7 @@ index dd3be8d..3f4f878 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1228,20 @@ optional_policy(`
+@@ -774,10 +1230,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29421,7 +29451,7 @@ index dd3be8d..3f4f878 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1250,10 @@ optional_policy(`
+@@ -786,6 +1252,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29432,7 +29462,7 @@ index dd3be8d..3f4f878 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1275,6 @@ optional_policy(`
+@@ -807,8 +1277,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -29441,7 +29471,7 @@ index dd3be8d..3f4f878 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1283,10 @@ optional_policy(`
+@@ -817,6 +1285,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29452,7 +29482,7 @@ index dd3be8d..3f4f878 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1296,12 @@ optional_policy(`
+@@ -826,10 +1298,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -29465,7 +29495,7 @@ index dd3be8d..3f4f878 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1328,35 @@ optional_policy(`
+@@ -856,12 +1330,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29502,7 +29532,7 @@ index dd3be8d..3f4f878 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1366,18 @@ optional_policy(`
+@@ -871,6 +1368,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29521,7 +29551,7 @@ index dd3be8d..3f4f878 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1393,10 @@ optional_policy(`
+@@ -886,6 +1395,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29532,7 +29562,7 @@ index dd3be8d..3f4f878 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1407,218 @@ optional_policy(`
+@@ -896,3 +1409,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -38284,10 +38314,10 @@ index 0000000..1d9bdfd
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..04b5e3e
+index 0000000..8376f43
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,657 @@
+@@ -0,0 +1,633 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -38572,32 +38602,8 @@ index 0000000..04b5e3e
 +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
 +fs_list_all(systemd_tmpfiles_t)
 +
-+files_getattr_all_dirs(systemd_tmpfiles_t)
-+files_getattr_all_files(systemd_tmpfiles_t)
-+files_getattr_all_sockets(systemd_tmpfiles_t)
-+files_getattr_all_symlinks(systemd_tmpfiles_t)
-+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
-+files_relabel_all_lock_files(systemd_tmpfiles_t)
-+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
-+files_relabel_all_pid_files(systemd_tmpfiles_t)
-+files_relabel_all_spool_dirs(systemd_tmpfiles_t)
-+files_manage_all_pids(systemd_tmpfiles_t)
-+files_manage_all_pid_dirs(systemd_tmpfiles_t)
-+files_manage_all_locks(systemd_tmpfiles_t)
-+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
-+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_delete_boot_flag(systemd_tmpfiles_t)
-+files_delete_all_non_security_dirs(systemd_tmpfiles_t)
-+files_delete_all_non_security_files(systemd_tmpfiles_t)
-+files_delete_all_pid_sockets(systemd_tmpfiles_t)
-+files_delete_all_pid_pipes(systemd_tmpfiles_t)
-+files_purge_tmp(systemd_tmpfiles_t)
-+files_manage_generic_tmp_files(systemd_tmpfiles_t)
-+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
-+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
-+files_relabel_all_tmp_files(systemd_tmpfiles_t)
++files_manage_non_auth_files(systemd_tmpfiles_t)
++files_relabel_non_auth_files(systemd_tmpfiles_t)
 +files_list_lost_found(systemd_tmpfiles_t)
 +
 +mls_file_read_all_levels(systemd_tmpfiles_t)
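Review bot: Replacing the enumerated list with `files_manage_non_auth_files(systemd_tmpfiles_t)` and `files_relabel_non_auth_files(systemd_tmpfiles_t)` turns a scoped allowlist into create/write/unlink plus relabel access over every non-auth file type on the system, and the .te gives no hint why tmpfiles needs that much; a why-comment above the pair, e.g. `# tmpfiles.d entries may create, remove and relabel arbitrary non-security paths`, would stop the next maintainer from either trimming it back or copying it to other domains. The replacement is also not a strict superset of what was removed: `files_getattr_all_dirs/files/sockets/symlinks` spanned all file types including auth ones, so if the non_auth interfaces exclude those types as their name suggests, a tmpfiles.d entry that touches such a path (for instance a `z` line under /etc) would now produce getattr denials. Worth confirming with a full tmpfiles run before relying on the shorter form.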
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 71b66a6..210ca24 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -560,7 +560,7 @@ index 058d908..10edac5 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..4c4830b 100644
+index cc43d25..23aea8e 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -878,15 +878,19 @@ index cc43d25..4c4830b 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -220,6 +271,7 @@ optional_policy(`
- 	corecmd_exec_all_executables(abrt_t)
+@@ -221,6 +272,11 @@ optional_policy(`
  ')
  
-+# to install debuginfo packages
  optional_policy(`
++    puppet_read_lib(abrt_t)
++')
++
++# to install debuginfo packages
++optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +282,7 @@ optional_policy(`
+ 	rpm_manage_cache(abrt_t)
+@@ -230,6 +286,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -894,7 +898,7 @@ index cc43d25..4c4830b 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -240,9 +293,17 @@ optional_policy(`
+@@ -240,9 +297,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -913,7 +917,7 @@ index cc43d25..4c4830b 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +314,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +318,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -928,7 +932,7 @@ index cc43d25..4c4830b 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +333,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +337,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -936,7 +940,7 @@ index cc43d25..4c4830b 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +342,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +346,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -957,7 +961,7 @@ index cc43d25..4c4830b 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +363,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +367,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -984,7 +988,7 @@ index cc43d25..4c4830b 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +399,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +403,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -998,7 +1002,7 @@ index cc43d25..4c4830b 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +417,11 @@ optional_policy(`
+@@ -330,10 +421,11 @@ optional_policy(`
  
  #######################################
  #
@@ -1012,7 +1016,7 @@ index cc43d25..4c4830b 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +440,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +444,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1074,7 +1078,7 @@ index cc43d25..4c4830b 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +498,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +502,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1100,9 +1104,11 @@ index cc43d25..4c4830b 100644
 +files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
 +
 +read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
-+
+ 
+-logging_send_syslog_msg(abrt_domain)
 +manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
-+
+ 
+-miscfiles_read_localization(abrt_domain)
 +corecmd_exec_bin(abrt_upload_watch_t)
 +
 +dev_read_urand(abrt_upload_watch_t)
@@ -1110,8 +1116,7 @@ index cc43d25..4c4830b 100644
 +files_search_spool(abrt_upload_watch_t)
 +
 +auth_read_passwd(abrt_upload_watch_t)
- 
--logging_send_syslog_msg(abrt_domain)
++
 +tunable_policy(`abrt_upload_watch_anon_write',`
 +    miscfiles_manage_public_files(abrt_upload_watch_t)
 +')
@@ -1124,8 +1129,7 @@ index cc43d25..4c4830b 100644
 +#
 +# Local policy for all abrt domain
 +#
- 
--miscfiles_read_localization(abrt_domain)
++
 +allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
 +allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
 +
@@ -8322,10 +8326,30 @@ index dcd774e..c240ffa 100644
  
  	allow $1 bacula_t:process { ptrace signal_perms };
 diff --git a/bacula.te b/bacula.te
-index 3beba2f..7ca4480 100644
+index 3beba2f..5c5bd6e 100644
 --- a/bacula.te
 +++ b/bacula.te
-@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
+ # Local policy
+ #
+ 
+-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
++allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
+ allow bacula_t self:process signal;
+ allow bacula_t self:fifo_file rw_fifo_file_perms;
+ allow bacula_t self:tcp_socket { accept listen };
+@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t)
+ corenet_sendrecv_generic_server_packets(bacula_t)
+ corenet_udp_bind_generic_port(bacula_t)
+ 
++
++#TODO: check port labels for hplip a bacula
++corenet_tcp_bind_bacula_port(bacula_t)
++
+ corenet_sendrecv_hplip_server_packets(bacula_t)
+ corenet_tcp_bind_hplip_port(bacula_t)
+ corenet_udp_bind_hplip_port(bacula_t)
+@@ -148,9 +152,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
  
  domain_use_interactive_fds(bacula_admin_t)
  
@@ -22902,7 +22926,7 @@ index 0000000..1c4ac02
 +/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..3061ae5
+index 0000000..cc6846a
 --- /dev/null
 +++ b/docker.if
 @@ -0,0 +1,323 @@
@@ -23153,7 +23177,7 @@ index 0000000..3061ae5
 +        type docker_devpts_t;
 +    ')
 +
-+    allow $1 docker_devpts_t:chr_file	rw_inherited_term_perms;
++    allow $1 docker_devpts_t:chr_file rw_term_perms;
 +')
 +
 +#######################################
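Review bot: Changing `rw_inherited_term_perms` to `rw_term_perms` on `docker_devpts_t:chr_file` adds `open` to what the caller may do, if these permission sets follow the usual refpolicy definitions; callers can then open container ptys themselves rather than only use descriptors handed down from docker. The interface header is outside this hunk, so its `<summary>` should be updated to say the domain may open and read/write docker pty devices, otherwise the widening is invisible to anyone reading the interface documentation.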
@@ -23231,10 +23255,10 @@ index 0000000..3061ae5
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..1e88da4
+index 0000000..7de0c90
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,241 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -23266,6 +23290,9 @@ index 0000000..1e88da4
 +type docker_tmp_t;
 +files_tmp_file(docker_tmp_t)
 +
++type docker_tmpfs_t;
++files_tmpfs_file(docker_tmpfs_t)
++
 +type docker_var_run_t;
 +files_pid_file(docker_var_run_t)
 +
@@ -23304,6 +23331,13 @@ index 0000000..1e88da4
 +manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
 +files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
 +
++manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
++
 +manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
 +manage_files_pattern(docker_t, docker_share_t, docker_share_t)
 +manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
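Review bot: `manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)` lets docker_t create device nodes on tmpfs, but creating a device node also needs the `mknod` capability and the `allow docker_t self:capability` line in the later docker.te hunk does not include it, so either the create will still be denied or the nodes are made by another domain -- worth confirming which. A comment stating the use, e.g. `# container /dev is a tmpfs populated with device nodes -- confirm`, would explain why chr_file management on a tmpfs type is intended. Note also that `fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })` only relabels top-level dirs and files; objects created inside a docker_tmpfs_t directory inherit the type, which is presumably the expected path.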
@@ -23382,12 +23416,13 @@ index 0000000..1e88da4
 +# lxc rules
 +#
 +
-+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
++allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
++
 +allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
 +
 +allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
 +allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
-+allow docker_t self:unix_dgram_socket create_socket_perms;
++allow docker_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +allow docker_t docker_var_lib_t:dir mounton;
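Review bot: The new capability set `{ dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace }` is close to full root and sits under a bare `# lxc rules` header with no per-capability justification; each of `sys_admin`, `sys_ptrace`, `sys_chroot` and `setuid`/`setgid` deserves a short why-comment so they can be reassessed later (e.g. `# sys_chroot/setuid/setgid: container setup via lxc -- confirm`). The context line `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;` carries a stray second semicolon that this commit leaves in place; whether the policy compiler tolerates it or not, it should be dropped.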
@@ -23397,6 +23432,7 @@ index 0000000..1e88da4
 +kernel_setsched(docker_t)
 +kernel_get_sysvipc_info(docker_t)
 +kernel_request_load_module(docker_t)
++kernel_mounton_messages(docker_t)
 +
 +dev_getattr_all_blk_files(docker_t)
 +dev_getattr_sysfs_fs(docker_t)
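Review bot: `kernel_mounton_messages(docker_t)` calls an interface introduced by this same patch and the call has no comment saying why a container manager mounts over the kernel message device. A one-line note such as `# containers get /proc/kmsg masked by mounting over it -- confirm` would make the intent clear to a reader who does not know the docker/lxc setup.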
@@ -23434,6 +23470,11 @@ index 0000000..1e88da4
 +modutils_domtrans_insmod(docker_t)
 +
 +optional_policy(`
++	dbus_system_bus_client(docker_t)
++	init_dbus_chat(docker_t)
++')
++
++optional_policy(`
 +	udev_read_db(docker_t)
 +')
 +
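Review bot: `init_dbus_chat(docker_t)` opens two-way D-Bus traffic between docker_t and init, which is a fairly privileged channel, and nothing in the hunk says what docker asks init for. A comment above the `optional_policy` block (e.g. `# docker talks to systemd over the system bus -- state the purpose here`) would let a later reviewer judge whether plain `dbus_system_bus_client` is enough.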
@@ -24310,7 +24351,7 @@ index 9a21639..26c5986 100644
  ')
 +
 diff --git a/drbd.te b/drbd.te
-index 8e5ee54..6e11edb 100644
+index 8e5ee54..bdd8883 100644
 --- a/drbd.te
 +++ b/drbd.te
 @@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config;
@@ -24322,7 +24363,13 @@ index 8e5ee54..6e11edb 100644
  
  manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
  manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-@@ -46,10 +46,6 @@ dev_read_rand(drbd_t)
+@@ -42,14 +42,12 @@ can_exec(drbd_t, drbd_exec_t)
+ 
+ kernel_read_system_state(drbd_t)
+ 
++corecmd_exec_bin(drbd_t)
++
+ dev_read_rand(drbd_t)
  dev_read_sysfs(drbd_t)
  dev_read_urand(drbd_t)
  
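Review bot: `corecmd_exec_bin(drbd_t)` allows drbd_t to execute every bin_t program, which is a much wider grant than running one sibling drbd helper. If the helper is labelled drbd_exec_t in drbd.fc, the existing `can_exec(drbd_t, drbd_exec_t)` a few lines above already covers it and this line can be dropped; if it really must stay, add a comment naming the binary that needs it so the rule can be narrowed later.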
@@ -33090,7 +33137,7 @@ index 1a35420..2ea1241 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index 57304e4..46e5e3d 100644
+index 57304e4..56d45ec 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -9,8 +9,8 @@ type iscsid_t;
@@ -33114,7 +33161,20 @@ index 57304e4..46e5e3d 100644
  allow iscsid_t self:process { setrlimit setsched signal };
  allow iscsid_t self:fifo_file rw_fifo_file_perms;
  allow iscsid_t self:unix_stream_socket { accept connectto listen };
-@@ -64,11 +63,12 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+@@ -55,20 +54,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+ manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+ fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file })
+ 
+-allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
+-read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+-read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_dirs_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir)
+ 
+ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
+ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
  
  can_exec(iscsid_t, iscsid_exec_t)
  
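Review bot: `files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir)` is unnamed, so any directory iscsid_t creates directly under /var/lib becomes iscsi_var_lib_t; other parts of this patch already use named transitions (`files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")`, `postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")`). If iscsi.fc labels /var/lib/iscsi, prefer `files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir, "iscsi")`. The read-to-manage widening on iscsi_var_lib_t itself looks intended but would benefit from a comment on what iscsid writes there.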
@@ -33128,7 +33188,7 @@ index 57304e4..46e5e3d 100644
  corenet_all_recvfrom_netlabel(iscsid_t)
  corenet_tcp_sendrecv_generic_if(iscsid_t)
  corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,21 +86,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
  corenet_tcp_connect_isns_port(iscsid_t)
  corenet_tcp_sendrecv_isns_port(iscsid_t)
  
@@ -40079,7 +40139,7 @@ index 5a414e0..24f45a8 100644
  ')
 +
 diff --git a/mcelog.if b/mcelog.if
-index 9dbe694..ea89ab1 100644
+index 9dbe694..c73214d 100644
 --- a/mcelog.if
 +++ b/mcelog.if
 @@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
@@ -40098,11 +40158,11 @@ index 9dbe694..ea89ab1 100644
 +#
 +interface(`mcelog_read_log',`
 +	gen_require(`
-+		type mcelog_var_log_t;
++		type mcelog_log_t;
 +	')
 +
 +	logging_search_logs($1)
-+	read_files_pattern($1, mcelog_var_log_t, mcelog_var_log_t)
++	read_files_pattern($1, mcelog_log_t, mcelog_log_t)
 +')
 +
  ########################################
@@ -57619,10 +57679,10 @@ index 0000000..05648bd
 +')
 diff --git a/osad.te b/osad.te
 new file mode 100644
-index 0000000..ac767bc
+index 0000000..a40fcc3
 --- /dev/null
 +++ b/osad.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,45 @@
 +policy_module(osad, 1.0.0)
 +
 +########################################
@@ -57661,6 +57721,13 @@ index 0000000..ac767bc
 +
 +dev_read_urand(osad_t)
 +
++optional_policy(`
++    gnome_dontaudit_search_config(osad_t)
++')
++
++optional_policy(`
++    rhnsd_manage_config(osad_t)
++')
 diff --git a/pacemaker.fc b/pacemaker.fc
 index 2f0ad56..d4da0b8 100644
 --- a/pacemaker.fc
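Review bot: `rhnsd_manage_config(osad_t)` gives osad, a network-facing daemon, create/write/delete access over the entire /etc/sysconfig/rhn tree, while osad presumably only needs to write one or two files there. Add a comment naming the file(s) it writes (e.g. `# osad stores its authentication state under /etc/sysconfig/rhn -- confirm`) so the grant can be narrowed to a read interface plus a specific file type later. The `gnome_dontaudit_search_config(osad_t)` block is fine as is.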
@@ -58372,10 +58439,10 @@ index 3ad10b5..49baca5 100644
  
 diff --git a/pcp.fc b/pcp.fc
 new file mode 100644
-index 0000000..ceecf91
+index 0000000..9b8cb6b
 --- /dev/null
 +++ b/pcp.fc
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,28 @@
 +/etc/rc\.d/init\.d/pmcd		--	gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/pmlogger 	--      gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/pmproxy 	--	gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
@@ -58383,7 +58450,13 @@ index 0000000..ceecf91
 +/etc/rc\.d/init\.d/pmie      --       gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/pmmgr    --      gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0)
 +
-+/usr/bin/pmie               --  gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
++/usr/bin/pmie       --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
++/usr/bin/pmcd	    --	    gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
++/usr/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
++/usr/bin/pmproxy    --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
++/usr/bin/pmwebd	    --	    gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
++/usr/bin/pmmgr      --      gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
++
 +
 +/usr/libexec/pcp/bin/pmcd	--	gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
 +/usr/libexec/pcp/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
@@ -58400,10 +58473,10 @@ index 0000000..ceecf91
 +/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)
 diff --git a/pcp.if b/pcp.if
 new file mode 100644
-index 0000000..9ca6d26
+index 0000000..4f074cb
 --- /dev/null
 +++ b/pcp.if
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,100 @@
 +## <summary>The  pcp  command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
 +
 +######################################
@@ -58484,12 +58557,32 @@ index 0000000..9ca6d26
 +    files_search_pids($1)
 +    admin_pattern($1, pcp_var_run_t)
 +')
++
++########################################
++## <summary>
++##  Allow the specified domain to execute pcp_pmie
++##  in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pcp_pmie_exec',`
++    gen_require(`
++        type pcp_pmie_exec_t;
++    ')
++
++    corecmd_search_bin($1)
++    can_exec($1, pcp_pmie_exec_t)
++')
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..6493b00
+index 0000000..8ec3a48
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,164 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
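Review bot: The `<param>` documentation of the new `pcp_pmie_exec` interface says `Domain allowed to transition.` but the body is `can_exec($1, pcp_pmie_exec_t)`, i.e. no domain transition happens; the copied wording is misleading. Change it to `##  Domain allowed access.` to match what the summary ("execute pcp_pmie in the caller domain") actually describes.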
@@ -58599,7 +58692,7 @@ index 0000000..6493b00
 +
 +optional_policy(`
 +    dbus_system_bus_client(pcp_pmcd_t)
-+    
++
 +    optional_policy(`
 +        avahi_dbus_chat(pcp_pmcd_t)
 +    ')
@@ -58640,6 +58733,20 @@ index 0000000..6493b00
 +corecmd_exec_bin(pcp_pmmgr_t)
 +
 +auth_use_nsswitch(pcp_pmmgr_t)
++
++optional_policy(`
++    pcp_pmie_exec(pcp_pmmgr_t)
++')
++
++########################################
++#
++# pcp_pmie local  policy
++#
++
++allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++
++allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
++
 diff --git a/pcscd.if b/pcscd.if
 index 43d50f9..7f77d32 100644
 --- a/pcscd.if
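Review bot: The `optional_policy(` wrapper around `pcp_pmie_exec(pcp_pmmgr_t)` is unnecessary, since the interface is defined in this module's own pcp.if; refpolicy reserves `optional_policy` for interfaces of other modules, so call it directly. The new section header reads `# pcp_pmie local  policy` with a doubled space, and the hunk ends the file with an extra blank line. The `pcp_pmie_t` type declaration is not in this hunk, so it is assumed to exist in the declarations section above.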
@@ -63864,7 +63971,7 @@ index 2e23946..d8a163f 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..9e7ec0a 100644
+index 191a66f..cd766c0 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,4 +1,4 @@
@@ -63966,9 +64073,8 @@ index 191a66f..9e7ec0a 100644
  ########################################
  #
 -# Common postfix domain local policy
-+# Postfix master process local policy
- #
- 
+-#
+-
 -allow postfix_domain self:capability { sys_nice sys_chroot };
 -dontaudit postfix_domain self:capability sys_tty_config;
 -allow postfix_domain self:process { signal_perms setpgid setsched };
@@ -64056,8 +64162,9 @@ index 191a66f..9e7ec0a 100644
 -########################################
 -#
 -# Master local policy
--#
--
++# Postfix master process local policy
+ #
+ 
 -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
 +# chown is to set the correct ownership of queue dirs
 +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -64083,10 +64190,10 @@ index 191a66f..9e7ec0a 100644
 +allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
 +
 +allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-+
-+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
  
 -allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
++allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
++
 +manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 +manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 +manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -64113,7 +64220,7 @@ index 191a66f..9e7ec0a 100644
  manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
  manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
--
+ 
 -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
 -manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 -manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -64131,14 +64238,14 @@ index 191a66f..9e7ec0a 100644
 -rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 -setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
- 
+-
 -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
 -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
+-
+-can_exec(postfix_master_t, postfix_exec_t)
 +manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  
--can_exec(postfix_master_t, postfix_exec_t)
--
 -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
 -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
 +kernel_read_all_sysctls(postfix_master_t)
@@ -64354,7 +64461,7 @@ index 191a66f..9e7ec0a 100644
  ')
  
  optional_policy(`
-@@ -434,6 +335,7 @@ optional_policy(`
+@@ -434,16 +335,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64362,7 +64469,14 @@ index 191a66f..9e7ec0a 100644
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
  	mailman_read_log(postfix_local_t)
-@@ -444,6 +346,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    munin_search_lib(postfix_local_t)
++')
++
++optional_policy(`
+ 	nagios_search_spool(postfix_local_t)
  ')
  
  optional_policy(`
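Review bot: The new block `    munin_search_lib(postfix_local_t)` is indented with four spaces while the neighbouring `	nagios_search_spool(postfix_local_t)` block in the same file uses a tab; the same mismatch appears in the raid.te hunk (`    dbus_system_bus_client(mdadm_t)` next to a tab-indented `gpm_dontaudit_getattr_gpmctl`) and in the rhsmcertd.te hunk (`    rhnsd_manage_config(rhsmcertd_t)` next to a tab-indented `rpm_read_db`). Pick the existing file's indentation for inserted lines so the hunks do not introduce mixed whitespace.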
@@ -64373,7 +64487,7 @@ index 191a66f..9e7ec0a 100644
  	procmail_domtrans(postfix_local_t)
  ')
  
-@@ -458,15 +364,17 @@ optional_policy(`
+@@ -458,15 +368,17 @@ optional_policy(`
  
  ########################################
  #
@@ -64397,7 +64511,7 @@ index 191a66f..9e7ec0a 100644
  
  manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
  manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +384,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -64417,7 +64531,7 @@ index 191a66f..9e7ec0a 100644
  
  corecmd_list_bin(postfix_map_t)
  corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +401,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t)
  corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
@@ -64425,7 +64539,7 @@ index 191a66f..9e7ec0a 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -500,21 +408,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t)
  
  logging_send_syslog_msg(postfix_map_t)
  
@@ -64451,7 +64565,7 @@ index 191a66f..9e7ec0a 100644
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,21 +433,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,21 +437,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  
@@ -64477,7 +64591,7 @@ index 191a66f..9e7ec0a 100644
  
  write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
  
-@@ -549,6 +458,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+@@ -549,6 +462,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  corecmd_exec_bin(postfix_pipe_t)
  
  optional_policy(`
@@ -64488,7 +64602,7 @@ index 191a66f..9e7ec0a 100644
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
  
-@@ -576,19 +489,26 @@ optional_policy(`
+@@ -576,19 +493,26 @@ optional_policy(`
  
  ########################################
  #
@@ -64520,7 +64634,7 @@ index 191a66f..9e7ec0a 100644
  
  term_dontaudit_use_all_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +523,7 @@ optional_policy(`
+@@ -603,10 +527,7 @@ optional_policy(`
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -64532,7 +64646,7 @@ index 191a66f..9e7ec0a 100644
  optional_policy(`
  	fstools_read_pipes(postfix_postdrop_t)
  ')
-@@ -621,17 +538,24 @@ optional_policy(`
+@@ -621,17 +542,24 @@ optional_policy(`
  
  #######################################
  #
@@ -64560,7 +64674,7 @@ index 191a66f..9e7ec0a 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +571,77 @@ optional_policy(`
+@@ -647,67 +575,77 @@ optional_policy(`
  
  ########################################
  #
@@ -64656,7 +64770,7 @@ index 191a66f..9e7ec0a 100644
  ')
  
  optional_policy(`
-@@ -720,29 +654,30 @@ optional_policy(`
+@@ -720,29 +658,30 @@ optional_policy(`
  
  ########################################
  #
@@ -64695,7 +64809,7 @@ index 191a66f..9e7ec0a 100644
  optional_policy(`
  	dovecot_stream_connect_auth(postfix_smtpd_t)
  	dovecot_stream_connect(postfix_smtpd_t)
-@@ -754,6 +689,7 @@ optional_policy(`
+@@ -754,6 +693,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -64703,7 +64817,7 @@ index 191a66f..9e7ec0a 100644
  ')
  
  optional_policy(`
-@@ -764,31 +700,99 @@ optional_policy(`
+@@ -764,31 +704,99 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -72148,7 +72262,7 @@ index 2c3d338..cf3e5ad 100644
  
  ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..a422fca 100644
+index 3698b51..b475e72 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -72170,7 +72284,7 @@ index 3698b51..a422fca 100644
  allow rabbitmq_beam_t self:process { setsched signal signull };
  allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_beam_t self:tcp_socket { accept listen };
-@@ -38,27 +43,35 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+@@ -38,50 +43,88 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
  manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
  
  manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@@ -72209,7 +72323,10 @@ index 3698b51..a422fca 100644
  
  corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
  corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-@@ -68,20 +81,49 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
++corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
+ corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+ 
+ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
  corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
  
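Review bot: `corenet_tcp_connect_amqp_port(rabbitmq_beam_t)` makes the broker both bind and connect to the amqp port, and the hunk gives no hint why a server would dial its own service port. A comment such as `# beam connects to peer brokers on the amqp port (clustering/federation) -- confirm` would record the reason and make it easier to drop later if the feature is not used.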
@@ -72223,16 +72340,16 @@ index 3698b51..a422fca 100644
 +
 +auth_read_passwd(rabbitmq_beam_t)
 +auth_use_pam(rabbitmq_beam_t)
- 
--files_read_etc_files(rabbitmq_beam_t)
++
 +files_getattr_all_mountpoints(rabbitmq_beam_t)
  
--miscfiles_read_localization(rabbitmq_beam_t)
+-files_read_etc_files(rabbitmq_beam_t)
 +fs_getattr_all_fs(rabbitmq_beam_t)
 +fs_getattr_all_dirs(rabbitmq_beam_t)
 +fs_getattr_cgroup(rabbitmq_beam_t)
 +fs_search_cgroup_dirs(rabbitmq_beam_t)
-+
+ 
+-miscfiles_read_localization(rabbitmq_beam_t)
 +corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
 +
 +dev_read_sysfs(rabbitmq_beam_t)
@@ -72263,7 +72380,16 @@ index 3698b51..a422fca 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -89,6 +132,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+ 
+ allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
+ 
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++
+ corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
+ corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
+ corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
+@@ -99,8 +144,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
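Review bot: `manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)` is inserted in the rabbitmq_epmd_t section right after `allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;`, but it grants rabbitmq_beam_t, whose log rules (`manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, ...)`) live in the earlier section. Either the domain is wrong and the line should read `manage_files_pattern(rabbitmq_epmd_t, rabbitmq_var_log_t, rabbitmq_var_log_t)`, or it is misplaced and belongs with the beam rules; as written the epmd log problem it appears meant to fix stays unaddressed.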
@@ -72704,7 +72830,7 @@ index 951db7f..c0cabe8 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..4fae3d2 100644
+index 2c1730b..5aa98aa 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@@ -72819,7 +72945,15 @@ index 2c1730b..4fae3d2 100644
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -93,13 +128,30 @@ optional_policy(`
+@@ -89,17 +124,38 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    dbus_system_bus_client(mdadm_t)
++')
++
++optional_policy(`
+ 	gpm_dontaudit_getattr_gpmctl(mdadm_t)
  ')
  
  optional_policy(`
@@ -76958,10 +77092,10 @@ index 3f32e4b..f97ea42 100644
  
 diff --git a/rhnsd.fc b/rhnsd.fc
 new file mode 100644
-index 0000000..88fe240
+index 0000000..860a91d
 --- /dev/null
 +++ b/rhnsd.fc
-@@ -0,0 +1,7 @@
+@@ -0,0 +1,9 @@
 +/etc/rc\.d/init\.d/rhnsd	--	gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
 +
 +/usr/lib/systemd/system/rhnsd.* --  gen_context(system_u:object_r:rhnsd_unit_file_t,s0)
@@ -76969,12 +77103,14 @@ index 0000000..88fe240
 +/usr/sbin/rhnsd		--	gen_context(system_u:object_r:rhnsd_exec_t,s0)
 +
 +/var/run/rhnsd\.pid		--	gen_context(system_u:object_r:rhnsd_var_run_t,s0)
++
++/etc/sysconfig/rhn(/.*)?		gen_context(system_u:object_r:rhnsd_conf_t,s0)
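Review bot: The new `/etc/sysconfig/rhn(/.*)?` entry is appended after the `/var/run/rhnsd\.pid` line; file-context files in this tree are ordered by path, so it belongs before the `/usr/lib/systemd` entry. Since osad.te and rhsmcertd.te in this same patch also get manage access to rhnsd_conf_t, the type is effectively shared configuration for the whole rhn tool set, which is worth a comment at the declaration so nobody later assumes only rhnsd touches it.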
 diff --git a/rhnsd.if b/rhnsd.if
 new file mode 100644
-index 0000000..335573a
+index 0000000..8a5aaf0
 --- /dev/null
 +++ b/rhnsd.if
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,118 @@
 +## <summary>policy for rhnsd</summary>
 +
 +########################################
@@ -77038,6 +77174,26 @@ index 0000000..335573a
 +	ps_process_pattern($1, rhnsd_t)
 +')
 +
++######################################
++## <summary>
++## Allow the specified domain to manage
++## rhnsd configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhnsd_manage_config',`
++    gen_require(`
++        type rhnsd_conf_t;
++    ')
++
++    files_search_etc($1)
++    manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t)
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
@@ -77075,10 +77231,10 @@ index 0000000..335573a
 +')
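Review bot: `rhnsd_manage_config` is the only access interface for rhnsd_conf_t, so every caller that merely needs to read /etc/sysconfig/rhn ends up with full manage rights; a read-only companion interface keeps callers such as rhsmcertd at least privilege where writing is not required. There is also a stray space in `manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t)`, and the summary banner above this interface is shorter than the others in the file. The companion would need the usual `## <summary>` / `## <param>` header describing read access.

```selinux
interface(`rhnsd_read_config',`
    gen_require(`
        type rhnsd_conf_t;
    ')

    files_search_etc($1)
    read_files_pattern($1, rhnsd_conf_t, rhnsd_conf_t)
')
```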
 diff --git a/rhnsd.te b/rhnsd.te
 new file mode 100644
-index 0000000..be2e57e
+index 0000000..898d82c
 --- /dev/null
 +++ b/rhnsd.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,47 @@
 +policy_module(rhnsd, 1.0.0)
 +
 +########################################
@@ -77099,6 +77255,9 @@ index 0000000..be2e57e
 +type rhnsd_unit_file_t;
 +systemd_unit_file(rhnsd_unit_file_t)
 +
++type rhnsd_conf_t;
++files_config_file(rhnsd_conf_t)
++
 +########################################
 +#
 +# rhnsd local policy
@@ -77113,14 +77272,15 @@ index 0000000..be2e57e
 +manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
 +files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
 +
-+corecmd_exec_bin(rhnsd_t)
++manage_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)
 +
++corecmd_exec_bin(rhnsd_t)
 +
 +logging_send_syslog_msg(rhnsd_t)
 +
 +optional_policy(`
-+	# execute rhn_check
-+	rpm_domtrans(rhnsd_t)
++    # execute rhn_check
++    rpm_domtrans(rhnsd_t)
 +')
 diff --git a/rhsmcertd.if b/rhsmcertd.if
 index 6dbc905..4b17c93 100644
@@ -77382,7 +77542,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..bfc90eb 100644
+index 1cedd70..36fb74e 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -77403,7 +77563,7 @@ index 1cedd70..bfc90eb 100644
  
  manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
  files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -52,21 +51,40 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -52,21 +51,44 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  kernel_read_network_state(rhsmcertd_t)
  kernel_read_system_state(rhsmcertd_t)
  
@@ -77424,11 +77584,11 @@ index 1cedd70..bfc90eb 100644
 +files_manage_system_conf_files(rhsmcertd_t)
 +
 +auth_read_passwd(rhsmcertd_t)
++
++init_read_state(rhsmcertd_t)
  
 -miscfiles_read_localization(rhsmcertd_t)
 -miscfiles_read_generic_certs(rhsmcertd_t)
-+init_read_state(rhsmcertd_t)
-+
 +logging_send_syslog_msg(rhsmcertd_t)
 +
 +miscfiles_manage_cert_files(rhsmcertd_t)
@@ -77445,6 +77605,10 @@ index 1cedd70..bfc90eb 100644
 +')
 +
 +optional_policy(`
++    rhnsd_manage_config(rhsmcertd_t)
++')
++
++optional_policy(`
  	rpm_read_db(rhsmcertd_t)
 +    rpm_signull(rhsmcertd_t)
  ')
@@ -79953,7 +80117,7 @@ index 0628d50..e9dbd7e 100644
 +	allow rpm_script_t $1:process sigchld;
  ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..e1d9ae1 100644
+index 5cbe81c..ce45f0c 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -80244,7 +80408,7 @@ index 5cbe81c..e1d9ae1 100644
  
  kernel_read_crypto_sysctls(rpm_script_t)
  kernel_read_kernel_sysctls(rpm_script_t)
-@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t)
+@@ -277,45 +293,29 @@ kernel_read_network_state(rpm_script_t)
  kernel_list_all_proc(rpm_script_t)
  kernel_read_software_raid_state(rpm_script_t)
  
@@ -80259,6 +80423,8 @@ index 5cbe81c..e1d9ae1 100644
 -corenet_tcp_sendrecv_http_port(rpm_script_t)
 -
 -corecmd_exec_all_executables(rpm_script_t)
++# needed by unbound-anchor
++corenet_udp_bind_all_unreserved_ports(rpm_script_t)
  
  dev_list_sysfs(rpm_script_t)
 +
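Review bot: `corenet_udp_bind_all_unreserved_ports(rpm_script_t)` lets package scriptlets bind any unreserved UDP port, and the comment `# needed by unbound-anchor` records the trigger but not the reason, so nobody can later tell whether a narrower rule would do. Suggest `# unbound-anchor does DNS lookups from a scriptlet and needs an ephemeral UDP source port -- confirm`. Binding also needs node-bind permission, which rpm_script_t presumably already has elsewhere; worth checking that the rule is sufficient on its own.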
@@ -80294,7 +80460,7 @@ index 5cbe81c..e1d9ae1 100644
  mls_file_read_all_levels(rpm_script_t)
  mls_file_write_all_levels(rpm_script_t)
  
-@@ -331,30 +329,51 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +331,52 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -80335,6 +80501,7 @@ index 5cbe81c..e1d9ae1 100644
 +libs_ldconfig_exec_entry_type(rpm_script_t)
  
  logging_send_syslog_msg(rpm_script_t)
++logging_send_audit_msgs(rpm_script_t)
  
 -miscfiles_read_localization(rpm_script_t)
 -
@@ -80355,7 +80522,7 @@ index 5cbe81c..e1d9ae1 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,41 +382,69 @@ ifdef(`distro_redhat',`
+@@ -363,41 +385,69 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -80435,7 +80602,7 @@ index 5cbe81c..e1d9ae1 100644
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +456,6 @@ optional_policy(`
+@@ -409,6 +459,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -88466,12 +88633,14 @@ index cbfe369..6594af3 100644
  	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 0000000..48c0623
+index 0000000..1cb1360
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,5 @@
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
 +
++/etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
++
 +/var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
 diff --git a/snapper.if b/snapper.if
 new file mode 100644
@@ -88523,10 +88692,10 @@ index 0000000..94105ee
 +')
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..3df20a6
+index 0000000..838f907
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,66 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
@@ -88541,6 +88710,9 @@ index 0000000..3df20a6
 +type snapperd_log_t;
 +logging_log_file(snapperd_log_t)
 +
++type snappperd_conf_t;
++files_config_file(snappperd_conf_t)
++
 +type snapperd_data_t;
 +files_type(snapperd_data_t)
 +
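Review bot: The type declared on the added lines is `snappperd_conf_t` (three p's), while the manage rules added in the next snapper.te hunk and the `/etc/snapper(/.*)?` entry in snapper.fc reference `snapperd_conf_t`, so that type is never declared and the module should fail to build (or, if it somehow built, /etc/snapper would carry an undefined type and snapperd would get no access to it). The fix is the two lines `type snapperd_conf_t;` and `files_config_file(snapperd_conf_t)`.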
@@ -88555,6 +88727,10 @@ index 0000000..3df20a6
 +manage_files_pattern(snapperd_t, snapperd_log_t, snapperd_log_t)
 +logging_log_filetrans(snapperd_t, snapperd_log_t, file)
 +
++manage_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++manage_dirs_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++
 +manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
 +manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
 +manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
@@ -88583,6 +88759,9 @@ index 0000000..3df20a6
 +    mount_domtrans(snapperd_t)
 +')
 +
++optional_policy(`
++    lvm_domtrans(snapperd_t)
++')
 diff --git a/snmp.fc b/snmp.fc
 index c73fa24..50d80f4 100644
 --- a/snmp.fc
@@ -89671,7 +89850,7 @@ index 1499b0b..6950cab 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..04dd34a 100644
+index 4faa7e0..d5d1214 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -1,4 +1,4 @@
@@ -90212,7 +90391,7 @@ index 4faa7e0..04dd34a 100644
  corenet_all_recvfrom_netlabel(spamd_t)
  corenet_tcp_sendrecv_generic_if(spamd_t)
  corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +430,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +430,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
  corenet_tcp_sendrecv_all_ports(spamd_t)
  corenet_udp_sendrecv_all_ports(spamd_t)
  corenet_tcp_bind_generic_node(spamd_t)
@@ -90222,6 +90401,7 @@ index 4faa7e0..04dd34a 100644
  corenet_tcp_bind_spamd_port(spamd_t)
 -
 -corenet_sendrecv_razor_client_packets(spamd_t)
++corenet_tcp_connect_spamd_port(spamd_t)
  corenet_tcp_connect_razor_port(spamd_t)
 -
 -corenet_sendrecv_smtp_client_packets(spamd_t)
@@ -90315,7 +90495,7 @@ index 4faa7e0..04dd34a 100644
  ')
  
  optional_policy(`
-@@ -421,21 +500,13 @@ optional_policy(`
+@@ -421,21 +501,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90339,7 +90519,7 @@ index 4faa7e0..04dd34a 100644
  ')
  
  optional_policy(`
-@@ -443,8 +514,8 @@ optional_policy(`
+@@ -443,8 +515,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90349,7 +90529,7 @@ index 4faa7e0..04dd34a 100644
  ')
  
  optional_policy(`
-@@ -455,7 +526,12 @@ optional_policy(`
+@@ -455,7 +527,12 @@ optional_policy(`
  optional_policy(`
  	razor_domtrans(spamd_t)
  	razor_read_lib_files(spamd_t)
@@ -90363,7 +90543,7 @@ index 4faa7e0..04dd34a 100644
  ')
  
  optional_policy(`
-@@ -463,9 +539,9 @@ optional_policy(`
+@@ -463,9 +540,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90374,7 +90554,7 @@ index 4faa7e0..04dd34a 100644
  ')
  
  optional_policy(`
-@@ -474,32 +550,32 @@ optional_policy(`
+@@ -474,32 +551,32 @@ optional_policy(`
  
  ########################################
  #
@@ -90417,7 +90597,7 @@ index 4faa7e0..04dd34a 100644
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +584,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +585,21 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
@@ -95615,7 +95795,7 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 7116181..d25d643 100644
+index 7116181..3f42127 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -95691,22 +95871,22 @@ index 7116181..d25d643 100644
  files_dontaudit_search_home(tuned_t)
 -files_dontaudit_list_tmp(tuned_t)
 +files_list_tmp(tuned_t)
- 
--fs_getattr_xattr_fs(tuned_t)
++
 +fs_getattr_all_fs(tuned_t)
 +fs_search_all(tuned_t)
 +fs_rw_hugetlbfs_files(tuned_t)
-+
+ 
+-fs_getattr_xattr_fs(tuned_t)
 +auth_use_nsswitch(tuned_t)
  
  logging_send_syslog_msg(tuned_t)
 +#bug in tuned
 +logging_manage_syslog_config(tuned_t)
 +logging_filetrans_named_conf(tuned_t)
-+
-+mount_read_pid_files(tuned_t)
  
 -miscfiles_read_localization(tuned_t)
++mount_read_pid_files(tuned_t)
++
 +modutils_domtrans_insmod(tuned_t)
  
  udev_read_pid_files(tuned_t)
@@ -95743,6 +95923,14 @@ index 7116181..d25d643 100644
  optional_policy(`
  	sysnet_domtrans_ifconfig(tuned_t)
  ')
+@@ -96,3 +139,7 @@ optional_policy(`
+ optional_policy(`
+ 	unconfined_dbus_send(tuned_t)
+ ')
++
++optional_policy(`
++    unconfined_domain(tuned_t)
++')
 diff --git a/tvtime.if b/tvtime.if
 index 1bb0f7c..372be2f 100644
 --- a/tvtime.if
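Review bot: `unconfined_domain(tuned_t)` inside `optional_policy(` makes tuned_t unconfined whenever the unconfined module is loaded, which on Fedora is the default, so the fine-grained rules for tuned_t earlier in the file stop mattering there and a compromised tuned process has the full reach of a root daemon. The new lines carry no comment saying this is deliberate; the changelog ties it to RHEL 7.0, so I would record that next to the rule: `# RHEL 7.0: run tuned unconfined; the confined rules above apply only when the unconfined module is not loaded`. The block also indents with four spaces while the neighbouring `optional_policy` block uses a tab.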
@@ -97408,7 +97596,7 @@ index c30da4c..6351bcb 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..15562ad 100644
+index 9dec06c..fddb027 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -98423,7 +98611,7 @@ index 9dec06c..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,74 +658,263 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +658,265 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -98567,6 +98755,8 @@ index 9dec06c..15562ad 100644
 +
 +	manage_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +	manage_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +	manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +')
 +
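Review bot: `manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)` allows the calling domain to create and write character-device nodes under sandbox-labeled directories, a larger grant than the dir/file/link rules it joins, and the interface's `<summary>` block, which starts outside this hunk, should say so, e.g. `## Manage svirt sandbox directories, files, symlinks, fifos and character-device nodes.`. The interface name is not visible in the hunk, so I cannot confirm which callers inherit the new access; the docker-related calls in the virt.te hunks below are presumably the consumer.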
@@ -98709,7 +98899,7 @@ index 9dec06c..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -935,19 +922,17 @@ interface(`virt_read_log',`
+@@ -935,19 +924,17 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
@@ -98733,7 +98923,7 @@ index 9dec06c..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +940,17 @@ interface(`virt_append_log',`
+@@ -955,20 +942,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
@@ -98758,7 +98948,7 @@ index 9dec06c..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +958,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +960,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
@@ -98781,7 +98971,7 @@ index 9dec06c..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +976,57 @@ interface(`virt_search_images',`
+@@ -995,36 +978,57 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
@@ -98858,7 +99048,7 @@ index 9dec06c..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +1034,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +1036,28 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -98894,7 +99084,7 @@ index 9dec06c..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,37 +1063,131 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1065,131 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -99040,7 +99230,7 @@ index 9dec06c..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1195,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1197,54 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -99114,7 +99304,7 @@ index 9dec06c..15562ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1258,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1260,36 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -99187,7 +99377,7 @@ index 9dec06c..15562ad 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..82a523e 100644
+index 1f22fba..f48af33 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,147 +1,194 @@
@@ -100307,7 +100497,7 @@ index 1f22fba..82a523e 100644
 +	term_use_unallocated_ttys(virt_domain)
 +	dev_rw_printer(virt_domain)
 +')
-+
+ 
 +tunable_policy(`virt_use_fusefs',`
 +	fs_manage_fusefs_dirs(virt_domain)
 +	fs_manage_fusefs_files(virt_domain)
@@ -100354,7 +100544,7 @@ index 1f22fba..82a523e 100644
 +		xserver_stream_connect(virt_domain)
 +	')
 +')
- 
++
 +########################################
 +#
 +# xm local policy
@@ -100635,30 +100825,30 @@ index 1f22fba..82a523e 100644
 +optional_policy(`
 +	dbus_system_bus_client(virtd_lxc_t)
 +	init_dbus_chat(virtd_lxc_t)
- 
--miscfiles_read_localization(virtd_lxc_t)
++
 +	optional_policy(`
 +		hal_dbus_chat(virtd_lxc_t)
 +	')
 +')
  
+-miscfiles_read_localization(virtd_lxc_t)
++optional_policy(`
++	docker_exec_lib(virtd_lxc_t)
++')
+ 
 -seutil_domtrans_setfiles(virtd_lxc_t)
 -seutil_read_config(virtd_lxc_t)
 -seutil_read_default_contexts(virtd_lxc_t)
 +optional_policy(`
-+	docker_exec_lib(virtd_lxc_t)
++	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
 +
 +optional_policy(`
-+	gnome_read_generic_cache_files(virtd_lxc_t)
++	setrans_manage_pid_files(virtd_lxc_t)
 +')
  
 -sysnet_domtrans_ifconfig(virtd_lxc_t)
 +optional_policy(`
-+	setrans_manage_pid_files(virtd_lxc_t)
-+')
-+
-+optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
  
@@ -100761,10 +100951,6 @@ index 1f22fba..82a523e 100644
 +	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
 +	docker_use_ptys(svirt_sandbox_domain)
 +')
-+
-+optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
  
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -100849,6 +101035,10 @@ index 1f22fba..82a523e 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
++	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
 +	ssh_use_ptys(svirt_sandbox_domain)
 +')
  
@@ -100917,9 +101107,9 @@ index 1f22fba..82a523e 100644
 -corenet_tcp_connect_all_ports(svirt_lxc_net_t)
 +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
 +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
- 
-+kernel_read_irq_sysctls(svirt_lxc_net_t)
 +
++kernel_read_irq_sysctls(svirt_lxc_net_t)
+ 
 +dev_read_sysfs(svirt_lxc_net_t)
  dev_getattr_mtrr_dev(svirt_lxc_net_t)
  dev_read_rand(svirt_lxc_net_t)
@@ -100986,12 +101176,12 @@ index 1f22fba..82a523e 100644
 +
 +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
- 
--allow svirt_prot_exec_t self:process { execmem execstack };
++
 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
 +
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
-+
+ 
+-allow svirt_prot_exec_t self:process { execmem execstack };
 +dev_read_sysfs(svirt_qemu_net_t)
 +dev_getattr_mtrr_dev(svirt_qemu_net_t)
 +dev_read_rand(svirt_qemu_net_t)
@@ -101056,7 +101246,7 @@ index 1f22fba..82a523e 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1420,198 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1420,206 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -101069,7 +101259,7 @@ index 1f22fba..82a523e 100644
 +# virt_qemu_ga local policy
 +#
 +
-+allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config };
++allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config };
 +
 +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
 +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
@@ -101097,7 +101287,10 @@ index 1f22fba..82a523e 100644
 +corecmd_exec_shell(virt_qemu_ga_t)
 +corecmd_exec_bin(virt_qemu_ga_t)
 +
++clock_read_adjtime(virt_qemu_ga_t)
++
 +dev_rw_sysfs(virt_qemu_ga_t)
++dev_rw_realtime_clock(virt_qemu_ga_t)
 +
 +files_list_all_mountpoints(virt_qemu_ga_t)
 +files_write_all_mountpoints(virt_qemu_ga_t)
@@ -101110,6 +101303,7 @@ index 1f22fba..82a523e 100644
 +term_use_unallocated_ttys(virt_qemu_ga_t)
 +
 +logging_send_syslog_msg(virt_qemu_ga_t)
++logging_send_audit_msgs(virt_qemu_ga_t)
 +
 +sysnet_dns_name_resolve(virt_qemu_ga_t)
 +
@@ -101123,6 +101317,10 @@ index 1f22fba..82a523e 100644
 +')
 +
 +optional_policy(`
++    clock_domtrans(virt_qemu_ga_t)
++')
++
++optional_policy(`
 +    dbus_system_bus_client(virt_qemu_ga_t)
 +')
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c709ae0..b91ef42 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 124%{?dist}
+Release: 125%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,40 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Feb 11 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-125
+- Addopt corenet rules for unbound-anchor to rpm_script_t
+- Allow runuser to send send audit messages.
+- Allow postfix-local to search .forward in munin lib dirs
+- Allow udisks to connect to D-Bus
+- Allow spamd to connect to spamd port
+- Fix syntax error in snapper.te
+- Dontaudit osad to search gconf home files
+- Allow rhsmcertd to manage /etc/sysconf/rhn director
+- Fix pcp labeling to accept /usr/bin for all daemon binaries
+- Fix mcelog_read_log() interface
+- Allow iscsid to manage iscsi lib files
+- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
+- Make tuned_t as unconfined domain for RHEL7.0
+- Allow ABRT to read puppet certs
+- Add sys_time capability for virt-ga
+- Allow gemu-ga to domtrans to hwclock_t
+- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
+- Fix some AVCs in pcp policy
+- Add to bacula capability setgid and setuid and allow to bind to bacula ports
+- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
+- Add access rhnsd and osad to /etc/sysconfig/rhn
+- drbdadm executes drbdmeta
+- Fixes needed for docker
+- Allow epmd to manage /var/log/rabbitmq/startup_err file
+- Allow beam.smp connect to amqp port
+- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
+- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
+- Allow systemd_tmpfiles_t to manage all non security files on the system
+- Added labels for bacula ports
+- Fix label on /dev/vfio/vfio
+- Add kernel_mounton_messages() interface
+- init wants to manage lock files for iscsi
+
 * Mon Feb 3 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-124
 - Added osad policy
 - Allow postfix to deliver to procmail

