[selinux-policy/f20] - Add lvm_read_metadata() - Allow auditadm to search /var/log/audit dir - Add lvm_read_metadata() in
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Feb 18 16:24:42 UTC 2014
commit ee9a7542f3896a740a5dcc2db65ab2299b936e99
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Feb 18 17:25:12 2014 +0100
- Add lvm_read_metadata()
- Allow auditadm to search /var/log/audit dir
- Add lvm_read_metadata() interface
- Allow confined users to run vmtools helpers
- Fix userdom_common_user_template()
- Generic systemd unit scripts do write check on /
- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files
- Add additional fixes needed for init_t and setup script running in generic unit files
- Allow general users to create packet_sockets
- added connlcli port
- Add init_manage_transient_unit() interface
- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t
- Fix userdomain.te to require passwd class
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Dontaudit rendom domains listing /proc and hittping system_map_t
- Dontauit leaks of var_t into ifconfig_t
- Allow domains that transition to ssh_t to manipulate its keyring
- Define oracleasm_t as a device node
- Change to handle /root as a symbolic link for os-tree
- Allow sysadm_t to create packet_socket, also move some rules to attributes
- Add label for openvswitch port
- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.
- Allow postfix_local to read .forward in pcp lib files
- Allow pegasus_openlmi_storage_t to read lvm metadata
- Add additional fixes for pegasus_openlmi_storage_t
- Allow bumblebee to manage debugfs
- Make bumblebee as unconfined domain
- Allow snmp to read etc_aliases_t
- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem
- Allow pegasus_openlmi_storage_t to read /proc/1/environ
- Dontaudit read gconf files for cupsd_config_t
- make vmtools as unconfined domain
- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig.
- Allow collectd_t to use a mysql database
- Allow ipa-otpd to perform DNS name resolution
- Added new policy for keepalived
- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd
- Add additional fixes new pscs-lite+polkit support
- Add labeling for /run/krb5kdc
- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20
- Allow pcscd to read users proc info
- Dontaudit smbd_t sending out random signuls
- Add boolean to allow openshift domains to use nfs
- Allow w3c_validator to create content in /tmp
- zabbix_agent uses nsswitch
- Allow procmail and dovecot to work together to deliver mail
- Allow spamd to execute files in homedir if boolean turned on
- Allow openvswitch to listen on port 6634
- Add net_admin capability in collectd policy
- Fixed snapperd policy
- Fixed bugsfor pcp policy
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Add kerberos_keytab_domain attribute
- Fix snapperd_conf_t def
policy-f20-base.patch | 1701 ++++++++++++++++++++++++++++++----------------
policy-f20-contrib.patch | 833 +++++++++++++++++------
selinux-policy.spec | 59 ++-
3 files changed, 1827 insertions(+), 766 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 688449e..67411f3 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -5596,7 +5596,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..f9f01e8 100644
+index 4edc40d..3173c7b 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5670,7 +5670,7 @@ index 4edc40d..f9f01e8 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -84,54 +107,65 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,54 +107,66 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5702,6 +5702,7 @@ index 4edc40d..f9f01e8 100644
network_port(comsat, udp,512,s0)
network_port(condor, tcp,9618,s0, udp,9618,s0)
+network_port(conman, tcp,7890,s0, udp,7890,s0)
++network_port(connlcli, tcp,1358,s0, udp,1358,s0)
network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
@@ -5743,7 +5744,7 @@ index 4edc40d..f9f01e8 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +174,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5810,7 +5811,7 @@ index 4edc40d..f9f01e8 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +227,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5832,6 +5833,7 @@ index 4edc40d..f9f01e8 100644
+network_port(openflow, tcp,6633,s0, tcp,6653,s0)
network_port(openhpid, tcp,4743,s0, udp,4743,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
++network_port(openvswitch, tcp,6634,s0)
+network_port(osapi_compute, tcp, 8774, s0)
network_port(pdps, tcp,1314,s0, udp,1314,s0)
network_port(pegasus_http, tcp,5988,s0)
@@ -5850,7 +5852,7 @@ index 4edc40d..f9f01e8 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -214,38 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +266,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5903,7 +5905,7 @@ index 4edc40d..f9f01e8 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +316,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -5914,7 +5916,7 @@ index 4edc40d..f9f01e8 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
-@@ -268,10 +326,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +328,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5927,7 +5929,7 @@ index 4edc40d..f9f01e8 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -285,19 +343,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -285,19 +345,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -5954,7 +5956,7 @@ index 4edc40d..f9f01e8 100644
########################################
#
-@@ -330,6 +392,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +394,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5963,7 +5965,7 @@ index 4edc40d..f9f01e8 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -342,9 +406,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +408,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -8903,7 +8905,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..4b49713 100644
+index cf04cb5..1abe365 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8944,7 +8946,7 @@ index cf04cb5..4b49713 100644
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,46 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
@@ -8982,6 +8984,7 @@ index cf04cb5..4b49713 100644
+files_read_inherited_tmp_files(domain)
+files_append_inherited_tmp_files(domain)
+files_read_all_base_ro_files(domain)
++files_dontaduit_getattr_kernel_symbol_table(domain)
+
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
@@ -8992,7 +8995,7 @@ index cf04cb5..4b49713 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +168,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -9011,7 +9014,7 @@ index cf04cb5..4b49713 100644
')
optional_policy(`
-@@ -133,6 +190,9 @@ optional_policy(`
+@@ -133,6 +191,9 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -9021,7 +9024,7 @@ index cf04cb5..4b49713 100644
')
########################################
-@@ -147,12 +207,18 @@ optional_policy(`
+@@ -147,12 +208,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -9041,7 +9044,7 @@ index cf04cb5..4b49713 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +232,326 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +233,330 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9300,6 +9303,10 @@ index cf04cb5..4b49713 100644
+ cron_rw_system_job_pipes(domain)
+')
+
++optional_policy(`
++ devicekit_dbus_chat_power(domain)
++')
++
+ifdef(`hide_broken_symptoms',`
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
@@ -9619,7 +9626,7 @@ index c2c6e05..2282452 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..8eb459b 100644
+index 64ff4d7..a47b644 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11387,7 +11394,32 @@ index 64ff4d7..8eb459b 100644
')
########################################
-@@ -5223,6 +6319,24 @@ interface(`files_list_var',`
+@@ -5094,6 +6190,24 @@ interface(`files_create_kernel_symbol_table',`
+
+ ########################################
+ ## <summary>
++## Dontaudit getattr attempts on the system.map file
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
++ gen_require(`
++ type system_map_t;
++ ')
++
++ dontaudit $1 system_map_t:file getattr;
++')
++
++########################################
++## <summary>
+ ## Read system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -5223,6 +6337,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -11412,7 +11444,16 @@ index 64ff4d7..8eb459b 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5507,6 +6621,23 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5310,7 +6442,7 @@ interface(`files_dontaudit_rw_var_files',`
+ type var_t;
+ ')
+
+- dontaudit $1 var_t:file rw_file_perms;
++ dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -5507,6 +6639,23 @@ interface(`files_rw_var_lib_dirs',`
rw_dirs_pattern($1, var_lib_t, var_lib_t)
')
@@ -11436,7 +11477,7 @@ index 64ff4d7..8eb459b 100644
########################################
## <summary>
## Create objects in the /var/lib directory
-@@ -5578,6 +6709,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5578,6 +6727,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11462,7 +11503,7 @@ index 64ff4d7..8eb459b 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5623,7 +6773,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6791,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -11471,7 +11512,7 @@ index 64ff4d7..8eb459b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5631,12 +6781,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6799,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -11487,7 +11528,7 @@ index 64ff4d7..8eb459b 100644
')
########################################
-@@ -5654,6 +6805,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6823,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11495,7 +11536,7 @@ index 64ff4d7..8eb459b 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5680,7 +6832,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6850,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -11523,7 +11564,7 @@ index 64ff4d7..8eb459b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5688,13 +6859,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6877,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -11540,7 +11581,7 @@ index 64ff4d7..8eb459b 100644
')
########################################
-@@ -5713,7 +6883,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6901,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11549,7 +11590,7 @@ index 64ff4d7..8eb459b 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5746,7 +6916,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6934,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -11557,7 +11598,7 @@ index 64ff4d7..8eb459b 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5761,7 +6930,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5761,7 +6948,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
## <summary>
@@ -11566,7 +11607,7 @@ index 64ff4d7..8eb459b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5769,13 +6938,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,13 +6956,33 @@ interface(`files_relabel_all_lock_dirs',`
## </summary>
## </param>
#
@@ -11601,7 +11642,7 @@ index 64ff4d7..8eb459b 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5791,13 +6980,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6998,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -11619,7 +11660,7 @@ index 64ff4d7..8eb459b 100644
')
########################################
-@@ -5816,9 +7004,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +7022,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11630,7 +11671,7 @@ index 64ff4d7..8eb459b 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5860,8 +7046,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +7064,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11640,7 +11681,7 @@ index 64ff4d7..8eb459b 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +7068,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +7086,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11650,7 +11691,7 @@ index 64ff4d7..8eb459b 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +7105,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +7123,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11660,7 +11701,7 @@ index 64ff4d7..8eb459b 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5961,7 +7144,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +7162,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11669,7 +11710,7 @@ index 64ff4d7..8eb459b 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5981,10 +7164,48 @@ interface(`files_search_pids',`
+@@ -5981,18 +7182,56 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11678,11 +11719,16 @@ index 64ff4d7..8eb459b 100644
search_dirs_pattern($1, var_t, var_run_t)
')
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Do not audit attempts to search
+-## the /var/run directory.
+## Add and remove entries from pid directories.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain to not audit.
+## <summary>
+## Domain allowed access.
+## </summary>
@@ -11715,10 +11761,18 @@ index 64ff4d7..8eb459b 100644
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
- ########################################
- ## <summary>
- ## Do not audit attempts to search
-@@ -6007,6 +7228,25 @@ interface(`files_dontaudit_search_pids',`
++########################################
++## <summary>
++## Do not audit attempts to search
++## the /var/run directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+@@ -6007,6 +7246,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -11744,7 +11798,7 @@ index 64ff4d7..8eb459b 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -6021,7 +7261,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7279,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -11753,7 +11807,7 @@ index 64ff4d7..8eb459b 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6040,7 +7280,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7298,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -11762,7 +11816,7 @@ index 64ff4d7..8eb459b 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6060,7 +7300,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7318,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11771,7 +11825,7 @@ index 64ff4d7..8eb459b 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6122,7 +7362,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7380,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11779,7 +11833,7 @@ index 64ff4d7..8eb459b 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6151,6 +7390,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6151,6 +7408,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
## <summary>
@@ -11804,7 +11858,7 @@ index 64ff4d7..8eb459b 100644
## Read and write generic process ID files.
## </summary>
## <param name="domain">
-@@ -6164,7 +7421,7 @@ interface(`files_rw_generic_pids',`
+@@ -6164,7 +7439,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -11813,236 +11867,392 @@ index 64ff4d7..8eb459b 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6231,6 +7488,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +7506,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
+-## Read all process ID files.
+## Relable all pid directories
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_read_all_pids',`
+interface(`files_relabel_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
+ relabel_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process IDs.
+## Delete all pid sockets
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
+interface(`files_delete_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ allow $1 pidfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process ID directories.
+## Create all pid sockets
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6287,42 +7550,35 @@ interface(`files_delete_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
+interface(`files_create_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
+ allow $1 pidfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Create all pid named pipes
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain alloed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
+interface(`files_create_all_pid_pipes',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+ ')
+
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Delete all pid named pipes
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6330,18 +7586,18 @@ interface(`files_manage_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
+interface(`files_delete_all_pid_pipes',`
-+ gen_require(`
+ gen_require(`
+- attribute polymember;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- allow $1 polymember:dir mounton;
+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the contents of generic spool
+-## directories (/var/spool).
+## manage all pidfile directories
+## in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6349,37 +7605,40 @@ interface(`files_mounton_all_poly_members',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
+interface(`files_manage_all_pid_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
+ manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
+ ')
+
+
-+########################################
-+## <summary>
- ## Read all process ID files.
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search generic
+-## spool directories.
++## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -6243,12 +7610,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
- interface(`files_read_all_pids',`
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_dontaudit_search_spool',`
++interface(`files_read_all_pids',`
gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
+- type var_spool_t;
++ attribute pidfile;
+ type var_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, pidfile)
- read_files_pattern($1, pidfile, pidfile)
+- dontaudit $1 var_spool_t:dir search_dir_perms;
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of generic spool
+-## (/var/spool) directories.
+## Relable all pid files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6387,18 +7646,17 @@ interface(`files_dontaudit_search_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
+interface(`files_relabel_all_pid_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+ relabel_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
+## Execute generic programs in /var/run in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6406,18 +7664,18 @@ interface(`files_list_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
+interface(`files_exec_generic_pid_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ type var_run_t;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic spool files.
+## manage all pidfiles
+## in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6425,19 +7683,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
+interface(`files_manage_all_pids',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
+ manage_files_pattern($1,pidfile,pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool files.
+## Mount filesystems on all polyinstantiation
+## member directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6445,55 +7702,43 @@ interface(`files_read_generic_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool',`
+interface(`files_mounton_all_poly_members',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute polymember;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
+ allow $1 polymember:dir mounton;
')
########################################
-@@ -6268,8 +7709,8 @@ interface(`files_delete_all_pids',`
- type var_t, var_run_t;
- ')
-
-+ files_search_pids($1)
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- allow $1 var_run_t:dir rmdir;
- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
- delete_files_pattern($1, pidfile, pidfile)
-@@ -6293,36 +7734,80 @@ interface(`files_delete_all_pid_dirs',`
- type var_t, var_run_t;
+ ## <summary>
+-## Create objects in the spool directory
+-## with a private type with a type transition.
++## Delete all process IDs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file">
+-## <summary>
+-## Type to which the created node will be transitioned.
+-## </summary>
+-## </param>
+-## <param name="class">
+-## <summary>
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
++## <rolecap/>
+ #
+-interface(`files_spool_filetrans',`
++interface(`files_delete_all_pids',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
++ type var_t, var_run_t;
')
+ files_search_pids($1)
allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- delete_dirs_pattern($1, pidfile, pidfile)
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
')
########################################
## <summary>
--## Create, read, write and delete all
--## var_run (pid) content
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
++## Delete all process ID directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6501,53 +7746,68 @@ interface(`files_spool_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_polyinstantiate_all',`
++interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
++ attribute pidfile;
++ type var_t, var_run_t;
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
++ files_search_pids($1)
++ allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
++')
+
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
++########################################
++## <summary>
+## Make the specified type a file
+## used for spool files.
+## </summary>
@@ -12083,56 +12293,49 @@ index 64ff4d7..8eb459b 100644
+interface(`files_spool_file',`
+ gen_require(`
+ attribute spoolfile;
-+ ')
+ ')
+
+ files_type($1)
+ typeattribute $1 spoolfile;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Unconfined access to files.
+## Create all spool sockets
## </summary>
## <param name="domain">
## <summary>
--## Domain alloed access.
-+## Domain allowed access.
+@@ -6555,10 +7815,785 @@ interface(`files_polyinstantiate_all',`
## </summary>
## </param>
#
--interface(`files_manage_all_pids',`
+-interface(`files_unconfined',`
+interface(`files_create_all_spool_sockets',`
gen_require(`
-- attribute pidfile;
+- attribute files_unconfined_type;
+ attribute spoolfile;
')
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
+- typeattribute $1 files_unconfined_type;
+ allow $1 spoolfile:sock_file create_sock_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Mount filesystems on all polyinstantiation
--## member directories.
++')
++
++########################################
++## <summary>
+## Delete all spool sockets
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6330,12 +7815,33 @@ interface(`files_manage_all_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_mounton_all_poly_members',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_delete_all_spool_sockets',`
- gen_require(`
-- attribute polymember;
++ gen_require(`
+ attribute spoolfile;
- ')
-
-- allow $1 polymember:dir mounton;
++ ')
++
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
@@ -12155,13 +12358,232 @@ index 64ff4d7..8eb459b 100644
+ ')
+
+ relabel_dirs_pattern($1, spoolfile, spoolfile)
- ')
-
- ########################################
-@@ -6562,3 +8068,514 @@ interface(`files_unconfined',`
-
- typeattribute $1 files_unconfined_type;
- ')
++')
++
++########################################
++## <summary>
++## Search the contents of generic spool
++## directories (/var/spool).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_search_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ search_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to search generic
++## spool directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_search_spool',`
++ gen_require(`
++ type var_spool_t;
++ ')
++
++ dontaudit $1 var_spool_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++## List the contents of generic spool
++## (/var/spool) directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_list_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete generic
++## spool directories (/var/spool).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_generic_spool_dirs',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_dirs_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Read generic spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_spool_t)
++ read_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete generic
++## spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Create objects in the spool directory
++## with a private type with a type transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="file">
++## <summary>
++## Type to which the created node will be transitioned.
++## </summary>
++## </param>
++## <param name="class">
++## <summary>
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`files_spool_filetrans',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_spool_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++## Allow access to manage all polyinstantiated
++## directories on the system.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_polyinstantiate_all',`
++ gen_require(`
++ attribute polydir, polymember, polyparent;
++ type poly_t;
++ ')
++
++ # Need to give access to /selinux/member
++ selinux_compute_member($1)
++
++ # Need sys_admin capability for mounting
++ allow $1 self:capability { chown fsetid sys_admin fowner };
++
++ # Need to give access to the directories to be polyinstantiated
++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++ # Need to give access to the polyinstantiated subdirectories
++ allow $1 polymember:dir search_dir_perms;
++
++ # Need to give access to parent directories where original
++ # is remounted for polyinstantiation aware programs (like gdm)
++ allow $1 polyparent:dir { getattr mounton };
++
++ # Need to give permission to create directories where applicable
++ allow $1 self:process setfscreate;
++ allow $1 polymember: dir { create setattr relabelto };
++ allow $1 polydir: dir { write add_name open };
++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++ # Default type for mountpoints
++ allow $1 poly_t:dir { create mounton };
++ fs_unmount_xattr_fs($1)
++
++ fs_mount_tmpfs($1)
++ fs_unmount_tmpfs($1)
++
++ ifdef(`distro_redhat',`
++ # namespace.init
++ files_search_tmp($1)
++ files_search_home($1)
++ corecmd_exec_bin($1)
++ seutil_domtrans_setfiles($1)
++ ')
++')
++
++########################################
++## <summary>
++## Unconfined access to files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_unconfined',`
++ gen_require(`
++ attribute files_unconfined_type;
++ ')
++
++ typeattribute $1 files_unconfined_type;
++')
+
+########################################
+## <summary>
@@ -12672,7 +13094,7 @@ index 64ff4d7..8eb459b 100644
+ ')
+
+ allow $1 etc_t:service status;
-+')
+ ')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 148d87a..ccbcb66 100644
--- a/policy/modules/kernel/files.te
@@ -14319,7 +14741,7 @@ index 8416beb..c6cd3eb 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..1198b51 100644
+index 9e603f5..3b8dd74 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
@@ -14342,12 +14764,13 @@ index 9e603f5..1198b51 100644
type bdev_t;
fs_type(bdev_t)
-@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t)
+@@ -63,12 +67,18 @@ fs_type(binfmt_misc_fs_t)
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
+type oracleasmfs_t;
+fs_type(oracleasmfs_t)
++dev_node(oracleasmfs_t)
+files_mountpoint(oracleasmfs_t)
+genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0)
+
@@ -14361,7 +14784,7 @@ index 9e603f5..1198b51 100644
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
-@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -89,6 +99,11 @@ fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
@@ -14373,7 +14796,7 @@ index 9e603f5..1198b51 100644
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -97,6 +111,7 @@ type hugetlbfs_t;
+@@ -97,6 +112,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -14381,7 +14804,7 @@ index 9e603f5..1198b51 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -119,12 +135,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
@@ -14399,7 +14822,7 @@ index 9e603f5..1198b51 100644
type ramfs_t;
fs_type(ramfs_t)
files_mountpoint(ramfs_t)
-@@ -145,11 +165,6 @@ fs_type(spufs_t)
+@@ -145,11 +166,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -14411,7 +14834,7 @@ index 9e603f5..1198b51 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -167,6 +182,8 @@ type vxfs_t;
+@@ -167,6 +183,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -14420,7 +14843,7 @@ index 9e603f5..1198b51 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +193,8 @@ fs_type(tmpfs_t)
+@@ -176,6 +194,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -14429,7 +14852,7 @@ index 9e603f5..1198b51 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +275,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -14438,7 +14861,7 @@ index 9e603f5..1198b51 100644
files_mountpoint(removable_t)
#
-@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +296,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -17363,7 +17786,7 @@ index 0000000..48caabc
+allow domain unlabeled_t:packet { send recv };
+
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
-index 834a065..c769f81 100644
+index 834a065..ff93697 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0)
@@ -17375,10 +17798,12 @@ index 834a065..c769f81 100644
########################################
#
-@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t)
+@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t)
domain_kill_all_domains(auditadm_t)
++mls_file_read_all_levels(auditadm_t)
++
+selinux_read_policy(auditadm_t)
+
logging_send_syslog_msg(auditadm_t)
@@ -17455,7 +17880,7 @@ index 234a940..d340f20 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..6412825 100644
+index 5da7870..5247b99 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,71 @@ policy_module(staff, 2.3.1)
@@ -17680,7 +18105,7 @@ index 5da7870..6412825 100644
')
optional_policy(`
-@@ -52,11 +230,57 @@ optional_policy(`
+@@ -52,11 +230,61 @@ optional_policy(`
')
optional_policy(`
@@ -17725,6 +18150,10 @@ index 5da7870..6412825 100644
')
optional_policy(`
++ vmtools_run_helper(staff_t, staff_r)
++')
++
++optional_policy(`
+ vnstatd_read_lib_files(staff_t)
+')
+
@@ -17738,7 +18167,7 @@ index 5da7870..6412825 100644
')
ifndef(`distro_redhat',`
-@@ -65,10 +289,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +293,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17749,7 +18178,7 @@ index 5da7870..6412825 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -78,10 +298,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +302,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@@ -17760,7 +18189,7 @@ index 5da7870..6412825 100644
')
optional_policy(`
-@@ -101,10 +317,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +321,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17771,7 +18200,7 @@ index 5da7870..6412825 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +337,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +341,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17782,7 +18211,7 @@ index 5da7870..6412825 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +349,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +353,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17793,7 +18222,7 @@ index 5da7870..6412825 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +380,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +384,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -17845,7 +18274,7 @@ index ff92430..36740ea 100644
## <summary>
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..f520b74 100644
+index 88d0028..4a77968 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
@@ -18354,7 +18783,7 @@ index 88d0028..f520b74 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +575,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +575,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -18421,6 +18850,10 @@ index 88d0028..f520b74 100644
+ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
+
++ optional_policy(`
++ vmtools_run_helper(sysadm_t, sysadm_r)
++ ')
++
+ optional_policy(`
+ vmware_role(sysadm_r, sysadm_t)
+ ')
@@ -19137,10 +19570,10 @@ index 0000000..b1163a6
+')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..539c163
+index 0000000..b126e2b
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,332 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -19301,6 +19734,10 @@ index 0000000..539c163
+ sandbox_x_transition(unconfined_t, unconfined_r)
+ ')
+
++ optional_policy(`
++ vmtools_run_helper(unconfined_t, unconfined_r)
++ ')
++
+ optional_policy(`
+ gen_require(`
+ type user_tmpfs_t;
@@ -19480,7 +19917,7 @@ index 3835596..fbca2be 100644
########################################
## <summary>
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index cdfddf4..ad1f001 100644
+index cdfddf4..e53ec1a 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
@@ -19636,7 +20073,18 @@ index cdfddf4..ad1f001 100644
optional_policy(`
su_role_template(user, user_r, user_t)
')
-@@ -161,3 +263,15 @@ ifndef(`distro_redhat',`
+@@ -153,6 +255,10 @@ ifndef(`distro_redhat',`
+ userhelper_role_template(user, user_r, user_t)
+ ')
+
++ optional_policy(`
++ vmtools_run_helper(user_t, user_r)
++ ')
++
+ optional_policy(`
+ vmware_role(user_r, user_t)
+ ')
+@@ -161,3 +267,15 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -20270,7 +20718,7 @@ index 76d9f66..5c271ce 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..c0413e8 100644
+index fe0c682..e8dcfa7 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@@ -20521,7 +20969,7 @@ index fe0c682..c0413e8 100644
allow ssh_t $3:unix_stream_socket rw_socket_perms;
allow ssh_t $3:unix_stream_socket connectto;
+ allow ssh_t $3:key manage_key_perms;
-+ allow $3 ssh_t:key read;
++ allow $3 ssh_t:key { write search read view };
# user can manage the keys and config
manage_files_pattern($3, ssh_home_t, ssh_home_t)
@@ -27031,7 +27479,7 @@ index 9a4d3a7..9d960bb 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..45d0b37 100644
+index 24e7804..e28a0ca 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -28013,7 +28461,7 @@ index 24e7804..45d0b37 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2338,432 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2338,450 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -28427,6 +28875,24 @@ index 24e7804..45d0b37 100644
+
+########################################
+## <summary>
++## Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_manage_transient_unit',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:service { start stop reload status };
++')
++
++########################################
++## <summary>
+## Transition to init named content
+## </summary>
+## <param name="domain">
@@ -28447,7 +28913,7 @@ index 24e7804..45d0b37 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..b3ddfe3 100644
+index dd3be8d..381903f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -28502,7 +28968,7 @@ index dd3be8d..b3ddfe3 100644
# Mark file type as a daemon run directory
attribute daemonrundir;
-@@ -35,12 +64,14 @@ attribute daemonrundir;
+@@ -35,12 +64,20 @@ attribute daemonrundir;
#
# init_t is the domain of the init process.
#
@@ -28515,10 +28981,16 @@ index dd3be8d..b3ddfe3 100644
kernel_domtrans_to(init_t, init_exec_t)
role system_r types init_t;
+init_initrc_domain(init_t)
++
++#
++# init_tmp_t is the type for content in /tmp directory
++#
++type init_tmp_t;
++files_tmp_file(init_tmp_t)
#
# init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -49,6 +80,15 @@ type init_var_run_t;
+@@ -49,6 +86,15 @@ type init_var_run_t;
files_pid_file(init_var_run_t)
#
@@ -28534,7 +29006,7 @@ index dd3be8d..b3ddfe3 100644
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
-@@ -57,7 +97,7 @@ type initctl_t;
+@@ -57,7 +103,7 @@ type initctl_t;
files_type(initctl_t)
mls_trusted_object(initctl_t)
@@ -28543,7 +29015,7 @@ index dd3be8d..b3ddfe3 100644
type initrc_exec_t, init_script_file_type;
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
-@@ -98,7 +138,9 @@ ifdef(`enable_mls',`
+@@ -98,7 +144,9 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
@@ -28554,7 +29026,7 @@ index dd3be8d..b3ddfe3 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -108,14 +150,37 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +156,42 @@ allow init_t self:capability ~sys_module;
allow init_t self:fifo_file rw_fifo_file_perms;
@@ -28577,6 +29049,11 @@ index dd3be8d..b3ddfe3 100644
+allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
+allow initrc_t init_t:fifo_file rw_fifo_file_perms;
+
++manage_files_pattern(init_t, init_tmp_t, init_tmp_t)
++manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)
++manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)
++files_tmp_filetrans(init_t, init_tmp_t, { file dir })
++
+manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
+manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
+manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
@@ -28598,7 +29075,7 @@ index dd3be8d..b3ddfe3 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +190,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +201,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -28618,7 +29095,7 @@ index dd3be8d..b3ddfe3 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +209,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +220,21 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -28636,10 +29113,11 @@ index dd3be8d..b3ddfe3 100644
# Run /etc/X11/prefdm:
files_exec_etc_files(init_t)
+files_read_usr_files(init_t)
++files_write_root_dirs(init_t)
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +232,52 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +244,52 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -28682,20 +29160,20 @@ index dd3be8d..b3ddfe3 100644
seutil_read_config(init_t)
+seutil_read_module_store(init_t)
-+
+
+-miscfiles_read_localization(init_t)
+miscfiles_manage_localization(init_t)
+miscfiles_filetrans_named_content(init_t)
+
+userdom_use_user_ttys(init_t)
+userdom_manage_tmp_dirs(init_t)
+userdom_manage_tmp_sockets(init_t)
-
--miscfiles_read_localization(init_t)
++
+allow init_t self:process setsched;
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +286,210 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +298,225 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -28871,9 +29349,24 @@ index dd3be8d..b3ddfe3 100644
+auth_rw_login_records(init_t)
+auth_domtrans_chk_passwd(init_t)
+
-+optional_policy(`
-+ ipsec_read_config(init_t)
-+ ipsec_manage_pid(init_t)
++ifdef(`distro_redhat',`
++ # it comes from setupr scripts used in systemd unit files
++ # has been covered by initrc_t
++ optional_policy(`
++ bind_manage_config_dirs(init_t)
++ bind_manage_config(init_t)
++ bind_write_config(init_t)
++ bind_setattr_zone_dirs(init_t)
++ ')
++
++ optional_policy(`
++ ipsec_read_config(init_t)
++ ipsec_manage_pid(init_t)
++ ')
++
++ optional_policy(`
++ rpc_manage_nfs_state_data(init_t)
++ ')
+')
+
+optional_policy(`
@@ -28893,18 +29386,18 @@ index dd3be8d..b3ddfe3 100644
+ optional_policy(`
+ devicekit_dbus_chat_power(init_t)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_use(init_t)
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
- ')
-
- optional_policy(`
-- nscd_use(init_t)
++')
++
++optional_policy(`
+ networkmanager_stream_connect(init_t)
+')
+
@@ -28914,7 +29407,7 @@ index dd3be8d..b3ddfe3 100644
')
optional_policy(`
-@@ -216,7 +497,30 @@ optional_policy(`
+@@ -216,7 +524,30 @@ optional_policy(`
')
optional_policy(`
@@ -28945,7 +29438,7 @@ index dd3be8d..b3ddfe3 100644
')
########################################
-@@ -225,8 +529,9 @@ optional_policy(`
+@@ -225,8 +556,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28957,7 +29450,7 @@ index dd3be8d..b3ddfe3 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +562,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +589,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28974,7 +29467,7 @@ index dd3be8d..b3ddfe3 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +587,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +614,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29017,7 +29510,7 @@ index dd3be8d..b3ddfe3 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +624,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +651,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -29029,7 +29522,7 @@ index dd3be8d..b3ddfe3 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +636,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +663,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -29040,7 +29533,7 @@ index dd3be8d..b3ddfe3 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +647,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +674,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -29050,7 +29543,7 @@ index dd3be8d..b3ddfe3 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +656,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +683,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -29058,7 +29551,7 @@ index dd3be8d..b3ddfe3 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +663,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +690,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -29066,7 +29559,7 @@ index dd3be8d..b3ddfe3 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +671,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +698,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29084,7 +29577,7 @@ index dd3be8d..b3ddfe3 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +689,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +716,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29098,7 +29591,7 @@ index dd3be8d..b3ddfe3 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +704,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +731,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29112,7 +29605,7 @@ index dd3be8d..b3ddfe3 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +717,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +744,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -29120,7 +29613,7 @@ index dd3be8d..b3ddfe3 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +729,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +756,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -29128,7 +29621,7 @@ index dd3be8d..b3ddfe3 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +748,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +775,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -29152,7 +29645,7 @@ index dd3be8d..b3ddfe3 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +781,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +808,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -29160,7 +29653,7 @@ index dd3be8d..b3ddfe3 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +815,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +842,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -29171,7 +29664,7 @@ index dd3be8d..b3ddfe3 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +839,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +866,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29180,7 +29673,7 @@ index dd3be8d..b3ddfe3 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +854,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +881,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -29188,7 +29681,7 @@ index dd3be8d..b3ddfe3 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +875,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +902,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -29196,7 +29689,7 @@ index dd3be8d..b3ddfe3 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +885,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +912,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -29241,7 +29734,7 @@ index dd3be8d..b3ddfe3 100644
')
optional_policy(`
-@@ -558,14 +930,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +957,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -29273,7 +29766,7 @@ index dd3be8d..b3ddfe3 100644
')
')
-@@ -576,6 +965,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +992,39 @@ ifdef(`distro_suse',`
')
')
@@ -29313,7 +29806,7 @@ index dd3be8d..b3ddfe3 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1010,8 @@ optional_policy(`
+@@ -588,6 +1037,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29322,7 +29815,7 @@ index dd3be8d..b3ddfe3 100644
')
optional_policy(`
-@@ -609,6 +1033,7 @@ optional_policy(`
+@@ -609,6 +1060,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -29330,7 +29823,7 @@ index dd3be8d..b3ddfe3 100644
')
optional_policy(`
-@@ -625,6 +1050,17 @@ optional_policy(`
+@@ -625,6 +1077,17 @@ optional_policy(`
')
optional_policy(`
@@ -29348,7 +29841,7 @@ index dd3be8d..b3ddfe3 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1077,13 @@ optional_policy(`
+@@ -641,9 +1104,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29362,7 +29855,7 @@ index dd3be8d..b3ddfe3 100644
')
optional_policy(`
-@@ -656,15 +1096,11 @@ optional_policy(`
+@@ -656,15 +1123,11 @@ optional_policy(`
')
optional_policy(`
@@ -29380,7 +29873,7 @@ index dd3be8d..b3ddfe3 100644
')
optional_policy(`
-@@ -685,6 +1121,15 @@ optional_policy(`
+@@ -685,6 +1148,15 @@ optional_policy(`
')
optional_policy(`
@@ -29396,7 +29889,7 @@ index dd3be8d..b3ddfe3 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1170,7 @@ optional_policy(`
+@@ -725,6 +1197,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -29404,7 +29897,7 @@ index dd3be8d..b3ddfe3 100644
')
optional_policy(`
-@@ -742,7 +1188,13 @@ optional_policy(`
+@@ -742,7 +1215,13 @@ optional_policy(`
')
optional_policy(`
@@ -29419,7 +29912,7 @@ index dd3be8d..b3ddfe3 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1217,10 @@ optional_policy(`
+@@ -765,6 +1244,10 @@ optional_policy(`
')
optional_policy(`
@@ -29430,7 +29923,7 @@ index dd3be8d..b3ddfe3 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1230,20 @@ optional_policy(`
+@@ -774,10 +1257,20 @@ optional_policy(`
')
optional_policy(`
@@ -29451,7 +29944,7 @@ index dd3be8d..b3ddfe3 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1252,10 @@ optional_policy(`
+@@ -786,6 +1279,10 @@ optional_policy(`
')
optional_policy(`
@@ -29462,7 +29955,7 @@ index dd3be8d..b3ddfe3 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1277,6 @@ optional_policy(`
+@@ -807,8 +1304,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29471,7 +29964,7 @@ index dd3be8d..b3ddfe3 100644
')
optional_policy(`
-@@ -817,6 +1285,10 @@ optional_policy(`
+@@ -817,6 +1312,10 @@ optional_policy(`
')
optional_policy(`
@@ -29482,7 +29975,7 @@ index dd3be8d..b3ddfe3 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1298,12 @@ optional_policy(`
+@@ -826,10 +1325,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -29495,7 +29988,7 @@ index dd3be8d..b3ddfe3 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1330,35 @@ optional_policy(`
+@@ -856,12 +1357,35 @@ optional_policy(`
')
optional_policy(`
@@ -29532,7 +30025,7 @@ index dd3be8d..b3ddfe3 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1368,18 @@ optional_policy(`
+@@ -871,6 +1395,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29551,7 +30044,7 @@ index dd3be8d..b3ddfe3 100644
')
optional_policy(`
-@@ -886,6 +1395,10 @@ optional_policy(`
+@@ -886,6 +1422,10 @@ optional_policy(`
')
optional_policy(`
@@ -29562,7 +30055,7 @@ index dd3be8d..b3ddfe3 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1409,218 @@ optional_policy(`
+@@ -896,3 +1436,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -32546,10 +33039,39 @@ index 879bb1e..633e449 100644
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..f0de612 100644
+index 58bc27f..4e8728f 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
-@@ -123,3 +123,113 @@ interface(`lvm_domtrans_clvmd',`
+@@ -86,6 +86,28 @@ interface(`lvm_read_config',`
+
+ ########################################
+ ## <summary>
++## Read LVM configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`lvm_read_metadata',`
++ gen_require(`
++ type lvm_etc_t;
++ type lvm_metadata_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 lvm_etc_t:dir list_dir_perms;
++ read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)
++')
++
++########################################
++## <summary>
+ ## Manage LVM configuration files.
+ ## </summary>
+ ## <param name="domain">
+@@ -123,3 +145,113 @@ interface(`lvm_domtrans_clvmd',`
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
')
@@ -36455,7 +36977,7 @@ index 6944526..86c7a82 100644
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..087fe08 100644
+index b7686d5..28f16ce 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -36707,7 +37229,7 @@ index b7686d5..087fe08 100644
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
-@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -274,14 +333,31 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -36731,6 +37253,7 @@ index b7686d5..087fe08 100644
+files_dontaudit_rw_inherited_locks(ifconfig_t)
+files_dontaudit_read_root_files(ifconfig_t)
+files_rw_inherited_tmp_file(ifconfig_t)
++files_dontaudit_rw_var_files(ifconfig_t)
+
files_read_etc_files(ifconfig_t)
files_read_etc_runtime_files(ifconfig_t)
@@ -36738,7 +37261,7 @@ index b7686d5..087fe08 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +370,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -36766,7 +37289,7 @@ index b7686d5..087fe08 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +394,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -36789,7 +37312,7 @@ index b7686d5..087fe08 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +420,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -36803,7 +37326,7 @@ index b7686d5..087fe08 100644
')
optional_policy(`
-@@ -339,7 +432,15 @@ optional_policy(`
+@@ -339,7 +433,15 @@ optional_policy(`
')
optional_policy(`
@@ -36820,7 +37343,7 @@ index b7686d5..087fe08 100644
')
optional_policy(`
-@@ -360,3 +461,13 @@ optional_policy(`
+@@ -360,3 +462,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -40341,7 +40864,7 @@ index db75976..e4eb903 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..1e5eb3b 100644
+index 3c5dba7..519b132 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40931,7 +41454,7 @@ index 3c5dba7..1e5eb3b 100644
')
')
-@@ -491,7 +659,8 @@ template(`userdom_common_user_template',`
+@@ -491,51 +659,63 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -40941,7 +41464,10 @@ index 3c5dba7..1e5eb3b 100644
##############################
#
-@@ -501,41 +670,51 @@ template(`userdom_common_user_template',`
+ # User domain Local policy
+ #
++ allow $1_t self:packet_socket create_socket_perms;
+
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -41016,7 +41542,7 @@ index 3c5dba7..1e5eb3b 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,93 +725,120 @@ template(`userdom_common_user_template',`
+@@ -546,93 +726,120 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -41175,7 +41701,7 @@ index 3c5dba7..1e5eb3b 100644
')
optional_policy(`
-@@ -642,23 +848,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +849,21 @@ template(`userdom_common_user_template',`
optional_policy(`
mpd_manage_user_data_content($1_t)
mpd_relabel_user_data_content($1_t)
@@ -41204,7 +41730,7 @@ index 3c5dba7..1e5eb3b 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +875,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +876,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -41213,7 +41739,7 @@ index 3c5dba7..1e5eb3b 100644
')
optional_policy(`
-@@ -680,9 +884,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +885,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -41226,7 +41752,7 @@ index 3c5dba7..1e5eb3b 100644
')
')
-@@ -693,32 +897,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +898,35 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -41273,7 +41799,7 @@ index 3c5dba7..1e5eb3b 100644
')
')
-@@ -743,17 +950,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +951,33 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -41311,7 +41837,7 @@ index 3c5dba7..1e5eb3b 100644
userdom_change_password_template($1)
-@@ -761,83 +984,107 @@ template(`userdom_login_user_template', `
+@@ -761,83 +985,107 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -41455,7 +41981,7 @@ index 3c5dba7..1e5eb3b 100644
')
#######################################
-@@ -868,6 +1115,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1116,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -41468,7 +41994,7 @@ index 3c5dba7..1e5eb3b 100644
##############################
#
# Local policy
-@@ -907,42 +1160,99 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1161,99 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -41581,7 +42107,7 @@ index 3c5dba7..1e5eb3b 100644
')
optional_policy(`
-@@ -951,19 +1261,40 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,19 +1262,40 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
@@ -41630,7 +42156,7 @@ index 3c5dba7..1e5eb3b 100644
## <desc>
## <p>
## The template for creating a unprivileged user roughly
-@@ -990,27 +1321,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1322,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -41668,7 +42194,7 @@ index 3c5dba7..1e5eb3b 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1021,23 +1358,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1359,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -41739,7 +42265,7 @@ index 3c5dba7..1e5eb3b 100644
')
# Run pppd in pppd_t by default for user
-@@ -1046,7 +1420,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1421,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -41750,7 +42276,7 @@ index 3c5dba7..1e5eb3b 100644
')
')
-@@ -1082,7 +1458,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1459,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -41761,7 +42287,7 @@ index 3c5dba7..1e5eb3b 100644
')
##############################
-@@ -1098,6 +1476,7 @@ template(`userdom_admin_user_template',`
+@@ -1098,6 +1477,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -41769,25 +42295,24 @@ index 3c5dba7..1e5eb3b 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1109,6 +1488,7 @@ template(`userdom_admin_user_template',`
+@@ -1108,14 +1488,8 @@ template(`userdom_admin_user_template',`
+ # $1_t local policy
#
- allow $1_t self:capability ~{ sys_module audit_control audit_write };
-+ allow $1_t self:capability2 { block_suspend syslog };
- allow $1_t self:process { setexec setfscreate };
- allow $1_t self:netlink_audit_socket nlmsg_readpriv;
- allow $1_t self:tun_socket create;
-@@ -1117,6 +1497,9 @@ template(`userdom_admin_user_template',`
- # Skip authentication when pam_rootok is specified.
- allow $1_t self:passwd rootok;
-
+- allow $1_t self:capability ~{ sys_module audit_control audit_write };
+- allow $1_t self:process { setexec setfscreate };
+- allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+- allow $1_t self:tun_socket create;
+- # Set password information for other users.
+- allow $1_t self:passwd { passwd chfn chsh };
+- # Skip authentication when pam_rootok is specified.
+- allow $1_t self:passwd rootok;
+ # Manipulate other users crontab.
+ allow $1_t self:passwd crontab;
-+
+
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
- kernel_getattr_message_if($1_t)
-@@ -1131,6 +1514,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1505,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -41795,7 +42320,7 @@ index 3c5dba7..1e5eb3b 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1532,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1523,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -41810,7 +42335,7 @@ index 3c5dba7..1e5eb3b 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,29 +1550,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1541,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -41853,7 +42378,7 @@ index 3c5dba7..1e5eb3b 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1591,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1582,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -41862,7 +42387,7 @@ index 3c5dba7..1e5eb3b 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1600,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1591,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -41881,7 +42406,7 @@ index 3c5dba7..1e5eb3b 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1243,7 +1646,7 @@ template(`userdom_admin_user_template',`
+@@ -1243,7 +1637,7 @@ template(`userdom_admin_user_template',`
## </summary>
## </param>
#
@@ -41890,7 +42415,7 @@ index 3c5dba7..1e5eb3b 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1253,6 +1656,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1647,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -41899,7 +42424,7 @@ index 3c5dba7..1e5eb3b 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1265,8 +1670,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1661,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -41911,7 +42436,7 @@ index 3c5dba7..1e5eb3b 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,29 +1684,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1675,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -41954,7 +42479,7 @@ index 3c5dba7..1e5eb3b 100644
')
optional_policy(`
-@@ -1360,14 +1769,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1760,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -41973,7 +42498,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -1408,6 +1820,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1811,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -42025,7 +42550,7 @@ index 3c5dba7..1e5eb3b 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1512,11 +1969,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1960,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -42057,7 +42582,7 @@ index 3c5dba7..1e5eb3b 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1558,6 +2035,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +2026,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -42072,7 +42597,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -1573,9 +2058,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2049,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -42084,7 +42609,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -1632,6 +2119,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2110,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -42127,7 +42652,7 @@ index 3c5dba7..1e5eb3b 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1711,6 +2234,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2225,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -42136,7 +42661,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -1744,10 +2269,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2260,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -42151,7 +42676,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -1772,7 +2299,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2290,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@@ -42178,7 +42703,7 @@ index 3c5dba7..1e5eb3b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1782,53 +2327,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,53 +2318,70 @@ interface(`userdom_manage_user_home_content_dirs',`
#
interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
@@ -42261,7 +42786,7 @@ index 3c5dba7..1e5eb3b 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1848,6 +2410,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2401,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -42287,7 +42812,7 @@ index 3c5dba7..1e5eb3b 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1878,15 +2459,18 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2450,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -42303,48 +42828,39 @@ index 3c5dba7..1e5eb3b 100644
########################################
## <summary>
--## Do not audit attempts to read user home files.
+## Do not audit attempts to getattr user home files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -1894,18 +2478,18 @@ interface(`userdom_read_user_home_content_files',`
- ## </summary>
- ## </param>
- #
--interface(`userdom_dontaudit_read_user_home_content_files',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
+interface(`userdom_dontaudit_getattr_user_home_content',`
- gen_require(`
-- type user_home_t;
++ gen_require(`
+ attribute user_home_type;
- ')
-
-- dontaudit $1 user_home_t:dir list_dir_perms;
-- dontaudit $1 user_home_t:file read_file_perms;
++ ')
++
+ dontaudit $1 user_home_type:dir getattr;
+ dontaudit $1 user_home_type:file getattr;
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to append user home files.
-+## Do not audit attempts to read user home files.
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
- ## <summary>
-@@ -1913,17 +2497,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
- ## </summary>
- ## </param>
+@@ -1896,11 +2490,14 @@ interface(`userdom_read_user_home_content_files',`
#
--interface(`userdom_dontaudit_append_user_home_content_files',`
-+interface(`userdom_dontaudit_read_user_home_content_files',`
+ interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
- type user_home_t;
+ attribute user_home_type;
+ type user_home_dir_t;
')
-- dontaudit $1 user_home_t:file append_file_perms;
+- dontaudit $1 user_home_t:dir list_dir_perms;
+- dontaudit $1 user_home_t:file read_file_perms;
+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
+ dontaudit $1 user_home_type:dir list_dir_perms;
+ dontaudit $1 user_home_type:file read_file_perms;
@@ -42352,40 +42868,21 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
- ## <summary>
--## Do not audit attempts to write user home files.
-+## Do not audit attempts to append user home files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -1931,32 +2519,30 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
- ## </summary>
- ## </param>
- #
--interface(`userdom_dontaudit_write_user_home_content_files',`
-+interface(`userdom_dontaudit_append_user_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
-
-- dontaudit $1 user_home_t:file write_file_perms;
-+ dontaudit $1 user_home_t:file append_file_perms;
- ')
+@@ -1941,7 +2538,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
-## Delete all user home content files.
-+## Do not audit attempts to write user home files.
++## Delete files in a user home subdirectory.
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain to not audit.
+@@ -1949,19 +2546,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
## </summary>
## </param>
#
-interface(`userdom_delete_all_user_home_content_files',`
-+interface(`userdom_dontaudit_write_user_home_content_files',`
++interface(`userdom_delete_user_home_content_files',`
gen_require(`
- attribute user_home_content_type;
- type user_home_dir_t;
@@ -42394,34 +42891,34 @@ index 3c5dba7..1e5eb3b 100644
- userdom_search_user_home_content($1)
- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ dontaudit $1 user_home_t:file write_file_perms;
++ allow $1 user_home_t:file delete_file_perms;
')
########################################
-@@ -1979,11 +2565,83 @@ interface(`userdom_delete_user_home_content_files',`
-
- ########################################
## <summary>
--## Do not audit attempts to write user home files.
+-## Delete files in a user home subdirectory.
+## Delete all files in a user home subdirectory.
## </summary>
## <param name="domain">
## <summary>
--## Domain to not audit.
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+@@ -1969,17 +2564,71 @@ interface(`userdom_delete_all_user_home_content_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_delete_user_home_content_files',`
+interface(`userdom_delete_all_user_home_content_files',`
-+ gen_require(`
+ gen_require(`
+- type user_home_t;
+ attribute user_home_type;
-+ ')
-+
+ ')
+
+- allow $1 user_home_t:file delete_file_perms;
+ allow $1 user_home_type:file delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to write user home files.
+## Delete sock files in a user home subdirectory.
+## </summary>
+## <param name="domain">
@@ -42477,14 +42974,10 @@ index 3c5dba7..1e5eb3b 100644
+########################################
+## <summary>
+## Do not audit attempts to write user home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
-@@ -2010,8 +2668,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2010,8 +2659,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -42494,7 +42987,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -2027,21 +2684,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2675,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -42508,19 +43001,18 @@ index 3c5dba7..1e5eb3b 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
## <summary>
- ## Do not audit attempts to execute user home files.
-@@ -2123,7 +2774,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2765,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@@ -42529,7 +43021,7 @@ index 3c5dba7..1e5eb3b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2131,19 +2782,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2773,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -42553,7 +43045,7 @@ index 3c5dba7..1e5eb3b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2151,12 +2800,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2791,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -42569,7 +43061,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -2393,11 +3042,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +3033,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -42584,7 +43076,7 @@ index 3c5dba7..1e5eb3b 100644
files_search_tmp($1)
')
-@@ -2417,7 +3066,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3057,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -42593,7 +43085,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -2664,6 +3313,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3304,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -42619,7 +43111,7 @@ index 3c5dba7..1e5eb3b 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2680,13 +3348,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3339,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -42635,7 +43127,7 @@ index 3c5dba7..1e5eb3b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2707,7 +3376,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3367,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -42644,7 +43136,7 @@ index 3c5dba7..1e5eb3b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2715,14 +3384,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3375,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -42679,7 +43171,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -2817,6 +3502,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3493,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -42704,7 +43196,7 @@ index 3c5dba7..1e5eb3b 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2835,22 +3538,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3529,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -42747,7 +43239,7 @@ index 3c5dba7..1e5eb3b 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2859,14 +3574,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3565,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -42785,7 +43277,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -2885,8 +3619,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3610,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -42815,7 +43307,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -2958,69 +3711,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3702,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -42916,7 +43408,7 @@ index 3c5dba7..1e5eb3b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3028,12 +3780,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3771,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -42931,7 +43423,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -3097,7 +3849,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3840,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -42940,7 +43432,7 @@ index 3c5dba7..1e5eb3b 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3865,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3856,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -42974,7 +43466,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -3217,7 +3953,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3944,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -43001,7 +43493,7 @@ index 3c5dba7..1e5eb3b 100644
')
########################################
-@@ -3272,12 +4026,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,12 +4017,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -43017,42 +43509,90 @@ index 3c5dba7..1e5eb3b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3285,12 +4040,87 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3285,44 +4031,120 @@ interface(`userdom_write_user_tmp_files',`
## </summary>
## </param>
#
-interface(`userdom_dontaudit_use_user_ttys',`
+interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+- type user_tty_device_t;
++ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ dontaudit $1 user_tmp_t:file write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read the process state of all user domains.
++## Do not audit attempts to delete users
++## temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_delete_user_tmp_files',`
+ gen_require(`
+- attribute userdomain;
++ type user_tmp_t;
+ ')
+
+- read_files_pattern($1, userdomain, userdomain)
+- kernel_search_proc($1)
++ dontaudit $1 user_tmp_t:file delete_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of all user domains.
++## Do not audit attempts to read/write users
++## temporary fifo files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_getattr_all_users',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ dontaudit $1 user_tmp_t:file write;
++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to delete users
-+## temporary files.
++## Allow domain to read/write inherited users
++## fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`userdom_dontaudit_delete_user_tmp_files',`
++interface(`userdom_rw_inherited_user_pipes',`
+ gen_require(`
-+ type user_tmp_t;
++ attribute userdomain;
+ ')
+
-+ dontaudit $1 user_tmp_t:file delete_file_perms;
++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to read/write users
-+## temporary fifo files.
++## Do not audit attempts to use user ttys.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -43060,18 +43600,17 @@ index 3c5dba7..1e5eb3b 100644
+## </summary>
+## </param>
+#
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
++interface(`userdom_dontaudit_use_user_ttys',`
+ gen_require(`
-+ type user_tmp_t;
++ type user_tty_device_t;
+ ')
+
-+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
-+## Allow domain to read/write inherited users
-+## fifo files.
++## Read the process state of all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -43079,43 +43618,31 @@ index 3c5dba7..1e5eb3b 100644
+## </summary>
+## </param>
+#
-+interface(`userdom_rw_inherited_user_pipes',`
++interface(`userdom_read_all_users_state',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
-+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
++ read_files_pattern($1, userdomain, userdomain)
++ read_lnk_files_pattern($1,userdomain,userdomain)
++ kernel_search_proc($1)
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to use user ttys.
++## Get the attributes of all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_getattr_all_users',`
gen_require(`
- type user_tty_device_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -3309,6 +4139,7 @@ interface(`userdom_read_all_users_state',`
+ attribute userdomain;
')
-
- read_files_pattern($1, userdomain, userdomain)
-+ read_lnk_files_pattern($1,userdomain,userdomain)
- kernel_search_proc($1)
- ')
-
-@@ -3385,6 +4216,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4207,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -43158,7 +43685,7 @@ index 3c5dba7..1e5eb3b 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4272,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4263,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -43183,7 +43710,32 @@ index 3c5dba7..1e5eb3b 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3438,4 +4323,1671 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3423,6 +4299,24 @@ interface(`userdom_create_all_users_keys',`
+
+ ########################################
+ ## <summary>
++## Manage keys for all user domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_manage_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key manage_key_perms;
++')
++
++########################################
++## <summary>
+ ## Send a dbus message to all user domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -3438,4 +4332,1661 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -43312,6 +43864,7 @@ index 3c5dba7..1e5eb3b 100644
+ type admin_home_t;
+ ')
+
++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 admin_home_t:dir search_dir_perms;
+')
+
@@ -43330,6 +43883,7 @@ index 3c5dba7..1e5eb3b 100644
+ type admin_home_t;
+ ')
+
++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 admin_home_t:dir list_dir_perms;
+')
+
@@ -43348,6 +43902,7 @@ index 3c5dba7..1e5eb3b 100644
+ type admin_home_t;
+ ')
+
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ allow $1 admin_home_t:dir list_dir_perms;
+')
+
@@ -43366,8 +43921,9 @@ index 3c5dba7..1e5eb3b 100644
+ type admin_home_t;
+ ')
+
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ allow $1 admin_home_t:dir search_dir_perms;
-+')
+ ')
+
+########################################
+## <summary>
@@ -43385,7 +43941,7 @@ index 3c5dba7..1e5eb3b 100644
+ ')
+
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
- ')
++')
+
+########################################
+## <summary>
@@ -43460,6 +44016,7 @@ index 3c5dba7..1e5eb3b 100644
+ type admin_home_t;
+ ')
+
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, admin_home_t, admin_home_t)
+')
+
@@ -43479,6 +44036,7 @@ index 3c5dba7..1e5eb3b 100644
+ type admin_home_t;
+ ')
+
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ allow $1 admin_home_t:file delete_file_perms;
+')
+
@@ -43498,6 +44056,7 @@ index 3c5dba7..1e5eb3b 100644
+ type admin_home_t;
+ ')
+
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ exec_files_pattern($1, admin_home_t, admin_home_t)
+')
+
@@ -43646,6 +44205,7 @@ index 3c5dba7..1e5eb3b 100644
+ type admin_home_t;
+ ')
+
++ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern($1, admin_home_t, $2, $3, $4)
+')
+
@@ -43687,25 +44247,6 @@ index 3c5dba7..1e5eb3b 100644
+
+########################################
+## <summary>
-+## Manage keys for all user domains.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_manage_all_users_keys',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:key manage_key_perms;
-+')
-+
-+
-+########################################
-+## <summary>
+## Do not audit attempts to read and write
+## unserdomain stream.
+## </summary>
@@ -44166,6 +44707,7 @@ index 3c5dba7..1e5eb3b 100644
+ type admin_home_t;
+ ')
+
++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 admin_home_t:file read_file_perms;
+')
+
@@ -44856,7 +45398,7 @@ index 3c5dba7..1e5eb3b 100644
+')
+
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..af7e095 100644
+index e2b538b..066ae4d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5)
@@ -44945,7 +45487,7 @@ index e2b538b..af7e095 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +83,366 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,379 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -45188,8 +45730,21 @@ index e2b538b..af7e095 100644
+#
+gen_require(`
+ class context contains;
++ class passwd { passwd chfn chsh rootok };
+')
+
++allow confined_admindomain self:capability ~{ sys_module audit_control audit_write };
++allow confined_admindomain self:capability2 { block_suspend syslog };
++allow confined_admindomain self:process { setexec setfscreate };
++allow confined_admindomain self:netlink_audit_socket nlmsg_readpriv;
++allow confined_admindomain self:tun_socket create_socket_perms;
++allow confined_admindomain self:packet_socket create_socket_perms;
++
++# Set password information for other users.
++allow confined_admindomain self:passwd { passwd chfn chsh };
++# Skip authentication when pam_rootok is specified.
++allow confined_admindomain self:passwd rootok;
++
+corecmd_shell_entry_type(confined_admindomain)
+corecmd_bin_entry_type(confined_admindomain)
+
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 210ca24..7461ae5 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -10045,10 +10045,10 @@ index 0000000..de66654
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
-index 0000000..daceb19
+index 0000000..e49e117
--- /dev/null
+++ b/bumblebee.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,64 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
@@ -10084,6 +10084,7 @@ index 0000000..daceb19
+
+kernel_read_system_state(bumblebee_t)
+kernel_dontaudit_access_check_proc(bumblebee_t)
++kernel_manage_debugfs(bumblebee_t)
+
+corecmd_exec_shell(bumblebee_t)
+corecmd_exec_bin(bumblebee_t)
@@ -10108,6 +10109,10 @@ index 0000000..daceb19
+optional_policy(`
+ apm_stream_connect(bumblebee_t)
+')
++
++optional_policy(`
++ unconfined_domain(bumblebee_t)
++')
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c790..aa03fc8 100644
--- a/cachefilesd.fc
@@ -10387,7 +10392,7 @@ index 581c8ef..2c71b1d 100644
+
+init_sigchld_script(cachefiles_kernel_t)
diff --git a/calamaris.if b/calamaris.if
-index cd9c528..9de38c4 100644
+index cd9c528..ba793b7 100644
--- a/calamaris.if
+++ b/calamaris.if
@@ -42,7 +42,7 @@ interface(`calamaris_run',`
@@ -10395,7 +10400,7 @@ index cd9c528..9de38c4 100644
')
- lightsquid_domtrans($1)
-+ clamd_domtrans($1)
++ calamaris_domtrans($1)
roleattribute $2 calamaris_roles;
')
@@ -13090,10 +13095,10 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..dc0423c 100644
+index 6471fa8..3b69f43 100644
--- a/collectd.te
+++ b/collectd.te
-@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
+@@ -26,18 +26,27 @@ files_type(collectd_var_lib_t)
type collectd_var_run_t;
files_pid_file(collectd_var_run_t)
@@ -13108,7 +13113,11 @@ index 6471fa8..dc0423c 100644
########################################
#
# Local policy
-@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal };
+ #
+
+-allow collectd_t self:capability { ipc_lock sys_nice };
++allow collectd_t self:capability { ipc_lock net_admin sys_nice };
+ allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
allow collectd_t self:unix_stream_socket { accept listen };
@@ -13126,13 +13135,13 @@ index 6471fa8..dc0423c 100644
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
-+
-+auth_getattr_passwd(collectd_t)
-+auth_read_passwd(collectd_t)
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
++auth_getattr_passwd(collectd_t)
++auth_read_passwd(collectd_t)
++
+corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t)
@@ -13154,10 +13163,14 @@ index 6471fa8..dc0423c 100644
logging_send_syslog_msg(collectd_t)
-@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +89,30 @@ tunable_policy(`collectd_tcp_network_connect',`
')
optional_policy(`
++ mysql_stream_connect(collectd_t)
++')
++
++optional_policy(`
+ netutils_domtrans_ping(collectd_t)
+')
+
@@ -18020,7 +18033,7 @@ index 06da9a0..c7834c8 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..0663b64 100644
+index 9f34c2e..ae75cc4 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -18444,7 +18457,7 @@ index 9f34c2e..0663b64 100644
')
optional_policy(`
-+ gnome_dontaudit_search_config(cupsd_config_t)
++ gnome_dontaudit_read_config(cupsd_config_t)
+')
+
+optional_policy(`
@@ -19189,7 +19202,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index afcf3a2..7574fa1 100644
+index afcf3a2..98a4fb7 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -19709,7 +19722,7 @@ index afcf3a2..7574fa1 100644
## <param name="domain">
## <summary>
## Type to be used as a domain.
-@@ -396,81 +402,66 @@ interface(`dbus_manage_lib_files',`
+@@ -396,81 +402,67 @@ interface(`dbus_manage_lib_files',`
## </param>
## <param name="entry_point">
## <summary>
@@ -19734,6 +19747,7 @@ index afcf3a2..7574fa1 100644
+ domain_entry_file($1, $2)
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
++ init_system_domain($1, $2)
+
+ ps_process_pattern($1, system_dbusd_t)
+
@@ -19818,7 +19832,7 @@ index afcf3a2..7574fa1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -478,18 +469,18 @@ interface(`dbus_spec_session_domain',`
+@@ -478,18 +470,18 @@ interface(`dbus_spec_session_domain',`
## </summary>
## </param>
#
@@ -19842,7 +19856,7 @@ index afcf3a2..7574fa1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -497,98 +488,80 @@ interface(`dbus_connect_system_bus',`
+@@ -497,98 +489,80 @@ interface(`dbus_connect_system_bus',`
## </summary>
## </param>
#
@@ -19969,7 +19983,7 @@ index afcf3a2..7574fa1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -596,28 +569,32 @@ interface(`dbus_use_system_bus_fds',`
+@@ -596,28 +570,32 @@ interface(`dbus_use_system_bus_fds',`
## </summary>
## </param>
#
@@ -23576,7 +23590,7 @@ index c880070..4448055 100644
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/dovecot.if b/dovecot.if
-index dbcac59..66d42bb 100644
+index dbcac59..067c453 100644
--- a/dovecot.if
+++ b/dovecot.if
@@ -1,29 +1,49 @@
@@ -23703,8 +23717,29 @@ index dbcac59..66d42bb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',`
+@@ -120,10 +136,29 @@ interface(`dovecot_write_inherited_tmp_files',`
+ allow $1 dovecot_tmp_t:file write;
+ ')
++####################################
++## <summary>
++## Read dovecot configuration file.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dovecot_read_config',`
++ gen_require(`
++ type dovecot_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
++')
++
########################################
## <summary>
-## All of the rules required to
@@ -23714,7 +23749,7 @@ index dbcac59..66d42bb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -132,21 +148,24 @@ interface(`dovecot_write_inherited_tmp_files',`
+@@ -132,21 +167,24 @@ interface(`dovecot_write_inherited_tmp_files',`
## </param>
## <param name="role">
## <summary>
@@ -23745,7 +23780,7 @@ index dbcac59..66d42bb 100644
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -156,20 +175,25 @@ interface(`dovecot_admin',`
+@@ -156,20 +194,25 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, dovecot_etc_t)
@@ -28065,7 +28100,7 @@ index e39de43..6a6db28 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..4155cd4 100644
+index d03fd43..394cbf1 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,157 @@
@@ -29552,7 +29587,7 @@ index d03fd43..4155cd4 100644
+#
+interface(`gnome_create_home_config_dirs',`
+ gen_require(`
-+ type cache_home_t;
++ type config_home_t;
+ ')
+
+ allow $1 config_home_t:dir create_dir_perms;
@@ -32629,7 +32664,7 @@ index 0000000..9278f85
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..c6cf456
+index 0000000..deb738f
--- /dev/null
+++ b/ipa.if
@@ -0,0 +1,21 @@
@@ -32647,7 +32682,7 @@ index 0000000..c6cf456
+#
+interface(`ipa_domtrans_otpd',`
+ gen_require(`
-+ type ipa_otpd_t, ipa_otpd_t_exec_t;
++ type ipa_otpd_t, ipa_otpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
@@ -32656,10 +32691,10 @@ index 0000000..c6cf456
+
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 0000000..02f7cfa
+index 0000000..589066e
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,38 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@@ -32686,6 +32721,11 @@ index 0000000..02f7cfa
+
+corenet_tcp_connect_radius_port(ipa_otpd_t)
+
++dev_read_urand(ipa_otpd_t)
++dev_read_rand(ipa_otpd_t)
++
++sysnet_dns_name_resolve(ipa_otpd_t)
++
+optional_policy(`
+ dirsrv_stream_connect(ipa_otpd_t)
+')
@@ -35073,11 +35113,165 @@ index e7f5c81..8c75bc8 100644
+optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
')
+diff --git a/keepalived.fc b/keepalived.fc
+new file mode 100644
+index 0000000..7e6f8be
+--- /dev/null
++++ b/keepalived.fc
+@@ -0,0 +1,5 @@
++/usr/lib/systemd/system/keepalived.* -- gen_context(system_u:object_r:keepalived_unit_file_t,s0)
++
++/usr/sbin/keepalived -- gen_context(system_u:object_r:keepalived_exec_t,s0)
++
++/var/run/keepalived.* -- gen_context(system_u:object_r:keepalived_var_run_t,s0)
+diff --git a/keepalived.if b/keepalived.if
+new file mode 100644
+index 0000000..0d61849
+--- /dev/null
++++ b/keepalived.if
+@@ -0,0 +1,84 @@
++
++## <summary> keepalived - load-balancing and high-availability service</summary>
++
++########################################
++## <summary>
++## Execute keepalived in the keepalived domin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`keepalived_domtrans',`
++ gen_require(`
++ type keepalived_t, keepalived_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, keepalived_exec_t, keepalived_t)
++')
++########################################
++## <summary>
++## Execute keepalived server in the keepalived domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`keepalived_systemctl',`
++ gen_require(`
++ type keepalived_t;
++ type keepalived_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 keepalived_unit_file_t:file read_file_perms;
++ allow $1 keepalived_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, keepalived_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an keepalived environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`keepalived_admin',`
++ gen_require(`
++ type keepalived_t;
++ type keepalived_unit_file_t;
++ ')
++
++ allow $1 keepalived_t:process { signal_perms };
++ ps_process_pattern($1, keepalived_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 keepalived_t:process ptrace;
++ ')
++
++ keepalived_systemctl($1)
++ admin_pattern($1, keepalived_unit_file_t)
++ allow $1 keepalived_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/keepalived.te b/keepalived.te
+new file mode 100644
+index 0000000..535f79b
+--- /dev/null
++++ b/keepalived.te
+@@ -0,0 +1,47 @@
++policy_module(keepalived, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type keepalived_t;
++type keepalived_exec_t;
++init_daemon_domain(keepalived_t, keepalived_exec_t)
++
++type keepalived_unit_file_t;
++systemd_unit_file(keepalived_unit_file_t)
++
++type keepalived_var_run_t;
++files_pid_file(keepalived_var_run_t)
++
++########################################
++#
++# keepalived local policy
++#
++allow keepalived_t self:capability { net_admin net_raw };
++allow keepalived_t self:process { signal_perms };
++allow keepalived_t self:netlink_socket create_socket_perms;
++allow keepalived_t self:netlink_route_socket nlmsg_write;
++allow keepalived_t self:packet_socket create_socket_perms;
++allow keepalived_t self:rawip_socket create_socket_perms;
++
++
++manage_files_pattern(keepalived_t, keepalived_var_run_t, keepalived_var_run_t)
++files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file })
++
++kernel_read_system_state(keepalived_t)
++kernel_read_network_state(keepalived_t)
++
++auth_use_nsswitch(keepalived_t)
++
++corenet_tcp_connect_connlcli_port(keepalived_t)
++corenet_tcp_connect_http_port(keepalived_t)
++corenet_tcp_connect_smtp_port(keepalived_t)
++
++dev_read_urand(keepalived_t)
++
++modutils_domtrans_insmod(keepalived_t)
++
++logging_send_syslog_msg(keepalived_t)
++
diff --git a/kerberos.fc b/kerberos.fc
-index 4fe75fd..8c702c9 100644
+index 4fe75fd..b029c28 100644
--- a/kerberos.fc
+++ b/kerberos.fc
-@@ -1,52 +1,44 @@
+@@ -1,52 +1,46 @@
-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
@@ -35111,25 +35305,33 @@ index 4fe75fd..8c702c9 100644
-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
--
++/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
--
++/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
++/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
--
++/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
++/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
+
-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
- /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
--
++/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
+
-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
- /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+-/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
-+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
- /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+-/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-
-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
@@ -35144,13 +35346,6 @@ index 4fe75fd..8c702c9 100644
-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-+
-+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
-+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
-+
-+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+
+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
@@ -35161,7 +35356,7 @@ index 4fe75fd..8c702c9 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index f9de9fc..11e6268 100644
+index f9de9fc..11504e6 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@@ -35487,16 +35682,20 @@ index f9de9fc..11e6268 100644
## </summary>
## <param name="prefix">
## <summary>
-@@ -354,21 +255,15 @@ interface(`kerberos_etc_filetrans_keytab',`
+@@ -354,21 +255,21 @@ interface(`kerberos_etc_filetrans_keytab',`
## </param>
#
template(`kerberos_keytab_template',`
--
++ gen_require(`
++ attribute kerberos_keytab_domain;
++ ')
+
- ########################################
- #
- # Declarations
- #
--
++ typeattribute $2 kerberos_keytab_domain;
+
type $1_keytab_t;
files_type($1_keytab_t)
@@ -35514,7 +35713,7 @@ index f9de9fc..11e6268 100644
kerberos_read_keytab($2)
kerberos_use($2)
-@@ -376,7 +271,7 @@ template(`kerberos_keytab_template',`
+@@ -376,7 +277,7 @@ template(`kerberos_keytab_template',`
########################################
## <summary>
@@ -35523,7 +35722,7 @@ index f9de9fc..11e6268 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -396,8 +291,7 @@ interface(`kerberos_read_kdc_config',`
+@@ -396,8 +297,7 @@ interface(`kerberos_read_kdc_config',`
########################################
## <summary>
@@ -35533,7 +35732,7 @@ index f9de9fc..11e6268 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -411,34 +305,99 @@ interface(`kerberos_manage_host_rcache',`
+@@ -411,34 +311,99 @@ interface(`kerberos_manage_host_rcache',`
type krb5_host_rcache_t;
')
@@ -35573,8 +35772,7 @@ index f9de9fc..11e6268 100644
## </param>
-## <param name="object_class">
+## <param name="role">
- ## <summary>
--## Class of the object being created.
++## <summary>
+## The role to be allowed to manage the kerberos domain.
+## </summary>
+## </param>
@@ -35636,12 +35834,13 @@ index f9de9fc..11e6268 100644
+## to the krb5_host_rcache type.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
-@@ -452,12 +411,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -452,12 +417,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
type krb5_host_rcache_t;
')
@@ -35657,7 +35856,7 @@ index f9de9fc..11e6268 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -465,82 +425,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -465,82 +431,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
## </summary>
## </param>
#
@@ -35798,7 +35997,7 @@ index f9de9fc..11e6268 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 3465a9a..15b3d6d 100644
+index 3465a9a..cf08ae1 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -1,4 +1,4 @@
@@ -35807,7 +36006,7 @@ index 3465a9a..15b3d6d 100644
########################################
#
-@@ -6,11 +6,11 @@ policy_module(kerberos, 1.11.7)
+@@ -6,11 +6,13 @@ policy_module(kerberos, 1.11.7)
#
## <desc>
@@ -35820,10 +36019,12 @@ index 3465a9a..15b3d6d 100644
## </desc>
-gen_tunable(allow_kerberos, false)
+gen_tunable(kerberos_enabled, false)
++
++attribute kerberos_keytab_domain;
type kadmind_t;
type kadmind_exec_t;
-@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
+@@ -35,23 +37,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
domain_obj_id_change_exemption(kpropd_t)
type krb5_conf_t;
@@ -35849,13 +36050,13 @@ index 3465a9a..15b3d6d 100644
type krb5kdc_lock_t;
-files_type(krb5kdc_lock_t)
+files_lock_file(krb5kdc_lock_t)
-
+
+
+# types for KDC principal file(s)
type krb5kdc_principal_t;
files_type(krb5kdc_principal_t)
-@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t)
+@@ -74,28 +80,31 @@ files_pid_file(krb5kdc_var_run_t)
# kadmind local policy
#
@@ -35893,7 +36094,7 @@ index 3465a9a..15b3d6d 100644
manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
-@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
+@@ -103,13 +112,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
@@ -35912,7 +36113,7 @@ index 3465a9a..15b3d6d 100644
corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t)
-@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
+@@ -119,31 +130,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
@@ -35959,7 +36160,7 @@ index 3465a9a..15b3d6d 100644
sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-@@ -154,11 +173,16 @@ optional_policy(`
+@@ -154,11 +175,16 @@ optional_policy(`
')
optional_policy(`
@@ -35976,7 +36177,7 @@ index 3465a9a..15b3d6d 100644
')
optional_policy(`
-@@ -174,24 +198,27 @@ optional_policy(`
+@@ -174,24 +200,27 @@ optional_policy(`
# Krb5kdc local policy
#
@@ -36008,12 +36209,17 @@ index 3465a9a..15b3d6d 100644
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -203,54 +230,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
- manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
- files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
+@@ -201,56 +230,57 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
--can_exec(krb5kdc_t, krb5kdc_exec_t)
+ manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
-
+-can_exec(krb5kdc_t, krb5kdc_exec_t)
++manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
++manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
++files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file })
+
kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctls(krb5kdc_t)
+kernel_list_proc(krb5kdc_t)
@@ -36074,7 +36280,7 @@ index 3465a9a..15b3d6d 100644
sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-@@ -261,11 +287,11 @@ optional_policy(`
+@@ -261,11 +291,11 @@ optional_policy(`
')
optional_policy(`
@@ -36088,7 +36294,7 @@ index 3465a9a..15b3d6d 100644
')
optional_policy(`
-@@ -273,6 +299,10 @@ optional_policy(`
+@@ -273,6 +303,10 @@ optional_policy(`
')
optional_policy(`
@@ -36099,7 +36305,7 @@ index 3465a9a..15b3d6d 100644
udev_read_db(krb5kdc_t)
')
-@@ -281,10 +311,12 @@ optional_policy(`
+@@ -281,10 +315,12 @@ optional_policy(`
# kpropd local policy
#
@@ -36115,7 +36321,7 @@ index 3465a9a..15b3d6d 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
-@@ -303,26 +335,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,26 +339,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
@@ -44986,7 +45192,7 @@ index f42896c..cb2791a 100644
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index ed81cac..26c97cd 100644
+index ed81cac..e968c28 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
@@ -46095,7 +46301,7 @@ index ed81cac..26c97cd 100644
+ type etc_mail_t;
+ ')
+
-+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
++ #filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
+ mta_etc_filetrans_aliases($1, "aliases")
+ mta_etc_filetrans_aliases($1, "aliases.db")
+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
@@ -46103,7 +46309,7 @@ index ed81cac..26c97cd 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..5979160 100644
+index afd2fad..b995f01 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@@ -46300,15 +46506,15 @@ index afd2fad..5979160 100644
init_use_script_ptys(system_mail_t)
+init_dontaudit_rw_stream_socket(system_mail_t)
-
--userdom_use_user_terminals(system_mail_t)
++
+userdom_use_inherited_user_terminals(system_mail_t)
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-+
+
+-userdom_use_user_terminals(system_mail_t)
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
+
@@ -46528,7 +46734,18 @@ index afd2fad..5979160 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
-@@ -387,24 +282,177 @@ optional_policy(`
+@@ -378,6 +273,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ pcp_read_lib_files(mailserver_delivery)
++')
++
++optional_policy(`
+ postfix_rw_inherited_master_pipes(mailserver_delivery)
+ ')
+
+@@ -387,24 +286,177 @@ optional_policy(`
########################################
#
@@ -53722,7 +53939,7 @@ index 379af96..41ff159 100644
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
-index 57c0161..54bd4d7 100644
+index 57c0161..dae3360 100644
--- a/nut.if
+++ b/nut.if
@@ -1,39 +1,24 @@
@@ -53778,7 +53995,7 @@ index 57c0161..54bd4d7 100644
- files_search_pids($1)
- admin_pattern($1, nut_var_run_t)
-+ ps_process_pattern($1, swift_t)
++ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
index 0c9deb7..76988d6 100644
@@ -55691,16 +55908,24 @@ index 0000000..9451b83
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..3c4beaf
+index 0000000..e13b578
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,558 @@
+@@ -0,0 +1,573 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
+ role system_r;
+')
+
++## <desc>
++## <p>
++## Allow openshift to access nfs file systems without labels
++## </p>
++## </desc>
++gen_tunable(openshift_use_nfs, false)
++
++
+########################################
+#
+# Declarations
@@ -56253,6 +56478,13 @@ index 0000000..3c4beaf
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
+')
+
++tunable_policy(`openshift_use_nfs',`
++ fs_list_auto_mountpoints(openshift_domain)
++ fs_manage_nfs_dirs(openshift_domain)
++ fs_manage_nfs_files(openshift_domain)
++ fs_manage_nfs_symlinks(openshift_domain)
++ fs_exec_nfs_files(openshift_domain)
++')
diff --git a/opensm.fc b/opensm.fc
new file mode 100644
index 0000000..51650fa
@@ -57084,7 +57316,7 @@ index 9b15730..eedd136 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..dd3be82 100644
+index 508fedf..452ad74 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -1,4 +1,4 @@
@@ -57107,7 +57339,7 @@ index 508fedf..dd3be82 100644
type openvswitch_var_lib_t;
files_type(openvswitch_var_lib_t)
-@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t)
+@@ -21,23 +18,34 @@ files_type(openvswitch_var_lib_t)
type openvswitch_log_t;
logging_log_file(openvswitch_log_t)
@@ -57135,6 +57367,7 @@ index 508fedf..dd3be82 100644
-allow openvswitch_t self:rawip_socket create_socket_perms;
-allow openvswitch_t self:unix_stream_socket { accept connectto listen };
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow openvswitch_t self:tcp_socket create_stream_socket_perms;
+allow openvswitch_t self:netlink_socket create_socket_perms;
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -57149,7 +57382,7 @@ index 508fedf..dd3be82 100644
manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,45 +52,55 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -45,45 +53,57 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -57182,6 +57415,8 @@ index 508fedf..dd3be82 100644
-corenet_raw_sendrecv_generic_if(openvswitch_t)
-corenet_raw_sendrecv_generic_node(openvswitch_t)
+corenet_tcp_connect_openflow_port(openvswitch_t)
++corenet_tcp_bind_generic_node(openvswitch_t)
++corenet_tcp_bind_openvswitch_port(openvswitch_t)
corecmd_exec_bin(openvswitch_t)
+corecmd_exec_shell(openvswitch_t)
@@ -58473,10 +58708,10 @@ index 0000000..9b8cb6b
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if
new file mode 100644
-index 0000000..4f074cb
+index 0000000..ba24b40
--- /dev/null
+++ b/pcp.if
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,139 @@
+## <summary>The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
+
+######################################
@@ -58504,6 +58739,24 @@ index 0000000..4f074cb
+
+')
+
++######################################
++## <summary>
++## Allow domain to read pcp lib files
++## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for the domain.
++## </summary>
++## </param>
++#
++interface(`pcp_read_lib_files',`
++ gen_require(`
++ type pcp_var_lib_t;
++ ')
++ libs_search_lib($1)
++ read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)
++')
++
+########################################
+## <summary>
+## All of the rules required to administrate
@@ -58577,12 +58830,33 @@ index 0000000..4f074cb
+ corecmd_search_bin($1)
+ can_exec($1, pcp_pmie_exec_t)
+')
++
++########################################
++## <summary>
++## Allow the specified domain to execute pcp_pmlogger
++## in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pcp_pmlogger_exec',`
++ gen_require(`
++ type pcp_pmlogger_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, pcp_pmlogger_exec_t)
++')
++
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..8ec3a48
+index 0000000..d21c5d7
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,164 @@
+@@ -0,0 +1,192 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -58648,6 +58922,8 @@ index 0000000..8ec3a48
+
+dev_read_urand(pcp_domain)
+
++files_read_etc_files(pcp_domain)
++
+fs_getattr_all_fs(pcp_domain)
+
+auth_read_passwd(pcp_domain)
@@ -58665,6 +58941,8 @@ index 0000000..8ec3a48
+allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;
+
++auth_use_nsswitch(pcp_pmcd_t)
++
+kernel_read_network_state(pcp_pmcd_t)
+kernel_read_system_state(pcp_pmcd_t)
+kernel_read_state(pcp_pmcd_t)
@@ -58686,9 +58964,9 @@ index 0000000..8ec3a48
+fs_getattr_all_dirs(pcp_pmcd_t)
+fs_list_cgroup_dirs(pcp_pmcd_t)
+
-+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
++logging_send_syslog_msg(pcp_pmcd_t)
+
-+auth_use_nsswitch(pcp_pmcd_t)
++storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmcd_t)
@@ -58705,9 +58983,12 @@ index 0000000..8ec3a48
+
+allow pcp_pmproxy_t self:process setsched;
+allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms;
++allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
+
+auth_use_nsswitch(pcp_pmproxy_t)
+
++logging_send_syslog_msg(pcp_pmproxy_t)
++
+########################################
+#
+# pcp_pmwebd local policy
@@ -58721,21 +59002,27 @@ index 0000000..8ec3a48
+#
+
+allow pcp_pmmgr_t self:process { setpgid };
-+
++allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
+allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
+
+kernel_read_system_state(pcp_pmmgr_t)
+
++auth_use_nsswitch(pcp_pmmgr_t)
++
+corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
+
++corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
++corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
++
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)
+
+corecmd_exec_bin(pcp_pmmgr_t)
+
-+auth_use_nsswitch(pcp_pmmgr_t)
++logging_send_syslog_msg(pcp_pmmgr_t)
+
+optional_policy(`
+ pcp_pmie_exec(pcp_pmmgr_t)
++ pcp_pmlogger_exec(pcp_pmmgr_t)
+')
+
+########################################
@@ -58747,6 +59034,21 @@ index 0000000..8ec3a48
+
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
++
++########################################
++#
++# pcp_pmlogger local policy
++#
++
++allow pcp_pmlogger_t self:process setpgid;
++allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
++
++allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
++
++corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
++corenet_tcp_bind_generic_node(pcp_pmlogger_t)
++
diff --git a/pcscd.if b/pcscd.if
index 43d50f9..7f77d32 100644
--- a/pcscd.if
@@ -58761,7 +59063,7 @@ index 43d50f9..7f77d32 100644
########################################
diff --git a/pcscd.te b/pcscd.te
-index 96db654..6d3feb9 100644
+index 96db654..a958595 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
@@ -58787,7 +59089,14 @@ index 96db654..6d3feb9 100644
corenet_all_recvfrom_netlabel(pcscd_t)
corenet_tcp_sendrecv_generic_if(pcscd_t)
corenet_tcp_sendrecv_generic_node(pcscd_t)
-@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t)
+@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t)
+ corenet_tcp_connect_http_port(pcscd_t)
+ corenet_tcp_sendrecv_http_port(pcscd_t)
+
++domain_read_all_domains_state(pcscd_t)
++
+ dev_rw_generic_usb_dev(pcscd_t)
+ dev_rw_smartcard(pcscd_t)
dev_rw_usbfs(pcscd_t)
dev_read_sysfs(pcscd_t)
@@ -58795,7 +59104,7 @@ index 96db654..6d3feb9 100644
files_read_etc_runtime_files(pcscd_t)
term_use_unallocated_ttys(pcscd_t)
-@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t)
+@@ -60,16 +61,22 @@ locallogin_use_fds(pcscd_t)
logging_send_syslog_msg(pcscd_t)
@@ -58803,8 +59112,24 @@ index 96db654..6d3feb9 100644
-
sysnet_dns_name_resolve(pcscd_t)
++userdom_read_all_users_state(pcscd_t)
++
optional_policy(`
-@@ -85,3 +82,7 @@ optional_policy(`
+ dbus_system_bus_client(pcscd_t)
+
+ optional_policy(`
+ hal_dbus_chat(pcscd_t)
+ ')
++
++ optional_policy(`
++ policykit_dbus_chat(pcscd_t)
++ policykit_dbus_chat_auth(pcscd_t)
++ ')
++
+ ')
+
+ optional_policy(`
+@@ -85,3 +92,7 @@ optional_policy(`
optional_policy(`
udev_read_db(pcscd_t)
')
@@ -58958,7 +59283,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..a8401a8 100644
+index 7bcf327..8ad2a04 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -58982,7 +59307,7 @@ index 7bcf327..a8401a8 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,304 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,316 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -59160,6 +59485,7 @@ index 7bcf327..a8401a8 100644
+# pegasus openlmi service local policy
+#
+
++init_manage_transient_unit(pegasus_openlmi_admin_t)
+init_disable_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_admin_t)
+init_reload_services(pegasus_openlmi_admin_t)
@@ -59180,7 +59506,7 @@ index 7bcf327..a8401a8 100644
+')
+
+optional_policy(`
-+ sssd_search_lib(pegasus_openlmi_admin_t)
++ sssd_stream_connect(pegasus_openlmi_admin_t)
+')
+
+######################################
@@ -59206,9 +59532,11 @@ index 7bcf327..a8401a8 100644
+files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")
+
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
++kernel_read_network_state(pegasus_openlmi_storage_t)
+kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
+kernel_request_load_module(pegasus_openlmi_storage_t)
+
++dev_read_raw_memory(pegasus_openlmi_storage_t)
+dev_read_rand(pegasus_openlmi_storage_t)
+dev_read_urand(pegasus_openlmi_storage_t)
+
@@ -59220,6 +59548,7 @@ index 7bcf327..a8401a8 100644
+seutil_read_file_contexts(pegasus_openlmi_storage_t)
+
+storage_raw_read_removable_device(pegasus_openlmi_storage_t)
++storage_raw_write_removable_device(pegasus_openlmi_storage_t)
+storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
+storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
+
@@ -59232,6 +59561,8 @@ index 7bcf327..a8401a8 100644
+udev_domtrans(pegasus_openlmi_storage_t)
+udev_read_pid_files(pegasus_openlmi_storage_t)
+
++init_read_state(pegasus_openlmi_storage_t)
++
+miscfiles_read_hwdata(pegasus_openlmi_storage_t)
+
+optional_policy(`
@@ -59244,10 +59575,16 @@ index 7bcf327..a8401a8 100644
+
+optional_policy(`
+ iscsi_manage_lock(pegasus_openlmi_storage_t)
++ iscsi_read_lib_files(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
++ libs_exec_ldconfig(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+ lvm_domtrans(pegasus_openlmi_storage_t)
++ lvm_read_metadata(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
@@ -59292,7 +59629,7 @@ index 7bcf327..a8401a8 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +337,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +349,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -59323,7 +59660,7 @@ index 7bcf327..a8401a8 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +363,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +375,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -59356,7 +59693,7 @@ index 7bcf327..a8401a8 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,9 +391,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +403,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -59368,7 +59705,7 @@ index 7bcf327..a8401a8 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
-@@ -128,18 +407,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +419,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -59404,7 +59741,7 @@ index 7bcf327..a8401a8 100644
')
optional_policy(`
-@@ -151,16 +441,24 @@ optional_policy(`
+@@ -151,16 +453,24 @@ optional_policy(`
')
optional_policy(`
@@ -59433,7 +59770,7 @@ index 7bcf327..a8401a8 100644
')
optional_policy(`
-@@ -168,7 +466,7 @@ optional_policy(`
+@@ -168,7 +478,7 @@ optional_policy(`
')
optional_policy(`
@@ -66823,7 +67160,7 @@ index 00edeab..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
')
diff --git a/procmail.te b/procmail.te
-index d447152..2f0ae78 100644
+index d447152..f3e6fbf 100644
--- a/procmail.te
+++ b/procmail.te
@@ -1,4 +1,4 @@
@@ -66858,7 +67195,7 @@ index d447152..2f0ae78 100644
allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,89 +44,107 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,89 +44,108 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
@@ -66965,6 +67302,7 @@ index d447152..2f0ae78 100644
optional_policy(`
- cyrus_stream_connect(procmail_t)
+ dovecot_stream_connect(procmail_t)
++ dovecot_read_config(procmail_t)
')
optional_policy(`
@@ -67003,16 +67341,17 @@ index d447152..2f0ae78 100644
')
optional_policy(`
-@@ -131,6 +153,8 @@ optional_policy(`
+@@ -131,6 +154,9 @@ optional_policy(`
')
optional_policy(`
+ mta_read_config(procmail_t)
++ mta_mailserver_delivery(procmail_t)
+ mta_manage_home_rw(procmail_t)
sendmail_domtrans(procmail_t)
sendmail_signal(procmail_t)
sendmail_dontaudit_rw_tcp_sockets(procmail_t)
-@@ -145,3 +169,8 @@ optional_policy(`
+@@ -145,3 +171,8 @@ optional_policy(`
spamassassin_domtrans_client(procmail_t)
spamassassin_read_lib_files(procmail_t)
')
@@ -74297,16 +74636,15 @@ index 0000000..638d6b4
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if
new file mode 100644
-index 0000000..72a2d7b
+index 0000000..2640ab5
--- /dev/null
+++ b/redis.if
-@@ -0,0 +1,271 @@
-+
-+## <summary>redis-server SELinux policy</summary>
+@@ -0,0 +1,266 @@
++## <summary>Advanced key-value store</summary>
+
+########################################
+## <summary>
-+## Execute TEMPLATE in the redis domin.
++## Execute redis server in the redis domin.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -74340,6 +74678,7 @@ index 0000000..72a2d7b
+
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
+')
++
+########################################
+## <summary>
+## Read redis's log files.
@@ -74349,7 +74688,6 @@ index 0000000..72a2d7b
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
+interface(`redis_read_log',`
+ gen_require(`
@@ -74512,14 +74850,13 @@ index 0000000..72a2d7b
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, redis_t)
+')
+
-+
+########################################
+## <summary>
+## All of the rules required to administrate
@@ -74539,18 +74876,14 @@ index 0000000..72a2d7b
+#
+interface(`redis_admin',`
+ gen_require(`
-+ type redis_t;
-+ type redis_initrc_exec_t;
-+ type redis_log_t;
-+ type redis_var_lib_t;
-+ type redis_var_run_t;
-+ type redis_unit_file_t;
++ type redis_t, redis_initrc_exec_t, redis_var_lib_t;
++ type redis_log_t, redis_var_run_t, redis_unit_file_t;
+ ')
+
+ allow $1 redis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, redis_t)
+
-+ redis_initrc_domtrans($1)
++ init_labeled_script_domtrans($1, redis_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 redis_initrc_exec_t system_r;
+ allow $2 system_r;
@@ -74567,6 +74900,7 @@ index 0000000..72a2d7b
+ redis_systemctl($1)
+ admin_pattern($1, redis_unit_file_t)
+ allow $1 redis_unit_file_t:service all_service_perms;
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
@@ -82583,7 +82917,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..ded3288 100644
+index 57c034b..3ac0bb1 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -82962,7 +83296,7 @@ index 57c034b..ded3288 100644
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -315,43 +328,33 @@ kernel_read_kernel_sysctls(smbd_t)
+@@ -315,42 +328,34 @@ kernel_read_kernel_sysctls(smbd_t)
kernel_read_software_raid_state(smbd_t)
kernel_read_system_state(smbd_t)
@@ -83013,11 +83347,11 @@ index 57c034b..ded3288 100644
-files_dontaudit_getattr_all_dirs(smbd_t)
-files_dontaudit_list_all_mountpoints(smbd_t)
-files_list_mnt(smbd_t)
--
++domain_dontaudit_signull_all_domains(smbd_t)
+
fs_getattr_all_fs(smbd_t)
fs_getattr_all_dirs(smbd_t)
- fs_get_xattr_fs_quotas(smbd_t)
-@@ -360,44 +363,55 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -360,44 +365,55 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
fs_get_all_fs_quotas(smbd_t)
@@ -83084,7 +83418,7 @@ index 57c034b..ded3288 100644
')
tunable_policy(`samba_domain_controller',`
-@@ -413,20 +427,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -413,20 +429,10 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -83107,7 +83441,7 @@ index 57c034b..ded3288 100644
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
-@@ -435,6 +439,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -435,6 +441,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
@@ -83115,7 +83449,7 @@ index 57c034b..ded3288 100644
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
-@@ -442,17 +447,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -442,17 +449,6 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -83133,7 +83467,7 @@ index 57c034b..ded3288 100644
optional_policy(`
ccs_read_config(smbd_t)
')
-@@ -460,6 +454,7 @@ optional_policy(`
+@@ -460,6 +456,7 @@ optional_policy(`
optional_policy(`
ctdbd_stream_connect(smbd_t)
ctdbd_manage_lib_files(smbd_t)
@@ -83141,7 +83475,7 @@ index 57c034b..ded3288 100644
')
optional_policy(`
-@@ -473,6 +468,11 @@ optional_policy(`
+@@ -473,6 +470,11 @@ optional_policy(`
')
optional_policy(`
@@ -83153,7 +83487,7 @@ index 57c034b..ded3288 100644
lpd_exec_lpr(smbd_t)
')
-@@ -482,6 +482,10 @@ optional_policy(`
+@@ -482,6 +484,10 @@ optional_policy(`
')
optional_policy(`
@@ -83164,7 +83498,7 @@ index 57c034b..ded3288 100644
rpc_search_nfs_state_data(smbd_t)
')
-@@ -493,9 +497,33 @@ optional_policy(`
+@@ -493,9 +499,33 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -83199,7 +83533,7 @@ index 57c034b..ded3288 100644
#
dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +534,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +536,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -83214,7 +83548,7 @@ index 57c034b..ded3288 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +550,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +552,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -83238,7 +83572,7 @@ index 57c034b..ded3288 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +567,42 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +569,42 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -83305,7 +83639,7 @@ index 57c034b..ded3288 100644
')
optional_policy(`
-@@ -600,19 +615,26 @@ optional_policy(`
+@@ -600,19 +617,26 @@ optional_policy(`
########################################
#
@@ -83337,7 +83671,7 @@ index 57c034b..ded3288 100644
samba_search_var(smbcontrol_t)
samba_read_winbind_pid(smbcontrol_t)
-@@ -620,16 +642,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +644,12 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -83355,7 +83689,7 @@ index 57c034b..ded3288 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +655,23 @@ optional_policy(`
+@@ -637,22 +657,23 @@ optional_policy(`
########################################
#
@@ -83387,7 +83721,7 @@ index 57c034b..ded3288 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -661,26 +680,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +682,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -83423,7 +83757,7 @@ index 57c034b..ded3288 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -692,58 +707,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +709,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -83515,7 +83849,7 @@ index 57c034b..ded3288 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +786,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +788,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -83539,7 +83873,7 @@ index 57c034b..ded3288 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -770,36 +800,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +802,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -83582,7 +83916,7 @@ index 57c034b..ded3288 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -811,10 +830,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +832,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -83596,7 +83930,7 @@ index 57c034b..ded3288 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -834,16 +854,19 @@ optional_policy(`
+@@ -834,16 +856,19 @@ optional_policy(`
#
allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
@@ -83620,7 +83954,7 @@ index 57c034b..ded3288 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +876,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +878,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -83631,7 +83965,7 @@ index 57c034b..ded3288 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +887,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +889,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -83661,7 +83995,7 @@ index 57c034b..ded3288 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -891,13 +910,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +912,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -83682,7 +84016,7 @@ index 57c034b..ded3288 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +928,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +930,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -83693,7 +84027,7 @@ index 57c034b..ded3288 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -917,26 +936,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,26 +938,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -83735,7 +84069,7 @@ index 57c034b..ded3288 100644
')
optional_policy(`
-@@ -952,31 +984,29 @@ optional_policy(`
+@@ -952,31 +986,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -83773,7 +84107,7 @@ index 57c034b..ded3288 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -990,25 +1020,38 @@ optional_policy(`
+@@ -990,25 +1022,38 @@ optional_policy(`
########################################
#
@@ -88692,7 +89026,7 @@ index 0000000..94105ee
+')
diff --git a/snapper.te b/snapper.te
new file mode 100644
-index 0000000..838f907
+index 0000000..a299f53
--- /dev/null
+++ b/snapper.te
@@ -0,0 +1,66 @@
@@ -88710,8 +89044,8 @@ index 0000000..838f907
+type snapperd_log_t;
+logging_log_file(snapperd_log_t)
+
-+type snappperd_conf_t;
-+files_config_file(snappperd_conf_t)
++type snapperd_conf_t;
++files_config_file(snapperd_conf_t)
+
+type snapperd_data_t;
+files_type(snapperd_data_t)
@@ -88904,7 +89238,7 @@ index 7a9cc9d..86cbca9 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 81864ce..4b6b771 100644
+index 81864ce..7408ed7 100644
--- a/snmp.te
+++ b/snmp.te
@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
@@ -88987,6 +89321,14 @@ index 81864ce..4b6b771 100644
')
optional_policy(`
+@@ -140,6 +146,7 @@ optional_policy(`
+
+ optional_policy(`
+ mta_read_config(snmpd_t)
++ mta_read_aliases(snmpd_t)
+ mta_search_queue(snmpd_t)
+ ')
+
diff --git a/snort.if b/snort.if
index 7d86b34..5f58180 100644
--- a/snort.if
@@ -89850,7 +90192,7 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..d5d1214 100644
+index 4faa7e0..32f670e 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -1,4 +1,4 @@
@@ -89929,7 +90271,7 @@ index 4faa7e0..d5d1214 100644
type spamd_initrc_exec_t;
init_script_file(spamd_initrc_exec_t)
-@@ -72,87 +39,198 @@ type spamd_log_t;
+@@ -72,87 +39,199 @@ type spamd_log_t;
logging_log_file(spamd_log_t)
type spamd_spool_t;
@@ -90133,6 +90475,7 @@ index 4faa7e0..d5d1214 100644
+ userdom_manage_user_home_content_dirs(spamd_t)
+ userdom_manage_user_home_content_files(spamd_t)
+ userdom_manage_user_home_content_symlinks(spamd_t)
++ userdom_exec_user_bin_files(spamd_t)
')
-tunable_policy(`use_samba_home_dirs',`
@@ -90150,7 +90493,7 @@ index 4faa7e0..d5d1214 100644
nis_use_ypbind_uncond(spamassassin_t)
')
')
-@@ -160,6 +238,8 @@ optional_policy(`
+@@ -160,6 +239,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -90159,7 +90502,7 @@ index 4faa7e0..d5d1214 100644
')
########################################
-@@ -167,72 +247,85 @@ optional_policy(`
+@@ -167,72 +248,85 @@ optional_policy(`
# Client local policy
#
@@ -90276,7 +90619,7 @@ index 4faa7e0..d5d1214 100644
optional_policy(`
abrt_stream_connect(spamc_t)
-@@ -243,6 +336,7 @@ optional_policy(`
+@@ -243,6 +337,7 @@ optional_policy(`
')
optional_policy(`
@@ -90284,7 +90627,7 @@ index 4faa7e0..d5d1214 100644
evolution_stream_connect(spamc_t)
')
-@@ -251,52 +345,55 @@ optional_policy(`
+@@ -251,52 +346,55 @@ optional_policy(`
')
optional_policy(`
@@ -90365,7 +90708,7 @@ index 4faa7e0..d5d1214 100644
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +405,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +406,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@@ -90375,7 +90718,7 @@ index 4faa7e0..d5d1214 100644
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +415,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +416,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@@ -90391,7 +90734,7 @@ index 4faa7e0..d5d1214 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +430,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +431,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -90495,7 +90838,7 @@ index 4faa7e0..d5d1214 100644
')
optional_policy(`
-@@ -421,21 +501,13 @@ optional_policy(`
+@@ -421,21 +502,13 @@ optional_policy(`
')
optional_policy(`
@@ -90519,7 +90862,7 @@ index 4faa7e0..d5d1214 100644
')
optional_policy(`
-@@ -443,8 +515,8 @@ optional_policy(`
+@@ -443,8 +516,8 @@ optional_policy(`
')
optional_policy(`
@@ -90529,7 +90872,7 @@ index 4faa7e0..d5d1214 100644
')
optional_policy(`
-@@ -455,7 +527,12 @@ optional_policy(`
+@@ -455,7 +528,12 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -90543,7 +90886,7 @@ index 4faa7e0..d5d1214 100644
')
optional_policy(`
-@@ -463,9 +540,9 @@ optional_policy(`
+@@ -463,9 +541,9 @@ optional_policy(`
')
optional_policy(`
@@ -90554,7 +90897,7 @@ index 4faa7e0..d5d1214 100644
')
optional_policy(`
-@@ -474,32 +551,32 @@ optional_policy(`
+@@ -474,32 +552,32 @@ optional_policy(`
########################################
#
@@ -90597,7 +90940,7 @@ index 4faa7e0..d5d1214 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +585,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@@ -101471,19 +101814,21 @@ index 9ead775..b5285e7 100644
+userdom_use_inherited_user_terminals(vlock_t)
diff --git a/vmtools.fc b/vmtools.fc
new file mode 100644
-index 0000000..5726cdb
+index 0000000..c5deffb
--- /dev/null
+++ b/vmtools.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,5 @@
+/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0)
+
++/usr/bin/vmware-user-suid-wrapper -- gen_context(system_u:object_r:vmtools_helper_exec_t,s0)
++
+/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0)
diff --git a/vmtools.if b/vmtools.if
new file mode 100644
-index 0000000..044be2f
+index 0000000..7933d80
--- /dev/null
+++ b/vmtools.if
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,122 @@
+## <summary>VMware Tools daemon</summary>
+
+########################################
@@ -101504,6 +101849,50 @@ index 0000000..044be2f
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vmtools_exec_t, vmtools_t)
+')
++
++########################################
++## <summary>
++## Execute vmtools in the vmtools domin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`vmtools_domtrans_helper',`
++ gen_require(`
++ type vmtools_helper_t, vmtools_helper_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, vmtools_helper_exec_t, vmtools_helper_t)
++')
++
++########################################
++## <summary>
++## Execute vmtools helpers in the vmtools_heler domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the mozilla_plugin domain.
++## </summary>
++## </param>
++#
++interface(`vmtools_run_helper',`
++ gen_require(`
++ attribute_role vmtools_helper_roles;
++ ')
++
++ vmtools_domtrans_helper($1)
++ roleattribute $2 vmtools_helper_roles;
++')
++
+########################################
+## <summary>
+## Execute vmtools server in the vmtools domain.
@@ -101551,7 +101940,7 @@ index 0000000..044be2f
+ ps_process_pattern($1, vmtools_t)
+
+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ninfod_t:process ptrace;
++ allow $1 vmtools_t:process ptrace;
+ ')
+
+ vmtools_systemctl($1)
@@ -101564,10 +101953,10 @@ index 0000000..044be2f
+')
diff --git a/vmtools.te b/vmtools.te
new file mode 100644
-index 0000000..5549375
+index 0000000..b881c53
--- /dev/null
+++ b/vmtools.te
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,82 @@
+policy_module(vmtools, 1.0.0)
+
+########################################
@@ -101575,9 +101964,19 @@ index 0000000..5549375
+# Declarations
+#
+
++attribute_role vmtools_helper_roles;
++
++roleattribute system_r vmtools_helper_roles;
++
+type vmtools_t;
+type vmtools_exec_t;
+init_daemon_domain(vmtools_t, vmtools_exec_t)
++role vmtools_helper_roles types vmtools_t;
++
++type vmtools_helper_t;
++type vmtools_helper_exec_t;
++application_domain(vmtools_helper_t, vmtools_helper_exec_t)
++role vmtools_helper_roles types vmtools_t;
+
+type vmtools_unit_file_t;
+systemd_unit_file(vmtools_unit_file_t)
@@ -101613,7 +102012,33 @@ index 0000000..5549375
+
+auth_use_nsswitch(vmtools_t)
+
++#shutdown
++init_rw_utmp(vmtools_t)
++init_stream_connect(vmtools_t)
++init_telinit(vmtools_t)
++
+logging_send_syslog_msg(vmtools_t)
++
++systemd_exec_systemctl(vmtools_t)
++
++sysnet_domtrans_ifconfig(vmtools_t)
++
++xserver_stream_connect_xdm(vmtools_t)
++xserver_stream_connect(vmtools_t)
++
++optional_policy(`
++ unconfined_domain(vmtools_t)
++')
++
++########################################
++#
++# vmtools-helper local policy
++#
++
++domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)
++can_exec(vmtools_helper_t, vmtools_helper_exec_t)
++
++userdom_stream_connect(vmtools_helper_t)
diff --git a/vmware.if b/vmware.if
index 20a1fb2..470ea95 100644
--- a/vmware.if
@@ -102021,6 +102446,28 @@ index 9329eae..824e86f 100644
-optional_policy(`
- seutil_use_newrole_fds(vpnc_t)
-')
+diff --git a/w3c.te b/w3c.te
+index bcb76b6..d3cf4a8 100644
+--- a/w3c.te
++++ b/w3c.te
+@@ -7,10 +7,17 @@ policy_module(w3c, 1.0.1)
+
+ apache_content_template(w3c_validator)
+
++type httpd_w3c_validator_tmp_t;
++files_tmp_file(httpd_w3c_validator_tmp_t)
++
+ ########################################
+ #
+ # Local policy
+ #
++manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
++manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
++files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir })
++
+
+ corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t)
+ corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t)
diff --git a/watchdog.fc b/watchdog.fc
index eecd0e0..8df2e8c 100644
--- a/watchdog.fc
@@ -104555,7 +105002,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..47847ad 100644
+index 46e4cd3..20fc1ba 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3)
@@ -104760,7 +105207,7 @@ index 46e4cd3..47847ad 100644
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -177,12 +181,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +181,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t)
@@ -104774,7 +105221,9 @@ index 46e4cd3..47847ad 100644
fs_getattr_all_fs(zabbix_agent_t)
-@@ -190,8 +193,14 @@ init_read_utmp(zabbix_agent_t)
++auth_use_nsswitch(zabbix_agent_t)
++
+ init_read_utmp(zabbix_agent_t)
logging_search_logs(zabbix_agent_t)
@@ -105614,7 +106063,7 @@ index 0000000..8c61505
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
diff --git a/zoneminder.if b/zoneminder.if
new file mode 100644
-index 0000000..d02a6f4
+index 0000000..e0604c7
--- /dev/null
+++ b/zoneminder.if
@@ -0,0 +1,374 @@
@@ -105827,7 +106276,7 @@ index 0000000..d02a6f4
+#
+interface(`zoneminder_manage_lib_sock_files',`
+ gen_require(`
-+ type sock_var_lib_t;
++ type zoneminder_sock_var_lib_t;
+ ')
+ files_search_var_lib($1)
+ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9b35494..17b87f4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 125%{?dist}
+Release: 126%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,63 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Feb 18 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-126
+- Add lvm_read_metadata()
+- Allow auditadm to search /var/log/audit dir
+- Add lvm_read_metadata() interface
+- Allow confined users to run vmtools helpers
+- Fix userdom_common_user_template()
+- Generic systemd unit scripts do write check on /
+- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files
+- Add additional fixes needed for init_t and setup script running in generic unit files
+- Allow general users to create packet_sockets
+- added connlcli port
+- Add init_manage_transient_unit() interface
+- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t
+- Fix userdomain.te to require passwd class
+- devicekit_power sends out a signal to all processes on the message bus when power is going down
+- Dontaudit rendom domains listing /proc and hittping system_map_t
+- Dontauit leaks of var_t into ifconfig_t
+- Allow domains that transition to ssh_t to manipulate its keyring
+- Define oracleasm_t as a device node
+- Change to handle /root as a symbolic link for os-tree
+- Allow sysadm_t to create packet_socket, also move some rules to attributes
+- Add label for openvswitch port
+- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.
+- Allow postfix_local to read .forward in pcp lib files
+- Allow pegasus_openlmi_storage_t to read lvm metadata
+- Add additional fixes for pegasus_openlmi_storage_t
+- Allow bumblebee to manage debugfs
+- Make bumblebee as unconfined domain
+- Allow snmp to read etc_aliases_t
+- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem
+- Allow pegasus_openlmi_storage_t to read /proc/1/environ
+- Dontaudit read gconf files for cupsd_config_t
+- make vmtools as unconfined domain
+- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig.
+- Allow collectd_t to use a mysql database
+- Allow ipa-otpd to perform DNS name resolution
+- Added new policy for keepalived
+- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd
+- Add additional fixes new pscs-lite+polkit support
+- Add labeling for /run/krb5kdc
+- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20
+- Allow pcscd to read users proc info
+- Dontaudit smbd_t sending out random signuls
+- Add boolean to allow openshift domains to use nfs
+- Allow w3c_validator to create content in /tmp
+- zabbix_agent uses nsswitch
+- Allow procmail and dovecot to work together to deliver mail
+- Allow spamd to execute files in homedir if boolean turned on
+- Allow openvswitch to listen on port 6634
+- Add net_admin capability in collectd policy
+- Fixed snapperd policy
+- Fixed bugsfor pcp policy
+- Allow dbus_system_domains to be started by init
+- Fixed some interfaces
+- Add kerberos_keytab_domain attribute
+- Fix snapperd_conf_t def
+
* Tue Feb 11 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-125
- Addopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send send audit messages.
More information about the scm-commits
mailing list