[selinux-policy] - Make unconfined_service_t valid in enforcing - Remove transition for temp dirs created by init_t -

Miroslav Grepl mgrepl at fedoraproject.org
Mon Feb 24 19:12:39 UTC 2014


commit 3e0039f0652626810f29de6c8d49a8bd82eb3e6b
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Feb 24 20:13:11 2014 +0100

    - Make unconfined_service_t valid in enforcing
    - Remove transition for temp dirs created by init_t
    - gdm-simple-slave uses setsockopt
    - Treat usermodehelper_t as a sysctl_type
    - xdm communicates with geo
    - Add lvm_read_metadata()
    - Allow rabbitmq_beam to connect to jabber_interserver_port
    - Allow logwatch_mail_t to transition to qmail_inject and queue
    - Added new rules to pcp policy
    - Allow vmtools_helper_t to change role to system_r
    - Allow NM to dbus chat with vmtools

 policy-rawhide-base.patch    |  466 ++++++++++++++++++++++--------------------
 policy-rawhide-contrib.patch |   97 ++++++----
 selinux-policy.spec          |   15 ++-
 3 files changed, 312 insertions(+), 266 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 1679ed1..e8a0f00 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -15993,7 +15993,7 @@ index e100d88..1c1a61c 100644
 +	allow $1 usermodehelper_t:file relabelto;
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..b1a339b 100644
+index 8dbab4c..15230be 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -16042,7 +16042,7 @@ index 8dbab4c..b1a339b 100644
 +genfscon proc /sys/kernel/modules_disabled gen_context(system_u:object_r:proc_security_t,s0)
 +genfscon proc /sys/kernel/randomize_va_space gen_context(system_u:object_r:proc_security_t,s0)
 +
-+type usermodehelper_t, proc_type;
++type usermodehelper_t, proc_type, sysctl_type;
 +typealias usermodehelper_t alias sysctl_hotplug_t;
 +typealias usermodehelper_t alias sysctl_modprobe_t;
 +dev_associate_sysfs(usermodehelper_t)
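Review bot: Adding `sysctl_type` to `usermodehelper_t` on the `+` line silently widens every interface that targets the whole `sysctl_type` attribute (the `kernel_*_all_sysctls` family) to the files this type labels, and the `sysctl_hotplug_t`/`sysctl_modprobe_t` aliases on the next two lines suggest those are the kernel's usermode-helper settings. A domain that can write such an entry chooses the helper program the kernel later executes with full privilege, so after this change the set of domains holding write access to `sysctl_type` is what needs re-auditing; the commit log gives no rationale for the attribute. I would record it next to the declaration: `# sysctl_type: generic all-sysctl interfaces now reach the hotplug/modprobe helper settings; a write here selects a kernel-run helper, so review all-sysctl write grants`. The kernel.te block this sits in starts before the hunk.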
@@ -24323,7 +24323,7 @@ index 6bf0ecc..115c533 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..787bc72 100644
+index 8b40377..a02343f 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -24662,13 +24662,13 @@ index 8b40377..787bc72 100644
 +ifdef(`hide_broken_symptoms',`
 +	term_dontaudit_use_unallocated_ttys(xauth_t)
 +	dev_dontaudit_rw_dri(xauth_t)
- ')
- 
- optional_policy(`
-+	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
 +')
 +
 +optional_policy(`
++	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
+ ')
+ 
+ optional_policy(`
 +	ssh_use_ptys(xauth_t)
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
@@ -24679,7 +24679,7 @@ index 8b40377..787bc72 100644
  
 -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
-+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
 +allow xdm_t self:capability2 { block_suspend };
 +dontaudit xdm_t self:capability sys_admin;
 +tunable_policy(`deny_ptrace',`',`
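Review bot: `net_admin` joins xdm_t's self capability set on the `+` line without a comment, and the only rationale is the commit log entry about gdm-simple-slave calling setsockopt. CAP_NET_ADMIN covers much more than socket options (interface and routing configuration among others), so the grant deserves an in-policy note, and if the setsockopt call is one the display manager tolerates failing, a `dontaudit xdm_t self:capability net_admin;` beside the existing `dontaudit xdm_t self:capability sys_admin;` would be the narrower choice. I would at least put `# net_admin: gdm-simple-slave issues a privileged setsockopt` above the allow line. The xdm_t block continues outside this hunk.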
@@ -24703,7 +24703,8 @@ index 8b40377..787bc72 100644
 +allow xdm_t self:dbus { send_msg acquire_svc };
 +
 +allow xdm_t xauth_home_t:file manage_file_perms;
-+
+ 
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -24712,8 +24713,7 @@ index 8b40377..787bc72 100644
 +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +xserver_filetrans_home_content(xdm_t)
 +xserver_filetrans_admin_home_content(xdm_t)
- 
--allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++
 +#Handle mislabeled files in homedir
 +userdom_delete_user_home_content_files(xdm_t)
 +userdom_signull_unpriv_users(xdm_t)
@@ -24958,7 +24958,7 @@ index 8b40377..787bc72 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +689,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +689,148 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -25015,6 +25015,10 @@ index 8b40377..787bc72 100644
 +')
 +
 +optional_policy(`
++	geoclue_dbus_chat(xdm_t)
++')
++
++optional_policy(`
 +	gnome_filetrans_home_content(xdm_t)
 +')
 +
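Review bot: `geoclue_dbus_chat(xdm_t)` is added here and `geoclue_dbus_chat($1_usertype)` in the userdomain.if hunk further down, but the commit log mentions only the xdm side ("xdm communicates with geo"); the user-domain grant should be listed in the log too, since it applies to every login user type built from the template. Both calls sit inside `optional_policy`, so a build without the geoclue contrib module still compiles, and the interface itself is not part of this patch. If `geoclue_dbus_chat` follows the usual `*_dbus_chat` shape it authorises messages in both directions, so a short comment such as `# two-way dbus traffic with geoclue` on each call would make the intent reviewable.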
@@ -25109,7 +25113,7 @@ index 8b40377..787bc72 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -503,11 +840,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -503,11 +844,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -25136,7 +25140,7 @@ index 8b40377..787bc72 100644
  ')
  
  optional_policy(`
-@@ -517,9 +869,34 @@ optional_policy(`
+@@ -517,9 +873,34 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(xdm_t)
  	dbus_connect_system_bus(xdm_t)
@@ -25152,8 +25156,9 @@ index 8b40377..787bc72 100644
 +	 optional_policy(`
 +		cpufreqselector_dbus_chat(xdm_t)
 +	')
-+
-+	optional_policy(`
+ 
+ 	optional_policy(`
+-		accountsd_dbus_chat(xdm_t)
 +		devicekit_dbus_chat_disk(xdm_t)
 +		devicekit_dbus_chat_power(xdm_t)
 +	')
@@ -25161,9 +25166,8 @@ index 8b40377..787bc72 100644
 +	optional_policy(`
 +		hal_dbus_chat(xdm_t)
 +	')
- 
- 	optional_policy(`
--		accountsd_dbus_chat(xdm_t)
++
++	optional_policy(`
 +		gnomeclock_dbus_chat(xdm_t)
 +	')
 +
@@ -25172,7 +25176,7 @@ index 8b40377..787bc72 100644
  	')
  ')
  
-@@ -530,6 +907,20 @@ optional_policy(`
+@@ -530,6 +911,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25193,7 +25197,7 @@ index 8b40377..787bc72 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -547,28 +938,78 @@ optional_policy(`
+@@ -547,28 +942,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25281,7 +25285,7 @@ index 8b40377..787bc72 100644
  ')
  
  optional_policy(`
-@@ -580,6 +1021,14 @@ optional_policy(`
+@@ -580,6 +1025,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25296,7 +25300,7 @@ index 8b40377..787bc72 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +1043,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -25305,7 +25309,7 @@ index 8b40377..787bc72 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1053,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -25318,7 +25322,7 @@ index 8b40377..787bc72 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1070,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -25334,7 +25338,7 @@ index 8b40377..787bc72 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1086,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -25345,7 +25349,7 @@ index 8b40377..787bc72 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1101,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1105,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -25382,7 +25386,7 @@ index 8b40377..787bc72 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1147,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1151,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -25414,7 +25418,7 @@ index 8b40377..787bc72 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -705,6 +1180,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1184,14 @@ fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
  
@@ -25429,7 +25433,7 @@ index 8b40377..787bc72 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -718,20 +1201,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1205,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -25453,7 +25457,7 @@ index 8b40377..787bc72 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1224,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -25462,7 +25466,7 @@ index 8b40377..787bc72 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1264,44 @@ optional_policy(`
+@@ -785,17 +1268,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25509,7 +25513,7 @@ index 8b40377..787bc72 100644
  ')
  
  optional_policy(`
-@@ -803,6 +1309,10 @@ optional_policy(`
+@@ -803,6 +1313,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25520,7 +25524,7 @@ index 8b40377..787bc72 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -818,10 +1328,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1332,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -25534,7 +25538,7 @@ index 8b40377..787bc72 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1339,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1343,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -25543,7 +25547,7 @@ index 8b40377..787bc72 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -842,26 +1352,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1356,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -25578,7 +25582,7 @@ index 8b40377..787bc72 100644
  ')
  
  optional_policy(`
-@@ -912,7 +1417,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1421,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -25587,7 +25591,7 @@ index 8b40377..787bc72 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -966,11 +1471,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1475,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -25619,7 +25623,7 @@ index 8b40377..787bc72 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1517,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1521,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -29434,7 +29438,7 @@ index 79a45f6..35df3cb 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..f22157d 100644
+index 17eda24..758e084 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -29573,7 +29577,7 @@ index 17eda24..f22157d 100644
 +manage_files_pattern(init_t, init_tmp_t, init_tmp_t)
 +manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)
 +manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)
-+files_tmp_filetrans(init_t, init_tmp_t, { file dir })
++files_tmp_filetrans(init_t, init_tmp_t, { file })
 +
 +manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
 +manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
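Review bot: Dropping `dir` from `files_tmp_filetrans(init_t, init_tmp_t, ...)` leaves directories that init_t creates under the generic tmp type while files still transition to init_tmp_t, and nothing in the hunk or the commit log says why the two classes should now differ. The `manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)` rule two lines above still lets init_t handle init_tmp_t directories, so the change only affects the label new directories receive. A comment on the changed line would stop the next reader from "fixing" it back: `# dirs intentionally excluded: temp dirs created by init are presumably shared with the services it starts -- TODO confirm`. The init_t block starts before this hunk.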
@@ -41168,10 +41172,10 @@ index 5ca20a9..e749152 100644
 +	corecmd_bin_domtrans($1, unconfined_service_t)
  ')
 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 5fe902d..fe042f9 100644
+index 5fe902d..9382e97 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
-@@ -1,207 +1,15 @@
+@@ -1,207 +1,16 @@
 -policy_module(unconfined, 3.5.1)
 +policy_module(unconfined, 3.5.0)
  
@@ -41190,6 +41194,7 @@ index 5fe902d..fe042f9 100644
 -userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
 +type unconfined_service_t;
 +domain_type(unconfined_service_t)
++role system_r types unconfined_service_t;
  
 -type unconfined_exec_t;
 -init_system_domain(unconfined_t, unconfined_exec_t)
@@ -41417,7 +41422,7 @@ index db75976..e4eb903 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..ace307f 100644
+index 9dc60c6..771d5b9 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -42095,7 +42100,7 @@ index 9dc60c6..ace307f 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,93 +726,120 @@ template(`userdom_common_user_template',`
+@@ -546,93 +726,124 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -42191,6 +42196,10 @@ index 9dc60c6..ace307f 100644
 +		')
 +
 +		optional_policy(`
++			geoclue_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
 +			gnome_dbus_chat_gconfdefault($1_usertype)
 +		')
  
@@ -42230,31 +42239,31 @@ index 9dc60c6..ace307f 100644
 -		inetd_use_fds($1_t)
 -		inetd_rw_tcp_sockets($1_t)
 +		git_role($1_r, $1_t)
-+	')
-+
-+	optional_policy(`
-+		inetd_use_fds($1_usertype)
-+		inetd_rw_tcp_sockets($1_usertype)
  	')
  
  	optional_policy(`
 -		inn_read_config($1_t)
 -		inn_read_news_lib($1_t)
 -		inn_read_news_spool($1_t)
-+		inn_read_config($1_usertype)
-+		inn_read_news_lib($1_usertype)
-+		inn_read_news_spool($1_usertype)
++		inetd_use_fds($1_usertype)
++		inetd_rw_tcp_sockets($1_usertype)
  	')
  
  	optional_policy(`
 -		kerberos_manage_krb5_home_files($1_t)
 -		kerberos_relabel_krb5_home_files($1_t)
 -		kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
++		inn_read_config($1_usertype)
++		inn_read_news_lib($1_usertype)
++		inn_read_news_spool($1_usertype)
++	')
++
++	optional_policy(`
 +		lircd_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
-@@ -642,23 +849,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +853,21 @@ template(`userdom_common_user_template',`
  	optional_policy(`
  		mpd_manage_user_data_content($1_t)
  		mpd_relabel_user_data_content($1_t)
@@ -42283,7 +42292,7 @@ index 9dc60c6..ace307f 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -671,7 +876,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +880,7 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -42292,7 +42301,7 @@ index 9dc60c6..ace307f 100644
  	')
  
  	optional_policy(`
-@@ -680,9 +885,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +889,9 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -42305,7 +42314,7 @@ index 9dc60c6..ace307f 100644
  		')
  	')
  
-@@ -693,32 +898,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +902,35 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -42315,27 +42324,31 @@ index 9dc60c6..ace307f 100644
 +
 +	optional_policy(`
 +		rpc_dontaudit_getattr_exports($1_usertype)
++	')
++
++	optional_policy(`
++		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		rpcbind_stream_connect($1_usertype)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t, $1_r)
-+		seunshare_role_template($1, $1_r, $1_t)
++		slrnpull_search_spool($1_usertype)
  	')
  
  	optional_policy(`
@@ -42344,15 +42357,11 @@ index 9dc60c6..ace307f 100644
 -		virt_home_filetrans_virt_content($1_t, dir, "isos")
 -		virt_home_filetrans_svirt_home($1_t, dir, "qemu")
 -		virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")	
-+		slrnpull_search_spool($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		thumb_role($1_r, $1_usertype)
  	')
  ')
  
-@@ -743,17 +951,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +955,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -42369,12 +42378,12 @@ index 9dc60c6..ace307f 100644
 -	userdom_manage_tmpfs_role($1_r, $1_t)
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
++
++	ifelse(`$1',`unconfined',`',`
++		gen_tunable($1_exec_content, true)
  
 -	userdom_exec_user_tmp_files($1_t)
 -	userdom_exec_user_home_content_files($1_t)
-+	ifelse(`$1',`unconfined',`',`
-+		gen_tunable($1_exec_content, true)
-+
 +		tunable_policy(`$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
@@ -42390,7 +42399,7 @@ index 9dc60c6..ace307f 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,83 +985,107 @@ template(`userdom_login_user_template', `
+@@ -761,83 +989,107 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -42484,8 +42493,7 @@ index 9dc60c6..ace307f 100644
 +	seutil_read_file_contexts($1_usertype)
 +	seutil_read_default_contexts($1_usertype)
 +	seutil_exec_setfiles($1_usertype)
- 
--	seutil_read_config($1_t)
++
 +	optional_policy(`
 +		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
@@ -42496,7 +42504,8 @@ index 9dc60c6..ace307f 100644
 +		kerberos_use($1_usertype)
 +		init_write_key($1_usertype)
 +	')
-+
+ 
+-	seutil_read_config($1_t)
 +	optional_policy(`
 +		mysql_filetrans_named_content($1_usertype)
 +	')
@@ -42534,7 +42543,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  #######################################
-@@ -868,6 +1116,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1120,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -42547,7 +42556,7 @@ index 9dc60c6..ace307f 100644
  	##############################
  	#
  	# Local policy
-@@ -907,56 +1161,140 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1165,137 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
@@ -42621,19 +42630,19 @@ index 9dc60c6..ace307f 100644
 +		dbus_role_template($1, $1_r, $1_usertype)
 +		dbus_system_bus_client($1_usertype)
 +		allow $1_usertype $1_usertype:dbus send_msg;
-+
-+		optional_policy(`
-+			abrt_dbus_chat($1_usertype)
-+			abrt_run_helper($1_usertype, $1_r)
-+		')
  
  		optional_policy(`
 -			consolekit_dbus_chat($1_t)
-+			accountsd_dbus_chat($1_usertype)
++			abrt_dbus_chat($1_usertype)
++			abrt_run_helper($1_usertype, $1_r)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat($1_t)
++			accountsd_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
 +		')
@@ -42669,27 +42678,24 @@ index 9dc60c6..ace307f 100644
  	optional_policy(`
 -		java_role($1_r, $1_t)
 +		policykit_role($1_r, $1_usertype)
- 	')
- 
- 	optional_policy(`
--		setroubleshoot_dontaudit_stream_connect($1_t)
++	')
++
++	optional_policy(`
 +		pulseaudio_role($1_r, $1_usertype)
 +		pulseaudio_filetrans_admin_home_content($1_usertype)
- 	')
--')
- 
--#######################################
-+	optional_policy(`
-+		rtkit_scheduled($1_usertype)
 +	')
 +
 +	optional_policy(`
-+		systemd_filetrans_home_content($1_usertype)
++		rtkit_scheduled($1_usertype)
 +	')
 +
 +	optional_policy(`
-+		setroubleshoot_dontaudit_stream_connect($1_t)
-+	')
++		systemd_filetrans_home_content($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+ 		setroubleshoot_dontaudit_stream_connect($1_t)
+ 	')
 +
 +	optional_policy(`
 +		udev_read_db($1_usertype)
@@ -42698,13 +42704,10 @@ index 9dc60c6..ace307f 100644
 +	optional_policy(`
 +		xserver_xdm_ioctl_log($1_t)
 +	')
-+')
-+
-+#######################################
- ## <summary>
- ##	The template for creating a unprivileged user roughly
- ##	equivalent to a regular linux user.
-@@ -987,27 +1325,33 @@ template(`userdom_unpriv_user_template', `
+ ')
+ 
+ #######################################
+@@ -987,27 +1329,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -42742,7 +42745,7 @@ index 9dc60c6..ace307f 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1018,23 +1362,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1366,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -42813,7 +42816,7 @@ index 9dc60c6..ace307f 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1043,7 +1424,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1428,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -42824,7 +42827,7 @@ index 9dc60c6..ace307f 100644
  	')
  ')
  
-@@ -1079,7 +1462,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1466,9 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -42835,7 +42838,7 @@ index 9dc60c6..ace307f 100644
  	')
  
  	##############################
-@@ -1095,6 +1480,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1484,7 @@ template(`userdom_admin_user_template',`
  	role system_r types $1_t;
  
  	typeattribute $1_t admindomain;
@@ -42843,7 +42846,7 @@ index 9dc60c6..ace307f 100644
  
  	ifdef(`direct_sysadm_daemon',`
  		domain_system_change_exemption($1_t)
-@@ -1105,14 +1491,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1495,8 @@ template(`userdom_admin_user_template',`
  	# $1_t local policy
  	#
  
@@ -42860,7 +42863,7 @@ index 9dc60c6..ace307f 100644
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1128,6 +1508,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1512,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -42868,7 +42871,7 @@ index 9dc60c6..ace307f 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1145,10 +1526,14 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1530,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -42883,7 +42886,7 @@ index 9dc60c6..ace307f 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1159,29 +1544,38 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1548,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -42926,7 +42929,7 @@ index 9dc60c6..ace307f 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1585,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1589,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -42935,7 +42938,7 @@ index 9dc60c6..ace307f 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1594,17 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1598,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -42954,7 +42957,7 @@ index 9dc60c6..ace307f 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1240,7 +1640,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1644,7 @@ template(`userdom_admin_user_template',`
  ##	</summary>
  ## </param>
  #
@@ -42963,7 +42966,7 @@ index 9dc60c6..ace307f 100644
  	allow $1 self:capability { dac_read_search dac_override };
  
  	corecmd_exec_shell($1)
-@@ -1250,6 +1650,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1654,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -42972,7 +42975,7 @@ index 9dc60c6..ace307f 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1262,8 +1664,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1668,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -42984,7 +42987,7 @@ index 9dc60c6..ace307f 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1274,29 +1678,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1682,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -43027,7 +43030,7 @@ index 9dc60c6..ace307f 100644
  	')
  
  	optional_policy(`
-@@ -1357,14 +1763,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1767,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -43046,7 +43049,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -1405,6 +1814,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1405,6 +1818,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -43098,7 +43101,7 @@ index 9dc60c6..ace307f 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1509,11 +1963,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1967,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -43130,7 +43133,7 @@ index 9dc60c6..ace307f 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1555,6 +2029,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2033,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -43145,7 +43148,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -1570,9 +2052,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2056,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -43157,7 +43160,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -1629,6 +2113,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2117,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -43200,7 +43203,7 @@ index 9dc60c6..ace307f 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1708,6 +2228,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1708,6 +2232,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -43209,7 +43212,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -1741,10 +2263,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2267,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -43224,7 +43227,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -1769,7 +2293,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2297,25 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -43251,7 +43254,7 @@ index 9dc60c6..ace307f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1779,53 +2321,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1779,53 +2325,70 @@ interface(`userdom_manage_user_home_content_dirs',`
  #
  interface(`userdom_delete_all_user_home_content_dirs',`
  	gen_require(`
@@ -43334,7 +43337,7 @@ index 9dc60c6..ace307f 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1845,6 +2404,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1845,6 +2408,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -43360,7 +43363,7 @@ index 9dc60c6..ace307f 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1875,14 +2453,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1875,14 +2457,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -43398,7 +43401,7 @@ index 9dc60c6..ace307f 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1893,11 +2493,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2497,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -43416,7 +43419,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -1938,7 +2541,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2545,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -43425,7 +43428,7 @@ index 9dc60c6..ace307f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,10 +2549,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2553,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -43438,7 +43441,7 @@ index 9dc60c6..ace307f 100644
  	')
  
  	userdom_search_user_home_content($1)
-@@ -1958,7 +2560,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2564,7 @@ interface(`userdom_delete_all_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -43447,7 +43450,7 @@ index 9dc60c6..ace307f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1966,35 +2568,89 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,35 +2572,35 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -43488,39 +43491,51 @@ index 9dc60c6..ace307f 100644
  ## <summary>
 -##	Read user home subdirectory symbolic links.
 +##	Delete all sock files in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2002,45 +2608,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_read_user_home_content_symlinks',`
 +interface(`userdom_delete_all_user_home_content_sock_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type user_home_dir_t, user_home_t;
 +		attribute user_home_type;
-+	')
-+
+ 	')
+ 
+-	read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+-	files_search_home($1)
 +	allow $1 user_home_type:sock_file delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute user home files.
 +##	Delete all files in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`userdom_exec_user_home_content_files',`
 +interface(`userdom_delete_all_user_home_content',`
-+	gen_require(`
+ 	gen_require(`
+-		type user_home_dir_t, user_home_t;
 +		attribute user_home_type;
-+	')
-+
+ 	')
+ 
+-	files_search_home($1)
+-	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 +	allow $1 user_home_type:dir_file_class_set delete_file_perms;
 +')
-+
+ 
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_exec_nfs_files($1)
 +########################################
 +## <summary>
 +##	Do not audit attempts to write user home files.
@@ -43534,54 +43549,59 @@ index 9dc60c6..ace307f 100644
 +interface(`userdom_dontaudit_relabel_user_home_content_files',`
 +	gen_require(`
 +		type user_home_t;
-+	')
-+
+ 	')
+ 
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	dontaudit $1 user_home_t:file relabel_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Read user home subdirectory symbolic links.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2007,8 +2663,7 @@ interface(`userdom_read_user_home_content_symlinks',`
- 		type user_home_dir_t, user_home_t;
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_read_user_home_content_symlinks',`
++	gen_require(`
++		type user_home_dir_t, user_home_t;
  	')
- 
--	read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
--	files_search_home($1)
++
 +	allow $1 { user_home_dir_t user_home_t }:lnk_file  read_lnk_file_perms;
  ')
  
  ########################################
-@@ -2024,21 +2679,15 @@ interface(`userdom_read_user_home_content_symlinks',`
- #
- interface(`userdom_exec_user_home_content_files',`
- 	gen_require(`
--		type user_home_dir_t, user_home_t;
+ ## <summary>
++##	Execute user home files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_exec_user_home_content_files',`
++	gen_require(`
 +		type user_home_dir_t;
 +		attribute user_home_type;
- 	')
- 
- 	files_search_home($1)
--	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
--
--	tunable_policy(`use_nfs_home_dirs',`
--		fs_exec_nfs_files($1)
++	')
++
++	files_search_home($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
- 	')
- 
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
--	')
--')
--
- ########################################
- ## <summary>
++	')
++
++########################################
++## <summary>
  ##	Do not audit attempts to execute user home files.
-@@ -2120,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+ ## </summary>
+ ## <param name="domain">
+@@ -2120,7 +2773,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -43590,7 +43610,7 @@ index 9dc60c6..ace307f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2128,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2781,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -43614,7 +43634,7 @@ index 9dc60c6..ace307f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2148,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2799,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -43630,7 +43650,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -2390,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2390,11 +3041,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -43645,7 +43665,7 @@ index 9dc60c6..ace307f 100644
  	files_search_tmp($1)
  ')
  
-@@ -2414,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3065,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -43654,7 +43674,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -2661,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3312,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -43680,7 +43700,7 @@ index 9dc60c6..ace307f 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2677,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2677,13 +3347,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -43696,7 +43716,7 @@ index 9dc60c6..ace307f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2704,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2704,7 +3375,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -43705,7 +43725,7 @@ index 9dc60c6..ace307f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2712,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2712,14 +3383,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -43740,7 +43760,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -2814,6 +3497,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3501,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -43765,7 +43785,7 @@ index 9dc60c6..ace307f 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2832,22 +3533,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3537,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -43808,7 +43828,7 @@ index 9dc60c6..ace307f 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2856,14 +3569,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3573,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -43846,7 +43866,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -2882,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3618,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -43876,7 +43896,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -2955,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3710,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -43977,7 +43997,7 @@ index 9dc60c6..ace307f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3025,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3779,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -43992,7 +44012,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -3094,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +3848,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -44001,7 +44021,7 @@ index 9dc60c6..ace307f 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3110,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +3864,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -44035,7 +44055,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -3214,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +3952,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -44062,7 +44082,7 @@ index 9dc60c6..ace307f 100644
  ')
  
  ########################################
-@@ -3269,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4025,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -44078,7 +44098,7 @@ index 9dc60c6..ace307f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3282,36 +4035,112 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,31 +4039,107 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -44116,11 +44136,10 @@ index 9dc60c6..ace307f 100644
 -	read_files_pattern($1, userdomain, userdomain)
 -	kernel_search_proc($1)
 +	dontaudit $1 user_tmp_t:file delete_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of all user domains.
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to read/write users
 +##	temporary fifo files.
 +## </summary>
@@ -44193,15 +44212,10 @@ index 9dc60c6..ace307f 100644
 +	read_files_pattern($1, userdomain, userdomain)
 +	read_lnk_files_pattern($1,userdomain,userdomain)
 +	kernel_search_proc($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Get the attributes of all user domains.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3382,6 +4211,42 @@ interface(`userdom_signal_all_users',`
+ ')
+ 
+ ########################################
+@@ -3382,6 +4215,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -44244,7 +44258,7 @@ index 9dc60c6..ace307f 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4267,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4271,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -44269,7 +44283,7 @@ index 9dc60c6..ace307f 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4318,1680 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4322,1680 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -44400,7 +44414,7 @@ index 9dc60c6..ace307f 100644
 +
 +	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	dontaudit $1 admin_home_t:dir search_dir_perms;
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -44475,7 +44489,7 @@ index 9dc60c6..ace307f 100644
 +	')
 +
 +	allow $1 unpriv_userdomain:sem rw_sem_perms;
- ')
++')
 +
 +########################################
 +## <summary>
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 1c6e10c..a6f1306 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2335,10 +2335,10 @@ index aa44abf..16a6342 100644
  	rpm_domtrans(anaconda_t)
 diff --git a/antivirus.fc b/antivirus.fc
 new file mode 100644
-index 0000000..9d5214b
+index 0000000..219f32d
 --- /dev/null
 +++ b/antivirus.fc
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,44 @@
 +/etc/amavis(d)?\.conf			--	gen_context(system_u:object_r:antivirus_conf_t,s0)
 +/etc/amavisd(/.*)?					gen_context(system_u:object_r:antivirus_conf_t,s0)
 +
@@ -2350,6 +2350,7 @@ index 0000000..9d5214b
 +
 +/usr/lib/AntiVir/antivir		--	gen_context(system_u:object_r:antivirus_exec_t,s0)
 +
++/usr/sbin/amavi 				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
 +/usr/sbin/amavisd.*				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
 +/usr/bin/clamscan				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
 +/usr/bin/clamdscan				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
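Review bot: The new `/usr/sbin/amavi` file-context line has a stray space after the path before the tab run, unlike every other entry in this file; write it as `+/usr/sbin/amavi				--	gen_context(system_u:object_r:antivirus_exec_t,s0)`. The path-spec parser treats the first whitespace as the field separator, so this is cosmetic, but mixed space/tab separators are the kind of thing that trips a later search-and-replace over the .fc files.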
@@ -14439,10 +14440,10 @@ index 5b830ec..0647a3b 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/consolekit.te b/consolekit.te
-index bd18063..0957efc 100644
+index bd18063..47c8fd0 100644
 --- a/consolekit.te
 +++ b/consolekit.te
-@@ -19,12 +19,16 @@ type consolekit_var_run_t;
+@@ -19,21 +19,23 @@ type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
  init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
  
@@ -14459,16 +14460,19 @@ index bd18063..0957efc 100644
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket { accept listen };
-@@ -33,7 +37,7 @@ create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
- append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
- read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
- setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ 
+-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
 -logging_log_filetrans(consolekit_t, consolekit_log_t, file)
++manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
++manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
 +logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
  
  manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
  manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
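Review bot: Replacing the create/append/read/setattr patterns with `manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` lets consolekit_t overwrite, unlink and rename its own log files rather than only append to them, so the old append-only posture on consolekit_log_t is lost. If the motivation is only the new `{ dir file }` filetrans (per-session log directories), `manage_dirs_pattern` plus the original four file patterns would keep the narrower file grant; if full write access really is needed, a one-line comment stating why would save the next reviewer from re-asking. The consolekit_t rule block continues outside the hunk.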
-@@ -54,38 +58,37 @@ dev_read_sysfs(consolekit_t)
+@@ -54,38 +56,37 @@ dev_read_sysfs(consolekit_t)
  
  domain_read_all_domains_state(consolekit_t)
  domain_use_interactive_fds(consolekit_t)
@@ -14517,7 +14521,7 @@ index bd18063..0957efc 100644
  ')
  
  optional_policy(`
-@@ -109,13 +112,6 @@ optional_policy(`
+@@ -109,13 +110,6 @@ optional_policy(`
  	')
  ')
  
@@ -14747,7 +14751,7 @@ index c086302..4f33119 100644
  
  /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 diff --git a/couchdb.if b/couchdb.if
-index 715a826..36d5a7d 100644
+index 715a826..3f0c0dc 100644
 --- a/couchdb.if
 +++ b/couchdb.if
 @@ -2,7 +2,7 @@
@@ -14848,7 +14852,7 @@ index 715a826..36d5a7d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -73,19 +112,85 @@ interface(`couchdb_read_pid_files',`
+@@ -73,19 +112,87 @@ interface(`couchdb_read_pid_files',`
  	')
  
  	files_search_pids($1)
@@ -14890,11 +14894,13 @@ index 715a826..36d5a7d 100644
 +                type couchdb_var_run_t;
 +                type couchdb_log_t;
 +                type couchdb_var_lib_t;
++                type couchdb_conf_t;
 +        ')
 +
 +    manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
 +    manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
 +    manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
++    manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
  ')
  
  ########################################
@@ -14938,7 +14944,7 @@ index 715a826..36d5a7d 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -95,14 +200,19 @@ interface(`couchdb_read_pid_files',`
+@@ -95,14 +202,19 @@ interface(`couchdb_read_pid_files',`
  #
  interface(`couchdb_admin',`
  	gen_require(`
@@ -14959,7 +14965,7 @@ index 715a826..36d5a7d 100644
  	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -122,4 +232,13 @@ interface(`couchdb_admin',`
+@@ -122,4 +234,13 @@ interface(`couchdb_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, couchdb_var_run_t)
@@ -31415,7 +31421,7 @@ index 180f1b7..3c8757e 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 0e97e82..0a158ad 100644
+index 0e97e82..695e8fa 100644
 --- a/gpg.te
 +++ b/gpg.te
 @@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
@@ -31488,7 +31494,7 @@ index 0e97e82..0a158ad 100644
 +allow gpgdomain self:process { getsched setsched };
 +#at setrlimit is for ulimit -c 0
 +allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
-+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
++dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
 +
 +allow gpgdomain self:fifo_file rw_fifo_file_perms;
 +allow gpgdomain self:tcp_socket create_stream_socket_perms;
@@ -39059,7 +39065,7 @@ index be0ab84..1859690 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index ab65034..ed34956 100644
+index ab65034..c76dbda 100644
 --- a/logwatch.te
 +++ b/logwatch.te
 @@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
@@ -39144,7 +39150,7 @@ index ab65034..ed34956 100644
  	rpc_search_nfs_state_data(logwatch_t)
  ')
  
-@@ -187,6 +192,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -187,6 +192,17 @@ dev_read_sysfs(logwatch_mail_t)
  
  logging_read_all_logs(logwatch_mail_t)
  
@@ -39157,6 +39163,11 @@ index ab65034..ed34956 100644
 +optional_policy(`
 +	courier_stream_connect_authdaemon(logwatch_mail_t)
 +')
++
++optional_policy(`
++	qmail_domtrans_inject(logwatch_mail_t)
++	qmail_domtrans_queue(logwatch_mail_t)
++')
 diff --git a/lpd.fc b/lpd.fc
 index 2fb9b2e..08974e3 100644
 --- a/lpd.fc
@@ -58980,10 +58991,10 @@ index 0000000..ba24b40
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..d21c5d7
+index 0000000..3bd4aa3
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,192 @@
+@@ -0,0 +1,196 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -59090,6 +59101,7 @@ index 0000000..d21c5d7
 +fs_getattr_all_fs(pcp_pmcd_t)
 +fs_getattr_all_dirs(pcp_pmcd_t)
 +fs_list_cgroup_dirs(pcp_pmcd_t)
++fs_read_cgroup_files(pcp_pmcd_t)
 +
 +logging_send_syslog_msg(pcp_pmcd_t)
 +
@@ -59158,11 +59170,14 @@ index 0000000..d21c5d7
 +#
 +
 +allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };
 +
 +allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
 +
 +corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
 +
++logging_send_syslog_msg(pcp_pmie_t)
++
 +########################################
 +#
 +# pcp_pmlogger local  policy
@@ -72386,7 +72401,7 @@ index 2c3d338..cf3e5ad 100644
  
  ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..0d48e31 100644
+index dc3b0ed..c77c09c 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -72429,7 +72444,7 @@ index dc3b0ed..0d48e31 100644
  can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
  
  domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-@@ -55,51 +64,67 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
+@@ -55,51 +64,63 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
  corecmd_exec_bin(rabbitmq_beam_t)
  corecmd_exec_shell(rabbitmq_beam_t)
  
@@ -72443,25 +72458,28 @@ index dc3b0ed..0d48e31 100644
 +corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
  
  corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
- corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-+corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
- corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
  
  corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
++corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
++corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
++corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
++corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
++corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
++corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
  corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
++corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
  
 -corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
- corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
+-corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
 -corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
++domain_read_all_domains_state(rabbitmq_beam_t)
  
 -dev_read_sysfs(rabbitmq_beam_t)
 -dev_read_urand(rabbitmq_beam_t)
-+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
-+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
-+
-+domain_read_all_domains_state(rabbitmq_beam_t)
-+
 +files_getattr_all_mountpoints(rabbitmq_beam_t)
  
  fs_getattr_all_fs(rabbitmq_beam_t)
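Review bot: `corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)` is added without any comment on which rabbitmq component needs outbound XMPP server-to-server access, and the changelog entry only restates the rule. Combined with the existing bind rules for jabber_client_port and jabber_interserver_port, the domain now both listens on and dials the jabber ports, so a line such as `# presumably for an XMPP plugin that peers with remote jabber servers — confirm` would record the intent for whoever audits the port grants later. The new rule is also inserted between connect_epmd and sendrecv_epmd, breaking the per-port grouping the rest of the list keeps. The rabbitmq_beam_t block continues outside the hunk.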
@@ -72470,8 +72488,6 @@ index dc3b0ed..0d48e31 100644
  fs_search_cgroup_dirs(rabbitmq_beam_t)
  
 -files_read_etc_files(rabbitmq_beam_t)
-+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
-+
 +dev_read_sysfs(rabbitmq_beam_t)
 +dev_read_urand(rabbitmq_beam_t)
  
@@ -72493,8 +72509,6 @@ index dc3b0ed..0d48e31 100644
 +
 +optional_policy(`
 +    couchdb_manage_files(rabbitmq_beam_t)
-+    couchdb_manage_lib_files(rabbitmq_beam_t)
-+    couchdb_read_conf_files(rabbitmq_beam_t)
 +')
 +
 +optional_policy(`
@@ -72510,7 +72524,7 @@ index dc3b0ed..0d48e31 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -107,6 +132,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+@@ -107,6 +128,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
  
  allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
  
@@ -72519,7 +72533,7 @@ index dc3b0ed..0d48e31 100644
  corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
  corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
-@@ -117,8 +144,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -117,8 +140,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
@@ -101472,10 +101486,10 @@ index 0000000..7933d80
 +')
 diff --git a/vmtools.te b/vmtools.te
 new file mode 100644
-index 0000000..c47cb0e
+index 0000000..ab589a9
 --- /dev/null
 +++ b/vmtools.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,87 @@
 +policy_module(vmtools, 1.0.0)
 +
 +########################################
@@ -101495,6 +101509,7 @@ index 0000000..c47cb0e
 +type vmtools_helper_t;
 +type vmtools_helper_exec_t;
 +application_domain(vmtools_helper_t, vmtools_helper_exec_t)
++domain_system_change_exemption(vmtools_helper_t)
 +role vmtools_helper_roles types vmtools_helper_t;
 +
 +type vmtools_unit_file_t;
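Review bot: `domain_system_change_exemption(vmtools_helper_t)` is applied to a domain declared with application_domain() and reachable via vmtools_helper_roles, so as I read that interface a process in a user role can now escape the constraint that normally blocks a change into system_r (the changelog line "Allow vmtools_helper_t to change role to system_r" confirms this is the intent). That is a deliberate privilege-boundary crossing and deserves a comment on the line, e.g. `# helper must hand off to system_r services; keep vmtools_helper_exec_t entrypoints minimal`. The vmtools_helper_t declaration block continues outside the hunk.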
@@ -101546,6 +101561,10 @@ index 0000000..c47cb0e
 +xserver_stream_connect(vmtools_t)
 +
 +optional_policy(`
++    networkmanager_dbus_chat(vmtools_t)
++')
++
++optional_policy(`
 +    unconfined_domain(vmtools_t)
 +')
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ab2ad46..ed4d120 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -580,6 +580,19 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Feb 24 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-27
+- Make unconfined_service_t valid in enforcing
+- Remove transition for temp dirs created by init_t
+- gdm-simple-slave uses use setsockopt
+- Treat usermodehelper_t as a sysctl_type
+- xdm communicates with geo
+- Add lvm_read_metadata()
+- Allow rabbitmq_beam to connect to jabber_interserver_port
+- Allow logwatch_mail_t to transition to qmail_inject and queueu
+- Added new rules to pcp policy
+- Allow vmtools_helper_t to change role to system_r
+- Allow NM to dbus chat with vmtools
+
 * Fri Feb 21 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-26
 - Add labeling for /usr/sbin/amavi
 - Colin asked for this program to be treated as cloud-init

