[selinux-policy] - Allow bumblebeed to send signal to insmod - Dontaudit attempts by crond_t net_admin caused by jour

Miroslav Grepl mgrepl at fedoraproject.org
Thu Feb 27 11:33:35 UTC 2014


commit 439063013f7e0d88fd45507e28737bbab8ebc155
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Feb 27 12:34:10 2014 +0100

    - Allow bumblebeed to send signal to insmod
    - Dontaudit attempts by crond_t net_admin caused by journald
    - Allow the docker daemon to mounton tty_device_t
    - Add additional snapper fixes to allow relabel file_t
    - Allow setattr for all mountpoints
    - Allow snapperd to write all dirs
    - Add support for /etc/sysconfig/snapper
    - Allow mozilla_plugin to getsession
    - Add labeling for thttpd
    - Allow sosreport to execute grub2-probe
    - Allow NM to manage hostname config file
    - Allow systemd_timedated_t to dbus chat with rpm_script_t
    - Allow lsmd plugins to connect to http/ssh/http_cache ports by default
    - Add lsmd_plugin_connect_any boolean
    - Add support for ipset
    - Add support for /dev/sclp_line0
    - Add modutils_signal_insmod()
    - Add files_relabelto_all_mountpoints() interface
    - Allow the docker daemon to mounton tty_device_t
    - Allow all systemd domains to read /proc/1
    - Login programs talking to journald are attempting to net_admin, add dontaudit
    - init is not gettar on processes as shutdown time
    - Add systemd_hostnamed_manage_config() interface
    - Make unconfined_service_t valid in enforcing
    - Remove transition for temp dirs created by init_t
    - gdm-simple-slave uses use setsockopt
    - Add lvm_read_metadata()

 policy-rawhide-base.patch    |  622 +++++++++++++++++++++++-------------------
 policy-rawhide-contrib.patch |  141 +++++++---
 selinux-policy.spec          |   31 ++-
 3 files changed, 473 insertions(+), 321 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e8a0f00..48aad36 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -9454,7 +9454,7 @@ index b876c48..27f60c6 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..42fc031 100644
+index f962f76..ae94e80 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10060,7 +10060,32 @@ index f962f76..42fc031 100644
  ')
  
  #############################################
-@@ -1691,6 +2043,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1601,6 +1953,24 @@ interface(`files_setattr_all_mountpoints',`
+ 
+ ########################################
+ ## <summary>
++##	Set the attributes of all mount points.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabelto_all_mountpoints',`
++	gen_require(`
++		attribute mountpoint;
++	')
++
++	allow $1 mountpoint:dir relabelto;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to set the attributes on all mount points.
+ ## </summary>
+ ## <param name="domain">
+@@ -1691,6 +2061,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
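Review bot: The `<summary>` of the new `files_relabelto_all_mountpoints` interface reads `Set the attributes of all mount points.`, which is the text of the neighbouring setattr interface, while the only rule it emits is `allow $1 mountpoint:dir relabelto;`. Replace it with `##	Relabel directories to any mount point type.` so that a policy review of relabelto grants — the permission that lets a domain apply a mountpoint-attributed label to a directory it can already relabelfrom — sees what is actually being allowed. The grant covers the whole `mountpoint` attribute rather than a single type; if the snapper use named in the commit message only needs particular mount point types, a narrower interface would keep the grant minimal. The files.if hunk this interface sits in continues beyond the outer hunk shown here.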
@@ -10085,7 +10110,7 @@ index f962f76..42fc031 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1709,6 +2079,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1709,6 +2097,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -10128,7 +10153,7 @@ index f962f76..42fc031 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1725,6 +2131,23 @@ interface(`files_list_root',`
+@@ -1725,6 +2149,23 @@ interface(`files_list_root',`
  	allow $1 root_t:dir list_dir_perms;
  	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
  ')
@@ -10152,7 +10177,7 @@ index f962f76..42fc031 100644
  
  ########################################
  ## <summary>
-@@ -1765,6 +2188,26 @@ interface(`files_dontaudit_rw_root_dir',`
+@@ -1765,6 +2206,26 @@ interface(`files_dontaudit_rw_root_dir',`
  
  ########################################
  ## <summary>
@@ -10179,7 +10204,7 @@ index f962f76..42fc031 100644
  ##	Create an object in the root directory, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -1892,25 +2335,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1892,25 +2353,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -10211,7 +10236,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1923,7 +2366,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2384,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -10220,7 +10245,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -1946,6 +2389,24 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2407,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -10245,7 +10270,7 @@ index f962f76..42fc031 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2181,6 +2642,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2660,24 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -10270,7 +10295,7 @@ index f962f76..42fc031 100644
  ######################################
  ## <summary>
  ##	Read symbolic links in the /boot directory.
-@@ -2645,6 +3124,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3142,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -10295,7 +10320,7 @@ index f962f76..42fc031 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2716,6 +3213,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3231,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10303,7 +10328,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -2724,7 +3222,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3240,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10312,7 +10337,7 @@ index f962f76..42fc031 100644
  ##	</summary>
  ## </param>
  #
-@@ -2780,6 +3278,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3296,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -10338,7 +10363,7 @@ index f962f76..42fc031 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2798,6 +3315,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3333,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -10363,7 +10388,7 @@ index f962f76..42fc031 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2963,24 +3498,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3516,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -10388,7 +10413,7 @@ index f962f76..42fc031 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3021,9 +3538,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3556,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10399,7 +10424,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3031,18 +3546,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3564,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -10421,16 +10446,18 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3060,6 +3574,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,12 +3592,32 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
+-##	Read and write files in /etc that are dynamically
 +##	Do not audit attempts to read files
 +##	in /etc that are dynamically
-+##	created on boot, such as mtab.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ##	created on boot, such as mtab.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
@@ -10445,10 +10472,16 @@ index f962f76..42fc031 100644
 +
 +########################################
 +## <summary>
- ##	Read and write files in /etc that are dynamically
- ##	created on boot, such as mtab.
- ## </summary>
-@@ -3077,6 +3611,7 @@ interface(`files_rw_etc_runtime_files',`
++##	Read and write files in /etc that are dynamically
++##	created on boot, such as mtab.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ ## <rolecap/>
+@@ -3077,6 +3629,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10456,7 +10489,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3098,6 +3633,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3651,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10464,7 +10497,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3142,10 +3678,48 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3696,48 @@ interface(`files_etc_filetrans_etc_runtime',`
  #
  interface(`files_getattr_isid_type_dirs',`
  	gen_require(`
@@ -10489,9 +10522,8 @@ index f962f76..42fc031 100644
 +interface(`files_getattr_isid_type',`
 +	gen_require(`
 +		type unlabeled_t;
- 	')
- 
--	allow $1 file_t:dir getattr;
++	')
++
 +	allow $1 unlabeled_t:dir_file_class_set getattr;
 +')
 +
@@ -10509,13 +10541,14 @@ index f962f76..42fc031 100644
 +interface(`files_setattr_isid_type_dirs',`
 +	gen_require(`
 +		type unlabeled_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 file_t:dir getattr;
 +	allow $1 unlabeled_t:dir setattr;
  ')
  
  ########################################
-@@ -3161,10 +3735,10 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3161,10 +3753,10 @@ interface(`files_getattr_isid_type_dirs',`
  #
  interface(`files_dontaudit_search_isid_type_dirs',`
  	gen_require(`
@@ -10528,7 +10561,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3180,10 +3754,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3180,10 +3772,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
  #
  interface(`files_list_isid_type_dirs',`
  	gen_require(`
@@ -10541,7 +10574,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3199,10 +3773,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3791,10 @@ interface(`files_list_isid_type_dirs',`
  #
  interface(`files_rw_isid_type_dirs',`
  	gen_require(`
@@ -10554,7 +10587,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3218,10 +3792,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3810,66 @@ interface(`files_rw_isid_type_dirs',`
  #
  interface(`files_delete_isid_type_dirs',`
  	gen_require(`
@@ -10597,8 +10630,9 @@ index f962f76..42fc031 100644
 +interface(`files_mounton_isid',`
 +	gen_require(`
 +		type unlabeled_t;
-+	')
-+
+ 	')
+ 
+-	delete_dirs_pattern($1, file_t, file_t)
 +	allow $1 unlabeled_t:dir mounton;
 +')
 +
@@ -10616,14 +10650,13 @@ index f962f76..42fc031 100644
 +interface(`files_relabelfrom_isid_type',`
 +	gen_require(`
 +		type unlabeled_t;
- 	')
- 
--	delete_dirs_pattern($1, file_t, file_t)
++	')
++
 +	dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
  ')
  
  ########################################
-@@ -3237,10 +3867,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +3885,10 @@ interface(`files_delete_isid_type_dirs',`
  #
  interface(`files_manage_isid_type_dirs',`
  	gen_require(`
@@ -10636,7 +10669,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3256,10 +3886,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +3904,29 @@ interface(`files_manage_isid_type_dirs',`
  #
  interface(`files_mounton_isid_type_dirs',`
  	gen_require(`
@@ -10668,7 +10701,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3275,10 +3924,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +3942,10 @@ interface(`files_mounton_isid_type_dirs',`
  #
  interface(`files_read_isid_type_files',`
  	gen_require(`
@@ -10681,7 +10714,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3294,10 +3943,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +3961,10 @@ interface(`files_read_isid_type_files',`
  #
  interface(`files_delete_isid_type_files',`
  	gen_require(`
@@ -10694,7 +10727,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3313,10 +3962,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +3980,10 @@ interface(`files_delete_isid_type_files',`
  #
  interface(`files_delete_isid_type_symlinks',`
  	gen_require(`
@@ -10707,7 +10740,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3332,10 +3981,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +3999,10 @@ interface(`files_delete_isid_type_symlinks',`
  #
  interface(`files_delete_isid_type_fifo_files',`
  	gen_require(`
@@ -10720,7 +10753,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3351,10 +4000,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4018,10 @@ interface(`files_delete_isid_type_fifo_files',`
  #
  interface(`files_delete_isid_type_sock_files',`
  	gen_require(`
@@ -10733,7 +10766,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3370,10 +4019,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4037,10 @@ interface(`files_delete_isid_type_sock_files',`
  #
  interface(`files_delete_isid_type_blk_files',`
  	gen_require(`
@@ -10746,7 +10779,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3389,10 +4038,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4056,10 @@ interface(`files_delete_isid_type_blk_files',`
  #
  interface(`files_dontaudit_write_isid_chr_files',`
  	gen_require(`
@@ -10759,7 +10792,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3408,10 +4057,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4075,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
  #
  interface(`files_delete_isid_type_chr_files',`
  	gen_require(`
@@ -10772,7 +10805,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3427,10 +4076,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4094,10 @@ interface(`files_delete_isid_type_chr_files',`
  #
  interface(`files_manage_isid_type_files',`
  	gen_require(`
@@ -10785,7 +10818,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3446,10 +4095,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4113,10 @@ interface(`files_manage_isid_type_files',`
  #
  interface(`files_manage_isid_type_symlinks',`
  	gen_require(`
@@ -10798,7 +10831,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3465,10 +4114,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4132,29 @@ interface(`files_manage_isid_type_symlinks',`
  #
  interface(`files_rw_isid_type_blk_files',`
  	gen_require(`
@@ -10830,7 +10863,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3484,10 +4152,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4170,10 @@ interface(`files_rw_isid_type_blk_files',`
  #
  interface(`files_manage_isid_type_blk_files',`
  	gen_require(`
@@ -10843,7 +10876,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3503,10 +4171,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4189,10 @@ interface(`files_manage_isid_type_blk_files',`
  #
  interface(`files_manage_isid_type_chr_files',`
  	gen_require(`
@@ -10856,7 +10889,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -3814,20 +4482,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4500,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -10900,7 +10933,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -4217,6 +4903,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +4921,172 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -11073,7 +11106,7 @@ index f962f76..42fc031 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -4239,6 +5091,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5109,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -11100,7 +11133,7 @@ index f962f76..42fc031 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4252,17 +5124,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5142,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -11139,7 +11172,7 @@ index f962f76..42fc031 100644
  ##	</summary>
  ## </param>
  #
-@@ -4289,6 +5181,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5199,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -11147,7 +11180,7 @@ index f962f76..42fc031 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4325,6 +5218,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5236,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -11155,7 +11188,7 @@ index f962f76..42fc031 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4334,7 +5228,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5246,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11164,20 +11197,26 @@ index f962f76..42fc031 100644
  ##	</summary>
  ## </param>
  #
-@@ -4346,6 +5240,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,21 +5258,41 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Remove entries from the tmp directory.
 +##  Allow read and write to the tmp directory (/tmp).
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain not to audit.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_delete_tmp_dir_entry',`
 +interface(`files_rw_generic_tmp_dir',`
 +    gen_require(`
 +        type tmp_t;
@@ -11187,10 +11226,18 @@ index f962f76..42fc031 100644
 +    allow $1 tmp_t:dir rw_dir_perms;
 +')
 +
- ########################################
- ## <summary>
- ##	Remove entries from the tmp directory.
-@@ -4361,6 +5274,7 @@ interface(`files_delete_tmp_dir_entry',`
++########################################
++## <summary>
++##	Remove entries from the tmp directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_tmp_dir_entry',`
+ 	gen_require(`
  		type tmp_t;
  	')
  
@@ -11198,13 +11245,12 @@ index f962f76..42fc031 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
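Review bot: The `files_rw_generic_tmp_dir` interface carried as context through this hunk documents its parameter as `Domain not to audit.` while its body is `allow $1 tmp_t:dir rw_dir_perms;`, so the doc describes a dontaudit that is not there; the line should read `##	Domain allowed access.`. Its body also uses four-space indentation where the rest of files.if (including the `files_delete_tmp_dir_entry` block re-added just below it) uses tabs, and the same indentation style appears in `files_rw_pid_dirs` in the later hunk headed `@@ -11787,23 +11789,16 @@`. These lines are unchanged by this commit, so the defects predate it, but a patch refresh is the natural place to correct them.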
-@@ -4402,25 +5316,33 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5334,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
--##	Manage temporary files and directories in /tmp.
 +##	Allow shared library text relocations in tmp files.
- ## </summary>
++## </summary>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -11213,70 +11259,26 @@ index f962f76..42fc031 100644
 +##	This is added to support java policy.
 +##	</p>
 +## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_generic_tmp_files',`
-+interface(`files_execmod_tmp',`
- 	gen_require(`
--		type tmp_t;
-+		attribute tmpfile;
- 	')
- 
--	manage_files_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmpfile:file execmod;
- ')
- 
- ########################################
- ## <summary>
--##	Read symbolic links in the tmp directory (/tmp).
-+##	Manage temporary files and directories in /tmp.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4428,17 +5350,35 @@ interface(`files_manage_generic_tmp_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_read_generic_tmp_symlinks',`
-+interface(`files_manage_generic_tmp_files',`
- 	gen_require(`
- 		type tmp_t;
- 	')
- 
--	read_lnk_files_pattern($1, tmp_t, tmp_t)
-+	manage_files_pattern($1, tmp_t, tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read and write generic named sockets in the tmp directory (/tmp).
-+##	Read symbolic links in the tmp directory (/tmp).
-+## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_read_generic_tmp_symlinks',`
++interface(`files_execmod_tmp',`
 +	gen_require(`
-+		type tmp_t;
++		attribute tmpfile;
 +	')
 +
-+	read_lnk_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmpfile:file execmod;
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write generic named sockets in the tmp directory (/tmp).
+ ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -4456,6 +5396,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5414,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -11319,7 +11321,7 @@ index f962f76..42fc031 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4474,6 +5450,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5468,60 @@ interface(`files_setattr_all_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -11380,7 +11382,7 @@ index f962f76..42fc031 100644
  ##	List all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4519,7 +5549,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5567,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11389,7 +11391,7 @@ index f962f76..42fc031 100644
  ##	</summary>
  ## </param>
  #
-@@ -4579,7 +5609,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5627,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11398,7 +11400,7 @@ index f962f76..42fc031 100644
  ##	</summary>
  ## </param>
  #
-@@ -4611,6 +5641,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5659,44 @@ interface(`files_read_all_tmp_files',`
  
  ########################################
  ## <summary>
@@ -11443,7 +11445,7 @@ index f962f76..42fc031 100644
  ##	Create an object in the tmp directories, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -4664,6 +5732,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5750,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11460,7 +11462,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -5112,6 +6190,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6208,24 @@ interface(`files_create_kernel_symbol_table',`
  
  ########################################
  ## <summary>
@@ -11485,7 +11487,7 @@ index f962f76..42fc031 100644
  ##	Read system.map in the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -5241,6 +6337,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6355,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -11510,7 +11512,7 @@ index f962f76..42fc031 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5328,7 +6442,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6460,7 @@ interface(`files_dontaudit_rw_var_files',`
  		type var_t;
  	')
  
@@ -11519,7 +11521,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -5527,6 +6641,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6659,25 @@ interface(`files_rw_var_lib_dirs',`
  
  ########################################
  ## <summary>
@@ -11545,7 +11547,7 @@ index f962f76..42fc031 100644
  ##	Create objects in the /var/lib directory
  ## </summary>
  ## <param name="domain">
-@@ -5596,6 +6729,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6747,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -11571,7 +11573,7 @@ index f962f76..42fc031 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5641,7 +6793,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6811,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -11580,7 +11582,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5649,12 +6801,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6819,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -11596,7 +11598,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -5672,6 +6825,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6843,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11604,7 +11606,7 @@ index f962f76..42fc031 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5698,7 +6852,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6870,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -11632,7 +11634,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5706,13 +6879,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6897,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11649,7 +11651,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -5731,7 +6903,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6921,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -11658,7 +11660,7 @@ index f962f76..42fc031 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5764,7 +6936,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6954,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -11666,7 +11668,7 @@ index f962f76..42fc031 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5779,7 +6950,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6968,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -11675,7 +11677,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5787,13 +6958,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6976,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11710,7 +11712,7 @@ index f962f76..42fc031 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5809,13 +7000,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7018,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -11728,7 +11730,7 @@ index f962f76..42fc031 100644
  ')
  
  ########################################
-@@ -5834,9 +7024,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7042,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11739,7 +11741,7 @@ index f962f76..42fc031 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5878,8 +7066,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7084,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11749,7 +11751,7 @@ index f962f76..42fc031 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7088,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7106,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11759,7 +11761,7 @@ index f962f76..42fc031 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7125,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7143,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -11769,7 +11771,7 @@ index f962f76..42fc031 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5979,7 +7164,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7182,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -11778,7 +11780,7 @@ index f962f76..42fc031 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5999,22 +7184,60 @@ interface(`files_search_pids',`
+@@ -5999,10 +7202,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11787,23 +11789,16 @@ index f962f76..42fc031 100644
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
--########################################
 +######################################
- ## <summary>
--##	Do not audit attempts to search
--##	the /var/run directory.
++## <summary>
 +## Add and remove entries from pid directories.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain to not audit.
--##	</summary>
++## </summary>
++## <param name="domain">
 +## <summary>
 +## Domain allowed access.
 +## </summary>
- ## </param>
- #
--interface(`files_dontaudit_search_pids',`
++## </param>
++#
 +interface(`files_rw_pid_dirs',`
 +    gen_require(`
 +        type var_run_t;
@@ -11831,22 +11826,10 @@ index f962f76..42fc031 100644
 +        allow $1 var_run_t:dir create_dir_perms;
 +')
 +
-+########################################
-+## <summary>
-+##	Do not audit attempts to search
-+##	the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_search_pids',`
- 	gen_require(`
- 		type var_run_t;
- 	')
-@@ -6025,6 +7248,25 @@ interface(`files_dontaudit_search_pids',`
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to search
+@@ -6025,6 +7266,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -11872,7 +11855,7 @@ index f962f76..42fc031 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6039,7 +7281,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7299,7 @@ interface(`files_list_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11881,7 +11864,7 @@ index f962f76..42fc031 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  ')
  
-@@ -6058,7 +7300,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7318,7 @@ interface(`files_read_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11890,7 +11873,7 @@ index f962f76..42fc031 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6078,7 +7320,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7338,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
@@ -11899,7 +11882,7 @@ index f962f76..42fc031 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6140,7 +7382,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7400,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -11907,7 +11890,7 @@ index f962f76..42fc031 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6169,6 +7410,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7428,24 @@ interface(`files_pid_filetrans_lock_dir',`
  
  ########################################
  ## <summary>
@@ -11932,7 +11915,7 @@ index f962f76..42fc031 100644
  ##	Read and write generic process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6182,7 +7441,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7459,7 @@ interface(`files_rw_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11941,7 +11924,7 @@ index f962f76..42fc031 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	rw_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6249,55 +7508,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7526,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -12004,7 +11987,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6305,42 +7552,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7570,35 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -12054,7 +12037,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6348,18 +7588,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7606,18 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -12078,7 +12061,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6367,37 +7607,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7625,40 @@ interface(`files_mounton_all_poly_members',`
  ##	</summary>
  ## </param>
  #
@@ -12130,7 +12113,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6405,18 +7648,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7666,17 @@ interface(`files_dontaudit_search_spool',`
  ##	</summary>
  ## </param>
  #
@@ -12153,7 +12136,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6424,18 +7666,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7684,18 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -12177,7 +12160,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6443,19 +7685,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7703,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -12202,7 +12185,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6463,55 +7704,43 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7722,43 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -12273,7 +12256,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6519,53 +7748,68 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +7766,68 @@ interface(`files_spool_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -12380,7 +12363,7 @@ index f962f76..42fc031 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6573,10 +7817,785 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7835,785 @@ interface(`files_polyinstantiate_all',`
  ##	</summary>
  ## </param>
  #
@@ -12389,9 +12372,8 @@ index f962f76..42fc031 100644
  	gen_require(`
 -		attribute files_unconfined_type;
 +		attribute spoolfile;
- 	')
- 
--	typeattribute $1 files_unconfined_type;
++	')
++
 +	allow $1 spoolfile:sock_file create_sock_file_perms;
 +')
 +
@@ -12654,10 +12636,10 @@ index f962f76..42fc031 100644
 +interface(`files_unconfined',`
 +	gen_require(`
 +		attribute files_unconfined_type;
-+	')
-+
-+	typeattribute $1 files_unconfined_type;
-+')
+ 	')
+ 
+ 	typeattribute $1 files_unconfined_type;
+ ')
 +
 +########################################
 +## <summary>
@@ -13168,7 +13150,7 @@ index f962f76..42fc031 100644
 +	')
 +
 +	allow $1 etc_t:service status;
- ')
++')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 1a03abd..dfcd2ad 100644
 --- a/policy/modules/kernel/files.te
@@ -17420,23 +17402,24 @@ index 156c333..02f5a3c 100644
 +	dev_manage_generic_blk_files(fixed_disk_raw_write)
 +')
 diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 0ea25b6..e2ac77c 100644
+index 0ea25b6..01b968e 100644
 --- a/policy/modules/kernel/terminal.fc
 +++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,11 @@
+@@ -14,11 +14,12 @@
  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
 -/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
  /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
++/dev/sclp_line[0-9]+    -c  gen_context(system_u:object_r:tty_device_t,s0)
  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
  /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 +/dev/ttyUSB[0-9]+	-c	gen_context(system_u:object_r:usbtty_device_t,s0)
  /dev/vport[0-9]p[0-9]+	-c	gen_context(system_u:object_r:virtio_device_t,s0)
  /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  
-@@ -42,3 +42,7 @@ ifdef(`distro_gentoo',`
+@@ -42,3 +43,7 @@ ifdef(`distro_gentoo',`
  # used by init scripts to initally populate udev /dev
  /lib/udev/devices/console -c	gen_context(system_u:object_r:console_device_t,s0)
  ')
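Review bot: The new `/dev/sclp_line[0-9]+` entry separates its three columns with runs of spaces while every neighbouring terminal.fc entry uses tabs, and the same space-for-tab drift appears in the added ipset lines of iptables.fc, in the `allow $1 insmod_t:process signal;` line of modutils_signal_insmod, in the `files_etc_filetrans` line of systemd_hostnamed_manage_config, and in the apache.fc thttpd lines. The entry is also placed after `/dev/slamr[0-9]+` although the surrounding list is kept in alphabetical order, so it belongs one line earlier, between `/dev/rfcomm` and `/dev/slamr`. Suggested line, tab-separated: `/dev/sclp_line[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)`.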
@@ -17445,7 +17428,7 @@ index 0ea25b6..e2ac77c 100644
 +
 +/usr/lib/udev/devices/pts -d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index cbb729b..a6adfc1 100644
+index cbb729b..ef15aac 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -17672,7 +17655,33 @@ index cbb729b..a6adfc1 100644
  ##	</summary>
  ## </param>
  #
-@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1165,6 +1282,25 @@ interface(`term_relabel_unallocated_ttys',`
+ 
+ ########################################
+ ## <summary>
++##	Mounton unallocated tty device nodes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`term_mounton_unallocated_ttys',`
++	gen_require(`
++		type tty_device_t;
++	')
++
++	allow $1 tty_device_t:chr_file mounton;
++')
++
++########################################
++## <summary>
+ ##	Relabel from all user tty types to
+ ##	the unallocated tty type.
+ ## </summary>
+@@ -1259,7 +1395,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  		type tty_device_t;
  	')
  
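Review bot: `term_mounton_unallocated_ttys` is tagged `<rolecap/>`, yet the commit message introduces it so the docker daemon can mount on tty_device_t, and this same commit removes the `<rolecap/>` tag from `hostname_exec` in hostname.if; the new `systemd_hostnamed_manage_config` interface in systemd.if carries the same tag for a NetworkManager use case. If the tag is meant to mark interfaces suitable for user roles, neither daemon-oriented interface should carry it and the `## <rolecap/>` line should be dropped from both. The rule itself grants mounton over every chr_file labelled tty_device_t rather than a single node, which is wider than the commit message implies is needed, so a why-comment above the allow, e.g. `# the docker daemon mounts on tty device nodes`, would record the intent; that reason is taken from the commit message, not from the hunk.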
@@ -17721,7 +17730,7 @@ index cbb729b..a6adfc1 100644
  ')
  
  ########################################
-@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1451,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  #
  interface(`term_getattr_all_ttys',`
  	gen_require(`
@@ -17735,7 +17744,7 @@ index cbb729b..a6adfc1 100644
  ')
  
  ########################################
-@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1474,12 @@ interface(`term_getattr_all_ttys',`
  interface(`term_dontaudit_getattr_all_ttys',`
  	gen_require(`
  		attribute ttynode;
@@ -17748,7 +17757,7 @@ index cbb729b..a6adfc1 100644
  ')
  
  ########################################
-@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1557,27 @@ interface(`term_use_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -17777,7 +17786,7 @@ index cbb729b..a6adfc1 100644
  ')
  
  ########################################
-@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1596,7 @@ interface(`term_dontaudit_use_all_ttys',`
  		attribute ttynode;
  	')
  
@@ -17786,7 +17795,7 @@ index cbb729b..a6adfc1 100644
  ')
  
  ########################################
-@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1704,7 @@ interface(`term_use_all_user_ttys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17795,7 +17804,7 @@ index cbb729b..a6adfc1 100644
  ##	</summary>
  ## </param>
  #
-@@ -1513,21 +1694,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1513,21 +1713,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	term_dontaudit_use_all_ttys($1)
  ')
  
@@ -26871,7 +26880,7 @@ index 3efd5b6..08c3e93 100644
 +	allow $1 login_pgm:process sigchld;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..4f331be 100644
+index 09b791d..8e6648e 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -27183,7 +27192,7 @@ index 09b791d..4f331be 100644
  ')
  
  optional_policy(`
-@@ -463,3 +508,134 @@ optional_policy(`
+@@ -463,3 +508,135 @@ optional_policy(`
  	samba_read_var_files(nsswitch_domain)
  	samba_dontaudit_write_var_files(nsswitch_domain)
  ')
@@ -27199,6 +27208,7 @@ index 09b791d..4f331be 100644
 +
 +allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
 +allow login_pgm self:capability ipc_lock;
++dontaudit login_pgm self:capability net_admin;
 +allow login_pgm self:process setkeycreate;
 +allow login_pgm self:key manage_key_perms;
 +userdom_manage_all_users_keys(login_pgm)
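Review bot: The added `dontaudit login_pgm self:capability net_admin;` silences every net_admin denial for all login_pgm domains, not only the journald-related ones the commit message cites, so a genuine attempt by a login program to use that capability would no longer appear in the audit log. If hiding only the journald-induced noise is the intent, the trigger should at least be recorded next to the rule, e.g. `# talking to journald triggers a net_admin check; silence it rather than grant it`; the journald link is inferred from the commit message, not visible in the hunk. The inner patch hunk these rules belong to starts before this hunk.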
@@ -27801,6 +27811,18 @@ index 9dfecf7..6d00f5c 100644
  /bin/hostname		--	gen_context(system_u:object_r:hostname_exec_t,s0)
 +
 +/usr/bin/hostname	--	gen_context(system_u:object_r:hostname_exec_t,s0)
+diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
+index 187f04f..cf0af09 100644
+--- a/policy/modules/system/hostname.if
++++ b/policy/modules/system/hostname.if
+@@ -53,7 +53,6 @@ interface(`hostname_run',`
+ ##	Domain allowed access.
+ ## 	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`hostname_exec',`
+ 	gen_require(`
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
 index 24a7889..d97f6d5 100644
 --- a/policy/modules/system/hostname.te
@@ -28004,7 +28026,7 @@ index bc0ffc8..8de430d 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..35df3cb 100644
+index 79a45f6..b822c29 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -28387,7 +28409,7 @@ index 79a45f6..35df3cb 100644
 +        type init_t;
 +    ')
 +
-+    dontaudit $1 init_t:unix_stream_socket { getattr read write };
++    dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl };
  ')
  
  ########################################
@@ -29438,7 +29460,7 @@ index 79a45f6..35df3cb 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..758e084 100644
+index 17eda24..e8e4114 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -29620,11 +29642,12 @@ index 17eda24..758e084 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,14 +220,21 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +220,22 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
 +domain_read_all_domains_state(init_t)
++domain_getattr_all_domains(init_t)
  
  files_read_etc_files(init_t)
 +files_read_all_pids(init_t)
@@ -29642,7 +29665,7 @@ index 17eda24..758e084 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +244,52 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +245,52 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -29698,7 +29721,7 @@ index 17eda24..758e084 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +298,229 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +299,229 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -29936,7 +29959,7 @@ index 17eda24..758e084 100644
  ')
  
  optional_policy(`
-@@ -216,7 +528,31 @@ optional_policy(`
+@@ -216,7 +529,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29968,7 +29991,7 @@ index 17eda24..758e084 100644
  ')
  
  ########################################
-@@ -225,9 +561,9 @@ optional_policy(`
+@@ -225,9 +562,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29980,7 +30003,7 @@ index 17eda24..758e084 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +594,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +595,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29997,7 +30020,7 @@ index 17eda24..758e084 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +619,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +620,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -30040,7 +30063,7 @@ index 17eda24..758e084 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +656,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +657,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -30052,7 +30075,7 @@ index 17eda24..758e084 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +668,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +669,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -30063,7 +30086,7 @@ index 17eda24..758e084 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +679,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +680,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -30073,7 +30096,7 @@ index 17eda24..758e084 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +688,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +689,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -30081,7 +30104,7 @@ index 17eda24..758e084 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +695,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +696,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -30089,7 +30112,7 @@ index 17eda24..758e084 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +703,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +704,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -30107,7 +30130,7 @@ index 17eda24..758e084 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +721,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +722,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -30121,7 +30144,7 @@ index 17eda24..758e084 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +736,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +737,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -30135,7 +30158,7 @@ index 17eda24..758e084 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +749,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +750,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -30146,7 +30169,7 @@ index 17eda24..758e084 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +762,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +763,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -30154,7 +30177,7 @@ index 17eda24..758e084 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +781,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +782,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -30178,7 +30201,7 @@ index 17eda24..758e084 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +814,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +815,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -30186,7 +30209,7 @@ index 17eda24..758e084 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +848,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +849,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -30197,7 +30220,7 @@ index 17eda24..758e084 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +872,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +873,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -30206,7 +30229,7 @@ index 17eda24..758e084 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +887,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +888,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -30214,7 +30237,7 @@ index 17eda24..758e084 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +908,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +909,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -30222,7 +30245,7 @@ index 17eda24..758e084 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +918,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +919,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -30267,7 +30290,7 @@ index 17eda24..758e084 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +963,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +964,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -30299,7 +30322,7 @@ index 17eda24..758e084 100644
  	')
  ')
  
-@@ -577,6 +998,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +999,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -30339,7 +30362,7 @@ index 17eda24..758e084 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1043,8 @@ optional_policy(`
+@@ -589,6 +1044,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -30348,7 +30371,7 @@ index 17eda24..758e084 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1066,7 @@ optional_policy(`
+@@ -610,6 +1067,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -30356,7 +30379,7 @@ index 17eda24..758e084 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1083,17 @@ optional_policy(`
+@@ -626,6 +1084,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30374,7 +30397,7 @@ index 17eda24..758e084 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1110,13 @@ optional_policy(`
+@@ -642,9 +1111,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -30388,7 +30411,7 @@ index 17eda24..758e084 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1129,11 @@ optional_policy(`
+@@ -657,15 +1130,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30406,7 +30429,7 @@ index 17eda24..758e084 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1154,15 @@ optional_policy(`
+@@ -686,6 +1155,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30422,7 +30445,7 @@ index 17eda24..758e084 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1203,7 @@ optional_policy(`
+@@ -726,6 +1204,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -30430,7 +30453,7 @@ index 17eda24..758e084 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1221,13 @@ optional_policy(`
+@@ -743,7 +1222,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30445,7 +30468,7 @@ index 17eda24..758e084 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1250,10 @@ optional_policy(`
+@@ -766,6 +1251,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30456,7 +30479,7 @@ index 17eda24..758e084 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1263,20 @@ optional_policy(`
+@@ -775,10 +1264,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30477,7 +30500,7 @@ index 17eda24..758e084 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1285,10 @@ optional_policy(`
+@@ -787,6 +1286,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30488,7 +30511,7 @@ index 17eda24..758e084 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1310,6 @@ optional_policy(`
+@@ -808,8 +1311,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30497,7 +30520,7 @@ index 17eda24..758e084 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1318,10 @@ optional_policy(`
+@@ -818,6 +1319,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30508,7 +30531,7 @@ index 17eda24..758e084 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1331,12 @@ optional_policy(`
+@@ -827,10 +1332,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -30521,7 +30544,7 @@ index 17eda24..758e084 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1363,60 @@ optional_policy(`
+@@ -857,21 +1364,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30583,7 +30606,7 @@ index 17eda24..758e084 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1432,10 @@ optional_policy(`
+@@ -887,6 +1433,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30594,7 +30617,7 @@ index 17eda24..758e084 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1446,218 @@ optional_policy(`
+@@ -897,3 +1447,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -31346,10 +31369,10 @@ index 312cd04..a97e8da 100644
 +userdom_use_inherited_user_terminals(setkey_t)
 +userdom_read_user_tmp_files(setkey_t)
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 73a1c4e..e0d3d07 100644
+index 73a1c4e..738e9ff 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
-@@ -1,22 +1,28 @@
+@@ -1,22 +1,33 @@
  /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/ebtables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -31359,6 +31382,9 @@ index 73a1c4e..e0d3d07 100644
 -/sbin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/lib/systemd/system/iptables.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
 +/usr/lib/systemd/system/ip6tables.* 	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/ipset.*         --  gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
++/usr/libexec/ipset          --  gen_context(system_u:object_r:iptables_exec_t,s0)
 +
 +/sbin/ebtables			    --	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ebtables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
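Review bot: `/usr/libexec/ipset` is given a `--` (regular file) entry, but in Fedora's ipset packaging that path appears to be a directory holding the start/stop helper script, in which case the entry matches nothing and the helper stays unlabelled; if that is the layout on the target, a `/usr/libexec/ipset(/.*)?` pattern or an explicit entry for the script file is needed — please confirm against the package file list. Labelling the ipset binaries as iptables_exec_t and the unit as iptables_unit_file_t presumably makes ipset run in the iptables domain, which matches the "Add support for ipset" line in the commit message but deserves a one-line comment above the entries saying so, e.g. `# ipset is handled by the iptables domain`.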
@@ -31371,6 +31397,7 @@ index 73a1c4e..e0d3d07 100644
 +/sbin/ip6?tables.*		    --	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ip6?tables-restore.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ip6?tables-multi.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipset                 --  gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ipvsadm			    --	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 -/sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -31390,6 +31417,7 @@ index 73a1c4e..e0d3d07 100644
 +/usr/sbin/ip6?tables.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ip6?tables-restore.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ip6?tables-multi.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipset             --  gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ipvsadm		    --	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ipvsadm-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -34330,7 +34358,7 @@ index 9933677..ca14c17 100644
 +
 +/var/run/tmpfiles.d/kmod.conf --	gen_context(system_u:object_r:insmod_var_run_t,s0)
 diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974..28cb8a3 100644
+index 7449974..23bbbf2 100644
 --- a/policy/modules/system/modutils.if
 +++ b/policy/modules/system/modutils.if
 @@ -12,7 +12,7 @@
@@ -34387,7 +34415,32 @@ index 7449974..28cb8a3 100644
  ##	Read the configuration options used when
  ##	loading modules.
  ## </summary>
-@@ -208,6 +246,24 @@ interface(`modutils_exec_insmod',`
+@@ -163,6 +201,24 @@ interface(`modutils_domtrans_insmod',`
+ 
+ ########################################
+ ## <summary>
++##	Allow send signal to insmod.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`modutils_signal_insmod',`
++	gen_require(`
++		type insmod_t;
++	')
++
++    allow $1 insmod_t:process signal;
++')
++
++########################################
++## <summary>
+ ##	Execute insmod in the insmod domain, and
+ ##	allow the specified role the insmod domain,
+ ##	and use the caller's terminal.  Has a sigchld
+@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',`
  	can_exec($1, insmod_exec_t)
  ')
  
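Review bot: The `<param>` description of `modutils_signal_insmod` reads `Domain allowed to transition.`, which is copied from the domtrans interface above it; this interface grants only `process signal`, so it should read `##	Domain allowed access.`. The summary `Allow send signal to insmod.` would read better as `##	Send a signal to insmod.`, matching the imperative style of the other summaries in the file, and the `allow` line is indented with four spaces where the rest of the interface uses tabs.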
@@ -34412,7 +34465,7 @@ index 7449974..28cb8a3 100644
  ########################################
  ## <summary>
  ##	Execute depmod in the depmod domain.
-@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',`
+@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',`
  #
  interface(`modutils_run_update_mods',`
  	gen_require(`
@@ -34433,7 +34486,7 @@ index 7449974..28cb8a3 100644
  ')
  
  ########################################
-@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +414,25 @@ interface(`modutils_exec_update_mods',`
  	corecmd_search_bin($1)
  	can_exec($1, update_modules_exec_t)
  ')
@@ -37977,10 +38030,10 @@ index 0000000..e9f1096
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..1d9bdfd
+index 0000000..8bca1d7
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1419 @@
+@@ -0,0 +1,1440 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -38927,6 +38980,27 @@ index 0000000..1d9bdfd
 +	allow $1 hostname_etc_t:file read_file_perms;
 +')
 +
++########################################
++## <summary>
++##	Allow process to manage hostname config file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`systemd_hostnamed_manage_config',`
++	gen_require(`
++		type hostname_etc_t;
++	')
++
++	files_search_etc($1)
++	allow $1 hostname_etc_t:file manage_file_perms;
++    files_etc_filetrans($1, hostname_etc_t, file, "hostname")
++')
++
 +#######################################
 +## <summary>
 +##  Create objects in /run/systemd/generator directory
@@ -39402,7 +39476,7 @@ index 0000000..1d9bdfd
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..e4b127c
+index 0000000..4b0bb47
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
 @@ -0,0 +1,636 @@
@@ -39570,7 +39644,6 @@ index 0000000..e4b127c
 +init_dbus_chat(systemd_logind_t)
 +init_dbus_chat_script(systemd_logind_t)
 +init_read_script_state(systemd_logind_t)
-+init_read_state(systemd_logind_t)
 +init_rw_stream_sockets(systemd_logind_t)
 +
 +logging_send_syslog_msg(systemd_logind_t)
@@ -39897,7 +39970,6 @@ index 0000000..e4b127c
 +dev_read_sysfs(systemd_hostnamed_t)
 +
 +init_status(systemd_hostnamed_t)
-+init_read_state(systemd_hostnamed_t)
 +init_stream_connect(systemd_hostnamed_t)
 +
 +logging_send_syslog_msg(systemd_hostnamed_t)
@@ -40030,6 +40102,7 @@ index 0000000..e4b127c
 +init_stop_transient_unit(systemd_domain)
 +init_status_transient_unit(systemd_domain)
 +init_reload_transient_unit(systemd_domain)
++init_read_state(systemd_domain)
 +
 +logging_stream_connect_syslog(systemd_domain)
 +
@@ -40042,6 +40115,7 @@ index 0000000..e4b127c
 +
 +read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
 +read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
++
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index f41857e..49fd32e 100644
 --- a/policy/modules/system/udev.fc
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index a6f1306..20293f5 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2992,10 +2992,10 @@ index 0000000..8ba9c95
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..536a4bd 100644
+index 7caefc3..516f7bb 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,197 @@
+@@ -1,162 +1,200 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3040,6 +3040,7 @@ index 7caefc3..536a4bd 100644
 -/etc/vhosts	--	gen_context(system_u:object_r:httpd_config_t,s0)
 -/etc/WebCalendar(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 -/etc/zabbix/web(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/thttpd\.conf       -- gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/WebCalendar(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -3112,6 +3113,7 @@ index 7caefc3..536a4bd 100644
 +/usr/sbin/php-fpm       --  gen_context(system_u:object_r:httpd_exec_t,s0)
 +/usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
 +/usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/sbin/thttpd        -- gen_context(system_u:object_r:httpd_exec_t,s0)
 +
 +ifdef(`distro_suse', `
 +/usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
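Review bot: Labelling `/usr/sbin/thttpd` as `httpd_exec_t` runs thttpd in `httpd_t`, so every `httpd_*` boolean and the whole Apache content-type scheme now applies to it; that is presumably intended, but it is not obvious from the fc entry. A short comment above the line, `# thttpd is confined in httpd_t and shares all httpd booleans`, would make the choice explicit for whoever later tunes those booleans. The same applies to the thttpd config, log and pid entries in the neighbouring hunks, which likewise reuse the Apache types.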
@@ -3249,6 +3251,7 @@ index 7caefc3..536a4bd 100644
  /var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
 -/var/log/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/log/thttpd\.log.*  -- gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/php_errors\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/z-push(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +ifdef(`distro_debian', `
@@ -3282,6 +3285,7 @@ index 7caefc3..536a4bd 100644
 +/var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/nginx.*            gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/thttpd\.pid    -- gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/user/apache(/.*)?		gen_context(system_u:object_r:httpd_tmp_t,s0)
 +
@@ -3331,7 +3335,6 @@ index 7caefc3..536a4bd 100644
 +/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
-+
 diff --git a/apache.if b/apache.if
 index f6eb485..51b128e 100644
 --- a/apache.if
@@ -10107,10 +10110,10 @@ index 0000000..de66654
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..fe923e3
+index 0000000..1076e6a
 --- /dev/null
 +++ b/bumblebee.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,60 @@
 +policy_module(bumblebee, 1.0.0)
 +
 +########################################
@@ -10158,6 +10161,7 @@ index 0000000..fe923e3
 +logging_send_syslog_msg(bumblebee_t)
 +
 +modutils_domtrans_insmod(bumblebee_t)
++modutils_signal_insmod(bumblebee_t)
 +
 +sysnet_dns_name_resolve(bumblebee_t)
 +
@@ -16522,7 +16526,7 @@ index 1303b30..72481a7 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
  ')
 diff --git a/cron.te b/cron.te
-index 7de3859..ce147f1 100644
+index 7de3859..4e6ebcd 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -11,46 +11,46 @@ gen_require(`
@@ -16722,7 +16726,7 @@ index 7de3859..ce147f1 100644
  selinux_get_fs_mount(admin_crontab_t)
  selinux_validate_context(admin_crontab_t)
  selinux_compute_access_vector(admin_crontab_t)
-@@ -204,12 +148,14 @@ selinux_compute_relabel_context(admin_crontab_t)
+@@ -204,22 +148,26 @@ selinux_compute_relabel_context(admin_crontab_t)
  selinux_compute_user_contexts(admin_crontab_t)
  
  tunable_policy(`fcron_crond',`
@@ -16738,7 +16742,9 @@ index 7de3859..ce147f1 100644
  #
  
  allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-@@ -218,8 +164,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec
+-dontaudit crond_t self:capability { sys_resource sys_tty_config };
++dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
+ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
  allow crond_t self:process { setexec setfscreate };
  allow crond_t self:fd use;
  allow crond_t self:fifo_file rw_fifo_file_perms;
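Review bot: The reason for silencing `net_admin` on `crond_t` lives only in the commit message, so the next person to see the dontaudit has no way to tell whether it is still needed or is masking a real capability use. A why-comment above the changed line, `# net_admin denials are triggered by journald while crond logs; harmless, silence them`, keeps that context with the rule. Since dontaudit hides the denial rather than granting anything, no further check is needed, but the comment should say so.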
@@ -23445,10 +23451,10 @@ index 0000000..89401fe
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..a1e6966
+index 0000000..75d51ed
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,239 @@
+@@ -0,0 +1,240 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -23657,6 +23663,7 @@ index 0000000..a1e6966
 +term_use_ptmx(docker_t)
 +term_getattr_pty_fs(docker_t)
 +term_relabel_pty_fs(docker_t)
++term_mounton_unallocated_ttys(docker_t)
 +
 +modutils_domtrans_insmod(docker_t)
 +
@@ -39632,10 +39639,24 @@ index d314333..da30c5d 100644
 +	')
  ')
 diff --git a/lsm.te b/lsm.te
-index 4ec0eea..5bf5627 100644
+index 4ec0eea..0f702df 100644
 --- a/lsm.te
 +++ b/lsm.te
-@@ -12,6 +12,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
+@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
+ #
+ # Declarations
+ #
++## <desc>
++##	<p>
++##	Determine whether lsmd_plugin can
++##	connect to all TCP ports.
++##	</p>
++## </desc>
++gen_tunable(lsmd_plugin_connect_any, false)
+ 
+ type lsmd_t;
+ type lsmd_exec_t;
+@@ -12,6 +19,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
  type lsmd_var_run_t;
  files_pid_file(lsmd_var_run_t)
  
@@ -39653,7 +39674,7 @@ index 4ec0eea..5bf5627 100644
  ########################################
  #
  # Local policy
-@@ -26,4 +37,36 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,47 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
  manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
  files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
  
@@ -39667,6 +39688,7 @@ index 4ec0eea..5bf5627 100644
 +#
 +
 +allow lsmd_plugin_t self:udp_socket create_socket_perms;
++allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
 +
 +domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
 +allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
@@ -39678,12 +39700,22 @@ index 4ec0eea..5bf5627 100644
 +manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
 +files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
 +
++tunable_policy(`lsmd_plugin_connect_any',`
++	corenet_tcp_connect_all_ports(lsmd_plugin_t)
++	corenet_sendrecv_all_packets(lsmd_plugin_t)
++	corenet_tcp_sendrecv_all_ports(lsmd_plugin_t)
++')
++
 +kernel_read_system_state(lsmd_plugin_t)
 +
 +dev_read_urand(lsmd_plugin_t)
 +
 +corecmd_exec_bin(lsmd_plugin_t)
 +
++corenet_tcp_connect_http_port(lsmd_plugin_t)
++corenet_tcp_connect_http_cache_port(lsmd_plugin_t)
++corenet_tcp_connect_ssh_port(lsmd_plugin_t)
++
 +init_stream_connect(lsmd_plugin_t)
 +init_dontaudit_rw_stream_socket(lsmd_plugin_t)
 +
@@ -44133,7 +44165,7 @@ index 6194b80..03c6414 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..ea784b3 100644
+index 11ac8e4..dfd8d3a 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@@ -44571,7 +44603,7 @@ index 11ac8e4..ea784b3 100644
  ')
  
  optional_policy(`
-@@ -300,259 +324,241 @@ optional_policy(`
+@@ -300,259 +324,243 @@ optional_policy(`
  
  ########################################
  #
@@ -44585,7 +44617,7 @@ index 11ac8e4..ea784b3 100644
 +dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
 +dontaudit mozilla_plugin_t self:capability2 block_suspend;
 +
-+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
++allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mozilla_plugin_t self:netlink_socket create_socket_perms;
 +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
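Review bot: `setcap` is added to `mozilla_plugin_t self:process` alongside `getsession`, but only `getsession` is mentioned in the changelog, and `setcap` lets the plugin domain change its own capability set, which is a larger grant than the session lookup. Either drop `setcap` if it was not deliberate or record why it is needed, e.g. `# setcap: plugin sandbox drops its own capabilities on startup` (assumption, to be confirmed). The two `kernel_dontaudit_list_all_*` lines in the next hunk are likewise absent from the changelog.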
@@ -44670,6 +44702,8 @@ index 11ac8e4..ea784b3 100644
  kernel_request_load_module(mozilla_plugin_t)
  kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
 +files_dontaudit_read_root_files(mozilla_plugin_t)
++kernel_dontaudit_list_all_proc(mozilla_plugin_t)
++kernel_dontaudit_list_all_sysctls(mozilla_plugin_t)
  
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
@@ -44962,7 +44996,7 @@ index 11ac8e4..ea784b3 100644
  ')
  
  optional_policy(`
-@@ -560,7 +566,11 @@ optional_policy(`
+@@ -560,7 +568,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44975,7 +45009,7 @@ index 11ac8e4..ea784b3 100644
  ')
  
  optional_policy(`
-@@ -568,108 +578,131 @@ optional_policy(`
+@@ -568,108 +580,131 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48293,7 +48327,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe..d053405 100644
+index 7584bbe..ae0d53a 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
@@ -48453,7 +48487,7 @@ index 7584bbe..d053405 100644
  	seutil_sigchld_newrole(mysqld_t)
  ')
  
-@@ -155,21 +160,17 @@ optional_policy(`
+@@ -155,21 +160,18 @@ optional_policy(`
  
  #######################################
  #
@@ -48463,6 +48497,7 @@ index 7584bbe..d053405 100644
  
 -allow mysqld_safe_t self:capability { chown dac_override fowner kill };
 +allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource };
++dontaudit mysqld_safe_t self:capability sys_ptrace;
  allow mysqld_safe_t self:process { setsched getsched setrlimit };
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
@@ -48479,7 +48514,7 @@ index 7584bbe..d053405 100644
  
  list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-@@ -177,9 +178,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +179,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  
  manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -48490,7 +48525,7 @@ index 7584bbe..d053405 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +186,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +187,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
  corecmd_exec_bin(mysqld_safe_t)
  corecmd_exec_shell(mysqld_safe_t)
  
@@ -48526,7 +48561,7 @@ index 7584bbe..d053405 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -209,7 +216,7 @@ optional_policy(`
+@@ -209,7 +217,7 @@ optional_policy(`
  
  ########################################
  #
@@ -48535,7 +48570,7 @@ index 7584bbe..d053405 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +225,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +226,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -48553,7 +48588,7 @@ index 7584bbe..d053405 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -230,31 +238,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +239,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -50258,7 +50293,7 @@ index 86dc29d..993ecf5 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..8562dec 100644
+index 55f2009..5e67bb6 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -50624,7 +50659,7 @@ index 55f2009..8562dec 100644
 +	systemd_write_inhibit_pipes(NetworkManager_t)
 +	systemd_read_logind_sessions_files(NetworkManager_t)
 +	systemd_dbus_chat_logind(NetworkManager_t)
-+	systemd_hostnamed_read_config(NetworkManager_t)
++    systemd_hostnamed_manage_config(NetworkManager_t)
 +')
 +
 +optional_policy(`
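Review bot: The replacement line `systemd_hostnamed_manage_config(NetworkManager_t)` is indented with four spaces while the surrounding lines in the same `optional_policy` block use a tab, so the block now mixes both; `	systemd_hostnamed_manage_config(NetworkManager_t)` matches its neighbours. Going from read to manage also means NetworkManager can now create, overwrite and remove `/etc/hostname`, which is a real widening over the previous read-only access; a comment such as `# NM writes /etc/hostname when it applies a DHCP-supplied hostname` would document the intent (the trigger is inferred, confirm against NM's behaviour).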
@@ -80070,7 +80105,7 @@ index ef3b225..d248cd3 100644
  	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rpm.te b/rpm.te
-index 6fc360e..4e28c91 100644
+index 6fc360e..44f9739 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -80474,7 +80509,7 @@ index 6fc360e..4e28c91 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,41 +385,67 @@ ifdef(`distro_redhat',`
+@@ -363,41 +385,68 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -80512,6 +80547,7 @@ index 6fc360e..4e28c91 100644
 -	')
 +    optional_policy(`
 +        systemd_dbus_chat_logind(rpm_script_t)
++        systemd_dbus_chat_timedated(rpm_script_t)
 +    ')
 +')
 +
@@ -80553,7 +80589,7 @@ index 6fc360e..4e28c91 100644
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +457,6 @@ optional_policy(`
+@@ -409,6 +458,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83828,10 +83864,10 @@ index 0000000..b7db254
 +# Empty
 diff --git a/sandbox.if b/sandbox.if
 new file mode 100644
-index 0000000..8a6ad19
+index 0000000..89bc443
 --- /dev/null
 +++ b/sandbox.if
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,57 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -83862,6 +83898,7 @@ index 0000000..8a6ad19
 +	allow sandbox_domain $1:process { sigchld signull };
 +	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
 +	dontaudit sandbox_domain $1:process signal;
++	dontaudit sandbox_domain $1:key { link read search view };
 +	dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
 +')
 +
@@ -83966,10 +84003,10 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..e30b346
+index 0000000..3258f45
 --- /dev/null
 +++ b/sandboxX.if
-@@ -0,0 +1,393 @@
+@@ -0,0 +1,394 @@
 +
 +## <summary>policy for sandboxX </summary>
 +
@@ -84011,6 +84048,7 @@ index 0000000..e30b346
 +	dontaudit sandbox_xserver_t $1:file read;
 +	allow sandbox_x_domain sandbox_x_domain:process signal;
 +	# Dontaudit leaked file descriptors
++	dontaudit sandbox_x_domain $1:key { link read search view };
 +	dontaudit sandbox_x_domain $1:fifo_file { read write };
 +	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
@@ -88492,13 +88530,14 @@ index cbfe369..6594af3 100644
  	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 0000000..1cb1360
+index 0000000..ab5d7e7
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,6 @@
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
 +
 +/etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
++/etc/sysconfig/snapper  --  gen_context(system_u:object_r:snapperd_conf_t,s0)
 +
 +/var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
 diff --git a/snapper.if b/snapper.if
@@ -88551,10 +88590,10 @@ index 0000000..94105ee
 +')
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..a299f53
+index 0000000..01ade60
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,70 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
@@ -88599,6 +88638,10 @@ index 0000000..a299f53
 +corecmd_exec_shell(snapperd_t)
 +corecmd_exec_bin(snapperd_t)
 +
++files_write_all_dirs(snapperd_t)
++files_setattr_all_mountpoints(snapperd_t)
++files_relabelto_all_mountpoints(snapperd_t)
++files_relabelfrom_isid_type(snapperd_t)
 +files_read_all_files(snapperd_t)
 +files_list_all(snapperd_t)
 +
@@ -88948,7 +88991,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index f2f507d..3d93f55 100644
+index f2f507d..0d4a35c 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -89016,16 +89059,17 @@ index f2f507d..3d93f55 100644
  
  corecmd_exec_all_executables(sosreport_t)
  
-@@ -69,6 +89,8 @@ dev_read_urand(sosreport_t)
+@@ -69,6 +89,9 @@ dev_read_urand(sosreport_t)
  dev_read_raw_memory(sosreport_t)
  dev_read_sysfs(sosreport_t)
  dev_rw_generic_usb_dev(sosreport_t)
++dev_rw_lvm_control(sosreport_t)
 +dev_getattr_all_chr_files(sosreport_t)
 +dev_getattr_all_blk_files(sosreport_t)
  
  domain_getattr_all_domains(sosreport_t)
  domain_read_all_domains_state(sosreport_t)
-@@ -83,7 +105,6 @@ files_list_all(sosreport_t)
+@@ -83,7 +106,6 @@ files_list_all(sosreport_t)
  files_read_config_files(sosreport_t)
  files_read_generic_tmp_files(sosreport_t)
  files_read_non_auth_files(sosreport_t)
@@ -89033,7 +89077,7 @@ index f2f507d..3d93f55 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -92,25 +113,35 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -92,25 +114,35 @@ files_manage_etc_runtime_files(sosreport_t)
  files_etc_filetrans_etc_runtime(sosreport_t, file)
  
  fs_getattr_all_fs(sosreport_t)
@@ -89072,10 +89116,14 @@ index f2f507d..3d93f55 100644
  
  optional_policy(`
  	abrt_manage_pid_files(sosreport_t)
-@@ -119,6 +150,10 @@ optional_policy(`
+@@ -119,6 +151,14 @@ optional_policy(`
  ')
  
  optional_policy(`
++    bootloader_exec(sosreport_t)
++')
++
++optional_policy(`
 +	brctl_domtrans(sosreport_t)
 +')
 +
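Review bot: The new `bootloader_exec(sosreport_t)` block is indented with four spaces while the adjacent `brctl_domtrans(sosreport_t)` block uses a tab, so two consecutive `optional_policy` blocks in the same file are indented differently; `	bootloader_exec(sosreport_t)` keeps the file uniform. The `lvm_read_config(sosreport_t)` line added in the following hunk has the same four-space indent and should be fixed together with this one.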
@@ -89083,10 +89131,11 @@ index f2f507d..3d93f55 100644
  	cups_stream_connect(sosreport_t)
  ')
  
-@@ -127,6 +162,15 @@ optional_policy(`
+@@ -127,6 +167,16 @@ optional_policy(`
  ')
  
  optional_policy(`
++    lvm_read_config(sosreport_t)
 +    lvm_dontaudit_access_check_lock(sosreport_t)
 +')
 +
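Review bot: The interface called here is `lvm_read_config(sosreport_t)`, but the changelog for this release says "Add lvm_read_metadata()", and no `lvm_read_metadata` call appears in the visible sosreport hunks. Either the changelog entry refers to an interface added elsewhere in the contrib patch and not used here, or the wrong interface name was typed; confirm that `lvm_read_config` exists in lvm.if, since a missing interface would only surface at policy build time. If both interfaces exist, a comment on which LVM files sosreport actually needs would settle it.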
@@ -89099,7 +89148,7 @@ index f2f507d..3d93f55 100644
  	fstools_domtrans(sosreport_t)
  ')
  
-@@ -136,6 +180,10 @@ optional_policy(`
+@@ -136,6 +186,10 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(sosreport_t)
  	')
@@ -89110,7 +89159,7 @@ index f2f507d..3d93f55 100644
  ')
  
  optional_policy(`
-@@ -147,13 +195,34 @@ optional_policy(`
+@@ -147,13 +201,34 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ed4d120..de84a11 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -580,6 +580,35 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Feb 27 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-28
+- Allow bumblebeed to send signal to insmod
+- Dontaudit attempts by crond_t net_admin caused by journald
+- Allow the docker daemon to mounton tty_device_t
+- Add addtional snapper fixes to allo relabel file_t
+- Allow setattr for all mountpoints
+- Allow snapperd to write all dirs
+- Add support for /etc/sysconfig/snapper
+- Allow mozilla_plugin to getsession
+- Add labeling for thttpd
+- Allow sosreport to execute grub2-probe
+- Allow NM to manage hostname config file
+- Allow systemd_timedated_t to dbus chat with rpm_script_t
+- Allow lsmd plugins to connect to http/ssh/http_cache ports by default
+- Add lsmd_plugin_connect_any boolea
+- Add support for ipset
+- Add support for /dev/sclp_line0
+- Add modutils_signal_insmod()
+- Add files_relabelto_all_mountpoints() interface
+- Allow the docker daemon to mounton tty_device_t
+- Allow all systemd domains to read /proc/1
+- Login programs talking to journald are attempting to net_admin, add dontaudit
+- init is not gettar on processes as shutdown time
+- Add systemd_hostnamed_manage_config() interface
+- Make unconfined_service_t valid in enforcing
+- Remove transition for temp dirs created by init_t
+- gdm-simple-slave uses use setsockopt
+- Add lvm_read_metadata()
+
 * Mon Feb 24 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-27
 - Make unconfined_service_t valid in enforcing
 - Remove transition for temp dirs created by init_t

