[selinux-policy] - Allow block_suspend cap2 for systemd-logind and rw dri device - Add labeling for /usr/libexec/nm-l

Miroslav Grepl mgrepl at fedoraproject.org
Tue Mar 4 09:16:21 UTC 2014


commit 08fe2e457ef2dbc37fa759a7fdebc42cb1a7cc4a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Mar 4 10:17:06 2014 +0100

    - Allow block_suspend cap2 for systemd-logind and rw dri device
    - Add labeling for /usr/libexec/nm-libreswan-service
    - Allow locallogin to rw xdm key to make Virtual Terminal login providing
    - Add xserver_rw_xdm_keys()
    - Allow rpm_script_t to dbus chat also with systemd-located
    - Fix ipa_stream_connect_otpd()
    - update lpd_manage_spool() interface
    - Allow krb5kdc to stream connect to ipa-otpd
    - Add ipa_stream_connect_otpd() interface
    - Allow vpnc to unlink NM pids
    - Add networkmanager_delete_pid_files()
    - Allow munin plugins to access unconfined plugins
    - update abrt_filetrans_named_content to cover /var/spool/debug
    - Label /var/spool/debug as abrt_var_cache_t
    - Allow rhsmcertd to connect to squid port
    - Make docker_transition_unconfined as optional boolean
    - Allow certmonger to list home dirs

 policy-rawhide-base.patch    |  138 ++++++++++++-------
 policy-rawhide-contrib.patch |  319 +++++++++++++++++++++++++-----------------
 selinux-policy.spec          |   21 +++-
 3 files changed, 300 insertions(+), 178 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 48aad36..77e2037 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -22720,7 +22720,7 @@ index 8274418..0069d82 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..115c533 100644
+index 6bf0ecc..0d55916 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,37 @@
@@ -23704,7 +23704,7 @@ index 6bf0ecc..115c533 100644
  ')
  
  ########################################
-@@ -1284,10 +1679,624 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1679,643 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -24331,6 +24331,25 @@ index 6bf0ecc..115c533 100644
 +
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
++
++########################################
++## <summary>
++##	Manage keys for xdm.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_rw_xdm_keys',`
++	gen_require(`
++		type xdm_t;
++	')
++
++	allow $1 xdm_t:key { read write };
++')
++
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
 index 8b40377..a02343f 100644
 --- a/policy/modules/services/xserver.te
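Review bot: The summary on the new `xserver_rw_xdm_keys` interface says "Manage keys for xdm", but the rule grants only `{ read write }` on `xdm_t:key`, and "manage" in this policy's naming normally implies a wider permission set. A reader of the generated interface documentation would expect more access than the interface gives, or assume that widening it later is in scope. I would change the summary line to `##	Read and write xdm keys.` so the doc block matches both the interface name and the rule.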
@@ -27522,7 +27541,7 @@ index 016a770..1effeb4 100644
 +	files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
 +')
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 3f48d30..90a20cf 100644
+index 3f48d30..1fb0cde 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
 @@ -13,9 +13,15 @@ role system_r types fsadm_t;
@@ -27541,7 +27560,15 @@ index 3f48d30..90a20cf 100644
  type swapfile_t; # customizable
  files_type(swapfile_t)
  
-@@ -41,10 +47,21 @@ allow fsadm_t self:msg { send receive };
+@@ -26,6 +32,7 @@ files_type(swapfile_t)
+ 
+ # ipc_lock is for losetup
+ allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
++dontaudit fsadm_t self:capability net_admin;
+ allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
+ allow fsadm_t self:fd use;
+ allow fsadm_t self:fifo_file rw_fifo_file_perms;
+@@ -41,10 +48,21 @@ allow fsadm_t self:msg { send receive };
  
  can_exec(fsadm_t, fsadm_exec_t)
  
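Review bot: The added `dontaudit fsadm_t self:capability net_admin;` has no comment saying which operation triggers the check, while the rule directly above it carries `# ipc_lock is for losetup`. The same uncommented rule is added in the init_telinit hunk (`dontaudit $1 self:capability net_admin;`, which there applies to every domain calling the interface), in the systemd_domain hunk, and in the system_bus_type hunk of the contrib patch. Because dontaudit suppresses the AVC record, a later genuine need for CAP_NET_ADMIN, or an unexpected attempt to use it, leaves no trace in the audit log for these domains; a one-line comment such as `# <trigger> probes net_admin; denial is harmless` with the real trigger filled in would let a maintainer judge that trade-off. Separately, the unchanged context line below excludes `execmem` twice and never `execstack`, unlike the sulogin_t rule later in this patch, which looks like an upstream typo worth checking.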
@@ -27565,7 +27592,7 @@ index 3f48d30..90a20cf 100644
  # log files
  allow fsadm_t fsadm_log_t:dir setattr;
  manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
-@@ -53,6 +70,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+@@ -53,6 +71,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
  # Enable swapping to files
  allow fsadm_t swapfile_t:file { rw_file_perms swapon };
  
@@ -27573,7 +27600,7 @@ index 3f48d30..90a20cf 100644
  kernel_read_system_state(fsadm_t)
  kernel_read_kernel_sysctls(fsadm_t)
  kernel_request_load_module(fsadm_t)
-@@ -101,6 +119,8 @@ files_read_usr_files(fsadm_t)
+@@ -101,6 +120,8 @@ files_read_usr_files(fsadm_t)
  files_read_etc_files(fsadm_t)
  files_manage_lost_found(fsadm_t)
  files_manage_isid_type_dirs(fsadm_t)
@@ -27582,7 +27609,7 @@ index 3f48d30..90a20cf 100644
  # Write to /etc/mtab.
  files_manage_etc_runtime_files(fsadm_t)
  files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -112,7 +132,6 @@ files_read_isid_type_files(fsadm_t)
+@@ -112,7 +133,6 @@ files_read_isid_type_files(fsadm_t)
  fs_search_auto_mountpoints(fsadm_t)
  fs_getattr_xattr_fs(fsadm_t)
  fs_rw_ramfs_pipes(fsadm_t)
@@ -27590,7 +27617,7 @@ index 3f48d30..90a20cf 100644
  # remount file system to apply changes
  fs_remount_xattr_fs(fsadm_t)
  # for /dev/shm
-@@ -120,6 +139,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -120,6 +140,9 @@ fs_list_auto_mountpoints(fsadm_t)
  fs_search_tmpfs(fsadm_t)
  fs_getattr_tmpfs_dirs(fsadm_t)
  fs_read_tmpfs_symlinks(fsadm_t)
@@ -27600,7 +27627,7 @@ index 3f48d30..90a20cf 100644
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -133,21 +155,27 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +156,27 @@ storage_raw_write_fixed_disk(fsadm_t)
  storage_raw_read_removable_device(fsadm_t)
  storage_raw_write_removable_device(fsadm_t)
  storage_read_scsi_generic(fsadm_t)
@@ -27630,7 +27657,7 @@ index 3f48d30..90a20cf 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -166,6 +194,11 @@ optional_policy(`
+@@ -166,6 +195,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27642,7 +27669,7 @@ index 3f48d30..90a20cf 100644
  	hal_dontaudit_write_log(fsadm_t)
  ')
  
-@@ -179,6 +212,10 @@ optional_policy(`
+@@ -179,6 +213,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27653,7 +27680,7 @@ index 3f48d30..90a20cf 100644
  	nis_use_ypbind(fsadm_t)
  ')
  
-@@ -192,6 +229,10 @@ optional_policy(`
+@@ -192,6 +230,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28026,7 +28053,7 @@ index bc0ffc8..8de430d 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..b822c29 100644
+index 79a45f6..89b43aa 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -28413,7 +28440,7 @@ index 79a45f6..b822c29 100644
  ')
  
  ########################################
-@@ -743,22 +923,23 @@ interface(`init_write_initctl',`
+@@ -743,22 +923,24 @@ interface(`init_write_initctl',`
  interface(`init_telinit',`
  	gen_require(`
  		type initctl_t;
@@ -28438,6 +28465,7 @@ index 79a45f6..b822c29 100644
 -	')
 +	ps_process_pattern($1, init_t)
 +	allow $1 init_t:process signal;
++	dontaudit $1 self:capability net_admin;
 +	# upstart uses a datagram socket instead of initctl pipe
 +	allow $1 self:unix_dgram_socket create_socket_perms;
 +	allow $1 init_t:unix_dgram_socket sendto;
@@ -28446,7 +28474,7 @@ index 79a45f6..b822c29 100644
  ')
  
  ########################################
-@@ -787,7 +968,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +969,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -28455,7 +28483,7 @@ index 79a45f6..b822c29 100644
  ##	</summary>
  ## </param>
  #
-@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +1012,12 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -28470,7 +28498,7 @@ index 79a45f6..b822c29 100644
  
  	ifdef(`distro_gentoo',`
  		gen_require(`
-@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1028,11 @@ interface(`init_spec_domtrans_script',`
  	')
  
  	ifdef(`enable_mcs',`
@@ -28484,7 +28512,7 @@ index 79a45f6..b822c29 100644
  	')
  ')
  
-@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +1048,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -28530,7 +28558,7 @@ index 79a45f6..b822c29 100644
  ')
  
  ########################################
-@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1138,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -28545,7 +28573,7 @@ index 79a45f6..b822c29 100644
  	files_search_etc($1)
  ')
  
-@@ -1012,6 +1221,42 @@ interface(`init_read_state',`
+@@ -1012,6 +1222,42 @@ interface(`init_read_state',`
  
  ########################################
  ## <summary>
@@ -28588,7 +28616,7 @@ index 79a45f6..b822c29 100644
  ##	Ptrace init
  ## </summary>
  ## <param name="domain">
-@@ -1026,7 +1271,9 @@ interface(`init_ptrace',`
+@@ -1026,7 +1272,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
@@ -28599,7 +28627,7 @@ index 79a45f6..b822c29 100644
  ')
  
  ########################################
-@@ -1125,6 +1372,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1373,25 @@ interface(`init_getattr_all_script_files',`
  
  ########################################
  ## <summary>
@@ -28625,7 +28653,7 @@ index 79a45f6..b822c29 100644
  ##	Read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1144,6 +1410,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1411,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -28650,7 +28678,7 @@ index 79a45f6..b822c29 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1195,12 +1479,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1480,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -28664,7 +28692,7 @@ index 79a45f6..b822c29 100644
  ')
  
  ########################################
-@@ -1314,7 +1593,7 @@ interface(`init_signal_script',`
+@@ -1314,7 +1594,7 @@ interface(`init_signal_script',`
  
  ########################################
  ## <summary>
@@ -28673,7 +28701,7 @@ index 79a45f6..b822c29 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1322,17 +1601,17 @@ interface(`init_signal_script',`
+@@ -1322,17 +1602,17 @@ interface(`init_signal_script',`
  ##	</summary>
  ## </param>
  #
@@ -28694,7 +28722,7 @@ index 79a45f6..b822c29 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1340,17 +1619,17 @@ interface(`init_signull_script',`
+@@ -1340,17 +1620,17 @@ interface(`init_signull_script',`
  ##	</summary>
  ## </param>
  #
@@ -28715,7 +28743,7 @@ index 79a45f6..b822c29 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1358,7 +1637,25 @@ interface(`init_rw_script_pipes',`
+@@ -1358,7 +1638,25 @@ interface(`init_rw_script_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -28742,7 +28770,7 @@ index 79a45f6..b822c29 100644
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
  
-@@ -1440,6 +1737,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1738,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -28770,7 +28798,7 @@ index 79a45f6..b822c29 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1547,6 +1865,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1547,6 +1866,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -28796,7 +28824,7 @@ index 79a45f6..b822c29 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1605,6 +1942,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1605,6 +1943,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -28821,7 +28849,7 @@ index 79a45f6..b822c29 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1677,6 +2032,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2033,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -28865,7 +28893,7 @@ index 79a45f6..b822c29 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1765,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2158,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -28874,7 +28902,7 @@ index 79a45f6..b822c29 100644
  ')
  
  ########################################
-@@ -1806,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,6 +2199,133 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
@@ -29008,7 +29036,7 @@ index 79a45f6..b822c29 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2359,450 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2360,450 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -30837,7 +30865,7 @@ index 17eda24..e8e4114 100644
 +    ')
 + ')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..05d25b0 100644
+index 662e79b..08589f8 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
 @@ -1,14 +1,23 @@
@@ -30865,10 +30893,11 @@ index 662e79b..05d25b0 100644
  
  /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
  
-@@ -26,16 +35,23 @@
+@@ -26,16 +35,24 @@
  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/libexec/nm-libreswan-service   --  gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 +/usr/libexec/strongswan/.*	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  
  /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -32288,7 +32317,7 @@ index 0e3c2a9..ea9bd57 100644
 +	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
 +')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa99..050a2ac 100644
+index 446fa99..6043534 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -32412,7 +32441,15 @@ index 446fa99..050a2ac 100644
  	unconfined_shell_domtrans(local_login_t)
  ')
  
-@@ -202,7 +198,7 @@ optional_policy(`
+@@ -195,6 +191,7 @@ optional_policy(`
+ optional_policy(`
+ 	xserver_read_xdm_tmp_files(local_login_t)
+ 	xserver_rw_xdm_tmp_files(local_login_t)
++    xserver_rw_xdm_keys(local_login_t)
+ ')
+ 
+ #################################
+@@ -202,7 +199,7 @@ optional_policy(`
  # Sulogin local policy
  #
  
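Review bot: The added call `xserver_rw_xdm_keys(local_login_t)` is indented with four spaces while the two calls above it in the same optional_policy block use a tab. The same space indentation appears on the added lines in the ipa_stream_connect_otpd, krb5kdc and lpd_manage_spool hunks and on the nm-libreswan-service file context. The line also gives local_login_t write access to xdm_t's kernel keys without a comment, and the commit description's reason is hard to follow. I would write it as `	xserver_rw_xdm_keys(local_login_t)` with a tab and put a short comment above it naming the login scenario that needs the key.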
@@ -32421,7 +32458,7 @@ index 446fa99..050a2ac 100644
  allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow sulogin_t self:fd use;
  allow sulogin_t self:fifo_file rw_fifo_file_perms;
-@@ -215,18 +211,27 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,18 +212,27 @@ allow sulogin_t self:sem create_sem_perms;
  allow sulogin_t self:msgq create_msgq_perms;
  allow sulogin_t self:msg { send receive };
  
@@ -32449,7 +32486,7 @@ index 446fa99..050a2ac 100644
  
  logging_send_syslog_msg(sulogin_t)
  
-@@ -235,17 +240,28 @@ seutil_read_default_contexts(sulogin_t)
+@@ -235,17 +241,28 @@ seutil_read_default_contexts(sulogin_t)
  
  userdom_use_unpriv_users_fds(sulogin_t)
  
@@ -32480,7 +32517,7 @@ index 446fa99..050a2ac 100644
  	init_getpgid(sulogin_t)
  ', `
  	allow sulogin_t self:process setexec;
-@@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +273,3 @@ ifdef(`sulogin_no_pam', `
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
@@ -39476,10 +39513,10 @@ index 0000000..8bca1d7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..4b0bb47
+index 0000000..e0c3372
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,636 @@
+@@ -0,0 +1,638 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -39563,6 +39600,7 @@ index 0000000..4b0bb47
 +
 +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
 +allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
++allow systemd_logind_t self:capability2 block_suspend;
 +allow systemd_logind_t self:process getcap;
 +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@@ -39590,7 +39628,7 @@ index 0000000..4b0bb47
 +dev_getattr_all_blk_files(systemd_logind_t)
 +dev_rw_sysfs(systemd_logind_t)
 +dev_rw_input_dev(systemd_logind_t)
-+dev_rw_inherited_dri(systemd_logind_t)
++dev_rw_dri(systemd_logind_t)
 +dev_setattr_all_chr_files(systemd_logind_t)
 +dev_setattr_dri_dev(systemd_logind_t)
 +dev_setattr_generic_usb_dev(systemd_logind_t)
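Review bot: The switch to `dev_rw_dri(systemd_logind_t)` widens systemd_logind_t from using DRI descriptors it was handed to opening the DRI device nodes itself, and nothing next to the line records why. Presumably logind opens these devices on behalf of sessions; if so, a comment such as `# logind opens dri devices itself for session device management` above the call would keep the wider grant from looking accidental to the next reviewer.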
@@ -39696,7 +39734,7 @@ index 0000000..4b0bb47
 +# Local policy
 +#
 +
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override net_admin };
++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
 +allow systemd_passwd_agent_t self:process { setsockcreate };
 +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 +
@@ -39740,7 +39778,7 @@ index 0000000..4b0bb47
 +# Local policy
 +#
 +
-+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod net_admin };
++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
 +allow systemd_tmpfiles_t self:process { setfscreate };
 +
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
@@ -40090,6 +40128,7 @@ index 0000000..4b0bb47
 +# Common rules for systemd domains
 +#
 +allow systemd_domain self:process { setfscreate signal_perms };
++dontaudit systemd_domain self:capability net_admin;
 +
 +dev_read_urand(systemd_domain)
 +
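Review bot: The `dontaudit systemd_domain self:capability net_admin;` rule arrives in the same commit that drops `net_admin` from the allow rules of systemd_passwd_agent_t and systemd_tmpfiles_t. If either domain did need the capability and carries the systemd_domain attribute (not visible in this hunk), the resulting failure will produce no AVC at all. I would add a comment stating that the denial was confirmed harmless, and check the affected services once with dontaudit rules disabled (`semodule -DB`) before this ships.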
@@ -46039,7 +46078,7 @@ index 9dc60c6..771d5b9 100644
 +')
 +
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..799a5cc 100644
+index f4ac38d..711759c 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@@ -46128,7 +46167,7 @@ index f4ac38d..799a5cc 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +83,383 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,384 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -46188,6 +46227,7 @@ index f4ac38d..799a5cc 100644
 +
 +allow userdomain userdomain:process signull;
 +allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;
++dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;
 +
 +# Nautilus causes this avc
 +domain_dontaudit_access_check(unpriv_userdomain)
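Review bot: `dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;` has no comment, while the rule right after it is explained by `# Nautilus causes this avc`. Raw socket creation by an unprivileged user domain is a denial that host monitoring may want to see, so silencing it for the whole attribute deserves a stated reason. I would add a comment in the same form as the Nautilus one, e.g. `# <program> probes raw sockets at start-up`, with the actual program filled in.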
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index b9dfcdd..de2bffe 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -68,7 +68,7 @@ index 1a93dc5..40dda9e 100644
 -/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 -/var/spool/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/abrt.if b/abrt.if
-index 058d908..70eb89d 100644
+index 058d908..1e5378d 100644
 --- a/abrt.if
 +++ b/abrt.if
 @@ -1,4 +1,26 @@
@@ -344,7 +344,7 @@ index 058d908..70eb89d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -288,39 +407,172 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +407,173 @@ interface(`abrt_manage_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -527,6 +527,7 @@ index 058d908..70eb89d 100644
 +	files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
 +	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
 +	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
++	files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
 +	files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
 +')
 +
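Review bot: The commit description says this covers /var/spool/debug, but the added line uses `files_var_filetrans`, which in the reference policy sets a named transition for objects created in var_t directories, i.e. directly under /var. If /var/spool is labeled var_spool_t as usual, a `debug` directory created there would not pick up abrt_var_cache_t from this rule and would depend on a later relabel. I would expect `files_spool_filetrans($1, abrt_var_cache_t, dir, "debug")` here, or both lines if /var/debug is also intended. The enclosing interface starts above this hunk, so its gen_require block is not visible.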
@@ -10752,7 +10753,7 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..6f366b4 100644
+index 550b287..b988f57 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -10789,7 +10790,7 @@ index 550b287..6f366b4 100644
  
  corenet_all_recvfrom_unlabeled(certmonger_t)
  corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,16 +55,23 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
  
  corenet_sendrecv_certmaster_client_packets(certmonger_t)
  corenet_tcp_connect_certmaster_port(certmonger_t)
@@ -10812,9 +10813,11 @@ index 550b287..6f366b4 100644
  
 -files_read_usr_files(certmonger_t)
  files_list_tmp(certmonger_t)
++files_list_home(certmonger_t)
  
  fs_search_cgroup_dirs(certmonger_t)
-@@ -70,16 +83,18 @@ init_getattr_all_script_files(certmonger_t)
+ 
+@@ -70,16 +84,18 @@ init_getattr_all_script_files(certmonger_t)
  
  logging_send_syslog_msg(certmonger_t)
  
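Review bot: `files_list_home(certmonger_t)` lets certmonger_t enumerate the entries of the home root, which is more than path traversal needs. If the denial behind this was only a search while resolving a path under a home directory, `files_search_home(certmonger_t)` would be the narrower grant; the trigger is not visible in the hunk, so this is a question rather than a confirmed defect. Either way, a short comment on what certmonger looks up there would help.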
@@ -10835,7 +10838,7 @@ index 550b287..6f366b4 100644
  ')
  
  optional_policy(`
-@@ -92,11 +107,47 @@ optional_policy(`
+@@ -92,11 +108,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20127,7 +20130,7 @@ index 62d22cb..2d33fcd 100644
 +	dontaudit system_bus_type $1:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
-index c9998c8..163708f 100644
+index c9998c8..8b8b691 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -4,17 +4,15 @@ gen_require(`
@@ -20250,7 +20253,7 @@ index c9998c8..163708f 100644
  mls_fd_use_all_levels(system_dbusd_t)
  mls_rangetrans_target(system_dbusd_t)
  mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +121,159 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +121,160 @@ term_dontaudit_use_console(system_dbusd_t)
  auth_use_nsswitch(system_dbusd_t)
  auth_read_pam_console_data(system_dbusd_t)
  
@@ -20355,6 +20358,7 @@ index c9998c8..163708f 100644
 +# system_bus_type rules
  #
 +role system_r types system_bus_type;
++dontaudit system_bus_type self:capability net_admin;
 +
 +fs_search_all(system_bus_type)
 +
@@ -20424,7 +20428,7 @@ index c9998c8..163708f 100644
  kernel_read_kernel_sysctls(session_bus_type)
  
  corecmd_list_bin(session_bus_type)
-@@ -191,23 +282,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +283,18 @@ corecmd_read_bin_files(session_bus_type)
  corecmd_read_bin_pipes(session_bus_type)
  corecmd_read_bin_sockets(session_bus_type)
  
@@ -20449,7 +20453,7 @@ index c9998c8..163708f 100644
  files_dontaudit_search_var(session_bus_type)
  
  fs_getattr_romfs(session_bus_type)
-@@ -215,7 +301,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +302,6 @@ fs_getattr_xattr_fs(session_bus_type)
  fs_list_inotifyfs(session_bus_type)
  fs_dontaudit_list_nfs(session_bus_type)
  
@@ -20457,7 +20461,7 @@ index c9998c8..163708f 100644
  selinux_validate_context(session_bus_type)
  selinux_compute_access_vector(session_bus_type)
  selinux_compute_create_context(session_bus_type)
-@@ -225,18 +310,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +311,36 @@ selinux_compute_user_contexts(session_bus_type)
  auth_read_pam_console_data(session_bus_type)
  
  logging_send_audit_msgs(session_bus_type)
@@ -20499,7 +20503,7 @@ index c9998c8..163708f 100644
  ')
  
  ########################################
-@@ -244,5 +347,6 @@ optional_policy(`
+@@ -244,5 +348,6 @@ optional_policy(`
  # Unconfined access to this module
  #
  
@@ -33116,10 +33120,10 @@ index 0000000..9278f85
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..deb738f
+index 0000000..70c67d3
 --- /dev/null
 +++ b/ipa.if
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,38 @@
 +## <summary>Policy for IPA services.</summary>
 +
 +########################################
@@ -33141,6 +33145,23 @@ index 0000000..deb738f
 +	domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
 +')
 +
++########################################
++## <summary>
++##	Connect to ipa-otpd over a unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ipa_stream_connect_otpd',`
++	gen_require(`
++		type ipa_otpd_t;
++	')
++    allow $1 ipa_otpd_t:unix_stream_socket connectto;
++')
++
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
 index 0000000..0fd2678
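Review bot: The new `ipa_stream_connect_otpd` interface allows only `connectto` on `ipa_otpd_t:unix_stream_socket` and says nothing about the socket file, whereas stream-connect interfaces in this policy usually go through `stream_connect_pattern` so the caller can also reach the sock_file. If the socket file is one the caller already has access to, that is fine, but the doc block should say so. I would extend the summary to state which domain is expected to own the socket file, so a later caller does not assume the interface is sufficient on its own.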
@@ -36378,7 +36399,7 @@ index f6c00d8..c0946cf 100644
 +	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
  ')
 diff --git a/kerberos.te b/kerberos.te
-index 8833d59..ff53b77 100644
+index 8833d59..534f815 100644
 --- a/kerberos.te
 +++ b/kerberos.te
 @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@@ -36582,7 +36603,7 @@ index 8833d59..ff53b77 100644
  logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
  
  allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -201,56 +228,57 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -201,71 +228,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
  files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
  
  manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
@@ -36653,7 +36674,14 @@ index 8833d59..ff53b77 100644
  sysnet_use_ldap(krb5kdc_t)
  
  userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-@@ -261,11 +289,11 @@ optional_policy(`
+ userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+ 
+ optional_policy(`
++    ipa_stream_connect_otpd(krb5kdc_t)
++')
++
++optional_policy(`
+ 	ldap_stream_connect(krb5kdc_t)
  ')
  
  optional_policy(`
@@ -36667,7 +36695,7 @@ index 8833d59..ff53b77 100644
  ')
  
  optional_policy(`
-@@ -273,6 +301,10 @@ optional_policy(`
+@@ -273,6 +305,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36678,7 +36706,7 @@ index 8833d59..ff53b77 100644
  	udev_read_db(krb5kdc_t)
  ')
  
-@@ -281,10 +313,12 @@ optional_policy(`
+@@ -281,10 +317,12 @@ optional_policy(`
  # kpropd local policy
  #
  
@@ -36694,7 +36722,7 @@ index 8833d59..ff53b77 100644
  
  allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
  
-@@ -303,26 +337,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,26 +341,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
  
  corecmd_exec_bin(kpropd_t)
  
@@ -38115,7 +38143,7 @@ index 3602712..fc7b071 100644
 +	allow $1 slapd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ldap.te b/ldap.te
-index 4c2b111..6effd5f 100644
+index 4c2b111..deb2d7d 100644
 --- a/ldap.te
 +++ b/ldap.te
 @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -38137,7 +38165,18 @@ index 4c2b111..6effd5f 100644
  allow slapd_t self:fifo_file rw_fifo_file_perms;
  allow slapd_t self:tcp_socket { accept listen };
  
-@@ -93,7 +96,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+@@ -69,9 +72,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
+ files_lock_filetrans(slapd_t, slapd_lock_t, file)
+ 
+ manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-append_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-create_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
++manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+ logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
+ 
+ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+@@ -93,7 +94,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
  kernel_read_system_state(slapd_t)
  kernel_read_kernel_sysctls(slapd_t)
  
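Review bot: Swapping the `append_files_pattern`, `create_files_pattern` and `setattr_files_pattern` rules for `manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)` widens slapd_t from append-only logging to full write, rename and unlink on its own log files, and the change is not listed in the commit description. With append-only access a compromised slapd cannot rewrite or delete earlier log entries; with manage it can. If a specific denial prompted this, I would keep the three narrower rules and add only the missing permission, with a comment naming the operation that needed it.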
@@ -38145,7 +38184,7 @@ index 4c2b111..6effd5f 100644
  corenet_all_recvfrom_netlabel(slapd_t)
  corenet_tcp_sendrecv_generic_if(slapd_t)
  corenet_tcp_sendrecv_generic_node(slapd_t)
-@@ -115,15 +117,14 @@ fs_getattr_all_fs(slapd_t)
+@@ -115,15 +115,14 @@ fs_getattr_all_fs(slapd_t)
  fs_search_auto_mountpoints(slapd_t)
  
  files_read_etc_runtime_files(slapd_t)
@@ -38162,7 +38201,7 @@ index 4c2b111..6effd5f 100644
  
  userdom_dontaudit_use_unpriv_user_fds(slapd_t)
  userdom_dontaudit_search_user_home_dirs(slapd_t)
-@@ -131,9 +132,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
+@@ -131,9 +130,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
  optional_policy(`
  	kerberos_manage_host_rcache(slapd_t)
  	kerberos_read_keytab(slapd_t)
@@ -39192,7 +39231,7 @@ index 2fb9b2e..08974e3 100644
  
  /usr/share/printconf/.*	--	gen_context(system_u:object_r:printconf_t,s0)
 diff --git a/lpd.if b/lpd.if
-index 6256371..7826e38 100644
+index 6256371..ce2acb8 100644
 --- a/lpd.if
 +++ b/lpd.if
 @@ -1,44 +1,49 @@
@@ -39317,7 +39356,12 @@ index 6256371..7826e38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',`
+@@ -149,11 +151,12 @@ interface(`lpd_manage_spool',`
+ 	manage_dirs_pattern($1, print_spool_t, print_spool_t)
+ 	manage_files_pattern($1, print_spool_t, print_spool_t)
+ 	manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
++    manage_fifo_files_pattern($1, print_spool_t, print_spool_t)
+ ')
  
  ########################################
  ## <summary>
@@ -39326,7 +39370,7 @@ index 6256371..7826e38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',`
+@@ -172,7 +175,7 @@ interface(`lpd_relabel_spool',`
  
  ########################################
  ## <summary>
@@ -39335,7 +39379,7 @@ index 6256371..7826e38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -200,12 +202,11 @@ interface(`lpd_read_config',`
+@@ -200,12 +203,11 @@ interface(`lpd_read_config',`
  ##	</summary>
  ## </param>
  #
@@ -39349,7 +39393,7 @@ index 6256371..7826e38 100644
  	domtrans_pattern($1, lpr_exec_t, lpr_t)
  ')
  
-@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',`
+@@ -237,7 +239,8 @@ interface(`lpd_run_lpr',`
  
  ########################################
  ## <summary>
@@ -39359,7 +39403,7 @@ index 6256371..7826e38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',`
+@@ -250,6 +253,5 @@ interface(`lpd_exec_lpr',`
  		type lpr_exec_t;
  	')
  
@@ -47493,10 +47537,10 @@ index b744fe3..900d083 100644
 +	admin_pattern($1, munin_content_t)
  ')
 diff --git a/munin.te b/munin.te
-index b708708..16b96d0 100644
+index b708708..0deb9fa 100644
 --- a/munin.te
 +++ b/munin.te
-@@ -44,12 +44,15 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
+@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
  munin_plugin_template(system)
  munin_plugin_template(unconfined)
  
@@ -47513,7 +47557,14 @@ index b708708..16b96d0 100644
  allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
  
  allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -62,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+ 
+ read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
+ 
++allow munin_plugin_domain munin_unconfined_plugin_exec_t:file read_file_perms;
++
+ allow munin_plugin_domain munin_exec_t:file read_file_perms;
+ 
+ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
  
  manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
  
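Review bot: The new `allow munin_plugin_domain munin_unconfined_plugin_exec_t:file read_file_perms;` rule is written against `munin_plugin_domain`, which the surrounding rules appear to use for every plugin domain. If so, the confined disk, mail, services and system plugins all gain read access to the unconfined plugin executables. Nothing in the hunk says which plugin needs this; if only one does, the rule belongs in that domain's local policy section. Otherwise add a why-comment above it, for example `# plugins read scripts labelled munin_unconfined_plugin_exec_t (ref: <bug id>)`.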
@@ -47538,7 +47589,7 @@ index b708708..16b96d0 100644
  
  optional_policy(`
  	nscd_use(munin_plugin_domain)
-@@ -118,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -47547,7 +47598,7 @@ index b708708..16b96d0 100644
  
  manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
  manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -134,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
  corecmd_exec_bin(munin_t)
  corecmd_exec_shell(munin_t)
  
@@ -47555,7 +47606,7 @@ index b708708..16b96d0 100644
  corenet_all_recvfrom_netlabel(munin_t)
  corenet_tcp_sendrecv_generic_if(munin_t)
  corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -157,7 +153,6 @@ domain_use_interactive_fds(munin_t)
+@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t)
  domain_read_all_domains_state(munin_t)
  
  files_read_etc_runtime_files(munin_t)
@@ -47563,7 +47614,7 @@ index b708708..16b96d0 100644
  files_list_spool(munin_t)
  
  fs_getattr_all_fs(munin_t)
-@@ -169,7 +164,6 @@ logging_send_syslog_msg(munin_t)
+@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t)
  logging_read_all_logs(munin_t)
  
  miscfiles_read_fonts(munin_t)
@@ -47571,7 +47622,7 @@ index b708708..16b96d0 100644
  miscfiles_setattr_fonts_cache_dirs(munin_t)
  
  sysnet_exec_ifconfig(munin_t)
-@@ -177,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
  userdom_dontaudit_use_unpriv_user_fds(munin_t)
  userdom_dontaudit_search_user_home_dirs(munin_t)
  
@@ -47585,7 +47636,7 @@ index b708708..16b96d0 100644
  
  optional_policy(`
  	cron_system_entry(munin_t, munin_exec_t)
-@@ -217,7 +204,6 @@ optional_policy(`
+@@ -217,7 +206,6 @@ optional_policy(`
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -47593,7 +47644,7 @@ index b708708..16b96d0 100644
  ')
  
  optional_policy(`
-@@ -246,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -47621,7 +47672,7 @@ index b708708..16b96d0 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -272,6 +260,10 @@ optional_policy(`
+@@ -272,6 +262,10 @@ optional_policy(`
  	fstools_exec(disk_munin_plugin_t)
  ')
  
@@ -47632,7 +47683,7 @@ index b708708..16b96d0 100644
  ####################################
  #
  # Mail local policy
-@@ -279,27 +271,36 @@ optional_policy(`
+@@ -279,27 +273,36 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -47673,7 +47724,7 @@ index b708708..16b96d0 100644
  ')
  
  optional_policy(`
-@@ -339,7 +340,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -339,7 +342,7 @@ dev_read_rand(services_munin_plugin_t)
  sysnet_read_config(services_munin_plugin_t)
  
  optional_policy(`
@@ -47682,7 +47733,7 @@ index b708708..16b96d0 100644
  ')
  
  optional_policy(`
-@@ -361,7 +362,11 @@ optional_policy(`
+@@ -361,7 +364,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47695,7 +47746,7 @@ index b708708..16b96d0 100644
  ')
  
  optional_policy(`
-@@ -393,6 +398,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +400,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -47703,7 +47754,7 @@ index b708708..16b96d0 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +427,32 @@ optional_policy(`
+@@ -421,3 +429,32 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -49873,7 +49924,7 @@ index 94b9734..bb9c83e 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29d..993ecf5 100644
+index 86dc29d..1cd0d0e 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -49953,28 +50004,10 @@ index 86dc29d..993ecf5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',`
+@@ -93,10 +96,27 @@ interface(`networkmanager_domtrans',`
+ 	domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
+ ')
  
- ########################################
- ## <summary>
--##	Execute networkmanager scripts with
--##	an automatic domain transition to initrc.
-+##	Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',`
- ##	</summary>
- ## </param>
- #
-+interface(`networkmanager_NetworkManagerrc_domtrans',`
-+	gen_require(`
-+		type NetworkManager_NetworkManagerrc_exec_t;
-+	')
-+
-+	NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t)
-+')
-+
 +#######################################
 +## <summary>
 +##      Execute NetworkManager scripts with an automatic domain transition to initrc.
@@ -49985,7 +50018,7 @@ index 86dc29d..993ecf5 100644
 +##      </summary>
 +## </param>
 +#
- interface(`networkmanager_initrc_domtrans',`
++interface(`networkmanager_initrc_domtrans',`
 +        gen_require(`
 +                type NetworkManager_initrc_exec_t;
 +        ')
@@ -49993,16 +50026,19 @@ index 86dc29d..993ecf5 100644
 +        init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
 +')
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Execute networkmanager scripts with
+-##	an automatic domain transition to initrc.
 +##	Execute NetworkManager server in the NetworkManager domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -104,18 +124,23 @@ interface(`networkmanager_domtrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`networkmanager_initrc_domtrans',`
 +interface(`networkmanager_systemctl',`
  	gen_require(`
 -		type NetworkManager_initrc_exec_t;
@@ -50026,7 +50062,7 @@ index 86dc29d..993ecf5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -155,7 +198,29 @@ interface(`networkmanager_read_state',`
+@@ -155,7 +180,29 @@ interface(`networkmanager_read_state',`
  
  ########################################
  ## <summary>
@@ -50057,7 +50093,7 @@ index 86dc29d..993ecf5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -211,9 +276,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -211,9 +258,28 @@ interface(`networkmanager_read_lib_files',`
  	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
  ')
  
@@ -50087,7 +50123,7 @@ index 86dc29d..993ecf5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -221,19 +305,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -221,19 +287,18 @@ interface(`networkmanager_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -50108,11 +50144,11 @@ index 86dc29d..993ecf5 100644
  ########################################
  ## <summary>
 -##	Read networkmanager pid files.
-+##	Read NetworkManager PID files.
++##	Manage NetworkManager PID files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -241,13 +324,13 @@ interface(`networkmanager_append_log_files',`
+@@ -241,13 +306,13 @@ interface(`networkmanager_append_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -50128,23 +50164,43 @@ index 86dc29d..993ecf5 100644
  ')
  
  ####################################
-@@ -272,12 +355,12 @@ interface(`networkmanager_stream_connect',`
+@@ -272,14 +337,33 @@ interface(`networkmanager_stream_connect',`
  
  ########################################
  ## <summary>
 -##	All of the rules required to
 -##	administrate an networkmanager environment.
-+##	Execute NetworkManager in the NetworkManager domain, and
-+##	allow the specified role the NetworkManager domain.
++##	Delete NetworkManager PID files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain allowed to transition.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
++#
++interface(`networkmanager_delete_pid_files',`
++	gen_require(`
++		type NetworkManager_var_run_t;
++	')
++
++	files_search_pids($1)
++    delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute NetworkManager in the NetworkManager domain, and
++##	allow the specified role the NetworkManager domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
  ## <param name="role">
-@@ -287,33 +370,132 @@ interface(`networkmanager_stream_connect',`
+ ##	<summary>
+ ##	Role allowed access.
+@@ -287,33 +371,132 @@ interface(`networkmanager_stream_connect',`
  ## </param>
  ## <rolecap/>
  #
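Review bot: `networkmanager_delete_pid_files` grants unlink on every regular file labelled `NetworkManager_var_run_t`, which is wider than its summary "Delete NetworkManager PID files" suggests. A file-context line earlier in this patch labels `/var/run/wpa_supplicant(/.*)?` with the same type, so the caller added in vpn.te appears able to remove those files as well as a pid file. Either say so in the summary, e.g. `##	Delete files labelled NetworkManager_var_run_t.`, or give the vpnc pid file its own type so the grant can stay narrow.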
@@ -77644,7 +77700,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..413f4b8 100644
+index d32e1a2..a87ab50 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -77665,11 +77721,12 @@ index d32e1a2..413f4b8 100644
  
  manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
  files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -52,23 +51,44 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -52,23 +51,45 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  kernel_read_network_state(rhsmcertd_t)
  kernel_read_system_state(rhsmcertd_t)
  
 +corenet_tcp_connect_http_port(rhsmcertd_t)
++corenet_tcp_connect_squid_port(rhsmcertd_t)
 +
  corecmd_exec_bin(rhsmcertd_t)
 +corecmd_exec_shell(rhsmcertd_t)
@@ -80109,7 +80166,7 @@ index ef3b225..d248cd3 100644
  	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rpm.te b/rpm.te
-index 6fc360e..44f9739 100644
+index 6fc360e..1abda8b 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -80513,7 +80570,7 @@ index 6fc360e..44f9739 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,41 +385,68 @@ ifdef(`distro_redhat',`
+@@ -363,41 +385,69 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -80552,6 +80609,7 @@ index 6fc360e..44f9739 100644
 +    optional_policy(`
 +        systemd_dbus_chat_logind(rpm_script_t)
 +        systemd_dbus_chat_timedated(rpm_script_t)
++        systemd_dbus_chat_localed(rpm_script_t)
 +    ')
 +')
 +
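Review bot: The call added here is `systemd_dbus_chat_localed(rpm_script_t)`, but the commit message and the %changelog entry in selinux-policy.spec both describe it as dbus chat with `systemd-located`. The entry should read `- Allow rpm_script_t to dbus chat also with systemd-localed` so that a search of the changelog for the daemon name finds this change.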
@@ -80593,7 +80651,7 @@ index 6fc360e..44f9739 100644
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +458,6 @@ optional_policy(`
+@@ -409,6 +459,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82560,7 +82618,7 @@ index 50d07fb..bada62f 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..3504791 100644
+index 2b7c441..e411600 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -82904,7 +82962,7 @@ index 2b7c441..3504791 100644
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
  allow smbd_t samba_share_t:filesystem { getattr quotaget };
  
-@@ -298,20 +304,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -298,65 +304,64 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
  
@@ -82935,7 +82993,10 @@ index 2b7c441..3504791 100644
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -321,42 +333,34 @@ kernel_read_kernel_sysctls(smbd_t)
+ kernel_read_network_state(smbd_t)
+ kernel_read_fs_sysctls(smbd_t)
+ kernel_read_kernel_sysctls(smbd_t)
++kernel_read_usermodehelper_state(smbd_t)
  kernel_read_software_raid_state(smbd_t)
  kernel_read_system_state(smbd_t)
  
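Review bot: This hunk adds `kernel_read_usermodehelper_state(smbd_t)`, yet neither the commit message nor the new %changelog entry mentions any samba change. An extra kernel-state read for the SMB daemon should be traceable, so add a changelog line such as `- Allow smbd to read usermodehelper state`. Ideally also put a comment above the call naming the denial it resolves. The smbd_t rule block continues on both sides of the hunk.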
@@ -82990,7 +83051,7 @@ index 2b7c441..3504791 100644
  
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
-@@ -366,44 +370,53 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +371,53 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
@@ -83056,7 +83117,7 @@ index 2b7c441..3504791 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -419,20 +432,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +433,10 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -83079,7 +83140,7 @@ index 2b7c441..3504791 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -441,6 +444,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +445,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -83087,7 +83148,7 @@ index 2b7c441..3504791 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -448,17 +452,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,17 +453,6 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -83105,7 +83166,7 @@ index 2b7c441..3504791 100644
  optional_policy(`
  	ccs_read_config(smbd_t)
  ')
-@@ -466,6 +459,7 @@ optional_policy(`
+@@ -466,6 +460,7 @@ optional_policy(`
  optional_policy(`
  	ctdbd_stream_connect(smbd_t)
  	ctdbd_manage_lib_files(smbd_t)
@@ -83113,7 +83174,7 @@ index 2b7c441..3504791 100644
  ')
  
  optional_policy(`
-@@ -479,6 +473,11 @@ optional_policy(`
+@@ -479,6 +474,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83125,7 +83186,7 @@ index 2b7c441..3504791 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -488,6 +487,10 @@ optional_policy(`
+@@ -488,6 +488,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83136,7 +83197,7 @@ index 2b7c441..3504791 100644
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -499,9 +502,33 @@ optional_policy(`
+@@ -499,9 +503,33 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -83171,7 +83232,7 @@ index 2b7c441..3504791 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +539,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +540,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -83186,7 +83247,7 @@ index 2b7c441..3504791 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +556,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -83210,7 +83271,7 @@ index 2b7c441..3504791 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -548,52 +572,42 @@ kernel_read_network_state(nmbd_t)
+@@ -548,52 +573,42 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -83277,7 +83338,7 @@ index 2b7c441..3504791 100644
  ')
  
  optional_policy(`
-@@ -606,16 +620,22 @@ optional_policy(`
+@@ -606,16 +621,22 @@ optional_policy(`
  
  ########################################
  #
@@ -83304,7 +83365,7 @@ index 2b7c441..3504791 100644
  
  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
  
-@@ -627,16 +647,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +648,11 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -83322,7 +83383,7 @@ index 2b7c441..3504791 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +659,23 @@ optional_policy(`
+@@ -644,22 +660,23 @@ optional_policy(`
  
  ########################################
  #
@@ -83354,7 +83415,7 @@ index 2b7c441..3504791 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +684,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -83390,7 +83451,7 @@ index 2b7c441..3504791 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +711,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +712,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -83482,7 +83543,7 @@ index 2b7c441..3504791 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +790,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -83506,7 +83567,7 @@ index 2b7c441..3504791 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +804,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +805,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -83549,7 +83610,7 @@ index 2b7c441..3504791 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +834,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +835,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -83563,7 +83624,7 @@ index 2b7c441..3504791 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -840,17 +857,20 @@ optional_policy(`
+@@ -840,17 +858,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -83589,7 +83650,7 @@ index 2b7c441..3504791 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +880,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -83600,7 +83661,7 @@ index 2b7c441..3504791 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +891,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -83630,7 +83691,7 @@ index 2b7c441..3504791 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -898,13 +914,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +915,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -83651,7 +83712,7 @@ index 2b7c441..3504791 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,10 +932,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -83662,7 +83723,7 @@ index 2b7c441..3504791 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -924,26 +940,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +941,39 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -83704,7 +83765,7 @@ index 2b7c441..3504791 100644
  ')
  
  optional_policy(`
-@@ -959,31 +988,29 @@ optional_policy(`
+@@ -959,31 +989,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -83742,7 +83803,7 @@ index 2b7c441..3504791 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1024,38 @@ optional_policy(`
+@@ -997,25 +1025,38 @@ optional_policy(`
  
  ########################################
  #
@@ -101919,7 +101980,7 @@ index 7a7f342..afedcba 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/vpn.te b/vpn.te
-index 95b26d1..55557cb 100644
+index 95b26d1..28e0030 100644
 --- a/vpn.te
 +++ b/vpn.te
 @@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
@@ -102023,14 +102084,16 @@ index 95b26d1..55557cb 100644
  
  optional_policy(`
  	dbus_system_bus_client(vpnc_t)
-@@ -125,7 +122,3 @@ optional_policy(`
+@@ -124,8 +121,5 @@ optional_policy(`
+ 
  optional_policy(`
  	networkmanager_attach_tun_iface(vpnc_t)
- ')
+-')
 -
 -optional_policy(`
 -	seutil_use_newrole_fds(vpnc_t)
--')
++    networkmanager_delete_pid_files(vpnc_t)
+ ')
 diff --git a/w3c.fc b/w3c.fc
 index 463c799..227feaf 100644
 --- a/w3c.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 773dccb..6aed8b1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -580,6 +580,25 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Mar 4 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-30
+- Allow block_suspend cap2 for systemd-logind and rw dri device
+- Add labeling for /usr/libexec/nm-libreswan-service
+- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working
+- Add xserver_rw_xdm_keys()
+- Allow rpm_script_t to dbus chat also with systemd-located
+- Fix ipa_stream_connect_otpd()
+- update lpd_manage_spool() interface
+- Allow krb5kdc to stream connect to ipa-otpd
+- Add ipa_stream_connect_otpd() interface
+- Allow vpnc to unlink NM pids
+- Add networkmanager_delete_pid_files()
+- Allow munin plugins to access unconfined plugins
+- update abrt_filetrans_named_content to cover /var/spool/debug
+- Label /var/spool/debug as abrt_var_cache_t
+- Allow rhsmcertd to connect to squid port
+- Make docker_transition_unconfined as optional boolean
+- Allow certmonger to list home dirs
+
 * Fri Feb 28 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-29
 - Make docker as permissive domain
 

