[selinux-policy] - Fix labeling for /root/\.yubico - userdom_search_admin_dir() calling needs to be optional in kerne
Miroslav Grepl
mgrepl at fedoraproject.org
Mon May 5 17:15:46 UTC 2014
commit 4e5d63b465da35e7b4b7771d871b76592afed52c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon May 5 19:15:58 2014 +0200
- Fix labeling for /root/\.yubico
- userdom_search_admin_dir() call in domain.te needs to be wrapped in optional_policy()
- Dontaudit leaked xserver_misc_device_t into plugins
- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
- Bootloader wants to look at init state
- Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm
- init reads kdbump etc files
- Add support for tcp/9697
- Fix labeling for /var/run/user/<UID>/gvfs
- Add support for us_cli ports
- fix sysnet_use_ldap
- Allow mysql to execute ifconfig if Red Hat OpenStack
- ALlow stap-server to get attr on all fs
- Fix mail_pool_t to mail_spool_t
- Dontaudit leaked xserver_misc_device_t into plugins
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
- Add new labeling for /var/spool/smtpd
- Allow httpd_t to kill passenger
- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets
- Allow nova-scheduler to read passwd/utmp files
- Additional rules required by openstack, needs backport to F20 and RHEL7
- Additional access required by docker
- ALlow motion to use tcp/8082 port
policy-rawhide-base.patch | 619 +++++++++++++++++++++++-------------------
policy-rawhide-contrib.patch | 308 ++++++++++++---------
selinux-policy.spec | 28 ++-
3 files changed, 537 insertions(+), 418 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 1d74ecc..f7786c2 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1022,7 +1022,7 @@ index 4705ab6..b7e7ea5 100644
+## </desc>
+gen_tunable(mount_anyfile, false)
diff --git a/policy/mcs b/policy/mcs
-index 216b3d1..275d3d9 100644
+index 216b3d1..064ec83 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -1,4 +1,6 @@
@@ -1032,7 +1032,7 @@ index 216b3d1..275d3d9 100644
#
# Define sensitivities
#
-@@ -69,53 +71,50 @@ gen_levels(1,mcs_num_cats)
+@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats)
# - /proc/pid operations are not constrained.
mlsconstrain file { read ioctl lock execute execute_no_trans }
@@ -1069,6 +1069,12 @@ index 216b3d1..275d3d9 100644
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
++
++mlsconstrain key { create link read search setattr view write }
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
++
++mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
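Review bot: The new `{ ipc sem msgq shm }` constraint covers only the write-side permissions (`create destroy setattr write unix_write`), so an mcs_constrained_type domain can still `read`, `unix_read`, `getattr` or `associate` a SysV IPC object whose categories it does not dominate, unless a matching rule exists outside this hunk. The file constraint earlier in this file does cover `read`, and MCS categories are what separate same-type domains (the sVirt model), so a read-side rule is probably wanted here: `mlsconstrain { ipc sem msgq shm } { getattr read unix_read associate } (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));`. If cross-category reads are deliberately left unconstrained, a one-line comment next to the new rule saying so would spare the next reader the same question. The key constraint just above it already lists `read search view`, so only the IPC rule is affected.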
@@ -1103,7 +1109,7 @@ index 216b3d1..275d3d9 100644
mlsconstrain process { signal }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-@@ -135,6 +134,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
+@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
mlsconstrain { db_tuple } { insert relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
@@ -1113,7 +1119,7 @@ index 216b3d1..275d3d9 100644
# Access control for any database objects based on MCS rules.
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
( h1 dom h2 );
-@@ -166,4 +168,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
@@ -1138,10 +1144,20 @@ index 216b3d1..275d3d9 100644
+
') dnl end enable_mcs
diff --git a/policy/mls b/policy/mls
-index f11e5e2..656f7a7 100644
+index f11e5e2..9e0c245 100644
--- a/policy/mls
+++ b/policy/mls
-@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
+@@ -156,9 +156,6 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
+ # these access vectors have no MLS restrictions
+ # filesystem { transition associate }
+
+-
+-
+-
+ #
+ # MLS policy for the socket classes
+ #
+@@ -195,7 +192,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
@@ -1151,7 +1167,19 @@ index f11e5e2..656f7a7 100644
# used by netlabel to restrict normal domains to same level connections
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
-@@ -361,9 +362,6 @@ mlsconstrain { peer packet } { recv }
+@@ -252,6 +250,11 @@ mlsconstrain msg receive
+ (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsipcread ));
+
++mlsconstrain key { create link read search setattr view write }
++ (( l1 eq l2 ) or
++ (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++ ( t1 == mlsprocwrite ));
++
+ # the ipc "write" ops (implicit single level)
+ mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+ (( l1 eq l2 ) or
+@@ -361,9 +364,6 @@ mlsconstrain { peer packet } { recv }
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
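Review bot: The added key constraint gates the read-side permissions (`read search view`) with the same `l1 eq l2` / `mlsprocwrite*` exemptions as the write-side ones, so a subject at a higher level cannot read a key at a lower level unless it carries `mlsprocwrite` or `mlsprocwritetoclr`. That is the opposite of the read-down/write-equal split the neighbouring `msg receive` rule uses (`mlsipcreadtoclr`/`mlsipcread` on the read side), and it means a privileged reader would have to be handed a write-override attribute just to read. If the strict behaviour is intended, a comment on the new rule should say so; otherwise split it into a read rule and a write rule as sketched below. The attribute declarations are not visible from this hunk, so confirm which read attribute is appropriate for keys before reusing the IPC one.
```selinux
# … unchanged: msg receive rule above …

# key "read" ops (read-down allowed, as for msg receive)
mlsconstrain key { read search view }
	(( l1 dom l2 ) or
	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
	 ( t1 == mlsipcread ));

# key "write" ops (implicit single level)
mlsconstrain key { create link setattr write }
	(( l1 eq l2 ) or
	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
	 ( t1 == mlsprocwrite ));
```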
@@ -1334,7 +1362,7 @@ index cc8df9d..90467f3 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index 0fd5c5f..32514ee 100644
+index 0fd5c5f..643341a 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -20,13 +20,20 @@ type bootloader_t;
@@ -1419,15 +1447,16 @@ index 0fd5c5f..32514ee 100644
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
-@@ -111,6 +134,7 @@ files_manage_etc_runtime_files(bootloader_t)
+@@ -111,6 +134,8 @@ files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
+
++init_read_state(bootloader_t)
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
init_use_script_fds(bootloader_t)
-@@ -118,19 +142,20 @@ init_rw_script_pipes(bootloader_t)
+@@ -118,19 +143,20 @@ init_rw_script_pipes(bootloader_t)
libs_read_lib_files(bootloader_t)
libs_exec_lib_files(bootloader_t)
@@ -1453,7 +1482,7 @@ index 0fd5c5f..32514ee 100644
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
-@@ -174,6 +199,10 @@ ifdef(`distro_redhat',`
+@@ -174,6 +200,10 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -1464,7 +1493,7 @@ index 0fd5c5f..32514ee 100644
fstools_exec(bootloader_t)
')
-@@ -183,6 +212,14 @@ optional_policy(`
+@@ -183,6 +213,14 @@ optional_policy(`
')
optional_policy(`
@@ -1479,7 +1508,7 @@ index 0fd5c5f..32514ee 100644
kudzu_domtrans(bootloader_t)
')
-@@ -195,17 +232,18 @@ optional_policy(`
+@@ -195,17 +233,18 @@ optional_policy(`
optional_policy(`
modutils_exec_insmod(bootloader_t)
@@ -5418,7 +5447,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..dd4a176 100644
+index b191055..1463ef3 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5677,7 +5706,7 @@ index b191055..dd4a176 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -215,52 +268,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,66 +268,74 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5686,7 +5715,7 @@ index b191055..dd4a176 100644
network_port(puppet, tcp, 8140, s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
-+network_port(neutron, tcp,9696,s0)
++network_port(neutron, tcp,9696,s0, tcp,9697,s0)
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
@@ -5746,7 +5775,11 @@ index b191055..dd4a176 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
-@@ -271,10 +331,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+ network_port(ups, tcp,3493,s0)
+ network_port(utcpserver) # no defined portcon
+ network_port(uucpd, tcp,540,s0)
++network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0)
+ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
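Review bot: `network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0)` takes 8082/8083 out of the generic unreserved range into a dedicated port type, so any existing domain that reached those ports only through a generic unreserved-port interface will start seeing denials after this update; the motion rule named in the changelog presumably uses the new type, but other users of 8082 are not visible from here. A comment naming the service behind the us_cli label, and why it shares 8082 with motion, would help the next reader since the name alone does not identify it — e.g. `# us_cli: <service> control port (also used by motion, tcp/8082)`. The UDP entries also deserve a check: if the service only listens on TCP, labelling the UDP ports widens what a domain granted us_cli access can reach.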
@@ -5759,7 +5792,7 @@ index b191055..dd4a176 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +348,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +349,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -5786,7 +5819,7 @@ index b191055..dd4a176 100644
########################################
#
-@@ -333,6 +397,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +398,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5795,7 +5828,7 @@ index b191055..dd4a176 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +411,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +412,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -5960,7 +5993,7 @@ index b31c054..5e37a40 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..fb27ae5 100644
+index 76f285e..d86836b 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7022,7 +7055,15 @@ index 76f285e..fb27ae5 100644
## <summary>
-## Read hardware state information.
+## Do not audit attempts to search sysfs.
-+## </summary>
+ ## </summary>
+-## <desc>
+-## <p>
+-## Allow the specified domain to read the contents of
+-## the sysfs filesystem. This filesystem contains
+-## information, parameters, and other settings on the
+-## hardware installed on the system.
+-## </p>
+-## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
@@ -7120,15 +7161,7 @@ index 76f285e..fb27ae5 100644
+########################################
+## <summary>
+## Relabel cpu online hardware state information.
- ## </summary>
--## <desc>
--## <p>
--## Allow the specified domain to read the contents of
--## the sysfs filesystem. This filesystem contains
--## information, parameters, and other settings on the
--## hardware installed on the system.
--## </p>
--## </desc>
++## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
@@ -7461,10 +7494,28 @@ index 76f285e..fb27ae5 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
-@@ -4762,6 +5532,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5532,44 @@ interface(`dev_rw_xserver_misc',`
########################################
## <summary>
++## Dontaudit attempts to Read and write X server miscellaneous devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_leaked_xserver_misc',`
++ gen_require(`
++ type xserver_misc_device_t;
++ ')
++
++ dontaudit $1 xserver_misc_device_t:chr_file { read write };
++')
++
++########################################
++## <summary>
+## Read and write X server miscellaneous devices.
+## </summary>
+## <param name="domain">
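Review bot: The `<summary>` of the new `dev_dontaudit_leaked_xserver_misc` interface reads `Dontaudit attempts to Read and write X server miscellaneous devices.`, which (apart from the stray capital) is indistinguishable from a generic dontaudit and does not say what makes the descriptor "leaked"; suggest `## Do not audit read and write attempts on X server miscellaneous devices whose descriptors were inherited (leaked) from another domain.`. Because a dontaudit rule only suppresses the AVC message while the access stays denied, the underlying descriptor leak remains; a second sentence in the interface doc noting that callers should fix the leak at its source where possible would keep this from being read as an allow. The body itself, `dontaudit $1 xserver_misc_device_t:chr_file { read write };`, is consistent with the sibling dev_rw_xserver_misc interface shown below it.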
@@ -7488,7 +7539,7 @@ index 76f285e..fb27ae5 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
-@@ -4851,3 +5641,946 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5659,946 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -8744,7 +8795,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..e0615d1 100644
+index cf04cb5..71f4c33 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8785,7 +8836,7 @@ index cf04cb5..e0615d1 100644
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +110,51 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
@@ -8816,9 +8867,10 @@ index cf04cb5..e0615d1 100644
# list the root directory
files_list_root(domain)
-+# allow all domains to search through default_t directory, since users sometimes
-+# place labels within these directories. (samba_share_t) for example.
-+files_search_default(domain)
++# allow all domains to search through base_file_type directory, since users
++# sometimes place labels within these directories. (samba_share_t) for example.
++files_search_base_file_types(domain)
++
+files_read_inherited_tmp_files(domain)
+files_append_inherited_tmp_files(domain)
+files_read_all_base_ro_files(domain)
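Review bot: `files_search_base_file_types(domain)` grants every domain `search` on every directory carrying the base_file_type attribute, replacing the narrower `files_search_default(domain)`; this is a baseline widening for all confined domains (search lets a domain traverse into and probe names under those directories even though it cannot list them), and the attribute's membership is not visible from this hunk. Two things are worth checking before the RHEL7 backport the changelog proposes: that default_t is itself a base_file_type (otherwise the replacement is not a superset and the samba_share_t use case in the comment regresses), and that no directory type the policy treats as a security file type is tagged base_file_type, since the grant is unconditional rather than behind a tunable. I would also make the comment state the scope: `# allow all domains to search through every base_file_type directory (default_t, ...), since users sometimes create labeled content (samba_share_t, for example) inside them`. The rule run this sits in continues outside the hunk.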
@@ -8827,6 +8879,9 @@ index cf04cb5..e0615d1 100644
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
++optional_policy(`
++ userdom_search_admin_dir(domain)
++')
+
+tunable_policy(`domain_kernel_load_modules',`
+ kernel_request_load_module(domain)
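Review bot: `userdom_search_admin_dir(domain)` by its name hands every domain `search` on the admin home directory, which looks broader than the /root/.yubico labeling fix in this commit needs; if the goal is to let login-time helpers reach per-user configuration under /root, the grant belongs on those specific domains rather than on the `domain` attribute. Wrapping the call in `optional_policy` fixes the build when the userdomain module is absent, but it does not narrow the grant. If the all-domains scope is intentional, a comment such as `# every domain may traverse the admin home dir (e.g. to reach /root/.yubico)` above the block would record why; the enclosing rule run continues past the end of the hunk.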
@@ -8834,7 +8889,7 @@ index cf04cb5..e0615d1 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +173,18 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -8853,7 +8908,7 @@ index cf04cb5..e0615d1 100644
')
optional_policy(`
-@@ -133,6 +191,9 @@ optional_policy(`
+@@ -133,6 +195,9 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -8863,7 +8918,7 @@ index cf04cb5..e0615d1 100644
')
########################################
-@@ -147,12 +208,18 @@ optional_policy(`
+@@ -147,12 +212,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -8883,7 +8938,7 @@ index cf04cb5..e0615d1 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +233,347 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +237,347 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9479,7 +9534,7 @@ index b876c48..bbd0e79 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..337a00e 100644
+index f962f76..ec9e64a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -9799,7 +9854,7 @@ index f962f76..337a00e 100644
## Read all files.
## </summary>
## <param name="domain">
-@@ -683,12 +906,107 @@ interface(`files_read_non_security_files',`
+@@ -683,12 +906,125 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -9879,6 +9934,24 @@ index f962f76..337a00e 100644
+
+########################################
+## <summary>
++## Search all base file dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_search_base_file_types',`
++ gen_require(`
++ attribute base_file_type;
++ ')
++
++ allow $1 base_file_type:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+## Relabel all base file types.
+## </summary>
+## <param name="domain">
@@ -9907,7 +9980,7 @@ index f962f76..337a00e 100644
## Read all directories on the filesystem, except
## the listed exceptions.
## </summary>
-@@ -953,6 +1271,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+@@ -953,6 +1289,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
########################################
## <summary>
@@ -9933,7 +10006,7 @@ index f962f76..337a00e 100644
## Get the attributes of all named sockets.
## </summary>
## <param name="domain">
-@@ -991,8 +1328,8 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,8 +1346,8 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
## <summary>
@@ -9944,7 +10017,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1000,43 +1337,81 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -1000,12 +1355,50 @@ interface(`files_dontaudit_getattr_all_sockets',`
## </summary>
## </param>
#
@@ -9957,87 +10030,48 @@ index f962f76..337a00e 100644
- dontaudit $1 non_security_file_type:sock_file getattr;
+ dontaudit $1 file_type:sock_file read;
- ')
-
- ########################################
- ## <summary>
--## Read all block nodes with file types.
-+## Do not audit attempts to read
-+## of all security file types.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_read_all_blk_files',`
-+interface(`files_dontaudit_read_all_non_security_files',`
- gen_require(`
-- attribute file_type;
-+ attribute non_security_file_type;
- ')
-
-- read_blk_files_pattern($1, file_type, file_type)
-+ dontaudit $1 non_security_file_type:file read_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Read all character nodes with file types.
-+## Do not audit attempts to get the attributes
-+## of non security named sockets.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_read_all_chr_files',`
-+interface(`files_dontaudit_getattr_non_security_sockets',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:sock_file getattr;
+')
+
+########################################
+## <summary>
-+## Read all block nodes with file types.
++## Do not audit attempts to read
++## of all security file types.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`files_read_all_blk_files',`
++interface(`files_dontaudit_read_all_non_security_files',`
+ gen_require(`
-+ attribute file_type;
++ attribute non_security_file_type;
+ ')
+
-+ read_blk_files_pattern($1, file_type, file_type)
++ dontaudit $1 non_security_file_type:file read_file_perms;
+')
+
+########################################
+## <summary>
-+## Read all character nodes with file types.
++## Do not audit attempts to get the attributes
++## of non security named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`files_read_all_chr_files',`
- gen_require(`
- attribute file_type;
- ')
-@@ -1073,10 +1448,8 @@ interface(`files_relabel_all_files',`
++interface(`files_dontaudit_getattr_non_security_sockets',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:sock_file getattr;
+ ')
+
+ ########################################
+@@ -1073,10 +1466,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -10050,7 +10084,7 @@ index f962f76..337a00e 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1555,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1573,6 @@ interface(`files_list_all',`
########################################
## <summary>
@@ -10075,7 +10109,7 @@ index f962f76..337a00e 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1443,9 +1798,6 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1816,6 @@ interface(`files_relabel_non_auth_files',`
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -10085,7 +10119,7 @@ index f962f76..337a00e 100644
')
#############################################
-@@ -1601,6 +1953,24 @@ interface(`files_setattr_all_mountpoints',`
+@@ -1601,6 +1971,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
## <summary>
@@ -10110,7 +10144,7 @@ index f962f76..337a00e 100644
## Do not audit attempts to set the attributes on all mount points.
## </summary>
## <param name="domain">
-@@ -1691,6 +2061,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1691,6 +2079,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
@@ -10135,7 +10169,7 @@ index f962f76..337a00e 100644
## Do not audit attempts to write to mount points.
## </summary>
## <param name="domain">
-@@ -1709,6 +2097,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1709,6 +2115,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
## <summary>
@@ -10178,7 +10212,7 @@ index f962f76..337a00e 100644
## List the contents of the root directory.
## </summary>
## <param name="domain">
-@@ -1725,6 +2149,23 @@ interface(`files_list_root',`
+@@ -1725,6 +2167,23 @@ interface(`files_list_root',`
allow $1 root_t:dir list_dir_perms;
allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
')
@@ -10202,7 +10236,7 @@ index f962f76..337a00e 100644
########################################
## <summary>
-@@ -1765,6 +2206,26 @@ interface(`files_dontaudit_rw_root_dir',`
+@@ -1765,6 +2224,26 @@ interface(`files_dontaudit_rw_root_dir',`
########################################
## <summary>
@@ -10229,7 +10263,7 @@ index f962f76..337a00e 100644
## Create an object in the root directory, with a private
## type using a type transition.
## </summary>
-@@ -1892,25 +2353,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1892,25 +2371,25 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
@@ -10261,7 +10295,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1923,7 +2384,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2402,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -10270,7 +10304,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -1946,6 +2407,24 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2425,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
@@ -10295,7 +10329,7 @@ index f962f76..337a00e 100644
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
-@@ -2181,6 +2660,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2678,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -10320,7 +10354,7 @@ index f962f76..337a00e 100644
######################################
## <summary>
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3142,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3160,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -10345,7 +10379,7 @@ index f962f76..337a00e 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2716,6 +3231,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3249,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10353,7 +10387,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -2724,7 +3240,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3258,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -10362,7 +10396,7 @@ index f962f76..337a00e 100644
## </summary>
## </param>
#
-@@ -2780,6 +3296,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3314,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@@ -10388,7 +10422,7 @@ index f962f76..337a00e 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
-@@ -2798,6 +3333,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3351,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -10413,7 +10447,7 @@ index f962f76..337a00e 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2963,24 +3516,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3534,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -10438,7 +10472,7 @@ index f962f76..337a00e 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -3021,9 +3556,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3574,7 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -10449,7 +10483,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3031,18 +3564,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3582,17 @@ interface(`files_read_etc_runtime_files',`
## </summary>
## </param>
#
@@ -10471,7 +10505,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3060,12 +3592,32 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,23 +3610,44 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
## <summary>
@@ -10484,9 +10518,11 @@ index f962f76..337a00e 100644
## <summary>
-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_rw_etc_runtime_files',`
+interface(`files_dontaudit_read_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
@@ -10503,10 +10539,14 @@ index f962f76..337a00e 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
- ## <rolecap/>
-@@ -3077,6 +3629,7 @@ interface(`files_rw_etc_runtime_files',`
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_rw_etc_runtime_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10514,7 +10554,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3098,6 +3651,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3669,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10522,7 +10562,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3142,10 +3696,48 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3714,48 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
@@ -10573,7 +10613,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3161,10 +3753,10 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3161,10 +3771,10 @@ interface(`files_getattr_isid_type_dirs',`
#
interface(`files_dontaudit_search_isid_type_dirs',`
gen_require(`
@@ -10586,7 +10626,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3180,10 +3772,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3180,10 +3790,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
#
interface(`files_list_isid_type_dirs',`
gen_require(`
@@ -10599,7 +10639,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3199,10 +3791,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3809,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -10612,7 +10652,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3218,10 +3810,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3828,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -10655,9 +10695,8 @@ index f962f76..337a00e 100644
+interface(`files_mounton_isid',`
+ gen_require(`
+ type unlabeled_t;
- ')
-
-- delete_dirs_pattern($1, file_t, file_t)
++ ')
++
+ allow $1 unlabeled_t:dir mounton;
+')
+
@@ -10675,13 +10714,14 @@ index f962f76..337a00e 100644
+interface(`files_relabelfrom_isid_type',`
+ gen_require(`
+ type unlabeled_t;
-+ ')
-+
+ ')
+
+- delete_dirs_pattern($1, file_t, file_t)
+ dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
')
########################################
-@@ -3237,10 +3885,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +3903,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -10694,7 +10734,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3256,10 +3904,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +3922,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -10726,7 +10766,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3275,10 +3942,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +3960,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -10739,7 +10779,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3294,10 +3961,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +3979,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -10752,7 +10792,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3313,10 +3980,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +3998,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -10765,7 +10805,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3332,10 +3999,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4017,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -10778,7 +10818,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3351,10 +4018,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4036,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -10791,7 +10831,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3370,10 +4037,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4055,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -10804,7 +10844,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3389,10 +4056,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4074,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -10817,7 +10857,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3408,10 +4075,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4093,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -10830,7 +10870,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3427,10 +4094,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4112,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -10843,7 +10883,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3446,10 +4113,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4131,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -10856,14 +10896,15 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3465,10 +4132,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4150,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
-+ ')
-+
+ ')
+
+- allow $1 file_t:blk_file rw_blk_file_perms;
+ allow $1 unlabeled_t:blk_file rw_blk_file_perms;
+')
+
@@ -10881,14 +10922,13 @@ index f962f76..337a00e 100644
+interface(`files_rw_inherited_isid_type_files',`
+ gen_require(`
+ type unlabeled_t;
- ')
-
-- allow $1 file_t:blk_file rw_blk_file_perms;
++ ')
++
+ allow $1 unlabeled_t:file rw_inherited_file_perms;
')
########################################
-@@ -3484,10 +4170,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4188,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -10901,7 +10941,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3503,10 +4189,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4207,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -10914,7 +10954,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -3814,20 +4500,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4518,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -10958,7 +10998,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -4217,6 +4921,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +4939,172 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -11131,7 +11171,7 @@ index f962f76..337a00e 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -4239,6 +5109,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5127,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@@ -11158,7 +11198,7 @@ index f962f76..337a00e 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4252,17 +5142,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5160,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -11197,7 +11237,7 @@ index f962f76..337a00e 100644
## </summary>
## </param>
#
-@@ -4289,6 +5199,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5217,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -11205,7 +11245,7 @@ index f962f76..337a00e 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5236,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5254,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -11213,7 +11253,7 @@ index f962f76..337a00e 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5246,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5264,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -11222,7 +11262,7 @@ index f962f76..337a00e 100644
## </summary>
## </param>
#
-@@ -4346,21 +5258,41 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,13 +5276,32 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -11235,13 +11275,11 @@ index f962f76..337a00e 100644
## <param name="domain">
-## <summary>
-## Domain allowed access.
--## </summary>
+## <summary>
+## Domain not to audit.
+## </summary>
- ## </param>
- #
--interface(`files_delete_tmp_dir_entry',`
++## </param>
++#
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
@@ -11258,11 +11296,10 @@ index f962f76..337a00e 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_delete_tmp_dir_entry',`
- gen_require(`
+ ## </summary>
+ ## </param>
+ #
+@@ -4361,6 +5310,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -11270,7 +11307,7 @@ index f962f76..337a00e 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5334,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5352,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -11303,7 +11340,7 @@ index f962f76..337a00e 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4456,6 +5414,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5432,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -11346,7 +11383,7 @@ index f962f76..337a00e 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4474,6 +5468,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5486,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
## <summary>
@@ -11407,7 +11444,7 @@ index f962f76..337a00e 100644
## List all tmp directories.
## </summary>
## <param name="domain">
-@@ -4519,7 +5567,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5585,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -11416,7 +11453,7 @@ index f962f76..337a00e 100644
## </summary>
## </param>
#
-@@ -4579,7 +5627,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5645,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -11425,7 +11462,7 @@ index f962f76..337a00e 100644
## </summary>
## </param>
#
-@@ -4611,6 +5659,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5677,44 @@ interface(`files_read_all_tmp_files',`
########################################
## <summary>
@@ -11470,7 +11507,7 @@ index f962f76..337a00e 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
## </summary>
-@@ -4664,6 +5750,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5768,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11487,7 +11524,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -5112,6 +6208,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6226,24 @@ interface(`files_create_kernel_symbol_table',`
########################################
## <summary>
@@ -11512,7 +11549,7 @@ index f962f76..337a00e 100644
## Read system.map in the /boot directory.
## </summary>
## <param name="domain">
-@@ -5241,6 +6355,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6373,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -11537,7 +11574,7 @@ index f962f76..337a00e 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5328,7 +6460,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6478,7 @@ interface(`files_dontaudit_rw_var_files',`
type var_t;
')
@@ -11546,7 +11583,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -5527,6 +6659,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6677,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
## <summary>
@@ -11572,7 +11609,7 @@ index f962f76..337a00e 100644
## Create objects in the /var/lib directory
## </summary>
## <param name="domain">
-@@ -5596,6 +6747,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6765,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11598,7 +11635,7 @@ index f962f76..337a00e 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6811,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6829,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -11607,7 +11644,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5649,12 +6819,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6837,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -11623,7 +11660,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -5672,6 +6843,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6861,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11631,7 +11668,7 @@ index f962f76..337a00e 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6870,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6888,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -11659,7 +11696,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5706,13 +6897,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6915,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -11676,7 +11713,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -5731,7 +6921,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6939,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11685,7 +11722,7 @@ index f962f76..337a00e 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +6954,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6972,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -11693,7 +11730,7 @@ index f962f76..337a00e 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +6968,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6986,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
## <summary>
@@ -11702,7 +11739,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5787,13 +6976,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6994,33 @@ interface(`files_relabel_all_lock_dirs',`
## </summary>
## </param>
#
@@ -11737,7 +11774,7 @@ index f962f76..337a00e 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +7018,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7036,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -11755,7 +11792,7 @@ index f962f76..337a00e 100644
')
########################################
-@@ -5834,9 +7042,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7060,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11766,7 +11803,7 @@ index f962f76..337a00e 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7084,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7102,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11776,7 +11813,7 @@ index f962f76..337a00e 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7106,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7124,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11786,7 +11823,7 @@ index f962f76..337a00e 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7143,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7161,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11796,7 +11833,7 @@ index f962f76..337a00e 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7182,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7200,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11805,7 +11842,7 @@ index f962f76..337a00e 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7202,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7220,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11854,7 +11891,7 @@ index f962f76..337a00e 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -6025,6 +7266,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7284,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -11880,7 +11917,7 @@ index f962f76..337a00e 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -6039,7 +7299,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7317,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -11889,7 +11926,7 @@ index f962f76..337a00e 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6058,7 +7318,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7336,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -11898,7 +11935,7 @@ index f962f76..337a00e 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7338,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7356,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11907,7 +11944,7 @@ index f962f76..337a00e 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7400,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7418,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11915,7 +11952,7 @@ index f962f76..337a00e 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7428,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7446,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
## <summary>
@@ -11940,7 +11977,7 @@ index f962f76..337a00e 100644
## Read and write generic process ID files.
## </summary>
## <param name="domain">
-@@ -6182,7 +7459,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7477,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -11949,7 +11986,7 @@ index f962f76..337a00e 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7526,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7544,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -12012,7 +12049,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6305,42 +7570,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7588,35 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
#
@@ -12062,7 +12099,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6348,18 +7606,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7624,18 @@ interface(`files_manage_all_pids',`
## </summary>
## </param>
#
@@ -12086,7 +12123,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6367,37 +7625,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7643,40 @@ interface(`files_mounton_all_poly_members',`
## </summary>
## </param>
#
@@ -12138,7 +12175,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6405,18 +7666,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7684,17 @@ interface(`files_dontaudit_search_spool',`
## </summary>
## </param>
#
@@ -12161,7 +12198,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6424,18 +7684,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7702,18 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
@@ -12185,7 +12222,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6443,19 +7703,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7721,18 @@ interface(`files_manage_generic_spool_dirs',`
## </summary>
## </param>
#
@@ -12210,7 +12247,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6463,55 +7722,43 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7740,43 @@ interface(`files_read_generic_spool',`
## </summary>
## </param>
#
@@ -12281,7 +12318,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6519,53 +7766,68 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +7784,68 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
@@ -12388,7 +12425,7 @@ index f962f76..337a00e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6573,10 +7835,784 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7853,784 @@ interface(`files_polyinstantiate_all',`
## </summary>
## </param>
#
@@ -12397,8 +12434,9 @@ index f962f76..337a00e 100644
gen_require(`
- attribute files_unconfined_type;
+ attribute spoolfile;
-+ ')
-+
+ ')
+
+- typeattribute $1 files_unconfined_type;
+ allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
@@ -12661,10 +12699,10 @@ index f962f76..337a00e 100644
+interface(`files_unconfined',`
+ gen_require(`
+ attribute files_unconfined_type;
- ')
-
- typeattribute $1 files_unconfined_type;
- ')
++ ')
++
++ typeattribute $1 files_unconfined_type;
++')
+
+########################################
+## <summary>
@@ -13174,7 +13212,7 @@ index f962f76..337a00e 100644
+ ')
+
+ allow $1 etc_t:service status;
-+')
+ ')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..32a40f8 100644
--- a/policy/modules/kernel/files.te
@@ -13378,7 +13416,7 @@ index 1a03abd..32a40f8 100644
allow files_unconfined_type file_type:file execmod;
')
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index d7c11a0..2fc3436 100644
+index d7c11a0..6b3331d 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -1,23 +1,26 @@
@@ -13404,8 +13442,8 @@ index d7c11a0..2fc3436 100644
+/usr/lib/udev/devices/hugepages/.* <<none>>
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
-+/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
-+/var/run/[^/]*/gvfs/.* <<none>>
++/var/run/user/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
++/var/run/user/[^/]*/gvfs/.* <<none>>
+
+# for systemd systems:
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
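Review bot: The new `/var/run/user/[^/]*/gvfs` pattern accepts any single path component as the per-user directory, while the commit message describes the path as `/var/run/user/<UID>/gvfs` and logind only creates numeric UID entries there; `/var/run/user/[0-9]+/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)` together with the matching `<<none>>` line would state that intent and avoid turning a stray non-UID entry into a labeled FUSE mount point. On Fedora /var/run is a symlink to /run, so matching the real /run/user path presumably depends on a /run equivalence entry elsewhere in the policy; that is not visible in this hunk, so confirm that restorecon on /run/user actually applies this entry.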
@@ -26124,14 +26162,14 @@ index c6fdab7..af71c62 100644
sudo_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 2479587..077c9bc 100644
+index 2479587..890e1e2 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,14 +1,28 @@
+HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
-+/root/\.yubico/(.*) gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
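Review bot: The corrected `/root/\.yubico(/.*)?` entry is a second copy of the `HOME_DIR/\.yubico(/.*)?` line above it with nothing in the file saying why, and the two `/root/\.google_authenticator` lines duplicate their HOME_DIR counterparts the same way; presumably /root is not covered by HOME_DIR expansion, but a reader of authlogin.fc cannot tell that from the file. A one-line comment above the /root entries, e.g. `# /root is not expanded from HOME_DIR, so root's 2FA files need explicit entries`, would make the duplication look deliberate rather than like a leftover. Note also that a /root/.yubico directory created under the old pattern keeps its previous label until a relabel runs, which the file-context fix alone cannot force.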
@@ -26219,7 +26257,7 @@ index 2479587..077c9bc 100644
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..0bd3a26 100644
+index 3efd5b6..b07f3fe 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -26805,7 +26843,7 @@ index 3efd5b6..0bd3a26 100644
')
########################################
-@@ -1805,3 +2029,262 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2029,280 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -27068,6 +27106,24 @@ index 3efd5b6..0bd3a26 100644
+
+ allow $1 login_pgm:process sigchld;
+')
++
++########################################
++## <summary>
++## Manage the keyrings of all login programs
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`auth_login_manage_key',`
++ gen_require(`
++ attribute login_pgm;
++ ')
++
++ allow $1 login_pgm:key manage_key_perms;
++')
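Review bot: The new auth_login_manage_key() interface grants `$1` the full `manage_key_perms` set on the keyrings of every domain carrying the `login_pgm` attribute, and its summary does not say why a non-login domain should need that much. In refpolicy `manage_key_perms` includes `setattr`, which lets the caller change a key's ownership and permission mask rather than just read, link or write it; if the sssd case named in the commit message only needs to store and look up credentials, a narrower set would limit what a compromised caller could do to other login programs' keyrings. At minimum add a `<desc>` under the summary, e.g. `## Allow the domain to create, link, read, search, setattr, view and write keys in keyrings owned by login programs. Intended for domains such as sssd that store credentials in keyrings created by the login program, which keep the login program's label.` If the keyring MCS/MLS constraints mentioned in the commit message cover the `key` class, callers at a different level or category set will still be denied despite this rule, and that caveat belongs in the description too.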
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791d..ff0708e 100644
--- a/policy/modules/system/authlogin.te
@@ -29680,7 +29736,7 @@ index 79a45f6..89b43aa 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..e5c555c 100644
+index 17eda24..43c0bc6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -29950,7 +30006,7 @@ index 17eda24..e5c555c 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +301,235 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +301,236 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -29986,6 +30042,7 @@ index 17eda24..e5c555c 100644
optional_policy(`
- auth_rw_login_records(init_t)
+ kdump_read_crash(init_t)
++ kdump_read_config(init_t)
')
optional_policy(`
@@ -30194,7 +30251,7 @@ index 17eda24..e5c555c 100644
')
optional_policy(`
-@@ -216,7 +537,31 @@ optional_policy(`
+@@ -216,7 +538,31 @@ optional_policy(`
')
optional_policy(`
@@ -30226,7 +30283,7 @@ index 17eda24..e5c555c 100644
')
########################################
-@@ -225,9 +570,9 @@ optional_policy(`
+@@ -225,9 +571,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -30238,7 +30295,7 @@ index 17eda24..e5c555c 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +604,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -30255,7 +30312,7 @@ index 17eda24..e5c555c 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +629,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -30298,7 +30355,7 @@ index 17eda24..e5c555c 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +666,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -30310,7 +30367,7 @@ index 17eda24..e5c555c 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +677,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +678,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -30321,7 +30378,7 @@ index 17eda24..e5c555c 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +688,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +689,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -30331,7 +30388,7 @@ index 17eda24..e5c555c 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +697,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +698,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -30339,7 +30396,7 @@ index 17eda24..e5c555c 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +705,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -30347,7 +30404,7 @@ index 17eda24..e5c555c 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +712,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +713,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -30365,7 +30422,7 @@ index 17eda24..e5c555c 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +730,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +731,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -30379,7 +30436,7 @@ index 17eda24..e5c555c 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +745,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +746,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -30393,7 +30450,7 @@ index 17eda24..e5c555c 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +758,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +759,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -30404,7 +30461,7 @@ index 17eda24..e5c555c 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +771,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +772,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -30412,7 +30469,7 @@ index 17eda24..e5c555c 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +790,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +791,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -30436,7 +30493,7 @@ index 17eda24..e5c555c 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +823,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +824,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -30444,7 +30501,7 @@ index 17eda24..e5c555c 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +857,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +858,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -30455,7 +30512,7 @@ index 17eda24..e5c555c 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +881,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +882,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -30464,7 +30521,7 @@ index 17eda24..e5c555c 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +896,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +897,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -30472,7 +30529,7 @@ index 17eda24..e5c555c 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +917,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +918,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -30480,7 +30537,7 @@ index 17eda24..e5c555c 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +927,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +928,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -30525,7 +30582,7 @@ index 17eda24..e5c555c 100644
')
optional_policy(`
-@@ -559,14 +972,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +973,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -30557,7 +30614,7 @@ index 17eda24..e5c555c 100644
')
')
-@@ -577,6 +1007,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1008,39 @@ ifdef(`distro_suse',`
')
')
@@ -30597,7 +30654,7 @@ index 17eda24..e5c555c 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1052,8 @@ optional_policy(`
+@@ -589,6 +1053,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -30606,7 +30663,7 @@ index 17eda24..e5c555c 100644
')
optional_policy(`
-@@ -610,6 +1075,7 @@ optional_policy(`
+@@ -610,6 +1076,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -30614,7 +30671,7 @@ index 17eda24..e5c555c 100644
')
optional_policy(`
-@@ -626,6 +1092,17 @@ optional_policy(`
+@@ -626,6 +1093,17 @@ optional_policy(`
')
optional_policy(`
@@ -30632,7 +30689,7 @@ index 17eda24..e5c555c 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1119,13 @@ optional_policy(`
+@@ -642,9 +1120,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -30646,7 +30703,7 @@ index 17eda24..e5c555c 100644
')
optional_policy(`
-@@ -657,15 +1138,11 @@ optional_policy(`
+@@ -657,15 +1139,11 @@ optional_policy(`
')
optional_policy(`
@@ -30664,7 +30721,7 @@ index 17eda24..e5c555c 100644
')
optional_policy(`
-@@ -686,6 +1163,15 @@ optional_policy(`
+@@ -686,6 +1164,15 @@ optional_policy(`
')
optional_policy(`
@@ -30680,7 +30737,7 @@ index 17eda24..e5c555c 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1212,7 @@ optional_policy(`
+@@ -726,6 +1213,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -30688,7 +30745,7 @@ index 17eda24..e5c555c 100644
')
optional_policy(`
-@@ -743,7 +1230,13 @@ optional_policy(`
+@@ -743,7 +1231,13 @@ optional_policy(`
')
optional_policy(`
@@ -30703,7 +30760,7 @@ index 17eda24..e5c555c 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1259,10 @@ optional_policy(`
+@@ -766,6 +1260,10 @@ optional_policy(`
')
optional_policy(`
@@ -30714,7 +30771,7 @@ index 17eda24..e5c555c 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1272,20 @@ optional_policy(`
+@@ -775,10 +1273,20 @@ optional_policy(`
')
optional_policy(`
@@ -30735,7 +30792,7 @@ index 17eda24..e5c555c 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1294,10 @@ optional_policy(`
+@@ -787,6 +1295,10 @@ optional_policy(`
')
optional_policy(`
@@ -30746,7 +30803,7 @@ index 17eda24..e5c555c 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1319,6 @@ optional_policy(`
+@@ -808,8 +1320,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -30755,7 +30812,7 @@ index 17eda24..e5c555c 100644
')
optional_policy(`
-@@ -818,6 +1327,10 @@ optional_policy(`
+@@ -818,6 +1328,10 @@ optional_policy(`
')
optional_policy(`
@@ -30766,7 +30823,7 @@ index 17eda24..e5c555c 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1340,12 @@ optional_policy(`
+@@ -827,10 +1341,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -30779,7 +30836,7 @@ index 17eda24..e5c555c 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1372,60 @@ optional_policy(`
+@@ -857,21 +1373,60 @@ optional_policy(`
')
optional_policy(`
@@ -30841,7 +30898,7 @@ index 17eda24..e5c555c 100644
')
optional_policy(`
-@@ -887,6 +1441,10 @@ optional_policy(`
+@@ -887,6 +1442,10 @@ optional_policy(`
')
optional_policy(`
@@ -30852,7 +30909,7 @@ index 17eda24..e5c555c 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1455,218 @@ optional_policy(`
+@@ -897,3 +1456,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index f21df75..8be0c99 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3575,7 +3575,7 @@ index 7caefc3..0d9db0a 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index f6eb485..51b128e 100644
+index f6eb485..61f36b6 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -3591,7 +3591,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="prefix">
## <summary>
-@@ -13,118 +13,125 @@
+@@ -13,118 +13,126 @@
#
template(`apache_content_template',`
gen_require(`
@@ -3708,7 +3708,6 @@ index f6eb485..51b128e 100644
+
+ can_exec($1_script_t, $1_script_exec_t)
+ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
-+
+ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
@@ -3725,6 +3724,8 @@ index f6eb485..51b128e 100644
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
++ allow $1_script_t httpd_t:unix_stream_socket { getattr read write };
++
+ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
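Review bot: The new `allow $1_script_t httpd_t:unix_stream_socket { getattr read write };` is the only rule in this stretch of `apache_content_template` without a comment, and because `$1` is a template parameter it lands in every script domain the template instantiates, third-party ones included. The commit message says these sockets are inherited from httpd_t, so recording that keeps a later fix from widening the rule to `connectto` or `rw_socket_perms`: `# scripts use unix stream sockets inherited from httpd_t; no connectto needed`. The template body starts and ends outside this hunk.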
@@ -3812,7 +3813,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="role">
## <summary>
-@@ -133,47 +140,61 @@ template(`apache_content_template',`
+@@ -133,47 +141,61 @@ template(`apache_content_template',`
## </param>
## <param name="domain">
## <summary>
@@ -3903,7 +3904,7 @@ index f6eb485..51b128e 100644
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
')
-@@ -184,7 +205,7 @@ interface(`apache_role',`
+@@ -184,7 +206,7 @@ interface(`apache_role',`
########################################
## <summary>
@@ -3912,7 +3913,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -204,7 +225,7 @@ interface(`apache_read_user_scripts',`
+@@ -204,7 +226,7 @@ interface(`apache_read_user_scripts',`
########################################
## <summary>
@@ -3921,7 +3922,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -224,7 +245,7 @@ interface(`apache_read_user_content',`
+@@ -224,7 +246,7 @@ interface(`apache_read_user_content',`
########################################
## <summary>
@@ -3930,7 +3931,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -241,27 +262,47 @@ interface(`apache_domtrans',`
+@@ -241,27 +263,47 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -3985,7 +3986,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -279,7 +320,7 @@ interface(`apache_signal',`
+@@ -279,7 +321,7 @@ interface(`apache_signal',`
########################################
## <summary>
@@ -3994,7 +3995,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -297,7 +338,7 @@ interface(`apache_signull',`
+@@ -297,7 +339,7 @@ interface(`apache_signull',`
########################################
## <summary>
@@ -4003,7 +4004,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -315,8 +356,7 @@ interface(`apache_sigchld',`
+@@ -315,8 +357,7 @@ interface(`apache_sigchld',`
########################################
## <summary>
@@ -4013,7 +4014,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -334,8 +374,8 @@ interface(`apache_use_fds',`
+@@ -334,8 +375,8 @@ interface(`apache_use_fds',`
########################################
## <summary>
@@ -4024,7 +4025,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -348,13 +388,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -348,13 +389,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
@@ -4041,7 +4042,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -372,8 +412,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
+@@ -372,8 +413,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
########################################
## <summary>
@@ -4052,7 +4053,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -391,8 +431,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
+@@ -391,8 +432,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
## <summary>
@@ -4062,7 +4063,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -417,7 +456,8 @@ interface(`apache_manage_all_content',`
+@@ -417,7 +457,8 @@ interface(`apache_manage_all_content',`
########################################
## <summary>
@@ -4072,7 +4073,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -435,7 +475,8 @@ interface(`apache_setattr_cache_dirs',`
+@@ -435,7 +476,8 @@ interface(`apache_setattr_cache_dirs',`
########################################
## <summary>
@@ -4082,7 +4083,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -453,7 +494,8 @@ interface(`apache_list_cache',`
+@@ -453,7 +495,8 @@ interface(`apache_list_cache',`
########################################
## <summary>
@@ -4092,7 +4093,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -471,7 +513,8 @@ interface(`apache_rw_cache_files',`
+@@ -471,7 +514,8 @@ interface(`apache_rw_cache_files',`
########################################
## <summary>
@@ -4102,7 +4103,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -489,7 +532,8 @@ interface(`apache_delete_cache_dirs',`
+@@ -489,7 +533,8 @@ interface(`apache_delete_cache_dirs',`
########################################
## <summary>
@@ -4112,7 +4113,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -507,49 +551,51 @@ interface(`apache_delete_cache_files',`
+@@ -507,49 +552,51 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
@@ -4175,7 +4176,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -570,8 +616,8 @@ interface(`apache_manage_config',`
+@@ -570,8 +617,8 @@ interface(`apache_manage_config',`
########################################
## <summary>
@@ -4186,7 +4187,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -608,16 +654,38 @@ interface(`apache_domtrans_helper',`
+@@ -608,16 +655,38 @@ interface(`apache_domtrans_helper',`
#
interface(`apache_run_helper',`
gen_require(`
@@ -4228,7 +4229,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -639,7 +707,8 @@ interface(`apache_read_log',`
+@@ -639,7 +708,8 @@ interface(`apache_read_log',`
########################################
## <summary>
@@ -4238,7 +4239,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -657,10 +726,29 @@ interface(`apache_append_log',`
+@@ -657,10 +727,29 @@ interface(`apache_append_log',`
append_files_pattern($1, httpd_log_t, httpd_log_t)
')
@@ -4270,7 +4271,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -678,8 +766,8 @@ interface(`apache_dontaudit_append_log',`
+@@ -678,8 +767,8 @@ interface(`apache_dontaudit_append_log',`
########################################
## <summary>
@@ -4281,7 +4282,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -687,20 +775,21 @@ interface(`apache_dontaudit_append_log',`
+@@ -687,20 +776,21 @@ interface(`apache_dontaudit_append_log',`
## </summary>
## </param>
#
@@ -4311,7 +4312,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -708,19 +797,21 @@ interface(`apache_manage_log',`
+@@ -708,19 +798,21 @@ interface(`apache_manage_log',`
## </summary>
## </param>
#
@@ -4337,7 +4338,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -738,7 +829,8 @@ interface(`apache_dontaudit_search_modules',`
+@@ -738,7 +830,8 @@ interface(`apache_dontaudit_search_modules',`
########################################
## <summary>
@@ -4347,7 +4348,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -746,17 +838,19 @@ interface(`apache_dontaudit_search_modules',`
+@@ -746,17 +839,19 @@ interface(`apache_dontaudit_search_modules',`
## </summary>
## </param>
#
@@ -4370,7 +4371,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -764,19 +858,19 @@ interface(`apache_list_modules',`
+@@ -764,19 +859,19 @@ interface(`apache_list_modules',`
## </summary>
## </param>
#
@@ -4394,7 +4395,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -784,19 +878,19 @@ interface(`apache_exec_modules',`
+@@ -784,19 +879,19 @@ interface(`apache_exec_modules',`
## </summary>
## </param>
#
@@ -4419,7 +4420,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -809,13 +903,50 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -809,13 +904,50 @@ interface(`apache_domtrans_rotatelogs',`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
@@ -4472,7 +4473,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -829,13 +960,14 @@ interface(`apache_list_sys_content',`
+@@ -829,13 +961,14 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -4489,7 +4490,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -844,6 +976,7 @@ interface(`apache_list_sys_content',`
+@@ -844,6 +977,7 @@ interface(`apache_list_sys_content',`
## </param>
## <rolecap/>
#
@@ -4497,7 +4498,7 @@ index f6eb485..51b128e 100644
interface(`apache_manage_sys_content',`
gen_require(`
type httpd_sys_content_t;
-@@ -855,32 +988,98 @@ interface(`apache_manage_sys_content',`
+@@ -855,32 +989,98 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -4604,7 +4605,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -888,10 +1087,17 @@ interface(`apache_manage_sys_rw_content',`
+@@ -888,10 +1088,17 @@ interface(`apache_manage_sys_rw_content',`
## </summary>
## </param>
#
@@ -4623,7 +4624,7 @@ index f6eb485..51b128e 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -901,9 +1107,8 @@ interface(`apache_domtrans_sys_script',`
+@@ -901,9 +1108,8 @@ interface(`apache_domtrans_sys_script',`
########################################
## <summary>
@@ -4635,7 +4636,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -941,7 +1146,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -941,7 +1147,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
## <summary>
## Execute all user scripts in the user
@@ -4644,7 +4645,7 @@ index f6eb485..51b128e 100644
## to the specified role.
## </summary>
## <param name="domain">
-@@ -954,6 +1159,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -954,6 +1160,7 @@ interface(`apache_domtrans_all_scripts',`
## Role allowed access.
## </summary>
## </param>
@@ -4652,7 +4653,7 @@ index f6eb485..51b128e 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -966,7 +1172,8 @@ interface(`apache_run_all_scripts',`
+@@ -966,7 +1173,8 @@ interface(`apache_run_all_scripts',`
########################################
## <summary>
@@ -4662,7 +4663,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -979,12 +1186,13 @@ interface(`apache_read_squirrelmail_data',`
+@@ -979,12 +1187,13 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -4678,7 +4679,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1002,7 +1210,7 @@ interface(`apache_append_squirrelmail_data',`
+@@ -1002,7 +1211,7 @@ interface(`apache_append_squirrelmail_data',`
########################################
## <summary>
@@ -4687,7 +4688,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1015,13 +1223,12 @@ interface(`apache_search_sys_content',`
+@@ -1015,13 +1224,12 @@ interface(`apache_search_sys_content',`
type httpd_sys_content_t;
')
@@ -4702,7 +4703,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1041,7 +1248,7 @@ interface(`apache_read_sys_content',`
+@@ -1041,7 +1249,7 @@ interface(`apache_read_sys_content',`
########################################
## <summary>
@@ -4711,7 +4712,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1059,8 +1266,7 @@ interface(`apache_search_sys_scripts',`
+@@ -1059,8 +1267,7 @@ interface(`apache_search_sys_scripts',`
########################################
## <summary>
@@ -4721,7 +4722,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1071,18 +1277,21 @@ interface(`apache_search_sys_scripts',`
+@@ -1071,18 +1278,21 @@ interface(`apache_search_sys_scripts',`
#
interface(`apache_manage_all_user_content',`
gen_require(`
@@ -4749,7 +4750,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1100,7 +1309,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1100,7 +1310,8 @@ interface(`apache_search_sys_script_state',`
########################################
## <summary>
@@ -4759,7 +4760,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1117,10 +1327,29 @@ interface(`apache_read_tmp_files',`
+@@ -1117,10 +1328,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -4791,7 +4792,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1133,7 +1362,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1133,7 +1363,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -4800,7 +4801,7 @@ index f6eb485..51b128e 100644
')
########################################
-@@ -1142,6 +1371,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1142,6 +1372,9 @@ interface(`apache_dontaudit_write_tmp_files',`
## </summary>
## <desc>
## <p>
@@ -4810,7 +4811,7 @@ index f6eb485..51b128e 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1171,8 +1403,30 @@ interface(`apache_cgi_domain',`
+@@ -1171,8 +1404,30 @@ interface(`apache_cgi_domain',`
########################################
## <summary>
@@ -4843,7 +4844,7 @@ index f6eb485..51b128e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1189,18 +1443,19 @@ interface(`apache_cgi_domain',`
+@@ -1189,18 +1444,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@@ -4872,7 +4873,7 @@ index f6eb485..51b128e 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1210,10 +1465,10 @@ interface(`apache_admin',`
+@@ -1210,10 +1466,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -4886,7 +4887,7 @@ index f6eb485..51b128e 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1479,141 @@ interface(`apache_admin',`
+@@ -1224,9 +1480,141 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -5033,7 +5034,7 @@ index f6eb485..51b128e 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 6649962..a25874f 100644
+index 6649962..da729da 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@@ -6352,7 +6353,7 @@ index 6649962..a25874f 100644
')
optional_policy(`
-@@ -842,20 +1031,39 @@ optional_policy(`
+@@ -842,20 +1031,40 @@ optional_policy(`
')
optional_policy(`
@@ -6363,6 +6364,7 @@ index 6649962..a25874f 100644
+
+optional_policy(`
+ passenger_exec(httpd_t)
++ passenger_kill(httpd_t)
+ passenger_manage_pid_content(httpd_t)
+')
+
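Review bot: `passenger_kill(httpd_t)` grants only `sigkill` (the interface is defined in the passenger.if hunk later in this diff), so if httpd_t also sends SIGTERM to passenger on a graceful stop that denial would still appear; confirm from the AVC that SIGKILL alone was requested, or define the interface as `allow $1 passenger_t:process { signal sigkill };`. A call-site comment naming the trigger would also help, e.g. `# httpd kills passenger helper processes on shutdown`, with the trigger itself still to be confirmed since the commit message only says "kill passenger". The enclosing optional_policy block is fully inside the hunk; the surrounding httpd_t section continues past it.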
@@ -6398,7 +6400,7 @@ index 6649962..a25874f 100644
')
optional_policy(`
-@@ -863,19 +1071,35 @@ optional_policy(`
+@@ -863,19 +1072,35 @@ optional_policy(`
')
optional_policy(`
@@ -6434,7 +6436,7 @@ index 6649962..a25874f 100644
udev_read_db(httpd_t)
')
-@@ -883,65 +1107,183 @@ optional_policy(`
+@@ -883,65 +1108,183 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6640,7 +6642,7 @@ index 6649962..a25874f 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1292,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1293,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6795,7 +6797,7 @@ index 6649962..a25874f 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1376,106 @@ optional_policy(`
+@@ -1083,172 +1377,106 @@ optional_policy(`
')
')
@@ -7032,7 +7034,7 @@ index 6649962..a25874f 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1483,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1484,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7129,7 +7131,7 @@ index 6649962..a25874f 100644
########################################
#
-@@ -1321,8 +1558,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1559,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7146,7 +7148,7 @@ index 6649962..a25874f 100644
')
########################################
-@@ -1330,49 +1574,38 @@ optional_policy(`
+@@ -1330,49 +1575,38 @@ optional_policy(`
# User content local policy
#
@@ -7211,7 +7213,7 @@ index 6649962..a25874f 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1615,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1616,101 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -24107,10 +24109,10 @@ index 0000000..1048292
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..4b54a05
+index 0000000..47c8698
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,268 @@
+@@ -0,0 +1,270 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -24211,6 +24213,7 @@ index 0000000..4b54a05
+manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
++allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
+files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
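Review bot: The new `allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };` carries no comment, and relabel permissions deserve one because they are what lets a domain move objects between types. Here source and destination are both docker_var_lib_t, so within this hunk the rule only lets docker re-apply its own label (moving an object to any other type would need a separate `relabelto` on that type); a comment such as `# docker relabels objects it creates under /var/lib/docker back to docker_var_lib_t` states that scope. The docker_t section continues outside this hunk.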
@@ -24249,6 +24252,7 @@ index 0000000..4b54a05
+
+fs_read_cgroup_files(docker_t)
+fs_read_tmpfs_symlinks(docker_t)
++fs_getattr_all_fs(docker_t)
+
+storage_raw_rw_fixed_disk(docker_t)
+
@@ -44602,10 +44606,10 @@ index 0000000..39f4a04
+')
diff --git a/motion.te b/motion.te
new file mode 100644
-index 0000000..b694afc
+index 0000000..c7f4eb5
--- /dev/null
+++ b/motion.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,65 @@
+policy_module(motion, 1.0.0)
+
+########################################
@@ -44634,7 +44638,7 @@ index 0000000..b694afc
+# motion local policy
+#
+allow motion_t self:udp_socket { create connect getattr };
-+allow motion_t self:tcp_socket { bind create setopt listen };
++allow motion_t self:tcp_socket create_stream_socket_perms;
+allow motion_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(motion_t, motion_log_t, motion_log_t)
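Review bot: Replacing `{ bind create setopt listen }` with `create_stream_socket_perms` on `motion_t self:tcp_socket` also grants accept, connect, read, write, shutdown and the getopt/getattr family; that is the conventional set for a listening daemon, and presumably `accept` was the missing permission, since the old set could listen but never accept a client. A one-line comment would record that: `# motion listens for webcontrol/stream clients on its tcp ports`. The motion_t section continues outside this hunk.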
@@ -44651,6 +44655,7 @@ index 0000000..b694afc
+
+corenet_tcp_bind_http_cache_port(motion_t)
+corenet_tcp_bind_transproxy_port(motion_t)
++corenet_tcp_bind_us_cli_port(motion_t)
+corenet_tcp_connect_http_port(motion_t)
+corenet_tcp_bind_generic_node(motion_t)
+
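Review bot: `corenet_tcp_bind_us_cli_port(motion_t)` is the third port type motion_t may bind, after http_cache and transproxy, and none of the three says which motion listener it serves, so a reader cannot tell whether the new one reflects a default or a site-specific configuration. The commit message only mentions tcp/8082; a comment such as `# webcontrol/stream listeners; us_cli is the port type covering tcp/8082 (confirm in corenetwork)` would tie the three calls together. The motion_t section continues outside this hunk.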
@@ -45576,7 +45581,7 @@ index 6194b80..cafb2b0 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..ad56dac 100644
+index 11ac8e4..7bb38c6 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@@ -46014,7 +46019,7 @@ index 11ac8e4..ad56dac 100644
')
optional_policy(`
-@@ -300,259 +324,247 @@ optional_policy(`
+@@ -300,259 +324,248 @@ optional_policy(`
########################################
#
@@ -46230,6 +46235,7 @@ index 11ac8e4..ad56dac 100644
-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
+dev_dontaudit_getattr_all(mozilla_plugin_t)
++dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t)
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -46409,7 +46415,7 @@ index 11ac8e4..ad56dac 100644
')
optional_policy(`
-@@ -560,7 +572,11 @@ optional_policy(`
+@@ -560,7 +573,11 @@ optional_policy(`
')
optional_policy(`
@@ -46422,7 +46428,7 @@ index 11ac8e4..ad56dac 100644
')
optional_policy(`
-@@ -568,108 +584,131 @@ optional_policy(`
+@@ -568,108 +585,131 @@ optional_policy(`
')
optional_policy(`
@@ -46980,15 +46986,17 @@ index 65a246a..fa86320 100644
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
-index f42896c..cb2791a 100644
+index f42896c..1e1a679 100644
--- a/mta.fc
+++ b/mta.fc
-@@ -2,33 +2,43 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+@@ -1,34 +1,45 @@
+-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
-HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
++HOME_DIR/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
@@ -47010,10 +47018,10 @@ index f42896c..cb2791a 100644
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+')
+
-+/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
++/root/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -47040,8 +47048,9 @@ index f42896c..cb2791a 100644
/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
++/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
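Review bot: `/var/spool/smtpd(/.*)?` is labeled mail_spool_t, the same type as the user mailbox spool `/var/spool/mail(/.*)?` on the line above, while the MTA queue directory `/var/spool/mqueue\.in(/.*)?` in this hunk uses mqueue_spool_t. If /var/spool/smtpd holds the daemon's queue rather than delivered mailboxes, mqueue_spool_t is the narrower choice, because mail_spool_t is also reachable by the domains that read user mailboxes; confirm which role the directory plays before keeping mail_spool_t. The mta.fc file ends with this hunk.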
diff --git a/mta.if b/mta.if
-index ed81cac..e968c28 100644
+index ed81cac..8f217ea 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
@@ -47981,7 +47990,7 @@ index ed81cac..e968c28 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1081,3 +1051,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1051,177 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -48108,6 +48117,7 @@ index ed81cac..e968c28 100644
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+')
+
+########################################
@@ -48132,6 +48142,7 @@ index ed81cac..e968c28 100644
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+')
+
+########################################
@@ -49770,7 +49781,7 @@ index 687af38..a77dc09 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 7584bbe..494cd37 100644
+index 7584bbe..ef51f2b 100644
--- a/mysql.te
+++ b/mysql.te
@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
@@ -49847,7 +49858,7 @@ index 7584bbe..494cd37 100644
manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-@@ -95,50 +92,56 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -95,50 +92,57 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
@@ -49906,6 +49917,7 @@ index 7584bbe..494cd37 100644
-miscfiles_read_localization(mysqld_t)
+sysnet_read_config(mysqld_t)
++sysnet_exec_ifconfig(mysqld_t)
-userdom_search_user_home_dirs(mysqld_t)
-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
@@ -49921,7 +49933,7 @@ index 7584bbe..494cd37 100644
')
optional_policy(`
-@@ -146,6 +149,10 @@ optional_policy(`
+@@ -146,6 +150,10 @@ optional_policy(`
')
optional_policy(`
@@ -49932,7 +49944,7 @@ index 7584bbe..494cd37 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -155,21 +162,18 @@ optional_policy(`
+@@ -155,21 +163,18 @@ optional_policy(`
#######################################
#
@@ -49959,7 +49971,7 @@ index 7584bbe..494cd37 100644
list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-@@ -177,9 +181,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +182,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -49970,7 +49982,7 @@ index 7584bbe..494cd37 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +189,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +190,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
@@ -50006,7 +50018,7 @@ index 7584bbe..494cd37 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -209,7 +219,7 @@ optional_policy(`
+@@ -209,7 +220,7 @@ optional_policy(`
########################################
#
@@ -50015,7 +50027,7 @@ index 7584bbe..494cd37 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +228,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +229,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -50033,7 +50045,7 @@ index 7584bbe..494cd37 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -230,31 +241,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +242,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -52987,10 +52999,10 @@ index 0000000..28936b4
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..bd2f08f
+index 0000000..f429163
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,318 @@
+@@ -0,0 +1,311 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -53261,18 +53273,15 @@ index 0000000..bd2f08f
+allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
+allow nova_scheduler_t self:udp_socket create_socket_perms;
+
-+#optional_policy(`
-+# unconfined_domain(nova_scheduler_t)
-+#')
++auth_read_passwd(nova_scheduler_t)
++
++init_read_utmp(nova_scheduler_t)
+
+#######################################
+#
+# nova vncproxy local policy
+#
+
-+#optional_policy(`
-+# unconfined_domain(nova_vncproxy_t)
-+#')
+
+#######################################
+#
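Review bot: Removing the commented-out `unconfined_domain(nova_vncproxy_t)` block leaves the `# nova vncproxy local policy` header followed only by two blank lines before the next section banner, so the section now declares nothing. Either drop the empty header or leave a one-line marker such as `# no additional rules needed yet` so the gap reads as deliberate, and collapse the double blank line. Dropping the commented-out unconfined_domain blocks themselves is the right call; the nova.te section continues outside this hunk.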
@@ -53291,10 +53300,6 @@ index 0000000..bd2f08f
+ lvm_domtrans(nova_volume_t)
+')
+
-+#optional_policy(`
-+# unconfined_domain(nova_volume_t)
-+#')
-+
+#######################################
+#
+# nova sudo domain local policy
@@ -60036,7 +60041,7 @@ index 2c389ea..9155bd0 100644
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/passenger.if b/passenger.if
-index bf59ef7..0ec51d4 100644
+index bf59ef7..2d8335f 100644
--- a/passenger.if
+++ b/passenger.if
@@ -15,17 +15,16 @@ interface(`passenger_domtrans',`
@@ -60092,7 +60097,7 @@ index bf59ef7..0ec51d4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -53,6 +69,93 @@ interface(`passenger_read_lib_files',`
+@@ -53,6 +69,112 @@ interface(`passenger_read_lib_files',`
type passenger_var_lib_t;
')
@@ -60121,7 +60126,7 @@ index bf59ef7..0ec51d4 100644
+ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
-+')
+ ')
+
+#####################################
+## <summary>
@@ -60186,7 +60191,26 @@ index bf59ef7..0ec51d4 100644
+ files_search_tmp($1)
+ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
- ')
++')
++
++########################################
++## <summary>
++## Send kill signals to passenger.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`passenger_kill',`
++ gen_require(`
++ type passenger_t;
++ ')
++
++ allow $1 passenger_t:process sigkill;
++')
++
diff --git a/passenger.te b/passenger.te
index 08ec33b..24ce7e8 100644
--- a/passenger.te
@@ -73437,10 +73461,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 8644d8b..e95fc34 100644
+index 8644d8b..96f804c 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -5,92 +5,129 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,131 @@ policy_module(quantum, 1.1.0)
# Declarations
#
@@ -73485,7 +73509,8 @@ index 8644d8b..e95fc34 100644
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
-+allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin };
++allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };
++
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit signal_perms };
+allow neutron_t self:fifo_file rw_fifo_file_perms;
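Review bot: The `dac_override` added to the neutron_t self:capability set on the `++allow neutron_t self:capability` line is the broadest of the new bits, because it bypasses every DAC permission check on files rather than one specific check. The usual first step in this policy is `dac_read_search`, which covers a root daemon reading into non-root 0700 directories, and only the need to write such a file justifies `dac_override`; the denial that motivated this would show which case applies. A comment filled in from that denial, e.g. `# dac_override/net_raw: needed by <agent> for <path or raw socket> (AVC)`, would keep this from having to be rediscovered, and would also document what `net_raw` is for since no rawip_socket or packet_socket rule is visible in this hunk. The stray `++` line also adds an empty line to the rule set, which is cosmetic noise.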
@@ -73521,6 +73546,7 @@ index 8644d8b..e95fc34 100644
-can_exec(quantum_t, quantum_tmp_t)
+kernel_rw_kernel_sysctl(neutron_t)
++kernel_rw_net_sysctls(neutron_t)
+kernel_read_system_state(neutron_t)
+kernel_read_network_state(neutron_t)
+kernel_request_load_module(neutron_t)
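Review bot: `kernel_rw_net_sysctls(neutron_t)` grants write access to the whole net sysctl tree, not only the forwarding and rp_filter knobs the L3 and DHCP agents presumably toggle; that is consistent with net_admin already being on this domain, but a comment naming the knobs would let a later reviewer tell a genuine need from policy creep. Something like `# l3-agent sets ip_forward/rp_filter via sysctl` above the call is enough, with the names taken from the denial that prompted the rule since it is not in this hunk.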
@@ -73581,45 +73607,45 @@ index 8644d8b..e95fc34 100644
+sysnet_exec_ifconfig(neutron_t)
+sysnet_manage_ifconfig_run(neutron_t)
+sysnet_filetrans_named_content_ifconfig(neutron_t)
++
++optional_policy(`
++ brctl_domtrans(neutron_t)
++')
optional_policy(`
- brctl_domtrans(quantum_t)
-+ brctl_domtrans(neutron_t)
++ dnsmasq_domtrans(neutron_t)
++ dnsmasq_signal(neutron_t)
++ dnsmasq_read_state(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
-+ dnsmasq_domtrans(neutron_t)
-+ dnsmasq_signal(neutron_t)
-+ dnsmasq_read_state(neutron_t)
++ iptables_domtrans(neutron_t)
+')
- mysql_tcp_connect(quantum_t)
+optional_policy(`
-+ iptables_domtrans(neutron_t)
- ')
-
- optional_policy(`
-- postgresql_stream_connect(quantum_t)
-- postgresql_unpriv_client(quantum_t)
+ mysql_stream_connect(neutron_t)
+ mysql_read_db_lnk_files(neutron_t)
+ mysql_read_config(neutron_t)
+ mysql_tcp_connect(neutron_t)
-+')
+ ')
-- postgresql_tcp_connect(quantum_t)
-+optional_policy(`
+ optional_policy(`
+- postgresql_stream_connect(quantum_t)
+- postgresql_unpriv_client(quantum_t)
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
+ postgresql_tcp_connect(neutron_t)
- ')
-+
++')
+
+- postgresql_tcp_connect(quantum_t)
+optional_policy(`
+ openvswitch_domtrans(neutron_t)
+ openvswitch_stream_connect(neutron_t)
-+')
+ ')
+
+optional_policy(`
+ sudo_exec(neutron_t)
@@ -93156,7 +93182,7 @@ index a240455..16a04bf 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..8edae62 100644
+index 2d8db1f..83033bf 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -93224,7 +93250,7 @@ index 2d8db1f..8edae62 100644
files_list_var_lib(sssd_t)
fs_list_inotifyfs(sssd_t)
-@@ -94,14 +88,15 @@ selinux_validate_context(sssd_t)
+@@ -94,17 +88,20 @@ selinux_validate_context(sssd_t)
seutil_read_file_contexts(sssd_t)
# sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
@@ -93242,7 +93268,12 @@ index 2d8db1f..8edae62 100644
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
auth_manage_cache(sssd_t)
-@@ -112,18 +107,34 @@ logging_send_syslog_msg(sssd_t)
++# Bogus allow because we don't handle keyring properly in code.
++auth_login_manage_key(sssd_t)
+
+ init_read_utmp(sssd_t)
+
+@@ -112,18 +109,34 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
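Review bot: The comment on the new `auth_login_manage_key(sssd_t)` rule calls the allow bogus but gives no pointer to what would make it go away, so it will quietly become permanent. This grants sssd_t manage permissions on the keyrings of every login-program domain, which is where Kerberos credential caches live when KEYRING ccaches are in use, so it merits more than the word "bogus". Suggest `# Workaround: login programs do not yet label keys with the user domain, so sssd_t needs manage on their keyrings; tracked in <bug>, drop once keys are labeled per user.` The keyring MCS/MLS constraints listed in the changelog presumably bound the cross-user reach of this, but that hunk is not in this view.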
@@ -93452,10 +93483,10 @@ index 0000000..80c6480
+')
diff --git a/stapserver.te b/stapserver.te
new file mode 100644
-index 0000000..2540ebd
+index 0000000..0522744
--- /dev/null
+++ b/stapserver.te
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,114 @@
+policy_module(systemtap, 1.1.0)
+
+########################################
@@ -93530,6 +93561,7 @@ index 0000000..2540ebd
+files_search_kernel_modules(stapserver_t)
+
+fs_search_cgroup_dirs(stapserver_t)
++fs_getattr_all_fs(stapserver_t)
+
+auth_use_nsswitch(stapserver_t)
+
@@ -93971,10 +94003,10 @@ index 0000000..df82c36
+')
diff --git a/swift.te b/swift.te
new file mode 100644
-index 0000000..3faae22
+index 0000000..159ae72
--- /dev/null
+++ b/swift.te
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,89 @@
+policy_module(swift, 1.0.0)
+
+########################################
@@ -94051,6 +94083,8 @@ index 0000000..3faae22
+
+files_dontaudit_search_home(swift_t)
+
++fs_getattr_all_fs(swift_t)
++
+auth_use_nsswitch(swift_t)
+
+libs_exec_ldconfig(swift_t)
@@ -101108,7 +101142,7 @@ index facdee8..88dcafb 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..25f4104 100644
+index f03dcf5..a26950d 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,212 @@
@@ -102572,7 +102606,7 @@ index f03dcf5..25f4104 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1133,297 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1133,299 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -102629,6 +102663,7 @@ index f03dcf5..25f4104 100644
+allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow svirt_sandbox_domain self:passwd rootok;
++allow svirt_sandbox_domain self:filesystem associate;
+
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
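Review bot: The new `allow svirt_sandbox_domain self:filesystem associate;` line carries no explanation, and a type associating with a filesystem labeled with the same domain type is unusual enough to read as a mistake to anyone who does not know the reason. If this is the task-labeled pseudo-filesystem case (pipefs and sockfs take the creating task's context, so pipes and sockets a sandbox creates must associate with a filesystem of its own type), say so: `# pipefs/sockfs are labeled with the creating task's type; pipes/sockets created in the sandbox must associate with it`. If domain.te already grants this to every domain the rule is redundant and should be dropped instead; that file is not in this view.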
@@ -102799,6 +102834,7 @@ index f03dcf5..25f4104 100644
+ docker_manage_lib_files(svirt_lxc_net_t)
+ docker_manage_lib_dirs(svirt_lxc_net_t)
+ docker_read_share_files(svirt_sandbox_domain)
++ docker_exec_lib(svirt_sandbox_domain)
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+ docker_use_ptys(svirt_sandbox_domain)
+')
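Review bot: `docker_exec_lib(svirt_sandbox_domain)` on the last added line lets every sandbox domain execute files labeled docker_var_lib_t, while the lines just above already give svirt_lxc_net_t manage on that same type, so a container ends up with write-plus-execute on host storage that, if it also holds other containers' image layers, is shared between them and separated only by MCS categories the files may not carry. Container payload is normally expected under svirt_sandbox_file_t, so a comment stating why image content still carries docker_var_lib_t here would help, e.g. `# docker runs images straight from /var/lib/docker, whose files keep docker_var_lib_t`. If the exec is only needed by docker-launched containers, narrowing the call to svirt_lxc_net_t would match the manage rules above it.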
@@ -102829,8 +102865,8 @@ index f03dcf5..25f4104 100644
+')
+
+tunable_policy(`virt_use_samba',`
-+ fs_manage_nfs_files(svirt_sandbox_domain)
+ fs_manage_cifs_files(svirt_sandbox_domain)
++ fs_manage_cifs_dirs(svirt_sandbox_domain)
+ fs_read_cifs_symlinks(svirt_sandbox_domain)
')
@@ -103007,7 +103043,7 @@ index f03dcf5..25f4104 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1436,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1438,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -103022,7 +103058,7 @@ index f03dcf5..25f4104 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1454,8 @@ optional_policy(`
+@@ -1192,9 +1456,8 @@ optional_policy(`
########################################
#
@@ -103033,7 +103069,7 @@ index f03dcf5..25f4104 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1468,218 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1470,218 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 150d041..69704c9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 48%{?dist}
+Release: 49%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -588,6 +588,32 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon May 5 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-49
+- Fix labeling for /root/\.yubico
+- userdom_search_admin_dir() calling needs to be optional in kernel.te
+- Dontaudit leaked xserver_misc_device_t into plugins
+- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy
+- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
+- Bootloader wants to look at init state
+- Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm
+- init reads kdbump etc files
+- Add support for tcp/9697
+- Fix labeling for /var/run/user/<UID>/gvfs
+- Add support for us_cli ports
+- fix sysnet_use_ldap
+- Allow mysql to execute ifconfig if Red Hat OpenStack
+- ALlow stap-server to get attr on all fs
+- Fix mail_pool_t to mail_spool_t
+- Dontaudit leaked xserver_misc_device_t into plugins
+- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
+- Add new labeling for /var/spool/smtpd
+- Allow httpd_t to kill passenger
+- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets
+- Allow nova-scheduler to read passwd/utmp files
+- Additional rules required by openstack, needs backport to F20 and RHEL7
+- Additional access required by docker
+- ALlow motion to use tcp/8082 port
+
* Fri Apr 25 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-48
- Fix virt_use_samba boolean
- Looks like all domains that use dbus libraries are now reading /dev/urand