[selinux-policy/f20] * Mon Jun 09 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-167 - Allow keystone to connect to additi

Lukas Vrabec lvrabec at fedoraproject.org
Mon Jun 9 14:14:33 UTC 2014


commit 0fdab306d68f60db10775949d01a024ce1da608c
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Mon Jun 9 16:13:54 2014 +0200

    * Mon Jun 09 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-167
    - Allow keystone to connect to additional ports to make OpenStack
    working
    - Allow thumb_t to connect to the xserver port when you are running it
    via an ssh tunnel
    - Allow certmonger to manage all certs
    - rhsmcertd seems to need these accesses.
    - Add cups_execmem boolean
    - Allow cups to execute its rw_etc_t files, for Brother printers
    - Need these privs in order to watch video
    - Allow locate to list directories without labels
    - Allow staff_t to communicate and run docker
    - Add fixes to make munin and munin-cgi working. Allow munin-cgi to
    create files/dirs in /tmp, list munin conf dir
    - Allow bitlbee to use tcp/7778 port
    - Allow /etc/cron.daily/logrotate to execute fail2ban-client.
    - Allow keepalived to connect to SNMP port. Support to do SNMP stuff
    - Allow also fowner cap for varnishd
    - Allow keepalived to execute bin_t/shell_exec_t
    - Fix bitlbee policy
    - Fix rabbitmq.te
    - Fix labels on rabbitmq_var_run_t on file/dir creation
    - Allow neutron to create sock files
    - Allow postfix domains to getattr on all file systems
    - Add fixes for squid which is configured to run with more than one
    worker.
    - Allow certmonger to manage all certs
    - Fix *_ecryptfs_home_dirs booleans
    - Fix typos in userdomain.if and libraries.te
    - Allow ldconfig_t to read/write inherited user tmp pipes
    - Use proper calling in ssh.te for userdom_home_manager attribute
    - Fix decl for cockpit port

 policy-f20-base.patch    |  409 ++++++++++++++++++++++++++++++----------------
 policy-f20-contrib.patch |  335 ++++++++++++++++++++++++-------------
 selinux-policy.spec      |   31 ++++-
 3 files changed, 511 insertions(+), 264 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 9a9a2d9..5d6dbed 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -3362,10 +3362,10 @@ index 1dc7a85..c6f4da0 100644
 +	corecmd_shell_domtrans($1_seunshare_t, $1_t)
  ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..b516b43 100644
+index 7590165..85186a9 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,62 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
  # Declarations
  #
  
@@ -3425,17 +3425,20 @@ index 7590165..b516b43 100644
 -	fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
 +	fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
 + 	fs_dontaudit_list_inotifyfs(seunshare_domain)
-+
-+	optional_policy(`
-+		gnome_dontaudit_rw_inherited_config(seunshare_domain)
-+	')
  
  	optional_policy(`
 -		mozilla_dontaudit_manage_user_home_files(seunshare_t)
++		gnome_dontaudit_rw_inherited_config(seunshare_domain)
+ 	')
++
++	optional_policy(`
 +		mozilla_dontaudit_manage_user_home_files(seunshare_domain)
 +		mozilla_plugin_dontaudit_leaks(seunshare_domain)
- 	')
- ')
++	')
++')
++optional_policy(`
++	rsync_exec(seunshare_domain)
++')
 +
 +tunable_policy(`use_nfs_home_dirs',`
 +	fs_mounton_nfs(seunshare_domain)
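Review bot: `rsync_exec(seunshare_domain)` is added at the top level of seunshare.te with no comment and no corresponding entry in the changelog above, so the reason seunshare now executes rsync inside its own domain (no transition, so rsync inherits every seunshare_domain permission) is undocumented; presumably it is used to populate the sandbox home/tmp trees, in which case record that: `# seunshare runs rsync in-domain to populate the sandbox (confirm trigger)`. The new `optional_policy(`` also directly follows the closing `')` of the preceding block without the blank line the rest of this file uses between blocks. The block that the preceding `')` closes opens outside the hunk.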
@@ -3447,7 +3450,7 @@ index 7590165..b516b43 100644
 +
 +tunable_policy(`use_fusefs_home_dirs',`
 +	fs_mounton_fusefs(seunshare_domain)
-+')
+ ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
 index 644d4d7..ad789c2 100644
 --- a/policy/modules/kernel/corecommands.fc
@@ -5634,7 +5637,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..77dedae 100644
+index 4edc40d..421e8b1 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5708,7 +5711,7 @@ index 4edc40d..77dedae 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -84,54 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,54 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
  network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5727,6 +5730,7 @@ index 4edc40d..77dedae 100644
  network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
  network_port(biff) # no defined portcon
  network_port(certmaster, tcp,51235,s0)
++network_port(cockpit, udp,1001,s0)
 +network_port(collectd, udp,25826,s0)
  network_port(chronyd, udp,323,s0)
  network_port(clamd, tcp,3310,s0)
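Review bot: The new `network_port(cockpit, udp,1001,s0)` declaration has no comment, and the changelog entry it belongs to ("Fix decl for cockip port") does not say what was wrong with the previous declaration; Cockpit's web service is conventionally reached over TCP (9090 by default), so it is worth confirming udp/1001 is the intended protocol/number and not a transposition, because a portcon on the wrong tuple leaves the real listener under the generic unreserved port label and the label is never enforced. If udp/1001 is deliberate, a trailing comment such as `# cockpit: udp/1001, see <bug/ticket id>` would keep the next reader from "fixing" it again.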
@@ -5785,7 +5789,7 @@ index 4edc40d..77dedae 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +176,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5852,7 +5856,7 @@ index 4edc40d..77dedae 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +229,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +230,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5893,7 +5897,7 @@ index 4edc40d..77dedae 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -214,64 +268,73 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,64 +269,73 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5978,7 +5982,7 @@ index 4edc40d..77dedae 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -285,19 +348,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -285,19 +349,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -6005,7 +6009,7 @@ index 4edc40d..77dedae 100644
  
  ########################################
  #
-@@ -330,6 +397,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +398,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6014,7 +6018,7 @@ index 4edc40d..77dedae 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +411,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +412,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -20460,7 +20464,7 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..5247b99 100644
+index 5da7870..147eab1 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,71 @@ policy_module(staff, 2.3.1)
@@ -20535,7 +20539,7 @@ index 5da7870..5247b99 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +82,114 @@ optional_policy(`
+@@ -23,11 +82,119 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20564,6 +20568,11 @@ index 5da7870..5247b99 100644
  
  optional_policy(`
 -	git_role(staff_r, staff_t)
++	docker_stream_connect(staff_t)
++	docker_exec(staff_t)
++')
++
++optional_policy(`
 +	dnsmasq_read_pid_files(staff_t)
 +')
 +
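Review bot: `docker_stream_connect(staff_t)` and `docker_exec(staff_t)` give the staff role unconditional access to the Docker daemon socket; anyone who can talk to that socket can start a container with host paths bind-mounted, so this lets staff_t escape its own confinement and the policy should say so rather than present it as a routine optional_policy block. Consider gating both calls behind a boolean, as this patch does for other opt-in access with `tunable_policy` in the seunshare.te hunk above, or at minimum add `# staff users may drive the docker daemon; socket access is root-equivalent on the host` above the block. The surrounding optional_policy blocks for staff_t continue outside the hunk.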
@@ -20651,7 +20660,7 @@ index 5da7870..5247b99 100644
  ')
  
  optional_policy(`
-@@ -35,15 +197,31 @@ optional_policy(`
+@@ -35,15 +202,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20685,7 +20694,7 @@ index 5da7870..5247b99 100644
  ')
  
  optional_policy(`
-@@ -52,11 +230,61 @@ optional_policy(`
+@@ -52,11 +235,61 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20747,7 +20756,7 @@ index 5da7870..5247b99 100644
  ')
  
  ifndef(`distro_redhat',`
-@@ -65,10 +293,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +298,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -20758,7 +20767,7 @@ index 5da7870..5247b99 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -78,10 +302,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +307,6 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		dbus_role_template(staff, staff_r, staff_t)
@@ -20769,7 +20778,7 @@ index 5da7870..5247b99 100644
  	')
  
  	optional_policy(`
-@@ -101,10 +321,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +326,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -20780,7 +20789,7 @@ index 5da7870..5247b99 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +341,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +346,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -20791,7 +20800,7 @@ index 5da7870..5247b99 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +353,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +358,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -20802,7 +20811,7 @@ index 5da7870..5247b99 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +384,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +389,22 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -24003,7 +24012,7 @@ index fe0c682..e8dcfa7 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..5a9d307 100644
+index 5fc0391..9f1c453 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,65 @@ policy_module(ssh, 2.3.3)
@@ -24489,9 +24498,11 @@ index 5fc0391..5a9d307 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +501,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -322,7 +500,14 @@ auth_use_nsswitch(ssh_keygen_t)
+ 
  logging_send_syslog_msg(ssh_keygen_t)
  
++userdom_home_manager(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 +userdom_use_user_terminals(ssh_keygen_t)
 +
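Review bot: `userdom_home_manager(ssh_keygen_t)` attaches the home-manager attribute to ssh_keygen_t without a comment saying which home content ssh-keygen needs to manage; the changelog only says the call form was corrected. A one-line comment such as `# ssh-keygen writes new key pairs under the invoking user's ~/.ssh (confirm trigger)` would record the intent for the next reader. The later hunk for the same file (`@@ -24643,6 +24654,7 @@`) only adds a trailing blank line at the end of ssh.te, which is noise worth dropping from the patch.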
@@ -24502,7 +24513,7 @@ index 5fc0391..5a9d307 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +515,140 @@ optional_policy(`
+@@ -331,3 +516,141 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -24643,6 +24654,7 @@ index 5fc0391..5a9d307 100644
 +	xserver_use_xdm_fds(ssh_agent_type)
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
++
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
 index d1f64a0..7acda6c 100644
 --- a/policy/modules/services/xserver.fc
@@ -31605,7 +31617,7 @@ index 24e7804..2863546 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..98967f5 100644
+index dd3be8d..04c271c 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -31767,7 +31779,7 @@ index dd3be8d..98967f5 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +201,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +201,22 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -31777,6 +31789,10 @@ index dd3be8d..98967f5 100644
  corecmd_exec_bin(init_t)
  
 -dev_read_sysfs(init_t)
++corenet_all_recvfrom_netlabel(init_t)
++corenet_tcp_bind_all_ports(init_t)
++corenet_udp_bind_all_ports(init_t)
++
 +dev_rw_sysfs(init_t)
 +dev_read_urand(init_t)
 +dev_read_raw_memory(init_t)
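Review bot: `corenet_tcp_bind_all_ports(init_t)` and `corenet_udp_bind_all_ports(init_t)` let init_t bind any TCP/UDP port, including reserved and otherwise-labelled service ports, and neither the hunk nor the changelog explains the need; presumably this serves systemd socket units that bind listeners on behalf of services, in which case say so: `# systemd socket activation binds listener ports on behalf of services`. `corenet_all_recvfrom_netlabel(init_t)` arrives in the same group with the same lack of rationale. If the set of socket-activated ports is known, the per-port `corenet_tcp_bind_*_port` interfaces would avoid letting init_t squat on any service's port.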
@@ -31787,7 +31803,7 @@ index dd3be8d..98967f5 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,14 +220,22 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +224,22 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
@@ -31810,7 +31826,7 @@ index dd3be8d..98967f5 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +245,53 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +249,53 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -31854,11 +31870,11 @@ index dd3be8d..98967f5 100644
  
  seutil_read_config(init_t)
 +seutil_read_module_store(init_t)
- 
--miscfiles_read_localization(init_t)
++
 +miscfiles_manage_localization(init_t)
 +miscfiles_filetrans_named_content(init_t)
-+
+ 
+-miscfiles_read_localization(init_t)
 +userdom_use_user_ttys(init_t)
 +userdom_manage_tmp_dirs(init_t)
 +userdom_manage_tmp_sockets(init_t)
@@ -31867,7 +31883,7 @@ index dd3be8d..98967f5 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +300,232 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +304,232 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -31898,15 +31914,14 @@ index dd3be8d..98967f5 100644
 +
 +optional_policy(`
 +	chronyd_read_keys(init_t)
- ')
- 
- optional_policy(`
--	auth_rw_login_records(init_t)
++')
++
++optional_policy(`
 +	kdump_read_crash(init_t)
 +	kdump_read_config(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	gnome_filetrans_home_content(init_t)
 +	gnome_manage_data(init_t)
 +')
@@ -32074,13 +32089,14 @@ index dd3be8d..98967f5 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
@@ -32088,18 +32104,18 @@ index dd3be8d..98967f5 100644
 +	optional_policy(`
 +		devicekit_dbus_chat_power(init_t)
 +	')
- ')
- 
- optional_policy(`
--	nscd_use(init_t)
++')
++
++optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_use(init_t)
 +		networkmanager_stream_connect(init_t)
 +')
 +
@@ -32109,7 +32125,7 @@ index dd3be8d..98967f5 100644
  ')
  
  optional_policy(`
-@@ -216,7 +533,30 @@ optional_policy(`
+@@ -216,7 +537,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32140,7 +32156,7 @@ index dd3be8d..98967f5 100644
  ')
  
  ########################################
-@@ -225,8 +565,9 @@ optional_policy(`
+@@ -225,8 +569,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -32152,7 +32168,7 @@ index dd3be8d..98967f5 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +598,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +602,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -32169,7 +32185,7 @@ index dd3be8d..98967f5 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +623,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +627,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -32212,7 +32228,7 @@ index dd3be8d..98967f5 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +660,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +664,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -32224,7 +32240,7 @@ index dd3be8d..98967f5 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +672,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +676,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -32235,7 +32251,7 @@ index dd3be8d..98967f5 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +683,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +687,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -32245,7 +32261,7 @@ index dd3be8d..98967f5 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +692,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +696,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -32253,7 +32269,7 @@ index dd3be8d..98967f5 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +699,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +703,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -32261,7 +32277,7 @@ index dd3be8d..98967f5 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +707,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +711,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -32279,7 +32295,7 @@ index dd3be8d..98967f5 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +725,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +729,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -32293,7 +32309,7 @@ index dd3be8d..98967f5 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +740,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +744,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -32307,7 +32323,7 @@ index dd3be8d..98967f5 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +753,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +757,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -32315,7 +32331,7 @@ index dd3be8d..98967f5 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +765,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +769,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -32323,7 +32339,7 @@ index dd3be8d..98967f5 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +784,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +788,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -32347,7 +32363,7 @@ index dd3be8d..98967f5 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +817,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +821,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -32355,7 +32371,7 @@ index dd3be8d..98967f5 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +851,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +855,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -32366,7 +32382,7 @@ index dd3be8d..98967f5 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +875,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +879,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -32375,7 +32391,7 @@ index dd3be8d..98967f5 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +890,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +894,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -32383,7 +32399,7 @@ index dd3be8d..98967f5 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +911,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +915,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -32391,7 +32407,7 @@ index dd3be8d..98967f5 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +921,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +925,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -32436,7 +32452,7 @@ index dd3be8d..98967f5 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +966,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +970,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -32468,7 +32484,7 @@ index dd3be8d..98967f5 100644
  	')
  ')
  
-@@ -576,6 +1001,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +1005,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -32508,7 +32524,7 @@ index dd3be8d..98967f5 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1046,8 @@ optional_policy(`
+@@ -588,6 +1050,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -32517,7 +32533,7 @@ index dd3be8d..98967f5 100644
  ')
  
  optional_policy(`
-@@ -609,6 +1069,7 @@ optional_policy(`
+@@ -609,6 +1073,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -32525,7 +32541,7 @@ index dd3be8d..98967f5 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1086,17 @@ optional_policy(`
+@@ -625,6 +1090,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32543,7 +32559,7 @@ index dd3be8d..98967f5 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1113,13 @@ optional_policy(`
+@@ -641,9 +1117,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -32557,7 +32573,7 @@ index dd3be8d..98967f5 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1132,11 @@ optional_policy(`
+@@ -656,15 +1136,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32575,7 +32591,7 @@ index dd3be8d..98967f5 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1157,15 @@ optional_policy(`
+@@ -685,6 +1161,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32591,7 +32607,7 @@ index dd3be8d..98967f5 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1206,7 @@ optional_policy(`
+@@ -725,6 +1210,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -32599,7 +32615,7 @@ index dd3be8d..98967f5 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1224,13 @@ optional_policy(`
+@@ -742,7 +1228,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32614,7 +32630,7 @@ index dd3be8d..98967f5 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1253,10 @@ optional_policy(`
+@@ -765,6 +1257,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32625,7 +32641,7 @@ index dd3be8d..98967f5 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1266,20 @@ optional_policy(`
+@@ -774,10 +1270,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32646,7 +32662,7 @@ index dd3be8d..98967f5 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1288,10 @@ optional_policy(`
+@@ -786,6 +1292,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32657,7 +32673,7 @@ index dd3be8d..98967f5 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1313,6 @@ optional_policy(`
+@@ -807,8 +1317,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -32666,7 +32682,7 @@ index dd3be8d..98967f5 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1321,10 @@ optional_policy(`
+@@ -817,6 +1325,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32677,7 +32693,7 @@ index dd3be8d..98967f5 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1334,12 @@ optional_policy(`
+@@ -826,10 +1338,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -32690,7 +32706,7 @@ index dd3be8d..98967f5 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1366,35 @@ optional_policy(`
+@@ -856,12 +1370,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32727,7 +32743,7 @@ index dd3be8d..98967f5 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1404,18 @@ optional_policy(`
+@@ -871,6 +1408,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -32746,7 +32762,7 @@ index dd3be8d..98967f5 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1431,10 @@ optional_policy(`
+@@ -886,6 +1435,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32757,7 +32773,7 @@ index dd3be8d..98967f5 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1445,218 @@ optional_policy(`
+@@ -896,3 +1449,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -34246,7 +34262,7 @@ index 808ba93..57a68da 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 23a645e..52a8540 100644
+index 23a645e..5a985c8 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@@ -34310,7 +34326,7 @@ index 23a645e..52a8540 100644
  userdom_use_all_users_fds(ldconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -103,6 +109,12 @@ ifdef(`distro_ubuntu',`
+@@ -103,6 +109,13 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -34319,11 +34335,12 @@ index 23a645e..52a8540 100644
 +userdom_manage_user_home_content_files(ldconfig_t)
 +userdom_manage_user_tmp_files(ldconfig_t)
 +userdom_manage_user_tmp_symlinks(ldconfig_t)
++userdom_rw_inherited_user_tmp_pipes(ldconfig_t)
 +
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -114,6 +126,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -114,6 +127,11 @@ ifdef(`hide_broken_symptoms',`
  		')
  	')
  
@@ -34335,7 +34352,7 @@ index 23a645e..52a8540 100644
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
  	')
-@@ -131,6 +148,14 @@ optional_policy(`
+@@ -131,6 +149,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34350,7 +34367,7 @@ index 23a645e..52a8540 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +166,3 @@ optional_policy(`
+@@ -141,6 +167,3 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
@@ -36287,10 +36304,38 @@ index 9fe8e01..83acb32 100644
  /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
  ')
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..416ac0f 100644
+index fc28bc3..faa2281 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
-@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
+@@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
+ 
+ ########################################
+ ## <summary>
++##	Read all SSL certificates.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`miscfiles_manage_all_certs',`
++	gen_require(`
++		attribute cert_type;
++	')
++
++	allow $1 cert_type:dir list_dir_perms;
++	manage_files_pattern($1, cert_type, cert_type)
++	manage_lnk_files_pattern($1, cert_type, cert_type)
++')
++
++########################################
++## <summary>
+ ##	Read generic SSL certificates.
+ ## </summary>
+ ## <param name="domain">
+@@ -106,6 +127,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
  
  ########################################
  ## <summary>
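Review bot: The new `miscfiles_manage_all_certs` interface is documented as `##	Read all SSL certificates.`, copied from the read interface above it, but its body grants `manage_files_pattern` and `manage_lnk_files_pattern` on everything carrying `cert_type`, so the summary should be `##	Manage all SSL certificates.`. Directory access is only `list_dir_perms`, so callers can create and delete files inside existing certificate directories but not create directories; state in the summary whether that asymmetry is intended so callers such as certmonger get what they need rather than guessing. Since this hands write access to the whole trust store to any caller, the summary should also name that scope explicitly.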
@@ -36315,7 +36360,7 @@ index fc28bc3..416ac0f 100644
  ##	Manage generic SSL certificates.
  ## </summary>
  ## <param name="domain">
-@@ -156,6 +174,26 @@ interface(`miscfiles_manage_cert_dirs',`
+@@ -156,6 +195,26 @@ interface(`miscfiles_manage_cert_dirs',`
  
  ########################################
  ## <summary>
@@ -36342,7 +36387,7 @@ index fc28bc3..416ac0f 100644
  ##	Manage SSL certificates.
  ## </summary>
  ## <param name="domain">
-@@ -434,6 +472,7 @@ interface(`miscfiles_rw_localization',`
+@@ -434,6 +493,7 @@ interface(`miscfiles_rw_localization',`
  	files_search_usr($1)
  	allow $1 locale_t:dir list_dir_perms;
  	rw_files_pattern($1, locale_t, locale_t)
@@ -36350,7 +36395,7 @@ index fc28bc3..416ac0f 100644
  ')
  
  ########################################
-@@ -453,6 +492,7 @@ interface(`miscfiles_relabel_localization',`
+@@ -453,6 +513,7 @@ interface(`miscfiles_relabel_localization',`
  
  	files_search_usr($1)
  	relabel_files_pattern($1, locale_t, locale_t)
@@ -36358,7 +36403,7 @@ index fc28bc3..416ac0f 100644
  ')
  
  ########################################
-@@ -470,7 +510,6 @@ interface(`miscfiles_legacy_read_localization',`
+@@ -470,7 +531,6 @@ interface(`miscfiles_legacy_read_localization',`
  		type locale_t;
  	')
  
@@ -36366,7 +36411,7 @@ index fc28bc3..416ac0f 100644
  	allow $1 locale_t:file execute;
  ')
  
-@@ -531,6 +570,10 @@ interface(`miscfiles_read_man_pages',`
+@@ -531,6 +591,10 @@ interface(`miscfiles_read_man_pages',`
  	allow $1 { man_cache_t man_t }:dir list_dir_perms;
  	read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
  	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@@ -36377,7 +36422,7 @@ index fc28bc3..416ac0f 100644
  ')
  
  ########################################
-@@ -554,6 +597,29 @@ interface(`miscfiles_delete_man_pages',`
+@@ -554,6 +618,29 @@ interface(`miscfiles_delete_man_pages',`
  	delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
  	delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
  	delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@@ -36407,7 +36452,7 @@ index fc28bc3..416ac0f 100644
  ')
  
  ########################################
-@@ -622,6 +688,30 @@ interface(`miscfiles_manage_man_cache',`
+@@ -622,6 +709,30 @@ interface(`miscfiles_manage_man_cache',`
  
  ########################################
  ## <summary>
@@ -36438,7 +36483,7 @@ index fc28bc3..416ac0f 100644
  ##	Read public files used for file
  ##	transfer services.
  ## </summary>
-@@ -784,8 +874,11 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -784,8 +895,11 @@ interface(`miscfiles_etc_filetrans_localization',`
  		type locale_t;
  	')
  
@@ -36452,7 +36497,7 @@ index fc28bc3..416ac0f 100644
  ')
  
  ########################################
-@@ -809,3 +902,61 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +923,61 @@ interface(`miscfiles_manage_localization',`
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
  
@@ -43806,7 +43851,7 @@ index db75976..4ca3a28 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..a7657fa 100644
+index 3c5dba7..79030dd 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -46064,7 +46109,35 @@ index 3c5dba7..a7657fa 100644
  ##	temporary symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2664,6 +3333,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2569,6 +3238,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
++interface(`userdom_rw_inherited_user_tmp_pipes',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++    allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++	files_search_tmp($1)
++')
++
++
++########################################
++## <summary>
++##	Create, read, write, and delete user
++##	temporary named pipes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
+ interface(`userdom_manage_user_tmp_pipes',`
+ 	gen_require(`
+ 		type user_tmp_t;
+@@ -2664,6 +3354,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
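Review bot: The new `userdom_rw_inherited_user_tmp_pipes` interface is inserted directly under the `## </param>` / `#` lines that close the description of `userdom_manage_user_tmp_pipes`, and a fresh copy of the manage-pipes description is then added above the old interface; unless the summary above the hunk was also changed, the new interface is presumably now documented as creating, reading, writing and deleting user temporary named pipes. Give it its own block, e.g. `##	Read and write inherited user temporary named pipes.` with the usual `<param name="domain">` section, or insert the new interface after the existing one so each keeps its own description. The `allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;` line is indented with four spaces where the surrounding lines use a tab; the same space-indented additions appear in the userdomain.te ecryptfs hunk (`fs_manage_ecryptfs_symlinks`), cobbler.te (`gnome_dontaudit_search_config`), keepalived.te (`snmp_read_snmp_var_lib_files`) and logrotate.te (`fail2ban_domtrans_client`, directly next to a tab-indented line).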
@@ -46090,7 +46163,7 @@ index 3c5dba7..a7657fa 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3368,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3389,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -46106,7 +46179,7 @@ index 3c5dba7..a7657fa 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3396,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3417,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -46115,7 +46188,7 @@ index 3c5dba7..a7657fa 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,14 +3404,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3425,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -46150,7 +46223,7 @@ index 3c5dba7..a7657fa 100644
  ')
  
  ########################################
-@@ -2817,6 +3522,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3543,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -46175,7 +46248,7 @@ index 3c5dba7..a7657fa 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3558,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3579,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -46218,7 +46291,7 @@ index 3c5dba7..a7657fa 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3594,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3615,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -46256,7 +46329,7 @@ index 3c5dba7..a7657fa 100644
  ')
  
  ########################################
-@@ -2885,8 +3639,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3660,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -46286,7 +46359,7 @@ index 3c5dba7..a7657fa 100644
  ')
  
  ########################################
-@@ -2958,69 +3731,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3752,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -46387,7 +46460,7 @@ index 3c5dba7..a7657fa 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3800,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3821,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -46402,7 +46475,7 @@ index 3c5dba7..a7657fa 100644
  ')
  
  ########################################
-@@ -3097,7 +3869,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3890,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -46411,7 +46484,7 @@ index 3c5dba7..a7657fa 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3885,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,16 +3906,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -46422,11 +46495,54 @@ index 3c5dba7..a7657fa 100644
  
  	files_list_home($1)
 -	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
++	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
++	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Send signull to unprivileged user domains.
++##	Send general signals to unprivileged user domains.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3130,17 +3925,17 @@ interface(`userdom_search_user_home_content',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_signull_unpriv_users',`
++interface(`userdom_signal_unpriv_users',`
+ 	gen_require(`
+ 		attribute unpriv_userdomain;
+ 	')
+ 
+-	allow $1 unpriv_userdomain:process signull;
++	allow $1 unpriv_userdomain:process signal;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Send general signals to unprivileged user domains.
++##	Inherit the file descriptors from unprivileged user domains.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3148,30 +3943,12 @@ interface(`userdom_signull_unpriv_users',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_signal_unpriv_users',`
++interface(`userdom_use_unpriv_users_fds',`
+ 	gen_require(`
+ 		attribute unpriv_userdomain;
+ 	')
+ 
+-	allow $1 unpriv_userdomain:process signal;
 -')
 -
 -########################################
 -## <summary>
--##	Send signull to unprivileged user domains.
+-##	Inherit the file descriptors from unprivileged user domains.
 -## </summary>
 -## <param name="domain">
 -##	<summary>
@@ -46434,18 +46550,17 @@ index 3c5dba7..a7657fa 100644
 -##	</summary>
 -## </param>
 -#
--interface(`userdom_signull_unpriv_users',`
+-interface(`userdom_use_unpriv_users_fds',`
 -	gen_require(`
 -		attribute unpriv_userdomain;
 -	')
 -
--	allow $1 unpriv_userdomain:process signull;
-+	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
-+	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
+-	allow $1 unpriv_userdomain:fd use;
++	allow $1 unpriv_userdomain:fd use;
  ')
  
  ########################################
-@@ -3217,7 +3973,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3994,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -46472,7 +46587,7 @@ index 3c5dba7..a7657fa 100644
  ')
  
  ########################################
-@@ -3272,7 +4046,83 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +4067,83 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -46557,7 +46672,7 @@ index 3c5dba7..a7657fa 100644
  ')
  
  ########################################
-@@ -3290,7 +4140,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4161,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -46566,7 +46681,7 @@ index 3c5dba7..a7657fa 100644
  ')
  
  ########################################
-@@ -3309,6 +4159,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4180,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -46574,7 +46689,7 @@ index 3c5dba7..a7657fa 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3385,6 +4236,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4257,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -46617,7 +46732,7 @@ index 3c5dba7..a7657fa 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4292,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4313,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -46642,7 +46757,7 @@ index 3c5dba7..a7657fa 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3423,6 +4328,24 @@ interface(`userdom_create_all_users_keys',`
+@@ -3423,6 +4349,24 @@ interface(`userdom_create_all_users_keys',`
  
  ########################################
  ## <summary>
@@ -46667,7 +46782,7 @@ index 3c5dba7..a7657fa 100644
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3438,4 +4361,1661 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4382,1661 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -46817,7 +46932,7 @@ index 3c5dba7..a7657fa 100644
 +
 +	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	dontaudit $1 admin_home_t:dir list_dir_perms;
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -46855,7 +46970,7 @@ index 3c5dba7..a7657fa 100644
 +
 +	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	allow $1 admin_home_t:dir search_dir_perms;
- ')
++')
 +
 +########################################
 +## <summary>
@@ -48330,7 +48445,7 @@ index 3c5dba7..a7657fa 100644
 +')
 +
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..0730c10 100644
+index e2b538b..4027ca7 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5)
@@ -48419,7 +48534,7 @@ index e2b538b..0730c10 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +83,382 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,386 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -48528,6 +48643,7 @@ index e2b538b..0730c10 100644
 +
 +tunable_policy(`use_ecryptfs_home_dirs',`
 +    fs_read_ecryptfs_files(userdom_home_reader_certs_type)
++    fs_read_ecryptfs_symlinks(userdom_home_reader_certs_type)
 +')
 +
 +tunable_policy(`use_nfs_home_dirs',`
@@ -48545,6 +48661,7 @@ index e2b538b..0730c10 100644
 +
 +tunable_policy(`use_ecryptfs_home_dirs',`
 +        fs_read_ecryptfs_files(userdom_home_reader_type)
++        fs_read_ecryptfs_symlinks(userdom_home_reader_type)
 +')
 +
 +tunable_policy(`use_nfs_home_dirs',`
@@ -48569,7 +48686,9 @@ index e2b538b..0730c10 100644
 +tunable_policy(`use_ecryptfs_home_dirs',`
 +	fs_manage_ecryptfs_dirs(userdom_home_manager_type)
 +	fs_manage_ecryptfs_files(userdom_home_manager_type)
++    fs_manage_ecryptfs_symlinks(userdom_home_manager_type)
 +')
++
 +# vi /etc/mtab can cause an avc trying to relabel to self.  
 +dontaudit userdomain self:file relabelto;
 +
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index ce16f17..f6fedab 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -9079,7 +9079,7 @@ index e73fb79..2badfc0 100644
  	domain_system_change_exemption($1)
  	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff --git a/bitlbee.te b/bitlbee.te
-index ac8c91e..80ecd7e 100644
+index ac8c91e..48a96b7 100644
 --- a/bitlbee.te
 +++ b/bitlbee.te
 @@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@@ -9097,15 +9097,17 @@ index ac8c91e..80ecd7e 100644
  
  allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
  allow bitlbee_t bitlbee_conf_t:file read_file_perms;
-@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
+@@ -45,7 +48,9 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
  manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
  append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
  create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 +read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
  setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
++logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })
  
  manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
-@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+ manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+@@ -59,8 +64,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
  manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
  files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
  
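Review bot: The new `logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })` is unnamed, so every directory or file bitlbee_t creates directly under the log directory is labelled bitlbee_log_t; if bitlbee writes to a fixed name there, pass it as the fourth argument so only that entry transitions, e.g. `logging_log_filetrans(bitlbee_t, bitlbee_log_t, dir, "<LOGDIR-NAME from bitlbee.fc>")`. The `manage_dirs_pattern` and `create_files_pattern` rules above already grant the create side, so the filetrans completes them rather than widening access, which a one-line comment above it could state.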
@@ -9115,7 +9117,17 @@ index ac8c91e..80ecd7e 100644
  
  corenet_all_recvfrom_unlabeled(bitlbee_t)
  corenet_all_recvfrom_netlabel(bitlbee_t)
-@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+@@ -98,7 +103,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
+ 
+ corenet_sendrecv_ircd_server_packets(bitlbee_t)
+ corenet_tcp_bind_ircd_port(bitlbee_t)
++corenet_tcp_bind_interwise_port(bitlbee_t)
+ corenet_sendrecv_ircd_client_packets(bitlbee_t)
++corenet_tcp_connect_interwise_port(bitlbee_t)
+ corenet_tcp_connect_ircd_port(bitlbee_t)
+ corenet_tcp_sendrecv_ircd_port(bitlbee_t)
+ 
+@@ -109,16 +116,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
  dev_read_rand(bitlbee_t)
  dev_read_urand(bitlbee_t)
  
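Review bot: The two interwise-port lines are interleaved with the ircd rules (`corenet_tcp_bind_interwise_port` between `bind_ircd` and `sendrecv_ircd_client_packets`, `corenet_tcp_connect_interwise_port` between that and `connect_ircd_port`), which breaks the per-port grouping the rest of the block follows; move them next to the existing `corenet_tcp_sendrecv_interwise_port(bitlbee_t)` visible in the following hunk header. bitlbee_t is granted both bind and connect on the same port; if it only listens on tcp/7778, or only connects to it, drop the unused half, since a daemon rarely needs both sides of one port.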
@@ -10922,7 +10934,7 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 2354e21..b2b0a2f 100644
+index 2354e21..9a5e1fd 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -10986,17 +10998,17 @@ index 2354e21..b2b0a2f 100644
  
  fs_search_cgroup_dirs(certmonger_t)
  
-@@ -70,16 +84,18 @@ init_getattr_all_script_files(certmonger_t)
+@@ -70,16 +84,17 @@ init_getattr_all_script_files(certmonger_t)
  
  logging_send_syslog_msg(certmonger_t)
  
 -miscfiles_read_localization(certmonger_t)
- miscfiles_manage_generic_cert_files(certmonger_t)
- 
-+systemd_exec_systemctl(certmonger_t)
+-miscfiles_manage_generic_cert_files(certmonger_t)
++miscfiles_manage_all_certs(certmonger_t)
 +
++systemd_exec_systemctl(certmonger_t)
+ 
  userdom_search_user_home_content(certmonger_t)
-+userdom_manage_home_certs(certmonger_t)
  
  optional_policy(`
 -	apache_initrc_domtrans(certmonger_t)
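Review bot: Replacing `miscfiles_manage_generic_cert_files(certmonger_t)` with `miscfiles_manage_all_certs(certmonger_t)` moves certmonger_t from one certificate type to what appears, from the base-patch side of this commit, to be the whole `cert_type` attribute, so it can now create, overwrite and delete every certificate type in the policy, including any added later. The dropped `userdom_manage_home_certs(certmonger_t)` is presumably relied on being covered by that attribute; worth confirming that the home certificate type carries `cert_type`, since otherwise this hunk silently removes access. A why-comment above the call would record the reason for the attribute-wide grant, e.g. `# certmonger renews and rewrites certificates of every cert_type, not only the generic ones`.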
@@ -11007,7 +11019,7 @@ index 2354e21..b2b0a2f 100644
  ')
  
  optional_policy(`
-@@ -92,11 +108,51 @@ optional_policy(`
+@@ -92,11 +107,51 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13028,7 +13040,7 @@ index c223f81..8b567c1 100644
 -	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
  ')
 diff --git a/cobbler.te b/cobbler.te
-index 2a71346..3a38b11 100644
+index 2a71346..7755558 100644
 --- a/cobbler.te
 +++ b/cobbler.te
 @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@@ -13089,7 +13101,7 @@ index 2a71346..3a38b11 100644
  ')
  
  optional_policy(`
-@@ -179,12 +183,22 @@ optional_policy(`
+@@ -179,12 +183,26 @@ optional_policy(`
  optional_policy(`
  	dhcpd_domtrans(cobblerd_t)
  	dhcpd_initrc_domtrans(cobblerd_t)
@@ -13104,6 +13116,10 @@ index 2a71346..3a38b11 100644
 +')
 +
 +optional_policy(`
++    gnome_dontaudit_search_config(cobblerd_t)
++')
++
++optional_policy(`
 +    libs_exec_ldconfig(cobblerd_t)
 +')
 +
@@ -13112,7 +13128,7 @@ index 2a71346..3a38b11 100644
  ')
  
  optional_policy(`
-@@ -192,13 +206,13 @@ optional_policy(`
+@@ -192,13 +210,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18588,14 +18604,21 @@ index 06da9a0..c18145d 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..f3aaaed 100644
+index 9f34c2e..e694e2f 100644
 --- a/cups.te
 +++ b/cups.te
-@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
+@@ -5,19 +5,31 @@ policy_module(cups, 1.15.9)
  # Declarations
  #
  
 -type cupsd_config_t;
++## <desc>
++## <p>
++## Allow cups execmem/execstack
++## </p>
++## </desc>
++gen_tunable(cups_execmem, false)
++
 +attribute cups_domain;
 +
 +type cupsd_config_t, cups_domain;
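Review bot: The `<desc>` for `cups_execmem` reads `Allow cups execmem/execstack`, which is not the sentence form tunable descriptions normally use; suggest `## Determine whether cupsd can use execmem and execstack.`. Since the boolean name mentions only execmem but the `tunable_policy` further down in this file grants `{ execmem execstack }`, the description is the only place that tells an administrator execstack is included, so keep both verbs in it.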
@@ -18618,7 +18641,7 @@ index 9f34c2e..f3aaaed 100644
  files_config_file(cupsd_etc_t)
  
  type cupsd_initrc_exec_t;
-@@ -33,13 +38,15 @@ type cupsd_lock_t;
+@@ -33,13 +45,15 @@ type cupsd_lock_t;
  files_lock_file(cupsd_lock_t)
  
  type cupsd_log_t;
@@ -18638,7 +18661,7 @@ index 9f34c2e..f3aaaed 100644
  
  type cupsd_lpd_tmp_t;
  files_tmp_file(cupsd_lpd_tmp_t)
-@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
+@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
  type cupsd_lpd_var_run_t;
  files_pid_file(cupsd_lpd_var_run_t)
  
@@ -18647,7 +18670,7 @@ index 9f34c2e..f3aaaed 100644
  type cups_pdf_exec_t;
  cups_backend(cups_pdf_t, cups_pdf_exec_t)
  
-@@ -55,29 +62,17 @@ type cups_pdf_tmp_t;
+@@ -55,29 +69,17 @@ type cups_pdf_tmp_t;
  files_tmp_file(cups_pdf_tmp_t)
  
  type cupsd_tmp_t;
@@ -18681,7 +18704,7 @@ index 9f34c2e..f3aaaed 100644
  
  type ptal_t;
  type ptal_exec_t;
-@@ -97,21 +92,49 @@ ifdef(`enable_mls',`
+@@ -97,21 +99,49 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
  ')
  
@@ -18735,7 +18758,7 @@ index 9f34c2e..f3aaaed 100644
  allow cupsd_t self:appletalk_socket create_socket_perms;
  
  allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -120,11 +150,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  
  manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -18746,10 +18769,11 @@ index 9f34c2e..f3aaaed 100644
  filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
  files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
 +cups_filetrans_named_content(cupsd_t)
++can_exec(cupsd_t, cupsd_rw_etc_t)
  
  allow cupsd_t cupsd_exec_t:dir search_dir_perms;
  allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -133,28 +158,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms;
+@@ -133,28 +166,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms;
  files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
  
  manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
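Review bot: `can_exec(cupsd_t, cupsd_rw_etc_t)` lets cupsd execute content of a type it can itself create and write: the lines just above give it `filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)` and `files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })`, so a compromised cupsd could write a file into that type and then run it, losing the write-versus-execute separation the policy otherwise keeps for this domain. If the Brother driver case from the changelog is the only motivation, scope the rule: put it under a boolean or at least a why-comment such as `# Brother printer drivers install executables under a cupsd_rw_etc_t path`, and consider giving those driver files their own executable type instead. The existing `can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })` further down already covers the regular filter and backend paths.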
@@ -18784,7 +18808,7 @@ index 9f34c2e..f3aaaed 100644
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
  allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -162,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -162,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
  can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
  
  kernel_read_system_state(cupsd_t)
@@ -18796,7 +18820,7 @@ index 9f34c2e..f3aaaed 100644
  corenet_all_recvfrom_netlabel(cupsd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_t)
  corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -189,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -189,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_bind_all_rpc_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
  
@@ -18821,7 +18845,7 @@ index 9f34c2e..f3aaaed 100644
  dev_rw_input_dev(cupsd_t)
  dev_rw_generic_usb_dev(cupsd_t)
  dev_rw_usbfs(cupsd_t)
-@@ -206,7 +235,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -206,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
  files_getattr_boot_dirs(cupsd_t)
  files_list_spool(cupsd_t)
  files_read_etc_runtime_files(cupsd_t)
@@ -18829,7 +18853,7 @@ index 9f34c2e..f3aaaed 100644
  files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
-@@ -215,17 +243,19 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
  files_read_var_files(cupsd_t)
  files_read_var_symlinks(cupsd_t)
@@ -18851,7 +18875,7 @@ index 9f34c2e..f3aaaed 100644
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
  mls_file_write_all_levels(cupsd_t)
-@@ -235,6 +265,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
@@ -18860,7 +18884,7 @@ index 9f34c2e..f3aaaed 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -247,21 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -18886,8 +18910,15 @@ index 9f34c2e..f3aaaed 100644
 +userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
++tunable_policy(`cups_execmem',`
++	allow cupsd_t self:process { execmem execstack };
++')
++
++
  optional_policy(`
-@@ -275,6 +307,8 @@ optional_policy(`
+ 	apm_domtrans_client(cupsd_t)
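Review bot: Two blank lines follow the `cups_execmem` tunable_policy block where the rest of the file separates blocks with one; drop one of them. The block itself carries no comment, and because it enables writable-and-executable memory in a network-facing daemon it should say what requires it, e.g. `# <drivers that need it>: require execmem/execstack in cupsd; off by default` above `tunable_policy(`cups_execmem',`.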
+ ')
+@@ -275,6 +320,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -18896,7 +18927,7 @@ index 9f34c2e..f3aaaed 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -285,8 +319,10 @@ optional_policy(`
+@@ -285,8 +332,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -18907,7 +18938,7 @@ index 9f34c2e..f3aaaed 100644
  	')
  ')
  
-@@ -299,8 +335,8 @@ optional_policy(`
+@@ -299,8 +348,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18917,7 +18948,7 @@ index 9f34c2e..f3aaaed 100644
  ')
  
  optional_policy(`
-@@ -309,7 +345,6 @@ optional_policy(`
+@@ -309,7 +358,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -18925,7 +18956,7 @@ index 9f34c2e..f3aaaed 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -337,7 +372,11 @@ optional_policy(`
+@@ -337,7 +385,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18938,7 +18969,7 @@ index 9f34c2e..f3aaaed 100644
  ')
  
  ########################################
-@@ -345,12 +384,11 @@ optional_policy(`
+@@ -345,12 +397,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -18954,7 +18985,7 @@ index 9f34c2e..f3aaaed 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -375,18 +413,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -18975,7 +19006,7 @@ index 9f34c2e..f3aaaed 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +431,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -18996,7 +19027,7 @@ index 9f34c2e..f3aaaed 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +448,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -19008,7 +19039,7 @@ index 9f34c2e..f3aaaed 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +475,12 @@ optional_policy(`
+@@ -452,9 +488,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19022,7 +19053,7 @@ index 9f34c2e..f3aaaed 100644
  ')
  
  optional_policy(`
-@@ -490,10 +516,6 @@ optional_policy(`
+@@ -490,10 +529,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -19033,7 +19064,7 @@ index 9f34c2e..f3aaaed 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +533,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +546,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -19067,7 +19098,7 @@ index 9f34c2e..f3aaaed 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -546,7 +560,6 @@ optional_policy(`
+@@ -546,7 +573,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -19075,7 +19106,7 @@ index 9f34c2e..f3aaaed 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +575,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +588,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -19104,13 +19135,11 @@ index 9f34c2e..f3aaaed 100644
 -	fs_manage_cifs_dirs(cups_pdf_t)
 -	fs_manage_cifs_files(cups_pdf_t)
 -')
-+userdom_home_manager(cups_pdf_t)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	lpd_manage_spool(cups_pdf_t)
-+	gnome_read_config(cups_pdf_t)
- ')
- 
+-')
+-
 -########################################
 -#
 -# HPLIP local policy
@@ -19199,15 +19228,17 @@ index 9f34c2e..f3aaaed 100644
 -userdom_dontaudit_use_unpriv_user_fds(hplip_t)
 -userdom_dontaudit_search_user_home_dirs(hplip_t)
 -userdom_dontaudit_search_user_home_content(hplip_t)
--
--optional_policy(`
++userdom_home_manager(cups_pdf_t)
+ 
+ optional_policy(`
 -	dbus_system_bus_client(hplip_t)
 -
 -	optional_policy(`
 -		userdom_dbus_send_all_users(hplip_t)
 -	')
--')
--
++	gnome_read_config(cups_pdf_t)
+ ')
+ 
 -optional_policy(`
 -	lpd_read_config(hplip_t)
 -	lpd_manage_spool(hplip_t)
@@ -19227,7 +19258,7 @@ index 9f34c2e..f3aaaed 100644
  
  ########################################
  #
-@@ -731,7 +619,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +632,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -19235,7 +19266,7 @@ index 9f34c2e..f3aaaed 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +628,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +641,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -19249,7 +19280,7 @@ index 9f34c2e..f3aaaed 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -755,8 +640,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +653,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -19258,7 +19289,7 @@ index 9f34c2e..f3aaaed 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -769,3 +652,4 @@ optional_policy(`
+@@ -769,3 +665,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -23542,10 +23573,10 @@ index 0000000..1c4ac02
 +/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..66fe66d
+index 0000000..683dfdc
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,344 @@
+@@ -0,0 +1,363 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
@@ -23570,6 +23601,25 @@ index 0000000..66fe66d
 +
 +########################################
 +## <summary>
++##	Execute docker in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`docker_exec',`
++	gen_require(`
++		type docker_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, docker_exec_t)
++')
++
++########################################
++## <summary>
 +##	Search docker lib directories.
 +## </summary>
 +## <param name="domain">
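Review bot: The `<param>` description of the new `docker_exec` interface says `Domain allowed to transition.`, but the body is `corecmd_search_bin($1)` plus `can_exec($1, docker_exec_t)` with no domain transition, so the wording was copied from a domtrans interface; change it to `##	Domain allowed access.`. The `<summary>` lines inside the param block also lack the tab indent (`##	<summary>`) that the other interfaces in this patch set use.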
@@ -36641,10 +36691,10 @@ index 0000000..0d61849
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..535f79b
+index 0000000..2c08717
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,55 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@@ -36680,6 +36730,11 @@ index 0000000..535f79b
 +kernel_read_system_state(keepalived_t)
 +kernel_read_network_state(keepalived_t)
 +
++corecmd_exec_bin(keepalived_t)
++corecmd_exec_shell(keepalived_t)
++
++corenet_tcp_connect_snmp_port(keepalived_t)
++
 +auth_use_nsswitch(keepalived_t)
 +
 +corenet_tcp_connect_connlcli_port(keepalived_t)
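Review bot: `corenet_tcp_connect_snmp_port(keepalived_t)` is placed before `auth_use_nsswitch` while the file's other corenet rule, `corenet_tcp_connect_connlcli_port(keepalived_t)`, sits after it; group the two connect rules together. `corecmd_exec_bin(keepalived_t)` and `corecmd_exec_shell(keepalived_t)` let the daemon run any bin_t or shell_exec_t program in its own domain, presumably for its notify and check scripts; a why-comment such as `# notify/vrrp_script commands run in keepalived_t` would record that, and a dedicated script domain would be the tighter long-term shape.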
@@ -36692,6 +36747,9 @@ index 0000000..535f79b
 +
 +logging_send_syslog_msg(keepalived_t)
 +
++optional_policy(`
++    snmp_read_snmp_var_lib_files(keepalived_t)
++')
 diff --git a/kerberos.fc b/kerberos.fc
 index 4fe75fd..b029c28 100644
 --- a/kerberos.fc
@@ -38175,7 +38233,7 @@ index d3e7fc9..f20248c 100644
 +	')
  ')
 diff --git a/keystone.te b/keystone.te
-index 3494d9b..e1fd252 100644
+index 3494d9b..477d7b6 100644
 --- a/keystone.te
 +++ b/keystone.te
 @@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
@@ -38193,12 +38251,15 @@ index 3494d9b..e1fd252 100644
  
  allow keystone_t self:fifo_file rw_fifo_file_perms;
  allow keystone_t self:unix_stream_socket { accept listen };
-@@ -57,20 +61,33 @@ corenet_all_recvfrom_netlabel(keystone_t)
+@@ -57,20 +61,36 @@ corenet_all_recvfrom_netlabel(keystone_t)
  corenet_tcp_sendrecv_generic_if(keystone_t)
  corenet_tcp_sendrecv_generic_node(keystone_t)
  corenet_tcp_bind_generic_node(keystone_t)
 +corenet_tcp_connect_mysqld_port(keystone_t)
 +corenet_tcp_connect_ldap_port(keystone_t)
++corenet_tcp_connect_keystone_port(keystone_t)
++corenet_tcp_connect_amqp_port(keystone_t)
++corenet_tcp_connect_osapi_compute_port(keystone_t)
  
  corenet_sendrecv_commplex_main_server_packets(keystone_t)
  corenet_tcp_bind_commplex_main_port(keystone_t)
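Review bot: The three new connect rules (`corenet_tcp_connect_keystone_port`, `corenet_tcp_connect_amqp_port`, `corenet_tcp_connect_osapi_compute_port`) extend keystone's outbound reach without saying which peer each is for; the changelog only says "additional ports to make OpenStack working". A short comment per line (`# <peer service and why keystone talks to it>`) would let the next reviewer check that the set stays minimal, since an identity service connecting to its own port and to the compute API is not self-evidently required.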
@@ -39857,7 +39918,7 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..17ea89c 100644
+index 7bab8e5..5fef0a4 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -1,20 +1,26 @@
@@ -40072,7 +40133,7 @@ index 7bab8e5..17ea89c 100644
  ')
  
  optional_policy(`
-@@ -170,6 +203,10 @@ optional_policy(`
+@@ -170,6 +203,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40080,10 +40141,11 @@ index 7bab8e5..17ea89c 100644
 +')
 +
 +optional_policy(`
++    fail2ban_domtrans_client(logrotate_t)
  	fail2ban_stream_connect(logrotate_t)
  ')
  
-@@ -178,7 +215,7 @@ optional_policy(`
+@@ -178,7 +216,7 @@ optional_policy(`
  ')
  
  optional_policy(`
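Review bot: The added `fail2ban_domtrans_client(logrotate_t)` is indented with four spaces while the neighbouring `fail2ban_stream_connect(logrotate_t)` and the other calls visible in this file use a tab; change it to `	fail2ban_domtrans_client(logrotate_t)` so the block stays consistent. Using a domain transition rather than a plain exec keeps fail2ban-client out of logrotate_t, which is the right shape for this grant. The optional_policy block is complete here but the surrounding logrotate_t policy continues outside the hunk.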
@@ -40092,7 +40154,7 @@ index 7bab8e5..17ea89c 100644
  ')
  
  optional_policy(`
-@@ -198,21 +235,26 @@ optional_policy(`
+@@ -198,21 +236,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40123,7 +40185,7 @@ index 7bab8e5..17ea89c 100644
  ')
  
  optional_policy(`
-@@ -228,10 +270,21 @@ optional_policy(`
+@@ -228,10 +271,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40145,7 +40207,7 @@ index 7bab8e5..17ea89c 100644
  	su_exec(logrotate_t)
  ')
  
-@@ -241,13 +294,11 @@ optional_policy(`
+@@ -241,13 +295,11 @@ optional_policy(`
  
  #######################################
  #
@@ -44424,7 +44486,7 @@ index 6ffaba2..ab66d2f 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..cafb2b0 100644
+index 6194b80..7490fe3 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -1,146 +1,75 @@
@@ -44710,7 +44772,7 @@ index 6194b80..cafb2b0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -265,140 +173,155 @@ interface(`mozilla_exec_user_plugin_home_files',`
+@@ -265,140 +173,156 @@ interface(`mozilla_exec_user_plugin_home_files',`
  ## </param>
  #
  interface(`mozilla_execmod_user_home_files',`
@@ -44814,7 +44876,8 @@ index 6194b80..cafb2b0 100644
 +	allow $1 mozilla_plugin_t:shm rw_shm_perms;
 +
 +	ps_process_pattern($1, mozilla_plugin_t)
-+	allow $1 mozilla_plugin_t:process signal_perms;
++	ps_process_pattern(mozilla_plugin_t, $1)
++	allow $1 mozilla_plugin_t:process { signal_perms noatsecure };
 +
 +	list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +	read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
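Review bot: The `noatsecure` added to `allow $1 mozilla_plugin_t:process { signal_perms noatsecure }` disables the AT_SECURE environment cleansing when $1 transitions into mozilla_plugin_t, so the caller's environment, loader variables included, is carried into the plugin domain; that is a deliberate weakening and should say which caller needs it, e.g. `# noatsecure: plugin inherits the caller's environment across the transition — needed for <reason, TODO fill in>`. The reverse `ps_process_pattern(mozilla_plugin_t, $1)` lets the plugin read the caller's /proc entries and would also benefit from a one-line why-comment. The interface these lines belong to starts before the hunk.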
@@ -44926,7 +44989,7 @@ index 6194b80..cafb2b0 100644
  ')
  
  ########################################
-@@ -424,8 +347,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +348,7 @@ interface(`mozilla_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -44936,7 +44999,7 @@ index 6194b80..cafb2b0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -433,76 +355,144 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +356,144 @@ interface(`mozilla_dbus_chat',`
  ##	</summary>
  ## </param>
  #
@@ -45110,7 +45173,7 @@ index 6194b80..cafb2b0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -510,19 +500,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +501,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -45135,7 +45198,7 @@ index 6194b80..cafb2b0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +520,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -48779,7 +48842,7 @@ index b744fe3..17e2514 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index 97370e4..e53abbb 100644
+index 97370e4..dac7323 100644
 --- a/munin.te
 +++ b/munin.te
 @@ -37,44 +37,47 @@ munin_plugin_template(disk)
@@ -49015,7 +49078,7 @@ index 97370e4..e53abbb 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +430,31 @@ optional_policy(`
+@@ -413,3 +430,32 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -49033,12 +49096,13 @@ index 97370e4..e53abbb 100644
 +
 +manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t)
 +manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t)
++files_tmp_filetrans(httpd_munin_script_t, httpd_munin_script_tmp_t, { dir file })
 +
 +read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
++list_dirs_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
 +read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
 +
-+read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
-+append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
++manage_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
 +
 +files_search_var_lib(httpd_munin_script_t)
 +
@@ -66112,7 +66176,7 @@ index 2e23946..d8a163f 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..cd766c0 100644
+index 191a66f..c6cf897 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,4 +1,4 @@
@@ -66294,8 +66358,9 @@ index 191a66f..cd766c0 100644
 -########################################
 -#
 -# Common postfix user domain local policy
--#
--
++# Postfix master process local policy
+ #
+ 
 -allow postfix_user_domains self:capability dac_override;
 -
 -domain_use_interactive_fds(postfix_user_domains)
@@ -66303,9 +66368,8 @@ index 191a66f..cd766c0 100644
 -########################################
 -#
 -# Master local policy
-+# Postfix master process local policy
- #
- 
+-#
+-
 -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
 +# chown is to set the correct ownership of queue dirs
 +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -66911,7 +66975,7 @@ index 191a66f..cd766c0 100644
  ')
  
  optional_policy(`
-@@ -720,29 +658,30 @@ optional_policy(`
+@@ -720,28 +658,28 @@ optional_policy(`
  
  ########################################
  #
@@ -66939,18 +67003,17 @@ index 191a66f..cd766c0 100644
 -
  corecmd_exec_bin(postfix_smtpd_t)
  
+-fs_getattr_all_dirs(postfix_smtpd_t)
+-fs_getattr_all_fs(postfix_smtpd_t)
 +# for OpenSSL certificates
-+
-+# postfix checks the size of all mounted file systems
- fs_getattr_all_dirs(postfix_smtpd_t)
- fs_getattr_all_fs(postfix_smtpd_t)
  
 -mta_read_aliases(postfix_smtpd_t)
--
++# postfix checks the size of all mounted file systems
++fs_getattr_all_dirs(postfix_smtpd_t)
+ 
  optional_policy(`
  	dovecot_stream_connect_auth(postfix_smtpd_t)
- 	dovecot_stream_connect(postfix_smtpd_t)
-@@ -754,6 +693,7 @@ optional_policy(`
+@@ -754,6 +692,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
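Review bot: On the new side the comment `# for OpenSSL certificates` at the top of the reshuffled postfix_smtpd_t lines is still followed only by a blank line and then `# postfix checks the size of all mounted file systems`, so it annotates no rule; either drop it or move it next to the rule it was written for (not visible here). Removing `fs_getattr_all_fs(postfix_smtpd_t)` is consistent with the later hunk that puts it on `postfix_domain`, but a comment such as `# fs_getattr_all_fs comes from postfix_domain` beside the remaining `fs_getattr_all_dirs(postfix_smtpd_t)` would stop the next reader re-adding it. The postfix_smtpd_t section continues past the hunk.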
@@ -66958,7 +67021,7 @@ index 191a66f..cd766c0 100644
  ')
  
  optional_policy(`
-@@ -764,31 +704,99 @@ optional_policy(`
+@@ -764,31 +703,99 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -67035,7 +67098,7 @@ index 191a66f..cd766c0 100644
 +dev_read_urand(postfix_domain)
 +
 +fs_search_auto_mountpoints(postfix_domain)
-+fs_getattr_xattr_fs(postfix_domain)
++fs_getattr_all_fs(postfix_domain)
 +fs_rw_anon_inodefs_files(postfix_domain)
 +
 +term_dontaudit_use_console(postfix_domain)
@@ -73856,10 +73919,10 @@ index afc0068..3105104 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 769d1fd..a7b42e6 100644
+index 769d1fd..5c8b3c0 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -1,96 +1,144 @@
+@@ -1,96 +1,145 @@
 -policy_module(quantum, 1.0.2)
 +policy_module(quantum, 1.0.3)
  
@@ -73938,6 +74001,7 @@ index 769d1fd..a7b42e6 100644
 -logging_log_filetrans(quantum_t, quantum_log_t, dir)
 +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
  
 -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
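Review bot: `manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)` is added, but the `files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)` beneath it only transitions directories, so a socket created directly under /var/lib would be labelled var_lib_t and never match the new rule. If the socket lives inside an already-labelled neutron directory this is fine; otherwise extend the transition to `files_var_lib_filetrans(neutron_t, neutron_var_lib_t, { dir sock_file })`. A short comment naming which socket this is for would make the intent checkable. The neutron_t block continues outside the hunk.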
@@ -74506,7 +74570,7 @@ index 2c3d338..cf3e5ad 100644
  
  ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..9fb98a1 100644
+index 3698b51..12f5c46 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -74519,7 +74583,7 @@ index 3698b51..9fb98a1 100644
  type rabbitmq_var_log_t;
  logging_log_file(rabbitmq_var_log_t)
  
-@@ -30,6 +33,8 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -30,64 +33,107 @@ files_pid_file(rabbitmq_var_run_t)
  # Beam local policy
  #
  
@@ -74528,14 +74592,17 @@ index 3698b51..9fb98a1 100644
  allow rabbitmq_beam_t self:process { setsched signal signull };
  allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_beam_t self:tcp_socket { accept listen };
-@@ -38,56 +43,94 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+ 
+ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
  manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
++files_var_lib_filetrans(rabbitmq_beam_t, rabbitmq_var_lib_t, { dir file })
  
  manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 -append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 -create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 -setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 +manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++logging_log_filetrans(rabbitmq_beam_t, rabbitmq_var_log_t, { dir file })
 +
 +manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
 +manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
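Review bot: `rabbitmq_var_lib_t` and `rabbitmq_var_log_t` now get name-less `{ dir file }` transitions (`files_var_lib_filetrans`, `logging_log_filetrans`, and `files_pid_filetrans` for var_run in the hunk below), but `rabbitmq_var_lock_t`, which has `manage_dirs_pattern`/`manage_files_pattern` on the two lines just above, has no matching `files_lock_filetrans(rabbitmq_beam_t, rabbitmq_var_lock_t, { dir file })` here; unless it exists elsewhere in the section, lock files created directly under /var/lock keep the generic label and the manage rules never apply. Name-less transitions cover everything rabbitmq_beam_t creates in those top-level directories, which is the usual refpolicy pattern, so the lock case is the only gap I see. The rabbitmq_beam_t policy continues outside the hunk.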
@@ -74543,9 +74610,10 @@ index 3698b51..9fb98a1 100644
  
  manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
  manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
- 
-+ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t)
++files_pid_filetrans(rabbitmq_beam_t, rabbitmq_var_run_t, { dir file })
 +
++ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t)
+ 
  can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
  
  domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
@@ -74633,7 +74701,7 @@ index 3698b51..9fb98a1 100644
  
  corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
  corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
-@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +145,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
@@ -79800,10 +79868,20 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..87038e7 100644
+index 1cedd70..7dc8f6e 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
-@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
+@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
+ type rhsmcertd_lock_t;
+ files_lock_file(rhsmcertd_lock_t)
+ 
++type rhsmcertd_tmp_t;
++files_tmp_file(rhsmcertd_tmp_t)
++
+ type rhsmcertd_var_lib_t;
+ files_type(rhsmcertd_var_lib_t)
+ 
+@@ -30,18 +33,21 @@ files_pid_file(rhsmcertd_var_run_t)
  #
  
  allow rhsmcertd_t self:capability sys_nice;
@@ -79821,7 +79899,15 @@ index 1cedd70..87038e7 100644
  
  manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
  files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -51,22 +50,48 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+ 
++manage_dirs_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
++manage_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
++files_tmp_filetrans(rhsmcertd_t, rhsmcertd_tmp_t, { dir file })
++
+ manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+ 
+@@ -51,22 +57,51 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  
  kernel_read_network_state(rhsmcertd_t)
  kernel_read_system_state(rhsmcertd_t)
@@ -79844,13 +79930,16 @@ index 1cedd70..87038e7 100644
 -files_read_usr_files(rhsmcertd_t)
 +files_manage_generic_locks(rhsmcertd_t)
 +files_manage_system_conf_files(rhsmcertd_t)
++files_create_boot_flag(rhsmcertd_t)
 +
 +auth_read_passwd(rhsmcertd_t)
-+
-+init_read_state(rhsmcertd_t)
  
 -miscfiles_read_localization(rhsmcertd_t)
 -miscfiles_read_generic_certs(rhsmcertd_t)
++libs_exec_ldconfig(rhsmcertd_t)
++
++init_read_state(rhsmcertd_t)
++
 +logging_send_syslog_msg(rhsmcertd_t)
 +
 +miscfiles_manage_cert_files(rhsmcertd_t)
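Review bot: `files_create_boot_flag(rhsmcertd_t)` and `libs_exec_ldconfig(rhsmcertd_t)` are added without a why-comment, and the changelog only says the daemon "seems to need these accesses"; the first lets the daemon create a flag file directly under / and the second runs ldconfig inside rhsmcertd_t, so each deserves a one-line justification along the lines of `# creates the reboot-required flag — TODO confirm` and `# runs ldconfig after installing certs — TODO confirm`. If ldconfig actually has to rewrite /etc/ld.so.cache, `libs_domtrans_ldconfig(rhsmcertd_t)` keeps that write access in ldconfig_t instead of widening rhsmcertd_t. The rhsmcertd_t block continues outside the hunk.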
@@ -90298,7 +90387,7 @@ index 7880d1f..8804935 100644
 +	xserver_xdm_append_log(shutdown_t)
  ')
 diff --git a/slocate.te b/slocate.te
-index ba26427..669d253 100644
+index ba26427..5149419 100644
 --- a/slocate.te
 +++ b/slocate.te
 @@ -18,7 +18,7 @@ files_type(locate_var_lib_t)
@@ -90310,7 +90399,15 @@ index ba26427..669d253 100644
  allow locate_t self:fifo_file rw_fifo_file_perms;
  allow locate_t self:unix_stream_socket create_socket_perms;
  
-@@ -53,7 +53,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
+@@ -35,6 +35,7 @@ dev_getattr_all_blk_files(locate_t)
+ dev_getattr_all_chr_files(locate_t)
+ 
+ files_list_all(locate_t)
++files_list_isid_type_dirs(locate_t)
+ files_dontaudit_read_all_symlinks(locate_t)
+ files_getattr_all_files(locate_t)
+ files_getattr_all_pipes(locate_t)
+@@ -53,7 +54,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
  
  auth_use_nsswitch(locate_t)
  
@@ -90318,7 +90415,7 @@ index ba26427..669d253 100644
  
  ifdef(`enable_mls',`
  	files_dontaudit_getattr_all_dirs(locate_t)
-@@ -62,3 +61,8 @@ ifdef(`enable_mls',`
+@@ -62,3 +62,8 @@ ifdef(`enable_mls',`
  optional_policy(`
  	cron_system_entry(locate_t, locate_exec_t)
  ')
@@ -97335,10 +97432,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..0e30ce2
+index 0000000..7f7e7ff
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,157 @@
+@@ -0,0 +1,159 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -97409,6 +97506,8 @@ index 0000000..0e30ce2
 +corecmd_exec_bin(thumb_t)
 +corecmd_exec_shell(thumb_t)
 +
++corenet_tcp_connect_xserver_port(thumb_t)
++
 +dev_read_sysfs(thumb_t)
 +dev_read_urand(thumb_t)
 +dev_dontaudit_rw_dri(thumb_t)
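Review bot: `corenet_tcp_connect_xserver_port(thumb_t)` is unconditional, although the changelog ties the need to running through an ssh tunnel; thumb_t processes untrusted user files, so granting TCP to the X server port on every installation is wider than the stated use case. Consider placing it in a `tunable_policy(` block behind a new boolean that defaults to off (name to be chosen, e.g. `thumb_connect_xserver_port` — constructed), with a comment `# X over an ssh tunnel is reached via TCP rather than the local socket`. The thumb_t block continues outside the hunk.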
@@ -99817,7 +99916,7 @@ index 1c35171..2cba4df 100644
  	domain_system_change_exemption($1)
  	role_transition $2 varnishd_initrc_exec_t system_r;
 diff --git a/varnishd.te b/varnishd.te
-index 9d4d8cb..a58e2dd 100644
+index 9d4d8cb..8cade37 100644
 --- a/varnishd.te
 +++ b/varnishd.te
 @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@@ -99842,22 +99941,22 @@ index 9d4d8cb..a58e2dd 100644
  #
  
 -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
-+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown };
++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner };
  dontaudit varnishd_t self:capability sys_tty_config;
 -allow varnishd_t self:process signal;
 +allow varnishd_t self:process { execmem signal };
  allow varnishd_t self:fifo_file rw_fifo_file_perms;
  allow varnishd_t self:tcp_socket { accept listen };
  
-@@ -103,7 +103,6 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t)
+@@ -103,15 +103,13 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t)
  
  dev_read_urand(varnishd_t)
  
 -files_read_usr_files(varnishd_t)
- 
+-
  fs_getattr_all_fs(varnishd_t)
  
-@@ -111,7 +110,7 @@ auth_use_nsswitch(varnishd_t)
+ auth_use_nsswitch(varnishd_t)
  
  logging_send_syslog_msg(varnishd_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0511c76..8b33711 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 166%{?dist}
+Release: 167%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,35 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jun 09 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-167
+- Allow keystone to connect to additional ports to make OpenStack working
+- Allow thumb_t to connect to the xserver port when you are runnin it via an ssh tunnel
+- Allow certmonger to manage all certs
+- rhsmcertd seems to need these accesses.
+- Add cups_execmem boolean
+- Allow cups to execute its rw_etc_t files, for brothers printers
+- Need these privs inorder to watch videon
+- Allow locate to list directories without labels
+- Allow staff_t to communicate and run docker
+- Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin conf dir
+- Allow bitlbee to use tcp/7778 port
+- /etc/cron.daily/logrotate to execute fail2ban-client.
+- Allow keepalives to connect to SNMP port. Support to do  SNMP stuff
+- Allow also fowner cap for varnishd
+- Allow keepalived to execute bin_t/shell_exec_t
+- Fix bitlbee policy
+- Fix rabbitmq.te
+- Fix labels on rabbitmq_var_run_t on file/dir creation
+- Allow neutron to create sock files
+- Allow postfix domains to getattr on all file systems
+- Add fixes for squid which is configured to run with more than one worker.
+- Allow certmonger to manage all certs
+- Fix *_ecryptfs_home_dirs booleans
+- Fix typoes in userdomain.if and libraries.te
+- Allow ldconfig_t to read/write inherited user tmp pipes
+- Use proper calling in ssh.te for userdom_home_manager attribute
+- Fix decl for cockip port
+
 * Wed May 21 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-166
 - Allow cockpit to bind to its port
 - Add fixes for squid which is configured to run with more than one worker.

