[selinux-policy] * Tue Oct 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-86 - Dontaudit aicuu to search home confi

Lukas Vrabec lvrabec at fedoraproject.org
Tue Oct 14 09:52:22 UTC 2014


commit 8db354a9b7727f747640c142e75db6f6dee25da6
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Tue Oct 14 11:51:56 2014 +0200

    * Tue Oct 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-86
    - Dontaudit aicuu to search home config dir. BZ (#1104076)
    - couchdb is using erlang, so it needs execmem privs
    - Allow sanlock to send a signal to virtd_t.
    - Allow mongodb to 'accept' accesses on the tcp_socket port.
    - Make sosreport an unconfined domain.
    - Allow nova-console to connect to mem_cache port.
    - Allow mandb to getattr on file systems
    - Allow antivirus domain to read all kernel sysctls.
    - Allow lmsd_plugin to read passwd file. BZ(1093733)
    - Label /usr/share/corosync/corosync as cluster_exec_t.
    - Allow sensord to getattr on sysfs.
    - automount policy is a non-base module, so it needs to be called in an optional block.
    - Add auth_use_nsswitch for portreserve to make it work with sssd.
    - Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.
    - Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn work with systemd.
    - Allow openvpn to access /sys/fs/cgroup dir.
    - Allow nova-scheduler to read certs
    - Add support for /var/lib/swiftdirectory.
    - Allow neutron connections to system dbus.
    - Allow mongodb to manage own log files.
    - Allow opensm_t to read/write /dev/infiniband/umad1.
    - Added policy for mon_statd and mon_procd services. BZ (1077821)
    - kernel_read_system_state needs to be called with type. Moved it to antivirus.if.
    - Allow dnssec_trigger_t to execute unbound-control in own domain.
    - Allow all RHCS services to read system state.
    - Added monitor device
    - Add interfaces for /dev/infiniband
    - Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type.
    - Add files_dontaudit_search_security_files()
    - Add selinuxuser_udp_server boolean
    - Allow syslogd_t to create /var/log/cron with correct labeling
    - Add support for /etc/.updated and /var/.updated
    - Allow iptables to read fail2ban logs. BZ (1147709)
    - Allow ldconfig to read proc//net/sockstat.

 policy-rawhide-base.patch    |  910 ++++++++++++++++++++++++------------------
 policy-rawhide-contrib.patch |  711 ++++++++++++++++++++++-----------
 selinux-policy.spec          |   38 ++-
 3 files changed, 1029 insertions(+), 630 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c4b22b1..bf9912e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -900,7 +900,7 @@ index 66e85ea..d02654d 100644
  ## user domains.
  ## </p>
 diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..b7e7ea5 100644
+index 4705ab6..b82865c 100644
 --- a/policy/global_tunables
 +++ b/policy/global_tunables
 @@ -6,52 +6,59 @@
@@ -989,7 +989,7 @@ index 4705ab6..b7e7ea5 100644
  ## Allow any files/directories to be exported read/write via NFS.
  ## </p>
  ## </desc>
-@@ -105,9 +103,30 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -105,9 +103,39 @@ gen_tunable(use_samba_home_dirs,false)
  
  ## <desc>
  ## <p>
@@ -1017,6 +1017,15 @@ index 4705ab6..b7e7ea5 100644
 +
 +## <desc>
 +## <p>
++## Allow users to run UDP servers (bind to ports and accept connection from
++## the same domain and outside users)  disabling this may break avahi 
++## discovering services on the network and other udp related services.
++## </p>
++## </desc>
++gen_tunable(selinuxuser_udp_server,false)
++
++## <desc>
++## <p>
 +## Allow the mount commands to mount any directory or file.
 +## </p>
 +## </desc>
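Review bot: the description text for the new selinuxuser_udp_server tunable is a run-on with a stray double space and trailing whitespace; suggest splitting it into two sentences, e.g. `## Allow users to run UDP servers (bind to ports and accept connections from` / `## the same domain and outside users). Disabling this may break avahi` / `## discovering services on the network and other UDP related services.`. Note also that this hunk only declares the boolean (default false); the tunable_policy block that actually uses it is not in this file, so check that the matching rules land in the contrib patch in the same build, otherwise the boolean shows up in semanage with no effect.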
@@ -5913,7 +5922,7 @@ index 3f6e168..51ad69a 100644
  ')
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..5e37a40 100644
+index b31c054..50bfabf 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -15,15 +15,18 @@
@@ -5937,7 +5946,16 @@ index b31c054..5e37a40 100644
  /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
  /dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -61,7 +64,8 @@
+@@ -44,6 +47,8 @@
+ /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
+ /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
+ /dev/inportbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/infiniband/.*	-c	gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
++/dev/infiniband/.*	-b	gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
+ /dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
+ /dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
+ /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
+@@ -61,7 +66,8 @@
  /dev/loop-control	-c	gen_context(system_u:object_r:loop_control_device_t,s0)
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
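Review bot: the two new `++/dev/infiniband/.*` entries label both character (-c) and block (-b) nodes; the changelog only mentions /dev/infiniband/umad1, so confirm whether any block device nodes appear under /dev/infiniband and drop the -b rule if none do (the matching dev_read_infiniband_dev interface grants blk_file access on the same assumption). The entries are also placed after /dev/inportbm although "infiniband" sorts before it, and they use mls_systemhigh where the neighbouring /dev/ipmi entries use s0; if the high MLS level is intended (as for /dev/mem and /dev/mcelog below) a one-line comment would save the next reader the question.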
@@ -5947,7 +5965,15 @@ index b31c054..5e37a40 100644
  /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -106,6 +110,7 @@
+@@ -72,6 +78,7 @@
+ /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/modem		-c	gen_context(system_u:object_r:modem_device_t,s0)
++/dev/monwriter  -c  gen_context(system_u:object_r:monitor_device_t,s0)
+ /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/net/vhost		-c	gen_context(system_u:object_r:vhost_device_t,s0)
+@@ -106,6 +113,7 @@
  /dev/snapshot		-c	gen_context(system_u:object_r:apm_bios_t,s0)
  /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
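Review bot: the new `++/dev/monwriter  -c  gen_context(system_u:object_r:monitor_device_t,s0)` line uses runs of spaces between the columns where every neighbouring entry uses tabs; align it with tabs so the file keeps a consistent layout and future diffs of this region stay readable.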
@@ -5955,7 +5981,7 @@ index b31c054..5e37a40 100644
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
  /dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +123,11 @@
+@@ -118,6 +126,11 @@
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
  ')
@@ -5967,7 +5993,7 @@ index b31c054..5e37a40 100644
  /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
  /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +139,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +142,14 @@ ifdef(`distro_suse', `
  /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/watchdog.*		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -5982,7 +6008,7 @@ index b31c054..5e37a40 100644
  /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
-@@ -172,6 +184,8 @@ ifdef(`distro_suse', `
+@@ -172,6 +187,8 @@ ifdef(`distro_suse', `
  /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
  
@@ -5991,7 +6017,7 @@ index b31c054..5e37a40 100644
  /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
  /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -198,12 +212,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +215,27 @@ ifdef(`distro_debian',`
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -6022,7 +6048,7 @@ index b31c054..5e37a40 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..03d4787 100644
+index 76f285e..d36451a 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6500,7 +6526,7 @@ index 76f285e..03d4787 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2025,17 +2266,73 @@ interface(`dev_rw_input_dev',`
+@@ -2025,17 +2266,18 @@ interface(`dev_rw_input_dev',`
  ##	</summary>
  ## </param>
  #
@@ -6516,11 +6542,29 @@ index 76f285e..03d4787 100644
 +    allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
  ')
  
-+
  ########################################
  ## <summary>
 -##	Set the attributes of the framebuffer device node.
 +##	Read ipmi devices.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2043,7 +2285,101 @@ interface(`dev_getattr_framebuffer_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_setattr_framebuffer_dev',`
++interface(`dev_read_ipmi_dev',`
++	gen_require(`
++		type device_t, ipmi_device_t;
++	')
++
++	read_chr_files_pattern($1, device_t, ipmi_device_t)
++')
++
++########################################
++## <summary>
++##	Read and write ipmi devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6528,12 +6572,31 @@ index 76f285e..03d4787 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_read_ipmi_dev',`
++interface(`dev_rw_ipmi_dev',`
 +	gen_require(`
 +		type device_t, ipmi_device_t;
 +	')
 +
-+	read_chr_files_pattern($1, device_t, ipmi_device_t)
++	rw_chr_files_pattern($1, device_t, ipmi_device_t)
++')
++
++########################################
++## <summary>
++##	Read infiniband devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_infiniband_dev',`
++	gen_require(`
++		type device_t, infiniband_device_t;
++	')
++
++	read_chr_files_pattern($1, device_t, infiniband_device_t)
++    read_blk_files_pattern($1, device_t, infiniband_device_t)
 +')
 +
 +########################################
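Review bot: in the new dev_read_infiniband_dev interface the two body lines are indented differently: `read_chr_files_pattern` is preceded by a tab while `++    read_blk_files_pattern($1, device_t, infiniband_device_t)` uses four spaces. Use a tab on both lines to match the rest of devices.if, and (as for the .fc hunk) keep the blk_file pattern only if block nodes really exist under /dev/infiniband.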
@@ -6546,14 +6609,17 @@ index 76f285e..03d4787 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_ipmi_dev',`
++interface(`dev_rw_infiniband_dev',`
 +	gen_require(`
-+		type device_t, ipmi_device_t;
++		type device_t, infiniband_device_t;
 +	')
 +
-+	rw_chr_files_pattern($1, device_t, ipmi_device_t)
++	rw_chr_files_pattern($1, device_t, infiniband_device_t)
++    rw_blk_files_pattern($1, device_t, infiniband_device_t)
 +')
 +
++
++
 +########################################
 +## <summary>
 +##	Get the attributes of the framebuffer device node.
@@ -6575,10 +6641,18 @@ index 76f285e..03d4787 100644
 +########################################
 +## <summary>
 +##	Set the attributes of the framebuffer device node.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2402,7 +2699,97 @@ interface(`dev_filetrans_lirc',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_setattr_framebuffer_dev',`
+ 	gen_require(`
+ 		type device_t, framebuf_device_t;
+ 	')
+@@ -2402,7 +2738,97 @@ interface(`dev_filetrans_lirc',`
  
  ########################################
  ## <summary>
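Review bot: dev_rw_infiniband_dev has the same mixed indentation as its read counterpart (`++    rw_blk_files_pattern($1, device_t, infiniband_device_t)` with spaces after a tab-indented `rw_chr_files_pattern` line), and the two extra `++` blank lines after its closing `')` leave three blank lines before the framebuffer getattr header where the file otherwise uses one. Drop the two blank lines and use a tab for the blk_file pattern.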
@@ -6677,7 +6751,7 @@ index 76f285e..03d4787 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2725,7 +3112,7 @@ interface(`dev_write_misc',`
+@@ -2725,7 +3151,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -6686,7 +6760,86 @@ index 76f285e..03d4787 100644
  ##	</summary>
  ## </param>
  #
-@@ -2903,20 +3290,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2811,6 +3237,78 @@ interface(`dev_rw_modem',`
+ 
+ ########################################
+ ## <summary>
++##	Get the attributes of the monitor devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_getattr_monitor_dev',`
++	gen_require(`
++		type device_t, monitor_device_t;
++	')
++
++	getattr_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++## <summary>
++##	Set the attributes of the monitor devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_setattr_monitor_dev',`
++	gen_require(`
++		type device_t, monitor_device_t;
++	')
++
++	setattr_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++## <summary>
++##	Read the monitor devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_monitor_dev',`
++	gen_require(`
++		type device_t, monitor_device_t;
++	')
++
++	read_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++## <summary>
++##	Read and write to monitor devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_monitor_dev',`
++	gen_require(`
++		type device_t, monitor_device_t;
++	')
++
++	rw_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of the mouse devices.
+ ## </summary>
+ ## <param name="domain">
+@@ -2903,20 +3401,20 @@ interface(`dev_getattr_mtrr_dev',`
  
  ########################################
  ## <summary>
@@ -6711,7 +6864,7 @@ index 76f285e..03d4787 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -2925,43 +3312,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3423,34 @@ interface(`dev_getattr_mtrr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -6767,7 +6920,7 @@ index 76f285e..03d4787 100644
  ##	range registers (MTRR).
  ## </summary>
  ## <param name="domain">
-@@ -2970,13 +3348,13 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3459,13 @@ interface(`dev_write_mtrr',`
  ##	</summary>
  ## </param>
  #
@@ -6784,54 +6937,97 @@ index 76f285e..03d4787 100644
  ')
  
  ########################################
-@@ -3144,6 +3522,42 @@ interface(`dev_create_null_dev',`
+@@ -3144,48 +3633,102 @@ interface(`dev_create_null_dev',`
  
  ########################################
  ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of the BIOS non-volatile RAM device.
 +##	Get the status of a null device service.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_getattr_nvram_dev',`
++interface(`dev_service_status_null_dev',`
+ 	gen_require(`
+-		type nvram_device_t;
++		type null_device_t;
+ 	')
+ 
+-	dontaudit $1 nvram_device_t:chr_file getattr;
++	allow $1 null_device_t:service status;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write BIOS non-volatile RAM.
++##	Configure null_device as a unit files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain allowed to transition.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_nvram',`
++interface(`dev_config_null_dev_service',`
+ 	gen_require(`
+-		type nvram_device_t;
++		type null_device_t;
+ 	')
+ 
+-	rw_chr_files_pattern($1, device_t, nvram_device_t)
++	allow $1 null_device_t:service manage_service_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of the printer device nodes.
++##	Do not audit attempts to get the attributes
++##	of the BIOS non-volatile RAM device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_service_status_null_dev',`
++interface(`dev_dontaudit_getattr_nvram_dev',`
 +	gen_require(`
-+		type null_device_t;
++		type nvram_device_t;
 +	')
 +
-+	allow $1 null_device_t:service status;
++	dontaudit $1 nvram_device_t:chr_file getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Configure null_device as a unit files.
++##	Read BIOS non-volatile RAM.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed to transition.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_config_null_dev_service',`
++interface(`dev_read_nvram',`
 +	gen_require(`
-+		type null_device_t;
++		type nvram_device_t;
 +	')
 +
-+	allow $1 null_device_t:service manage_service_perms;
++	read_chr_files_pattern($1, device_t, nvram_device_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Do not audit attempts to get the attributes
- ##	of the BIOS non-volatile RAM device.
- ## </summary>
-@@ -3163,6 +3577,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
- 
- ########################################
- ## <summary>
-+##	Read BIOS non-volatile RAM.
++##	Read and write BIOS non-volatile RAM.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6839,20 +7035,25 @@ index 76f285e..03d4787 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_read_nvram',`
++interface(`dev_rw_nvram',`
 +	gen_require(`
 +		type nvram_device_t;
 +	')
 +
-+	read_chr_files_pattern($1, device_t, nvram_device_t)
++	rw_chr_files_pattern($1, device_t, nvram_device_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Read and write BIOS non-volatile RAM.
- ## </summary>
- ## <param name="domain">
-@@ -3254,7 +3686,25 @@ interface(`dev_rw_printer',`
++##	Get the attributes of the printer device nodes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+@@ -3254,7 +3797,25 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
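Review bot: while the null_device_t service interfaces are being moved, two documentation problems in them are worth fixing in the same pass: the summary `##	Configure null_device as a unit files.` should read `as a unit file`, and the parameter description `##	Domain allowed to transition.` does not describe what the interface grants (`allow $1 null_device_t:service manage_service_perms;`); `Domain allowed access.` would match the neighbouring interfaces and the generated interface documentation.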
@@ -6879,7 +7080,7 @@ index 76f285e..03d4787 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3262,12 +3712,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3823,13 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
@@ -6896,7 +7097,7 @@ index 76f285e..03d4787 100644
  ')
  
  ########################################
-@@ -3399,7 +3850,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +3961,7 @@ interface(`dev_dontaudit_read_rand',`
  
  ########################################
  ## <summary>
@@ -6905,7 +7106,7 @@ index 76f285e..03d4787 100644
  ##	number generator devices (e.g., /dev/random)
  ## </summary>
  ## <param name="domain">
-@@ -3413,7 +3864,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +3975,7 @@ interface(`dev_dontaudit_append_rand',`
  		type random_device_t;
  	')
  
@@ -6914,175 +7115,11 @@ index 76f285e..03d4787 100644
  ')
  
  ########################################
-@@ -3855,7 +4306,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,6 +4417,96 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
--##	Search the sysfs directories.
 +##	Set the attributes of sysfs directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3863,53 +4314,53 @@ interface(`dev_getattr_sysfs_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_search_sysfs',`
-+interface(`dev_setattr_sysfs_dirs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	search_dirs_pattern($1, sysfs_t, sysfs_t)
-+	allow $1 sysfs_t:dir setattr_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to search sysfs.
-+##	Get attributes of sysfs filesystems.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_dontaudit_search_sysfs',`
-+interface(`dev_getattr_sysfs_fs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	dontaudit $1 sysfs_t:dir search_dir_perms;
-+	allow $1 sysfs_t:filesystem getattr;
- ')
- 
- ########################################
- ## <summary>
--##	List the contents of the sysfs directories.
-+##	Mount a filesystem on /sys
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain allow access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_list_sysfs',`
-+interface(`dev_mounton_sysfs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	list_dirs_pattern($1, sysfs_t, sysfs_t)
-+	allow $1 sysfs_t:dir mounton;
- ')
- 
- ########################################
- ## <summary>
--##	Write in a sysfs directories.
-+##	Mount sysfs filesystems.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3917,37 +4368,35 @@ interface(`dev_list_sysfs',`
- ##	</summary>
- ## </param>
- #
--# cjp: added for cpuspeed
--interface(`dev_write_sysfs_dirs',`
-+interface(`dev_mount_sysfs_fs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	allow $1 sysfs_t:dir write;
-+	allow $1 sysfs_t:filesystem mount;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to write in a sysfs directory.
-+##	Unmount sysfs filesystems.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_dontaudit_write_sysfs_dirs',`
-+interface(`dev_unmount_sysfs_fs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	dontaudit $1 sysfs_t:dir write;
-+	allow $1 sysfs_t:filesystem unmount;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete sysfs
--##	directories.
-+##	Search the sysfs directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3955,41 +4404,160 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_manage_sysfs_dirs',`
-+interface(`dev_search_sysfs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+	search_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read hardware state information.
-+##	Do not audit attempts to search sysfs.
- ## </summary>
--## <desc>
--##	<p>
--##	Allow the specified domain to read the contents of
--##	the sysfs filesystem.  This filesystem contains
--##	information, parameters, and other settings on the
--##	hardware installed on the system.
--##	</p>
--## </desc>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <infoflow type="read" weight="10"/>
- #
--interface(`dev_read_sysfs',`
-+interface(`dev_dontaudit_search_sysfs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	read_files_pattern($1, sysfs_t, sysfs_t)
--	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
--
-+	dontaudit $1 sysfs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	List the contents of the sysfs directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -7090,18 +7127,17 @@ index 76f285e..03d4787 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_list_sysfs',`
++interface(`dev_setattr_sysfs_dirs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
-+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+	list_dirs_pattern($1, sysfs_t, sysfs_t)
++	allow $1 sysfs_t:dir setattr_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Write in a sysfs directories.
++##	Get attributes of sysfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -7109,60 +7145,53 @@ index 76f285e..03d4787 100644
 +##	</summary>
 +## </param>
 +#
-+# cjp: added for cpuspeed
-+interface(`dev_write_sysfs_dirs',`
++interface(`dev_getattr_sysfs_fs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
-+	allow $1 sysfs_t:dir write;
++	allow $1 sysfs_t:filesystem getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to write in a sysfs directory.
++##	Mount a filesystem on /sys
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allow access.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_write_sysfs_dirs',`
++interface(`dev_mounton_sysfs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
-+	dontaudit $1 sysfs_t:dir write;
++	allow $1 sysfs_t:dir mounton;
 +')
 +
 +########################################
 +## <summary>
-+##	Read cpu online hardware state information.
++##	Mount sysfs filesystems.
 +## </summary>
-+## <desc>
-+##	<p>
-+##	Allow the specified domain to read /sys/devices/system/cpu/online file.
-+##	</p>
-+## </desc>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_read_cpu_online',`
++interface(`dev_mount_sysfs_fs',`
 +	gen_require(`
-+		type cpu_online_t;
++		type sysfs_t;
 +	')
 +
-+	dev_search_sysfs($1)
-+	read_files_pattern($1, cpu_online_t, cpu_online_t)
++	allow $1 sysfs_t:filesystem mount;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel cpu online hardware state information.
++##	Unmount sysfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -7170,48 +7199,82 @@ index 76f285e..03d4787 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_relabel_cpu_online',`
++interface(`dev_unmount_sysfs_fs',`
 +	gen_require(`
-+		type cpu_online_t;
 +		type sysfs_t;
 +	')
 +
-+	dev_search_sysfs($1)
-+	allow $1 cpu_online_t:file relabel_file_perms;
++	allow $1 sysfs_t:filesystem unmount;
 +')
 +
-+
 +########################################
 +## <summary>
-+##	Read hardware state information.
-+## </summary>
+ ##	Search the sysfs directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -3904,6 +4556,7 @@ interface(`dev_list_sysfs',`
+ 		type sysfs_t;
+ 	')
+ 
++	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+ 	list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+ 
+@@ -3946,23 +4599,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete sysfs
+-##	directories.
++##	Read cpu online hardware state information.
+ ## </summary>
 +## <desc>
 +##	<p>
-+##	Allow the specified domain to read the contents of
-+##	the sysfs filesystem.  This filesystem contains
-+##	information, parameters, and other settings on the
-+##	hardware installed on the system.
++##	Allow the specified domain to read /sys/devices/system/cpu/online file.
 +##	</p>
 +## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_manage_sysfs_dirs',`
++interface(`dev_read_cpu_online',`
++	gen_require(`
++		type cpu_online_t;
++	')
++
++	dev_search_sysfs($1)
++	read_files_pattern($1, cpu_online_t, cpu_online_t)
++')
++
++########################################
++## <summary>
++##	Relabel cpu online hardware state information.
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <infoflow type="read" weight="10"/>
 +#
-+interface(`dev_read_sysfs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
-+	read_files_pattern($1, sysfs_t, sysfs_t)
-+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+
- 	list_dirs_pattern($1, sysfs_t, sysfs_t)
++interface(`dev_relabel_cpu_online',`
+ 	gen_require(`
++		type cpu_online_t;
+ 		type sysfs_t;
+ 	')
+ 
+-	manage_dirs_pattern($1, sysfs_t, sysfs_t)
++	dev_search_sysfs($1)
++	allow $1 cpu_online_t:file relabel_file_perms;
  ')
  
-@@ -4016,6 +4584,62 @@ interface(`dev_rw_sysfs',`
++
+ ########################################
+ ## <summary>
+ ##	Read hardware state information.
+@@ -4016,6 +4695,62 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -7274,7 +7337,7 @@ index 76f285e..03d4787 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4113,6 +4737,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +4848,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -7300,7 +7363,7 @@ index 76f285e..03d4787 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4123,7 +4766,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +4877,7 @@ interface(`dev_write_urand',`
  #
  interface(`dev_getattr_generic_usb_dev',`
  	gen_require(`
@@ -7309,7 +7372,7 @@ index 76f285e..03d4787 100644
  	')
  
  	getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5052,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +5163,9 @@ interface(`dev_rw_usbfs',`
  	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
  ')
  
@@ -7321,7 +7384,7 @@ index 76f285e..03d4787 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4419,17 +5062,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5173,17 @@ interface(`dev_rw_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -7344,7 +7407,7 @@ index 76f285e..03d4787 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4437,12 +5080,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5191,12 @@ interface(`dev_getattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -7360,7 +7423,7 @@ index 76f285e..03d4787 100644
  ')
  
  ########################################
-@@ -4539,6 +5182,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5293,134 @@ interface(`dev_write_video_dev',`
  
  ########################################
  ## <summary>
@@ -7495,7 +7558,7 @@ index 76f285e..03d4787 100644
  ##	Allow read/write the vhost net device
  ## </summary>
  ## <param name="domain">
-@@ -4557,6 +5328,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5439,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -7520,7 +7583,7 @@ index 76f285e..03d4787 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4762,6 +5551,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5662,44 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -7565,7 +7628,7 @@ index 76f285e..03d4787 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4851,3 +5678,946 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5789,948 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -7743,6 +7806,7 @@ index 76f285e..03d4787 100644
 +	type cpu_device_t;
 +	type scanner_device_t;
 +	type modem_device_t;
++    type monitor_device_t;
 +	type vhost_device_t;
 +	type netcontrol_device_t;
 +	type nvram_device_t;
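Review bot: the new `++    type monitor_device_t;` entry in this gen_require block is indented with four spaces while every surrounding type line uses a tab; change it to a tab so the list stays uniform.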
@@ -8081,6 +8145,7 @@ index 76f285e..03d4787 100644
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9")
 +	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab")
 +	filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem")
++	filetrans_pattern($1, device_t, monitor_device_t, chr_file, "monwriter")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012")
@@ -8513,7 +8578,7 @@ index 76f285e..03d4787 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a871..2844021 100644
+index 0b1a871..f52e603 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
 @@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -8550,7 +8615,20 @@ index 0b1a871..2844021 100644
  # for the IBM zSeries z90crypt hardware ssl accelorator
  type crypt_device_t;
  dev_node(crypt_device_t)
-@@ -111,6 +112,7 @@ dev_node(ksm_device_t)
+@@ -94,6 +95,12 @@ type ipmi_device_t;
+ dev_node(ipmi_device_t)
+ 
+ #
++# Type for /dev/infiniband
++#
++type infiniband_device_t;
++dev_node(infiniband_device_t)
++
++#
+ # Type for /dev/kmsg
+ #
+ type kmsg_device_t;
+@@ -111,6 +118,7 @@ dev_node(ksm_device_t)
  #
  type kvm_device_t;
  dev_node(kvm_device_t)
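Review bot: `infiniband_device_t` is declared here as a plain device node, and the storage.fc hunk further down drops the old `/dev/infiniband/.*` entries that were labelled `fixed_disk_device_t` with `mls_systemhigh`, but no devices.fc entry assigning the new type is visible in this patch. Without one the nodes will fall back to `device_t` after the storage.fc removal; please include the file context line and state whether the `mls_systemhigh` range is meant to carry over to the new type.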
@@ -8558,7 +8636,7 @@ index 0b1a871..2844021 100644
  
  #
  # Type for /dev/lirc
-@@ -118,6 +120,9 @@ dev_node(kvm_device_t)
+@@ -118,6 +126,9 @@ dev_node(kvm_device_t)
  type lirc_device_t;
  dev_node(lirc_device_t)
  
@@ -8568,7 +8646,20 @@ index 0b1a871..2844021 100644
  type loop_control_device_t;
  dev_node(loop_control_device_t)
  
-@@ -227,6 +232,10 @@ files_mountpoint(sysfs_t)
+@@ -150,6 +161,12 @@ type modem_device_t;
+ dev_node(modem_device_t)
+ 
+ #
++# A general type for monitor devices.
++#
++type monitor_device_t;
++dev_node(monitor_device_t)
++
++#
+ # A more general type for mouse devices.
+ #
+ type mouse_device_t;
+@@ -227,6 +244,10 @@ files_mountpoint(sysfs_t)
  fs_type(sysfs_t)
  genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
  
@@ -8579,7 +8670,7 @@ index 0b1a871..2844021 100644
  #
  # Type for /dev/tpm
  #
-@@ -266,6 +275,15 @@ dev_node(usbmon_device_t)
+@@ -266,6 +287,15 @@ dev_node(usbmon_device_t)
  type userio_device_t;
  dev_node(userio_device_t)
  
@@ -8595,7 +8686,7 @@ index 0b1a871..2844021 100644
  type v4l_device_t;
  dev_node(v4l_device_t)
  
-@@ -274,6 +292,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +304,7 @@ dev_node(v4l_device_t)
  #
  type vhost_device_t;
  dev_node(vhost_device_t)
@@ -8603,7 +8694,7 @@ index 0b1a871..2844021 100644
  
  # Type for vmware devices.
  type vmware_device_t;
-@@ -319,5 +338,6 @@ files_associate_tmp(device_node)
+@@ -319,5 +350,6 @@ files_associate_tmp(device_node)
  #
  
  allow devices_unconfined_type self:capability sys_rawio;
@@ -9338,7 +9429,7 @@ index cf04cb5..16c88de 100644
 +	unconfined_server_stream_connect(domain)
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..b2aed45 100644
+index b876c48..ad25566 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9358,7 +9449,7 @@ index b876c48..b2aed45 100644
  /boot/.*			gen_context(system_u:object_r:boot_t,s0)
  /boot/\.journal			<<none>>
  /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
-@@ -38,13 +39,13 @@ ifdef(`distro_suse',`
+@@ -38,27 +39,35 @@ ifdef(`distro_suse',`
  #
  # /emul
  #
@@ -9373,8 +9464,9 @@ index b876c48..b2aed45 100644
 +/etc				gen_context(system_u:object_r:etc_t,s0)
  /etc/.*				gen_context(system_u:object_r:etc_t,s0)
  /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/\.updated		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -52,13 +53,20 @@ ifdef(`distro_suse',`
+ /etc/cmtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/killpower		--	gen_context(system_u:object_r:etc_runtime_t,s0)
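Review bot: The widened inner hunk header (`-@@ -38,13 +39,13` to `+@@ -38,27 +39,35`) swallows the separate `@@ -52,13 +53,20` hunk into one, which is fine, but the only functional change here is the new `/etc/\.updated -- etc_runtime_t` entry. A one-line note in the changelog saying which tool creates `/etc/.updated` would make the new label reviewable; the entry itself is consistent with the `files_etc_filetrans_etc_runtime($1, file, ".updated")` rule added later in files.if.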
@@ -9400,7 +9492,7 @@ index b876c48..b2aed45 100644
  
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
-@@ -70,7 +78,10 @@ ifdef(`distro_suse',`
+@@ -70,7 +79,10 @@ ifdef(`distro_suse',`
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -9412,7 +9504,7 @@ index b876c48..b2aed45 100644
  
  ifdef(`distro_gentoo', `
  /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -78,10 +89,6 @@ ifdef(`distro_gentoo', `
+@@ -78,10 +90,6 @@ ifdef(`distro_gentoo', `
  /etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
  
@@ -9423,7 +9515,7 @@ index b876c48..b2aed45 100644
  ifdef(`distro_suse',`
  /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -104,7 +111,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
+@@ -104,7 +112,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
  /initrd			-d	gen_context(system_u:object_r:root_t,s0)
  
  #
@@ -9432,7 +9524,7 @@ index b876c48..b2aed45 100644
  #
  /lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
  
-@@ -125,10 +132,12 @@ ifdef(`distro_debian',`
+@@ -125,10 +133,13 @@ ifdef(`distro_debian',`
  #
  # Mount points; do not relabel subdirectories, since
  # we don't want to change any removable media by default.
@@ -9443,10 +9535,11 @@ index b876c48..b2aed45 100644
  /media/\.hal-.*		--	gen_context(system_u:object_r:mnt_t,s0)
 +/var/run/media(/[^/]*)?	-d	gen_context(system_u:object_r:mnt_t,s0)
 +/var/run/media/.*		<<none>>
++/var/\.updated		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  
  #
  # /misc
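Review bot: The `/var/\.updated -- etc_runtime_t` entry is inserted under the "Mount points" comment next to the `/var/run/media` rules, which is misleading for anyone reading the file by section; move it to the `/var` block below (where the other `/var/...` paths live). Labelling a file under `/var` with an etc type is also unusual enough to deserve a short comment, even though it matches the `files_var_filetrans($1, etc_runtime_t, file, ".updated")` rule added in files.if.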
-@@ -138,7 +147,7 @@ ifdef(`distro_debian',`
+@@ -138,7 +149,7 @@ ifdef(`distro_debian',`
  #
  # /mnt
  #
@@ -9455,7 +9548,7 @@ index b876c48..b2aed45 100644
  /mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
  /mnt/[^/]*/.*			<<none>>
  
-@@ -150,10 +159,10 @@ ifdef(`distro_debian',`
+@@ -150,10 +161,10 @@ ifdef(`distro_debian',`
  #
  # /opt
  #
@@ -9468,7 +9561,7 @@ index b876c48..b2aed45 100644
  
  #
  # /proc
-@@ -161,6 +170,12 @@ ifdef(`distro_debian',`
+@@ -161,6 +172,12 @@ ifdef(`distro_debian',`
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -9481,7 +9574,7 @@ index b876c48..b2aed45 100644
  #
  # /run
  #
-@@ -169,6 +184,7 @@ ifdef(`distro_debian',`
+@@ -169,6 +186,7 @@ ifdef(`distro_debian',`
  /run/.*\.*pid			<<none>>
  /run/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
  
@@ -9489,7 +9582,7 @@ index b876c48..b2aed45 100644
  #
  # /selinux
  #
-@@ -178,13 +194,14 @@ ifdef(`distro_debian',`
+@@ -178,13 +196,14 @@ ifdef(`distro_debian',`
  #
  # /srv
  #
@@ -9506,7 +9599,7 @@ index b876c48..b2aed45 100644
  /tmp/.*				<<none>>
  /tmp/\.journal			<<none>>
  
-@@ -194,9 +211,11 @@ ifdef(`distro_debian',`
+@@ -194,9 +213,11 @@ ifdef(`distro_debian',`
  #
  # /usr
  #
@@ -9519,7 +9612,7 @@ index b876c48..b2aed45 100644
  
  /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -204,15 +223,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +225,9 @@ ifdef(`distro_debian',`
  
  /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
  
@@ -9536,7 +9629,7 @@ index b876c48..b2aed45 100644
  
  /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -220,8 +233,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +235,6 @@ ifdef(`distro_debian',`
  /usr/tmp/.*			<<none>>
  
  ifndef(`distro_redhat',`
@@ -9545,7 +9638,7 @@ index b876c48..b2aed45 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -229,7 +240,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +242,7 @@ ifndef(`distro_redhat',`
  #
  # /var
  #
@@ -9554,7 +9647,7 @@ index b876c48..b2aed45 100644
  /var/.*				gen_context(system_u:object_r:var_t,s0)
  /var/\.journal			<<none>>
  
-@@ -237,11 +248,25 @@ ifndef(`distro_redhat',`
+@@ -237,11 +250,25 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -9581,7 +9674,7 @@ index b876c48..b2aed45 100644
  
  /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/log/lost\+found/.*		<<none>>
-@@ -256,12 +281,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +283,14 @@ ifndef(`distro_redhat',`
  /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*\.*pid		<<none>>
@@ -9596,14 +9689,14 @@ index b876c48..b2aed45 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -271,3 +298,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +300,5 @@ ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  /var/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..693ce96 100644
+index f962f76..6eef570 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -12919,7 +13012,7 @@ index f962f76..693ce96 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6573,10 +7950,819 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7950,839 @@ interface(`files_polyinstantiate_all',`
  ##	</summary>
  ## </param>
  #
@@ -13380,6 +13473,24 @@ index f962f76..693ce96 100644
 +
 +########################################
 +## <summary>
++##	Do not audit attempts to search security files 
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_security_files',`
++	gen_require(`
++		attribute security_file_type;
++	')
++
++	dontaudit $1 security_file_type:dir search_dir_perms;
++')
++
++########################################
++## <summary>
 +##	rw any files inherited from another process
 +## </summary>
 +## <param name="domain">
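Review bot: The summary line `##	Do not audit attempts to search security files ` ends with a trailing space and describes the rule imprecisely: the body dontaudits `security_file_type:dir search_dir_perms`, i.e. searching the directories holding security files, not the files themselves. Suggest "Do not audit attempts to search security file directories." and dropping the trailing whitespace; the interface body and gen_require block otherwise look correct.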
@@ -13599,6 +13710,7 @@ index f962f76..693ce96 100644
 +    files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac")
 +    files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac")
 +    files_etc_filetrans($1, etc_t, file, "hwdb.bin")
++	files_etc_filetrans_etc_runtime($1, file, ".updated")
 +	files_etc_filetrans_etc_runtime($1, file, "runtime")
 +	files_etc_filetrans_etc_runtime($1, dir, "blkid")
 +	files_etc_filetrans_etc_runtime($1, dir, "cmtab")
@@ -13612,7 +13724,8 @@ index f962f76..693ce96 100644
 +	files_etc_filetrans_etc_runtime($1, file, "iptables.save")
 +	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
 +	files_var_filetrans($1, tmp_t, dir, "tmp")
-+    files_var_filetrans($1, var_run_t, dir, "run")
++	files_var_filetrans($1, var_run_t, dir, "run")
++	files_var_filetrans($1, etc_runtime_t, file, ".updated")
 +')
 +
 +########################################
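Review bot: The `-`/`+` pair for `files_var_filetrans($1, var_run_t, dir, "run")` is a whitespace-only re-indentation (spaces to tab) bundled with the functional addition of `files_var_filetrans($1, etc_runtime_t, file, ".updated")`; keeping cosmetic churn out of a functional hunk makes the diff easier to audit. The new `.updated` transition itself matches the `/var/\.updated` file context added in files.fc, so the two halves of that change are consistent.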
@@ -17552,7 +17665,7 @@ index e0a973b..7d3e431 100644
  	')
  }
 diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 54f1827..39faa3f 100644
+index 54f1827..6910c88 100644
 --- a/policy/modules/kernel/storage.fc
 +++ b/policy/modules/kernel/storage.fc
 @@ -7,6 +7,7 @@
@@ -17563,14 +17676,7 @@ index 54f1827..39faa3f 100644
  /dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/bsg/.+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
  /dev/cdu.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
-@@ -23,12 +24,15 @@
- /dev/ht[0-1]		-b	gen_context(system_u:object_r:tape_device_t,s0)
- /dev/hwcdrom		-b	gen_context(system_u:object_r:removable_device_t,s0)
- /dev/initrd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/dev/infiniband/.*	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/dev/infiniband/.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/jsfd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/jsflash		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -28,7 +29,8 @@
  /dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
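Review bot: Dropping the two `/dev/infiniband/.*` lines is the right move now that devices.te gains a dedicated `infiniband_device_t` (the old entries labelled character nodes as a disk type, which is what the new type fixes), but the removal also discards the `mls_systemhigh` range and nothing in this patch shows what the nodes will be labelled instead. Please pair this hunk with the devices.fc entry for the new type and say whether the MLS range is intentionally lowered.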
@@ -17580,7 +17686,7 @@ index 54f1827..39faa3f 100644
  /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -51,7 +55,8 @@ ifdef(`distro_redhat', `
+@@ -51,7 +53,8 @@ ifdef(`distro_redhat', `
  /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
@@ -17590,7 +17696,7 @@ index 54f1827..39faa3f 100644
  /dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
  /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/vd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -81,3 +86,6 @@ ifdef(`distro_redhat', `
+@@ -81,3 +84,6 @@ ifdef(`distro_redhat', `
  
  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
@@ -32691,7 +32797,7 @@ index c42fbc3..174cfdb 100644
  ## <summary>
  ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..5e28da7 100644
+index be8ed1e..f0ed532 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -32780,16 +32886,17 @@ index be8ed1e..5e28da7 100644
  userdom_use_all_users_fds(iptables_t)
  
  ifdef(`hide_broken_symptoms',`
-@@ -102,6 +105,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +105,9 @@ ifdef(`hide_broken_symptoms',`
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
++    fail2ban_read_log(iptables_t)
 +	fail2ban_dontaudit_leaks(iptables_t)
 +	fail2ban_rw_inherited_tmp_files(iptables_t)
  ')
  
  optional_policy(`
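Review bot: `fail2ban_read_log(iptables_t)` widens iptables_t from append-only to read access on fail2ban's log, and the line gives no hint why iptables needs to read it; please add a short comment (or a bug reference) in the optional block explaining the denial this addresses. The line is also indented with four spaces while the neighbouring `fail2ban_*` calls use a tab.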
-@@ -110,6 +115,11 @@ optional_policy(`
+@@ -110,6 +116,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32801,7 +32908,7 @@ index be8ed1e..5e28da7 100644
  	modutils_run_insmod(iptables_t, iptables_roles)
  ')
  
-@@ -124,6 +134,12 @@ optional_policy(`
+@@ -124,6 +135,12 @@ optional_policy(`
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -32814,7 +32921,7 @@ index be8ed1e..5e28da7 100644
  ')
  
  optional_policy(`
-@@ -135,9 +151,9 @@ optional_policy(`
+@@ -135,9 +152,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33322,7 +33429,7 @@ index 808ba93..57a68da 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 54f8fa5..caf32d6 100644
+index 54f8fa5..1584203 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@@ -33355,7 +33462,11 @@ index 54f8fa5..caf32d6 100644
  files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
  
  manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -75,11 +77,15 @@ kernel_read_system_state(ldconfig_t)
+@@ -72,14 +74,19 @@ files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
+ manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t)
+ 
+ kernel_read_system_state(ldconfig_t)
++kernel_read_network_state(ldconfig_t)
  
  fs_getattr_xattr_fs(ldconfig_t)
  
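Review bot: `kernel_read_network_state(ldconfig_t)` grants ldconfig read access to the kernel's network state (the /proc/net tree), which is an odd need for a library cache tool; without a comment or bug number next to the line it is impossible to tell whether this is papering over a leaked descriptor from a caller or a genuine ldconfig requirement. Please document the motivating denial, and if it is a leak, prefer a dontaudit in the caller's hide_broken_symptoms block over a real allow here.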
@@ -33372,7 +33483,7 @@ index 54f8fa5..caf32d6 100644
  files_read_etc_files(ldconfig_t)
  files_read_usr_files(ldconfig_t)
  files_search_tmp(ldconfig_t)
-@@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t)
+@@ -90,11 +97,11 @@ files_delete_etc_files(ldconfig_t)
  init_use_script_ptys(ldconfig_t)
  init_read_script_tmp_files(ldconfig_t)
  
@@ -33386,7 +33497,7 @@ index 54f8fa5..caf32d6 100644
  userdom_use_all_users_fds(ldconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -103,6 +109,13 @@ ifdef(`distro_ubuntu',`
+@@ -103,6 +110,13 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -33400,7 +33511,7 @@ index 54f8fa5..caf32d6 100644
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -114,6 +127,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -114,6 +128,11 @@ ifdef(`hide_broken_symptoms',`
  		')
  	')
  
@@ -33412,7 +33523,7 @@ index 54f8fa5..caf32d6 100644
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
  	')
-@@ -131,6 +149,14 @@ optional_policy(`
+@@ -131,6 +150,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33427,7 +33538,7 @@ index 54f8fa5..caf32d6 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +167,3 @@ optional_policy(`
+@@ -141,6 +168,3 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
@@ -34339,7 +34450,7 @@ index 4e94884..8de26ad 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..5d3197b 100644
+index 59b04c1..077c808 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -34693,7 +34804,15 @@ index 59b04c1..5d3197b 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -507,15 +591,40 @@ optional_policy(`
+@@ -497,6 +581,7 @@ optional_policy(`
+ optional_policy(`
+ 	cron_manage_log_files(syslogd_t)
+ 	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
++	cron_generic_log_filetrans_log(syslogd_t, file, "cron")
+ ')
+ 
+ optional_policy(`
+@@ -507,15 +592,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34734,7 +34853,7 @@ index 59b04c1..5d3197b 100644
  ')
  
  optional_policy(`
-@@ -526,3 +635,26 @@ optional_policy(`
+@@ -526,3 +636,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -43092,7 +43211,7 @@ index db75976..1ee08ec 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..d04015e 100644
+index 9dc60c6..0bed312 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -44442,7 +44561,7 @@ index 9dc60c6..d04015e 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1018,23 +1382,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1382,63 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -44470,6 +44589,9 @@ index 9dc60c6..d04015e 100644
 +		corenet_tcp_bind_all_unreserved_ports($1_usertype)
 +	')
 +
++	tunable_policy(`selinuxuser_udp_server',`
++		corenet_udp_bind_all_unreserved_ports($1_usertype)
++	')
 +	optional_policy(`
 +		cdrecord_role($1_r, $1_t)
 +	')
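Review bot: The new `tunable_policy(\`selinuxuser_udp_server'` block in the unprivileged user template is missing the blank line that separates the preceding `selinuxuser_tcp_server` block from the `optional_policy` that follows it; please add one for consistency. The tunable must also be declared with a `gen_tunable` in userdomain.te, which is not part of this excerpt, so confirm that declaration is included or the build will fail on the unknown boolean.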
@@ -44499,21 +44621,21 @@ index 9dc60c6..d04015e 100644
 +	optional_policy(`
 +		mount_run_fusermount($1_t, $1_r)
 +		mount_read_pid_files($1_t)
++	')
++
++	optional_policy(`
++		wine_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		netutils_run_ping_cond($1_t, $1_r)
 -		netutils_run_traceroute_cond($1_t, $1_r)
-+		wine_role_template($1, $1_r, $1_t)
-+	')
-+
-+	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1043,7 +1444,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1447,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -44524,7 +44646,7 @@ index 9dc60c6..d04015e 100644
  	')
  ')
  
-@@ -1079,7 +1482,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1485,9 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -44535,7 +44657,7 @@ index 9dc60c6..d04015e 100644
  	')
  
  	##############################
-@@ -1095,6 +1500,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1503,7 @@ template(`userdom_admin_user_template',`
  	role system_r types $1_t;
  
  	typeattribute $1_t admindomain;
@@ -44543,7 +44665,7 @@ index 9dc60c6..d04015e 100644
  
  	ifdef(`direct_sysadm_daemon',`
  		domain_system_change_exemption($1_t)
-@@ -1105,14 +1511,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1514,8 @@ template(`userdom_admin_user_template',`
  	# $1_t local policy
  	#
  
@@ -44560,7 +44682,7 @@ index 9dc60c6..d04015e 100644
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1128,6 +1528,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1531,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -44568,7 +44690,7 @@ index 9dc60c6..d04015e 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1145,10 +1546,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1549,15 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -44584,7 +44706,7 @@ index 9dc60c6..d04015e 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1159,29 +1565,38 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1568,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -44627,7 +44749,7 @@ index 9dc60c6..d04015e 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1606,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1609,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -44636,7 +44758,7 @@ index 9dc60c6..d04015e 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1615,17 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1618,21 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -44651,11 +44773,15 @@ index 9dc60c6..d04015e 100644
 +	tunable_policy(`selinuxuser_tcp_server',`
 +        corenet_tcp_bind_all_unreserved_ports($1_t)
 +    ')
-+
++  
++	tunable_policy(`selinuxuser_udp_server',`
++        corenet_udp_bind_all_unreserved_ports($1_t)
++    ')
++      
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
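Review bot: The `selinuxuser_udp_server` block added to the admin user template carries trailing whitespace on the two new blank lines (`++  ` and `++      `) and indents `corenet_udp_bind_all_unreserved_ports($1_t)` with eight spaces while the surrounding template uses tabs; please clean both so the block matches the `selinuxuser_tcp_server` block directly above it. Functionally the rule mirrors the TCP variant and relies on the same `gen_tunable` declaration noted for the unprivileged template.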
-@@ -1240,7 +1661,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1668,7 @@ template(`userdom_admin_user_template',`
  ##	</summary>
  ## </param>
  #
@@ -44664,7 +44790,7 @@ index 9dc60c6..d04015e 100644
  	allow $1 self:capability { dac_read_search dac_override };
  
  	corecmd_exec_shell($1)
-@@ -1250,6 +1671,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1678,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -44673,7 +44799,7 @@ index 9dc60c6..d04015e 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1262,8 +1685,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1692,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -44685,7 +44811,7 @@ index 9dc60c6..d04015e 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1274,29 +1699,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1706,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -44728,7 +44854,7 @@ index 9dc60c6..d04015e 100644
  	')
  
  	optional_policy(`
-@@ -1357,14 +1784,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1791,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -44747,7 +44873,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -1397,12 +1827,51 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1834,51 @@ interface(`userdom_user_tmp_file',`
  ## </param>
  #
  interface(`userdom_user_tmpfs_file',`
@@ -44800,7 +44926,7 @@ index 9dc60c6..d04015e 100644
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
  ## <param name="domain">
-@@ -1509,11 +1978,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1985,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -44832,7 +44958,7 @@ index 9dc60c6..d04015e 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1555,6 +2044,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2051,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -44847,7 +44973,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -1570,9 +2067,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2074,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -44859,7 +44985,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -1629,6 +2128,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2135,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -44902,7 +45028,7 @@ index 9dc60c6..d04015e 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1708,6 +2243,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1708,6 +2250,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -44911,7 +45037,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -1741,10 +2278,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2285,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -44926,7 +45052,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -1769,7 +2308,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2315,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -44935,7 +45061,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1777,19 +2316,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2323,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -44959,7 +45085,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1797,55 +2334,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2341,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -45030,7 +45156,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1853,18 +2390,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2397,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -45058,7 +45184,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1872,55 +2410,55 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,55 +2417,55 @@ interface(`userdom_mmap_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -45133,7 +45259,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1928,32 +2466,149 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
+@@ -1928,32 +2473,149 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -45291,7 +45417,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -1971,7 +2626,80 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1971,7 +2633,80 @@ interface(`userdom_delete_user_home_content_files',`
  		type user_home_t;
  	')
  
@@ -45373,7 +45499,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -2007,8 +2735,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2742,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -45383,7 +45509,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -2024,20 +2751,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2758,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -45408,7 +45534,7 @@ index 9dc60c6..d04015e 100644
  
  ########################################
  ## <summary>
-@@ -2120,7 +2841,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2848,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -45417,7 +45543,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2128,19 +2849,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2856,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -45441,7 +45567,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2148,12 +2867,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2874,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -45457,7 +45583,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -2388,18 +3107,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3114,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -45515,7 +45641,7 @@ index 9dc60c6..d04015e 100644
  ##	Do not audit attempts to read users
  ##	temporary files.
  ## </summary>
-@@ -2414,7 +3169,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3176,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -45524,7 +45650,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -2455,6 +3210,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3217,25 @@ interface(`userdom_rw_user_tmp_files',`
  	rw_files_pattern($1, user_tmp_t, user_tmp_t)
  	files_search_tmp($1)
  ')
@@ -45550,7 +45676,7 @@ index 9dc60c6..d04015e 100644
  
  ########################################
  ## <summary>
-@@ -2538,7 +3312,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3319,7 @@ interface(`userdom_manage_user_tmp_files',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
@@ -45559,7 +45685,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2546,19 +3320,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3327,19 @@ interface(`userdom_manage_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -45582,7 +45708,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2566,19 +3340,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,19 +3347,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -45605,7 +45731,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2586,27 +3360,68 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,27 +3367,68 @@ interface(`userdom_manage_user_tmp_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -45680,7 +45806,7 @@ index 9dc60c6..d04015e 100644
  ##	<summary>
  ##	The type of the object to create.
  ##	</summary>
-@@ -2661,6 +3476,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3483,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -45702,7 +45828,7 @@ index 9dc60c6..d04015e 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2672,18 +3502,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3509,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  ## </param>
  #
  interface(`userdom_read_user_tmpfs_files',`
@@ -45724,7 +45850,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2692,19 +3517,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3524,13 @@ interface(`userdom_read_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_rw_user_tmpfs_files',`
@@ -45747,7 +45873,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2713,13 +3532,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3539,56 @@ interface(`userdom_rw_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_manage_user_tmpfs_files',`
@@ -45808,7 +45934,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -2814,6 +3676,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3683,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -45833,7 +45959,7 @@ index 9dc60c6..d04015e 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2832,22 +3712,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3719,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -45876,7 +46002,7 @@ index 9dc60c6..d04015e 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2856,14 +3748,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3755,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -45914,7 +46040,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -2882,8 +3793,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3800,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -45944,7 +46070,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -2955,69 +3885,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3892,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -46045,7 +46171,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3025,12 +3954,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3961,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -46060,7 +46186,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -3094,7 +4023,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4030,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -46069,7 +46195,7 @@ index 9dc60c6..d04015e 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3110,29 +4039,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4046,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -46103,7 +46229,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -3214,7 +4127,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4134,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -46130,7 +46256,7 @@ index 9dc60c6..d04015e 100644
  ')
  
  ########################################
-@@ -3269,12 +4200,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4207,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -46146,7 +46272,7 @@ index 9dc60c6..d04015e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3282,46 +4214,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,46 +4221,122 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -46282,7 +46408,7 @@ index 9dc60c6..d04015e 100644
  	')
  
  	allow $1 userdomain:process getattr;
-@@ -3382,6 +4390,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4397,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -46325,7 +46451,7 @@ index 9dc60c6..d04015e 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4446,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4453,60 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -46386,7 +46512,7 @@ index 9dc60c6..d04015e 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4533,1686 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4540,1686 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 8299b96..e886127 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1547,7 +1547,7 @@ index 3b5dcb9..fbe187f 100644
  	domain_system_change_exemption($1)
  	role_transition $2 aiccu_initrc_exec_t system_r;
 diff --git a/aiccu.te b/aiccu.te
-index 5d2b90e..bb8adeb 100644
+index 5d2b90e..7374df0 100644
 --- a/aiccu.te
 +++ b/aiccu.te
 @@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
@@ -1558,17 +1558,20 @@ index 5d2b90e..bb8adeb 100644
  corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
  corenet_tcp_connect_sixxsconfig_port(aiccu_t)
  corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
-@@ -60,17 +59,20 @@ domain_use_interactive_fds(aiccu_t)
+@@ -60,17 +59,24 @@ domain_use_interactive_fds(aiccu_t)
  dev_read_rand(aiccu_t)
  dev_read_urand(aiccu_t)
  
 -files_read_etc_files(aiccu_t)
- 
--logging_send_syslog_msg(aiccu_t)
++
 +auth_read_passwd(aiccu_t)
  
+ logging_send_syslog_msg(aiccu_t)
+ 
 -miscfiles_read_localization(aiccu_t)
-+logging_send_syslog_msg(aiccu_t)
++optional_policy(`
++    gnome_dontaudit_search_config(aiccu_t)
++')
  
  optional_policy(`
  	modutils_domtrans_insmod(aiccu_t)
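Review bot: the new `optional_policy(` block carrying `gnome_dontaudit_search_config(aiccu_t)` is indented with four spaces while the neighbouring block (`modutils_domtrans_insmod(aiccu_t)`) uses a tab; use a tab so the file stays consistent. The rule itself only silences the AVC for searching the GNOME config directory and grants no access, which is the right fix for a noisy denial. Also, the hunk replaces `-files_read_etc_files(aiccu_t)` with an empty `+` line immediately after an existing blank line, so the resulting aiccu.te has two consecutive blank lines between `dev_read_urand(aiccu_t)` and `auth_read_passwd(aiccu_t)`; drop the empty added line.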
@@ -2678,10 +2681,10 @@ index 0000000..219f32d
 +
 diff --git a/antivirus.if b/antivirus.if
 new file mode 100644
-index 0000000..df5b3be
+index 0000000..ae5f0a3
 --- /dev/null
 +++ b/antivirus.if
-@@ -0,0 +1,322 @@
+@@ -0,0 +1,324 @@
 +## <summary>SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan</summary>
 +
 +######################################
@@ -2701,6 +2704,8 @@ index 0000000..df5b3be
 +        ')
 +
 +        typeattribute $1 antivirus_domain;
++
++        kernel_read_system_state($1)
 +')
 +
 +#######################################
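Review bot: `kernel_read_system_state($1)` is now granted inside the template to every domain that receives the antivirus_domain attribute, which is what makes the per-domain `kernel_read_system_state(antivirus_t)` removed from antivirus.te unnecessary. Since the grant becomes implicit for any future caller of this template, mention in the template's summary that callers get read access to kernel system state (/proc), so policy authors adding new antivirus domains do not duplicate or miss it.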
@@ -3006,10 +3011,10 @@ index 0000000..df5b3be
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..8cc6120
+index 0000000..cb58319
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,270 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -3115,11 +3120,8 @@ index 0000000..8cc6120
 +
 +can_exec(antivirus_domain, antivirus_exec_t)
 +
-+kernel_read_network_state(antivirus_t)
-+kernel_read_net_sysctls(antivirus_t)
-+kernel_read_kernel_sysctls(antivirus_domain)
-+kernel_read_sysctl(antivirus_domain)
-+kernel_read_system_state(antivirus_t)
++kernel_read_network_state(antivirus_domain)
++kernel_read_all_sysctls(antivirus_domain)
 +
 +corecmd_exec_bin(antivirus_domain)
 +corecmd_exec_shell(antivirus_domain)
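Review bot: collapsing `kernel_read_net_sysctls`, `kernel_read_kernel_sysctls` and `kernel_read_sysctl` into `kernel_read_all_sysctls(antivirus_domain)` widens the grant to every sysctl type (vm, fs, and the rest of the sysctl_*_t family) for every domain carrying the attribute, and `kernel_read_network_state` moves from antivirus_t alone to the whole attribute. If the denials that motivated this came from a single scanner, the narrower per-type interfaces keep the other antivirus domains at least privilege; if all of them really read arbitrary sysctls, a one-line comment naming which ones would make the broad grant reviewable later.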
@@ -3284,10 +3286,10 @@ index 0000000..8cc6120
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..7e70f67 100644
+index 7caefc3..3009a35 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,203 @@
+@@ -1,162 +1,204 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3495,6 +3497,7 @@ index 7caefc3..7e70f67 100644
 +/var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/glpi(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/php(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/graphite-web(/.*)?     gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/drupal.*			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
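Review bot: the new `/var/lib/graphite-web(/.*)?` entry is aligned with spaces while the surrounding entries use tabs; match the neighbours. Because `httpd_sys_rw_content_t` lets httpd_t create, write and delete everything under that tree, confirm the whole directory needs to be writable by the web server rather than only the database file it keeps there, and label the rest `httpd_sys_content_t` if not.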
@@ -5124,7 +5127,7 @@ index f6eb485..f6d065e 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..a78899a 100644
+index 6649962..3226dec 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@@ -6126,7 +6129,7 @@ index 6649962..a78899a 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +796,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +796,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -6147,8 +6150,10 @@ index 6649962..a78899a 100644
 -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
 -	fs_exec_cifs_files(httpd_t)
 +
-+tunable_policy(`httpd_use_nfs',`
-+	automount_search_tmp_dirs(httpd_t)
++optional_policy(`
++    tunable_policy(`httpd_use_nfs',`
++	    automount_search_tmp_dirs(httpd_t)
++    ')
  ')
  
 -tunable_policy(`httpd_execmem',`
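Review bot: wrapping `tunable_policy(`httpd_use_nfs', ...)` in `optional_policy(` is the correct fix, since `automount_search_tmp_dirs` comes from a non-base module and an unconditional reference fails to build when automount is not loaded. The new lines mix four-space indentation (`optional_policy(` / `tunable_policy(`) with a tab plus spaces on `automount_search_tmp_dirs(httpd_t)`; use tabs throughout as the rest of apache.te does.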
@@ -6217,7 +6222,7 @@ index 6649962..a78899a 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +843,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +845,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6298,7 +6303,7 @@ index 6649962..a78899a 100644
  ')
  
  optional_policy(`
-@@ -749,24 +896,32 @@ optional_policy(`
+@@ -749,24 +898,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6337,7 +6342,7 @@ index 6649962..a78899a 100644
  ')
  
  optional_policy(`
-@@ -775,6 +930,10 @@ optional_policy(`
+@@ -775,6 +932,10 @@ optional_policy(`
  	tunable_policy(`httpd_dbus_avahi',`
  		avahi_dbus_chat(httpd_t)
  	')
@@ -6348,7 +6353,7 @@ index 6649962..a78899a 100644
  ')
  
  optional_policy(`
-@@ -786,35 +945,60 @@ optional_policy(`
+@@ -786,35 +947,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6422,7 +6427,7 @@ index 6649962..a78899a 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1006,18 @@ optional_policy(`
+@@ -822,8 +1008,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6441,7 +6446,7 @@ index 6649962..a78899a 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1026,7 @@ optional_policy(`
+@@ -832,6 +1028,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6449,7 +6454,7 @@ index 6649962..a78899a 100644
  ')
  
  optional_policy(`
-@@ -842,20 +1037,40 @@ optional_policy(`
+@@ -842,20 +1039,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6496,7 +6501,7 @@ index 6649962..a78899a 100644
  ')
  
  optional_policy(`
-@@ -863,19 +1078,35 @@ optional_policy(`
+@@ -863,19 +1080,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6532,7 +6537,7 @@ index 6649962..a78899a 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -883,65 +1114,189 @@ optional_policy(`
+@@ -883,65 +1116,189 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6744,7 +6749,7 @@ index 6649962..a78899a 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -950,123 +1305,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1307,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6899,7 +6904,7 @@ index 6649962..a78899a 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1389,106 @@ optional_policy(`
+@@ -1083,172 +1391,106 @@ optional_policy(`
  	')
  ')
  
@@ -7136,7 +7141,7 @@ index 6649962..a78899a 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1496,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1498,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -7233,7 +7238,7 @@ index 6649962..a78899a 100644
  
  ########################################
  #
-@@ -1321,8 +1571,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1573,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7250,7 +7255,7 @@ index 6649962..a78899a 100644
  ')
  
  ########################################
-@@ -1330,49 +1587,38 @@ optional_policy(`
+@@ -1330,49 +1589,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7315,7 +7320,7 @@ index 6649962..a78899a 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1628,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1630,101 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -16208,10 +16213,10 @@ index 715a826..3f0c0dc 100644
 +	')
  ')
 diff --git a/couchdb.te b/couchdb.te
-index ae1c1b1..d461e44 100644
+index ae1c1b1..003fe15 100644
 --- a/couchdb.te
 +++ b/couchdb.te
-@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t)
+@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
  type couchdb_var_run_t;
  files_pid_file(couchdb_var_run_t)
  
@@ -16221,8 +16226,10 @@ index ae1c1b1..d461e44 100644
  ########################################
  #
  # Local policy
-@@ -35,10 +38,10 @@ files_pid_file(couchdb_var_run_t)
- allow couchdb_t self:process { setsched signal signull sigkill };
+ #
+ 
+-allow couchdb_t self:process { setsched signal signull sigkill };
++allow couchdb_t self:process { execmem setsched signal signull sigkill };
  allow couchdb_t self:fifo_file rw_fifo_file_perms;
  allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
 +allow couchdb_t self:unix_dgram_socket create_socket_perms;
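Review bot: adding `execmem` to `allow couchdb_t self:process { ... }` lets the daemon map memory that is both writable and executable, removing the W^X guarantee for that domain; this is what the Erlang VM's native code support needs, but it also means a memory-corruption bug in couchdb becomes easier to turn into code execution. Consider gating it behind a boolean, as apache.te does with `httpd_execmem` elsewhere in this patch, so deployments that do not use HiPE can leave it off, and add a comment stating why it is required.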
@@ -24476,10 +24483,10 @@ index 0000000..a952041
 +')
 diff --git a/dnssec.te b/dnssec.te
 new file mode 100644
-index 0000000..c1ab586
+index 0000000..7f0943f
 --- /dev/null
 +++ b/dnssec.te
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,59 @@
 +policy_module(dnssec, 1.0.0)
 +
 +########################################
@@ -24533,6 +24540,7 @@ index 0000000..c1ab586
 +sysnet_manage_config(dnssec_trigger_t)
 +
 +optional_policy(`
++    bind_domtrans(dnssec_trigger_t)
 +	bind_read_config(dnssec_trigger_t)
 +	bind_read_dnssec_keys(dnssec_trigger_t)
 +')
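Review bot: `bind_domtrans(dnssec_trigger_t)` is indented with four spaces while the two `bind_read_*` lines below it use a tab. Beyond style, a domtrans moves execution into bind's domain, so whatever dnssec-trigger executes through this rule runs with named's privileges rather than dnssec_trigger_t's; if the intent is to run a helper in dnssec_trigger_t's own domain, an exec-without-transition interface is the one to use, and if a transition into named_t really is wanted, say so in a comment because it is a privilege change for a network-facing helper.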
@@ -42825,7 +42833,7 @@ index d314333..da30c5d 100644
 +	')
  ')
 diff --git a/lsm.te b/lsm.te
-index 4ec0eea..2eaa558 100644
+index 4ec0eea..01db8ca 100644
 --- a/lsm.te
 +++ b/lsm.te
 @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@@ -42860,7 +42868,7 @@ index 4ec0eea..2eaa558 100644
  ########################################
  #
  # Local policy
-@@ -26,4 +44,48 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,50 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
  manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
  files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
  
@@ -42895,6 +42903,8 @@ index 4ec0eea..2eaa558 100644
 +
 +kernel_read_system_state(lsmd_plugin_t)
 +
++auth_read_passwd(lsmd_plugin_t)
++
 +dev_read_urand(lsmd_plugin_t)
 +
 +corecmd_exec_bin(lsmd_plugin_t)
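Review bot: `auth_read_passwd(lsmd_plugin_t)` grants read access to passwd_file_t only; if the plugin resolves users or groups through NSS (sssd, ldap, nscd), `auth_use_nsswitch` is the interface that covers the whole lookup path, as this same patch uses for portreserve, and the narrower grant will just produce the next denial. Style: the call is placed between the `kernel_` and `dev_` calls, while the refpolicy ordering followed by the rest of the file puts `auth_` after the `files_`/`fs_` calls.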
@@ -43899,7 +43909,7 @@ index 327f3f7..4f61561 100644
 +	')
  ')
 diff --git a/mandb.te b/mandb.te
-index e6136fd..813c98d 100644
+index e6136fd..56fa2cf 100644
 --- a/mandb.te
 +++ b/mandb.te
 @@ -10,19 +10,40 @@ roleattribute system_r mandb_roles;
@@ -43945,13 +43955,15 @@ index e6136fd..813c98d 100644
  kernel_read_kernel_sysctls(mandb_t)
  kernel_read_system_state(mandb_t)
  
-@@ -33,11 +54,12 @@ dev_search_sysfs(mandb_t)
+@@ -33,11 +54,14 @@ dev_search_sysfs(mandb_t)
  
  domain_use_interactive_fds(mandb_t)
  
 -files_read_etc_files(mandb_t)
 +files_search_locks(mandb_t)
 +files_dontaudit_search_all_mountpoints(mandb_t)
++
++fs_getattr_all_fs(mandb_t)
  
  miscfiles_manage_man_cache(mandb_t)
 +miscfiles_setattr_man_pages(mandb_t)
@@ -46111,6 +46123,145 @@ index b94102e..25d1d33 100644
 +		postgresql_stream_connect(mojomojo_script_t)
 +	')
 +')
+diff --git a/mon_statd.fc b/mon_statd.fc
+new file mode 100644
+index 0000000..60c11c0
+--- /dev/null
++++ b/mon_statd.fc
+@@ -0,0 +1,7 @@
++/etc/rc\.d/init\.d/mon_statd	--	gen_context(system_u:object_r:mon_statd_initrc_exec_t,s0)
++
++/usr/sbin/mon_fsstatd		--	gen_context(system_u:object_r:mon_statd_exec_t,s0)
++/usr/sbin/mon_procd		--	gen_context(system_u:object_r:mon_procd_exec_t,s0)
++
++/var/run/procd.*        --  gen_context(system_u:object_r:mon_statd_var_run_t,s0)
++/var/run/fstatd.*       --  gen_context(system_u:object_r:mon_statd_var_run_t,s0)
+diff --git a/mon_statd.if b/mon_statd.if
+new file mode 100644
+index 0000000..1ce3e44
+--- /dev/null
++++ b/mon_statd.if
+@@ -0,0 +1,39 @@
++## <summary>policy for mon_statd</summary>
++
++########################################
++## <summary>
++##	Execute mon_statd in the mon_statd domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mon_statd_domtrans',`
++	gen_require(`
++		type mon_statd_t, mon_statd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, mon_statd_exec_t, mon_statd_t)
++')
++
++########################################
++## <summary>
++##	Execute mon_procd in the mon_procd domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mon_procd_domtrans',`
++	gen_require(`
++		type mon_procd_t, mon_procd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, mon_procd_exec_t, mon_procd_t)
++')
+diff --git a/mon_statd.te b/mon_statd.te
+new file mode 100644
+index 0000000..39c5287
+--- /dev/null
++++ b/mon_statd.te
+@@ -0,0 +1,75 @@
++policy_module(mon_statd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute mon_statd_domain;
++
++type mon_statd_t, mon_statd_domain;
++type mon_statd_exec_t;
++init_daemon_domain(mon_statd_t, mon_statd_exec_t)
++
++type mon_procd_t, mon_statd_domain;
++type mon_procd_exec_t;
++init_daemon_domain(mon_procd_t, mon_procd_exec_t)
++
++type mon_statd_initrc_exec_t;
++init_script_file(mon_statd_initrc_exec_t)
++
++type mon_statd_var_run_t;
++files_pid_file(mon_statd_var_run_t)
++
++########################################
++#
++# mon_statd domain policy
++#
++
++manage_files_pattern(mon_statd_domain, mon_statd_var_run_t, mon_statd_var_run_t)
++files_pid_filetrans(mon_statd_domain, mon_statd_var_run_t, file)
++
++domain_read_all_domains_state(mon_statd_domain)
++
++dev_rw_monitor_dev(mon_statd_domain)
++
++########################################
++#
++# mon_fstatd local policy
++#
++allow mon_statd_t self:process { fork signal };
++allow mon_statd_t self:fifo_file rw_fifo_file_perms;
++
++allow mon_statd_t self:unix_stream_socket create_stream_socket_perms;
++allow mon_statd_t self:unix_dgram_socket create_socket_perms;
++
++kernel_dgram_send(mon_statd_t)
++
++fs_getattr_all_fs(mon_statd_t)
++fs_getattr_all_dirs(mon_statd_t)
++
++fs_search_cgroup_dirs(mon_statd_t)
++
++logging_send_syslog_msg(mon_procd_t)
++
++optional_policy(`
++    rpc_read_nfs_state_data(mon_statd_t)
++')
++
++########################################
++#
++# mon_procd local policy
++#
++allow mon_procd_t self:capability sys_ptrace;
++
++allow mon_procd_t self:unix_dgram_socket { create connect };
++
++auth_read_passwd(mon_procd_t)
++
++kernel_dgram_send(mon_procd_t)
++kernel_read_system_state(mon_procd_t)
++
++init_read_utmp(mon_procd_t)
++
++logging_send_syslog_msg(mon_procd_t)
++
 diff --git a/mongodb.fc b/mongodb.fc
 index 6fcfc31..85dcd4b 100644
 --- a/mongodb.fc
@@ -46132,10 +46283,10 @@ index 6fcfc31..85dcd4b 100644
 +/var/run/mongo.*	                gen_context(system_u:object_r:mongod_var_run_t,s0)
 +/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
 diff --git a/mongodb.te b/mongodb.te
-index 169f236..2184be0 100644
+index 169f236..1f19104 100644
 --- a/mongodb.te
 +++ b/mongodb.te
-@@ -21,19 +21,27 @@ files_type(mongod_var_lib_t)
+@@ -21,19 +21,25 @@ files_type(mongod_var_lib_t)
  type mongod_var_run_t;
  files_pid_file(mongod_var_run_t)
  
@@ -46152,20 +46303,22 @@ index 169f236..2184be0 100644
 +allow mongod_t self:process { setsched signal };
  allow mongod_t self:fifo_file rw_fifo_file_perms;
  
+-manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
+-append_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+-create_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+-setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+-logging_log_filetrans(mongod_t, mongod_log_t, dir)
 +allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mongod_t self:unix_stream_socket create_stream_socket_perms;
 +allow mongod_t self:udp_socket create_socket_perms;
++allow mongod_t self:tcp_socket { accept listen };
 +
- manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
- append_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
- create_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
- setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
--logging_log_filetrans(mongod_t, mongod_log_t, dir)
++manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
 +logging_log_filetrans(mongod_t, mongod_log_t, { dir file })
  
  manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
  manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-@@ -41,21 +49,41 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+@@ -41,21 +47,41 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
  
  manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
  manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
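Review bot: replacing the `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` trio on mongod_log_t with `manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)` gives the daemon write, rename and unlink on its own logs, so a compromised mongod can truncate or delete the evidence of the compromise; the append-only set is the safer default for a log type unless mongod's own log rotation really needs rename and unlink, in which case a comment should say so. Note also that `manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)` is dropped from the inner patch while `logging_log_filetrans(mongod_t, mongod_log_t, { dir file })` keeps the `dir` class, so the transition rule survives but the domain loses the create/manage permissions on mongod_log_t directories that make it usable; verify that the dir rules come from somewhere else or restore them. The added `allow mongod_t self:tcp_socket { accept listen };` is correct for a listening server but only makes sense alongside the corresponding `corenet_tcp_bind_*` rules; confirm those are present elsewhere in mongodb.te.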
@@ -55440,10 +55593,10 @@ index 0000000..ce897e2
 +')
 diff --git a/nova.te b/nova.te
 new file mode 100644
-index 0000000..6d3a4fe
+index 0000000..2d92a3d
 --- /dev/null
 +++ b/nova.te
-@@ -0,0 +1,335 @@
+@@ -0,0 +1,339 @@
 +policy_module(nova, 1.0.0)
 +
 +########################################
@@ -55640,6 +55793,8 @@ index 0000000..6d3a4fe
 +
 +allow nova_console_t self:udp_socket create_socket_perms;
 +
++corenet_tcp_connect_memcache_port(nova_console_t)
++
 +auth_use_nsswitch(nova_console_t)
 +
 +#######################################
@@ -55736,6 +55891,8 @@ index 0000000..6d3a4fe
 +
 +init_read_utmp(nova_scheduler_t)
 +
++miscfiles_read_certs(nova_scheduler_t)
++
 +#######################################
 +#
 +# nova vncproxy local policy
@@ -61020,10 +61177,10 @@ index 0000000..776fda7
 +')
 diff --git a/opensm.te b/opensm.te
 new file mode 100644
-index 0000000..a055461
+index 0000000..32d1db4
 --- /dev/null
 +++ b/opensm.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,45 @@
 +policy_module(opensm, 1.0.0)
 +
 +########################################
@@ -61066,6 +61223,7 @@ index 0000000..a055461
 +corecmd_exec_bin(opensm_t)
 +
 +dev_read_sysfs(opensm_t)
++dev_rw_infiniband_dev(opensm_t)
 +
 +logging_send_syslog_msg(opensm_t)
 diff --git a/openvpn.fc b/openvpn.fc
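Review bot: `dev_rw_infiniband_dev(opensm_t)` references an interface that is not defined anywhere in this contrib patch; it has to come from the base policy patch in the same commit. That makes the two patch files interdependent, so the build will fail on an undefined interface if the contrib patch is ever applied or backported without the matching base change; a short comment noting the dependency, or keeping the interface addition and its first use in one logical change, avoids that.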
@@ -61132,7 +61290,7 @@ index 6837e9a..21e6dae 100644
  	domain_system_change_exemption($1)
  	role_transition $2 openvpn_initrc_exec_t system_r;
 diff --git a/openvpn.te b/openvpn.te
-index 63957a3..69cc01a 100644
+index 63957a3..e059df5 100644
 --- a/openvpn.te
 +++ b/openvpn.te
 @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@@ -61223,7 +61381,11 @@ index 63957a3..69cc01a 100644
  corenet_rw_tun_tap_dev(openvpn_t)
  
  dev_read_rand(openvpn_t)
-@@ -135,18 +150,24 @@ fs_search_auto_mountpoints(openvpn_t)
+@@ -132,21 +147,30 @@ files_read_etc_runtime_files(openvpn_t)
+ 
+ fs_getattr_all_fs(openvpn_t)
+ fs_search_auto_mountpoints(openvpn_t)
++fs_list_cgroup_dirs(openvpn_t)
  
  auth_use_pam(openvpn_t)
  
@@ -61239,6 +61401,8 @@ index 63957a3..69cc01a 100644
  sysnet_use_ldap(openvpn_t)
  
 -userdom_use_user_terminals(openvpn_t)
++systemd_passwd_agent_domtrans(openvpn_t)
++
 +userdom_use_inherited_user_terminals(openvpn_t)
 +userdom_read_home_certs(openvpn_t)
 +userdom_attach_admin_tun_iface(openvpn_t)
@@ -61251,7 +61415,7 @@ index 63957a3..69cc01a 100644
  ')
  
  tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -164,6 +185,10 @@ tunable_policy(`openvpn_can_network_connect',`
+@@ -164,6 +188,10 @@ tunable_policy(`openvpn_can_network_connect',`
  ')
  
  optional_policy(`
@@ -61262,7 +61426,7 @@ index 63957a3..69cc01a 100644
  	daemontools_service_domain(openvpn_t, openvpn_exec_t)
  ')
  
-@@ -175,3 +200,27 @@ optional_policy(`
+@@ -175,3 +203,27 @@ optional_policy(`
  		networkmanager_dbus_chat(openvpn_t)
  	')
  ')
@@ -67377,7 +67541,7 @@ index 5ad5291..7f1ae2a 100644
  	portreserve_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/portreserve.te b/portreserve.te
-index 00b01e2..47ab4d9 100644
+index 00b01e2..10b4512 100644
 --- a/portreserve.te
 +++ b/portreserve.te
 @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
@@ -67388,7 +67552,7 @@ index 00b01e2..47ab4d9 100644
  corenet_all_recvfrom_netlabel(portreserve_t)
  corenet_tcp_sendrecv_generic_if(portreserve_t)
  corenet_udp_sendrecv_generic_if(portreserve_t)
-@@ -56,6 +55,8 @@ corenet_sendrecv_all_server_packets(portreserve_t)
+@@ -56,6 +55,7 @@ corenet_sendrecv_all_server_packets(portreserve_t)
  corenet_tcp_bind_all_ports(portreserve_t)
  corenet_udp_bind_all_ports(portreserve_t)
  
@@ -67396,9 +67560,8 @@ index 00b01e2..47ab4d9 100644
 -
  userdom_dontaudit_search_user_home_content(portreserve_t)
 +
-+optional_policy(`
-+    sssd_search_lib(portreserve_t)
-+')
++auth_use_nsswitch(portreserve_t)
++
 diff --git a/portslave.te b/portslave.te
 index cbe36c1..8ebeb87 100644
 --- a/portslave.te
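Review bot: `auth_use_nsswitch(portreserve_t)` is a considerably wider grant than the `sssd_search_lib(portreserve_t)` block it replaces, since it covers the whole name-service lookup path (nscd, sssd, ldap and related sockets and files); it is the right interface if portreserve resolves service or user names through sssd, but the commit should say that this is the reason rather than a single search denial. Also the final `++` adds an empty line after `auth_use_nsswitch(portreserve_t)`, leaving a trailing blank line at the end of portreserve.te; drop it.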
@@ -76182,10 +76345,10 @@ index afc0068..97bbea4 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..e8c81df 100644
+index 8644d8b..f45e193 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -5,92 +5,173 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,177 @@ policy_module(quantum, 1.1.0)
  # Declarations
  #
  
@@ -76274,8 +76437,6 @@ index 8644d8b..e8c81df 100644
 -dev_read_urand(quantum_t)
 -
 -files_read_usr_files(quantum_t)
--
--auth_use_nsswitch(quantum_t)
 +allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
 +allow neutron_t self:capability2 block_suspend;
 +allow neutron_t self:process { setsched setrlimit setcap signal_perms };
@@ -76363,6 +76524,11 @@ index 8644d8b..e8c81df 100644
 +	corenet_tcp_sendrecv_all_ports(neutron_t)
 +')
  
+-auth_use_nsswitch(quantum_t)
++optional_policy(`
++    dbus_system_bus_client(neutron_t)
++')
+ 
 -libs_exec_ldconfig(quantum_t)
 +optional_policy(`
 +	brctl_domtrans(neutron_t)
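Review bot: the new `optional_policy(` block with `dbus_system_bus_client(neutron_t)` is indented with four spaces while the following `brctl_domtrans(neutron_t)` block uses a tab. Functionally, `dbus_system_bus_client` only lets neutron_t connect to the system bus and exchange messages with the bus daemon itself; it does not authorise talking to any particular bus service, so if neutron needs to call a service over D-Bus the matching `<service>_dbus_chat(neutron_t)` rule is still required and the next denial will show up there.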
@@ -77162,7 +77328,7 @@ index 4460582..60cf556 100644
 +
  ')
 diff --git a/radius.te b/radius.te
-index 403a4fe..8fc3712 100644
+index 403a4fe..f6923e3 100644
 --- a/radius.te
 +++ b/radius.te
 @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@@ -77175,7 +77341,18 @@ index 403a4fe..8fc3712 100644
  ########################################
  #
  # Local policy
-@@ -60,11 +63,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+@@ -49,9 +52,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+ filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
+ 
+ manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+-append_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+-create_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+-setattr_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
++manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+ logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
+ 
+ manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
+@@ -60,11 +61,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
  manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
  manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
  files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
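Review bot: swapping `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on radiusd_log_t for `manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)` turns an append-only log into one the daemon can rewrite, rename and delete. For an authentication server whose logs are the primary forensic record of who authenticated and from where, that loss is worth a comment explaining which operation radiusd performs on its logs that the append-only set did not cover; if it is only rotation, confining rotation to logrotate (which this file already handles via `logrotate_exec`) keeps the daemon itself append-only.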
@@ -77188,7 +77365,7 @@ index 403a4fe..8fc3712 100644
  corenet_all_recvfrom_netlabel(radiusd_t)
  corenet_tcp_sendrecv_generic_if(radiusd_t)
  corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -74,6 +77,9 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
+@@ -74,6 +75,9 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
  corenet_udp_sendrecv_all_ports(radiusd_t)
  corenet_udp_bind_generic_node(radiusd_t)
  
@@ -77198,7 +77375,7 @@ index 403a4fe..8fc3712 100644
  corenet_sendrecv_radacct_server_packets(radiusd_t)
  corenet_udp_bind_radacct_port(radiusd_t)
  
-@@ -97,7 +103,6 @@ domain_use_interactive_fds(radiusd_t)
+@@ -97,7 +101,6 @@ domain_use_interactive_fds(radiusd_t)
  fs_getattr_all_fs(radiusd_t)
  fs_search_auto_mountpoints(radiusd_t)
  
@@ -77206,7 +77383,7 @@ index 403a4fe..8fc3712 100644
  files_read_etc_runtime_files(radiusd_t)
  files_dontaudit_list_tmp(radiusd_t)
  
-@@ -109,7 +114,6 @@ libs_exec_lib_files(radiusd_t)
+@@ -109,7 +112,6 @@ libs_exec_lib_files(radiusd_t)
  
  logging_send_syslog_msg(radiusd_t)
  
@@ -77214,7 +77391,7 @@ index 403a4fe..8fc3712 100644
  miscfiles_read_generic_certs(radiusd_t)
  
  sysnet_use_ldap(radiusd_t)
-@@ -122,6 +126,11 @@ optional_policy(`
+@@ -122,6 +124,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77226,7 +77403,7 @@ index 403a4fe..8fc3712 100644
  	logrotate_exec(radiusd_t)
  ')
  
-@@ -140,5 +149,10 @@ optional_policy(`
+@@ -140,5 +147,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79935,10 +80112,10 @@ index c8a1e16..2d409bf 100644
  	xen_domtrans_xm(rgmanager_t)
  ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..5ad36aa 100644
+index 47de2d6..d5caec9 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,88 @@
+@@ -1,31 +1,90 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -80024,6 +80201,8 @@ index 47de2d6..5ad36aa 100644
 +/usr/sbin/pacemakerd    	--  gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/pacemaker_remoted --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
++/usr/share/corosync/corosync    --  gen_context(system_u:object_r:cluster_exec_t,s0)
++
 +/usr/lib/pcsd/pcsd          --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
 +/usr/lib/heartbeat(/.*)?			gen_context(system_u:object_r:cluster_var_lib_t,s0)
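Review bot: labelling /usr/share/corosync/corosync as cluster_exec_t adds a second entrypoint for cluster_t, so every caller of rhcs_domtrans_cluster (domtrans_pattern($1, cluster_exec_t, cluster_t), later in this patch) will now transition into cluster_t when executing this file as well as the /usr/sbin binaries above it; please confirm that is the intent rather than only letting cluster_t itself run the file. Minor: the new entry's alignment whitespace differs from the surrounding entries in the same block.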
@@ -80051,7 +80230,7 @@ index 47de2d6..5ad36aa 100644
 +/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 +/var/log/pcsd(/.*)?     gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index c8bdea2..e6bcb25 100644
+index c8bdea2..b68d5b7 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -1,19 +1,19 @@
@@ -80080,7 +80259,7 @@ index c8bdea2..e6bcb25 100644
  	')
  
  	##############################
-@@ -43,33 +43,27 @@ template(`rhcs_domain_template',`
+@@ -43,33 +43,29 @@ template(`rhcs_domain_template',`
  	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
  	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
  
@@ -80101,6 +80280,8 @@ index c8bdea2..e6bcb25 100644
 -	optional_policy(`
 -		dbus_system_bus_client($1_t)
 -	')
++    kernel_read_system_state($1_t)
++
 +	auth_use_nsswitch($1_t)
 +
 +	logging_send_syslog_msg($1_t)
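Review bot: the new kernel_read_system_state($1_t) in rhcs_domain_template is indented with four spaces while the adjacent auth_use_nsswitch($1_t) and logging_send_syslog_msg($1_t) use a tab; match the tab. On substance, this grants /proc system-state reads to every domain generated by the template, and it is what justifies dropping the per-domain kernel_read_system_state(...) calls in the rhcs.te hunks below; any RHCS domain that is not declared through this template still needs its own call.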
@@ -80121,7 +80302,7 @@ index c8bdea2..e6bcb25 100644
  ## </param>
  #
  interface(`rhcs_domtrans_dlm_controld',`
-@@ -83,8 +77,8 @@ interface(`rhcs_domtrans_dlm_controld',`
+@@ -83,8 +79,8 @@ interface(`rhcs_domtrans_dlm_controld',`
  
  #####################################
  ## <summary>
@@ -80132,7 +80313,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -92,18 +86,19 @@ interface(`rhcs_domtrans_dlm_controld',`
+@@ -92,18 +88,19 @@ interface(`rhcs_domtrans_dlm_controld',`
  ##	</summary>
  ## </param>
  #
@@ -80157,7 +80338,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -111,18 +106,18 @@ interface(`rhcs_getattr_fenced_exec_files',`
+@@ -111,18 +108,18 @@ interface(`rhcs_getattr_fenced_exec_files',`
  ##	</summary>
  ## </param>
  #
@@ -80180,7 +80361,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -160,9 +155,27 @@ interface(`rhcs_domtrans_fenced',`
+@@ -160,9 +157,27 @@ interface(`rhcs_domtrans_fenced',`
  	domtrans_pattern($1, fenced_exec_t, fenced_t)
  ')
  
@@ -80209,7 +80390,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -181,10 +194,9 @@ interface(`rhcs_rw_fenced_semaphores',`
+@@ -181,10 +196,9 @@ interface(`rhcs_rw_fenced_semaphores',`
  	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
  ')
  
@@ -80222,7 +80403,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -192,19 +204,18 @@ interface(`rhcs_rw_fenced_semaphores',`
+@@ -192,19 +206,18 @@ interface(`rhcs_rw_fenced_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -80246,7 +80427,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -221,10 +232,28 @@ interface(`rhcs_stream_connect_fenced',`
+@@ -221,10 +234,28 @@ interface(`rhcs_stream_connect_fenced',`
  	stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
  ')
  
@@ -80277,7 +80458,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -243,7 +272,7 @@ interface(`rhcs_domtrans_gfs_controld',`
+@@ -243,7 +274,7 @@ interface(`rhcs_domtrans_gfs_controld',`
  
  ####################################
  ## <summary>
@@ -80286,7 +80467,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -264,7 +293,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
+@@ -264,7 +295,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
  
  ########################################
  ## <summary>
@@ -80295,7 +80476,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -285,8 +314,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
+@@ -285,8 +316,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
  
  #####################################
  ## <summary>
@@ -80305,7 +80486,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -324,8 +352,8 @@ interface(`rhcs_domtrans_groupd',`
+@@ -324,8 +354,8 @@ interface(`rhcs_domtrans_groupd',`
  
  #####################################
  ## <summary>
@@ -80316,7 +80497,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -342,10 +370,51 @@ interface(`rhcs_stream_connect_groupd',`
+@@ -342,10 +372,51 @@ interface(`rhcs_stream_connect_groupd',`
  	stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
  ')
  
@@ -80370,7 +80551,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -366,8 +435,7 @@ interface(`rhcs_rw_cluster_shm',`
+@@ -366,8 +437,7 @@ interface(`rhcs_rw_cluster_shm',`
  
  ####################################
  ## <summary>
@@ -80380,7 +80561,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -383,9 +451,10 @@ interface(`rhcs_rw_cluster_semaphores',`
+@@ -383,9 +453,10 @@ interface(`rhcs_rw_cluster_semaphores',`
  	allow $1 cluster_domain:sem { rw_sem_perms destroy };
  ')
  
@@ -80393,7 +80574,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -393,20 +462,44 @@ interface(`rhcs_rw_cluster_semaphores',`
+@@ -393,20 +464,44 @@ interface(`rhcs_rw_cluster_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -80444,7 +80625,7 @@ index c8bdea2..e6bcb25 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -414,15 +507,12 @@ interface(`rhcs_rw_groupd_semaphores',`
+@@ -414,15 +509,12 @@ interface(`rhcs_rw_groupd_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -80463,7 +80644,7 @@ index c8bdea2..e6bcb25 100644
  ')
  
  ######################################
-@@ -446,52 +536,361 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +538,361 @@ interface(`rhcs_domtrans_qdiskd',`
  
  ########################################
  ## <summary>
@@ -80514,11 +80695,7 @@ index c8bdea2..e6bcb25 100644
 +	files_search_var_lib($1)
 +	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
- 
--	init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
--	domain_system_change_exemption($1)
--	role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
--	allow $2 system_r;
++
 +#####################################
 +## <summary>
 +##  Allow domain to manage cluster lib files
@@ -80533,15 +80710,15 @@ index c8bdea2..e6bcb25 100644
 +    gen_require(`
 +        type cluster_var_lib_t;
 +    ')
- 
--	files_search_pids($1)
--	admin_pattern($1, cluster_pid)
++
 +    files_search_var_lib($1)
 +    manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
  
--	files_search_locks($1)
--	admin_pattern($1, fenced_lock_t)
+-	init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+-	domain_system_change_exemption($1)
+-	role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+-	allow $2 system_r;
 +####################################
 +## <summary>
 +##  Allow domain to relabel cluster lib files
@@ -80562,8 +80739,8 @@ index c8bdea2..e6bcb25 100644
 +	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
  
--	files_search_tmp($1)
--	admin_pattern($1, fenced_tmp_t)
+-	files_search_pids($1)
+-	admin_pattern($1, cluster_pid)
 +######################################
 +## <summary>
 +##  Execute a domain transition to run cluster administrative domain.
@@ -80579,14 +80756,14 @@ index c8bdea2..e6bcb25 100644
 +        type cluster_t, cluster_exec_t;
 +    ')
  
--	files_search_var_lib($1)
--	admin_pattern($1, qdiskd_var_lib_t)
+-	files_search_locks($1)
+-	admin_pattern($1, fenced_lock_t)
 +    corecmd_search_bin($1)
 +    domtrans_pattern($1, cluster_exec_t, cluster_t)
 +')
  
--	fs_search_tmpfs($1)
--	admin_pattern($1, cluster_tmpfs)
+-	files_search_tmp($1)
+-	admin_pattern($1, fenced_tmp_t)
 +#######################################
 +## <summary>
 +##  Execute cluster init scripts in
@@ -80602,10 +80779,14 @@ index c8bdea2..e6bcb25 100644
 +    gen_require(`
 +        type cluster_initrc_exec_t;
 +    ')
-+
+ 
+-	files_search_var_lib($1)
+-	admin_pattern($1, qdiskd_var_lib_t)
 +    init_labeled_script_domtrans($1, cluster_initrc_exec_t)
 +')
-+
+ 
+-	fs_search_tmpfs($1)
+-	admin_pattern($1, cluster_tmpfs)
 +#####################################
 +## <summary>
 +##  Execute cluster in the caller domain.
@@ -80854,7 +81035,7 @@ index c8bdea2..e6bcb25 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..37290b0 100644
+index 6cf79c4..25c0f70 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -80893,7 +81074,7 @@ index 6cf79c4..37290b0 100644
  attribute cluster_domain;
  attribute cluster_log;
  attribute cluster_pid;
-@@ -44,34 +73,282 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +73,281 @@ type foghorn_initrc_exec_t;
  init_script_file(foghorn_initrc_exec_t)
  
  rhcs_domain_template(gfs_controld)
@@ -80998,7 +81179,6 @@ index 6cf79c4..37290b0 100644
 +
 +kernel_kill(cluster_t)
 +kernel_read_all_sysctls(cluster_t)
-+kernel_read_system_state(cluster_t)
 +kernel_rw_rpc_sysctls(cluster_t)
 +kernel_search_debugfs(cluster_t)
 +kernel_search_network_state(cluster_t)
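Review bot: dropping kernel_read_system_state(cluster_t) is only safe if cluster_t is declared via rhcs_domain_template(), where this patch now adds the call; the cluster_t type declaration is not visible in this hunk, so please double-check it, otherwise cluster_t silently loses /proc system-state access. The same dependency holds for the dlm_controld_t, fenced_t, gfs_controld_t and qdiskd_t removals in the following hunks.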
@@ -81180,7 +81360,7 @@ index 6cf79c4..37290b0 100644
  ')
  
  #####################################
-@@ -79,9 +356,11 @@ optional_policy(`
+@@ -79,13 +355,14 @@ optional_policy(`
  # dlm_controld local policy
  #
  
@@ -81193,7 +81373,11 @@ index 6cf79c4..37290b0 100644
  stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
  stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
-@@ -98,16 +377,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+-kernel_read_system_state(dlm_controld_t)
+ kernel_rw_net_sysctls(dlm_controld_t)
+ 
+ corecmd_exec_bin(dlm_controld_t)
+@@ -98,16 +375,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
  
  init_rw_script_tmp_files(dlm_controld_t)
  
@@ -81227,18 +81411,18 @@ index 6cf79c4..37290b0 100644
  manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
  files_lock_filetrans(fenced_t, fenced_lock_t, file)
  
-@@ -118,9 +411,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +409,7 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
 -can_exec(fenced_t, fenced_exec_t)
 -
- kernel_read_system_state(fenced_t)
+-kernel_read_system_state(fenced_t)
 +kernel_read_network_state(fenced_t)
  
  corecmd_exec_bin(fenced_t)
  corecmd_exec_shell(fenced_t)
-@@ -140,6 +432,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +429,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
  
  corenet_sendrecv_zented_server_packets(fenced_t)
  corenet_tcp_bind_zented_port(fenced_t)
@@ -81247,7 +81431,7 @@ index 6cf79c4..37290b0 100644
  corenet_tcp_sendrecv_zented_port(fenced_t)
  
  corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +442,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +439,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
  dev_read_urand(fenced_t)
@@ -81258,7 +81442,7 @@ index 6cf79c4..37290b0 100644
  
  storage_raw_read_fixed_disk(fenced_t)
  storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +452,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +449,7 @@ term_getattr_pty_fs(fenced_t)
  term_use_generic_ptys(fenced_t)
  term_use_ptmx(fenced_t)
  
@@ -81267,7 +81451,7 @@ index 6cf79c4..37290b0 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +474,8 @@ optional_policy(`
+@@ -182,7 +471,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81277,7 +81461,7 @@ index 6cf79c4..37290b0 100644
  ')
  
  optional_policy(`
-@@ -190,12 +483,12 @@ optional_policy(`
+@@ -190,12 +480,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81293,7 +81477,7 @@ index 6cf79c4..37290b0 100644
  ')
  
  optional_policy(`
-@@ -203,6 +496,13 @@ optional_policy(`
+@@ -203,6 +493,13 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -81307,7 +81491,7 @@ index 6cf79c4..37290b0 100644
  #######################################
  #
  # foghorn local policy
-@@ -221,16 +521,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +518,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
  corenet_tcp_connect_agentx_port(foghorn_t)
  corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
@@ -81328,7 +81512,12 @@ index 6cf79c4..37290b0 100644
  	snmp_stream_connect(foghorn_t)
  ')
  
-@@ -252,11 +554,16 @@ kernel_read_system_state(gfs_controld_t)
+@@ -247,16 +546,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
+ stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+ stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+ 
+-kernel_read_system_state(gfs_controld_t)
+ 
  dev_rw_dlm_control(gfs_controld_t)
  dev_setattr_dlm_control(gfs_controld_t)
  dev_rw_sysfs(gfs_controld_t)
@@ -81345,7 +81534,7 @@ index 6cf79c4..37290b0 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +582,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +578,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
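Review bot: removing kernel_read_system_state(gfs_controld_t) leaves two consecutive blank lines in rhcs.te (the blank context line before the removed line and the one after it); drop one of them so the block matches the single-blank-line layout used elsewhere in the file.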
@@ -81405,7 +81594,15 @@ index 6cf79c4..37290b0 100644
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +675,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -292,7 +642,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+ manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+ files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
+ 
+-kernel_read_system_state(qdiskd_t)
+ kernel_read_software_raid_state(qdiskd_t)
+ kernel_getattr_core_if(qdiskd_t)
+ 
+@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -81517,10 +81714,10 @@ index 0000000..bf11e25
 +')
 diff --git a/rhev.te b/rhev.te
 new file mode 100644
-index 0000000..26f7884
+index 0000000..eeee78a
 --- /dev/null
 +++ b/rhev.te
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,124 @@
 +policy_module(rhev,1.0)
 +
 +########################################
@@ -81604,10 +81801,18 @@ index 0000000..26f7884
 +    dbus_system_bus_client(rhev_agentd_t)
 +    dbus_connect_system_bus(rhev_agentd_t)
 +	dbus_session_bus_client(rhev_agentd_t)
++
++    optional_policy(`
++        systemd_dbus_chat_logind(rhev_agentd_t)
++    ')
++
++    optional_policy(`
++        xserver_dbus_chat_xdm(rhev_agentd_t)
++    ')
++
 +')
 +
 +optional_policy(`
-+   xserver_dbus_chat_xdm(rhev_agentd_t)
 +   xserver_stream_connect(rhev_agentd_t)
 +')
 +
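Review bot: the new nested optional_policy blocks for systemd_dbus_chat_logind and xserver_dbus_chat_xdm are indented with four spaces while dbus_session_bus_client(rhev_agentd_t) directly above uses a tab, and the extra blank line added before the closing ') is unnecessary. Keeping both dbus-chat calls inside the dbus optional block (and removing the stray xserver_dbus_chat_xdm from the xserver block) is the right placement. This hunk also gives rhev_agentd_t dbus access to logind without a bug reference in the commit; please add one saying which rhev-agent operation needs it.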
@@ -87233,7 +87438,7 @@ index 50d07fb..bada62f 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..e89790e 100644
+index 2b7c441..d16940f 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -87828,7 +88033,7 @@ index 2b7c441..e89790e 100644
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -499,9 +513,36 @@ optional_policy(`
+@@ -499,9 +513,44 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -87842,9 +88047,13 @@ index 2b7c441..e89790e 100644
 +tunable_policy(`samba_export_all_ro',`
 +	allow nmbd_t self:capability { dac_read_search dac_override };
 +	fs_read_noxattr_fs_files(smbd_t) 
-+	files_read_non_security_files(smbd_t) 
++	files_read_non_security_files(smbd_t)
++    files_dontaudit_search_security_files(smbd_t)
++    files_dontaudit_read_security_files(smbd_t)
 +	fs_read_noxattr_fs_files(nmbd_t) 
 +	files_read_non_security_files(nmbd_t) 
++    files_dontaudit_search_security_files(nmbd_t)
++    files_dontaudit_read_security_files(nmbd_t)
 +')
 +
 +tunable_policy(`samba_export_all_rw',`
@@ -87852,9 +88061,13 @@ index 2b7c441..e89790e 100644
 +	fs_manage_noxattr_fs_files(smbd_t) 
 +	files_manage_non_security_files(smbd_t)
 +    files_manage_non_security_dirs(smbd_t)
++    files_dontaudit_search_security_files(smbd_t)
++    files_dontaudit_read_security_files(smbd_t)
 +	fs_manage_noxattr_fs_files(nmbd_t) 
 +	files_manage_non_security_files(nmbd_t)
 +    files_manage_non_security_dirs(nmbd_t)
++    files_dontaudit_search_security_files(nmbd_t)
++    files_dontaudit_read_security_files(nmbd_t)
 +')
 +
 +userdom_filetrans_home_content(nmbd_t)
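Review bot: the four files_dontaudit_search_security_files / files_dontaudit_read_security_files calls are indented with four spaces where the tunable bodies mostly use a tab, and only one trailing-whitespace line (files_read_non_security_files(smbd_t)) was cleaned up while fs_read_noxattr_fs_files(smbd_t) and the nmbd_t lines still end in a space; tidy all of them or none. On behaviour: dontaudit only silences the AVC, the read of security_file-labelled content is still denied, so once samba_export_all_ro or samba_export_all_rw is on those denials no longer appear in the audit log. That is reasonable for an export-everything boolean, but an admin debugging a share can still surface them with semodule -DB.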
@@ -87866,7 +88079,7 @@ index 2b7c441..e89790e 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +553,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +561,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -87881,7 +88094,7 @@ index 2b7c441..e89790e 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +569,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +577,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -87905,7 +88118,7 @@ index 2b7c441..e89790e 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +585,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +593,44 @@ kernel_read_kernel_sysctls(nmbd_t)
  kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
@@ -87974,7 +88187,7 @@ index 2b7c441..e89790e 100644
  ')
  
  optional_policy(`
-@@ -606,16 +635,22 @@ optional_policy(`
+@@ -606,16 +643,22 @@ optional_policy(`
  
  ########################################
  #
@@ -88001,7 +88214,7 @@ index 2b7c441..e89790e 100644
  
  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
  
-@@ -627,16 +662,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +670,11 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -88019,7 +88232,7 @@ index 2b7c441..e89790e 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +674,23 @@ optional_policy(`
+@@ -644,22 +682,23 @@ optional_policy(`
  
  ########################################
  #
@@ -88051,7 +88264,7 @@ index 2b7c441..e89790e 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +699,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +707,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -88087,7 +88300,7 @@ index 2b7c441..e89790e 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +726,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +734,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -88179,7 +88392,7 @@ index 2b7c441..e89790e 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +805,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +813,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -88203,7 +88416,7 @@ index 2b7c441..e89790e 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +819,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +827,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -88246,7 +88459,7 @@ index 2b7c441..e89790e 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +849,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +857,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -88260,7 +88473,7 @@ index 2b7c441..e89790e 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -840,17 +872,20 @@ optional_policy(`
+@@ -840,17 +880,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -88286,7 +88499,7 @@ index 2b7c441..e89790e 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +895,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +903,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -88297,7 +88510,7 @@ index 2b7c441..e89790e 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +906,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +914,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -88327,7 +88540,7 @@ index 2b7c441..e89790e 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -898,13 +929,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +937,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -88348,7 +88561,7 @@ index 2b7c441..e89790e 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +947,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +955,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -88407,7 +88620,7 @@ index 2b7c441..e89790e 100644
  ')
  
  optional_policy(`
-@@ -959,31 +1008,29 @@ optional_policy(`
+@@ -959,31 +1016,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -88445,7 +88658,7 @@ index 2b7c441..e89790e 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1044,38 @@ optional_policy(`
+@@ -997,25 +1052,38 @@ optional_policy(`
  
  ########################################
  #
@@ -89800,7 +90013,7 @@ index cd6c213..34b861a 100644
 +	allow $1 sanlock_unit_file_t:service all_service_perms;
  ')
 diff --git a/sanlock.te b/sanlock.te
-index 0045465..7d3129e 100644
+index 0045465..027faf2 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0)
@@ -89870,7 +90083,7 @@ index 0045465..7d3129e 100644
  logging_log_filetrans(sanlock_t, sanlock_log_t, file)
  
  manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
-@@ -65,13 +71,15 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+@@ -65,13 +71,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
  kernel_read_system_state(sanlock_t)
  kernel_read_kernel_sysctls(sanlock_t)
  
@@ -89885,11 +90098,12 @@ index 0045465..7d3129e 100644
  
 +dev_read_rand(sanlock_t)
 +dev_read_urand(sanlock_t)
++dev_read_sysfs(sanlock_t)
 +
  auth_use_nsswitch(sanlock_t)
  
  init_read_utmp(sanlock_t)
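Review bot: dev_read_sysfs(sanlock_t) is a new permission with no bug reference in the commit; please note what sanlock reads from sysfs so the rule can be justified later. Its placement next to the other dev_* calls is fine.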
-@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t)
+@@ -79,20 +88,29 @@ init_dontaudit_write_utmp(sanlock_t)
  
  logging_send_syslog_msg(sanlock_t)
  
@@ -89928,13 +90142,14 @@ index 0045465..7d3129e 100644
  ')
  
  optional_policy(`
-@@ -100,7 +117,8 @@ optional_policy(`
+@@ -100,7 +118,9 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	virt_kill_all_virt_domains(sanlock_t)
 +	virt_kill_svirt(sanlock_t)
 +	virt_kill(sanlock_t)
++    virt_signal(sanlock_t)
  	virt_manage_lib_files(sanlock_t)
 -	virt_signal_all_virt_domains(sanlock_t)
 +	virt_signal_svirt(sanlock_t)
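Review bot: virt_signal(sanlock_t) is indented with four spaces while the neighbouring virt_kill(sanlock_t) and virt_signal_svirt(sanlock_t) use a tab. The interface it calls is the new virt_signal added to virt.if in this same patch (allow $1 virtd_t:process signal), so the virt.if hunk must land together with this one; keeping the call inside the virt optional_policy block is correct.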
@@ -91507,10 +91722,10 @@ index d204752..31cc6e6 100644
 +	')
  ')
 diff --git a/sensord.te b/sensord.te
-index 5e82fd6..d31876d 100644
+index 5e82fd6..80cb2bc 100644
 --- a/sensord.te
 +++ b/sensord.te
-@@ -9,27 +9,37 @@ type sensord_t;
+@@ -9,27 +9,38 @@ type sensord_t;
  type sensord_exec_t;
  init_daemon_domain(sensord_t, sensord_exec_t)
  
@@ -91547,6 +91762,7 @@ index 5e82fd6..d31876d 100644
  
 -files_read_etc_files(sensord_t)
 +dev_read_sysfs(sensord_t)
++dev_getattr_sysfs_fs(sensord_t)
  
  logging_send_syslog_msg(sensord_t)
  
@@ -93924,7 +94140,7 @@ index 634c6b4..f6db7a7 100644
 +')
 +
 diff --git a/sosreport.te b/sosreport.te
-index f2f507d..0d4a35c 100644
+index f2f507d..9cf6dda 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -94092,7 +94308,7 @@ index f2f507d..0d4a35c 100644
  ')
  
  optional_policy(`
-@@ -147,13 +201,34 @@ optional_policy(`
+@@ -147,13 +201,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -94127,6 +94343,7 @@ index f2f507d..0d4a35c 100644
 +
 +optional_policy(`
 +    unconfined_signull(sosreport_t)
++    unconfined_domain(sosreport_t)
  ')
  
  optional_policy(`
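Review bot: unconfined_domain(sosreport_t) makes sosreport_t an unconfined domain whenever the unconfined module is loaded, which renders the targeted allow rules elsewhere in sosreport.te (and the unconfined_signull beside it) redundant on such systems, and the domain stays confined only on builds without that module. If this is the intended model, say so in a comment at the top of the file so later reviewers do not keep adding targeted rules. Indentation here is four spaces against the file's tabs.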
@@ -97048,10 +97265,10 @@ index 49d688d..f07cc80 100644
  sysnet_dns_name_resolve(svnserve_t)
 diff --git a/swift.fc b/swift.fc
 new file mode 100644
-index 0000000..7e59e7e
+index 0000000..79e43aa
 --- /dev/null
 +++ b/swift.fc
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,35 @@
 +/usr/bin/swift-account-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-reaper		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-replicator	--	gen_context(system_u:object_r:swift_exec_t,s0)
@@ -97078,6 +97295,8 @@ index 0000000..7e59e7e
 +/var/cache/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_cache_t,s0)
 +/var/run/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_run_t,s0)
 +
++/var/lib/swift(/.*)?                gen_context(system_u:object_r:swift_data_t,s0)
++
 +# This seems to be a de-facto standard when using swift.
 +/srv/node(/.*)?		gen_context(system_u:object_r:swift_data_t,s0)
 +
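Review bot: the new /var/lib/swift(/.*)? entry correctly carries no file-type qualifier, so the whole tree gets swift_data_t, but it is inserted after the /var/cache and /var/run entries, breaking the file's path ordering, and it is aligned with spaces where the rest of the file uses tabs. While here: the adjacent /var/cache/swift(/.*)? and /var/run/swift(/.*)? entries carry "--", which restricts them to regular files, so the directories themselves will not be labelled swift_var_cache_t / swift_var_run_t; that is pre-existing but worth fixing in the same file.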
@@ -102643,7 +102862,7 @@ index a4f20bc..9ccc90c 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..c43ef2e 100644
+index facdee8..c7a2d97 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -104026,7 +104245,7 @@ index facdee8..c43ef2e 100644
  ########################################
  ## <summary>
 -##	Search virt image directories.
-+##	Send a signal to virtual machines
++##	Send a signal to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -104035,34 +104254,34 @@ index facdee8..c43ef2e 100644
  ## </param>
  #
 -interface(`virt_search_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_signal',`
  	gen_require(`
 -		attribute virt_image_type;
-+		attribute virt_domain;
++		type virtd_t;
  	')
  
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir search_dir_perms;
-+	allow $1 virt_domain:process signal;
++	allow $1 virtd_t:process signal;
  ')
  
  ########################################
  ## <summary>
 -##	Read virt image files.
-+##	Manage virt home files.
++##	Send a signal to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +1016,57 @@ interface(`virt_search_images',`
+@@ -995,57 +1016,75 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_read_images',`
-+interface(`virt_manage_home_files',`
++interface(`virt_signal_svirt',`
  	gen_require(`
 -		type virt_var_lib_t;
 -		attribute virt_image_type;
-+		type virt_home_t;
++		attribute virt_domain;
  	')
  
 -	virt_search_lib($1)
@@ -104071,8 +104290,7 @@ index facdee8..c43ef2e 100644
 -	read_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+	userdom_search_user_home_dirs($1)
-+	manage_files_pattern($1, virt_home_t, virt_home_t)
++	allow $1 virt_domain:process signal;
 +')
  
 -	tunable_policy(`virt_use_nfs',`
@@ -104081,30 +104299,30 @@ index facdee8..c43ef2e 100644
 -		fs_read_nfs_symlinks($1)
 +########################################
 +## <summary>
-+##	allow domain to read
-+##	virt tmpfs files
++##	Manage virt home files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`virt_read_tmpfs_files',`
++interface(`virt_manage_home_files',`
 +	gen_require(`
-+		attribute virt_tmpfs_type;
++		type virt_home_t;
  	')
  
 -	tunable_policy(`virt_use_samba',`
 -		fs_list_cifs($1)
 -		fs_read_cifs_files($1)
 -		fs_read_cifs_symlinks($1)
-+	allow $1 virt_tmpfs_type:file read_file_perms;
++	userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, virt_home_t, virt_home_t)
 +')
 +
 +########################################
 +## <summary>
-+##	allow domain to manage
++##	allow domain to read
 +##	virt tmpfs files
 +## </summary>
 +## <param name="domain">
@@ -104113,38 +104331,63 @@ index facdee8..c43ef2e 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`virt_manage_tmpfs_files',`
++interface(`virt_read_tmpfs_files',`
 +	gen_require(`
 +		attribute virt_tmpfs_type;
  	')
 +
-+	allow $1 virt_tmpfs_type:file manage_file_perms;
++	allow $1 virt_tmpfs_type:file read_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Read and write all virt image
 -##	character files.
-+##	Create .virt directory in the user home directory
-+##	with an correct label.
++##	allow domain to manage
++##	virt tmpfs files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +1074,28 @@ interface(`virt_read_images',`
+-##	Domain allowed access.
++##	Domain allowed access
  ##	</summary>
  ## </param>
  #
 -interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_filetrans_home_content',`
++interface(`virt_manage_tmpfs_files',`
  	gen_require(`
 -		attribute virt_image_type;
-+		type virt_home_t;
-+		type svirt_home_t;
++		attribute virt_tmpfs_type;
  	')
  
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir list_dir_perms;
 -	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
++	allow $1 virt_tmpfs_type:file manage_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	svirt cache files.
++##	Create .virt directory in the user home directory
++##	with an correct label.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1053,15 +1092,28 @@ interface(`virt_rw_all_image_chr_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_svirt_cache',`
+-	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
+-	virt_manage_virt_cache($1)
++interface(`virt_filetrans_home_content',`
++	gen_require(`
++		type virt_home_t;
++		type svirt_home_t;
++	')
++
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
 +	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
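Review bot: the reordering here makes virt_signal (allow $1 virtd_t:process signal) precede virt_signal_svirt (allow $1 virt_domain:process signal), and the two bodies are distinct, which is fine. One nit that is still visible in this hunk: the inner diff rewrites the existing "Domain allowed access." doc line as "Domain allowed access" (period dropped) for virt_manage_tmpfs_files, while virt_manage_home_files just above keeps the period; leave the original line untouched so the doc strings stay consistent.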
@@ -104161,34 +104404,36 @@ index facdee8..c43ef2e 100644
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
--##	svirt cache files.
+-##	virt cache content.
 +##	Dontaudit attempts to Read virt_image_type devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,37 +1103,133 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1069,21 +1121,133 @@ interface(`virt_manage_svirt_cache',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_svirt_cache',`
--	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
--	virt_manage_virt_cache($1)
+-interface(`virt_manage_virt_cache',`
 +interface(`virt_dontaudit_read_chr_dev',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_cache_t;
 +		attribute virt_image_type;
-+	')
-+
+ 	')
+ 
+-	files_search_var($1)
+-	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_files_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
--##	virt cache content.
+-##	virt image files.
 +##	Creates types and rules for a basic
 +##	virt_lxc process domain.
- ## </summary>
--## <param name="domain">
++## </summary>
 +## <param name="prefix">
 +##	<summary>
 +##	Prefix for the domain.
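Review bot: apart from the hunk header moving from 1053 to 1069/1121, nothing changes here in the resulting virt.if: the removal of virt_manage_virt_cache() (the virt_cache_t require, files_search_var and the three manage_*_pattern rules) and the addition of virt_dontaudit_read_chr_dev() were already in the previous revision of the patch, and this hunk only moves those lines between `-`/`+` and context because virt_manage_tmpfs_files() was inserted above them. While the summary is being touched, "Dontaudit attempts to Read virt_image_type devices." capitalizes "Read" mid-sentence.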
@@ -104217,7 +104462,7 @@ index facdee8..c43ef2e 100644
 +##	Make the specified type usable as a lxc domain
 +## </summary>
 +## <param name="type">
- ##	<summary>
++##	<summary>
 +##	Type to be used as a lxc domain
 +##	</summary>
 +## </param>
@@ -104236,7 +104481,7 @@ index facdee8..c43ef2e 100644
 +## </summary>
 +## <param name="domain">
 +## <summary>
- ##	Domain allowed access.
++##	Domain allowed access.
 +## </summary>
 +## </param>
 +#
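Review bot: context-only hunk; the `## <summary>` and `## </summary>` lines for the `domain` parameter here are the only ones in this block of interfaces written without the tab indentation (`##	<summary>`) that the rest of the file uses, so the generated interface documentation will look uneven for this interface. Since the patch is being regenerated anyway, this is a cheap place to normalize it.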
@@ -104255,30 +104500,22 @@ index facdee8..c43ef2e 100644
 +## <param name="domain">
 +##	<summary>
 +##      Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`virt_manage_virt_cache',`
++##	</summary>
++## </param>
++#
 +interface(`virt_filetrans_named_content',`
- 	gen_require(`
--		type virt_cache_t;
++	gen_require(`
 +		type virt_lxc_var_run_t;
 +		type virt_var_run_t;
- 	')
- 
--	files_search_var($1)
--	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
--	manage_files_pattern($1, virt_cache_t, virt_cache_t)
--	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
++	')
++
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	virt image files.
++')
++
++########################################
++## <summary>
 +##	Execute qemu in the svirt domain, and
 +##	allow the specified role the svirt domain.
 +## </summary>
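Review bot: again only a `-`/`+` to context re-alignment of lines already present in the previous patch revision (virt_filetrans_named_content() and the svirt run-as interface header), so nothing new to review functionally. One pre-existing style point worth fixing while here: `##      Domain allowed access.` in the virt_filetrans_named_content() parameter block indents with spaces where every other parameter description in the file uses a tab.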
@@ -104314,7 +104551,7 @@ index facdee8..c43ef2e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1237,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1255,54 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -104388,7 +104625,7 @@ index facdee8..c43ef2e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1300,53 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1318,53 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -104427,30 +104664,30 @@ index facdee8..c43ef2e 100644
  
 -	fs_search_tmpfs($1)
 -	admin_pattern($1, virt_tmpfs_type)
-+	allow $1 virt_domain:process signal_perms;
- 
+-
 -	files_search_tmp($1)
 -	admin_pattern($1, { virt_tmp_type virt_tmp_t })
-+	admin_pattern($1, virt_file_type)
-+	admin_pattern($1, svirt_file_type)
- 
+-
 -	files_search_etc($1)
 -	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
-+	virt_systemctl($1)
-+	allow $1 virtd_unit_file_t:service all_service_perms;
- 
+-
 -	logging_search_logs($1)
 -	admin_pattern($1, virt_log_t)
 -
 -	files_search_pids($1)
 -	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
--
++	allow $1 virt_domain:process signal_perms;
+ 
 -	files_search_var($1)
 -	admin_pattern($1, svirt_cache_t)
--
++	admin_pattern($1, virt_file_type)
++	admin_pattern($1, svirt_file_type)
+ 
 -	files_search_var_lib($1)
 -	admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
--
++	virt_systemctl($1)
++	allow $1 virtd_unit_file_t:service all_service_perms;
+ 
 -	files_search_locks($1)
 -	admin_pattern($1, virt_lock_t)
 +	virt_stream_connect_sandbox($1)
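Review bot: this hunk does not change the resulting virt_admin() at all; it only moves the three `+` groups (`allow $1 virt_domain:process signal_perms;`, the two admin_pattern lines on virt_file_type/svirt_file_type, and the virt_systemctl/virtd_unit_file_t service rule) from being interleaved with the removed refpolicy lines to sitting after them. That is harmless patch-regeneration noise, but it makes the real virt changes in this commit (the read_file_perms correction and the new virt_manage_tmpfs_files()) harder to spot in review; it would be cleaner to either regenerate the whole patch in one separate commit or leave this hunk out.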
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bfb0853..cd7d2d7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 85%{?dist}
+Release: 86%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,42 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Oct 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-86
+- Dontaudit aicuu to search home config dir. BZ (#1104076)
+- couchdb is using erlang so it needs execmem privs
+- ALlow sanlock to send a signal to virtd_t.
+- Allow mondogdb to  'accept' accesses on the tcp_socket port.
+- Make sosreport as unconfined domain.
+- Allow nova-console to connect to mem_cache port.
+- Allow mandb to getattr on file systems
+- Allow read antivirus domain all kernel sysctls.
+- Allow lmsd_plugin to read passwd file. BZ(1093733)
+- Label /usr/share/corosync/corosync as cluster_exec_t.
+- ALlow sensord to getattr on sysfs.
+- automount policy is non-base module so it needs to be called in optional block.
+- Add auth_use_nsswitch for portreserve to make it working with sssd.
+- Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.
+- Allow openvpn to execute  systemd-passwd-agent in  systemd_passwd_agent_t to make openvpn working with systemd.
+- Allow openvpn to access /sys/fs/cgroup dir.
+- Allow nova-scheduler to read certs
+- Add support for /var/lib/swiftdirectory.
+- Allow neutron connections to system dbus.
+- Allow mongodb to manage own log files.
+- Allow opensm_t to read/write /dev/infiniband/umad1.
+- Added policy for mon_statd and mon_procd services. BZ (1077821)
+- kernel_read_system_state needs to be called with type. Moved it to antivirus.if.
+- Allow dnssec_trigger_t to execute unbound-control in own domain.
+- Allow all RHCS services to read system state.
+- Added monitor device
+- Add interfaces for /dev/infiniband
+- Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type.
+- Add files_dontaudit_search_security_files()
+- Add selinuxuser_udp_server boolean
+- ALlow syslogd_t to create /var/log/cron  with correct labeling
+- Add support for /etc/.updated and /var/.updated
+- Allow iptables read fail2ban logs. BZ (1147709)
+- ALlow ldconfig to read proc//net/sockstat.
+
 * Mon Oct 06 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-85
 - Allow nova domains to getattr on all filesystems.
 - ALlow zebra for user/group look-ups.
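Review bot: the changelog entry does not mention the virt interface changes this commit actually carries (narrowing the tmpfs read interface to read_file_perms and adding virt_manage_tmpfs_files()), so anyone reading the %changelog will not know virt.if was touched; add a line for them. The entry also has several typos that will be frozen into the package metadata: "ALlow" (four times) for "Allow", "mondogdb" for "mongodb", "/var/lib/swiftdirectory" (missing space before "directory"), "proc//net/sockstat" (doubled slash), "Make sosreport as unconfined domain" for "Make sosreport an unconfined domain", "Allow read antivirus domain all kernel sysctls" for "Allow antivirus domain to read all kernel sysctls", and "to make it working" for "to make it work" (twice). The bug references are also written three different ways ("BZ (#1104076)", "BZ(1093733)", "BZ (1077821)"); pick one form.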