[selinux-policy] Make build working

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jan 12 13:12:50 UTC 2015


commit 525ad6557afcf9c2b30b54dd76655f2e5500d91d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Jan 12 14:12:54 2015 +0100

    Make build working

 policy-rawhide-base.patch    |  634 +++++++++++++++---------
 policy-rawhide-contrib.patch | 1130 ++++++++++++++++++++++++++++++------------
 selinux-policy.spec          |    2 +-
 3 files changed, 1210 insertions(+), 556 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 50ce6f1..919513d 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1,5 +1,5 @@
 diff --git a/Makefile b/Makefile
-index ec7b5cb..7ff79da 100644
+index ec7b5cb..029dcaf 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
@@ -15,7 +15,7 @@ index ec7b5cb..7ff79da 100644
  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
  user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
 -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts systemd_contexts) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts openssh_contexts systemd_contexts) $(contextpath)/files/media $(user_default_contexts_names)
  net_contexts := $(builddir)net_contexts
  
  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
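Review bot: Adding `openssh_contexts` to `appfiles` makes the install expect `config/appconfig-$(TYPE)/openssh_contexts` for each TYPE, and the commit supplies it for mcs, mls and standard as three byte-identical files (`index 0000000..6de0b01`, hunks below) holding only `privsep_preauth=sshd_net_t`. The type `sshd_net_t` is not defined anywhere in this base patch — presumably it comes from the ssh module in policy-rawhide-contrib.patch — so a base-only policy would ship a context file naming a type the loaded policy may lack; how sshd behaves when the privsep context it is told to use does not exist is worth confirming before relying on this. The `appfiles` assignment itself is one line, so no other part of the Makefile changes here.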
@@ -58,6 +58,13 @@ index 313d837..ef3c532 100644
  	@echo "Success."
  
  ########################################
+diff --git a/config/appconfig-mcs/openssh_contexts b/config/appconfig-mcs/openssh_contexts
+new file mode 100644
+index 0000000..6de0b01
+--- /dev/null
++++ b/config/appconfig-mcs/openssh_contexts
+@@ -0,0 +1 @@
++privsep_preauth=sshd_net_t
 diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
 index 881a292..80110a4 100644
 --- a/config/appconfig-mcs/staff_u_default_contexts
@@ -116,6 +123,13 @@ index d387b42..150f281 100644
 @@ -1 +1,2 @@
  system_u:system_r:svirt_t:s0
 +system_u:system_r:svirt_tcg_t:s0
+diff --git a/config/appconfig-mls/openssh_contexts b/config/appconfig-mls/openssh_contexts
+new file mode 100644
+index 0000000..6de0b01
+--- /dev/null
++++ b/config/appconfig-mls/openssh_contexts
+@@ -0,0 +1 @@
++privsep_preauth=sshd_net_t
 diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
 index 881a292..80110a4 100644
 --- a/config/appconfig-mls/staff_u_default_contexts
@@ -149,6 +163,13 @@ index cacbc93..4f59f94 100644
  system_r:xdm_t:s0		user_r:user_t:s0
  user_r:user_su_t:s0		user_r:user_t:s0
  user_r:user_sudo_t:s0		user_r:user_t:s0
+diff --git a/config/appconfig-standard/openssh_contexts b/config/appconfig-standard/openssh_contexts
+new file mode 100644
+index 0000000..6de0b01
+--- /dev/null
++++ b/config/appconfig-standard/openssh_contexts
+@@ -0,0 +1 @@
++privsep_preauth=sshd_net_t
 diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
 index c2a5ea8..f63999e 100644
 --- a/config/appconfig-standard/staff_u_default_contexts
@@ -3291,7 +3312,7 @@ index 7590165..85186a9 100644
 +	fs_mounton_fusefs(seunshare_domain)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8d..9a8ff3e 100644
+index 33e0f8d..b48c654 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3314,8 +3335,11 @@ index 33e0f8d..9a8ff3e 100644
  /etc/avahi/.*\.action 		--	gen_context(system_u:object_r:bin_t,s0)
  
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -69,16 +71,25 @@ ifdef(`distro_redhat',`
+@@ -67,18 +69,28 @@ ifdef(`distro_redhat',`
+ /etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:bin_t,s0)
+ 
  /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
++/etc/kde/kdm(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
 +/etc/redhat-lsb(/.*)?			gen_context(system_u:object_r:bin_t,s0)
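Review bot: The new `/etc/kde/kdm(/.*)?` entry labels the entire kdm tree `bin_t`, which sweeps in any non-executable configuration kept there (kdmrc-style settings, if the directory holds them) along with the session scripts, whereas the xdm entries later in this file (`/etc/X11/xdm/GiveConsole --` and siblings) label only the individual scripts. If the goal is just to let the display manager run its Xsession/Xsetup helpers, narrowing the pattern to those files keeps plain configuration at its default label and matches the existing xdm style. The preceding `/etc/kde/env` and `/etc/kde/shutdown` entries are context lines, not part of this change.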
@@ -3340,7 +3364,7 @@ index 33e0f8d..9a8ff3e 100644
  
  /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
  
-@@ -101,8 +112,6 @@ ifdef(`distro_redhat',`
+@@ -101,8 +113,6 @@ ifdef(`distro_redhat',`
  
  /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
  
@@ -3349,7 +3373,7 @@ index 33e0f8d..9a8ff3e 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -116,6 +125,9 @@ ifdef(`distro_redhat',`
+@@ -116,6 +126,9 @@ ifdef(`distro_redhat',`
  
  /etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
@@ -3359,7 +3383,7 @@ index 33e0f8d..9a8ff3e 100644
  /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -135,10 +147,12 @@ ifdef(`distro_debian',`
+@@ -135,10 +148,12 @@ ifdef(`distro_debian',`
  /lib/nut/.*			--	gen_context(system_u:object_r:bin_t,s0)
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -3373,7 +3397,7 @@ index 33e0f8d..9a8ff3e 100644
  
  ifdef(`distro_gentoo',`
  /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -149,10 +163,12 @@ ifdef(`distro_gentoo',`
+@@ -149,10 +164,12 @@ ifdef(`distro_gentoo',`
  /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -3387,7 +3411,7 @@ index 33e0f8d..9a8ff3e 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +184,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +185,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -3395,7 +3419,7 @@ index 33e0f8d..9a8ff3e 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,34 +196,50 @@ ifdef(`distro_gentoo',`
+@@ -179,34 +197,50 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -3455,7 +3479,7 @@ index 33e0f8d..9a8ff3e 100644
  /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -218,19 +251,32 @@ ifdef(`distro_gentoo',`
+@@ -218,19 +252,32 @@ ifdef(`distro_gentoo',`
  /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3495,7 +3519,7 @@ index 33e0f8d..9a8ff3e 100644
  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -245,26 +291,40 @@ ifdef(`distro_gentoo',`
+@@ -245,26 +292,40 @@ ifdef(`distro_gentoo',`
  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3541,7 +3565,7 @@ index 33e0f8d..9a8ff3e 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -280,10 +340,15 @@ ifdef(`distro_gentoo',`
+@@ -280,10 +341,15 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -3557,7 +3581,7 @@ index 33e0f8d..9a8ff3e 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -298,16 +363,22 @@ ifdef(`distro_gentoo',`
+@@ -298,16 +364,22 @@ ifdef(`distro_gentoo',`
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@@ -3582,7 +3606,7 @@ index 33e0f8d..9a8ff3e 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -325,20 +396,27 @@ ifdef(`distro_redhat', `
+@@ -325,20 +397,27 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -3611,7 +3635,7 @@ index 33e0f8d..9a8ff3e 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -346,6 +424,7 @@ ifdef(`distro_redhat', `
+@@ -346,6 +425,7 @@ ifdef(`distro_redhat', `
  /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -3619,7 +3643,7 @@ index 33e0f8d..9a8ff3e 100644
  /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,11 +466,16 @@ ifdef(`distro_suse', `
+@@ -387,11 +467,16 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -3637,7 +3661,7 @@ index 33e0f8d..9a8ff3e 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -401,3 +485,12 @@ ifdef(`distro_suse', `
+@@ -401,3 +486,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -5493,7 +5517,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..87df0ad 100644
+index b191055..94987a2 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5647,7 +5671,7 @@ index b191055..87df0ad 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +177,54 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +177,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5701,6 +5725,7 @@ index b191055..87df0ad 100644
 +network_port(luci, tcp,8084,s0)
 +network_port(lmtp, tcp,24,s0, udp,24,s0, tcp,2003,s0)
  network_port(lrrd) # no defined portcon
++network_port(lsm_plugin, tcp,18700,s0)
 +network_port(l2tp, tcp,1701,s0, udp,1701,s0)
  network_port(mail, tcp,2000,s0, tcp,3905,s0)
  network_port(matahari, tcp,49000,s0, udp,49000,s0)
@@ -5717,7 +5742,7 @@ index b191055..87df0ad 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +232,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +233,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5758,7 +5783,7 @@ index b191055..87df0ad 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -213,68 +269,79 @@ network_port(postgrey, tcp,60000,s0)
+@@ -213,68 +270,79 @@ network_port(postgrey, tcp,60000,s0)
  network_port(pptp, tcp,1723,s0, udp,1723,s0)
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@@ -5774,7 +5799,7 @@ index b191055..87df0ad 100644
 -network_port(radius, udp,1645,s0, udp,1812,s0)
 +network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
 +network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
-+network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0)
++network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0, tcp,18120-18121,s0, udp,18120-18121, s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
 +network_port(time, tcp,37,s0, udp,37,s0)
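Review bot: The appended tuple `udp,18120-18121, s0` carries a stray space before `s0`, unlike every other tuple on the radius line; m4 should strip that leading blank from the unquoted argument, but the line reads inconsistently, and `tcp,18120-18121,s0, udp,18120-18121,s0` keeps the established form. Extending `radius_port_t` to 18120-18121 also means every domain already allowed to bind or connect to the RADIUS ports gains these two at once; if they serve a function distinct from 1812/1813, a dedicated port type would keep that grant narrow, which is worth confirming against the intended consumer.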
@@ -5851,7 +5876,7 @@ index b191055..87df0ad 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +355,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +356,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5878,7 +5903,7 @@ index b191055..87df0ad 100644
  
  ########################################
  #
-@@ -333,6 +404,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +405,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5887,7 +5912,7 @@ index b191055..87df0ad 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -345,9 +418,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +419,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -5919,7 +5944,7 @@ index b191055..87df0ad 100644
 +typealias  neutron_server_packet_t alias quantum_server_packet_t;
 +typealias  neutron_client_packet_t alias quantum_client_packet_t;
 diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
-index 3f6e168..51ad69a 100644
+index 3f6e168..340e49f 100644
 --- a/policy/modules/kernel/corenetwork.te.m4
 +++ b/policy/modules/kernel/corenetwork.te.m4
 @@ -86,6 +86,11 @@ define(`add_port_attribute',`dnl
@@ -5927,7 +5952,7 @@ index 3f6e168..51ad69a 100644
  ')
  
 +define(`add_ephemeral_attribute',`dnl
-+ifelse(eval(range_start($3) >= 32768 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type;
++ifelse(eval(range_start($3) >= 50000 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type;
 +',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl
 +')
 +
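Review bot: Raising the floor in `add_ephemeral_attribute` from 32768 to 50000 silently changes which port types receive `ephemeral_port_type`: any `network_port` whose range starts between 32768 and 49999 loses the attribute, and with it whatever the ephemeral-port interfaces grant; because the macro recurses into itself on the next line, the new threshold applies to every range of every port. The macro carries no explanation and the commit message ("Make build working") does not mention a semantic change, so a `dnl` line above the `ifelse` stating why the window now starts at 50000 — the 61001 ceiling matches the kernel's default ephemeral range ending at 60999, and the old 32768 presumably tracked its floor — would let the next reader distinguish deliberate narrowing from a typo.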
@@ -5943,7 +5968,7 @@ index 3f6e168..51ad69a 100644
  ')
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..872ff1b 100644
+index b31c054..1f28afb 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -15,15 +15,18 @@
@@ -6003,7 +6028,15 @@ index b31c054..872ff1b 100644
  /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
  /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -106,6 +115,7 @@
+@@ -90,6 +99,7 @@
+ /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
+ /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/pps.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
++/dev/prandom		-c	gen_context(system_u:object_r:random_device_t,s0)
+ /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
+@@ -106,6 +116,7 @@
  /dev/snapshot		-c	gen_context(system_u:object_r:apm_bios_t,s0)
  /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@@ -6011,7 +6044,7 @@ index b31c054..872ff1b 100644
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
  /dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +128,11 @@
+@@ -118,6 +129,11 @@
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
  ')
@@ -6023,7 +6056,7 @@ index b31c054..872ff1b 100644
  /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
  /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +144,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +145,14 @@ ifdef(`distro_suse', `
  /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/watchdog.*		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -6038,7 +6071,7 @@ index b31c054..872ff1b 100644
  /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
-@@ -172,6 +189,8 @@ ifdef(`distro_suse', `
+@@ -172,6 +190,8 @@ ifdef(`distro_suse', `
  /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
  
@@ -6047,7 +6080,7 @@ index b31c054..872ff1b 100644
  /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
  /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -198,12 +217,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +218,27 @@ ifdef(`distro_debian',`
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -9020,7 +9053,7 @@ index 6a1e4d1..7ac2831 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..42c468a 100644
+index cf04cb5..005fd45 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9169,7 +9202,7 @@ index cf04cb5..42c468a 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,360 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +238,361 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -9514,6 +9547,7 @@ index cf04cb5..42c468a 100644
 +	rpm_dontaudit_leaks(domain)
 +	rpm_read_script_tmp_files(domain)
 +	rpm_inherited_fifo(domain)
++	rpm_named_filetrans(named_filetrans_domain)
 +')
 +
 +tunable_policy(`fips_mode',`
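Review bot: `rpm_named_filetrans(named_filetrans_domain)` hands the rpm name-based file transitions to every domain carrying that attribute, and nothing in the hunk says which non-rpm domains need to create rpm-labelled files; a one-line comment naming the case that motivated it would justify granting the whole attribute rather than the individual domains. The interface is not defined in this base patch — presumably it lives in the rpm module of policy-rawhide-contrib.patch, which the `optional_policy` wrapper that opens before this hunk tolerates when absent. It is the only line in the hunk that alters policy semantics, and the commit message does not cover it.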
@@ -9798,7 +9832,7 @@ index b876c48..ad25566 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..eafba08 100644
+index f962f76..f39d066 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -13114,7 +13148,7 @@ index f962f76..eafba08 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6573,10 +7950,857 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7950,875 @@ interface(`files_polyinstantiate_all',`
  ##	</summary>
  ## </param>
  #
@@ -13539,6 +13573,24 @@ index f962f76..eafba08 100644
 +
 +########################################
 +## <summary>
++##	Allow delete all tmpfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_delete_tmpfs_files',`
++	gen_require(`
++		attribute tmpfsfile;
++	')
++
++	allow $1 tmpfsfile:file delete_file_perms;
++')
++
++########################################
++## <summary>
 +##	Allow read write all tmpfs files
 +## </summary>
 +## <param name="domain">
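Review bot: The `<param>` summary of the new `files_delete_tmpfs_files` reads `Domain to not audit.` although the body is an `allow` rule, so the generated interface documentation misdescribes the parameter; it should be `##	Domain allowed access.` as in the neighbouring allow interfaces. The summary could also state what `tmpfsfile` covers, since `delete_file_perms` against the whole attribute reaches every tmpfs file type and callers should pick that deliberately; `##	Delete all tmpfs files, regardless of their type.` says so.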
@@ -15799,7 +15851,7 @@ index 7be4ddf..71e675a 100644
 +/sys/class/net/ib.* 	  --	gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..85da370 100644
+index e100d88..9e881e6 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -15921,7 +15973,33 @@ index e100d88..85da370 100644
  ##	Get the attributes of the proc filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -991,13 +1063,10 @@ interface(`kernel_read_proc_symlinks',`
+@@ -841,6 +913,25 @@ interface(`kernel_dontaudit_setattr_proc_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to set the
++##	attributes of files in /proc.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`kernel_dontaudit_setattr_proc_files',`
++	gen_require(`
++		type proc_t;
++	')
++
++	dontaudit $1 proc_t:file setattr;
++')
++
++########################################
++## <summary>
+ ##	Search directories in /proc.
+ ## </summary>
+ ## <param name="domain">
+@@ -991,13 +1082,10 @@ interface(`kernel_read_proc_symlinks',`
  #
  interface(`kernel_read_system_state',`
  	gen_require(`
@@ -15937,7 +16015,7 @@ index e100d88..85da370 100644
  ')
  
  ########################################
-@@ -1025,6 +1094,44 @@ interface(`kernel_write_proc_files',`
+@@ -1025,6 +1113,44 @@ interface(`kernel_write_proc_files',`
  
  ########################################
  ## <summary>
@@ -15982,7 +16060,7 @@ index e100d88..85da370 100644
  ##	Do not audit attempts by caller to
  ##	read system state information in proc.
  ## </summary>
-@@ -1208,6 +1315,24 @@ interface(`kernel_read_messages',`
+@@ -1208,6 +1334,24 @@ interface(`kernel_read_messages',`
  
  ########################################
  ## <summary>
@@ -16007,7 +16085,7 @@ index e100d88..85da370 100644
  ##	Allow caller to get the attributes of kernel message
  ##	interface (/proc/kmsg).
  ## </summary>
-@@ -1458,6 +1583,25 @@ interface(`kernel_list_all_proc',`
+@@ -1458,6 +1602,25 @@ interface(`kernel_list_all_proc',`
  
  ########################################
  ## <summary>
@@ -16033,7 +16111,7 @@ index e100d88..85da370 100644
  ##	Do not audit attempts to list all proc directories.
  ## </summary>
  ## <param name="domain">
-@@ -1477,6 +1621,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1640,24 @@ interface(`kernel_dontaudit_list_all_proc',`
  
  ########################################
  ## <summary>
@@ -16058,7 +16136,7 @@ index e100d88..85da370 100644
  ##	Do not audit attempts by caller to search
  ##	the base directory of sysctls.
  ## </summary>
-@@ -1672,7 +1834,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1853,7 @@ interface(`kernel_read_net_sysctls',`
  	')
  
  	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -16067,7 +16145,7 @@ index e100d88..85da370 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1693,7 +1855,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1874,7 @@ interface(`kernel_rw_net_sysctls',`
  	')
  
  	rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -16076,7 +16154,7 @@ index e100d88..85da370 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1715,7 +1877,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1896,6 @@ interface(`kernel_read_unix_sysctls',`
  	')
  
  	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@@ -16084,7 +16162,7 @@ index e100d88..85da370 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1750,16 +1911,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1930,9 @@ interface(`kernel_rw_unix_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -16102,7 +16180,7 @@ index e100d88..85da370 100644
  ')
  
  ########################################
-@@ -1771,16 +1925,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1944,9 @@ interface(`kernel_read_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -16120,7 +16198,7 @@ index e100d88..85da370 100644
  ')
  
  ########################################
-@@ -1792,16 +1939,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1958,9 @@ interface(`kernel_rw_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -16138,7 +16216,7 @@ index e100d88..85da370 100644
  ')
  
  ########################################
-@@ -1813,16 +1953,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1972,9 @@ interface(`kernel_read_modprobe_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -16156,7 +16234,7 @@ index e100d88..85da370 100644
  ')
  
  ########################################
-@@ -2085,9 +2218,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,9 +2237,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -16186,7 +16264,7 @@ index e100d88..85da370 100644
  ########################################
  ## <summary>
  ##	Allow caller to read all sysctls.
-@@ -2282,6 +2434,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2453,25 @@ interface(`kernel_list_unlabeled',`
  
  ########################################
  ## <summary>
@@ -16212,7 +16290,7 @@ index e100d88..85da370 100644
  ##	Read the process state (/proc/pid) of all unlabeled_t.
  ## </summary>
  ## <param name="domain">
-@@ -2306,7 +2477,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2496,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -16221,7 +16299,7 @@ index e100d88..85da370 100644
  ##	</summary>
  ## </param>
  #
-@@ -2488,6 +2659,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2678,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
@@ -16246,7 +16324,7 @@ index e100d88..85da370 100644
  ##	Do not audit attempts by caller to get attributes for
  ##	unlabeled character devices.
  ## </summary>
-@@ -2525,6 +2714,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2733,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
  
  ########################################
  ## <summary>
@@ -16271,12 +16349,21 @@ index e100d88..85da370 100644
  ##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
-@@ -2667,6 +2874,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,16 +2893,34 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
+-##	Receive TCP packets from an unlabeled connection.
 +##	Receive DCCP packets from an unlabeled connection.
-+## </summary>
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Receive TCP packets from an unlabeled connection.
+-##	</p>
+-##	<p>
+-##	The corenetwork interface corenet_tcp_recv_unlabeled() should
+-##	be used instead of this one.
+-##	</p>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
@@ -16293,26 +16380,26 @@ index e100d88..85da370 100644
 +
 +########################################
 +## <summary>
- ##	Receive TCP packets from an unlabeled connection.
- ## </summary>
- ## <desc>
-@@ -2694,18 +2919,37 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
++##	Receive TCP packets from an unlabeled connection.
++## </summary>
++## <desc>
++##	<p>
++##	Receive TCP packets from an unlabeled connection.
++##	</p>
++##	<p>
++##	The corenetwork interface corenet_tcp_recv_unlabeled() should
++##	be used instead of this one.
++##	</p>
+ ## </desc>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2694,6 +2938,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
--##	Do not audit attempts to receive TCP packets from an unlabeled
 +##	Do not audit attempts to receive DCCP packets from an unlabeled
- ##	connection.
- ## </summary>
--## <desc>
--##	<p>
--##	Do not audit attempts to receive TCP packets from an unlabeled
--##	connection.
--##	</p>
--##	<p>
--##	The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
--##	should be used instead of this one.
--##	</p>
++##	connection.
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
@@ -16329,22 +16416,10 @@ index e100d88..85da370 100644
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to receive TCP packets from an unlabeled
-+##	connection.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Do not audit attempts to receive TCP packets from an unlabeled
-+##	connection.
-+##	</p>
-+##	<p>
-+##	The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
-+##	should be used instead of this one.
-+##	</p>
- ## </desc>
- ## <param name="domain">
- ##	<summary>
-@@ -2803,6 +3047,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+ ##	Do not audit attempts to receive TCP packets from an unlabeled
+ ##	connection.
+ ## </summary>
+@@ -2803,6 +3066,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -16378,7 +16453,7 @@ index e100d88..85da370 100644
  
  ########################################
  ## <summary>
-@@ -2958,6 +3229,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3248,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -16403,7 +16478,7 @@ index e100d88..85da370 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3261,565 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3280,565 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -17844,7 +17919,7 @@ index 54f1827..6910c88 100644
 +/usr/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/usr/lib/udev/devices/fuse   -c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 64c4cd0..b9d9660 100644
+index 64c4cd0..542299c 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
 @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@@ -17948,7 +18023,33 @@ index 64c4cd0..b9d9660 100644
  ########################################
  ## <summary>
  ##	Create block devices in on a tmpfs filesystem with the
-@@ -716,6 +782,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+@@ -295,6 +361,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
+ 
+ ########################################
+ ## <summary>
++##	Create block devices in on a tmp filesystem with the
++##	fixed disk type via an automatic type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`storage_tmp_filetrans_fixed_disk',`
++	gen_require(`
++		type fixed_disk_device_t;
++	')
++
++	files_tmp_filetrans($1, fixed_disk_device_t, blk_file)
++')
++
++########################################
++## <summary>
+ ##	Relabel fixed disk device nodes.
+ ## </summary>
+ ## <param name="domain">
+@@ -716,6 +801,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
  	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
  ')
  
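Review bot: The summary of the new storage_tmp_filetrans_fixed_disk interface repeats the "in on" wording of the neighbouring tmpfs interface, so the generated XML doc reads "Create block devices in on a tmp filesystem"; suggest `##	Create block devices in a tmp filesystem with the` for the first summary line. The body itself (files_tmp_filetrans with blk_file) matches the documented intent, so this is documentation only.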
@@ -17973,7 +18074,7 @@ index 64c4cd0..b9d9660 100644
  ########################################
  ## <summary>
  ##	Allow the caller to directly read
-@@ -813,3 +897,452 @@ interface(`storage_unconfined',`
+@@ -813,3 +916,452 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
@@ -20507,10 +20608,10 @@ index 0000000..b680867
 +/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
 new file mode 100644
-index 0000000..0573c76
+index 0000000..2a850f2
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,653 @@
+@@ -0,0 +1,671 @@
 +## <summary>Unconfined user role</summary>
 +
 +########################################
@@ -21068,7 +21169,7 @@ index 0000000..0573c76
 +
 +########################################
 +## <summary>
-+##	Allow apps to set rlimits on userdomain
++##	Allow apps to set rlimits on unconfined user
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -21086,6 +21187,24 @@ index 0000000..0573c76
 +
 +########################################
 +## <summary>
++##	Allow apps to setsched on unconfined user
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`unconfined_setsched',`
++	gen_require(`
++		type unconfined_t;
++	')
++
++	allow $1 unconfined_t:process setsched;
++')
++
++########################################
++## <summary>
 +##	Get the process group of unconfined.
 +## </summary>
 +## <param name="domain">
@@ -23692,7 +23811,7 @@ index cc877c7..2ef9dc6 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..2873da0 100644
+index 8274418..ba82af0 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,36 @@
@@ -23755,7 +23874,7 @@ index 8274418..2873da0 100644
  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +77,31 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +77,33 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  # /tmp
  #
  
@@ -23790,12 +23909,16 @@ index 8274418..2873da0 100644
  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 +/usr/bin/Xvnc		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 +/usr/bin/x11vnc		--	gen_context(system_u:object_r:xserver_exec_t,s0)
++
++/usr/libexec/Xorg\.bin  --  gen_context(system_u:object_r:xserver_exec_t,s0)   
  
  /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
  
-@@ -92,18 +128,32 @@ ifndef(`distro_debian',`
+@@ -91,19 +129,34 @@ ifndef(`distro_debian',`
+ /var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
  /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 -/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 +/var/lib/lightdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
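Review bot: The new `/usr/libexec/Xorg\.bin` file_contexts entry carries trailing spaces after the context and uses two-space separators where every neighbouring entry is tab-separated; trailing whitespace on an fc line tends to be carried along into later rebases of this patch. Write it like its neighbours, `/usr/libexec/Xorg\.bin	--	gen_context(system_u:object_r:xserver_exec_t,s0)`, with no trailing whitespace.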
@@ -23830,7 +23953,7 @@ index 8274418..2873da0 100644
  /var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/lxdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -111,7 +161,18 @@ ifndef(`distro_debian',`
+@@ -111,7 +164,18 @@ ifndef(`distro_debian',`
  /var/run/slim.*			gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -23850,7 +23973,7 @@ index 8274418..2873da0 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..28c914d 100644
+index 6bf0ecc..b036584 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,36 @@
@@ -25586,7 +25709,7 @@ index 6bf0ecc..28c914d 100644
 +		type xdm_t;
 +	')
 +
-+	allow $1 xdm_t:key { read write };
++	allow $1 xdm_t:key { read write setattr };
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
@@ -30886,7 +31009,7 @@ index 79a45f6..b88e8a2 100644
 +	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..d4113cc 100644
+index 17eda24..32af6e4 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -31083,7 +31206,7 @@ index 17eda24..d4113cc 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,14 +228,22 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +228,23 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
@@ -31097,6 +31220,7 @@ index 17eda24..d4113cc 100644
  files_rw_generic_pids(init_t)
  files_dontaudit_search_isid_type_dirs(init_t)
 +files_read_etc_runtime_files(init_t)
++files_manage_all_locks(init_t)
  files_manage_etc_runtime_files(init_t)
 +files_manage_etc_symlinks(init_t)
  files_etc_filetrans_etc_runtime(init_t, file)
@@ -31107,7 +31231,7 @@ index 17eda24..d4113cc 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +253,53 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +254,53 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -31165,7 +31289,7 @@ index 17eda24..d4113cc 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +308,241 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +309,242 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -31211,6 +31335,7 @@ index 17eda24..d4113cc 100644
 +optional_policy(`
 +	gnome_filetrans_home_content(init_t)
 +	gnome_manage_data(init_t)
++	gnome_manage_config(init_t)
 +')
 +
 +optional_policy(`
@@ -31416,7 +31541,7 @@ index 17eda24..d4113cc 100644
  ')
  
  optional_policy(`
-@@ -216,7 +550,31 @@ optional_policy(`
+@@ -216,7 +552,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31448,7 +31573,7 @@ index 17eda24..d4113cc 100644
  ')
  
  ########################################
-@@ -225,9 +583,9 @@ optional_policy(`
+@@ -225,9 +585,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -31460,7 +31585,7 @@ index 17eda24..d4113cc 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +616,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +618,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -31477,7 +31602,7 @@ index 17eda24..d4113cc 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +641,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +643,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -31520,7 +31645,7 @@ index 17eda24..d4113cc 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +678,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +680,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -31532,7 +31657,7 @@ index 17eda24..d4113cc 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +690,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +692,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -31543,7 +31668,7 @@ index 17eda24..d4113cc 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +701,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +703,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -31553,7 +31678,7 @@ index 17eda24..d4113cc 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +710,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +712,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -31561,7 +31686,7 @@ index 17eda24..d4113cc 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +717,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +719,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -31569,7 +31694,7 @@ index 17eda24..d4113cc 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +725,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +727,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -31587,7 +31712,7 @@ index 17eda24..d4113cc 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +743,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +745,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -31601,7 +31726,7 @@ index 17eda24..d4113cc 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +758,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +760,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -31615,7 +31740,7 @@ index 17eda24..d4113cc 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +771,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +773,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -31626,7 +31751,7 @@ index 17eda24..d4113cc 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +784,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +786,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -31634,7 +31759,7 @@ index 17eda24..d4113cc 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +803,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +805,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -31658,7 +31783,7 @@ index 17eda24..d4113cc 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +836,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +838,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -31666,7 +31791,7 @@ index 17eda24..d4113cc 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +870,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +872,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -31677,7 +31802,7 @@ index 17eda24..d4113cc 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +894,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +896,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -31686,7 +31811,7 @@ index 17eda24..d4113cc 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +909,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +911,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -31694,7 +31819,7 @@ index 17eda24..d4113cc 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +930,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +932,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -31702,7 +31827,7 @@ index 17eda24..d4113cc 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +940,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +942,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -31747,7 +31872,7 @@ index 17eda24..d4113cc 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +985,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +987,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -31779,7 +31904,7 @@ index 17eda24..d4113cc 100644
  	')
  ')
  
-@@ -577,6 +1020,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1022,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -31819,7 +31944,7 @@ index 17eda24..d4113cc 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1065,8 @@ optional_policy(`
+@@ -589,6 +1067,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -31828,7 +31953,7 @@ index 17eda24..d4113cc 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1088,7 @@ optional_policy(`
+@@ -610,6 +1090,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -31836,7 +31961,7 @@ index 17eda24..d4113cc 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1105,17 @@ optional_policy(`
+@@ -626,6 +1107,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31854,7 +31979,7 @@ index 17eda24..d4113cc 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1132,13 @@ optional_policy(`
+@@ -642,9 +1134,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -31868,7 +31993,7 @@ index 17eda24..d4113cc 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1151,11 @@ optional_policy(`
+@@ -657,15 +1153,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31886,7 +32011,7 @@ index 17eda24..d4113cc 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1176,15 @@ optional_policy(`
+@@ -686,6 +1178,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31902,7 +32027,7 @@ index 17eda24..d4113cc 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1225,7 @@ optional_policy(`
+@@ -726,6 +1227,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -31910,7 +32035,7 @@ index 17eda24..d4113cc 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1243,13 @@ optional_policy(`
+@@ -743,7 +1245,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31925,7 +32050,7 @@ index 17eda24..d4113cc 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1272,10 @@ optional_policy(`
+@@ -766,6 +1274,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31936,7 +32061,7 @@ index 17eda24..d4113cc 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1285,20 @@ optional_policy(`
+@@ -775,10 +1287,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31957,7 +32082,7 @@ index 17eda24..d4113cc 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1307,10 @@ optional_policy(`
+@@ -787,6 +1309,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31968,7 +32093,7 @@ index 17eda24..d4113cc 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1332,6 @@ optional_policy(`
+@@ -808,8 +1334,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -31977,7 +32102,7 @@ index 17eda24..d4113cc 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1340,10 @@ optional_policy(`
+@@ -818,6 +1342,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31988,7 +32113,7 @@ index 17eda24..d4113cc 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1353,12 @@ optional_policy(`
+@@ -827,10 +1355,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -32001,7 +32126,7 @@ index 17eda24..d4113cc 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1385,60 @@ optional_policy(`
+@@ -857,21 +1387,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32063,7 +32188,7 @@ index 17eda24..d4113cc 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1454,10 @@ optional_policy(`
+@@ -887,6 +1456,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32074,7 +32199,7 @@ index 17eda24..d4113cc 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1468,218 @@ optional_policy(`
+@@ -897,3 +1470,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -32544,7 +32669,7 @@ index 0d4c8d3..9395313 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..efe343f 100644
+index 312cd04..1cce3ba 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -32580,8 +32705,9 @@ index 312cd04..efe343f 100644
  allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
  
  allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
- read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+-read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
  read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
++manage_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
 +filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")
  
  allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
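Review bot: Replacing read_files_pattern with manage_files_pattern on ipsec_conf_file_t lets ipsec_t create, delete and rewrite its own configuration rather than only read it, and the hunk carries no comment saying which operation needed the wider grant. A one-line comment above the new rule naming the file the daemon writes, e.g. `# ipsec rewrites files in its conf dir: <denial placeholder>`, would let a later reviewer judge whether a narrower write or create rule suffices. Dropping read_files_pattern loses nothing, since manage_file_perms already covers read.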
@@ -32844,10 +32970,10 @@ index 312cd04..efe343f 100644
 +userdom_use_inherited_user_terminals(setkey_t)
 +userdom_read_user_tmp_files(setkey_t)
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 73a1c4e..af8050d 100644
+index 73a1c4e..51548c7 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
-@@ -1,22 +1,39 @@
+@@ -1,22 +1,41 @@
  /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/ebtables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -32903,6 +33029,8 @@ index 73a1c4e..af8050d 100644
 +/usr/sbin/ipvsadm-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
++
++/var/lib/ebtables(/.*)?			gen_context(system_u:object_r:iptables_var_lib_t,s0)
 diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
 index c42fbc3..277fe6c 100644
 --- a/policy/modules/system/iptables.if
@@ -32950,10 +33078,10 @@ index c42fbc3..277fe6c 100644
  ## <summary>
  ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..f0ed532 100644
+index be8ed1e..231b21d 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
-@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
+@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
  type iptables_initrc_exec_t;
  init_script_file(iptables_initrc_exec_t)
  
@@ -32966,13 +33094,16 @@ index be8ed1e..f0ed532 100644
  type iptables_var_run_t;
  files_pid_file(iptables_var_run_t)
  
++type iptables_var_lib_t;
++files_pid_file(iptables_var_lib_t)
++
 +type iptables_unit_file_t;
 +systemd_unit_file(iptables_unit_file_t)
 +
  ########################################
  #
  # Iptables local policy
-@@ -37,8 +37,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+@@ -37,23 +40,28 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
  allow iptables_t self:netlink_socket create_socket_perms;
  allow iptables_t self:rawip_socket create_socket_perms;
  
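Review bot: The new `iptables_var_lib_t` is declared with `files_pid_file(iptables_var_lib_t)`, which looks copied from the iptables_var_run_t lines directly above; the type labels /var/lib/ebtables (added in the iptables.fc hunk earlier in this diff), not a pid file, so it should be `files_type(iptables_var_lib_t)`. With the pid-file attribute, every domain holding the blanket pid-file interfaces from files.if would also reach the ebtables state under /var/lib, which is wider than the manage_*_pattern rules for iptables_t added in the next hunk intend.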
@@ -32983,7 +33114,14 @@ index be8ed1e..f0ed532 100644
  
  manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
  files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -49,11 +49,12 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+ 
++manage_dirs_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t)
++manage_files_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t)
++manage_lnk_files_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t)
++
+ can_exec(iptables_t, iptables_exec_t)
+ 
+ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
  allow iptables_t iptables_tmp_t:file manage_file_perms;
  files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
  
@@ -32997,7 +33135,7 @@ index be8ed1e..f0ed532 100644
  kernel_use_fds(iptables_t)
  
  # needed by ipvsadm
-@@ -64,6 +65,8 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,6 +72,8 @@ corenet_relabelto_all_packets(iptables_t)
  corenet_dontaudit_rw_tun_tap_dev(iptables_t)
  
  dev_read_sysfs(iptables_t)
@@ -33006,7 +33144,7 @@ index be8ed1e..f0ed532 100644
  
  fs_getattr_xattr_fs(iptables_t)
  fs_search_auto_mountpoints(iptables_t)
-@@ -72,11 +75,12 @@ fs_list_inotifyfs(iptables_t)
+@@ -72,11 +82,12 @@ fs_list_inotifyfs(iptables_t)
  mls_file_read_all_levels(iptables_t)
  
  term_dontaudit_use_console(iptables_t)
@@ -33021,7 +33159,7 @@ index be8ed1e..f0ed532 100644
  
  auth_use_nsswitch(iptables_t)
  
-@@ -85,15 +89,14 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +96,14 @@ init_use_script_ptys(iptables_t)
  # to allow rules to be saved on reboot:
  init_rw_script_tmp_files(iptables_t)
  init_rw_script_stream_sockets(iptables_t)
@@ -33039,7 +33177,7 @@ index be8ed1e..f0ed532 100644
  userdom_use_all_users_fds(iptables_t)
  
  ifdef(`hide_broken_symptoms',`
-@@ -102,6 +105,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +112,9 @@ ifdef(`hide_broken_symptoms',`
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
@@ -33049,7 +33187,7 @@ index be8ed1e..f0ed532 100644
  ')
  
  optional_policy(`
-@@ -110,6 +116,11 @@ optional_policy(`
+@@ -110,6 +123,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33061,7 +33199,7 @@ index be8ed1e..f0ed532 100644
  	modutils_run_insmod(iptables_t, iptables_roles)
  ')
  
-@@ -124,6 +135,12 @@ optional_policy(`
+@@ -124,6 +142,12 @@ optional_policy(`
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -33074,7 +33212,7 @@ index be8ed1e..f0ed532 100644
  ')
  
  optional_policy(`
-@@ -135,9 +152,9 @@ optional_policy(`
+@@ -135,9 +159,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33776,7 +33914,7 @@ index 0e3c2a9..ea9bd57 100644
 +	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
 +')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa99..ed451bc 100644
+index 446fa99..22f539c 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -33917,7 +34055,7 @@ index 446fa99..ed451bc 100644
  allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow sulogin_t self:fd use;
  allow sulogin_t self:fifo_file rw_fifo_file_perms;
-@@ -215,18 +212,27 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,18 +212,30 @@ allow sulogin_t self:sem create_sem_perms;
  allow sulogin_t self:msgq create_msgq_perms;
  allow sulogin_t self:msg { send receive };
  
@@ -33928,6 +34066,9 @@ index 446fa99..ed451bc 100644
 +dev_getattr_all_chr_files(sulogin_t)
 +dev_getattr_all_blk_files(sulogin_t)
 +
++dev_read_urand(sulogin_t)
++dev_read_rand(sulogin_t)
++
  fs_search_auto_mountpoints(sulogin_t)
  fs_rw_tmpfs_chr_files(sulogin_t)
  
@@ -33945,7 +34086,7 @@ index 446fa99..ed451bc 100644
  
  logging_send_syslog_msg(sulogin_t)
  
-@@ -235,17 +241,28 @@ seutil_read_default_contexts(sulogin_t)
+@@ -235,17 +244,28 @@ seutil_read_default_contexts(sulogin_t)
  
  userdom_use_unpriv_users_fds(sulogin_t)
  
@@ -33976,7 +34117,7 @@ index 446fa99..ed451bc 100644
  	init_getpgid(sulogin_t)
  ', `
  	allow sulogin_t self:process setexec;
-@@ -258,9 +275,5 @@ ifdef(`sulogin_no_pam', `
+@@ -258,9 +278,5 @@ ifdef(`sulogin_no_pam', `
  ')
  
  optional_policy(`
@@ -36451,7 +36592,7 @@ index a38605e..f035d9f 100644
 +/usr/sbin/umount\.ecryptfs_private	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 +/usr/sbin/umount\.ecryptfs	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..c2ae1ea 100644
+index 4584457..8f676d0 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
 @@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@@ -36596,7 +36737,7 @@ index 4584457..c2ae1ea 100644
  ##	</summary>
  ## </param>
  #
-@@ -131,45 +243,184 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +243,205 @@ interface(`mount_send_nfs_client_request',`
  
  ########################################
  ## <summary>
@@ -36656,11 +36797,9 @@ index 4584457..c2ae1ea 100644
  ##	<summary>
 -##	Role allowed access.
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`mount_run_unconfined',`
++##	</summary>
++## </param>
++#
 +interface(`mount_exec_fusermount',`
 +	gen_require(`
 +		type fusermount_exec_t;
@@ -36676,19 +36815,16 @@ index 4584457..c2ae1ea 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +#
 +interface(`mount_dontaudit_exec_fusermount',`
- 	gen_require(`
--		type unconfined_mount_t;
++	gen_require(`
 +		type fusermount_exec_t;
- 	')
- 
--	mount_domtrans_unconfined($1)
--	role $2 types unconfined_mount_t;
++	')
++
 +	dontaudit $1 fusermount_exec_t:file exec_file_perms;
- ')
++')
 +
 +######################################
 +## <summary>
@@ -36786,9 +36922,9 @@ index 4584457..c2ae1ea 100644
 +##  Role allowed access.
 +##  </summary>
 +## </param>
-+## <rolecap/>
-+#
-+interface(`mount_run_unconfined',`
+ ## <rolecap/>
+ #
+ interface(`mount_run_unconfined',`
 +    gen_require(`
 +        type unconfined_mount_t;
 +    ')
@@ -36797,8 +36933,32 @@ index 4584457..c2ae1ea 100644
 +    role $2 types unconfined_mount_t;
 +')
 +
++########################################
++## <summary>
++##	Allow mount programs to be an entrypoint for
++##	the specified domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The domain for which mount programs is an entrypoint.
++##	</summary>
++## </param>
++#
++interface(`mount_entry_type',`
+ 	gen_require(`
+-		type unconfined_mount_t;
++		type mount_ecryptfs_exec_t;
++		type mount_exec_t;
+ 	')
+ 
+-	mount_domtrans_unconfined($1)
+-	role $2 types unconfined_mount_t;
++	domain_entry_file($1, mount_ecryptfs_exec_t)
++	domain_entry_file($1, mount_exec_t)
+ ')
++
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 459a0ef..9933cad 100644
+index 459a0ef..ed4756e 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -5,13 +5,6 @@ policy_module(mount, 1.16.1)
@@ -37104,7 +37264,7 @@ index 459a0ef..9933cad 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -203,28 +300,136 @@ optional_policy(`
+@@ -203,28 +300,137 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37231,6 +37391,7 @@ index 459a0ef..9933cad 100644
 +fs_read_ecryptfs_files(mount_ecryptfs_t)
 +
 +auth_use_nsswitch(mount_ecryptfs_t)
++auth_manage_pam_console_data(mount_ecryptfs_t)
 +
  ########################################
  #
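Review bot: `auth_manage_pam_console_data(mount_ecryptfs_t)` gives the ecryptfs mount helper create and delete rights on the pam console data, not just read or write, and the hunk does not say why; if the helper only needs to read or update existing console lock files, the corresponding read or rw interface would be the smaller grant. A one-line comment above it naming the observed denial, `# mount.ecryptfs_private touches pam console data: <denial placeholder>`, would make the intent reviewable.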
@@ -41441,10 +41602,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..769e942
+index 0000000..db531dc
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,703 @@
+@@ -0,0 +1,707 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -41544,6 +41705,8 @@ index 0000000..769e942
 +mls_file_read_all_levels(systemd_logind_t)
 +mls_file_write_all_levels(systemd_logind_t)
 +
++files_delete_tmpfs_files(systemd_logind_t)
++
 +fs_mount_tmpfs(systemd_logind_t)
 +fs_unmount_tmpfs(systemd_logind_t)
 +fs_list_tmpfs(systemd_logind_t)
@@ -41731,6 +41894,8 @@ index 0000000..769e942
 +manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
 +init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
 +
++domain_read_all_domains_state(systemd_passwd_agent_t)
++
 +kernel_stream_connect(systemd_passwd_agent_t)
 +
 +dev_create_generic_dirs(systemd_passwd_agent_t)
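Review bot: `domain_read_all_domains_state(systemd_passwd_agent_t)` is a broad grant: it lets the password agent read the process state of every domain on the system, not only the service it is answering for. If the agent only needs to inspect the requesting process, a comment such as `# agent reads /proc state of the service asking for a password` (or a narrower interface) would let the next reviewer judge the scope; as written there is no hint which denial it fixes.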
@@ -41990,6 +42155,7 @@ index 0000000..769e942
 +files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" )
 +
 +kernel_dgram_send(systemd_hostnamed_t)
++kernel_read_xen_state(systemd_hostnamed_t)
 +
 +dev_write_kmsg(systemd_hostnamed_t)
 +dev_read_sysfs(systemd_hostnamed_t)
@@ -42093,9 +42259,8 @@ index 0000000..769e942
 +#
 +# systemd_sysctl domains local policy
 +#
-+allow systemd_sysctl_t self:capability { sys_admin net_admin };
++allow systemd_sysctl_t self:capability { net_admin sys_admin sys_rawio };
 +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
-+
 +kernel_dgram_send(systemd_sysctl_t)
 +kernel_request_load_module(systemd_sysctl_t)
 +kernel_rw_all_sysctls(systemd_sysctl_t)
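Review bot: Adding `sys_rawio` to systemd_sysctl_t's self capabilities grants far more than writing sysctls normally requires, and nothing in the hunk says which sysctl or device write triggered the denial; a one-line comment above the rule, e.g. `# sys_rawio: required by <placeholder: sysctl.d entry or device>`, would stop the capability being carried forward unexamined. The hunk also removes the blank line that separated the self rules from the kernel_* calls, the only cosmetic change in an otherwise capability-widening hunk; keeping that blank line would leave the diff showing just the capability change.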
@@ -42741,7 +42906,7 @@ index 0abaf84..8b34dbc 100644
 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a9..cf27c0a 100644
+index 5ca20a9..7261f73 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
 @@ -12,53 +12,57 @@
@@ -43267,7 +43432,7 @@ index 5ca20a9..cf27c0a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -578,11 +236,11 @@ interface(`unconfined_dbus_chat',`
+@@ -578,11 +236,12 @@ interface(`unconfined_dbus_chat',`
  ##	</summary>
  ## </param>
  #
@@ -43277,6 +43442,7 @@ index 5ca20a9..cf27c0a 100644
 -		type unconfined_t;
 -		class dbus acquire_svc;
 +		type unconfined_service_t;
++        class dbus send_msg;
  	')
  
 -	allow $1 unconfined_t:dbus acquire_svc;
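Review bot: The added `class dbus send_msg;` line is indented with eight spaces while the adjacent `type unconfined_service_t;` and the rest of the gen_require body use tabs, so two neighbouring lines now mix styles; make it the tab-indented `		class dbus send_msg;`. The interface this gen_require belongs to begins outside the hunk, so its name is not visible here.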
@@ -43550,7 +43716,7 @@ index db75976..1ee08ec 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..05274ae 100644
+index 9dc60c6..d88f402 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -45394,10 +45560,16 @@ index 9dc60c6..05274ae 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1708,6 +2270,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1704,10 +2266,12 @@ interface(`userdom_user_home_domtrans',`
+ #
+ interface(`userdom_dontaudit_search_user_home_content',`
+ 	gen_require(`
+-		type user_home_t;
++		attribute user_home_type;
  	')
  
- 	dontaudit $1 user_home_t:dir search_dir_perms;
+-	dontaudit $1 user_home_t:dir search_dir_perms;
++	dontaudit $1 user_home_type:dir search_dir_perms;
 +	fs_dontaudit_list_nfs($1)
 +	fs_dontaudit_list_cifs($1)
  ')
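Review bot: Switching `userdom_dontaudit_search_user_home_content` from `type user_home_t` to `attribute user_home_type` silences search denials on every type carrying user_home_type rather than on user_home_t alone, so misdirected lookups into other home-content types will no longer appear in the audit log for any caller of this interface. That matches the interface's name, but it is a detection trade-off worth recording beside the rule, e.g. `# covers all user home content types, not only user_home_t`. The `fs_dontaudit_list_nfs`/`fs_dontaudit_list_cifs` lines are unchanged by this hunk.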
@@ -45854,7 +46026,7 @@ index 9dc60c6..05274ae 100644
  ')
  
  ########################################
-@@ -2024,21 +2778,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2778,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -45868,18 +46040,17 @@ index 9dc60c6..05274ae 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
- 
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
--	')
 -')
--
+ 
  ########################################
  ## <summary>
- ##	Do not audit attempts to execute user home files.
 @@ -2120,7 +2868,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
@@ -46077,7 +46248,7 @@ index 9dc60c6..05274ae 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2586,18 +3387,59 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,12 +3387,53 @@ interface(`userdom_manage_user_tmp_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -46089,13 +46260,12 @@ index 9dc60c6..05274ae 100644
  
 -	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
 +    allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- 	files_search_tmp($1)
- ')
- 
++	files_search_tmp($1)
++')
 +
- ########################################
- ## <summary>
--##	Create objects in a user temporary directory
++
++########################################
++## <summary>
 +##	Create, read, write, and delete user
 +##	temporary named pipes.
 +## </summary>
@@ -46131,15 +46301,9 @@ index 9dc60c6..05274ae 100644
 +	')
 +
 +	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
-+	files_search_tmp($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Create objects in a user temporary directory
- ##	with an automatic type transition to
- ##	a specified private type.
- ## </summary>
+ 	files_search_tmp($1)
+ ')
+ 
 @@ -2661,6 +3503,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
@@ -46606,7 +46770,7 @@ index 9dc60c6..05274ae 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3282,46 +4241,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,49 +4241,125 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -46664,8 +46828,9 @@ index 9dc60c6..05274ae 100644
  	gen_require(`
 -		attribute userdomain;
 +		type user_tmp_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 userdomain:process getattr;
 +	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
@@ -46739,9 +46904,12 @@ index 9dc60c6..05274ae 100644
 +interface(`userdom_getattr_all_users',`
 +	gen_require(`
 +		attribute userdomain;
- 	')
++	')
++
++	allow $1 userdomain:process getattr;
+ ')
  
- 	allow $1 userdomain:process getattr;
+ ########################################
 @@ -3382,6 +4417,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
@@ -46846,7 +47014,7 @@ index 9dc60c6..05274ae 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4560,1686 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4560,1687 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -47603,12 +47771,13 @@ index 9dc60c6..05274ae 100644
 +        ')
 +
 +    userdom_search_user_home_dirs($1)
-+	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012")
-+	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013")
-+	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014")
++    userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012")
++    userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013")
++    userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014")
 +    manage_dirs_pattern($1, texlive_home_t, texlive_home_t)
 +    manage_files_pattern($1, texlive_home_t, texlive_home_t)
-+	manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t)
++    manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t)
++    allow $1 texlive_home_t:file relabelfrom;
 +')
 +
 +########################################
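Review bot: `allow $1 texlive_home_t:file relabelfrom;` lets the caller move files out of the texlive_home_t label, and nothing in the hunk shows the matching relabelto or explains which operation needs it; a comment such as `# relabelfrom: <placeholder: tool> re-labels its files under ~/.texlive*` would make the grant traceable. The rest of the hunk only converts tab indentation to four spaces to match the adjacent lines, which is fine but makes the single semantic change easy to overlook. The enclosing interface starts before this hunk, so its name is not visible.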
@@ -48534,7 +48703,7 @@ index 9dc60c6..05274ae 100644
 +	')
  ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..7f49cde 100644
+index f4ac38d..d7cbcec 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@@ -48623,7 +48792,7 @@ index f4ac38d..7f49cde 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +83,394 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,395 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -48693,6 +48862,7 @@ index f4ac38d..7f49cde 100644
 +allow unpriv_userdomain self:key manage_key_perms;
 +
 +mount_dontaudit_write_mount_pid(unpriv_userdomain)
++mount_entry_type(unpriv_userdomain)
 +
 +optional_policy(`
 +	alsa_read_rw_config(unpriv_userdomain)
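Review bot: `mount_entry_type(unpriv_userdomain)` makes both mount_exec_t and mount_ecryptfs_exec_t valid entrypoints for every unprivileged user domain (the interface at L1617–L1628 calls `domain_entry_file` for each type), which changes what may be executed as a user domain's entry program, and the hunk gives no reason for it. A comment beside the call naming the consumer, e.g. `# mount/mount.ecryptfs may be an entrypoint for user domains: <placeholder: reason>`, would make the intent auditable; if only the ecryptfs helper is needed, a narrower interface for that one type would be preferable to granting both.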
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 0ccc225..9dd8656 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -546,7 +546,7 @@ index 058d908..1e92177 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..b18f881 100644
+index eb50f07..34371ae 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -791,9 +791,9 @@ index eb50f07..b18f881 100644
 +logging_read_syslog_pid(abrt_t)
 +
 +auth_use_nsswitch(abrt_t)
-+
-+init_read_utmp(abrt_t)
  
++init_read_utmp(abrt_t)
++
 +miscfiles_read_generic_certs(abrt_t)
  miscfiles_read_public_files(abrt_t)
 +miscfiles_dontaudit_access_check_cert(abrt_t)
@@ -862,7 +862,7 @@ index eb50f07..b18f881 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -253,9 +300,17 @@ optional_policy(`
+@@ -253,9 +300,21 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -874,6 +874,10 @@ index eb50f07..b18f881 100644
 +	xserver_read_log(abrt_t)
 +')
 +
++optional_policy(`
++	udev_read_db(abrt_t)
++')
++
  #######################################
  #
 -# Handle-event local policy
@@ -881,7 +885,7 @@ index eb50f07..b18f881 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +321,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +325,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -896,7 +900,7 @@ index eb50f07..b18f881 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +340,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +344,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -904,7 +908,7 @@ index eb50f07..b18f881 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +349,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +353,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -925,7 +929,7 @@ index eb50f07..b18f881 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +370,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +374,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -952,7 +956,7 @@ index eb50f07..b18f881 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +406,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +410,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -966,7 +970,7 @@ index eb50f07..b18f881 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +424,11 @@ optional_policy(`
+@@ -343,10 +428,11 @@ optional_policy(`
  
  #######################################
  #
@@ -980,7 +984,7 @@ index eb50f07..b18f881 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +447,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +451,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1040,7 +1044,7 @@ index eb50f07..b18f881 100644
  
  #######################################
  #
-@@ -404,7 +504,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +508,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1049,7 +1053,7 @@ index eb50f07..b18f881 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -413,16 +513,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +517,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1093,7 +1097,7 @@ index eb50f07..b18f881 100644
  ')
  
  #######################################
-@@ -430,10 +556,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +560,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -7727,7 +7731,7 @@ index 080bc4d..de60b99 100644
 +	sysnet_dns_name_resolve(apcupsd_cgi_script_t)
  ')
 diff --git a/apm.fc b/apm.fc
-index ce27d2f..d20377e 100644
+index ce27d2f..b2ba16a 100644
 --- a/apm.fc
 +++ b/apm.fc
 @@ -1,3 +1,4 @@
@@ -7735,6 +7739,15 @@ index ce27d2f..d20377e 100644
  /etc/rc\.d/init\.d/acpid	--	gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
  
  /usr/bin/apm	--	gen_context(system_u:object_r:apm_exec_t,s0)
+@@ -7,6 +8,8 @@
+ /usr/sbin/powersaved	--	gen_context(system_u:object_r:apmd_exec_t,s0)
+ 
+ /var/lock/subsys/acpid	--	gen_context(system_u:object_r:apmd_lock_t,s0)
++/var/lock/subsys/lmt-req\.lock	--	gen_context(system_u:object_r:apmd_lock_t,s0)
++/var/lock/lmt-req\.lock	--	gen_context(system_u:object_r:apmd_lock_t,s0)
+ 
+ /var/log/acpid.*	--	gen_context(system_u:object_r:apmd_log_t,s0)
+ 
 diff --git a/apm.if b/apm.if
 index 1a7a97e..2c7252a 100644
 --- a/apm.if
@@ -8781,7 +8794,7 @@ index dcd774e..c240ffa 100644
  
  	allow $1 bacula_t:process { ptrace signal_perms };
 diff --git a/bacula.te b/bacula.te
-index f16b000..4e48c62 100644
+index f16b000..3c80c4b 100644
 --- a/bacula.te
 +++ b/bacula.te
 @@ -27,6 +27,9 @@ type bacula_store_t;
@@ -8829,7 +8842,14 @@ index f16b000..4e48c62 100644
  corenet_sendrecv_hplip_server_packets(bacula_t)
  corenet_tcp_bind_hplip_port(bacula_t)
  corenet_udp_bind_hplip_port(bacula_t)
-@@ -105,6 +118,7 @@ files_read_all_symlinks(bacula_t)
+@@ -99,12 +112,14 @@ dev_getattr_all_blk_files(bacula_t)
+ dev_getattr_all_chr_files(bacula_t)
+ 
+ files_dontaudit_getattr_all_sockets(bacula_t)
++files_dontaudit_getattr_all_pipes(bacula_t)
+ files_read_all_files(bacula_t)
+ files_read_all_symlinks(bacula_t)
+ 
  fs_getattr_xattr_fs(bacula_t)
  fs_list_all(bacula_t)
  
@@ -8837,7 +8857,7 @@ index f16b000..4e48c62 100644
  auth_read_shadow(bacula_t)
  
  logging_send_syslog_msg(bacula_t)
-@@ -125,6 +139,12 @@ optional_policy(`
+@@ -125,6 +140,12 @@ optional_policy(`
  	ldap_stream_connect(bacula_t)
  ')
  
@@ -8850,7 +8870,7 @@ index f16b000..4e48c62 100644
  ########################################
  #
  # Client local policy
-@@ -148,11 +168,8 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -148,11 +169,8 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
  
  domain_use_interactive_fds(bacula_admin_t)
  
@@ -9254,7 +9274,7 @@ index 531a8f2..0b86f2f 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 1241123..a3d3001 100644
+index 1241123..4569bde 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9314,23 +9334,27 @@ index 1241123..a3d3001 100644
  
  domain_use_interactive_fds(named_t)
  
-@@ -175,6 +177,15 @@ tunable_policy(`named_write_master_zones',`
+@@ -175,6 +177,19 @@ tunable_policy(`named_write_master_zones',`
  ')
  
  optional_policy(`
++	cron_system_entry(named_t, named_exec_t)
++')
++
++optional_policy(`
 +	# needed by FreeIPA with DNS support
 +	dirsrv_stream_connect(named_t)
 +')
 +
 +optional_policy(`
-+	cron_system_entry(named_t, named_exec_t)
++	dnssec_trigger_manage_pid_files(named_t)
 +')
 +
 +optional_policy(`
  	dbus_system_domain(named_t, named_exec_t)
  
  	init_dbus_chat_script(named_t)
-@@ -187,7 +198,9 @@ optional_policy(`
+@@ -187,7 +202,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -9340,7 +9364,7 @@ index 1241123..a3d3001 100644
  	kerberos_use(named_t)
  ')
  
-@@ -215,7 +228,8 @@ optional_policy(`
+@@ -215,7 +232,8 @@ optional_policy(`
  #
  
  allow ndc_t self:capability { dac_override net_admin };
@@ -9350,7 +9374,7 @@ index 1241123..a3d3001 100644
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { accept listen };
  
-@@ -229,10 +243,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +247,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
  
  allow ndc_t named_zone_t:dir search_dir_perms;
  
@@ -9362,7 +9386,7 @@ index 1241123..a3d3001 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +255,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +259,9 @@ corenet_tcp_bind_generic_node(ndc_t)
  corenet_tcp_connect_rndc_port(ndc_t)
  corenet_sendrecv_rndc_client_packets(ndc_t)
  
@@ -9372,7 +9396,7 @@ index 1241123..a3d3001 100644
  domain_use_interactive_fds(ndc_t)
  
  files_search_pids(ndc_t)
-@@ -257,7 +273,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +277,7 @@ init_use_script_ptys(ndc_t)
  
  logging_send_syslog_msg(ndc_t)
  
@@ -9612,7 +9636,7 @@ index 2b9c7f3..0086b95 100644
  /usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
  /usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 diff --git a/bluetooth.if b/bluetooth.if
-index c723a0a..b23b46a 100644
+index c723a0a..1c29d21 100644
 --- a/bluetooth.if
 +++ b/bluetooth.if
 @@ -37,7 +37,12 @@ interface(`bluetooth_role',`
@@ -9641,7 +9665,21 @@ index c723a0a..b23b46a 100644
  ')
  
  #####################################
-@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',`
+@@ -63,11 +70,13 @@ interface(`bluetooth_role',`
+ interface(`bluetooth_stream_connect',`
+ 	gen_require(`
+ 		type bluetooth_t, bluetooth_var_run_t;
++		type bluetooth_tmp_t;
+ 	')
+ 
+ 	files_search_pids($1)
+ 	allow $1 bluetooth_t:socket rw_socket_perms;
+ 	stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
++	stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)
+ ')
+ 
+ ########################################
+@@ -130,6 +139,27 @@ interface(`bluetooth_dbus_chat',`
  
  ########################################
  ## <summary>
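Review bot: The new `stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)` lets callers reach a socket labelled bluetooth_tmp_t, but unlike the var_run case, which is preceded by `files_search_pids($1)`, nothing grants the caller search on the temporary directory that holds it; if the socket is created directly under the generic tmp directory, callers will still be denied at that directory. Consider adding `files_search_tmp($1)` before the new line, or a comment stating where the socket actually lives if that search is already granted elsewhere.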
@@ -9669,7 +9707,7 @@ index c723a0a..b23b46a 100644
  ##	Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated)
  ## </summary>
  ## <param name="domain">
-@@ -190,6 +218,30 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -190,6 +220,30 @@ interface(`bluetooth_dontaudit_read_helper_state',`
  
  ########################################
  ## <summary>
@@ -9700,7 +9738,7 @@ index c723a0a..b23b46a 100644
  ##	All of the rules required to
  ##	administrate an bluetooth environment.
  ## </summary>
-@@ -210,12 +262,16 @@ interface(`bluetooth_admin',`
+@@ -210,12 +264,16 @@ interface(`bluetooth_admin',`
  		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
  		type bluetooth_var_lib_t, bluetooth_var_run_t;
  		type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
@@ -9719,7 +9757,7 @@ index c723a0a..b23b46a 100644
  	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 bluetooth_initrc_exec_t system_r;
-@@ -235,4 +291,8 @@ interface(`bluetooth_admin',`
+@@ -235,4 +293,8 @@ interface(`bluetooth_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, bluetooth_var_run_t)
@@ -9729,7 +9767,7 @@ index c723a0a..b23b46a 100644
 +	allow $1 bluetooth_unit_file_t:service all_service_perms;
  ')
 diff --git a/bluetooth.te b/bluetooth.te
-index 851769e..a069dc3 100644
+index 851769e..3dc3f36 100644
 --- a/bluetooth.te
 +++ b/bluetooth.te
 @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
@@ -9752,7 +9790,7 @@ index 851769e..a069dc3 100644
  
  manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
  manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
-@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+@@ -90,27 +94,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
  
  can_exec(bluetooth_t, bluetooth_helper_exec_t)
  
@@ -9767,6 +9805,8 @@ index 851769e..a069dc3 100644
  
 -corecmd_exec_bin(bluetooth_t)
 -corecmd_exec_shell(bluetooth_t)
+-
+-dev_read_sysfs(bluetooth_t)
 +corenet_all_recvfrom_netlabel(bluetooth_t)
 +corenet_tcp_sendrecv_generic_if(bluetooth_t)
 +corenet_udp_sendrecv_generic_if(bluetooth_t)
@@ -9776,10 +9816,10 @@ index 851769e..a069dc3 100644
 +corenet_raw_sendrecv_generic_node(bluetooth_t)
 +corenet_tcp_sendrecv_all_ports(bluetooth_t)
 +corenet_udp_sendrecv_all_ports(bluetooth_t)
- 
- dev_read_sysfs(bluetooth_t)
++
++dev_rw_sysfs(bluetooth_t)
  dev_rw_usbfs(bluetooth_t)
-@@ -105,12 +119,12 @@ dev_rw_generic_usb_dev(bluetooth_t)
+ dev_rw_generic_usb_dev(bluetooth_t)
  dev_read_urand(bluetooth_t)
  dev_rw_input_dev(bluetooth_t)
  dev_rw_wireless(bluetooth_t)
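Review bot: Replacing `dev_read_sysfs(bluetooth_t)` with `dev_rw_sysfs(bluetooth_t)` (the removal sits in the previous hunk at L2287, the addition at L2298) widens bluetoothd from reading to writing the whole sysfs tree, and neither hunk hints at which attribute it writes; a comment such as `# dev_rw_sysfs: bluetoothd writes <placeholder: sysfs attribute>` would make the widening reviewable. If the write target is a single well-known node, a dev_* interface scoped to that node would be preferable to rw on all of sysfs. The two hunks carry one change and should be read together.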
@@ -10472,10 +10512,10 @@ index 0000000..968c957
 +')
 diff --git a/brltty.te b/brltty.te
 new file mode 100644
-index 0000000..03032f9
+index 0000000..32c786b
 --- /dev/null
 +++ b/brltty.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,61 @@
 +policy_module(brltty, 1.0.0)
 +
 +########################################
@@ -10500,7 +10540,7 @@ index 0000000..03032f9
 +#
 +# brltty local policy
 +#
-+allow brltty_t self:capability { sys_admin  sys_tty_config };
++allow brltty_t self:capability { sys_admin  sys_tty_config mknod };
 +allow brltty_t self:process { fork signal_perms };
 +
 +allow brltty_t self:fifo_file rw_fifo_file_perms;
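Review bot: Adding `mknod` to brltty_t's capabilities, together with `manage_chr_files_pattern` and the `chr_file` filetrans into brltty_var_run_t in the next hunk (L2332–L2333), lets brltty create device nodes under its PID directory; the SELinux side is scoped to brltty_var_run_t, but the purpose should be recorded, e.g. `# mknod + chr_file: brltty creates <placeholder: device node> under its PID directory` above the capability rule. The rule also carries a stray double space in `{ sys_admin  sys_tty_config mknod }`; `{ mknod sys_admin sys_tty_config }` keeps the list single-spaced and sorted like the systemd_sysctl_t rule at L1697.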
@@ -10514,7 +10554,8 @@ index 0000000..03032f9
 +
 +manage_dirs_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
 +manage_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
-+files_pid_filetrans(brltty_t, brltty_var_run_t, { dir file })
++manage_chr_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
++files_pid_filetrans(brltty_t, brltty_var_run_t, { dir file chr_file })
 +allow brltty_t brltty_var_run_t:dir mounton;
 +
 +kernel_read_system_state(brltty_t)
@@ -11256,7 +11297,7 @@ index 400db07..f416e22 100644
  	domain_system_change_exemption($1)
  	role_transition $2 canna_initrc_exec_t system_r;
 diff --git a/canna.te b/canna.te
-index 9fe6162..2245f3b 100644
+index 9fe6162..5c505e7 100644
 --- a/canna.te
 +++ b/canna.te
 @@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
@@ -11267,7 +11308,7 @@ index 9fe6162..2245f3b 100644
  corenet_all_recvfrom_netlabel(canna_t)
  corenet_tcp_sendrecv_generic_if(canna_t)
  corenet_tcp_sendrecv_generic_node(canna_t)
-@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t)
+@@ -68,15 +67,13 @@ fs_search_auto_mountpoints(canna_t)
  
  domain_use_interactive_fds(canna_t)
  
@@ -11277,13 +11318,14 @@ index 9fe6162..2245f3b 100644
  files_search_tmp(canna_t)
  files_dontaudit_read_root_files(canna_t)
  
- logging_send_syslog_msg(canna_t)
+-logging_send_syslog_msg(canna_t)
++auth_use_nsswitch(canna_t)
  
 -miscfiles_read_localization(canna_t)
--
++logging_send_syslog_msg(canna_t)
+ 
  sysnet_read_config(canna_t)
  
- userdom_dontaudit_use_unpriv_user_fds(canna_t)
 diff --git a/ccs.if b/ccs.if
 index 5ded72d..cb94e5e 100644
 --- a/ccs.if
@@ -11501,7 +11543,7 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..3ad65da 100644
+index 550b287..7f683e5 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -11590,7 +11632,7 @@ index 550b287..3ad65da 100644
  ')
  
  optional_policy(`
-@@ -92,11 +109,52 @@ optional_policy(`
+@@ -92,11 +109,56 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -11620,6 +11662,10 @@ index 550b287..3ad65da 100644
 +	pki_read_tomcat_lib_files(certmonger_t)
 +')
 +
++optional_policy(`
++	sssd_delete_public_files(certmonger_t)
++')
++
 +########################################
 +#
 +# certmonger_unconfined_script_t local policy
@@ -12540,7 +12586,7 @@ index 32e8265..74fd151 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c..fc150e9 100644
+index e5b621c..e8b9178 100644
 --- a/chronyd.te
 +++ b/chronyd.te
 @@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -12571,7 +12617,7 @@ index e5b621c..fc150e9 100644
  allow chronyd_t chronyd_keys_t:file read_file_perms;
  
  manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,29 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,30 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
  corenet_udp_bind_chronyd_port(chronyd_t)
  corenet_udp_sendrecv_chronyd_port(chronyd_t)
  
@@ -12597,6 +12643,7 @@ index e5b621c..fc150e9 100644
  optional_policy(`
 -	mta_send_mail(chronyd_t)
 +    timemaster_stream_connect(chronyd_t)
++    timemaster_read_pid_files(chronyd_t)
 +    timemaster_rw_shm(chronyd_t)
 +')
 +
@@ -15578,10 +15625,10 @@ index 0000000..1cc5fa4
 +')
 diff --git a/conman.te b/conman.te
 new file mode 100644
-index 0000000..4772f64
+index 0000000..3bc9494
 --- /dev/null
 +++ b/conman.te
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,78 @@
 +policy_module(conman, 1.0.0)
 +
 +########################################
@@ -15589,6 +15636,14 @@ index 0000000..4772f64
 +# Declarations
 +#
 +
++## <desc>
++##  <p>
++##	Determine whether conman can
++##	connect to all TCP ports
++##	</p>
++## </desc>
++gen_tunable(conman_can_network, false)
++
 +type conman_t;
 +type conman_exec_t;
 +init_daemon_domain(conman_t, conman_exec_t)
@@ -15596,6 +15651,9 @@ index 0000000..4772f64
 +type conman_log_t;
 +logging_log_file(conman_log_t)
 +
++type conman_tmp_t;
++files_tmp_file(conman_tmp_t)
++
 +type conman_var_run_t;
 +files_pid_file(conman_var_run_t)
 +
@@ -15618,6 +15676,10 @@ index 0000000..4772f64
 +manage_files_pattern(conman_t, conman_log_t, conman_log_t)
 +logging_log_filetrans(conman_t, conman_log_t, { dir })
 +
++manage_files_pattern(conman_t, conman_tmp_t, conman_tmp_t)
++manage_dirs_pattern(conman_t, conman_tmp_t, conman_tmp_t)
++files_tmp_filetrans(conman_t, conman_tmp_t, { file dir })
++
 +manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
 +files_pid_filetrans(conman_t, conman_var_run_t, file)
 +
@@ -15626,6 +15688,8 @@ index 0000000..4772f64
 +corenet_tcp_bind_generic_node(conman_t)
 +corenet_tcp_bind_conman_port(conman_t)
 +
++corenet_tcp_connect_all_ephemeral_ports(conman_t)
++
 +corecmd_exec_bin(conman_t)
 +
 +logging_send_syslog_msg(conman_t)
@@ -15634,6 +15698,12 @@ index 0000000..4772f64
 +
 +userdom_use_user_ptys(conman_t)
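Review bot: `corenet_tcp_connect_all_ephemeral_ports(conman_t)` is granted unconditionally, while the same commit places `corenet_tcp_connect_all_ports` behind the new `conman_can_network` tunable (L2490–L2494); a reader cannot tell whether ephemeral-port connects are meant to be always on or were meant to sit inside the tunable too. Add a comment above it, e.g. `# console targets are reached on ephemeral ports regardless of conman_can_network`, or move the call into the tunable block if that was the intent.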
 +
++tunable_policy(`conman_can_network',`
++	corenet_sendrecv_all_client_packets(conman_t)
++	corenet_tcp_connect_all_ports(conman_t)
++	corenet_tcp_sendrecv_all_ports(conman_t)
++')
++
 +optional_policy(`
 +    freeipmi_stream_connect(conman_t)
 +')
@@ -17997,7 +18067,7 @@ index 1303b30..759412f 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
  ')
 diff --git a/cron.te b/cron.te
-index 7de3859..d88194b 100644
+index 7de3859..0ee059a 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -11,46 +11,46 @@ gen_require(`
@@ -18723,12 +18793,15 @@ index 7de3859..d88194b 100644
  ')
  
  optional_policy(`
-@@ -615,12 +634,24 @@ optional_policy(`
+@@ -615,12 +634,27 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 +	systemd_dbus_chat_logind(system_cronjob_t)
++	systemd_dbus_chat_timedated(system_cronjob_t)
++	systemd_dbus_chat_hostnamed(system_cronjob_t)
++	systemd_dbus_chat_localed(system_cronjob_t)
 +	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 +')
 +
@@ -18750,7 +18823,7 @@ index 7de3859..d88194b 100644
  #
  
  allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +659,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +662,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
  allow cronjob_t self:unix_dgram_socket create_socket_perms;
  
@@ -18784,7 +18857,7 @@ index 7de3859..d88194b 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +692,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +695,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
  corenet_udp_sendrecv_generic_node(cronjob_t)
  corenet_tcp_sendrecv_all_ports(cronjob_t)
  corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -24577,10 +24650,10 @@ index 0000000..9e231a8
 +/var/run/dnssec.*			gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
 diff --git a/dnssec.if b/dnssec.if
 new file mode 100644
-index 0000000..a952041
+index 0000000..457d4dd
 --- /dev/null
 +++ b/dnssec.if
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,85 @@
 +
 +## <summary>policy for dnssec_trigger</summary>
 +
@@ -24621,6 +24694,27 @@ index 0000000..a952041
 +	allow $1 dnssec_trigger_var_run_t:file read_file_perms;
 +')
 +
++########################################
++## <summary>
++##	Manage dnssec_trigger PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dnssec_trigger_manage_pid_files',`
++	gen_require(`
++		type dnssec_trigger_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_dirs_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++	manage_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++	manage_lnk_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++')
++
 +
 +########################################
 +## <summary>
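Review bot: The new `dnssec_trigger_manage_pid_files` interface is inserted with its own trailing blank line directly before the blank line that already separated the following interface, leaving two consecutive blank lines; drop one so the spacing matches the rest of dnssec.if. The interface body itself follows the usual `files_search_pids` plus `manage_*_pattern` shape.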
@@ -25132,10 +25226,10 @@ index 0000000..c8e5981
 +
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..08cf151
+index 0000000..4cf83fd
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,300 @@
+@@ -0,0 +1,302 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -25216,6 +25310,7 @@ index 0000000..08cf151
 +
 +manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)
 +manage_files_pattern(docker_t, docker_config_t, docker_config_t)
++files_etc_filetrans(docker_t, docker_config_t, dir, "docker")
 +
 +manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
 +manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
@@ -25435,6 +25530,7 @@ index 0000000..08cf151
 +tunable_policy(`docker_transition_unconfined',`
 +	unconfined_transition(docker_t, docker_share_t)
 +	unconfined_transition(docker_t, docker_var_lib_t)
++	unconfined_setsched(docker_t)
 +')
 diff --git a/dovecot.fc b/dovecot.fc
 index c880070..4448055 100644
@@ -29960,10 +30056,10 @@ index 0000000..9e17d3e
 +')
 diff --git a/geoclue.te b/geoclue.te
 new file mode 100644
-index 0000000..b669406
+index 0000000..cd197a6
 --- /dev/null
 +++ b/geoclue.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,66 @@
 +policy_module(geoclue, 1.0.0)
 +
 +########################################
@@ -30013,6 +30109,10 @@ index 0000000..b669406
 +sysnet_dns_name_resolve(geoclue_t)
 +
 +optional_policy(`
++	kerberos_use(geoclue_t)
++')
++
++optional_policy(`
 +	dbus_system_domain(geoclue_t, geoclue_exec_t)
 +
 +	optional_policy(`
@@ -30427,7 +30527,7 @@ index 9eacb2c..7b19ad2 100644
  	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
  	domain_system_change_exemption($1)
 diff --git a/glance.te b/glance.te
-index 5cd0909..b558e60 100644
+index 5cd0909..a0b3bfb 100644
 --- a/glance.te
 +++ b/glance.te
 @@ -5,10 +5,31 @@ policy_module(glance, 1.1.0)
@@ -30560,7 +30660,7 @@ index 5cd0909..b558e60 100644
  
  logging_send_syslog_msg(glance_registry_t)
  
-@@ -108,13 +155,30 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +155,37 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
  files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
  can_exec(glance_api_t, glance_tmp_t)
  
@@ -30596,6 +30696,13 @@ index 5cd0909..b558e60 100644
 +optional_policy(`
 +    mysql_stream_connect(glance_api_t)
 +')
++
++########################################
++#
++# Scrubber local policy
++#
++
++corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
 diff --git a/glusterd.fc b/glusterd.fc
 new file mode 100644
 index 0000000..8c8c6c9
@@ -35051,10 +35158,43 @@ index bbccc79..435ac42 100644
  logging_search_logs(hald_keymap_t)
  
 diff --git a/hddtemp.if b/hddtemp.if
-index 1728071..77e71ea 100644
+index 1728071..6e2d333 100644
 --- a/hddtemp.if
 +++ b/hddtemp.if
-@@ -60,9 +60,13 @@ interface(`hddtemp_admin',`
+@@ -19,6 +19,32 @@ interface(`hddtemp_domtrans',`
+ 	domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
+ ')
+ 
++########################################
++## <summary>
++##	Execute hddtemp in the hddtemp domain, and
++##	allow the specified role the hddtemp domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++#
++interface(`hddtemp_run',`
++	gen_require(`
++		type hddtemp_t;
++		attribute_role hddtemp_roles;
++	')
++
++    hddtemp_domtrans($1)
++    roleattribute $2 hddtemp_roles;
++')
++
+ ######################################
+ ## <summary>
+ ##	Execute hddtemp in the caller domain.
+@@ -60,9 +86,13 @@ interface(`hddtemp_admin',`
  		type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
  	')
  
@@ -35070,10 +35210,23 @@ index 1728071..77e71ea 100644
  	domain_system_change_exemption($1)
  	role_transition $2 hddtemp_initrc_exec_t system_r;
 diff --git a/hddtemp.te b/hddtemp.te
-index 9e11b98..29065e6 100644
+index 9e11b98..6338ea7 100644
 --- a/hddtemp.te
 +++ b/hddtemp.te
-@@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
+@@ -4,10 +4,12 @@ policy_module(hddtemp, 1.2.0)
+ #
+ # Declarations
+ #
++attribute_role hddtemp_roles;
+ 
+ type hddtemp_t;
+ type hddtemp_exec_t;
+ init_daemon_domain(hddtemp_t, hddtemp_exec_t)
++role hddtemp_roles types hddtemp_t;
+ 
+ type hddtemp_initrc_exec_t;
+ init_script_file(hddtemp_initrc_exec_t)
+@@ -26,7 +28,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
  
  allow hddtemp_t hddtemp_etc_t:file read_file_perms;
  
@@ -35081,7 +35234,7 @@ index 9e11b98..29065e6 100644
  corenet_all_recvfrom_netlabel(hddtemp_t)
  corenet_tcp_sendrecv_generic_if(hddtemp_t)
  corenet_tcp_sendrecv_generic_node(hddtemp_t)
-@@ -36,9 +35,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
+@@ -36,9 +37,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
  corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
  corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
  
@@ -35091,11 +35244,192 @@ index 9e11b98..29065e6 100644
  storage_raw_read_fixed_disk(hddtemp_t)
  storage_raw_read_removable_device(hddtemp_t)
  
-@@ -46,4 +42,3 @@ auth_use_nsswitch(hddtemp_t)
+@@ -46,4 +44,3 @@ auth_use_nsswitch(hddtemp_t)
  
  logging_send_syslog_msg(hddtemp_t)
  
 -miscfiles_read_localization(hddtemp_t)
+diff --git a/hostapd.fc b/hostapd.fc
+new file mode 100644
+index 0000000..0ca97b8
+--- /dev/null
++++ b/hostapd.fc
+@@ -0,0 +1,5 @@
++/usr/lib/systemd/system/hostapd.service		--	gen_context(system_u:object_r:hostapd_unit_file_t,s0)
++
++/usr/sbin/hostapd		--	gen_context(system_u:object_r:hostapd_exec_t,s0)
++
++/var/run/hostapd(/.*)?		gen_context(system_u:object_r:hostapd_var_run_t,s0)
+\ No newline at end of file
+diff --git a/hostapd.if b/hostapd.if
+new file mode 100644
+index 0000000..1f16431
+--- /dev/null
++++ b/hostapd.if
+@@ -0,0 +1,106 @@
++
++## <summary>policy for hostapd</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the hostapd domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`hostapd_domtrans',`
++	gen_require(`
++		type hostapd_t, hostapd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, hostapd_exec_t, hostapd_t)
++')
++########################################
++## <summary>
++##	Execute hostapd server in the hostapd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`hostapd_systemctl',`
++	gen_require(`
++		type hostapd_t;
++		type hostapd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 hostapd_unit_file_t:file read_file_perms;
++	allow $1 hostapd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, hostapd_t)
++')
++
++
++########################################
++## <summary>
++##	Read hostapd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`hostapd_read_pid_files',`
++	gen_require(`
++		type hostapd_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, hostapd_var_run_t, hostapd_var_run_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an hostapd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`hostapd_admin',`
++	gen_require(`
++		type hostapd_t;
++		type hostapd_unit_file_t;
++		type hostapd_var_run_t;
++	')
++
++	allow $1 hostapd_t:process { signal_perms };
++	ps_process_pattern($1, hostapd_t)
++
++	tunable_policy(`deny_ptrace',`',`
++		allow $1 hostapd_t:process ptrace;
++	')
++
++	hostapd_systemctl($1)
++	admin_pattern($1, hostapd_unit_file_t)
++	allow $1 hostapd_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++
++	admin_pattern($1, hostapd_var_run_t)
++')
+diff --git a/hostapd.te b/hostapd.te
+new file mode 100644
+index 0000000..eb501d2
+--- /dev/null
++++ b/hostapd.te
+@@ -0,0 +1,51 @@
++policy_module(hostapd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type hostapd_t;
++type hostapd_exec_t;
++init_daemon_domain(hostapd_t, hostapd_exec_t)
++
++type hostapd_var_run_t;
++files_pid_file(hostapd_var_run_t)
++
++type hostapd_unit_file_t;
++systemd_unit_file(hostapd_unit_file_t)
++
++########################################
++#
++# hostapd local policy
++#
++allow hostapd_t self:capability chown;
++allow hostapd_t self:fifo_file rw_fifo_file_perms;
++allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
++allow hostapd_t self:netlink_socket create_socket_perms;
++allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
++allow hostapd_t self:packet_socket create_socket_perms;
++
++manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
++manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
++manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
++files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file })
++
++kernel_read_system_state(hostapd_t)
++kernel_read_network_state(hostapd_t)
++kernel_request_load_module(hostapd_t)
++
++dev_read_rand(hostapd_t)
++dev_read_urand(hostapd_t)
++dev_read_sysfs(hostapd_t)
++dev_rw_wireless(hostapd_t)
++
++domain_use_interactive_fds(hostapd_t)
++
++files_read_etc_files(hostapd_t)
++
++auth_use_nsswitch(hostapd_t)
++
++logging_send_syslog_msg(hostapd_t)
++
++miscfiles_read_localization(hostapd_t)
 diff --git a/howl.te b/howl.te
 index b9e60ec..0477728 100644
 --- a/howl.te
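Review bot: The summary of `hostapd_domtrans` at the top of the new hostapd.if still reads `Execute TEMPLATE in the hostapd domin.` — the leftover placeholder and the typo should become `Execute hostapd in the hostapd domain.`, and the `hostapd_systemctl` summary repeats the domtrans wording (`Execute hostapd server in the hostapd domain.`) where `Execute hostapd server in the hostapd domain using systemctl.` would say what that interface actually grants. Smaller issues in the same hunk: `systemd_read_fifo_file_passwd_run($1)` inside `hostapd_systemctl` is space-indented while the surrounding lines use tabs, and hostapd.fc is added without a trailing newline. In hostapd.te the domain receives `packet_socket` and `netlink_*` socket permissions but no `net_admin` or `net_raw` capability; hostapd presumably needs those to bring up the interface over nl80211, so it is worth confirming against audit output whether this module is complete before it ships.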
@@ -41679,7 +42013,7 @@ index 3602712..af83a5b 100644
 +	allow $1 slapd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ldap.te b/ldap.te
-index 4c2b111..deb2d7d 100644
+index 4c2b111..8fa1510 100644
 --- a/ldap.te
 +++ b/ldap.te
 @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -41720,7 +42054,7 @@ index 4c2b111..deb2d7d 100644
  corenet_all_recvfrom_netlabel(slapd_t)
  corenet_tcp_sendrecv_generic_if(slapd_t)
  corenet_tcp_sendrecv_generic_node(slapd_t)
-@@ -115,15 +115,14 @@ fs_getattr_all_fs(slapd_t)
+@@ -115,25 +115,26 @@ fs_getattr_all_fs(slapd_t)
  fs_search_auto_mountpoints(slapd_t)
  
  files_read_etc_runtime_files(slapd_t)
@@ -41737,7 +42071,9 @@ index 4c2b111..deb2d7d 100644
  
  userdom_dontaudit_use_unpriv_user_fds(slapd_t)
  userdom_dontaudit_search_user_home_dirs(slapd_t)
-@@ -131,9 +130,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
+ 
++usermanage_read_crack_db(slapd_t)
++
  optional_policy(`
  	kerberos_manage_host_rcache(slapd_t)
  	kerberos_read_keytab(slapd_t)
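Review bot: `usermanage_read_crack_db(slapd_t)` is added as a bare call, unlike the `kerberos_*` calls directly below it, which sit inside `optional_policy(`…`)`; since usermanage is a separate contrib module, the new call should be wrapped the same way so ldap still links when that module is not present. The ldap.te section this lands in starts and ends outside the hunk.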
@@ -42048,10 +42384,10 @@ index 0000000..d2061a9
 +/var/run/timemaster(/.*)?				gen_context(system_u:object_r:timemaster_var_run_t,s0)
 diff --git a/linuxptp.if b/linuxptp.if
 new file mode 100644
-index 0000000..236707b
+index 0000000..7ba5060
 --- /dev/null
 +++ b/linuxptp.if
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,121 @@
 +## <summary>implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.</summary>
 +
 +########################################
@@ -42113,6 +42449,24 @@ index 0000000..236707b
 +
 +########################################
 +## <summary>
++## Read timemaster conf files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`timemaster_read_pid_files',`
++	gen_require(`
++		type timemaster_var_run_t;
++	')
++
++    read_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t)
++')
++
++########################################
++## <summary>
 +## Read and write timemaster shared memory.
 +## </summary>
 +## <param name="domain">
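Review bot: The new `timemaster_read_pid_files` interface is documented as `Read timemaster conf files.` although it grants access to `timemaster_var_run_t`; the summary should read `Read timemaster PID files.`. Unlike the other `*_read_pid_files` interfaces added in this patch (for example `hostapd_read_pid_files`, which calls `files_search_pids($1)` first), it grants no search on the PID directory, so a caller without that access will still be denied at the directory; consider adding `files_search_pids($1)` before the `read_files_pattern` line. That `read_files_pattern` line is also space-indented where the file uses tabs.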
@@ -43553,7 +43907,7 @@ index d314333..27ede09 100644
 +	')
  ')
 diff --git a/lsm.te b/lsm.te
-index 4ec0eea..2a6d99e 100644
+index 4ec0eea..c87e394 100644
 --- a/lsm.te
 +++ b/lsm.te
 @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@@ -43588,7 +43942,7 @@ index 4ec0eea..2a6d99e 100644
  ########################################
  #
  # Local policy
-@@ -26,4 +44,51 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,52 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
  manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
  files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
  
@@ -43632,6 +43986,7 @@ index 4ec0eea..2a6d99e 100644
 +
 +corenet_tcp_connect_http_port(lsmd_plugin_t)
 +corenet_tcp_connect_http_cache_port(lsmd_plugin_t)
++corenet_tcp_connect_lsm_plugin_port(lsmd_plugin_t)
 +corenet_tcp_connect_ssh_port(lsmd_plugin_t)
 +
 +init_stream_connect(lsmd_plugin_t)
@@ -43969,7 +44324,7 @@ index 108c0f1..a248501 100644
  	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
  ')
 diff --git a/mailman.te b/mailman.te
-index ac81c7f..7041046 100644
+index ac81c7f..f24f0ef 100644
 --- a/mailman.te
 +++ b/mailman.te
 @@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0)
@@ -44014,6 +44369,15 @@ index ac81c7f..7041046 100644
  ########################################
  #
  # CGI local policy
+@@ -103,7 +100,7 @@ optional_policy(`
+ 	apache_dontaudit_append_log(mailman_cgi_t)
+ 	apache_search_sys_script_state(mailman_cgi_t)
+ 	apache_read_config(mailman_cgi_t)
+-	apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
++	apache_rw_stream_sockets(mailman_cgi_t)
+ ')
+ 
+ optional_policy(`
 @@ -115,20 +112,23 @@ optional_policy(`
  # Mail local policy
  #
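Review bot: `apache_dontaudit_rw_stream_sockets(mailman_cgi_t)` becomes `apache_rw_stream_sockets(mailman_cgi_t)`, which turns a silenced denial into a real grant of read/write on httpd stream sockets for the mailman CGI domain. The change looks consistent with the CGI being run over an inherited httpd socket, but a one-line comment above the call recording the denial that motivated it would keep the widening reviewable. The enclosing `optional_policy` block for apache starts outside the hunk.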
@@ -46912,10 +47276,10 @@ index 0000000..1ce3e44
 +')
 diff --git a/mon_statd.te b/mon_statd.te
 new file mode 100644
-index 0000000..74302c2
+index 0000000..e7220a5
 --- /dev/null
 +++ b/mon_statd.te
-@@ -0,0 +1,75 @@
+@@ -0,0 +1,76 @@
 +policy_module(mon_statd, 1.0.0)
 +
 +########################################
@@ -46962,6 +47326,7 @@ index 0000000..74302c2
 +allow mon_statd_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_dgram_send(mon_statd_t)
++kernel_read_fs_sysctls(mon_statd_t)
 +
 +fs_getattr_all_fs(mon_statd_t)
 +fs_getattr_all_dirs(mon_statd_t)
@@ -48378,7 +48743,7 @@ index 6194b80..9dbe23d 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..372b342 100644
+index 11ac8e4..01cc431 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@@ -48665,10 +49030,10 @@ index 11ac8e4..372b342 100644
 -userdom_manage_user_home_content_dirs(mozilla_t)
 -userdom_manage_user_home_content_files(mozilla_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
--userdom_write_user_tmp_sockets(mozilla_t)
 +userdom_use_inherited_user_ptys(mozilla_t)
  
+-userdom_write_user_tmp_sockets(mozilla_t)
+-
 -mozilla_run_plugin(mozilla_t, mozilla_roles)
 -mozilla_run_plugin_config(mozilla_t, mozilla_roles)
 +#mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -48831,7 +49196,7 @@ index 11ac8e4..372b342 100644
  ')
  
  optional_policy(`
-@@ -300,259 +339,249 @@ optional_policy(`
+@@ -300,259 +339,253 @@ optional_policy(`
  
  ########################################
  #
@@ -48913,12 +49278,12 @@ index 11ac8e4..372b342 100644
  allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
--
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
 +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
  
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-
 -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
 +can_exec(mozilla_plugin_t, mozilla_exec_t)
  
@@ -49166,27 +49531,30 @@ index 11ac8e4..372b342 100644
 -	fs_manage_cifs_files(mozilla_plugin_t)
 -	fs_manage_cifs_symlinks(mozilla_plugin_t)
 +optional_policy(`
-+	bumblebee_stream_connect(mozilla_plugin_t)
++	bluetooth_stream_connect(mozilla_plugin_t)
  ')
  
  optional_policy(`
 -	alsa_read_rw_config(mozilla_plugin_t)
 -	alsa_read_home_files(mozilla_plugin_t)
-+	cups_stream_connect(mozilla_plugin_t)
++	bumblebee_stream_connect(mozilla_plugin_t)
  ')
  
  optional_policy(`
 -	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
-+	dbus_system_bus_client(mozilla_plugin_t)
-+	dbus_session_bus_client(mozilla_plugin_t)
-+	dbus_connect_session_bus(mozilla_plugin_t)
-+	dbus_read_lib_files(mozilla_plugin_t)
++	cups_stream_connect(mozilla_plugin_t)
  ')
  
  optional_policy(`
 -	dbus_all_session_bus_client(mozilla_plugin_t)
 -	dbus_connect_all_session_bus(mozilla_plugin_t)
--	dbus_system_bus_client(mozilla_plugin_t)
+ 	dbus_system_bus_client(mozilla_plugin_t)
++	dbus_session_bus_client(mozilla_plugin_t)
++	dbus_connect_session_bus(mozilla_plugin_t)
++	dbus_read_lib_files(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	gnome_manage_config(mozilla_plugin_t)
 +	gnome_read_usr_config(mozilla_plugin_t)
 +	gnome_filetrans_home_content(mozilla_plugin_t)
@@ -49227,7 +49595,7 @@ index 11ac8e4..372b342 100644
  ')
  
  optional_policy(`
-@@ -560,7 +589,11 @@ optional_policy(`
+@@ -560,7 +593,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49240,7 +49608,7 @@ index 11ac8e4..372b342 100644
  ')
  
  optional_policy(`
-@@ -568,108 +601,144 @@ optional_policy(`
+@@ -568,108 +605,144 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49875,7 +50243,7 @@ index f42896c..bd1eb52 100644
 +/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 +/var/spool/smtpd(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index ed81cac..2224799 100644
+index ed81cac..80e6086 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -1,4 +1,4 @@
@@ -50407,7 +50775,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -582,84 +570,66 @@ interface(`mta_read_aliases',`
+@@ -582,84 +570,64 @@ interface(`mta_read_aliases',`
  ##	</summary>
  ## </param>
  #
@@ -50457,9 +50825,7 @@ index ed81cac..2224799 100644
 +	files_search_etc($1)
 +	manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
 +	manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
-+	mta_etc_filetrans_aliases($1, "aliases")
-+	mta_etc_filetrans_aliases($1, "aliases.db")
-+	mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
++	mta_filetrans_named_content($1)
  ')
  
  ########################################
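Review bot: Replacing the three `mta_etc_filetrans_aliases` calls in `mta_manage_aliases` with `mta_filetrans_named_content($1)` widens what the interface grants: as the mta.if hunk later in this patch shows, `mta_filetrans_named_content` also calls `mta_filetrans_home_content($1)` and `mta_filetrans_admin_home_content($1)`, so every caller of `mta_manage_aliases` now receives home-directory file transitions it did not have before. If only the aliases transitions are intended, keep the per-name calls (adding the new `__db.aliases.db` entry) instead of the aggregate; if the broader grant is deliberate, a comment such as `# also grants mail home-content transitions via mta_filetrans_named_content` above the call would record that. The `mta_manage_aliases` interface begins before this hunk.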
@@ -50508,7 +50874,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -674,14 +644,13 @@ interface(`mta_rw_aliases',`
+@@ -674,14 +642,13 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -50526,7 +50892,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -697,6 +666,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+@@ -697,6 +664,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
  	dontaudit $1 mailserver_delivery:tcp_socket { read write };
  ')
  
@@ -50552,7 +50918,7 @@ index ed81cac..2224799 100644
  #######################################
  ## <summary>
  ##	Connect to all mail servers over TCP.  (Deprecated)
-@@ -713,8 +701,8 @@ interface(`mta_tcp_connect_all_mailservers',`
+@@ -713,8 +699,8 @@ interface(`mta_tcp_connect_all_mailservers',`
  
  #######################################
  ## <summary>
@@ -50563,7 +50929,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -732,7 +720,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
+@@ -732,7 +718,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
  
  ########################################
  ## <summary>
@@ -50572,7 +50938,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -753,8 +741,8 @@ interface(`mta_getattr_spool',`
+@@ -753,8 +739,8 @@ interface(`mta_getattr_spool',`
  
  ########################################
  ## <summary>
@@ -50583,7 +50949,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -775,9 +763,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -775,9 +761,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  #######################################
  ## <summary>
@@ -50595,7 +50961,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -811,7 +798,7 @@ interface(`mta_spool_filetrans',`
+@@ -811,7 +796,7 @@ interface(`mta_spool_filetrans',`
  
  #######################################
  ## <summary>
@@ -50604,7 +50970,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##  <summary>
-@@ -819,10 +806,10 @@ interface(`mta_spool_filetrans',`
+@@ -819,10 +804,10 @@ interface(`mta_spool_filetrans',`
  ##  </summary>
  ## </param>
  #
@@ -50619,7 +50985,7 @@ index ed81cac..2224799 100644
  
  	files_search_spool($1)
  	read_files_pattern($1, mail_spool_t, mail_spool_t)
-@@ -830,7 +817,7 @@ interface(`mta_read_spool_files',`
+@@ -830,7 +815,7 @@ interface(`mta_read_spool_files',`
  
  ########################################
  ## <summary>
@@ -50628,7 +50994,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -845,13 +832,14 @@ interface(`mta_rw_spool',`
+@@ -845,13 +830,14 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -50646,7 +51012,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -866,13 +854,14 @@ interface(`mta_append_spool',`
+@@ -866,13 +852,14 @@ interface(`mta_append_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -50664,7 +51030,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -891,8 +880,7 @@ interface(`mta_delete_spool',`
+@@ -891,8 +878,7 @@ interface(`mta_delete_spool',`
  
  ########################################
  ## <summary>
@@ -50674,7 +51040,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -911,45 +899,9 @@ interface(`mta_manage_spool',`
+@@ -911,45 +897,9 @@ interface(`mta_manage_spool',`
  	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
@@ -50721,7 +51087,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -968,7 +920,7 @@ interface(`mta_search_queue',`
+@@ -968,7 +918,7 @@ interface(`mta_search_queue',`
  
  #######################################
  ## <summary>
@@ -50730,7 +51096,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -981,13 +933,13 @@ interface(`mta_list_queue',`
+@@ -981,13 +931,13 @@ interface(`mta_list_queue',`
  		type mqueue_spool_t;
  	')
  
@@ -50746,7 +51112,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1000,14 +952,14 @@ interface(`mta_read_queue',`
+@@ -1000,14 +950,14 @@ interface(`mta_read_queue',`
  		type mqueue_spool_t;
  	')
  
@@ -50763,7 +51129,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1027,7 +979,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -1027,7 +977,7 @@ interface(`mta_dontaudit_rw_queue',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete
@@ -50772,7 +51138,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1047,6 +999,41 @@ interface(`mta_manage_queue',`
+@@ -1047,6 +997,41 @@ interface(`mta_manage_queue',`
  
  #######################################
  ## <summary>
@@ -50814,7 +51180,7 @@ index ed81cac..2224799 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -1055,6 +1042,7 @@ interface(`mta_manage_queue',`
+@@ -1055,6 +1040,7 @@ interface(`mta_manage_queue',`
  ##	</summary>
  ## </param>
  #
@@ -50822,7 +51188,7 @@ index ed81cac..2224799 100644
  interface(`mta_read_sendmail_bin',`
  	gen_require(`
  		type sendmail_exec_t;
-@@ -1065,8 +1053,8 @@ interface(`mta_read_sendmail_bin',`
+@@ -1065,8 +1051,8 @@ interface(`mta_read_sendmail_bin',`
  
  #######################################
  ## <summary>
@@ -50833,7 +51199,7 @@ index ed81cac..2224799 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1081,3 +1069,200 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1067,201 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -51031,11 +51397,12 @@ index ed81cac..2224799 100644
 +	mta_etc_filetrans_aliases($1, "aliases")
 +	mta_etc_filetrans_aliases($1, "aliases.db")
 +	mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
++	mta_etc_filetrans_aliases($1, "__db.aliases.db")
 +	mta_filetrans_home_content($1)
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index ff1d68c..a2854c1 100644
+index ff1d68c..86d8c9b 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -51278,7 +51645,7 @@ index ff1d68c..a2854c1 100644
  
  optional_policy(`
 +	munin_dontaudit_leaks(system_mail_t)
-+	munin_append_var_lib_files(system_mail_t)
++	munin_manage_var_lib_files(system_mail_t)
 +')
 +
 +optional_policy(`
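Review bot: `munin_append_var_lib_files(system_mail_t)` becomes `munin_manage_var_lib_files(system_mail_t)`, which moves the system mail domain from append-only to create/write/unlink on `munin_var_lib_t` files, and nothing records why. A short comment above the call naming the denial that motivated it (a placeholder such as `# needed for <describe the munin-triggered mail case>` until the reference is known) would keep the grant reviewable; if append really suffices, the original interface is the narrower choice. The `optional_policy` block closes inside the hunk but the mta.te section around it does not.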
@@ -51627,7 +51994,7 @@ index eb4b72a..af28bb5 100644
 +/var/www/html/cgi/munin.*       	gen_context(system_u:object_r:munin_script_exec_t,s0)
 +/var/www/cgi-bin/munin.*		gen_context(system_u:object_r:munin_script_exec_t,s0)
 diff --git a/munin.if b/munin.if
-index b744fe3..50c386e 100644
+index b744fe3..cb0e2af 100644
 --- a/munin.if
 +++ b/munin.if
 @@ -1,12 +1,13 @@
@@ -51698,7 +52065,7 @@ index b744fe3..50c386e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -80,15 +84,73 @@ interface(`munin_read_config',`
+@@ -80,15 +84,92 @@ interface(`munin_read_config',`
  		type munin_etc_t;
  	')
  
@@ -51707,11 +52074,10 @@ index b744fe3..50c386e 100644
  	allow $1 munin_etc_t:file read_file_perms;
  	allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
 +	files_search_etc($1)
- ')
- 
- #######################################
- ## <summary>
--##	Append munin log files.
++')
++
++#######################################
++## <summary>
 +##	Read munin library files.
 +## </summary>
 +## <param name="domain">
@@ -51732,6 +52098,25 @@ index b744fe3..50c386e 100644
 +
 +#######################################
 +## <summary>
++##	Manage munin library files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`munin_manage_var_lib_files',`
++	gen_require(`
++		type munin_var_lib_t;
++	')
++
++	files_search_var_lib($1)	
++	manage_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
++')
++
++#######################################
++## <summary>
 +##	Append munin library files.
 +## </summary>
 +## <param name="domain">
@@ -51766,15 +52151,16 @@ index b744fe3..50c386e 100644
 +	')
 +
 +	dontaudit $1 munin_t:tcp_socket { read write };
-+')
-+
-+#######################################
-+## <summary>
+ ')
+ 
+ #######################################
+ ## <summary>
+-##	Append munin log files.
 +##	Append to the munin log.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -147,8 +209,8 @@ interface(`munin_dontaudit_search_lib',`
+@@ -147,8 +228,8 @@ interface(`munin_dontaudit_search_lib',`
  
  ########################################
  ## <summary>
@@ -51785,7 +52171,7 @@ index b744fe3..50c386e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -157,7 +219,7 @@ interface(`munin_dontaudit_search_lib',`
+@@ -157,7 +238,7 @@ interface(`munin_dontaudit_search_lib',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -51794,7 +52180,7 @@ index b744fe3..50c386e 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -167,11 +229,15 @@ interface(`munin_admin',`
+@@ -167,11 +248,15 @@ interface(`munin_admin',`
  		attribute munin_plugin_domain, munin_plugin_tmp_content;
  		type munin_t, munin_etc_t, munin_tmp_t;
  		type munin_log_t, munin_var_lib_t, munin_var_run_t;
@@ -51813,7 +52199,7 @@ index b744fe3..50c386e 100644
  
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -193,5 +259,5 @@ interface(`munin_admin',`
+@@ -193,5 +278,5 @@ interface(`munin_admin',`
  	files_list_pids($1)
  	admin_pattern($1, munin_var_run_t)
  
@@ -54050,7 +54436,7 @@ index 0641e97..cad402c 100644
 +	admin_pattern($1, nrpe_etc_t)
  ')
 diff --git a/nagios.te b/nagios.te
-index 7b3e682..75ed416 100644
+index 7b3e682..2aa3b1d 100644
 --- a/nagios.te
 +++ b/nagios.te
 @@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -54305,7 +54691,7 @@ index 7b3e682..75ed416 100644
  ')
  
  optional_policy(`
-@@ -406,11 +422,14 @@ allow nagios_system_plugin_t self:capability dac_override;
+@@ -406,28 +422,36 @@ allow nagios_system_plugin_t self:capability dac_override;
  dontaudit nagios_system_plugin_t self:capability { setuid setgid };
  
  read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
@@ -54320,7 +54706,10 @@ index 7b3e682..75ed416 100644
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
  corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,14 +439,18 @@ dev_read_sysfs(nagios_system_plugin_t)
+ corecmd_exec_shell(nagios_system_plugin_t)
++corecmd_getattr_all_executables(nagios_system_plugin_t)
+ 
+ dev_read_sysfs(nagios_system_plugin_t)
  
  domain_read_all_domains_state(nagios_system_plugin_t)
  
@@ -54341,7 +54730,7 @@ index 7b3e682..75ed416 100644
  #######################################
  #
  # Event local policy
-@@ -442,9 +465,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,9 +466,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
  
  init_domtrans_script(nagios_eventhandler_plugin_t)
  
@@ -55118,7 +55507,7 @@ index 86dc29d..3eaf32b 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..6dc7fb1 100644
+index 55f2009..476d363 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -55215,7 +55604,7 @@ index 55f2009..6dc7fb1 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +114,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,17 +114,15 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
  files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
  
@@ -55229,12 +55618,13 @@ index 55f2009..6dc7fb1 100644
  kernel_read_debugfs(NetworkManager_t)
  kernel_rw_net_sysctls(NetworkManager_t)
 +kernel_dontaudit_setsched(NetworkManager_t)
++kernel_signull(NetworkManager_t)
  
 -corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
  corenet_tcp_sendrecv_generic_if(NetworkManager_t)
  corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +132,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +133,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
  corenet_tcp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_bind_generic_node(NetworkManager_t)
@@ -55260,7 +55650,7 @@ index 55f2009..6dc7fb1 100644
  dev_rw_sysfs(NetworkManager_t)
  dev_read_rand(NetworkManager_t)
  dev_read_urand(NetworkManager_t)
-@@ -125,13 +148,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +149,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
  dev_getattr_all_chr_files(NetworkManager_t)
  dev_rw_wireless(NetworkManager_t)
  
@@ -55274,7 +55664,7 @@ index 55f2009..6dc7fb1 100644
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
  fs_list_inotifyfs(NetworkManager_t)
-@@ -140,18 +156,33 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +157,33 @@ mls_file_read_all_levels(NetworkManager_t)
  
  selinux_dontaudit_search_fs(NetworkManager_t)
  
@@ -55309,7 +55699,7 @@ index 55f2009..6dc7fb1 100644
  
  seutil_read_config(NetworkManager_t)
  
-@@ -166,21 +197,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +198,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_state(NetworkManager_t)
  sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -55346,7 +55736,7 @@ index 55f2009..6dc7fb1 100644
  ')
  
  optional_policy(`
-@@ -196,10 +238,6 @@ optional_policy(`
+@@ -196,10 +239,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55357,7 +55747,7 @@ index 55f2009..6dc7fb1 100644
  	consoletype_exec(NetworkManager_t)
  ')
  
-@@ -210,16 +248,11 @@ optional_policy(`
+@@ -210,16 +249,11 @@ optional_policy(`
  optional_policy(`
  	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
  
@@ -55376,7 +55766,7 @@ index 55f2009..6dc7fb1 100644
  	')
  ')
  
-@@ -231,10 +264,11 @@ optional_policy(`
+@@ -231,10 +265,11 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -55389,7 +55779,7 @@ index 55f2009..6dc7fb1 100644
  ')
  
  optional_policy(`
-@@ -246,10 +280,26 @@ optional_policy(`
+@@ -246,10 +281,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55416,7 +55806,7 @@ index 55f2009..6dc7fb1 100644
  ')
  
  optional_policy(`
-@@ -257,15 +307,19 @@ optional_policy(`
+@@ -257,15 +308,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55438,7 +55828,7 @@ index 55f2009..6dc7fb1 100644
  ')
  
  optional_policy(`
-@@ -274,10 +328,17 @@ optional_policy(`
+@@ -274,10 +329,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -55456,11 +55846,12 @@ index 55f2009..6dc7fb1 100644
  ')
  
  optional_policy(`
-@@ -286,9 +347,11 @@ optional_policy(`
+@@ -286,9 +348,12 @@ optional_policy(`
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
  	openvpn_signull(NetworkManager_t)
-+    openvpn_stream_connect(NetworkManager_t)
++	openvpn_stream_connect(NetworkManager_t)
++	openvpn_noatsecure(NetworkManager_t)
  ')
  
  optional_policy(`
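Review bot: The new `openvpn_noatsecure(NetworkManager_t)` line is added with no comment saying why NetworkManager must exec openvpn with AT_SECURE cleared; that permission switches off the dynamic loader's secure-exec environment cleansing for the transition into openvpn_t, so the reason belongs next to the call. A one-line comment such as `# noatsecure: <reason openvpn must inherit NM's environment unsanitised> — TODO confirm` would make the grant reviewable later. The indentation fix on the `openvpn_stream_connect` line above it is welcome; keep the same tab style for the new line.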
@@ -55468,7 +55859,7 @@ index 55f2009..6dc7fb1 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +359,7 @@ optional_policy(`
+@@ -296,7 +361,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55477,7 +55868,7 @@ index 55f2009..6dc7fb1 100644
  ')
  
  optional_policy(`
-@@ -307,6 +370,7 @@ optional_policy(`
+@@ -307,6 +372,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -55485,7 +55876,7 @@ index 55f2009..6dc7fb1 100644
  ')
  
  optional_policy(`
-@@ -320,14 +384,20 @@ optional_policy(`
+@@ -320,14 +386,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55511,7 +55902,7 @@ index 55f2009..6dc7fb1 100644
  ')
  
  optional_policy(`
-@@ -357,6 +427,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +429,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -62045,7 +62436,7 @@ index 300213f..4cdfe09 100644
  /var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
  
 diff --git a/openvpn.if b/openvpn.if
-index 6837e9a..9bac89c 100644
+index 6837e9a..8d6e33b 100644
 --- a/openvpn.if
 +++ b/openvpn.if
 @@ -23,6 +23,25 @@ interface(`openvpn_domtrans',`
@@ -62074,7 +62465,7 @@ index 6837e9a..9bac89c 100644
  ##	openvpn domain, and allow the
  ##	specified role the openvpn domain.
  ## </summary>
-@@ -123,6 +142,26 @@ interface(`openvpn_read_config',`
+@@ -123,6 +142,44 @@ interface(`openvpn_read_config',`
  	allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms;
  ')
  
@@ -62098,10 +62489,28 @@ index 6837e9a..9bac89c 100644
 +	stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
 +')
 +
++########################################
++## <summary>
++##	Read and write to sopenvpn_image devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openvpn_noatsecure',`
++	gen_require(`
++		type openvpn_t;
++	')
++
++    allow $1 openvpn_t:process noatsecure;
++')
++
  ########################################
  ## <summary>
  ##	All of the rules required to
-@@ -147,9 +186,13 @@ interface(`openvpn_admin',`
+@@ -147,9 +204,13 @@ interface(`openvpn_admin',`
  		type openvpn_status_t;
  	')
  
@@ -62117,7 +62526,7 @@ index 6837e9a..9bac89c 100644
  	domain_system_change_exemption($1)
  	role_transition $2 openvpn_initrc_exec_t system_r;
 diff --git a/openvpn.te b/openvpn.te
-index 63957a3..4b43430 100644
+index 63957a3..a6cf637 100644
 --- a/openvpn.te
 +++ b/openvpn.te
 @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@@ -62162,7 +62571,16 @@ index 63957a3..4b43430 100644
  allow openvpn_t self:process { signal getsched setsched };
  allow openvpn_t self:fifo_file rw_fifo_file_perms;
  allow openvpn_t self:unix_dgram_socket sendto;
-@@ -73,13 +83,17 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -63,6 +73,8 @@ allow openvpn_t self:tcp_socket server_stream_socket_perms;
+ allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+ allow openvpn_t self:netlink_route_socket nlmsg_write;
+ 
++dontaudit openvpn_t self:capability2  block_suspend ;
++
+ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
+ allow openvpn_t openvpn_etc_t:file read_file_perms;
+ allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
+@@ -73,13 +85,17 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
  allow openvpn_t openvpn_status_t:file manage_file_perms;
  logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
  
@@ -62183,7 +62601,7 @@ index 63957a3..4b43430 100644
  logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
  
  manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
-@@ -97,7 +111,6 @@ kernel_request_load_module(openvpn_t)
+@@ -97,7 +113,6 @@ kernel_request_load_module(openvpn_t)
  corecmd_exec_bin(openvpn_t)
  corecmd_exec_shell(openvpn_t)
  
@@ -62191,7 +62609,7 @@ index 63957a3..4b43430 100644
  corenet_all_recvfrom_netlabel(openvpn_t)
  corenet_tcp_sendrecv_generic_if(openvpn_t)
  corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -117,13 +130,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
+@@ -117,13 +132,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
  corenet_sendrecv_http_server_packets(openvpn_t)
  corenet_tcp_bind_http_port(openvpn_t)
  corenet_sendrecv_http_client_packets(openvpn_t)
@@ -62208,7 +62626,7 @@ index 63957a3..4b43430 100644
  corenet_rw_tun_tap_dev(openvpn_t)
  
  dev_read_rand(openvpn_t)
-@@ -132,21 +147,31 @@ files_read_etc_runtime_files(openvpn_t)
+@@ -132,21 +149,31 @@ files_read_etc_runtime_files(openvpn_t)
  
  fs_getattr_all_fs(openvpn_t)
  fs_search_auto_mountpoints(openvpn_t)
@@ -62243,7 +62661,7 @@ index 63957a3..4b43430 100644
  ')
  
  tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -164,10 +189,20 @@ tunable_policy(`openvpn_can_network_connect',`
+@@ -164,10 +191,20 @@ tunable_policy(`openvpn_can_network_connect',`
  ')
  
  optional_policy(`
@@ -62264,7 +62682,7 @@ index 63957a3..4b43430 100644
  	dbus_system_bus_client(openvpn_t)
  	dbus_connect_system_bus(openvpn_t)
  
-@@ -175,3 +210,27 @@ optional_policy(`
+@@ -175,3 +212,27 @@ optional_policy(`
  		networkmanager_dbus_chat(openvpn_t)
  	')
  ')
@@ -62594,7 +63012,7 @@ index 9b15730..cb00f20 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..129bba9 100644
+index 44dbc99..c57aab5 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -9,11 +9,8 @@ type openvswitch_t;
@@ -62659,7 +63077,7 @@ index 44dbc99..129bba9 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -65,33 +68,42 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -65,33 +68,43 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
  
@@ -62668,6 +63086,7 @@ index 44dbc99..129bba9 100644
  kernel_read_network_state(openvswitch_t)
  kernel_read_system_state(openvswitch_t)
 +kernel_request_load_module(openvswitch_t)
++kernel_read_net_sysctls(openvswitch_t)
  
 -corenet_all_recvfrom_unlabeled(openvswitch_t)
 -corenet_all_recvfrom_netlabel(openvswitch_t)
@@ -64026,10 +64445,10 @@ index 0000000..9b8cb6b
 +/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)
 diff --git a/pcp.if b/pcp.if
 new file mode 100644
-index 0000000..d9296b1
+index 0000000..af1ca01
 --- /dev/null
 +++ b/pcp.if
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,140 @@
 +## <summary>The  pcp  command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
 +
 +######################################
@@ -64055,13 +64474,14 @@ index 0000000..d9296b1
 +    type pcp_$1_initrc_exec_t;
 +    init_script_file(pcp_$1_initrc_exec_t)
 +
++    auth_use_nsswitch(pcp_$1_t)
 +')
 +
 +######################################
 +## <summary>
 +##  Allow domain to read pcp lib files
 +## </summary>
-+## <param name="prefix">
++## <param name="domain">
 +##  <summary>
 +##  Prefix for the domain.
 +##  </summary>
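Review bot: The param element of the pcp read-lib-files interface is renamed to `domain`, but its summary on the following line still says `Prefix for the domain.`, so the description now contradicts the name. Change it to `##  Domain allowed access.` to match the other interfaces in this file. The `auth_use_nsswitch(pcp_$1_t)` line is added to a template whose header is above the hunk.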
@@ -64171,10 +64591,10 @@ index 0000000..d9296b1
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..62098f0
+index 0000000..8b45156
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,240 @@
+@@ -0,0 +1,235 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -64223,6 +64643,9 @@ index 0000000..62098f0
 +allow pcp_domain self:process signal_perms;
 +allow pcp_domain self:tcp_socket create_stream_socket_perms;
 +allow pcp_domain self:udp_socket create_socket_perms;
++allow pcp_domain self:netlink_route_socket create_socket_perms;
++
++corenet_tcp_connect_all_ephemeral_ports(pcp_domain)
 +
 +manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t)
 +manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t)
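Review bot: Hoisting `corenet_tcp_connect_all_ephemeral_ports(pcp_domain)` and the `netlink_route_socket` rule to the shared `pcp_domain` attribute widens them beyond the domains that had them before (pmmgr, pmie and pmlogger for the port rule, pmcd and pmproxy for the socket rule, per the removals later in this file) to every pcp domain, pmwebd included. If the broadening is intended, say so above the line, e.g. `# every pcp daemon may connect to ephemeral ports (pmcd/pmproxy/pmwebd included)`; otherwise keep the per-domain rules. Connect-to-all-ephemeral-ports is a broad network grant, so its placement on the attribute should be a deliberate decision rather than a side effect of the build fix.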
@@ -64253,8 +64676,6 @@ index 0000000..62098f0
 +
 +fs_getattr_all_fs(pcp_domain)
 +
-+auth_read_passwd(pcp_domain)
-+
 +miscfiles_read_generic_certs(pcp_domain)
 +
 +sysnet_read_config(pcp_domain)
@@ -64274,11 +64695,8 @@ index 0000000..62098f0
 +#
 +
 +allow pcp_pmcd_t self:process { setsched };
-+allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
 +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;
 +
-+auth_use_nsswitch(pcp_pmcd_t)
-+
 +kernel_get_sysvipc_info(pcp_pmcd_t)
 +kernel_read_network_state(pcp_pmcd_t)
 +kernel_read_system_state(pcp_pmcd_t)
@@ -64328,11 +64746,8 @@ index 0000000..62098f0
 +#
 +
 +allow pcp_pmproxy_t self:process setsched;
-+allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms;
 +allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
 +
-+auth_use_nsswitch(pcp_pmproxy_t)
-+
 +logging_send_syslog_msg(pcp_pmproxy_t)
 +
 +optional_policy(`
@@ -64350,6 +64765,14 @@ index 0000000..62098f0
 +
 +corenet_tcp_bind_generic_node(pcp_pmwebd_t)
 +
++optional_policy(`
++    dbus_system_bus_client(pcp_pmwebd_t)
++
++    optional_policy(`
++        avahi_dbus_chat(pcp_pmwebd_t)
++    ')
++')
++
 +########################################
 +#
 +# pcp_pmmgr local  policy
@@ -64361,15 +64784,11 @@ index 0000000..62098f0
 +
 +kernel_read_system_state(pcp_pmmgr_t)
 +
-+auth_use_nsswitch(pcp_pmmgr_t)
-+
 +corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
 +
 +corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
 +corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
 +
-+corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)
-+
 +corecmd_exec_bin(pcp_pmmgr_t)
 +
 +logging_send_syslog_msg(pcp_pmmgr_t)
@@ -64393,8 +64812,6 @@ index 0000000..62098f0
 +
 +corecmd_exec_bin(pcp_pmie_t)
 +
-+corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
-+
 +logging_send_syslog_msg(pcp_pmie_t)
 +
 +userdom_read_user_tmp_files(pcp_pmie_t)
@@ -64413,8 +64830,6 @@ index 0000000..62098f0
 +corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
 +corenet_tcp_bind_generic_node(pcp_pmlogger_t)
 +
-+corenet_tcp_connect_all_ephemeral_ports(pcp_pmlogger_t)
-+
 diff --git a/pcscd.if b/pcscd.if
 index 43d50f9..6b1544f 100644
 --- a/pcscd.if
@@ -64563,10 +64978,10 @@ index dfd46e4..d40433a 100644
 +/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt   --  gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt    --  gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
 diff --git a/pegasus.if b/pegasus.if
-index d2fc677..ded726f 100644
+index d2fc677..86dce34 100644
 --- a/pegasus.if
 +++ b/pegasus.if
-@@ -1,52 +1,59 @@
+@@ -1,52 +1,60 @@
  ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
  
 +######################################
@@ -64601,6 +65016,7 @@ index d2fc677..ded726f 100644
 +	#
 +	
 +	domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
++    allow pegasus_t pegasus_openlmi_$1_exec_t:file ioctl;
 +
 +	kernel_read_system_state(pegasus_openlmi_$1_t)
 +	logging_send_syslog_msg(pegasus_openlmi_$1_t)
@@ -72757,7 +73173,7 @@ index 0000000..44ed5ad
 +')
 diff --git a/prosody.te b/prosody.te
 new file mode 100644
-index 0000000..4f6badd
+index 0000000..ad32ffe
 --- /dev/null
 +++ b/prosody.te
 @@ -0,0 +1,75 @@
@@ -72794,7 +73210,7 @@ index 0000000..4f6badd
 +# prosody local policy
 +#
 +allow prosody_t self:capability { setuid setgid };
-+allow prosody_t self:process signal_perms;
++allow prosody_t self:process { signal_perms execmem };
 +allow prosody_t self:tcp_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
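Review bot: Adding `execmem` to `prosody_t self:process` permits anonymous writable-and-executable memory, which removes the W^X protection for the daemon, and the line carries no explanation. Add a comment naming the component that needs it, e.g. `# execmem: <component needing RWX anonymous mappings> — TODO confirm`, or gate it behind a boolean if it is only needed with an optional module. The same undocumented `execmem` addition is made for `sensord_t` at the end of this file.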
@@ -77912,7 +78328,7 @@ index 2c3d338..7d49554 100644
  	init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..0675a9c 100644
+index dc3b0ed..d8858d1 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
@@ -77946,7 +78362,7 @@ index dc3b0ed..0675a9c 100644
  type rabbitmq_var_log_t;
  logging_log_file(rabbitmq_var_log_t)
  
-@@ -27,98 +31,86 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,98 +31,92 @@ files_pid_file(rabbitmq_var_run_t)
  
  ######################################
  #
@@ -78057,6 +78473,7 @@ index dc3b0ed..0675a9c 100644
 +
 +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 +manage_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 +logging_log_filetrans(rabbitmq_t, rabbitmq_var_log_t, { dir file })
 +
 +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
@@ -78065,6 +78482,7 @@ index dc3b0ed..0675a9c 100644
 +
 +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
 +manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
++manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
 +files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
 +
 +kernel_read_system_state(rabbitmq_t)
@@ -78121,6 +78539,10 @@ index dc3b0ed..0675a9c 100644
 +')
 +
 +optional_policy(`
++	hostname_exec(rabbitmq_t)
++')
++
++optional_policy(`
 +    rpc_read_nfs_state_data(rabbitmq_t)
 +')
  
@@ -78203,7 +78625,7 @@ index 4460582..4c66c25 100644
 +
  ')
 diff --git a/radius.te b/radius.te
-index 403a4fe..870d7b3 100644
+index 403a4fe..0e88460 100644
 --- a/radius.te
 +++ b/radius.te
 @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@@ -78240,7 +78662,7 @@ index 403a4fe..870d7b3 100644
  corenet_all_recvfrom_netlabel(radiusd_t)
  corenet_tcp_sendrecv_generic_if(radiusd_t)
  corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -74,10 +75,14 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
+@@ -74,10 +75,15 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
  corenet_udp_sendrecv_all_ports(radiusd_t)
  corenet_udp_bind_generic_node(radiusd_t)
  
@@ -78248,6 +78670,7 @@ index 403a4fe..870d7b3 100644
 +corenet_tcp_connect_http_port(radiusd_t)
 +
  corenet_sendrecv_radacct_server_packets(radiusd_t)
++corenet_tcp_bind_radacct_port(radiusd_t)
  corenet_udp_bind_radacct_port(radiusd_t)
  
  corenet_sendrecv_radius_server_packets(radiusd_t)
@@ -78255,7 +78678,7 @@ index 403a4fe..870d7b3 100644
  corenet_udp_bind_radius_port(radiusd_t)
  
  corenet_sendrecv_snmp_client_packets(radiusd_t)
-@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t)
+@@ -97,7 +103,6 @@ domain_use_interactive_fds(radiusd_t)
  fs_getattr_all_fs(radiusd_t)
  fs_search_auto_mountpoints(radiusd_t)
  
@@ -78263,7 +78686,7 @@ index 403a4fe..870d7b3 100644
  files_read_etc_runtime_files(radiusd_t)
  files_dontaudit_list_tmp(radiusd_t)
  
-@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t)
+@@ -109,7 +114,6 @@ libs_exec_lib_files(radiusd_t)
  
  logging_send_syslog_msg(radiusd_t)
  
@@ -78271,7 +78694,7 @@ index 403a4fe..870d7b3 100644
  miscfiles_read_generic_certs(radiusd_t)
  
  sysnet_use_ldap(radiusd_t)
-@@ -122,6 +125,11 @@ optional_policy(`
+@@ -122,6 +126,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78283,7 +78706,7 @@ index 403a4fe..870d7b3 100644
  	logrotate_exec(radiusd_t)
  ')
  
-@@ -140,5 +148,10 @@ optional_policy(`
+@@ -140,5 +149,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78589,7 +79012,7 @@ index 951db7f..04b6dde 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
  ')
 diff --git a/raid.te b/raid.te
-index c99753f..ec12db3 100644
+index c99753f..26d52dc 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@@ -78685,11 +79108,12 @@ index c99753f..ec12db3 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +103,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +103,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
 +storage_raw_read_removable_device(mdadm_t)
++storage_tmp_filetrans_fixed_disk(mdadm_t)
  
  term_dontaudit_list_ptys(mdadm_t)
  term_dontaudit_use_unallocated_ttys(mdadm_t)
@@ -78697,6 +79121,7 @@ index c99753f..ec12db3 100644
 +auth_use_nsswitch(mdadm_t)
 +
  init_dontaudit_getattr_initctl(mdadm_t)
++init_getattr_script_status_files(mdadm_t)
  
 +logging_dontaudit_getattr_all_logs(mdadm_t)
  logging_send_syslog_msg(mdadm_t)
@@ -78707,7 +79132,7 @@ index c99753f..ec12db3 100644
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +127,38 @@ optional_policy(`
+@@ -90,17 +129,38 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84837,7 +85262,7 @@ index 0bf13c2..1d69728 100644
  		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
  		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..f47a20e 100644
+index 2da9fca..b225fea 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
@@ -84919,7 +85344,7 @@ index 2da9fca..f47a20e 100644
  corenet_tcp_sendrecv_generic_if(rpc_domain)
  corenet_udp_sendrecv_generic_if(rpc_domain)
  corenet_tcp_sendrecv_generic_node(rpc_domain)
-@@ -108,41 +105,42 @@ files_read_etc_runtime_files(rpc_domain)
+@@ -108,41 +105,43 @@ files_read_etc_runtime_files(rpc_domain)
  files_read_usr_files(rpc_domain)
  files_list_home(rpc_domain)
  
@@ -84965,12 +85390,13 @@ index 2da9fca..f47a20e 100644
  can_exec(rpcd_t, rpcd_exec_t)
  
 +kernel_read_system_state(rpcd_t)
++kernel_write_proc_files(rpcd_t)
  kernel_read_network_state(rpcd_t)
 +# for rpc.rquotad
  kernel_read_sysctl(rpcd_t)
  kernel_rw_fs_sysctls(rpcd_t)
  kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -163,13 +161,14 @@ fs_getattr_all_fs(rpcd_t)
+@@ -163,13 +162,14 @@ fs_getattr_all_fs(rpcd_t)
  
  storage_getattr_fixed_disk_dev(rpcd_t)
  
@@ -84988,7 +85414,7 @@ index 2da9fca..f47a20e 100644
  
  ifdef(`distro_debian',`
  	term_dontaudit_use_unallocated_ttys(rpcd_t)
-@@ -181,19 +180,27 @@ optional_policy(`
+@@ -181,19 +181,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85019,7 +85445,7 @@ index 2da9fca..f47a20e 100644
  ')
  
  ########################################
-@@ -202,41 +209,56 @@ optional_policy(`
+@@ -202,41 +210,56 @@ optional_policy(`
  #
  
  allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -85085,7 +85511,7 @@ index 2da9fca..f47a20e 100644
  	miscfiles_manage_public_files(nfsd_t)
  ')
  
-@@ -245,7 +267,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +268,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -85093,7 +85519,7 @@ index 2da9fca..f47a20e 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +278,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +279,12 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -85108,7 +85534,7 @@ index 2da9fca..f47a20e 100644
  ')
  
  ########################################
-@@ -270,7 +291,7 @@ optional_policy(`
+@@ -270,7 +292,7 @@ optional_policy(`
  # GSSD local policy
  #
  
@@ -85117,7 +85543,7 @@ index 2da9fca..f47a20e 100644
  allow gssd_t self:process { getsched setsched };
  allow gssd_t self:fifo_file rw_fifo_file_perms;
  
-@@ -280,6 +301,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +302,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -85125,7 +85551,7 @@ index 2da9fca..f47a20e 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -288,25 +310,30 @@ kernel_signal(gssd_t)
+@@ -288,25 +311,30 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -85159,7 +85585,7 @@ index 2da9fca..f47a20e 100644
  ')
  
  optional_policy(`
-@@ -314,9 +341,12 @@ optional_policy(`
+@@ -314,9 +342,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85476,7 +85902,7 @@ index ebe91fc..fc8f8ac 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index ef3b225..d248cd3 100644
+index ef3b225..d481e0a 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -85735,7 +86161,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -302,7 +378,25 @@ interface(`rpm_manage_log',`
+@@ -302,7 +378,32 @@ interface(`rpm_manage_log',`
  
  ########################################
  ## <summary>
@@ -85748,12 +86174,19 @@ index ef3b225..d248cd3 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`rpm_named_filetrans_log_files',`
++interface(`rpm_named_filetrans',`
 +	gen_require(`
 +		type rpm_log_t;
++		type rpm_var_lib_t;
 +	')
-+    logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
-+    logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
++	logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
++	logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
++	files_var_filetrans($1, rpm_var_lib_t, dir, "dnf")
++	files_var_filetrans($1, rpm_var_lib_t, dir, "yum")
++	files_var_filetrans($1, rpm_var_lib_t, dir, "rpm")
++	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
++	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
++	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
 +')
 +
 +########################################
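Review bot: The interface is renamed from `rpm_named_filetrans_log_files` to `rpm_named_filetrans` and now also creates `rpm_var_lib_t` directories under /var and /var/lib, but its `<summary>` is above the hunk and should be checked so it no longer describes log files only. The rename is an interface change: any other caller still using the old name (none is visible here) will fail to build. The paired `files_var_filetrans` and `files_var_lib_filetrans` calls for dnf/yum/rpm look intentional; a one-line comment such as `# both /var/<name> and /var/lib/<name> are used` would stop a later reader from treating one set as a duplicate.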
@@ -85762,7 +86195,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -320,8 +414,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +421,8 @@ interface(`rpm_use_script_fds',`
  
  ########################################
  ## <summary>
@@ -85773,7 +86206,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -335,12 +429,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +436,15 @@ interface(`rpm_manage_script_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -85790,7 +86223,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -353,14 +450,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +457,13 @@ interface(`rpm_append_tmp_files',`
  		type rpm_tmp_t;
  	')
  
@@ -85808,7 +86241,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -374,12 +470,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +477,14 @@ interface(`rpm_manage_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -85824,7 +86257,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -399,7 +497,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +504,7 @@ interface(`rpm_read_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -85833,7 +86266,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -420,8 +518,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +525,7 @@ interface(`rpm_read_cache',`
  
  ########################################
  ## <summary>
@@ -85843,7 +86276,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -442,7 +539,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +546,7 @@ interface(`rpm_manage_cache',`
  
  ########################################
  ## <summary>
@@ -85852,7 +86285,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -459,11 +556,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +563,12 @@ interface(`rpm_read_db',`
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -85866,7 +86299,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -482,8 +580,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +587,7 @@ interface(`rpm_delete_db',`
  
  ########################################
  ## <summary>
@@ -85876,7 +86309,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -503,8 +600,28 @@ interface(`rpm_manage_db',`
+@@ -503,8 +607,28 @@ interface(`rpm_manage_db',`
  
  ########################################
  ## <summary>
@@ -85906,7 +86339,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -517,7 +634,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +641,7 @@ interface(`rpm_dontaudit_manage_db',`
  		type rpm_var_lib_t;
  	')
  
@@ -85915,7 +86348,7 @@ index ef3b225..d248cd3 100644
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
-@@ -543,8 +660,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +667,7 @@ interface(`rpm_read_pid_files',`
  
  #####################################
  ## <summary>
@@ -85925,7 +86358,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -563,8 +679,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +686,7 @@ interface(`rpm_manage_pid_files',`
  
  ######################################
  ## <summary>
@@ -85935,7 +86368,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -573,43 +688,54 @@ interface(`rpm_manage_pid_files',`
+@@ -573,43 +695,54 @@ interface(`rpm_manage_pid_files',`
  ## </param>
  #
  interface(`rpm_pid_filetrans',`
@@ -86007,7 +86440,7 @@ index ef3b225..d248cd3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -617,22 +743,56 @@ interface(`rpm_pid_filetrans_rpm_pid',`
+@@ -617,22 +750,56 @@ interface(`rpm_pid_filetrans_rpm_pid',`
  ##	</summary>
  ## </param>
  ## <param name="role">
@@ -86075,6 +86508,16 @@ index ef3b225..d248cd3 100644
  
  	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
  	domain_system_change_exemption($1)
+@@ -641,9 +808,6 @@ interface(`rpm_admin',`
+ 
+ 	admin_pattern($1, rpm_file_t)
+ 
+-	files_list_var($1)
+-	admin_pattern($1, rpm_cache_t)
+-
+ 	files_list_tmp($1)
+ 	admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
+ 
 diff --git a/rpm.te b/rpm.te
 index 6fc360e..75415ab 100644
 --- a/rpm.te
@@ -87824,7 +88267,7 @@ index b8b66ff..a93346e 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/samba.if b/samba.if
-index 50d07fb..dc069c8 100644
+index 50d07fb..59296a2 100644
 --- a/samba.if
 +++ b/samba.if
 @@ -1,8 +1,12 @@
@@ -88490,12 +88933,13 @@ index 50d07fb..dc069c8 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -689,11 +846,28 @@ interface(`samba_admin',`
+@@ -689,11 +846,29 @@ interface(`samba_admin',`
  		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
  		type swat_var_run_t, swat_tmp_t, winbind_log_t;
  		type winbind_var_run_t, winbind_tmp_t;
 -		type smbd_keytab_t;
 +		type smbd_keytab_t, samba_unit_file_t;
++        type samba_unconfined_script_t;
 +	')
 +
 +	allow $1 smbd_t:process signal_perms;
@@ -88522,7 +88966,7 @@ index 50d07fb..dc069c8 100644
  
  	init_labeled_script_domtrans($1, samba_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -703,23 +877,34 @@ interface(`samba_admin',`
+@@ -703,23 +878,34 @@ interface(`samba_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { samba_etc_t smbd_keytab_t })
  
@@ -91171,7 +91615,7 @@ index cd6c213..82a5ff0 100644
 +	allow $1 sanlock_unit_file_t:service all_service_perms;
  ')
 diff --git a/sanlock.te b/sanlock.te
-index 0045465..027faf2 100644
+index 0045465..61da47f 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0)
@@ -91300,17 +91744,18 @@ index 0045465..027faf2 100644
  ')
  
  optional_policy(`
-@@ -100,7 +118,9 @@ optional_policy(`
+@@ -100,7 +118,10 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	virt_kill_all_virt_domains(sanlock_t)
 +	virt_kill_svirt(sanlock_t)
 +	virt_kill(sanlock_t)
-+    virt_signal(sanlock_t)
++	virt_signal(sanlock_t)
  	virt_manage_lib_files(sanlock_t)
 -	virt_signal_all_virt_domains(sanlock_t)
 +	virt_signal_svirt(sanlock_t)
++	virt_read_pid_files(sanlock_t)
  ')
 diff --git a/sasl.fc b/sasl.fc
 index 54f41c2..7e58679 100644
@@ -91691,7 +92136,7 @@ index 98c9e0a..562666e 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..135baca 100644
+index 299756b..3502684 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -91797,7 +92242,7 @@ index 299756b..135baca 100644
  ')
  
  optional_policy(`
-@@ -117,6 +133,54 @@ optional_policy(`
+@@ -117,6 +133,58 @@ optional_policy(`
  # Reposd local policy
  #
  
@@ -91814,7 +92259,7 @@ index 299756b..135baca 100644
 +# Sfcbd local policy
 +#
 +
-+allow sblim_sfcbd_t self:capability { sys_ptrace setgid };
++allow sblim_sfcbd_t self:capability { sys_ptrace setgid setuid };
 +allow sblim_sfcbd_t self:process signal;
 +allow sblim_sfcbd_t self:unix_stream_socket connectto;
 +
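Review bot: `sblim_sfcbd_t` now gets `setuid` in addition to `sys_ptrace` and `setgid`, with no comment on why the daemon needs to change identity; a capability set that allows both identity switching and tracing deserves a rationale next to the rule. Something like `# setuid/setgid: sfcbd switches to <user> for providers — TODO confirm` would do. If only a helper needs it, a separate domain would keep the capability off the main daemon.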
@@ -91844,6 +92289,10 @@ index 299756b..135baca 100644
 +logging_send_audit_msgs(sblim_sfcbd_t)
 +
 +optional_policy(`
++    setroubleshoot_signull(sblim_sfcbd_t)
++')
++
++optional_policy(`
 +    rpm_exec(sblim_sfcbd_t)
 +    rpm_dontaudit_manage_db(sblim_sfcbd_t)
 +')
@@ -92592,7 +93041,7 @@ index 35ad2a7..6b75e85 100644
 +	admin_pattern($1, mail_spool_t)
  ')
 diff --git a/sendmail.te b/sendmail.te
-index 12700b4..906b5db 100644
+index 12700b4..27adacc 100644
 --- a/sendmail.te
 +++ b/sendmail.te
 @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@@ -92732,7 +93181,7 @@ index 12700b4..906b5db 100644
  ')
  
  optional_policy(`
-@@ -164,14 +168,27 @@ optional_policy(`
+@@ -164,6 +168,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92743,12 +93192,7 @@ index 12700b4..906b5db 100644
  	milter_stream_connect_all(sendmail_t)
  ')
  
- optional_policy(`
-+    mta_filetrans_home_content(sendmail_t)
-+')
-+
-+optional_policy(`
- 	munin_dontaudit_search_lib(sendmail_t)
+@@ -172,6 +180,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92760,7 +93204,7 @@ index 12700b4..906b5db 100644
  	postfix_domtrans_postdrop(sendmail_t)
  	postfix_domtrans_master(sendmail_t)
  	postfix_domtrans_postqueue(sendmail_t)
-@@ -193,6 +210,10 @@ optional_policy(`
+@@ -193,6 +206,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92771,18 +93215,15 @@ index 12700b4..906b5db 100644
  	udev_read_db(sendmail_t)
  ')
  
-@@ -206,8 +227,8 @@ optional_policy(`
+@@ -206,8 +223,6 @@ optional_policy(`
  #
  
  optional_policy(`
 -	mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")
 -	mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db")
 -	mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp")
--	unconfined_domain(unconfined_sendmail_t)
-+    mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliases")
-+    mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliases.db")
-+    mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliasesdb-stamp")
-+    unconfined_domain(unconfined_sendmail_t)
++	mta_filetrans_named_content(unconfined_sendmail_t)
+ 	unconfined_domain(unconfined_sendmail_t)
  ')
 diff --git a/sensord.fc b/sensord.fc
 index 8185d5a..9be989a 100644
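Review bot: Replacing the three explicit `mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliases" …)` calls with a single `mta_filetrans_named_content(unconfined_sendmail_t)` changes the set of named file transitions this domain gets, and the body of the new interface is not visible here, so it is worth confirming it still covers `aliases`, `aliases.db` and `aliasesdb-stamp` in /etc. Because `unconfined_domain(unconfined_sendmail_t)` already grants access, the only effect of these rules is labeling: a transition that is no longer covered would leave a freshly created aliases file with the generic /etc label instead of the aliases type, which silently changes what confined MTAs may read. A short comment on the new line stating which names the interface is expected to cover would make that intent checkable.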
@@ -92897,7 +93338,7 @@ index d204752..85631b3 100644
 +	')
  ')
 diff --git a/sensord.te b/sensord.te
-index 5e82fd6..80cb2bc 100644
+index 5e82fd6..ddb249d 100644
 --- a/sensord.te
 +++ b/sensord.te
 @@ -9,27 +9,38 @@ type sensord_t;
@@ -92921,7 +93362,7 @@ index 5e82fd6..80cb2bc 100644
  # Local policy
  #
  
-+allow sensord_t self:process signal;
++allow sensord_t self:process { signal execmem };
 +
  allow sensord_t self:fifo_file rw_fifo_file_perms;
  allow sensord_t self:unix_stream_socket create_stream_socket_perms;
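Review bot: `execmem` is added to sensord_t unconditionally in `allow sensord_t self:process { signal execmem };`, which permits writable-and-executable anonymous mappings and so removes the W^X protection for this daemon. Elsewhere in this same patch file the permission is gated on the `deny_execmem` tunable (the thumb policy further down wraps `allow thumb_t self:process execmem;` in a `tunable_policy` block keyed on it), and the same shape is appropriate here: keep `allow sensord_t self:process signal;` unconditional and put `allow sensord_t self:process execmem;` inside a `deny_execmem` tunable_policy block. If a specific library used by sensord genuinely needs it, a comment naming it would also help. The sensord local-policy section continues outside this hunk.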
@@ -93720,7 +94161,7 @@ index 1aeef8a..d5ce40a 100644
  	admin_pattern($1, shorewall_etc_t)
  
 diff --git a/shorewall.te b/shorewall.te
-index 7710b9f..6195392 100644
+index 7710b9f..b33b936 100644
 --- a/shorewall.te
 +++ b/shorewall.te
 @@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t)
@@ -93776,6 +94217,16 @@ index 7710b9f..6195392 100644
  
  optional_policy(`
  	brctl_domtrans(shorewall_t)
+@@ -110,5 +110,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	netutils_domtrans(shorewall_t)
++')
++
++optional_policy(`
+ 	ulogd_search_log(shorewall_t)
+ ')
 diff --git a/shutdown.fc b/shutdown.fc
 index a91f33b..631dbc1 100644
 --- a/shutdown.fc
@@ -95347,7 +95798,7 @@ index 634c6b4..f6db7a7 100644
 +')
 +
 diff --git a/sosreport.te b/sosreport.te
-index f2f507d..9cf6dda 100644
+index f2f507d..b3f8d3b 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -95539,7 +95990,7 @@ index f2f507d..9cf6dda 100644
 +    rpm_manage_cache(sosreport_t)
 +    rpm_manage_log(sosreport_t)
 +    rpm_manage_pid_files(sosreport_t)
-+    rpm_named_filetrans_log_files(sosreport_t)
++    rpm_named_filetrans(sosreport_t)
 +    rpm_read_db(sosreport_t)
 +    rpm_signull(sosreport_t)
 +')
@@ -96122,7 +96573,7 @@ index 1499b0b..6950cab 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..b1878b4 100644
+index cc58e35..c0d3694 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@@ -96527,20 +96978,20 @@ index cc58e35..b1878b4 100644
  
 -auth_use_nsswitch(spamc_t)
 +fs_search_auto_mountpoints(spamc_t)
-+
-+libs_exec_ldconfig(spamc_t)
  
- logging_send_syslog_msg(spamc_t)
+-logging_send_syslog_msg(spamc_t)
++libs_exec_ldconfig(spamc_t)
  
 -miscfiles_read_localization(spamc_t)
-+auth_use_nsswitch(spamc_t)
++logging_send_syslog_msg(spamc_t)
  
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(spamc_t)
 -	fs_manage_nfs_files(spamc_t)
 -	fs_manage_nfs_symlinks(spamc_t)
 -')
--
++auth_use_nsswitch(spamc_t)
+ 
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(spamc_t)
 -	fs_manage_cifs_files(spamc_t)
@@ -96558,7 +97009,7 @@ index cc58e35..b1878b4 100644
  	evolution_stream_connect(spamc_t)
  ')
  
-@@ -251,10 +353,16 @@ optional_policy(`
+@@ -251,11 +353,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96574,9 +97025,11 @@ index cc58e35..b1878b4 100644
  	mta_read_queue(spamc_t)
 -	sendmail_rw_pipes(spamc_t)
  	sendmail_stub(spamc_t)
++	sendmail_rw_pipes(spamc_t)
  ')
  
-@@ -267,36 +375,40 @@ optional_policy(`
+ optional_policy(`
+@@ -267,36 +376,40 @@ optional_policy(`
  
  ########################################
  #
@@ -96603,17 +97056,17 @@ index cc58e35..b1878b4 100644
  allow spamd_t self:unix_dgram_socket sendto;
 -allow spamd_t self:unix_stream_socket { accept connectto listen };
 -allow spamd_t self:tcp_socket { accept listen };
--
++allow spamd_t self:unix_stream_socket connectto;
++allow spamd_t self:tcp_socket create_stream_socket_perms;
++allow spamd_t self:udp_socket create_socket_perms;
+ 
 -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
 -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
-+allow spamd_t self:unix_stream_socket connectto;
-+allow spamd_t self:tcp_socket create_stream_socket_perms;
-+allow spamd_t self:udp_socket create_socket_perms;
- 
+-
 -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@@ -96634,7 +97087,7 @@ index cc58e35..b1878b4 100644
  logging_log_filetrans(spamd_t, spamd_log_t, file)
  
  manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +420,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +421,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
@@ -96644,7 +97097,7 @@ index cc58e35..b1878b4 100644
  manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  
-@@ -317,12 +430,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +431,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
  
@@ -96660,7 +97113,7 @@ index cc58e35..b1878b4 100644
  corenet_all_recvfrom_netlabel(spamd_t)
  corenet_tcp_sendrecv_generic_if(spamd_t)
  corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +445,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +446,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
  corenet_tcp_sendrecv_all_ports(spamd_t)
  corenet_udp_sendrecv_all_ports(spamd_t)
  corenet_tcp_bind_generic_node(spamd_t)
@@ -96764,7 +97217,7 @@ index cc58e35..b1878b4 100644
  ')
  
  optional_policy(`
-@@ -421,21 +516,13 @@ optional_policy(`
+@@ -421,21 +517,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96788,7 +97241,7 @@ index cc58e35..b1878b4 100644
  ')
  
  optional_policy(`
-@@ -443,8 +530,8 @@ optional_policy(`
+@@ -443,8 +531,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96798,7 +97251,7 @@ index cc58e35..b1878b4 100644
  ')
  
  optional_policy(`
-@@ -455,7 +542,17 @@ optional_policy(`
+@@ -455,7 +543,17 @@ optional_policy(`
  optional_policy(`
  	razor_domtrans(spamd_t)
  	razor_read_lib_files(spamd_t)
@@ -96817,7 +97270,7 @@ index cc58e35..b1878b4 100644
  ')
  
  optional_policy(`
-@@ -463,9 +560,9 @@ optional_policy(`
+@@ -463,9 +561,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96828,7 +97281,7 @@ index cc58e35..b1878b4 100644
  ')
  
  optional_policy(`
-@@ -474,32 +571,32 @@ optional_policy(`
+@@ -474,32 +572,32 @@ optional_policy(`
  
  ########################################
  #
@@ -96871,7 +97324,7 @@ index cc58e35..b1878b4 100644
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +605,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +606,21 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
@@ -97417,7 +97870,7 @@ index dbb005a..835122a 100644
 -/var/run/sssd\.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
-index a240455..b25b2ce 100644
+index a240455..04419ae 100644
 --- a/sssd.if
 +++ b/sssd.if
 @@ -1,21 +1,21 @@
@@ -97612,22 +98065,40 @@ index a240455..b25b2ce 100644
  ## <summary>
 -##	Create, read, write, and delete
 -##	sssd public files.
-+##	Dontaudit read sssd public files.
++##	Delete sssd public files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -146,18 +185,36 @@ interface(`sssd_read_public_files',`
+@@ -146,18 +185,55 @@ interface(`sssd_read_public_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`sssd_manage_public_files',`
-+interface(`sssd_dontaudit_read_public_files',`
++interface(`sssd_delete_public_files',`
  	gen_require(`
  		type sssd_public_t;
  	')
  
--	sssd_search_lib($1)
+ 	sssd_search_lib($1)
 -	manage_files_pattern($1, sssd_public_t, sssd_public_t)
++	allow $1 sssd_public_t:file unlink;
++')
++
++########################################
++## <summary>
++##	Dontaudit read sssd public files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sssd_dontaudit_read_public_files',`
++	gen_require(`
++		type sssd_public_t;
++	')
++
 +	dontaudit $1 sssd_public_t:file read_file_perms;
 +')
 +
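Review bot: The new `sssd_delete_public_files` interface grants only `allow $1 sssd_public_t:file unlink;` plus `sssd_search_lib($1)`, but unlinking also needs `remove_name` and `write` on the parent directory, so a caller that holds nothing else on that directory will still be denied. If the directory containing these files is labeled sssd_public_t as well (the .fc is not in this hunk), the refpolicy idiom `delete_files_pattern($1, sssd_public_t, sssd_public_t)` grants both halves in one line; otherwise the directory type needs its own `del_entry_dir_perms` rule. Either way the interface summary should say which directory permissions the caller is expected to already have.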
@@ -97657,7 +98128,7 @@ index a240455..b25b2ce 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -176,8 +233,7 @@ interface(`sssd_read_pid_files',`
+@@ -176,8 +252,7 @@ interface(`sssd_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -97667,7 +98138,7 @@ index a240455..b25b2ce 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -216,8 +272,7 @@ interface(`sssd_search_lib',`
+@@ -216,8 +291,7 @@ interface(`sssd_search_lib',`
  
  ########################################
  ## <summary>
@@ -97677,7 +98148,7 @@ index a240455..b25b2ce 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -235,6 +290,24 @@ interface(`sssd_dontaudit_search_lib',`
+@@ -235,6 +309,24 @@ interface(`sssd_dontaudit_search_lib',`
  
  ########################################
  ## <summary>
@@ -97702,7 +98173,7 @@ index a240455..b25b2ce 100644
  ##	Read sssd lib files.
  ## </summary>
  ## <param name="domain">
-@@ -297,8 +370,7 @@ interface(`sssd_dbus_chat',`
+@@ -297,8 +389,7 @@ interface(`sssd_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -97712,7 +98183,7 @@ index a240455..b25b2ce 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -317,8 +389,65 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +408,65 @@ interface(`sssd_stream_connect',`
  
  ########################################
  ## <summary>
@@ -97780,7 +98251,7 @@ index a240455..b25b2ce 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -327,7 +456,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +475,7 @@ interface(`sssd_stream_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -97789,7 +98260,7 @@ index a240455..b25b2ce 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -335,27 +464,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +483,29 @@ interface(`sssd_stream_connect',`
  interface(`sssd_admin',`
  	gen_require(`
  		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@@ -99706,7 +100177,7 @@ index 42946bc..9f70e4c 100644
 +	can_exec($1, telepathy_executable)
  ')
 diff --git a/telepathy.te b/telepathy.te
-index 9afcbc9..29ae736 100644
+index 9afcbc9..b19622d 100644
 --- a/telepathy.te
 +++ b/telepathy.te
 @@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2)
@@ -99747,7 +100218,7 @@ index 9afcbc9..29ae736 100644
  
  telepathy_domain_template(gabble)
  
-@@ -67,179 +66,150 @@ userdom_user_home_content(telepathy_sunshine_home_t)
+@@ -67,179 +66,157 @@ userdom_user_home_content(telepathy_sunshine_home_t)
  
  #######################################
  #
@@ -99950,6 +100421,13 @@ index 9afcbc9..29ae736 100644
  
 -manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
 -# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections")
++manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
++manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
++manage_sock_files_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
++exec_files_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
++files_tmp_filetrans(telepathy_mission_control_t, telepathy_mission_control_tmp_t, { dir file sock_file })
++userdom_user_tmp_filetrans(telepathy_mission_control_t, telepathy_mission_control_tmp_t, { dir file sock_file })
++
 +optional_policy(`
 +	gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
 +	gnome_manage_home_config(telepathy_mission_control_t)
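Review bot: `exec_files_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)` is granted to the same domain that gets `manage_files_pattern` on that type two lines above, so mission-control can write an arbitrary file under its tmp directory and then execute it, which removes the usual protection against code dropped into a temp directory. Nothing in the hunk says which program needs this; if it is a known helper, a comment naming it should accompany the rule (`# mission-control executes a helper it unpacks into its tmp dir`), and if it was only an AVC from a probe, dropping the exec rule or turning it into a dontaudit is safer. The tmp transitions via `files_tmp_filetrans` and `userdom_user_tmp_filetrans` are otherwise consistent with the manage rules.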
@@ -99960,16 +100438,16 @@ index 9afcbc9..29ae736 100644
  
  dev_read_rand(telepathy_mission_control_t)
  
-+fs_getattr_all_fs(telepathy_mission_control_t)
-+
- files_list_tmp(telepathy_mission_control_t)
+-files_list_tmp(telepathy_mission_control_t)
 -files_read_usr_files(telepathy_mission_control_t)
++fs_getattr_all_fs(telepathy_mission_control_t)
  
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(telepathy_mission_control_t)
 -	fs_manage_nfs_files(telepathy_mission_control_t)
 -')
--
++files_list_tmp(telepathy_mission_control_t)
+ 
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(telepathy_mission_control_t)
 -	fs_manage_cifs_files(telepathy_mission_control_t)
@@ -99978,7 +100456,7 @@ index 9afcbc9..29ae736 100644
  
  optional_policy(`
  	dbus_system_bus_client(telepathy_mission_control_t)
-@@ -248,59 +218,47 @@ optional_policy(`
+@@ -248,59 +225,47 @@ optional_policy(`
  		devicekit_dbus_chat_power(telepathy_mission_control_t)
  	')
  	optional_policy(`
@@ -100052,7 +100530,7 @@ index 9afcbc9..29ae736 100644
  
  init_read_state(telepathy_msn_t)
  
-@@ -310,18 +268,19 @@ logging_send_syslog_msg(telepathy_msn_t)
+@@ -310,18 +275,19 @@ logging_send_syslog_msg(telepathy_msn_t)
  
  miscfiles_read_all_certs(telepathy_msn_t)
  
@@ -100077,7 +100555,7 @@ index 9afcbc9..29ae736 100644
  ')
  
  optional_policy(`
-@@ -332,43 +291,33 @@ optional_policy(`
+@@ -332,43 +298,33 @@ optional_policy(`
  	')
  ')
  
@@ -100126,7 +100604,7 @@ index 9afcbc9..29ae736 100644
  ')
  
  optional_policy(`
-@@ -381,73 +330,51 @@ optional_policy(`
+@@ -381,73 +337,51 @@ optional_policy(`
  
  #######################################
  #
@@ -100210,7 +100688,7 @@ index 9afcbc9..29ae736 100644
  optional_policy(`
  	xserver_read_xdm_pid(telepathy_sunshine_t)
  	xserver_stream_connect(telepathy_sunshine_t)
-@@ -455,31 +382,51 @@ optional_policy(`
+@@ -455,31 +389,51 @@ optional_policy(`
  
  #######################################
  #
@@ -101242,10 +101720,10 @@ index 0000000..9524b50
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..bc96302
+index 0000000..02ed710
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,160 @@
+@@ -0,0 +1,161 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -101276,6 +101754,7 @@ index 0000000..bc96302
 +
 +allow thumb_t self:process { setsched signal signull setrlimit };
 +dontaudit thumb_t self:capability sys_tty_config;
++dontaudit thumb_t self:process setfscreate;
 +
 +tunable_policy(`deny_execmem',`',`
 +	allow thumb_t self:process execmem;
@@ -102928,7 +103407,7 @@ index c416a83..cd83b89 100644
 +/usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
 +/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
 diff --git a/userhelper.if b/userhelper.if
-index 98b51fd..b25ec0d 100644
+index 98b51fd..2a003a5 100644
 --- a/userhelper.if
 +++ b/userhelper.if
 @@ -1,4 +1,4 @@
@@ -103168,7 +103647,7 @@ index 98b51fd..b25ec0d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -206,10 +263,79 @@ interface(`userhelper_exec',`
+@@ -206,10 +263,83 @@ interface(`userhelper_exec',`
  		type userhelper_exec_t;
  	')
  
@@ -103232,6 +103711,10 @@ index 98b51fd..b25ec0d 100644
 +	')
 +
 +	optional_policy(`
++		hddtemp_run($1_consolehelper_t, $2)
++	')
++
++	optional_policy(`
 +		shutdown_run($1_consolehelper_t, $2)
 +		shutdown_send_sigchld($3)
 +	')
@@ -106011,7 +106494,7 @@ index facdee8..aacee65 100644
 +	typeattribute $1 sandbox_caps_domain;
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..487f131 100644
+index f03dcf5..2a9e44c 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,241 @@
@@ -107510,7 +107993,7 @@ index f03dcf5..487f131 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1170,317 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1170,318 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -107603,6 +108086,7 @@ index f03dcf5..487f131 100644
 +kernel_read_net_sysctls(svirt_sandbox_domain)
 +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
 +kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
++kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
 +
 +corecmd_exec_all_executables(svirt_sandbox_domain)
 +
@@ -107966,7 +108450,7 @@ index f03dcf5..487f131 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1493,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1494,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -107981,7 +108465,7 @@ index f03dcf5..487f131 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,9 +1511,8 @@ optional_policy(`
+@@ -1192,9 +1512,8 @@ optional_policy(`
  
  ########################################
  #
@@ -107992,7 +108476,7 @@ index f03dcf5..487f131 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1525,233 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1526,233 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index afc2b90..87bf2cc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 102%{?dist}
+Release: 103%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz

