lvrabec pushed to selinux-policy (master). "* Wed Apr 14 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-123 (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Mon Apr 13 23:13:47 UTC 2015
>From 578b67080c085144afdf9906b1b344ab3abaa4c4 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec at redhat.com>
Date: Tue, 14 Apr 2015 01:13:22 +0200
Subject: * Wed Apr 14 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-123 -
Allow abrtd to list home config. BZ(1199658) - Dontaudit dnssec_trigger_t to
read /tmp. BZ(1210250) - Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481) -
Allow mock_t to use ptmx. BZ(1181333) - Allow dnssec_trigger_t to stream
connect to networkmanager. - Allow dnssec_trigger_t to create resolv files
labeled as net_conf_t - Fix labeling for keystone CGI scripts.
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 49db009..c471c0e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -6125,7 +6125,7 @@ index b31c054..1f28afb 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..be13cd9 100644
+index 76f285e..4311238 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7101,45 +7101,45 @@ index 76f285e..be13cd9 100644
## Read and write BIOS non-volatile RAM.
## </summary>
## <param name="domain">
-@@ -3254,7 +3814,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3814,7 @@ interface(`dev_rw_printer',`
########################################
## <summary>
-## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+## Relabel the printer device node.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_relabel_printer',`
-+ gen_require(`
-+ type printer_device_t;
-+ ')
-+
-+ allow $1 printer_device_t:chr_file relabel_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Read and write the printer device.
## </summary>
## <param name="domain">
## <summary>
-@@ -3262,12 +3840,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3822,31 @@ interface(`dev_rw_printer',`
## </summary>
## </param>
#
-interface(`dev_read_printk',`
-+interface(`dev_manage_printer',`
++interface(`dev_relabel_printer',`
gen_require(`
- type device_t, printk_device_t;
-+ type device_t, printer_device_t;
++ type printer_device_t;
')
- read_chr_files_pattern($1, device_t, printk_device_t)
++ allow $1 printer_device_t:chr_file relabel_chr_file_perms;
++')
++
++########################################
++## <summary>
++## Read and write the printer device.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_manage_printer',`
++ gen_require(`
++ type device_t, printer_device_t;
++ ')
++
+ manage_chr_files_pattern($1, device_t, printer_device_t)
+ dev_filetrans_printer_named_dev($1)
')
@@ -7163,7 +7163,7 @@ index 76f285e..be13cd9 100644
')
########################################
-@@ -3855,6 +4434,96 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,6 +4434,114 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
## <summary>
@@ -7221,6 +7221,24 @@ index 76f285e..be13cd9 100644
+
+########################################
+## <summary>
++## Dontaudit attempts to mount a filesystem on /sys
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_mounton_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ dontaudit $1 sysfs_t:dir mounton;
++')
++
++########################################
++## <summary>
+## Mount sysfs filesystems.
+## </summary>
+## <param name="domain">
@@ -7260,7 +7278,7 @@ index 76f285e..be13cd9 100644
## Search the sysfs directories.
## </summary>
## <param name="domain">
-@@ -3904,6 +4573,7 @@ interface(`dev_list_sysfs',`
+@@ -3904,6 +4591,7 @@ interface(`dev_list_sysfs',`
type sysfs_t;
')
@@ -7268,7 +7286,7 @@ index 76f285e..be13cd9 100644
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
-@@ -3946,23 +4616,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3946,23 +4634,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
@@ -7289,7 +7307,7 @@ index 76f285e..be13cd9 100644
#
-interface(`dev_manage_sysfs_dirs',`
+interface(`dev_read_cpu_online',`
- gen_require(`
++ gen_require(`
+ type cpu_online_t;
+ ')
+
@@ -7308,7 +7326,7 @@ index 76f285e..be13cd9 100644
+## </param>
+#
+interface(`dev_relabel_cpu_online',`
-+ gen_require(`
+ gen_require(`
+ type cpu_online_t;
type sysfs_t;
')
@@ -7322,7 +7340,7 @@ index 76f285e..be13cd9 100644
########################################
## <summary>
## Read hardware state information.
-@@ -4016,6 +4712,62 @@ interface(`dev_rw_sysfs',`
+@@ -4016,6 +4730,62 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@@ -7385,7 +7403,7 @@ index 76f285e..be13cd9 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
-@@ -4113,6 +4865,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +4883,25 @@ interface(`dev_write_urand',`
########################################
## <summary>
@@ -7411,7 +7429,7 @@ index 76f285e..be13cd9 100644
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
-@@ -4123,7 +4894,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +4912,7 @@ interface(`dev_write_urand',`
#
interface(`dev_getattr_generic_usb_dev',`
gen_require(`
@@ -7420,7 +7438,7 @@ index 76f285e..be13cd9 100644
')
getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5180,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +5198,9 @@ interface(`dev_rw_usbfs',`
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')
@@ -7432,7 +7450,7 @@ index 76f285e..be13cd9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4419,17 +5190,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5208,17 @@ interface(`dev_rw_usbfs',`
## </summary>
## </param>
#
@@ -7455,7 +7473,7 @@ index 76f285e..be13cd9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4437,12 +5208,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5226,12 @@ interface(`dev_getattr_video_dev',`
## </summary>
## </param>
#
@@ -7471,7 +7489,7 @@ index 76f285e..be13cd9 100644
')
########################################
-@@ -4539,6 +5310,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5328,134 @@ interface(`dev_write_video_dev',`
########################################
## <summary>
@@ -7606,7 +7624,7 @@ index 76f285e..be13cd9 100644
## Allow read/write the vhost net device
## </summary>
## <param name="domain">
-@@ -4557,6 +5456,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5474,24 @@ interface(`dev_rw_vhost',`
########################################
## <summary>
@@ -7631,7 +7649,7 @@ index 76f285e..be13cd9 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
-@@ -4762,6 +5679,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5697,44 @@ interface(`dev_rw_xserver_misc',`
########################################
## <summary>
@@ -7676,7 +7694,7 @@ index 76f285e..be13cd9 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
-@@ -4851,3 +5806,966 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5824,966 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -9051,7 +9069,7 @@ index 6a1e4d1..549967a 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..7da29ff 100644
+index cf04cb5..f372320 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9097,7 +9115,7 @@ index cf04cb5..7da29ff 100644
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,51 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +110,55 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
@@ -9126,6 +9144,10 @@ index cf04cb5..7da29ff 100644
dev_rw_zero(domain)
term_use_controlling_term(domain)
++# Allow all domains to read /dev/urandom. It is needed by all apps/services
++# linked to libgcrypt. There is no harm to allow it by default.
++dev_read_urand(domain)
++
# list the root directory
files_list_root(domain)
+# allow all domains to search through base_file_type directory, since users
@@ -9150,7 +9172,7 @@ index cf04cb5..7da29ff 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +173,19 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +177,19 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -9170,7 +9192,7 @@ index cf04cb5..7da29ff 100644
')
optional_policy(`
-@@ -133,6 +196,9 @@ optional_policy(`
+@@ -133,6 +200,9 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -9180,7 +9202,7 @@ index cf04cb5..7da29ff 100644
')
########################################
-@@ -147,12 +213,18 @@ optional_policy(`
+@@ -147,12 +217,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -9200,7 +9222,7 @@ index cf04cb5..7da29ff 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,357 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +242,357 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -14063,7 +14085,7 @@ index f962f76..1a36ae2 100644
+ allow $1 etc_t:service status;
')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 1a03abd..32a40f8 100644
+index 1a03abd..3221f80 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
@@ -14258,7 +14280,8 @@ index 1a03abd..32a40f8 100644
+allow files_unconfined_type file_type:service *;
# Mount/unmount any filesystem with the context= option.
- allow files_unconfined_type file_type:filesystem *;
+-allow files_unconfined_type file_type:filesystem *;
++allow files_unconfined_type file_type:filesystem all_filesystem_perms;
-tunable_policy(`allow_execmod',`
+tunable_policy(`selinuxuser_execmod',`
@@ -14306,7 +14329,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <<none>>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..75c7b9d 100644
+index 8416beb..19d6aba 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -14595,74 +14618,386 @@ index 8416beb..75c7b9d 100644
## Mount a DOS filesystem, such as
## FAT32 or NTFS.
## </summary>
-@@ -1793,6 +1954,205 @@ interface(`fs_read_eventpollfs',`
+@@ -1793,63 +1954,70 @@ interface(`fs_read_eventpollfs',`
refpolicywarn(`$0($*) has been deprecated.')
')
+-########################################
+
+#######################################
-+## <summary>
+ ## <summary>
+-## Mount a FUSE filesystem.
+## Search directories
+## on a ecrypt filesystem.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`fs_mount_fusefs',`
+- gen_require(`
+- type fusefs_t;
+- ')
+interface(`fs_search_ecryptfs',`
+ gen_require(`
+ type ecryptfs_t;
+ ')
-+
+
+- allow $1 fusefs_t:filesystem mount;
+ allow $1 ecryptfs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Unmount a FUSE filesystem.
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`fs_unmount_fusefs',`
+interface(`fs_manage_ecryptfs_dirs',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type ecryptfs_t;
-+ ')
-+
+ ')
+
+- allow $1 fusefs_t:filesystem unmount;
+ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
+ allow $1 ecryptfs_t:dir manage_dir_perms;
-+')
-+
+ ')
+
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Mounton a FUSEFS filesystem.
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`fs_mounton_fusefs',`
+- gen_require(`
+- type fusefs_t;
+- ')
+interface(`fs_read_ecryptfs_files',`
+ gen_require(`
+ type ecryptfs_t;
+ ')
-+
+
+- allow $1 fusefs_t:dir mounton;
+ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Search directories
++## Create, read, write, and delete files
+ ## on a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1859,18 +2027,19 @@ interface(`fs_mounton_fusefs',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`fs_search_fusefs',`
++interface(`fs_manage_ecryptfs_files',`
+ gen_require(`
+- type fusefs_t;
++ type ecryptfs_t;
+ ')
+
+- allow $1 fusefs_t:dir search_dir_perms;
++ manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to list the contents
+-## of directories on a FUSEFS filesystem.
++## Do not audit attempts to create,
++## read, write, and delete files
++## on a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1878,135 +2047,151 @@ interface(`fs_search_fusefs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_dontaudit_list_fusefs',`
++interface(`fs_dontaudit_manage_ecryptfs_files',`
+ gen_require(`
+- type fusefs_t;
++ type ecryptfs_t;
+ ')
+
+- dontaudit $1 fusefs_t:dir list_dir_perms;
++ dontaudit $1 ecryptfs_t:file manage_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete directories
+-## on a FUSEFS filesystem.
++## Read symbolic links on a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_manage_fusefs_dirs',`
++interface(`fs_read_ecryptfs_symlinks',`
+ gen_require(`
+- type fusefs_t;
++ type ecryptfs_t;
+ ')
+
+- allow $1 fusefs_t:dir manage_dir_perms;
++ allow $1 ecryptfs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
+ ')
+
+-########################################
++#######################################
+ ## <summary>
+-## Do not audit attempts to create, read,
+-## write, and delete directories
+-## on a FUSEFS filesystem.
++## Dontaudit append files on ecrypt filesystem.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain to not audit.
+-## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+ ## </param>
+ #
+-interface(`fs_dontaudit_manage_fusefs_dirs',`
++interface(`fs_dontaudit_append_ecryptfs_files',`
+ gen_require(`
+- type fusefs_t;
++ type ecryptfs_t;
+ ')
+-
+- dontaudit $1 fusefs_t:dir manage_dir_perms;
++ dontaudit $1 ecryptfs_t:file append;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read, a FUSEFS filesystem.
++## Manage symbolic links on a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_read_fusefs_files',`
++interface(`fs_manage_ecryptfs_symlinks',`
+ gen_require(`
+- type fusefs_t;
++ type ecryptfs_t;
+ ')
+
+- read_files_pattern($1, fusefs_t, fusefs_t)
++ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute files on a FUSEFS filesystem.
++## Execute a file on a FUSE filesystem
++## in the specified domain.
+ ## </summary>
++## <desc>
++## <p>
++## Execute a file on a FUSE filesystem
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain. This is not suggested.
++## </p>
++## <p>
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++## </p>
++## <p>
++## This interface was added to handle
++## home directories on FUSE filesystems,
++## in particular used by the ssh-agent policy.
++## </p>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="target_domain">
++## <summary>
++## The type of the new process.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_exec_fusefs_files',`
++interface(`fs_ecryptfs_domtrans',`
+ gen_require(`
+- type fusefs_t;
++ type ecryptfs_t;
+ ')
+
+- exec_files_pattern($1, fusefs_t, fusefs_t)
++ allow $1 ecryptfs_t:dir search_dir_perms;
++ domain_auto_transition_pattern($1, ecryptfs_t, $2)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete files
+-## on a FUSEFS filesystem.
++## Mount a FUSE filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_manage_fusefs_files',`
++interface(`fs_mount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- manage_files_pattern($1, fusefs_t, fusefs_t)
++ allow $1 fusefs_t:filesystem mount;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to create,
+-## read, write, and delete files
+-## on a FUSEFS filesystem.
++## Unmount a FUSE filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_dontaudit_manage_fusefs_files',`
++interface(`fs_unmount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- dontaudit $1 fusefs_t:file manage_file_perms;
++ allow $1 fusefs_t:filesystem unmount;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read symbolic links on a FUSEFS filesystem.
++## Mounton a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2014,41 +2199,297 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_read_fusefs_symlinks',`
++interface(`fs_mounton_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- allow $1 fusefs_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ allow $1 fusefs_t:dir mounton;
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of an hugetlbfs
+-## filesystem.
++## Search directories
++## on a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`fs_getattr_hugetlbfs',`
++interface(`fs_search_fusefs',`
+ gen_require(`
+- type hugetlbfs_t;
++ type fusefs_t;
+ ')
+
+- allow $1 hugetlbfs_t:filesystem getattr;
++ allow $1 fusefs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## List hugetlbfs.
++## Do not audit attempts to list the contents
++## of directories on a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_list_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ dontaudit $1 fusefs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
-+## Create, read, write, and delete files
++## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
@@ -14672,18 +15007,18 @@ index 8416beb..75c7b9d 100644
+## </param>
+## <rolecap/>
+#
-+interface(`fs_manage_ecryptfs_files',`
++interface(`fs_manage_fusefs_dirs',`
+ gen_require(`
-+ type ecryptfs_t;
++ type fusefs_t;
+ ')
+
-+ manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
++ allow $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to create,
-+## read, write, and delete files
++## Do not audit attempts to create, read,
++## write, and delete directories
+## on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
@@ -14692,119 +15027,113 @@ index 8416beb..75c7b9d 100644
+## </summary>
+## </param>
+#
-+interface(`fs_dontaudit_manage_ecryptfs_files',`
++interface(`fs_dontaudit_manage_fusefs_dirs',`
+ gen_require(`
-+ type ecryptfs_t;
++ type fusefs_t;
+ ')
+
-+ dontaudit $1 ecryptfs_t:file manage_file_perms;
++ dontaudit $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
-+## Read symbolic links on a FUSEFS filesystem.
++## Read, a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`fs_read_ecryptfs_symlinks',`
++interface(`fs_read_fusefs_files',`
+ gen_require(`
-+ type ecryptfs_t;
++ type fusefs_t;
+ ')
+
-+ allow $1 ecryptfs_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++ read_files_pattern($1, fusefs_t, fusefs_t)
+')
+
-+#######################################
++########################################
+## <summary>
-+## Dontaudit append files on ecrypt filesystem.
++## Execute files on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`fs_dontaudit_append_ecryptfs_files',`
++interface(`fs_exec_fusefs_files',`
+ gen_require(`
-+ type ecryptfs_t;
++ type fusefs_t;
+ ')
-+ dontaudit $1 ecryptfs_t:file append;
++
++ exec_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
-+## Manage symbolic links on a FUSEFS filesystem.
++## Create, read, write, and delete files
++## on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`fs_manage_ecryptfs_symlinks',`
++interface(`fs_manage_fusefs_files',`
+ gen_require(`
-+ type ecryptfs_t;
++ type fusefs_t;
+ ')
+
-+ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++ manage_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
-+## Execute a file on a FUSE filesystem
-+## in the specified domain.
++## Do not audit attempts to create,
++## read, write, and delete files
++## on a FUSEFS filesystem.
+## </summary>
-+## <desc>
-+## <p>
-+## Execute a file on a FUSE filesystem
-+## in the specified domain. This allows
-+## the specified domain to execute any file
-+## on these filesystems in the specified
-+## domain. This is not suggested.
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
-+## <p>
-+## This interface was added to handle
-+## home directories on FUSE filesystems,
-+## in particular used by the ssh-agent policy.
-+## </p>
-+## </desc>
+## <param name="domain">
+## <summary>
-+## Domain allowed to transition.
++## Domain to not audit.
+## </summary>
+## </param>
-+## <param name="target_domain">
++#
++interface(`fs_dontaudit_manage_fusefs_files',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ dontaudit $1 fusefs_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++## Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
+## <summary>
-+## The type of the new process.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`fs_ecryptfs_domtrans',`
++interface(`fs_read_fusefs_symlinks',`
+ gen_require(`
-+ type ecryptfs_t;
++ type fusefs_t;
+ ')
+
-+ allow $1 ecryptfs_t:dir search_dir_perms;
-+ domain_auto_transition_pattern($1, ecryptfs_t, $2)
++ allow $1 fusefs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+')
+
- ########################################
- ## <summary>
- ## Mount a FUSE filesystem.
-@@ -2025,6 +2385,87 @@ interface(`fs_read_fusefs_symlinks',`
-
- ########################################
- ## <summary>
++########################################
++## <summary>
+## Manage symbolic links on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
@@ -14886,9 +15215,33 @@ index 8416beb..75c7b9d 100644
+
+########################################
+## <summary>
- ## Get the attributes of an hugetlbfs
- ## filesystem.
- ## </summary>
++## Get the attributes of an hugetlbfs
++## filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_getattr_hugetlbfs',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ allow $1 hugetlbfs_t:filesystem getattr;
++')
++
++########################################
++## <summary>
++## List hugetlbfs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
@@ -2080,6 +2521,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
@@ -15181,19 +15534,10 @@ index 8416beb..75c7b9d 100644
## Mount a NFS server pseudo filesystem.
## </summary>
## <param name="domain">
-@@ -3255,17 +3853,53 @@ interface(`fs_list_nfsd_fs',`
- ## </summary>
- ## </param>
- #
--interface(`fs_getattr_nfsd_files',`
-+interface(`fs_getattr_nfsd_files',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+')
-+
+@@ -3263,6 +3861,24 @@ interface(`fs_getattr_nfsd_files',`
+ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
+
+#######################################
+## <summary>
+## read files on an nfsd filesystem
@@ -15212,9 +15556,14 @@ index 8416beb..75c7b9d 100644
+ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
-+########################################
-+## <summary>
-+## Read and write NFS server files.
+ ########################################
+ ## <summary>
+ ## Read and write NFS server files.
+@@ -3283,6 +3899,24 @@ interface(`fs_rw_nfsd_fs',`
+
+ ########################################
+ ## <summary>
++## Manage NFS server files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -15222,37 +15571,19 @@ index 8416beb..75c7b9d 100644
+## </summary>
+## </param>
+#
-+interface(`fs_rw_nfsd_fs',`
- gen_require(`
- type nfsd_fs_t;
- ')
-
-- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
- ')
-
- ########################################
- ## <summary>
--## Read and write NFS server files.
-+## Manage NFS server files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -3273,12 +3907,12 @@ interface(`fs_getattr_nfsd_files',`
- ## </summary>
- ## </param>
- #
--interface(`fs_rw_nfsd_fs',`
+interface(`fs_manage_nfsd_fs',`
- gen_require(`
- type nfsd_fs_t;
- ')
-
-- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++ gen_require(`
++ type nfsd_fs_t;
++ ')
++
+ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
- ')
-
- ########################################
++')
++
++########################################
++## <summary>
+ ## Allow the type to associate to ramfs filesystems.
+ ## </summary>
+ ## <param name="type">
@@ -3392,7 +4026,7 @@ interface(`fs_search_ramfs',`
########################################
@@ -15280,11 +15611,12 @@ index 8416beb..75c7b9d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3815,6 +4449,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3743,25 +4377,61 @@ interface(`fs_getattr_rpc_pipefs',`
- ########################################
+ #########################################
## <summary>
-+## Mount on tmpfs directories.
+-## Read and write RPC pipe filesystem named pipes.
++## Read and write RPC pipe filesystem named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -15292,20 +15624,119 @@ index 8416beb..75c7b9d 100644
+## </summary>
+## </param>
+#
-+interface(`fs_mounton_tmpfs', `
++interface(`fs_rw_rpc_named_pipes',`
++ gen_require(`
++ type rpc_pipefs_t;
++ ')
++
++ allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++## <summary>
++## Mount a tmpfs filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_mount_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ allow $1 tmpfs_t:dir mounton;
++ allow $1 tmpfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
- ## Get the attributes of a tmpfs
- ## filesystem.
++## Dontaudit remount a tmpfs filesystem.
## </summary>
-@@ -3908,7 +4560,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_rw_rpc_named_pipes',`
++interface(`fs_dontaudit_remount_tmpfs',`
+ gen_require(`
+- type rpc_pipefs_t;
++ type tmpfs_t;
+ ')
+
+- allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 tmpfs_t:filesystem remount;
+ ')
+
+ ########################################
+ ## <summary>
+-## Mount a tmpfs filesystem.
++## Remount a tmpfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3769,17 +4439,17 @@ interface(`fs_rw_rpc_named_pipes',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_mount_tmpfs',`
++interface(`fs_remount_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:filesystem mount;
++ allow $1 tmpfs_t:filesystem remount;
+ ')
+
+ ########################################
+ ## <summary>
+-## Remount a tmpfs filesystem.
++## Unmount a tmpfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3787,17 +4457,17 @@ interface(`fs_mount_tmpfs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_remount_tmpfs',`
++interface(`fs_unmount_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:filesystem remount;
++ allow $1 tmpfs_t:filesystem unmount;
+ ')
+
+ ########################################
+ ## <summary>
+-## Unmount a tmpfs filesystem.
++## Mount on tmpfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3805,12 +4475,12 @@ interface(`fs_remount_tmpfs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_unmount_tmpfs',`
++interface(`fs_mounton_tmpfs', `
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:filesystem unmount;
++ allow $1 tmpfs_t:dir mounton;
+ ')
+
+ ########################################
+@@ -3908,7 +4578,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
## <summary>
@@ -15314,7 +15745,7 @@ index 8416beb..75c7b9d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3916,17 +4568,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +4586,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
## </summary>
## </param>
#
@@ -15335,7 +15766,7 @@ index 8416beb..75c7b9d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3934,17 +4586,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +4604,17 @@ interface(`fs_mounton_tmpfs',`
## </summary>
## </param>
#
@@ -15356,7 +15787,7 @@ index 8416beb..75c7b9d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3952,17 +4604,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +4622,36 @@ interface(`fs_setattr_tmpfs_dirs',`
## </summary>
## </param>
#
@@ -15396,7 +15827,7 @@ index 8416beb..75c7b9d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3970,31 +4641,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +4659,48 @@ interface(`fs_search_tmpfs',`
## </summary>
## </param>
#
@@ -15452,7 +15883,7 @@ index 8416beb..75c7b9d 100644
')
########################################
-@@ -4105,7 +4793,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +4811,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -15461,7 +15892,7 @@ index 8416beb..75c7b9d 100644
')
########################################
-@@ -4165,6 +4853,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +4871,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@@ -15486,7 +15917,7 @@ index 8416beb..75c7b9d 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
-@@ -4202,7 +4908,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +4926,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@@ -15495,7 +15926,7 @@ index 8416beb..75c7b9d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4221,6 +4927,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +4945,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -15556,7 +15987,7 @@ index 8416beb..75c7b9d 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4278,6 +5038,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +5056,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@@ -15601,7 +16032,7 @@ index 8416beb..75c7b9d 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
-@@ -4297,6 +5095,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5113,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -15627,7 +16058,7 @@ index 8416beb..75c7b9d 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4503,6 +5320,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5338,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -15636,7 +16067,7 @@ index 8416beb..75c7b9d 100644
')
########################################
-@@ -4549,7 +5368,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5386,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -15645,7 +16076,7 @@ index 8416beb..75c7b9d 100644
## Example attributes:
## </p>
## <ul>
-@@ -4596,6 +5415,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5433,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
## <summary>
@@ -15672,7 +16103,7 @@ index 8416beb..75c7b9d 100644
## Get the quotas of all filesystems.
## </summary>
## <param name="domain">
-@@ -4671,6 +5510,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +5528,25 @@ interface(`fs_getattr_all_dirs',`
########################################
## <summary>
@@ -15698,7 +16129,7 @@ index 8416beb..75c7b9d 100644
## Search all directories with a filesystem type.
## </summary>
## <param name="domain">
-@@ -4912,3 +5770,43 @@ interface(`fs_unconfined',`
+@@ -4912,3 +5788,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -15889,7 +16320,7 @@ index 7be4ddf..9710b33 100644
+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
+/sys/kernel/debug/.* <<none>>
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..f45a698 100644
+index e100d88..991e1a5 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -16516,7 +16947,7 @@ index e100d88..f45a698 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2972,5 +3280,583 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3280,628 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -16757,7 +17188,7 @@ index e100d88..f45a698 100644
+ ')
+
+ write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+')
+ ')
+
+########################################
+## <summary>
@@ -17100,7 +17531,52 @@ index e100d88..f45a698 100644
+ ')
+
+ allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
- ')
++')
++
++########################################
++## <summary>
++## Execute an unlabeled file in the specified domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="target_domain">
++## <summary>
++## The type of the new process.
++## </summary>
++## </param>
++#
++interface(`kernel_unlabeled_domtrans',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
++ domain_transition_pattern($1, unlabeled_t, $2)
++ type_transition $1 unlabeled_t:process $2;
++')
++
++########################################
++## <summary>
++## Make general progams without labeles an entrypoint for
++## the specified domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The domain for which unlabeled_t is an entrypoint.
++## </summary>
++## </param>
++#
++interface(`kernel_unlabeled_entry_type',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ domain_entry_file($1, unlabeled_t)
++')
++
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..96d9a91 100644
--- a/policy/modules/kernel/kernel.te
@@ -18602,10 +19078,10 @@ index 156c333..02f5a3c 100644
+ dev_manage_generic_blk_files(fixed_disk_raw_write)
+')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 0ea25b6..01b968e 100644
+index 0ea25b6..37069ae 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,12 @@
+@@ -14,12 +14,13 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
@@ -18615,10 +19091,12 @@ index 0ea25b6..01b968e 100644
+/dev/sclp_line[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
+-/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
+/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
- /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
++/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
@@ -42,3 +43,7 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
@@ -34352,7 +34830,7 @@ index b50c5fe..13da95a 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..8c67cd0 100644
+index 4e94884..7ab6191 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -34470,7 +34948,7 @@ index 4e94884..8c67cd0 100644
- allow $1 devlog_t:lnk_file read_lnk_file_perms;
- allow $1 devlog_t:sock_file write_sock_file_perms;
-+ allow $1 devlog_t:lnk_file manage_sock_file_perms;
++ allow $1 devlog_t:lnk_file manage_lnk_file_perms;
+ dev_filetrans($1, devlog_t, lnk_file, "log")
+ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
+ logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")
@@ -37728,7 +38206,7 @@ index d43f3b1..870bc36 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..8a23b62 100644
+index 3822072..8893bcf 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -38365,7 +38843,7 @@ index 3822072..8a23b62 100644
## Get trans lock on module store
## </summary>
## <param name="domain">
-@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1618,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -38397,7 +38875,6 @@ index 3822072..8a23b62 100644
+ mls_file_read_all_levels($1)
+
+ selinux_get_enforce_mode($1)
-+ selinux_set_enforce_mode($1)
+
+ seutil_manage_bin_policy($1)
+
@@ -38489,7 +38966,7 @@ index 3822072..8a23b62 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..90ff61b 100644
+index dc46420..f064846 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -38880,7 +39357,7 @@ index dc46420..90ff61b 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -440,81 +514,87 @@ optional_policy(`
+@@ -440,81 +514,88 @@ optional_policy(`
# semodule local policy
#
@@ -38920,6 +39397,7 @@ index dc46420..90ff61b 100644
-selinux_get_enforce_mode(semanage_t)
-selinux_getattr_fs(semanage_t)
-# for setsebool:
++selinux_set_enforce_mode(semanage_t)
selinux_set_all_booleans(semanage_t)
+can_exec(semanage_t, semanage_exec_t)
@@ -39021,7 +39499,7 @@ index dc46420..90ff61b 100644
')
########################################
-@@ -522,111 +602,197 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +603,197 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -39364,10 +39842,10 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..b328c40 100644
+index 40edc18..95f4458 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -17,23 +17,27 @@ ifdef(`distro_debian',`
+@@ -17,23 +17,29 @@ ifdef(`distro_debian',`
/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -39382,6 +39860,8 @@ index 40edc18..b328c40 100644
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0)
++/etc/resolv-secure.conf.* gen_context(system_u:object_r:net_conf_t,s0)
++/etc/\.resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
@@ -39400,7 +39880,7 @@ index 40edc18..b328c40 100644
#
# /sbin
-@@ -44,6 +48,7 @@ ifdef(`distro_redhat',`
+@@ -44,6 +50,7 @@ ifdef(`distro_redhat',`
/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -39408,7 +39888,7 @@ index 40edc18..b328c40 100644
/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -55,6 +60,21 @@ ifdef(`distro_redhat',`
+@@ -55,6 +62,21 @@ ifdef(`distro_redhat',`
#
# /usr
#
@@ -39430,7 +39910,7 @@ index 40edc18..b328c40 100644
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
#
-@@ -77,3 +97,6 @@ ifdef(`distro_debian',`
+@@ -77,3 +99,6 @@ ifdef(`distro_debian',`
/var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
@@ -39438,7 +39918,7 @@ index 40edc18..b328c40 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..8dbfc5b 100644
+index 2cea692..fd3a212 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -39807,7 +40287,7 @@ index 2cea692..8dbfc5b 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1010,122 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1010,125 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -39877,6 +40357,9 @@ index 2cea692..8dbfc5b 100644
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
++ files_etc_filetrans($1, net_conf_t, file, "resolv-secure.conf")
++ files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger")
++ files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger")
+ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf")
+ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager")
+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
@@ -41847,10 +42330,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..85428ce
+index 0000000..f3a8fe7
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,712 @@
+@@ -0,0 +1,713 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -42094,7 +42577,7 @@ index 0000000..85428ce
+# systemd-networkd local policy
+#
+
-+allow systemd_networkd_t self:capability { net_admin net_raw setuid fowner chown setgid setpcap };
++allow systemd_networkd_t self:capability { dac_override net_admin net_raw setuid fowner chown setgid setpcap };
+allow systemd_networkd_t self:process { getcap setcap };
+
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -42108,6 +42591,7 @@ index 0000000..85428ce
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+
+kernel_dgram_send(systemd_networkd_t)
++kernel_request_load_module(systemd_networkd_t)
+
+dev_read_sysfs(systemd_networkd_t)
+
@@ -43965,7 +44449,7 @@ index db75976..1ee08ec 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..6498859 100644
+index 9dc60c6..41ef467 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -44566,7 +45050,7 @@ index 9dc60c6..6498859 100644
')
')
-@@ -491,51 +664,68 @@ template(`userdom_common_user_template',`
+@@ -491,51 +664,69 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -44620,6 +45104,7 @@ index 9dc60c6..6498859 100644
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
++ dev_rw_inherited_input_dev($1_usertype)
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
@@ -44659,7 +45144,7 @@ index 9dc60c6..6498859 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,93 +736,132 @@ template(`userdom_common_user_template',`
+@@ -546,93 +737,132 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -44830,7 +45315,7 @@ index 9dc60c6..6498859 100644
')
optional_policy(`
-@@ -642,23 +871,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +872,21 @@ template(`userdom_common_user_template',`
optional_policy(`
mpd_manage_user_data_content($1_t)
mpd_relabel_user_data_content($1_t)
@@ -44859,7 +45344,7 @@ index 9dc60c6..6498859 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +898,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +899,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -44868,7 +45353,7 @@ index 9dc60c6..6498859 100644
')
optional_policy(`
-@@ -680,9 +907,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +908,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -44881,7 +45366,7 @@ index 9dc60c6..6498859 100644
')
')
-@@ -693,32 +920,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +921,35 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -44928,7 +45413,7 @@ index 9dc60c6..6498859 100644
')
')
-@@ -743,17 +973,32 @@ template(`userdom_common_user_template',`
+@@ -743,17 +974,32 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -44965,7 +45450,7 @@ index 9dc60c6..6498859 100644
userdom_change_password_template($1)
-@@ -761,83 +1006,107 @@ template(`userdom_login_user_template', `
+@@ -761,83 +1007,107 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -45109,7 +45594,7 @@ index 9dc60c6..6498859 100644
')
#######################################
-@@ -868,6 +1137,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1138,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -45122,7 +45607,7 @@ index 9dc60c6..6498859 100644
##############################
#
# Local policy
-@@ -907,53 +1182,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1183,137 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -45278,7 +45763,7 @@ index 9dc60c6..6498859 100644
')
#######################################
-@@ -987,27 +1346,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1347,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -45316,7 +45801,7 @@ index 9dc60c6..6498859 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1383,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1384,63 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -45390,7 +45875,7 @@ index 9dc60c6..6498859 100644
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1448,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1449,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -45401,7 +45886,7 @@ index 9dc60c6..6498859 100644
')
')
-@@ -1079,7 +1486,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1487,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -45412,7 +45897,7 @@ index 9dc60c6..6498859 100644
')
##############################
-@@ -1095,6 +1504,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1505,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -45420,7 +45905,7 @@ index 9dc60c6..6498859 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1515,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1516,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -45437,7 +45922,7 @@ index 9dc60c6..6498859 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1532,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1533,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -45445,7 +45930,7 @@ index 9dc60c6..6498859 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1550,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1551,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -45461,7 +45946,7 @@ index 9dc60c6..6498859 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1569,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1570,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -45506,7 +45991,7 @@ index 9dc60c6..6498859 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1612,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1613,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -45515,7 +46000,7 @@ index 9dc60c6..6498859 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1621,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1622,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -45538,7 +46023,7 @@ index 9dc60c6..6498859 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1671,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1672,7 @@ template(`userdom_admin_user_template',`
## </summary>
## </param>
#
@@ -45547,7 +46032,7 @@ index 9dc60c6..6498859 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1681,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1682,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -45556,7 +46041,7 @@ index 9dc60c6..6498859 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1695,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1696,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -45568,7 +46053,7 @@ index 9dc60c6..6498859 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1709,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1710,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -45611,7 +46096,7 @@ index 9dc60c6..6498859 100644
')
optional_policy(`
-@@ -1357,14 +1794,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1795,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -45630,7 +46115,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -1397,12 +1837,51 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1838,51 @@ interface(`userdom_user_tmp_file',`
## </param>
#
interface(`userdom_user_tmpfs_file',`
@@ -45683,7 +46168,7 @@ index 9dc60c6..6498859 100644
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
## <param name="domain">
-@@ -1509,11 +1988,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1989,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -45715,7 +46200,7 @@ index 9dc60c6..6498859 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1555,6 +2054,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2055,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -45730,7 +46215,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -1570,9 +2077,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2078,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -45742,7 +46227,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -1613,6 +2122,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2123,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
## <summary>
@@ -45767,7 +46252,7 @@ index 9dc60c6..6498859 100644
## Relabel to user home directories.
## </summary>
## <param name="domain">
-@@ -1629,6 +2156,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2157,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -45810,7 +46295,7 @@ index 9dc60c6..6498859 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1704,10 +2267,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2268,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -45825,7 +46310,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -1741,10 +2306,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2307,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -45840,7 +46325,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -1769,7 +2336,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2337,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@@ -45849,7 +46334,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1777,19 +2344,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2345,17 @@ interface(`userdom_manage_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -45873,7 +46358,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1797,55 +2362,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2363,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -45944,7 +46429,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1853,18 +2418,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2419,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
## </summary>
## </param>
#
@@ -45972,7 +46457,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1872,41 +2438,178 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,41 +2439,178 @@ interface(`userdom_mmap_user_home_content_files',`
## </summary>
## </param>
#
@@ -46166,7 +46651,7 @@ index 9dc60c6..6498859 100644
## </summary>
## </param>
#
-@@ -1938,7 +2641,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2642,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@@ -46175,7 +46660,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1946,10 +2649,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2650,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
## </summary>
## </param>
#
@@ -46188,7 +46673,7 @@ index 9dc60c6..6498859 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2660,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2661,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
## <summary>
@@ -46197,7 +46682,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1966,12 +2668,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2669,66 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@@ -46266,7 +46751,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -2007,8 +2763,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2764,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -46276,7 +46761,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -2024,20 +2779,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2780,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -46301,7 +46786,7 @@ index 9dc60c6..6498859 100644
########################################
## <summary>
-@@ -2120,7 +2869,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2870,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@@ -46310,7 +46795,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2128,19 +2877,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2878,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -46334,7 +46819,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2148,12 +2895,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2896,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -46350,7 +46835,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -2388,18 +3135,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3136,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
## </summary>
## </param>
#
@@ -46408,7 +46893,7 @@ index 9dc60c6..6498859 100644
## Do not audit attempts to read users
## temporary files.
## </summary>
-@@ -2414,7 +3197,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3198,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -46417,7 +46902,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -2455,6 +3238,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3239,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -46443,7 +46928,7 @@ index 9dc60c6..6498859 100644
########################################
## <summary>
-@@ -2538,7 +3340,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3341,7 @@ interface(`userdom_manage_user_tmp_files',`
########################################
## <summary>
## Create, read, write, and delete user
@@ -46452,7 +46937,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2546,19 +3348,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3349,19 @@ interface(`userdom_manage_user_tmp_files',`
## </summary>
## </param>
#
@@ -46475,7 +46960,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2566,19 +3368,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,19 +3369,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
## </summary>
## </param>
#
@@ -46498,7 +46983,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2586,12 +3388,53 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,12 +3389,53 @@ interface(`userdom_manage_user_tmp_pipes',`
## </summary>
## </param>
#
@@ -46554,7 +47039,7 @@ index 9dc60c6..6498859 100644
files_search_tmp($1)
')
-@@ -2661,6 +3504,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3505,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -46576,7 +47061,7 @@ index 9dc60c6..6498859 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2672,18 +3530,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3531,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
## </param>
#
interface(`userdom_read_user_tmpfs_files',`
@@ -46598,7 +47083,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2692,19 +3545,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3546,13 @@ interface(`userdom_read_user_tmpfs_files',`
## </param>
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -46621,7 +47106,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2713,13 +3560,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3561,56 @@ interface(`userdom_rw_user_tmpfs_files',`
## </param>
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -46682,7 +47167,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -2814,6 +3704,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3705,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -46707,7 +47192,7 @@ index 9dc60c6..6498859 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2832,22 +3740,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3741,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -46750,7 +47235,7 @@ index 9dc60c6..6498859 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2856,14 +3776,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3777,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -46788,7 +47273,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -2882,8 +3821,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3822,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -46818,7 +47303,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -2955,69 +3913,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3914,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -46919,7 +47404,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3025,12 +3982,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3983,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -46934,7 +47419,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -3094,7 +4051,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4052,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -46943,7 +47428,7 @@ index 9dc60c6..6498859 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4067,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4068,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -46977,7 +47462,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -3214,7 +4155,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4156,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -47004,7 +47489,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -3269,12 +4228,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4229,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -47020,7 +47505,7 @@ index 9dc60c6..6498859 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3282,49 +4242,125 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,49 +4243,125 @@ interface(`userdom_write_user_tmp_files',`
## </summary>
## </param>
#
@@ -47160,7 +47645,7 @@ index 9dc60c6..6498859 100644
')
########################################
-@@ -3382,6 +4418,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4419,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -47203,7 +47688,7 @@ index 9dc60c6..6498859 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4474,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4475,60 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -47264,7 +47749,7 @@ index 9dc60c6..6498859 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3435,4 +4561,1687 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4562,1687 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index cf8f382..6d743c7 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -6,21 +6,19 @@ index 0000000..bea5755
@@ -0,0 +1 @@
+TAGS
diff --git a/abrt.fc b/abrt.fc
-index 1a93dc5..7a7d67e 100644
+index 1a93dc5..f2b26f5 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,31 +1,48 @@
+@@ -1,31 +1,46 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-+HOME_DIR/\.config/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
++/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
++/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-+
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
@@ -548,7 +546,7 @@ index 058d908..158acba 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..ab4ab96 100644
+index eb50f07..7f6a8b6 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -1008,7 +1006,7 @@ index eb50f07..ab4ab96 100644
#
-allow abrt_dump_oops_t self:capability dac_override;
-+allow abrt_dump_oops_t self:capability { fowner chown fsetid dac_override };
++allow abrt_dump_oops_t self:capability { ipc_lock fowner chown fsetid dac_override };
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
@@ -1051,7 +1049,7 @@ index eb50f07..ab4ab96 100644
#######################################
#
-@@ -404,25 +512,54 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +512,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1070,6 +1068,10 @@ index eb50f07..ab4ab96 100644
logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
++optional_policy(`
++ gnome_list_home_config(abrt_watch_log_t)
++')
++
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
@@ -1108,7 +1110,7 @@ index eb50f07..ab4ab96 100644
')
#######################################
-@@ -430,10 +567,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +571,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -24843,10 +24845,10 @@ index 0000000..457d4dd
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
-index 0000000..7f0943f
+index 0000000..46f4d2c
--- /dev/null
+++ b/dnssec.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,63 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@@ -24891,6 +24893,7 @@ index 0000000..7f0943f
+domain_use_interactive_fds(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
++files_dontaudit_list_tmp(dnssec_trigger_t)
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
@@ -24898,6 +24901,7 @@ index 0000000..7f0943f
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
++sysnet_filetrans_named_content(dnssec_trigger_t)
+
+optional_policy(`
+ bind_domtrans(dnssec_trigger_t)
@@ -24905,7 +24909,9 @@ index 0000000..7f0943f
+ bind_read_dnssec_keys(dnssec_trigger_t)
+')
+
-+
++optional_policy(`
++ networkmanager_stream_connect(dnssec_trigger_t)
++')
diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e7..e6fe2f40 100644
--- a/dnssectrigger.te
@@ -39792,7 +39798,7 @@ index 628b78b..fe65617 100644
-
-miscfiles_read_localization(keyboardd_t)
diff --git a/keystone.fc b/keystone.fc
-index b273d80..9b6e9bd 100644
+index b273d80..6b2b50d 100644
--- a/keystone.fc
+++ b/keystone.fc
@@ -1,7 +1,13 @@
@@ -39802,7 +39808,7 @@ index b273d80..9b6e9bd 100644
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
-+/usr/share/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
++/var/www/cgi-bin/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
+
/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
@@ -46189,10 +46195,10 @@ index 0000000..f5b98e6
+')
diff --git a/mock.te b/mock.te
new file mode 100644
-index 0000000..1bf717f
+index 0000000..86766b0
--- /dev/null
+++ b/mock.te
-@@ -0,0 +1,277 @@
+@@ -0,0 +1,278 @@
+policy_module(mock,1.0.0)
+
+## <desc>
@@ -46327,6 +46333,7 @@ index 0000000..1bf717f
+term_search_ptys(mock_t)
+term_mount_pty_fs(mock_t)
+term_unmount_pty_fs(mock_t)
++term_use_ptmx(mock_t)
+
+auth_use_nsswitch(mock_t)
+
@@ -46809,17 +46816,16 @@ index 0000000..e7220a5
+logging_send_syslog_msg(mon_procd_t)
+
diff --git a/mongodb.fc b/mongodb.fc
-index 6fcfc31..1719247 100644
+index 6fcfc31..91adcaf 100644
--- a/mongodb.fc
+++ b/mongodb.fc
-@@ -1,9 +1,14 @@
+@@ -1,9 +1,13 @@
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
-+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 775acc1..9c3b13e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 122%{?dist}
+Release: 123%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Apr 14 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-123
+- Allow abrtd to list home config. BZ(1199658)
+- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
+- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
+- Allow mock_t to use ptmx. BZ(1181333)
+- Allow dnssec_trigger_t to stream connect to networkmanager.
+- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
+- Fix labeling for keystone CGI scripts.
+
* Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-122
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/selinux-policy.git/commit/?h=master&id=578b67080c085144afdf9906b1b344ab3abaa4c4
More information about the scm-commits
mailing list