mgrepl pushed to selinux-policy (f22). "- Add lvm_stream_connect() interface. (..more)"

notifications at fedoraproject.org notifications at fedoraproject.org
Tue May 12 15:53:34 UTC 2015


From 65bda9858d519f6f1ab66683d490a48483103a16 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue, 12 May 2015 17:48:59 +0200
Subject: - Add lvm_stream_connect() interface. - Add support for
 /usr/sbin/lvmpolld.BZ(1220817) - Allow gvfsd-fuse running as xdm_t to use
 /run/user/42/gvfs as mountpoint.BZ(1218137) - Allow login_pgm domains to
 access kernel keyring for nsswitch domains. - Add labeling for
 systemd-time*.service unit files and allow systemd-timedated to access these
 unit files. - This change will remove entrypoint from filesystems, should be
 back ported to all RHEL/Fedora systems - Only allow semanage_t to be able to
 setenforce 0, no all domains that use selinux_semanage interface - Allow
 debugfs associate to a sysfs filesystem. - vport is mislabeled on arm, need
 to be less specific - Add relabel_user_home_dirs for use by docker_t - Allow
 net_admin cap for dnssec-trigger to make wifi reconnect working. - Add
 support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
 - Allow gluster rpm scriptlet to create glusterd socket with correct labeling.
 This is a workaround until we get fix in glusterd. - Add
 glusterd_filetrans_named_pid() interface. - Allow antivirus_t to read system
 state info.BZ(1217616) - Dontaudit use console for chrome-sandbox.
 BZ(1216087) - Add support for ~/.local/share/libvirt/images and for
 ~/.local/share/libvirt/boot. BZ(1215359) - Clamd needs to have fsetid
 capability. BZ(1215308) - Allow cinder-backup to dbus chat with
 systemd-logind. BZ(1207098) - Update httpd_use_openstack boolean to allow
 httpd to bind commplex_main_port and read keystone log files. - Allow gssd to
 access kernel keyring for login_pgm domains. - Add more fixes related to
 timemaster+ntp+ptp4l. - Allow docker sandbox domains to search all
 mountpoiunts - update winbind_t rules to allow IPC for winbind. BZ(1210663) -
 Allow dhcpd kill capability. - Add support for new fence agent fence_mpath
 which is executed by fence_node. - Remove dac_override capability for
 setroubleshoot. We now have it running as setroubleshoot user. - Allow redis
 to create /var/run/redis/redis.sock. - Allow fence_mpathpersist to run
 mpathpersist which requires sys_admin capability. - Allow timemaster send a
 signal to ntpd. - Add rules for netlink_socket in iotop. - Allow iotop
 netlink socket. - Allow sys_ptrace cap for sblim-gatherd caused by ps. - Add
 support for /usr/libexec/mongodb-scl-helper RHSCL helper script. - Allow
 passenger to accept connection. - Update virt_read_pid_files() interface to
 allow read also symlinks with virt_var_run_t type. - Fix labeling for
 /usr/libexec/mysqld_safe-scl-helper. - Add support for mysqld_safe-scl-helper
 which is needed for RHSCL daemons. - Label /usr/bin/yum-deprecated as
 rpm_exec_t. (#1218650) - Don't use deprecated userdom_manage_tmpfs_role()
 interface calliing and use userdom_manage_tmp_role() instead. - Add support
 for iprdbg logging files in /var/log. - Add support for mongod/mongos systemd
 unit files. - Allow inet_gethost called by couchdb to access /proc/net/unix.
 BZ(1207538) - Allow eu-unstrip running under abrt_t to access
 /var/lib/pcp/pmdas/linux/pmda_linux.so (#1207410)


diff --git a/policy-f22-base.patch b/policy-f22-base.patch
index cceca2d..38990e7 100644
--- a/policy-f22-base.patch
+++ b/policy-f22-base.patch
@@ -14051,7 +14051,7 @@ index f962f76..1a36ae2 100644
 +	allow $1 etc_t:service status;
  ')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 1a03abd..32a40f8 100644
+index 1a03abd..3221f80 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
 @@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
@@ -14246,7 +14246,8 @@ index 1a03abd..32a40f8 100644
 +allow files_unconfined_type file_type:service *;
  
  # Mount/unmount any filesystem with the context= option.
- allow files_unconfined_type file_type:filesystem *;
+-allow files_unconfined_type file_type:filesystem *;
++allow files_unconfined_type file_type:filesystem all_filesystem_perms;
  
 -tunable_policy(`allow_execmod',`
 +tunable_policy(`selinuxuser_execmod',`
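Review bot: The move from `*` to `all_filesystem_perms` on the files_unconfined_type filesystem rule has no comment next to it, and the comment above it ("Mount/unmount any filesystem with the context= option") no longer explains the shape of the rule. `*` grants any permission a future kernel adds to the class, while the named set is pinned to what the policy's access vectors enumerate, which is presumably the intent of the "remove entrypoint" work described in the commit message. Suggest `# named set rather than *, so permissions added to the filesystem class later are not granted implicitly` above the rule.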
@@ -15879,14 +15880,16 @@ index e7d1738..6ac60c3 100644
 +allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;
 +allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
 diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
-index 7be4ddf..71e675a 100644
+index 7be4ddf..9710b33 100644
 --- a/policy/modules/kernel/kernel.fc
 +++ b/policy/modules/kernel/kernel.fc
-@@ -1 +1,3 @@
+@@ -1 +1,5 @@
 -# This module currently does not have any file contexts.
 +
 +/sys/class/net/ib.* 	  --	gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
++/sys/kernel/debug -d	gen_context(system_u:object_r:debugfs_t,s0)
++/sys/kernel/debug/.*	<<none>>
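Review bot: The new `<<none>>` entry for `/sys/kernel/debug/.*` is unexplained, and `<<none>>` entries are easy to misread as "unlabeled". Presumably it keeps restorecon/setfiles from touching debugfs contents, which are labeled by the `genfscon debugfs` rule in kernel.te rather than by file contexts, while the `-d` entry above labels only the mountpoint directory itself. Suggest `# debugfs contents are labeled by genfscon; only the mountpoint dir gets a file context` above the two lines, and note that the mountpoint labeling is what the companion `dev_associate_sysfs(debugfs_t)` in this commit appears to be for.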
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
 index e100d88..f45a698 100644
 --- a/policy/modules/kernel/kernel.if
@@ -17101,7 +17104,7 @@ index e100d88..f45a698 100644
 +	allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..15c063c 100644
+index 8dbab4c..46d7f18 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -17122,15 +17125,16 @@ index 8dbab4c..15c063c 100644
  role system_r types kernel_t;
  sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
  
-@@ -58,6 +62,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+@@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
  type debugfs_t;
  files_mountpoint(debugfs_t)
  fs_type(debugfs_t)
++dev_associate_sysfs(debugfs_t)
 +
  allow debugfs_t self:filesystem associate;
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
-@@ -95,9 +100,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+@@ -95,9 +101,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
  type proc_mdstat_t, proc_type;
  genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
  
@@ -17163,7 +17167,7 @@ index 8dbab4c..15c063c 100644
  type proc_xen_t, proc_type;
  files_mountpoint(proc_xen_t)
  genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
-@@ -133,14 +161,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
+@@ -133,14 +162,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
  type sysctl_kernel_t, sysctl_type;
  genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
  
@@ -17178,7 +17182,7 @@ index 8dbab4c..15c063c 100644
  # /proc/sys/net directory and files
  type sysctl_net_t, sysctl_type;
  genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
-@@ -153,6 +173,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+@@ -153,6 +174,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
  type sysctl_vm_t, sysctl_type;
  genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
  
@@ -17189,7 +17193,7 @@ index 8dbab4c..15c063c 100644
  # /proc/sys/dev directory and files
  type sysctl_dev_t, sysctl_type;
  genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +189,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +190,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
  type unlabeled_t;
  fs_associate(unlabeled_t)
  sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -17204,7 +17208,7 @@ index 8dbab4c..15c063c 100644
  
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +221,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -189,6 +222,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
  # kernel local policy
  #
  
@@ -17212,7 +17216,7 @@ index 8dbab4c..15c063c 100644
  allow kernel_t self:capability ~sys_module;
  allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +266,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +267,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
  corenet_in_generic_if(unlabeled_t)
  corenet_in_generic_node(unlabeled_t)
  
@@ -17220,7 +17224,7 @@ index 8dbab4c..15c063c 100644
  corenet_all_recvfrom_netlabel(kernel_t)
  # Kernel-generated traffic e.g., ICMP replies:
  corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +276,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +277,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
  corenet_tcp_sendrecv_all_nodes(kernel_t)
  corenet_raw_send_generic_node(kernel_t)
  corenet_send_all_packets(kernel_t)
@@ -17246,7 +17250,7 @@ index 8dbab4c..15c063c 100644
  
  # Mount root file system. Used when loading a policy
  # from initrd, then mounting the root filesystem
-@@ -263,7 +299,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +300,8 @@ fs_unmount_all_fs(kernel_t)
  
  selinux_load_policy(kernel_t)
  
@@ -17256,7 +17260,7 @@ index 8dbab4c..15c063c 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -277,25 +314,53 @@ files_list_root(kernel_t)
+@@ -277,25 +315,53 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -17310,7 +17314,7 @@ index 8dbab4c..15c063c 100644
  ')
  
  optional_policy(`
-@@ -305,6 +370,19 @@ optional_policy(`
+@@ -305,6 +371,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
@@ -17330,7 +17334,7 @@ index 8dbab4c..15c063c 100644
  ')
  
  optional_policy(`
-@@ -312,6 +390,11 @@ optional_policy(`
+@@ -312,6 +391,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17342,7 +17346,7 @@ index 8dbab4c..15c063c 100644
  	# nfs kernel server needs kernel UDP access. It is less risky and painful
  	# to just give it everything.
  	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +415,6 @@ optional_policy(`
+@@ -332,9 +416,6 @@ optional_policy(`
  
  	sysnet_read_config(kernel_t)
  
@@ -17352,7 +17356,7 @@ index 8dbab4c..15c063c 100644
  	rpc_udp_rw_nfs_sockets(kernel_t)
  
  	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +423,7 @@ optional_policy(`
+@@ -343,9 +424,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -17363,7 +17367,7 @@ index 8dbab4c..15c063c 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +432,7 @@ optional_policy(`
+@@ -354,7 +433,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -17372,7 +17376,7 @@ index 8dbab4c..15c063c 100644
  	')
  ')
  
-@@ -367,6 +445,15 @@ optional_policy(`
+@@ -367,6 +446,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -17388,7 +17392,7 @@ index 8dbab4c..15c063c 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -399,14 +486,39 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +487,39 @@ if( ! secure_mode_insmod ) {
  # Rules for unconfined acccess to this module
  #
  
@@ -18617,10 +18621,10 @@ index 156c333..02f5a3c 100644
 +	dev_manage_generic_blk_files(fixed_disk_raw_write)
 +')
 diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 0ea25b6..01b968e 100644
+index 0ea25b6..37069ae 100644
 --- a/policy/modules/kernel/terminal.fc
 +++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,12 @@
+@@ -14,12 +14,13 @@
  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
@@ -18630,10 +18634,12 @@ index 0ea25b6..01b968e 100644
 +/dev/sclp_line[0-9]+    -c  gen_context(system_u:object_r:tty_device_t,s0)
  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
  /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+-/dev/vport[0-9]p[0-9]+	-c	gen_context(system_u:object_r:virtio_device_t,s0)
 +/dev/ttyUSB[0-9]+	-c	gen_context(system_u:object_r:usbtty_device_t,s0)
- /dev/vport[0-9]p[0-9]+	-c	gen_context(system_u:object_r:virtio_device_t,s0)
++/dev/vport.*		-c	gen_context(system_u:object_r:virtio_device_t,s0)
  /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  
+ /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
 @@ -42,3 +43,7 @@ ifdef(`distro_gentoo',`
  # used by init scripts to initally populate udev /dev
  /lib/udev/devices/console -c	gen_context(system_u:object_r:console_device_t,s0)
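Review bot: `/dev/vport.*` is broader than the arm problem needs: file-context regexes are anchored on the whole path and `.*` also matches `/`, so it labels anything under a `/dev/vport...` prefix, not just virtio port nodes. If the arm mismatch is multi-digit port or device indices (the old pattern allowed a single digit before `p`), `/dev/vport[0-9]+p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)` fixes it without widening; if the arm names differ in some other way, `/dev/vport[^/]*` at least keeps it to one path component. The commit message only says "mislabeled on arm", so I cannot tell which applies.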
@@ -25805,7 +25811,7 @@ index 6bf0ecc..b036584 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..2532a81 100644
+index 8b40377..2fd531e 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,66 @@ gen_require(`
@@ -26368,7 +26374,7 @@ index 8b40377..2532a81 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -431,9 +611,28 @@ files_list_mnt(xdm_t)
+@@ -431,9 +611,29 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -26386,6 +26392,7 @@ index 8b40377..2532a81 100644
 +fs_search_all(xdm_t)
 +fs_rw_anon_inodefs_files(xdm_t)
 +fs_mount_tmpfs(xdm_t)
++fs_mounton_fusefs(xdm_t)
 +fs_list_inotifyfs(xdm_t)
 +fs_dontaudit_list_noxattr_fs(xdm_t)
 +fs_dontaudit_read_noxattr_fs_files(xdm_t)
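Review bot: `fs_mounton_fusefs(xdm_t)` widens the display-manager domain for a process that, per the commit message, is gvfsd-fuse running as xdm_t rather than the display manager itself, and nothing in the hunk records that. A reader later tightening xdm_t will not know which process needs it; suggest `# gvfsd-fuse runs in xdm_t and mounts /run/user/42/gvfs (BZ 1218137)` above the call. A dedicated domain transition for gvfsd-fuse would avoid growing xdm_t, but that is outside this hunk.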
@@ -26397,7 +26404,7 @@ index 8b40377..2532a81 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +641,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +642,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -26446,7 +26453,7 @@ index 8b40377..2532a81 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +687,159 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +688,159 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -26612,7 +26619,7 @@ index 8b40377..2532a81 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,12 +852,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +853,31 @@ tunable_policy(`xdm_sysadm_login',`
  #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
  ')
  
@@ -26644,7 +26651,7 @@ index 8b40377..2532a81 100644
  ')
  
  optional_policy(`
-@@ -517,9 +886,34 @@ optional_policy(`
+@@ -517,9 +887,34 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(xdm_t)
  	dbus_connect_system_bus(xdm_t)
@@ -26680,7 +26687,7 @@ index 8b40377..2532a81 100644
  	')
  ')
  
-@@ -530,6 +924,20 @@ optional_policy(`
+@@ -530,6 +925,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26701,7 +26708,7 @@ index 8b40377..2532a81 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -547,28 +955,78 @@ optional_policy(`
+@@ -547,28 +956,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26789,7 +26796,7 @@ index 8b40377..2532a81 100644
  ')
  
  optional_policy(`
-@@ -580,6 +1038,14 @@ optional_policy(`
+@@ -580,6 +1039,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26804,7 +26811,7 @@ index 8b40377..2532a81 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +1060,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1061,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -26813,7 +26820,7 @@ index 8b40377..2532a81 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1070,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1071,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -26826,7 +26833,7 @@ index 8b40377..2532a81 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1087,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1088,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -26842,7 +26849,7 @@ index 8b40377..2532a81 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1103,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1104,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -26853,7 +26860,7 @@ index 8b40377..2532a81 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1118,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1119,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -26890,7 +26897,7 @@ index 8b40377..2532a81 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1164,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1165,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -26922,7 +26929,7 @@ index 8b40377..2532a81 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -705,6 +1197,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1198,14 @@ fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
  
@@ -26937,7 +26944,7 @@ index 8b40377..2532a81 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -718,20 +1218,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1219,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -26961,7 +26968,7 @@ index 8b40377..2532a81 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1237,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1238,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -26970,7 +26977,7 @@ index 8b40377..2532a81 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1281,54 @@ optional_policy(`
+@@ -785,17 +1282,54 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27027,7 +27034,7 @@ index 8b40377..2532a81 100644
  ')
  
  optional_policy(`
-@@ -803,6 +1336,10 @@ optional_policy(`
+@@ -803,6 +1337,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27038,7 +27045,7 @@ index 8b40377..2532a81 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -818,18 +1355,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1356,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -27063,7 +27070,7 @@ index 8b40377..2532a81 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -842,26 +1378,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1379,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -27098,7 +27105,7 @@ index 8b40377..2532a81 100644
  ')
  
  optional_policy(`
-@@ -912,7 +1443,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1444,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -27107,7 +27114,7 @@ index 8b40377..2532a81 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -966,11 +1497,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1498,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -27139,7 +27146,7 @@ index 8b40377..2532a81 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1543,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1544,148 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -28432,7 +28439,7 @@ index 3efd5b6..9e85ea0 100644
 +	allow $1 login_pgm:key manage_key_perms;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..03657db 100644
+index 09b791d..15dea9c 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -28756,7 +28763,7 @@ index 09b791d..03657db 100644
  optional_policy(`
  	kerberos_use(nsswitch_domain)
  ')
-@@ -456,10 +520,155 @@ optional_policy(`
+@@ -456,10 +520,156 @@ optional_policy(`
  
  optional_policy(`
  	sssd_stream_connect(nsswitch_domain)
@@ -28796,6 +28803,7 @@ index 09b791d..03657db 100644
 +allow login_pgm self:process setkeycreate;
 +allow login_pgm self:key manage_key_perms;
 +userdom_manage_all_users_keys(login_pgm)
++allow login_pgm nsswitch_domain:key manage_key_perms;
 +
 +files_list_var_lib(login_pgm)
 +manage_dirs_pattern(login_pgm, var_auth_t, var_auth_t)
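Review bot: `allow login_pgm nsswitch_domain:key manage_key_perms;` grants every login program full management (create/read/write/setattr/link/search/view, per the usual macro — confirm its definition) over the keyrings of every domain carrying the nsswitch_domain attribute, which is a very large set rather than a single daemon. If the denials behind "access kernel keyring for nsswitch domains" were only lookups, `allow login_pgm nsswitch_domain:key { search view read };` would cover them without letting login programs rewrite other domains' keys. The `userdom_manage_all_users_keys(login_pgm)` line just above already covers user keyrings, so the new rule is only needed for the non-user nsswitch domains. login_pgm's rules continue past this hunk.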
@@ -35359,7 +35367,7 @@ index 59b04c1..aaf4124 100644
 +
 +logging_stream_connect_syslog(syslog_client_type)
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 6b91740..562d1fd 100644
+index 6b91740..5c1669a 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
 @@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
@@ -35371,7 +35379,7 @@ index 6b91740..562d1fd 100644
  #
  # /lib
  #
-@@ -33,19 +35,23 @@ ifdef(`distro_gentoo',`
+@@ -33,22 +35,27 @@ ifdef(`distro_gentoo',`
  #
  # /sbin
  #
@@ -35396,7 +35404,11 @@ index 6b91740..562d1fd 100644
  /sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -89,8 +95,74 @@ ifdef(`distro_gentoo',`
++/sbin/lvmpolld      --  gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvreduce		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvrename		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -89,8 +96,75 @@ ifdef(`distro_gentoo',`
  #
  # /usr
  #
@@ -35425,6 +35437,7 @@ index 6b91740..562d1fd 100644
 +/usr/sbin/lvmiopversion		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmpolld      --  gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvreduce		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvrename		--	gen_context(system_u:object_r:lvm_exec_t,s0)
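Review bot: Same layout issue as the `/sbin` block: `/usr/sbin/lvmpolld` uses spaces instead of the tabs used by every other line and breaks the alphabetical order of the surrounding entries. Suggest `/usr/sbin/lvmpolld		--	gen_context(system_u:object_r:lvm_exec_t,s0)` placed before `/usr/sbin/lvmsadc`.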
@@ -35473,7 +35486,7 @@ index 6b91740..562d1fd 100644
  
  #
  # /var
-@@ -98,5 +170,9 @@ ifdef(`distro_gentoo',`
+@@ -98,5 +172,9 @@ ifdef(`distro_gentoo',`
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -35484,7 +35497,7 @@ index 6b91740..562d1fd 100644
 +/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
  /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..f5ae583 100644
+index 58bc27f..52e94d7 100644
 --- a/policy/modules/system/lvm.if
 +++ b/policy/modules/system/lvm.if
 @@ -86,6 +86,50 @@ interface(`lvm_read_config',`
@@ -35538,7 +35551,33 @@ index 58bc27f..f5ae583 100644
  ##	Manage LVM configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -123,3 +167,131 @@ interface(`lvm_domtrans_clvmd',`
+@@ -105,6 +149,25 @@ interface(`lvm_manage_config',`
+ 	manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
+ ')
+ 
++########################################
++## <summary>
++##	Connect to lvm using a unix domain stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`lvm_stream_connect',`
++	gen_require(`
++		type lvm_t, lvm_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, lvm_var_run_t, lvm_var_run_t, lvm_t)
++')
++
+ ######################################
+ ## <summary>
+ ##	Execute a domain transition to run clvmd.
+@@ -123,3 +186,131 @@ interface(`lvm_domtrans_clvmd',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
  ')
@@ -37692,7 +37731,7 @@ index d43f3b1..870bc36 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..8a23b62 100644
+index 3822072..8893bcf 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
 @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -38329,7 +38368,7 @@ index 3822072..8a23b62 100644
  ##	Get trans lock on module store
  ## </summary>
  ## <param name="domain">
-@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1618,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
@@ -38361,7 +38400,6 @@ index 3822072..8a23b62 100644
 +	mls_file_read_all_levels($1)
 +
 +	selinux_get_enforce_mode($1)
-+    selinux_set_enforce_mode($1)
 +
 +	seutil_manage_bin_policy($1)
 +
@@ -38453,7 +38491,7 @@ index 3822072..8a23b62 100644
 +	allow semanage_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..90ff61b 100644
+index dc46420..f064846 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,14 +11,16 @@ gen_require(`
@@ -38844,7 +38882,7 @@ index dc46420..90ff61b 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -440,81 +514,87 @@ optional_policy(`
+@@ -440,81 +514,88 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -38884,6 +38922,7 @@ index dc46420..90ff61b 100644
 -selinux_get_enforce_mode(semanage_t)
 -selinux_getattr_fs(semanage_t)
 -# for setsebool:
++selinux_set_enforce_mode(semanage_t)
  selinux_set_all_booleans(semanage_t)
 +can_exec(semanage_t, semanage_exec_t)
  
@@ -38985,7 +39024,7 @@ index dc46420..90ff61b 100644
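Review bot: `selinux_set_enforce_mode(semanage_t)` has no comment saying which semanage/semodule operation needs to flip enforcing mode, and it is the one line in this domain that a later reviewer will most want justified. Restricting it to semanage_t instead of every `seutil_semanage_policy()` caller is an improvement, but any domain granted a transition into semanage_t still inherits the ability to setenforce 0, so that should be stated. Suggest `# setenforce is deliberately granted here only, not through seutil_semanage_policy(); domains that domtrans to semanage_t gain it transitively` above the call.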
  ')
  
  ########################################
-@@ -522,111 +602,197 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +603,197 @@ ifdef(`distro_ubuntu',`
  # Setfiles local policy
  #
  
@@ -40293,10 +40332,10 @@ index a392fc4..ca1b2bc 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..a6664be
+index 0000000..a03b5ee
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,51 @@
 +HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +/root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +
@@ -40318,6 +40357,7 @@ index 0000000..a6664be
 +/usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-networkd\.service     gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-vconsole-setup\.service		gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
++/usr/lib/systemd/system/systemd-time.*\.service	--	gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
 +/usr/lib/systemd/system/.*halt.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*hibernate.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*power.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
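Review bot: `systemd-time.*\.service` matches more than systemd-timedated.service: at least systemd-timesyncd.service and any future `systemd-time*` unit get systemd_timedated_unit_file_t, and elsewhere in this commit systemd_timedated_t is given manage_service_perms on that type. If the intent is to let timedated toggle timesyncd (as `timedatectl set-ntp` does, presumably), make that explicit with `/usr/lib/systemd/system/systemd-time(dated|syncd)\.service	--	gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)`; if only timedated's own unit was meant, drop the wildcard.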
@@ -41815,10 +41855,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..e980df0
+index 0000000..c19260b
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,709 @@
+@@ -0,0 +1,714 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -41901,6 +41941,9 @@ index 0000000..e980df0
 +typeattribute systemd_timedated_t systemd_domain;
 +typealias systemd_timedated_t alias gnomeclock_t;
 +
++type systemd_timedated_unit_file_t;
++systemd_unit_file(systemd_timedated_unit_file_t)
++
 +systemd_domain_template(systemd_sysctl)
 +
 +#######################################
@@ -42398,6 +42441,8 @@ index 0000000..e980df0
 +allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
 +allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
 +
++allow systemd_timedated_t systemd_timedated_unit_file_t:service manage_service_perms;
++
 +corecmd_exec_bin(systemd_timedated_t)
 +corecmd_exec_shell(systemd_timedated_t)
 +corecmd_dontaudit_access_check_bin(systemd_timedated_t)
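Review bot: `manage_service_perms` on systemd_timedated_unit_file_t gives timedated enable/disable as well as start/stop/status on every unit the new file context covers, which per the systemd.fc hunk in this commit is `systemd-time*.service` rather than just its own unit. That is likely what toggling NTP via timesyncd needs, but the rule should say so, e.g. `# timedated starts/stops/enables timesyncd when NTP is toggled; unit files labeled by systemd-time.*\.service in systemd.fc`. If only status is needed for some of those units, a narrower set would do.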
@@ -43930,7 +43975,7 @@ index db75976..1ee08ec 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..6498859 100644
+index 9dc60c6..2db13a0 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -45732,13 +45777,10 @@ index 9dc60c6..6498859 100644
  ##	Relabel to user home directories.
  ## </summary>
  ## <param name="domain">
-@@ -1629,6 +2156,42 @@ interface(`userdom_relabelto_user_home_dirs',`
- 	allow $1 user_home_dir_t:dir relabelto;
- ')
+@@ -1631,6 +2158,59 @@ interface(`userdom_relabelto_user_home_dirs',`
  
-+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
 +##	Relabel to user home files.
 +## </summary>
 +## <param name="domain">
@@ -45772,10 +45814,30 @@ index 9dc60c6..6498859 100644
 +	allow $1 user_home_t:file relabel_file_perms;
 +')
 +
- ########################################
- ## <summary>
++########################################
++## <summary>
++##	Relabel user home directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_relabel_user_home_dirs',`
++	gen_require(`
++		type user_home_dir_t;
++	')
++
++	allow $1 user_home_t:dir relabel_file_perms;
++')
++
++########################################
++## <summary>
  ##	Create directories in the home dir root with
-@@ -1704,10 +2267,12 @@ interface(`userdom_user_home_domtrans',`
+ ##	the user home directory type.
+ ## </summary>
+@@ -1704,10 +2284,12 @@ interface(`userdom_user_home_domtrans',`
  #
  interface(`userdom_dontaudit_search_user_home_content',`
  	gen_require(`
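Review bot: The new `userdom_relabel_user_home_dirs` interface requires `type user_home_dir_t;` but its only rule is on `user_home_t`, so the required type is unused and the type actually referenced is not declared in the gen_require; it also applies `relabel_file_perms` to a `dir` object. Given the summary and the sibling `userdom_relabelto_user_home_dirs`, which targets `user_home_dir_t:dir`, the rule most likely should read `allow $1 user_home_dir_t:dir relabel_dir_perms;`; if the intent really is subdirectories labeled `user_home_t`, add `user_home_t` to the gen_require instead. Since this grants relabelfrom as well as relabelto, the summary should say the caller can relabel home directories in both directions, unlike the relabelto-only sibling.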
@@ -45790,7 +45852,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -1741,10 +2306,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2323,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -45805,7 +45867,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -1769,7 +2336,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2353,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -45814,7 +45876,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1777,19 +2344,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2361,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -45838,7 +45900,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1797,55 +2362,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2379,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -45909,7 +45971,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1853,18 +2418,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2435,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -45937,57 +45999,45 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1872,41 +2438,178 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,17 +2455,151 @@ interface(`userdom_mmap_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_read_user_home_content_files',`
 -	gen_require(`
 -		type user_home_dir_t, user_home_t;
--	')
--
--	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
--	files_search_home($1)
 +interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
 +    gen_require(`
 +        type user_tmp_t;
 +    ')
 +    dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read user home files.
++')
++
++########################################
++## <summary>
 +##	Relabel user tmp files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`userdom_dontaudit_read_user_home_content_files',`
++#
 +interface(`userdom_relabel_user_tmp_files',`
- 	gen_require(`
--		type user_home_t;
++	gen_require(`
 +		type user_tmp_t;
- 	')
- 
--	dontaudit $1 user_home_t:dir list_dir_perms;
--	dontaudit $1 user_home_t:file read_file_perms;
++	')
++
 +	allow $1 user_tmp_t:file relabel_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to append user home files.
++')
++
++########################################
++## <summary>
 +##	Relabel user tmp files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@@ -46072,16 +46122,17 @@ index 9dc60c6..6498859 100644
 +	gen_require(`
 +		type user_home_dir_t, user_home_t;
 +		attribute user_home_type;
-+	')
-+
+ 	')
+ 
+-	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 +	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
 +	list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
 +	read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+	files_search_home($1)
-+')
-+
-+########################################
-+## <summary>
+ 	files_search_home($1)
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Do not audit attempts to getattr user home files.
 +## </summary>
 +## <param name="domain">
@@ -46101,37 +46152,28 @@ index 9dc60c6..6498859 100644
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to read user home files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dontaudit_read_user_home_content_files',`
-+	gen_require(`
+ ##	Do not audit attempts to read user home files.
+ ## </summary>
+ ## <param name="domain">
+@@ -1893,11 +2610,14 @@ interface(`userdom_read_user_home_content_files',`
+ #
+ interface(`userdom_dontaudit_read_user_home_content_files',`
+ 	gen_require(`
+-		type user_home_t;
 +		attribute user_home_type;
 +		type user_home_dir_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 user_home_t:dir list_dir_perms;
+-	dontaudit $1 user_home_t:file read_file_perms;
 +	dontaudit $1 user_home_dir_t:dir list_dir_perms;
 +	dontaudit $1 user_home_type:dir list_dir_perms;
 +	dontaudit $1 user_home_type:file read_file_perms;
 +	dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to append user home files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -1938,7 +2641,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+ ')
+ 
+ ########################################
+@@ -1938,7 +2658,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -46140,7 +46182,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,10 +2649,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2666,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -46153,7 +46195,7 @@ index 9dc60c6..6498859 100644
  	')
  
  	userdom_search_user_home_content($1)
-@@ -1958,7 +2660,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2677,7 @@ interface(`userdom_delete_all_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -46162,7 +46204,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1966,12 +2668,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2685,66 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -46231,7 +46273,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -2007,8 +2763,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2780,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -46241,7 +46283,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -2024,20 +2779,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2796,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -46266,7 +46308,7 @@ index 9dc60c6..6498859 100644
  
  ########################################
  ## <summary>
-@@ -2120,7 +2869,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2886,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -46275,7 +46317,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2128,19 +2877,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2894,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -46299,7 +46341,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2148,12 +2895,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2912,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -46315,7 +46357,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -2388,18 +3135,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3152,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -46373,7 +46415,7 @@ index 9dc60c6..6498859 100644
  ##	Do not audit attempts to read users
  ##	temporary files.
  ## </summary>
-@@ -2414,7 +3197,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3214,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -46382,7 +46424,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -2455,6 +3238,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3255,25 @@ interface(`userdom_rw_user_tmp_files',`
  	rw_files_pattern($1, user_tmp_t, user_tmp_t)
  	files_search_tmp($1)
  ')
@@ -46408,7 +46450,7 @@ index 9dc60c6..6498859 100644
  
  ########################################
  ## <summary>
-@@ -2538,7 +3340,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3357,7 @@ interface(`userdom_manage_user_tmp_files',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
@@ -46417,7 +46459,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2546,19 +3348,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3365,19 @@ interface(`userdom_manage_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -46440,7 +46482,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2566,19 +3368,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,19 +3385,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -46463,7 +46505,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2586,12 +3388,53 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,19 +3405,60 @@ interface(`userdom_manage_user_tmp_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -46475,12 +46517,14 @@ index 9dc60c6..6498859 100644
  
 -	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
 +    allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
-+	files_search_tmp($1)
-+')
-+
+ 	files_search_tmp($1)
+ ')
+ 
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Create objects in a user temporary directory
+-##	with an automatic type transition to
 +##	Create, read, write, and delete user
 +##	temporary named pipes.
 +## </summary>
@@ -46516,10 +46560,17 @@ index 9dc60c6..6498859 100644
 +	')
 +
 +	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
- 	files_search_tmp($1)
- ')
- 
-@@ -2661,6 +3504,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
++	files_search_tmp($1)
++')
++
++########################################
++## <summary>
++##	Create objects in a user temporary directory
++##	with an automatic type transition to
+ ##	a specified private type.
+ ## </summary>
+ ## <param name="domain">
+@@ -2661,6 +3521,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -46541,7 +46592,7 @@ index 9dc60c6..6498859 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2672,18 +3530,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3547,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  ## </param>
  #
  interface(`userdom_read_user_tmpfs_files',`
@@ -46563,7 +46614,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2692,19 +3545,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3562,13 @@ interface(`userdom_read_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_rw_user_tmpfs_files',`
@@ -46586,7 +46637,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2713,13 +3560,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3577,56 @@ interface(`userdom_rw_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_manage_user_tmpfs_files',`
@@ -46647,7 +46698,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -2814,6 +3704,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3721,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -46672,7 +46723,7 @@ index 9dc60c6..6498859 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2832,22 +3740,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3757,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -46715,7 +46766,7 @@ index 9dc60c6..6498859 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2856,14 +3776,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3793,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -46753,7 +46804,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -2882,8 +3821,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3838,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -46783,7 +46834,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -2955,69 +3913,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3930,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -46884,7 +46935,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3025,12 +3982,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3999,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -46899,7 +46950,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -3094,7 +4051,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4068,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -46908,7 +46959,7 @@ index 9dc60c6..6498859 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3110,29 +4067,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4084,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -46942,7 +46993,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -3214,7 +4155,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4172,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -46969,7 +47020,7 @@ index 9dc60c6..6498859 100644
  ')
  
  ########################################
-@@ -3269,12 +4228,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4245,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -46985,7 +47036,7 @@ index 9dc60c6..6498859 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3282,49 +4242,125 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,46 +4259,122 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -47043,9 +47094,8 @@ index 9dc60c6..6498859 100644
  	gen_require(`
 -		attribute userdomain;
 +		type user_tmp_t;
- 	')
- 
--	allow $1 userdomain:process getattr;
++	')
++
 +	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
@@ -47119,13 +47169,10 @@ index 9dc60c6..6498859 100644
 +interface(`userdom_getattr_all_users',`
 +	gen_require(`
 +		attribute userdomain;
-+	')
-+
-+	allow $1 userdomain:process getattr;
- ')
+ 	')
  
- ########################################
-@@ -3382,6 +4418,42 @@ interface(`userdom_signal_all_users',`
+ 	allow $1 userdomain:process getattr;
+@@ -3382,6 +4435,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -47168,7 +47215,7 @@ index 9dc60c6..6498859 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4474,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4491,60 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -47229,7 +47276,7 @@ index 9dc60c6..6498859 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4561,1687 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4578,1687 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-f22-contrib.patch b/policy-f22-contrib.patch
index 6589773..0fa996f 100644
--- a/policy-f22-contrib.patch
+++ b/policy-f22-contrib.patch
@@ -546,7 +546,7 @@ index 058d908..158acba 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..7f6a8b6 100644
+index eb50f07..fb0af36 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -821,7 +821,7 @@ index eb50f07..7f6a8b6 100644
  ')
  
  optional_policy(`
-@@ -222,6 +249,20 @@ optional_policy(`
+@@ -222,6 +249,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -838,11 +838,15 @@ index eb50f07..7f6a8b6 100644
 +')
 +
 +optional_policy(`
++    pcp_read_lib_files(abrt_t)
++')
++
++optional_policy(`
 +	policykit_dbus_chat(abrt_t)
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -234,6 +275,11 @@ optional_policy(`
+@@ -234,6 +279,11 @@ optional_policy(`
  ')
  
  optional_policy(`
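Review bot: `pcp_read_lib_files(abrt_t)` is indented with four spaces while the surrounding abrt.te block uses tabs (`policykit_dbus_chat(abrt_t)` on the next added line is tab-indented), so the file ends up with mixed indentation inside one optional_policy stretch. The same mismatch appears in the linuxptp hunk, where `ntp_signal(timemaster_t)` sits beside tab-indented `ntp_domtrans(timemaster_t)`, and in the body of the new `glusterd_filetrans_named_pid` interface. Use a tab in each of these: `	pcp_read_lib_files(abrt_t)`.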
@@ -854,7 +858,7 @@ index eb50f07..7f6a8b6 100644
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
-@@ -243,6 +289,7 @@ optional_policy(`
+@@ -243,6 +293,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -862,7 +866,7 @@ index eb50f07..7f6a8b6 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -253,9 +300,21 @@ optional_policy(`
+@@ -253,9 +304,21 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -885,7 +889,7 @@ index eb50f07..7f6a8b6 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +325,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +329,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -900,7 +904,7 @@ index eb50f07..7f6a8b6 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +344,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -908,7 +912,7 @@ index eb50f07..7f6a8b6 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +353,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -929,7 +933,7 @@ index eb50f07..7f6a8b6 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +374,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +378,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -956,7 +960,7 @@ index eb50f07..7f6a8b6 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +410,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -970,7 +974,7 @@ index eb50f07..7f6a8b6 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +428,11 @@ optional_policy(`
+@@ -343,10 +432,11 @@ optional_policy(`
  
  #######################################
  #
@@ -984,7 +988,7 @@ index eb50f07..7f6a8b6 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +451,60 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +455,60 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1049,7 +1053,7 @@ index eb50f07..7f6a8b6 100644
  
  #######################################
  #
-@@ -404,25 +512,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +516,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1110,7 +1114,7 @@ index eb50f07..7f6a8b6 100644
  ')
  
  #######################################
-@@ -430,10 +571,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +575,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -3040,10 +3044,10 @@ index 0000000..36251b9
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..253a684
+index 0000000..6183b21
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,270 @@
+@@ -0,0 +1,271 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -3110,7 +3114,7 @@ index 0000000..253a684
 +# antivirus domain local policy
 +#
 +
-+allow antivirus_domain self:capability { dac_override chown kill setgid setuid sys_admin };
++allow antivirus_domain self:capability { dac_override chown kill fsetid setgid setuid sys_admin };
 +dontaudit antivirus_domain self:capability sys_tty_config;
 +allow antivirus_domain self:process signal_perms;
 +
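Review bot: `fsetid` is added to the capability set of the `antivirus_domain` attribute, so every domain carrying the attribute gains CAP_FSETID, while the commit message justifies it for clamd only. If just one domain needs it, a separate `allow <that domain> self:capability fsetid;` keeps the others at their previous privilege; if the attribute-wide grant is intentional, a one-line comment above the rule recording the bug reference and the reason would stop a later reviewer from trimming it back.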
@@ -3149,6 +3153,7 @@ index 0000000..253a684
 +
 +can_exec(antivirus_domain, antivirus_exec_t)
 +
++kernel_read_system_state(antivirus_t)
 +kernel_read_network_state(antivirus_domain)
 +kernel_read_all_sysctls(antivirus_domain)
 +
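Review bot: `kernel_read_system_state(antivirus_t)` is the only rule in this stretch written on the concrete type, while the neighbouring `kernel_read_network_state` and `kernel_read_all_sysctls` calls are on the `antivirus_domain` attribute. If the other antivirus domains need the same access, use the attribute for consistency; if the narrower grant is deliberate, add a comment such as `# only antivirus_t needs /proc system state` so the asymmetry is not mistaken for an oversight.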
@@ -3315,10 +3320,10 @@ index 0000000..253a684
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..3009a35 100644
+index 7caefc3..89ce9a7 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,204 @@
+@@ -1,162 +1,205 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3531,6 +3536,7 @@ index 7caefc3..3009a35 100644
 +/var/lib/drupal.*			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/ipsilon(/.*)?          gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/moodle(/.*)?		    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/mod_security(/.*)?     gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -5157,7 +5163,7 @@ index f6eb485..164501c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..d671bf8 100644
+index 6649962..2837ddd 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@@ -7353,7 +7359,7 @@ index 6649962..d671bf8 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1633,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1633,103 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -7474,6 +7480,8 @@ index 6649962..d671bf8 100644
 +
 +tunable_policy(`httpd_use_openstack',`
 +    corenet_tcp_connect_osapi_compute_port(httpd_t)
++    corenet_tcp_bind_commplex_main_port(httpd_t)
++    keystone_read_log(httpd_t)
  ')
 diff --git a/apcupsd.fc b/apcupsd.fc
 index 5ec0e13..97c204f 100644
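Review bot: `keystone_read_log(httpd_t)` calls an interface from another module directly inside `tunable_policy(`httpd_use_openstack',...)` with no `optional_policy` around it, so apache would presumably fail to build whenever the keystone module is not available. The refpolicy convention is to nest the tunable block inside `optional_policy(`...')`, which keeps the boolean-gated access but makes the keystone dependency optional; the new `corenet_tcp_bind_commplex_main_port(httpd_t)` line can stay where it is since it comes from the base kernel layer. The enclosing tunable_policy block starts outside this hunk.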
@@ -12185,10 +12193,10 @@ index 0000000..aa308eb
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..f50b201
+index 0000000..fbcd3e2
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,249 @@
+@@ -0,0 +1,251 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -12301,6 +12309,8 @@ index 0000000..f50b201
 +
 +libs_legacy_use_shared_libs(chrome_sandbox_t)
 +
++term_dontaudit_use_console(chrome_sandbox_t)
++
 +miscfiles_read_fonts(chrome_sandbox_t)
 +
 +sysnet_dns_name_resolve(chrome_sandbox_t)
@@ -12775,10 +12785,10 @@ index 0000000..fc9cae7
 +')
 diff --git a/cinder.te b/cinder.te
 new file mode 100644
-index 0000000..f257547
+index 0000000..488a7a6
 --- /dev/null
 +++ b/cinder.te
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,169 @@
 +policy_module(cinder, 1.0.0)
 +
 +########################################
@@ -12905,6 +12915,8 @@ index 0000000..f257547
 +
 +auth_use_nsswitch(cinder_backup_t)
 +
++systemd_dbus_chat_logind(cinder_backup_t)
++
 +optional_policy(`
 +    unconfined_domain(cinder_backup_t)
 +')
@@ -16451,7 +16463,7 @@ index 715a826..a1cbdb2 100644
 +	')
  ')
 diff --git a/couchdb.te b/couchdb.te
-index ae1c1b1..81803f9 100644
+index ae1c1b1..fa53a8c 100644
 --- a/couchdb.te
 +++ b/couchdb.te
 @@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
@@ -16479,7 +16491,7 @@ index ae1c1b1..81803f9 100644
  
  manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
  append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-@@ -56,11 +59,13 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
+@@ -56,11 +59,14 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
  
  manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
  manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
@@ -16488,13 +16500,14 @@ index ae1c1b1..81803f9 100644
  
  can_exec(couchdb_t, couchdb_exec_t)
  
++kernel_read_network_state(couchdb_t)
  kernel_read_system_state(couchdb_t)
 +kernel_read_fs_sysctls(couchdb_t)
 +kernel_dgram_send(couchdb_t)
  
  corecmd_exec_bin(couchdb_t)
  corecmd_exec_shell(couchdb_t)
-@@ -75,14 +80,25 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
+@@ -75,14 +81,25 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
  corenet_tcp_bind_couchdb_port(couchdb_t)
  corenet_tcp_sendrecv_couchdb_port(couchdb_t)
  
@@ -23340,7 +23353,7 @@ index c697edb..954c090 100644
 +	allow $1 dhcpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/dhcp.te b/dhcp.te
-index 98a24b9..401ddbc 100644
+index 98a24b9..5a24c3a 100644
 --- a/dhcp.te
 +++ b/dhcp.te
 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -23358,7 +23371,7 @@ index 98a24b9..401ddbc 100644
  #
  
 -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
-+allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid setpcap sys_resource };
++allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw kill setgid setuid setpcap sys_resource };
  dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
  allow dhcpd_t self:process { getcap setcap signal_perms };
  allow dhcpd_t self:fifo_file rw_fifo_file_perms;
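Review bot: The `kill` capability added to `dhcpd_t` comes with no rationale in the hunk, and CAP_KILL lets the daemon signal processes running under other UIDs, so it is a broader grant than the rest of the set. A short comment naming the bug or the denial that motivated it, e.g. `# dhcpd needs CAP_KILL to signal <process> (see BZ <ref>)`, would document why it is there and let a later audit confirm it is still required.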
@@ -24862,7 +24875,7 @@ index 0000000..457d4dd
 +')
 diff --git a/dnssec.te b/dnssec.te
 new file mode 100644
-index 0000000..64f1a64
+index 0000000..b759cd7
 --- /dev/null
 +++ b/dnssec.te
 @@ -0,0 +1,68 @@
@@ -24887,7 +24900,7 @@ index 0000000..64f1a64
 +#
 +# dnssec_trigger local policy
 +#
-+allow dnssec_trigger_t self:capability linux_immutable;
++allow dnssec_trigger_t self:capability { net_admin linux_immutable };
 +allow dnssec_trigger_t self:process signal;
 +allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
 +allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
@@ -30923,10 +30936,10 @@ index 0000000..8c8c6c9
 +/var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 diff --git a/glusterd.if b/glusterd.if
 new file mode 100644
-index 0000000..07b266a
+index 0000000..29f6b1d
 --- /dev/null
 +++ b/glusterd.if
-@@ -0,0 +1,170 @@
+@@ -0,0 +1,186 @@
 +
 +## <summary>policy for glusterd</summary>
 +
@@ -30969,7 +30982,6 @@ index 0000000..07b266a
 +	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
 +')
 +
-+
 +########################################
 +## <summary>
 +##	Read glusterd's log files.
@@ -31009,6 +31021,23 @@ index 0000000..07b266a
 +	append_files_pattern($1, glusterd_log_t, glusterd_log_t)
 +')
 +
++#######################################
++## <summary>
++##  Transition content labels to glusterd named content
++## </summary>
++## <param name="domain">
++##  <summary>
++##      Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`glusterd_filetrans_named_pid',`
++    gen_require(`
++        type glusterd_var_run_t;
++    ')
++    files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket")
++')
++
 +########################################
 +## <summary>
 +##	Manage glusterd log files
@@ -36477,16 +36506,17 @@ index 0000000..7fc3464
 +')
 diff --git a/iotop.te b/iotop.te
 new file mode 100644
-index 0000000..51d7e34
+index 0000000..61f2003
 --- /dev/null
 +++ b/iotop.te
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,39 @@
 +policy_module(iotop, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
++
 +attribute_role iotop_roles;
 +roleattribute system_r iotop_roles;
 +
@@ -36503,6 +36533,7 @@ index 0000000..51d7e34
 +
 +allow iotop_t self:capability net_admin;
 +allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
++allow iotop_t self:netlink_socket create_socket_perms;
 +
 +kernel_read_system_state(iotop_t)
 +
@@ -42775,10 +42806,10 @@ index 0000000..7ba5060
 +
 diff --git a/linuxptp.te b/linuxptp.te
 new file mode 100644
-index 0000000..15aea48
+index 0000000..7529f3c
 --- /dev/null
 +++ b/linuxptp.te
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,173 @@
 +policy_module(linuxptp, 1.0.0)
 +
 +
@@ -42855,6 +42886,7 @@ index 0000000..15aea48
 +
 +optional_policy(`
 +	ntp_domtrans(timemaster_t)
++    ntp_signal(timemaster_t)
 +')
 +
 +optional_policy(`
@@ -47624,16 +47656,22 @@ index 0000000..e7220a5
 +logging_send_syslog_msg(mon_procd_t)
 +
 diff --git a/mongodb.fc b/mongodb.fc
-index 6fcfc31..91adcaf 100644
+index 6fcfc31..e9e6bc5 100644
 --- a/mongodb.fc
 +++ b/mongodb.fc
-@@ -1,9 +1,13 @@
+@@ -1,9 +1,19 @@
  /etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mongos	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
  
 -/usr/bin/mongod	--	gen_context(system_u:object_r:mongod_exec_t,s0)
++/usr/lib/systemd/system/mongod.*    --     gen_context(system_u:object_r:mongod_unit_file_t,s0)
++/usr/lib/systemd/system/mongos.*    --     gen_context(system_u:object_r:mongod_unit_file_t,s0)
++
 +/usr/bin/mongod	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/bin/mongos	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/share/aeolus-conductor/dbomatic/dbomatic   --   gen_context(system_u:object_r:mongod_exec_t,s0)
++
++/usr/libexec/mongodb-scl-helper             --      gen_context(system_u:object_r:mongod_exec_t,s0)
  
  /var/lib/mongo.*	gen_context(system_u:object_r:mongod_var_lib_t,s0)
  
@@ -47645,10 +47683,20 @@ index 6fcfc31..91adcaf 100644
 +/var/run/mongo.*	                gen_context(system_u:object_r:mongod_var_run_t,s0)
 +/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
 diff --git a/mongodb.te b/mongodb.te
-index 169f236..907b24c 100644
+index 169f236..ce00a2c 100644
 --- a/mongodb.te
 +++ b/mongodb.te
-@@ -21,19 +21,25 @@ files_type(mongod_var_lib_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
+ type mongod_initrc_exec_t;
+ init_script_file(mongod_initrc_exec_t)
+ 
++type mongod_unit_file_t;
++systemd_unit_file(mongod_unit_file_t)
++
+ type mongod_log_t;
+ logging_log_file(mongod_log_t)
+ 
+@@ -21,19 +24,25 @@ files_type(mongod_var_lib_t)
  type mongod_var_run_t;
  files_pid_file(mongod_var_run_t)
  
@@ -47680,7 +47728,7 @@ index 169f236..907b24c 100644
  
  manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
  manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-@@ -41,21 +47,42 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+@@ -41,21 +50,42 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
  
  manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
  manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
@@ -52741,10 +52789,10 @@ index b708708..dd6e04b 100644
 +	apache_search_sys_content(munin_t)
 +')
 diff --git a/mysql.fc b/mysql.fc
-index 06f8666..d813d8a 100644
+index 06f8666..c2c13aa 100644
 --- a/mysql.fc
 +++ b/mysql.fc
-@@ -1,12 +1,26 @@
+@@ -1,27 +1,46 @@
 -HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
 -
 -/etc/my\.cnf	--	gen_context(system_u:object_r:mysqld_etc_t,s0)
@@ -52780,7 +52828,9 @@ index 06f8666..d813d8a 100644
  /usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
  /usr/bin/mysql_upgrade	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  
-@@ -14,14 +28,17 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
+ /usr/libexec/mysqld	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
++/usr/libexec/mysqld_safe-scl-helper --  gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
++
  
  /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -58453,7 +58503,7 @@ index 0000000..22e6c96
 +/usr/lib/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --git a/nsplugin.if b/nsplugin.if
 new file mode 100644
-index 0000000..16f4789
+index 0000000..bceb527
 --- /dev/null
 +++ b/nsplugin.if
 @@ -0,0 +1,474 @@
@@ -58564,7 +58614,7 @@ index 0000000..16f4789
 +	userdom_use_inherited_user_terminals(nsplugin_t)
 +	userdom_use_inherited_user_terminals(nsplugin_config_t)
 +	userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
-+	userdom_manage_tmpfs_role($1, nsplugin_t)
++	userdom_manage_tmp_role($1, nsplugin_t)
 +
 +	optional_policy(`
 +		pulseaudio_role($1, nsplugin_t)
@@ -59307,7 +59357,7 @@ index af3c91e..3e5f9cf 100644
  
  /var/log/ntp.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
 diff --git a/ntp.if b/ntp.if
-index e96a309..ef6081b 100644
+index e96a309..3dbc18c 100644
 --- a/ntp.if
 +++ b/ntp.if
 @@ -1,4 +1,4 @@
@@ -59356,7 +59406,7 @@ index e96a309..ef6081b 100644
  ')
  
  ########################################
-@@ -98,6 +117,49 @@ interface(`ntp_initrc_domtrans',`
+@@ -98,6 +117,67 @@ interface(`ntp_initrc_domtrans',`
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
  ')
  
@@ -59403,10 +59453,28 @@ index e96a309..ef6081b 100644
 +	ps_process_pattern($1, ntpd_t)
 +')
 +
++########################################
++## <summary>
++##     Send a generic signal to ntpd
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`ntp_signal',`
++    gen_require(`
++        type ntpd_t;
++    ')
++
++    allow $1 ntpd_t:process signal;
++')
++
  ########################################
  ## <summary>
  ##	Read ntp drift files.
-@@ -141,8 +203,27 @@ interface(`ntp_rw_shm',`
+@@ -141,8 +221,27 @@ interface(`ntp_rw_shm',`
  
  ########################################
  ## <summary>
@@ -59436,7 +59504,7 @@ index e96a309..ef6081b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -151,28 +232,32 @@ interface(`ntp_rw_shm',`
+@@ -151,28 +250,32 @@ interface(`ntp_rw_shm',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -59475,7 +59543,7 @@ index e96a309..ef6081b 100644
  
  	logging_list_logs($1)
  	admin_pattern($1, ntpd_log_t)
-@@ -186,5 +271,30 @@ interface(`ntp_admin',`
+@@ -186,5 +289,30 @@ interface(`ntp_admin',`
  	files_list_pids($1)
  	admin_pattern($1, ntpd_var_run_t)
  
@@ -59508,7 +59576,7 @@ index e96a309..ef6081b 100644
 +    files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
  ')
 diff --git a/ntp.te b/ntp.te
-index f81b113..6f94328 100644
+index f81b113..ab4d914 100644
 --- a/ntp.te
 +++ b/ntp.te
 @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
@@ -59591,6 +59659,25 @@ index f81b113..6f94328 100644
  userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
  userdom_list_user_home_dirs(ntpd_t)
  
+@@ -152,9 +150,18 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    ptp4l_rw_shm(ntpd_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(ntpd_t)
+ ')
+ 
+ optional_policy(`
++    timemaster_read_pid_files(ntpd_t)
++    timemaster_rw_shm(ntpd_t)
++')
++
++optional_policy(`
+ 	udev_read_db(ntpd_t)
+ ')
 diff --git a/numad.fc b/numad.fc
 index 3488bb0..1f97624 100644
 --- a/numad.fc
@@ -64607,7 +64694,7 @@ index bf59ef7..0e33327 100644
 +')
 +
 diff --git a/passenger.te b/passenger.te
-index 08ec33b..231f2e2 100644
+index 08ec33b..56fba2e 100644
 --- a/passenger.te
 +++ b/passenger.te
 @@ -14,6 +14,9 @@ role system_r types passenger_t;
@@ -64634,7 +64721,7 @@ index 08ec33b..231f2e2 100644
 +allow passenger_t self:process { setpgid setsched getsession signal_perms };
  allow passenger_t self:fifo_file rw_fifo_file_perms;
 -allow passenger_t self:unix_stream_socket { accept connectto listen };
-+allow passenger_t self:tcp_socket listen;
++allow passenger_t self:tcp_socket { accept listen };
 +allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +can_exec(passenger_t, passenger_exec_t)
@@ -73838,10 +73925,10 @@ index 6864479..0e7d875 100644
 +/var/lib/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
 +/var/run/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
 diff --git a/pulseaudio.if b/pulseaudio.if
-index 45843b5..116be8a 100644
+index 45843b5..4d1adac 100644
 --- a/pulseaudio.if
 +++ b/pulseaudio.if
-@@ -2,43 +2,48 @@
+@@ -2,43 +2,47 @@
  
  ########################################
  ## <summary>
@@ -73897,7 +73984,6 @@ index 45843b5..116be8a 100644
 -	allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
 -	allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 +	userdom_manage_tmp_role($1, pulseaudio_t)
-+	userdom_manage_tmpfs_role($1, pulseaudio_t)
  
 -	allow pulseaudio_t $2:unix_stream_socket connectto;
 +	allow $2 pulseaudio_t:dbus send_msg;
@@ -73905,7 +73991,7 @@ index 45843b5..116be8a 100644
  ')
  
  ########################################
-@@ -65,9 +70,8 @@ interface(`pulseaudio_domtrans',`
+@@ -65,9 +69,8 @@ interface(`pulseaudio_domtrans',`
  
  ########################################
  ## <summary>
@@ -73917,7 +74003,7 @@ index 45843b5..116be8a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -82,16 +86,16 @@ interface(`pulseaudio_domtrans',`
+@@ -82,16 +85,16 @@ interface(`pulseaudio_domtrans',`
  #
  interface(`pulseaudio_run',`
  	gen_require(`
@@ -73937,7 +74023,7 @@ index 45843b5..116be8a 100644
  ## </summary>
  ## <param name="domain">
  ## <summary>
-@@ -104,13 +108,12 @@ interface(`pulseaudio_exec',`
+@@ -104,13 +107,12 @@ interface(`pulseaudio_exec',`
  		type pulseaudio_exec_t;
  	')
  
@@ -73952,7 +74038,7 @@ index 45843b5..116be8a 100644
  ## </summary>
  ## <param name="domain">
  ## <summary>
-@@ -128,7 +131,7 @@ interface(`pulseaudio_dontaudit_exec',`
+@@ -128,7 +130,7 @@ interface(`pulseaudio_dontaudit_exec',`
  
  ########################################
  ## <summary>
@@ -73961,7 +74047,7 @@ index 45843b5..116be8a 100644
  ##	processes.
  ## </summary>
  ## <param name="domain">
-@@ -147,8 +150,8 @@ interface(`pulseaudio_signull',`
+@@ -147,8 +149,8 @@ interface(`pulseaudio_signull',`
  
  #####################################
  ## <summary>
@@ -73972,7 +74058,7 @@ index 45843b5..116be8a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -158,11 +161,15 @@ interface(`pulseaudio_signull',`
+@@ -158,11 +160,15 @@ interface(`pulseaudio_signull',`
  #
  interface(`pulseaudio_stream_connect',`
  	gen_require(`
@@ -73990,7 +74076,7 @@ index 45843b5..116be8a 100644
  ')
  
  ########################################
-@@ -188,9 +195,9 @@ interface(`pulseaudio_dbus_chat',`
+@@ -188,9 +194,9 @@ interface(`pulseaudio_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -74002,7 +74088,7 @@ index 45843b5..116be8a 100644
  ##	<summary>
  ##	Domain allowed access.
  ##	</summary>
-@@ -201,148 +208,190 @@ interface(`pulseaudio_setattr_home_dir',`
+@@ -201,148 +207,190 @@ interface(`pulseaudio_setattr_home_dir',`
  		type pulseaudio_home_t;
  	')
  
@@ -79139,7 +79225,7 @@ index 6d162e4..889c0ed 100644
  userdom_dontaudit_search_user_home_dirs(radvd_t)
  
 diff --git a/raid.fc b/raid.fc
-index 5806046..d83ec27 100644
+index 5806046..8bce88f 100644
 --- a/raid.fc
 +++ b/raid.fc
 @@ -3,6 +3,11 @@
@@ -79154,13 +79240,16 @@ index 5806046..d83ec27 100644
  /sbin/iprdump	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /sbin/iprinit	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /sbin/iprupdate	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
-@@ -16,6 +21,7 @@
+@@ -16,6 +21,10 @@
  /usr/sbin/iprupdate	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /usr/sbin/mdadm	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /usr/sbin/mdmpd	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 +/usr/sbin/mdmon	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /usr/sbin/raid-check	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  
++/var/log/iprdbg             --  gen_context(system_u:object_r:mdadm_log_t,s0)
++/var/log/iprdump.*          --  gen_context(system_u:object_r:mdadm_log_t,s0)
++
  /var/run/mdadm(/.*)?	gen_context(system_u:object_r:mdadm_var_run_t,s0)
 diff --git a/raid.if b/raid.if
 index 951db7f..04b6dde 100644
@@ -79378,10 +79467,10 @@ index 951db7f..04b6dde 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
  ')
 diff --git a/raid.te b/raid.te
-index c99753f..26d52dc 100644
+index c99753f..0d4e845 100644
 --- a/raid.te
 +++ b/raid.te
-@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
+@@ -15,54 +15,92 @@ role mdadm_roles types mdadm_t;
  type mdadm_initrc_exec_t;
  init_script_file(mdadm_initrc_exec_t)
  
@@ -79397,7 +79486,13 @@ index c99753f..26d52dc 100644
  type mdadm_var_run_t alias mdadm_map_t;
  files_pid_file(mdadm_var_run_t)
  dev_associate(mdadm_var_run_t)
-@@ -25,44 +34,67 @@ dev_associate(mdadm_var_run_t)
+ 
++type mdadm_log_t;
++logging_log_file(mdadm_log_t)
++
+ ########################################
+ #
+ # Local policy
  #
  
  allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -79425,6 +79520,9 @@ index c99753f..26d52dc 100644
 +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
 +dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
 +
++manage_files_pattern(mdadm_t, mdadm_log_t, mdadm_log_t)
++logging_log_filetrans(mdadm_t, mdadm_log_t, file)
++
 +can_exec(mdadm_t, mdadm_exec_t)
  
  kernel_getattr_core_if(mdadm_t)
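Review bot: `logging_log_filetrans(mdadm_t, mdadm_log_t, file)` is unnamed, so every file mdadm_t creates directly in /var/log becomes `mdadm_log_t`, while the raid.fc hunk labels only `/var/log/iprdbg` and `/var/log/iprdump.*`. A name-qualified transition, `logging_log_filetrans(mdadm_t, mdadm_log_t, file, "iprdbg")`, would match the fixed-name entry exactly; the `iprdump.*` files need the unnamed form unless their names are predictable. Whether the raid admin interface also gets `admin_pattern` on the new type is outside this hunk.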
@@ -79474,7 +79572,7 @@ index c99753f..26d52dc 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +103,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +109,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
@@ -79498,7 +79596,7 @@ index c99753f..26d52dc 100644
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +129,38 @@ optional_policy(`
+@@ -90,17 +135,38 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81108,7 +81206,7 @@ index 16c8ecb..4e021ec 100644
 +	')
  ')
 diff --git a/redis.te b/redis.te
-index 25cd417..178198b 100644
+index 25cd417..e331b5d 100644
 --- a/redis.te
 +++ b/redis.te
 @@ -21,6 +21,9 @@ files_type(redis_var_lib_t)
@@ -81121,7 +81219,15 @@ index 25cd417..178198b 100644
  ########################################
  #
  # Local policy
-@@ -60,6 +63,4 @@ dev_read_urand(redis_t)
+@@ -42,6 +45,7 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+ manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+ manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+ manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+ 
+ kernel_read_system_state(redis_t)
+ 
+@@ -60,6 +64,4 @@ dev_read_urand(redis_t)
  
  logging_send_syslog_msg(redis_t)
  
@@ -81787,10 +81893,10 @@ index c8a1e16..2d409bf 100644
  	xen_domtrans_xm(rgmanager_t)
  ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..2c625fb 100644
+index 47de2d6..7bed6ad 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,91 @@
+@@ -1,31 +1,92 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -81844,6 +81950,7 @@ index 47de2d6..2c625fb 100644
 -/var/run/groupd\.pid	--	gen_context(system_u:object_r:groupd_var_run_t,s0)
 -/var/run/qdiskd\.pid	--	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
 +/var/run/cluster/fence_scsi.*           --       gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/cluster/mpath\.devices     --  gen_context(system_u:object_r:fenced_var_run_t,s0)
 +/var/run/dlm_controld\.pid		--	gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
 +/var/run/dlm_controld(/.*)?		    gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
 +/var/run/fence.*				    gen_context(system_u:object_r:fenced_var_run_t,s0)
@@ -82730,7 +82837,7 @@ index c8bdea2..bf60580 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..25c0f70 100644
+index 6cf79c4..a70327a 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -83094,7 +83201,7 @@ index 6cf79c4..25c0f70 100644
 -allow fenced_t self:capability { sys_rawio sys_resource };
 -allow fenced_t self:process { getsched signal_perms };
 -allow fenced_t self:tcp_socket { accept listen };
-+allow fenced_t self:capability { net_admin sys_rawio sys_resource };
++allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin };
 +allow fenced_t self:process { getsched setpgid signal_perms };
 +
 +allow fenced_t self:tcp_socket create_stream_socket_perms;
@@ -83106,7 +83213,7 @@ index 6cf79c4..25c0f70 100644
  manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
  files_lock_filetrans(fenced_t, fenced_lock_t, file)
  
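Review bot: `sys_admin` is added at `allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin };` without a note on which operation triggers it, and CAP_SYS_ADMIN is close to root-equivalent (mounts, namespaces, a large set of privileged ioctls), so it deserves more justification than the other three capabilities. Later hunks of this file give fenced_t `dev_rw_lvm_control` and `lvm_stream_connect`, and rhcs.fc gains `/var/run/cluster/mpath\.devices`, which suggests the denial may come from the multipath/LVM fencing path; if so, a comment such as `# sys_admin: required by the mpath/LVM device ioctls used for fencing` would record it. If the capability is only audited because of a speculative kernel check, `dontaudit fenced_t self:capability sys_admin;` would be the safer treatment; the hunk alone does not show which.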
-@@ -118,9 +409,7 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +409,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -83114,10 +83221,11 @@ index 6cf79c4..25c0f70 100644
 -
 -kernel_read_system_state(fenced_t)
 +kernel_read_network_state(fenced_t)
++kernel_read_fs_sysctls(fenced_t)
  
  corecmd_exec_bin(fenced_t)
  corecmd_exec_shell(fenced_t)
-@@ -140,6 +429,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +430,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
  
  corenet_sendrecv_zented_server_packets(fenced_t)
  corenet_tcp_bind_zented_port(fenced_t)
@@ -83126,7 +83234,7 @@ index 6cf79c4..25c0f70 100644
  corenet_tcp_sendrecv_zented_port(fenced_t)
  
  corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +439,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +440,8 @@ corenet_tcp_sendrecv_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
  dev_read_urand(fenced_t)
@@ -83134,10 +83242,11 @@ index 6cf79c4..25c0f70 100644
 -files_read_usr_files(fenced_t)
 -files_read_usr_symlinks(fenced_t)
 +dev_read_rand(fenced_t)
++dev_rw_lvm_control(fenced_t)
  
  storage_raw_read_fixed_disk(fenced_t)
  storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +449,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +451,7 @@ term_getattr_pty_fs(fenced_t)
  term_use_generic_ptys(fenced_t)
  term_use_ptmx(fenced_t)
  
@@ -83146,7 +83255,7 @@ index 6cf79c4..25c0f70 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +471,8 @@ optional_policy(`
+@@ -182,7 +473,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83156,13 +83265,14 @@ index 6cf79c4..25c0f70 100644
  ')
  
  optional_policy(`
-@@ -190,12 +480,12 @@ optional_policy(`
+@@ -190,12 +482,13 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	gnome_read_generic_home_content(fenced_t)
 +	lvm_domtrans(fenced_t)
 +	lvm_read_config(fenced_t)
++    lvm_stream_connect(fenced_t)
  ')
  
  optional_policy(`
@@ -83172,7 +83282,7 @@ index 6cf79c4..25c0f70 100644
  ')
  
  optional_policy(`
-@@ -203,6 +493,13 @@ optional_policy(`
+@@ -203,6 +496,13 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -83186,7 +83296,7 @@ index 6cf79c4..25c0f70 100644
  #######################################
  #
  # foghorn local policy
-@@ -221,16 +518,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +521,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
  corenet_tcp_connect_agentx_port(foghorn_t)
  corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
@@ -83207,7 +83317,7 @@ index 6cf79c4..25c0f70 100644
  	snmp_stream_connect(foghorn_t)
  ')
  
-@@ -247,16 +546,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
+@@ -247,16 +549,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
  stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
  stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -83229,7 +83339,7 @@ index 6cf79c4..25c0f70 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +578,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +581,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -83289,7 +83399,7 @@ index 6cf79c4..25c0f70 100644
  ######################################
  #
  # qdiskd local policy
-@@ -292,7 +642,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+@@ -292,7 +645,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
  manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
  files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
  
@@ -83297,7 +83407,7 @@ index 6cf79c4..25c0f70 100644
  kernel_read_software_raid_state(qdiskd_t)
  kernel_getattr_core_if(qdiskd_t)
  
-@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +673,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -85624,7 +85734,7 @@ index 0bf13c2..8236a71 100644
  		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
  		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..b225fea 100644
+index 2da9fca..876a4e7 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
@@ -85913,7 +86023,7 @@ index 2da9fca..b225fea 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -288,25 +311,30 @@ kernel_signal(gssd_t)
+@@ -288,25 +311,31 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -85931,6 +86041,7 @@ index 2da9fca..b225fea 100644
  
 +auth_use_nsswitch(gssd_t)
  auth_manage_cache(gssd_t)
++auth_login_manage_key(gssd_t)
  
  miscfiles_read_generic_certs(gssd_t)
  
@@ -85947,7 +86058,7 @@ index 2da9fca..b225fea 100644
  ')
  
  optional_policy(`
-@@ -314,9 +342,12 @@ optional_policy(`
+@@ -314,9 +343,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86141,10 +86252,10 @@ index 54de77c..cb05fbf 100644
  ifdef(`distro_debian',`
  	term_dontaudit_use_unallocated_ttys(rpcbind_t)
 diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..fc8f8ac 100644
+index ebe91fc..6d1c8f2 100644
 --- a/rpm.fc
 +++ b/rpm.fc
-@@ -1,61 +1,75 @@
+@@ -1,61 +1,76 @@
 -/bin/rpm	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
 -/etc/rc\.d/init\.d/bcfg2	--	gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -86168,6 +86279,7 @@ index ebe91fc..fc8f8ac 100644
 +/bin/yum-builddep		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/yum-builddep	--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/yum-deprecated --  gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/repoquery		--	gen_context(system_u:object_r:rpm_exec_t,s0)		
 +/usr/bin/zif 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
@@ -86881,7 +86993,7 @@ index ef3b225..d481e0a 100644
  	admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
  
 diff --git a/rpm.te b/rpm.te
-index 6fc360e..75415ab 100644
+index 6fc360e..77ca468 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -87223,7 +87335,7 @@ index 6fc360e..75415ab 100644
  mls_file_read_all_levels(rpm_script_t)
  mls_file_write_all_levels(rpm_script_t)
  
-@@ -331,73 +331,125 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,73 +331,129 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -87268,11 +87380,11 @@ index 6fc360e..75415ab 100644
 +logging_send_audit_msgs(rpm_script_t)
  
 -miscfiles_read_localization(rpm_script_t)
-+miscfiles_filetrans_named_content(rpm_script_t)
- 
+-
 -modutils_run_depmod(rpm_script_t, rpm_roles)
 -modutils_run_insmod(rpm_script_t, rpm_roles)
--
++miscfiles_filetrans_named_content(rpm_script_t)
+ 
 -seutil_run_loadpolicy(rpm_script_t, rpm_roles)
 -seutil_run_setfiles(rpm_script_t, rpm_roles)
 -seutil_run_semanage(rpm_script_t, rpm_roles)
@@ -87315,6 +87427,10 @@ index 6fc360e..75415ab 100644
 +')
 +
 +optional_policy(`
++    glusterd_filetrans_named_pid(rpm_script_t)
++') 
++
++optional_policy(`
 +    sblim_filetrans_named_content(rpm_script_t)
  ')
  
@@ -87369,7 +87485,7 @@ index 6fc360e..75415ab 100644
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +461,6 @@ optional_policy(`
+@@ -409,6 +465,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -89375,7 +89491,7 @@ index 50d07fb..59296a2 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..114b2be 100644
+index 2b7c441..bbbc802 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -90441,7 +90557,7 @@ index 2b7c441..114b2be 100644
  allow winbind_t self:fifo_file rw_fifo_file_perms;
 -allow winbind_t self:unix_stream_socket { accept listen };
 -allow winbind_t self:tcp_socket { accept listen };
-+allow winbind_t self:unix_dgram_socket create_socket_perms;
++allow winbind_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow winbind_t self:unix_stream_socket create_stream_socket_perms;
 +allow winbind_t self:tcp_socket create_stream_socket_perms;
 +allow winbind_t self:udp_socket create_socket_perms;
@@ -92498,7 +92614,7 @@ index 98c9e0a..562666e 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..1a69cf7 100644
+index 299756b..6646c78 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -92579,7 +92695,7 @@ index 299756b..1a69cf7 100644
  
 -allow sblim_gatherd_t self:capability dac_override;
 -allow sblim_gatherd_t self:process signal;
-+allow sblim_gatherd_t self:capability { dac_override sys_nice };
++allow sblim_gatherd_t self:capability { dac_override sys_nice sys_ptrace };
 +allow sblim_gatherd_t self:process { setsched signal };
  allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
  allow sblim_gatherd_t self:unix_stream_socket { accept listen };
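Review bot: `sys_ptrace` is added at `allow sblim_gatherd_t self:capability { dac_override sys_nice sys_ptrace };` with no comment, and CAP_SYS_PTRACE lets the gatherer read other processes' state and memory that ordinary /proc reads would not expose. Resource gatherers commonly trip this check merely by walking /proc/<pid> entries of processes they do not own, and in that case the usual treatment is `dontaudit sblim_gatherd_t self:capability sys_ptrace;` rather than an allow. If the capability is genuinely needed, a comment naming the operation would make the grant reviewable.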
@@ -93872,7 +93988,7 @@ index 3a9a70b..903109c 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index ce67935..88fea69 100644
+index ce67935..130eca9 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1)
@@ -93905,8 +94021,9 @@ index ce67935..88fea69 100644
 +# setroubleshootd local policy
  #
  
- allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
+-allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
 -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack };
++allow setroubleshootd_t self:capability { sys_nice sys_ptrace sys_tty_config };
 +dontaudit setroubleshootd_t self:capability net_admin;
 +
 +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
@@ -104854,10 +104971,10 @@ index 3d11c6a..b19a117 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index a4f20bc..b3bd64f 100644
+index a4f20bc..374e8ef 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,51 +1,99 @@
+@@ -1,51 +1,101 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@@ -104875,6 +104992,8 @@ index a4f20bc..b3bd64f 100644
 +HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
 +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
 +HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
++HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
++HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_home_t,s0)
  
 -/etc/libvirt	-d	gen_context(system_u:object_r:virt_etc_t,s0)
 +/etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
@@ -104996,7 +105115,7 @@ index a4f20bc..b3bd64f 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..f6b8a09 100644
+index facdee8..6d8af6c 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -105555,7 +105674,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -495,53 +350,37 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +350,38 @@ interface(`virt_manage_virt_content',`
  ##	</summary>
  ## </param>
  #
@@ -105609,6 +105728,7 @@ index facdee8..f6b8a09 100644
 -	virt_home_filetrans($1, virt_content_t, $2, $3)
 +	files_search_pids($1)
 +	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
++    read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
  ')
  
  ########################################
@@ -105619,7 +105739,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -549,34 +388,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +389,21 @@ interface(`virt_home_filetrans_virt_content',`
  ##	</summary>
  ## </param>
  #
@@ -105662,7 +105782,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -584,32 +410,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +411,36 @@ interface(`virt_manage_svirt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -105711,7 +105831,7 @@ index facdee8..f6b8a09 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -618,54 +448,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +449,36 @@ interface(`virt_relabel_svirt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -105775,7 +105895,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -673,54 +485,38 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +486,38 @@ interface(`virt_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -105842,7 +105962,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -728,52 +524,58 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +525,58 @@ interface(`virt_manage_generic_virt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -105923,7 +106043,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -781,19 +583,19 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +584,19 @@ interface(`virt_home_filetrans_virt_home',`
  ##	</summary>
  ## </param>
  #
@@ -105949,7 +106069,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -801,18 +603,18 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +604,18 @@ interface(`virt_read_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -105973,7 +106093,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -820,18 +622,18 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +623,18 @@ interface(`virt_manage_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -105997,7 +106117,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -839,20 +641,73 @@ interface(`virt_search_lib',`
+@@ -839,20 +642,73 @@ interface(`virt_search_lib',`
  ##	</summary>
  ## </param>
  #
@@ -106076,7 +106196,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,94 +715,267 @@ interface(`virt_read_lib_files',`
+@@ -860,94 +716,267 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -106373,7 +106493,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +983,17 @@ interface(`virt_append_log',`
+@@ -955,20 +984,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
@@ -106398,7 +106518,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +1001,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +1002,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
@@ -106421,7 +106541,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +1019,35 @@ interface(`virt_search_images',`
+@@ -995,36 +1020,35 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
@@ -106477,7 +106597,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +1055,17 @@ interface(`virt_read_images',`
+@@ -1032,20 +1056,17 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -106502,7 +106622,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,15 +1073,57 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1074,57 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -106565,7 +106685,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +1131,28 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1132,29 @@ interface(`virt_manage_svirt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -106591,6 +106711,7 @@ index facdee8..f6b8a09 100644
 +		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
 +		gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
 +		gnome_data_filetrans($1, svirt_home_t, dir, "images")
++		gnome_data_filetrans($1, svirt_home_t, dir, "boot")
 +	')
  ')
  
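Review bot: The added `gnome_data_filetrans($1, svirt_home_t, dir, "boot")` keys the transition on the parent directory's type and the object name only, so — assuming gnome_data_filetrans wraps a filetrans_pattern on the ~/.local/share type as its name suggests — any directory named `boot` the caller creates directly under ~/.local/share would be labeled svirt_home_t, not just the ~/.local/share/libvirt/boot path the changelog cites. The same imprecision already applies to the `images` line above it; if that is accepted, record it, e.g. `# name-based transition: any "images"/"boot" dir created in data_home_t gets svirt_home_t`. Also confirm a matching virt.fc entry for `HOME_DIR/\.local/share/libvirt/boot(/.*)?` exists elsewhere in the patch, since the filetrans only labels newly created directories and restorecon of existing ones needs the file context. The enclosing interface starts outside this hunk.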
@@ -106602,7 +106723,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1160,188 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1162,188 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -106809,7 +106930,7 @@ index facdee8..f6b8a09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1357,53 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1359,53 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -106898,7 +107019,7 @@ index facdee8..f6b8a09 100644
 +	typeattribute $1 sandbox_caps_domain;
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..a1f667e 100644
+index f03dcf5..dcbd7ac 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,241 @@
@@ -108398,7 +108519,7 @@ index f03dcf5..a1f667e 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1171,321 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1171,322 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -108583,6 +108704,7 @@ index f03dcf5..a1f667e 100644
 +files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
 +files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
 +files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
++files_search_all_mountpoints(svirt_sandbox_domain)
 +files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
 +files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
 +files_entrypoint_all_files(svirt_sandbox_domain)
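Review bot: `files_search_all_mountpoints(svirt_sandbox_domain)` is an unconditional allow granted to the whole sandbox attribute, sitting between rules that are otherwise only dontaudits, so every container domain gains search on every mountpoint type rather than the docker domain that hit the denial. If this was driven by a specific mount, consider scoping it to that domain or mountpoint type, or at least record the reason inline, e.g. `# docker containers must traverse host mountpoints to reach bind-mounted volumes (no BZ)`. Directory search only grants path traversal, not reading contents, but on an attribute shared by all sandbox domains it is a policy-wide widening and the changelog entry for it carries no bug reference. The enclosing rule block starts outside this hunk.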
@@ -108861,7 +108983,7 @@ index f03dcf5..a1f667e 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1498,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1499,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -108876,7 +108998,7 @@ index f03dcf5..a1f667e 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,9 +1516,8 @@ optional_policy(`
+@@ -1192,9 +1517,8 @@ optional_policy(`
  
  ########################################
  #
@@ -108887,7 +109009,7 @@ index f03dcf5..a1f667e 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1530,238 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1531,238 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -110261,7 +110383,7 @@ index ae919b9..32cbf8c 100644
  
  optional_policy(`
 diff --git a/wine.if b/wine.if
-index fd2b6cc..c5ea35d 100644
+index fd2b6cc..9c4f14b 100644
 --- a/wine.if
 +++ b/wine.if
 @@ -1,46 +1,58 @@
@@ -110374,7 +110496,7 @@ index fd2b6cc..c5ea35d 100644
  
  	userdom_unpriv_usertype($1, $1_wine_t)
 -	userdom_manage_user_tmpfs_files($1_wine_t)
-+	userdom_manage_tmpfs_role($2, $1_wine_t)
++	userdom_manage_tmp_role($2, $1_wine_t)
 +	userdom_manage_home_role($2 ,$1_wine_t)
  
  	domain_mmap_low($1_wine_t)
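Review bot: The substitution is not like-for-like: the upstream line this patch replaces, `userdom_manage_user_tmpfs_files($1_wine_t)`, granted management of user tmpfs content, while the new `userdom_manage_tmp_role($2, $1_wine_t)` targets user tmp (presumably user_tmp_t rather than user_tmpfs_t, going by the names) and, as a role interface, also adds role-level rules. If `userdom_manage_tmpfs_role` is dropped only because it is deprecated, keep its non-deprecated equivalent so wine does not lose tmpfs access, e.g. retain `userdom_manage_user_tmpfs_files($1_wine_t)` alongside the new tmp_role call; otherwise expect new tmpfs denials for wine processes. The same swap appears in wm.if later in this diff. The template body continues outside this hunk.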
@@ -110603,7 +110725,7 @@ index 304ae09..c1d10a1 100644
 -/usr/bin/twm	--	gen_context(system_u:object_r:wm_exec_t,s0)
 +/usr/bin/twm		--	gen_context(system_u:object_r:wm_exec_t,s0)
 diff --git a/wm.if b/wm.if
-index 95f888d..36b2f81 100644
+index 95f888d..48fe249 100644
 --- a/wm.if
 +++ b/wm.if
 @@ -1,4 +1,4 @@
@@ -110612,7 +110734,7 @@ index 95f888d..36b2f81 100644
  
  #######################################
  ## <summary>
-@@ -29,69 +29,59 @@
+@@ -29,69 +29,58 @@
  #
  template(`wm_role_template',`
  	gen_require(`
@@ -110650,7 +110772,6 @@ index 95f888d..36b2f81 100644
  
 -	allow $1_wm_t $3:process { signull sigkill };
 +	userdom_manage_home_role($2, $1_wm_t)
-+	userdom_manage_tmpfs_role($2, $1_wm_t)
 +	userdom_manage_tmp_role($2, $1_wm_t)
 +	userdom_exec_user_tmp_files($1_wm_t)
  
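Review bot: Deleting `userdom_manage_tmpfs_role($2, $1_wm_t)` removes the template's tmpfs access with no replacement, since the `userdom_manage_tmp_role` line kept below it covers tmp, not tmpfs, going by the interface names. If the call goes only because the interface is deprecated, substitute the non-deprecated form rather than dropping it, e.g. `userdom_manage_user_tmpfs_files($1_wm_t)`, unless it was verified that window managers no longer touch user tmpfs content. The template body continues outside this hunk.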
@@ -110704,7 +110825,7 @@ index 95f888d..36b2f81 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -104,33 +94,5 @@ interface(`wm_exec',`
+@@ -104,33 +93,5 @@ interface(`wm_exec',`
  		type wm_exec_t;
  	')
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 20c4ac2..b2d67f1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 125%{?dist}
+Release: 126%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,52 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue May 12 2015 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-126
+- Add lvm_stream_connect() interface.
+- Add support for /usr/sbin/lvmpolld.BZ(1220817)
+- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.BZ(1218137)
+- Allow login_pgm domains to access kernel keyring for nsswitch domains.
+- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
+- This change will remove entrypoint from filesystems, should be back ported to all RHEL/Fedora systems
+- Only allow semanage_t to be able to setenforce 0, no all domains that use selinux_semanage interface
+- Allow debugfs associate to a sysfs filesystem.
+- vport is mislabeled on arm, need to be less specific
+- Add relabel_user_home_dirs for use by docker_t
+- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
+- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
+- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
+- Add glusterd_filetrans_named_pid() interface.
+- Allow antivirus_t to read system state info.BZ(1217616)
+- Dontaudit use console for chrome-sandbox. BZ(1216087)
+- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. BZ(1215359)
+- Clamd needs to have fsetid capability. BZ(1215308)
+- Allow cinder-backup to dbus chat with systemd-logind. BZ(1207098)
+- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
+- Allow gssd to access kernel keyring for login_pgm domains.
+- Add more fixes related to timemaster+ntp+ptp4l.
+- Allow docker sandbox domains to search all mountpoiunts
+- update winbind_t rules to allow IPC for winbind. BZ(1210663)
+- Allow dhcpd kill capability.
+- Add support for new fence agent fence_mpath which is executed by fence_node.
+- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
+- Allow redis to create /var/run/redis/redis.sock.
+- Allow fence_mpathpersist to run mpathpersist which requires sys_admin capability.
+- Allow timemaster send a signal to ntpd.
+- Add rules for netlink_socket in iotop.
+- Allow iotop netlink socket.
+- Allow sys_ptrace cap for sblim-gatherd caused by ps.
+- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
+- Allow passenger to accept connection.
+- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
+- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
+- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
+- Label /usr/bin/yum-deprecated as rpm_exec_t. (#1218650)
+- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.
+- Add support for iprdbg logging files in /var/log.
+- Add support for mongod/mongos systemd unit files.
+- Allow inet_gethost called by couchdb to access /proc/net/unix. BZ(1207538)
+- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so (#1207410)
+
 * Tue May 05 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-125
 - Add support for new cobbler dir locations:
 - Add nagios_read_lib() interface.
-- 
cgit v0.10.2

